An Improved BKW Algorithm for LWE with Applications to Cryptography and Lattices

Kirchner, Paul; Fouque, Pierre-Alain

doi:10.1007/978-3-662-47989-6_3

Cited by 73 publications

(50 citation statements)

References 50 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…We verify that having such choice of super-linear n makes the Kirchner-Fouque [KF15] attack at least exponential in λ: exp(Θ(n/ log log q)) = exp(Θ (λlog ε λ log log λ/ log log 1+ε λ)) > exp(Θ(λ)).…”

Section: Asymptotic Performancementioning

confidence: 76%

“…In practice, the best known algorithm for attacking NTRU lattices is the combined lattice-reduction and meet-in-the-middle attack of Howgrave-Graham [HG07]. Asymptotically, a slightly sub-exponential attack against the ternary-NTRU problem was proposed by Kirchner and Fouque [KF15], with a heuristic complexity 2 Θ(n/ log log q) , which is to our knowledge the only sub-exponential attack when q is polynomial in n.…”

Section: Introductionmentioning

confidence: 99%

See 1 more Smart Citation

A Subfield Lattice Attack on Overstretched NTRU Assumptions

Albrecht

Bai

Ducas

2016

Lecture Notes in Computer Science

138

View full text Add to dashboard Cite

Abstract. The subfield attack exploits the presence of a subfield to solve overstretched versions of the NTRU assumption: norming the public key h down to a subfield may lead to an easier lattice problem and any sufficiently good solution may be lifted to a short vector in the full NTRU-lattice. This approach was originally sketched in a paper of Gentry and Szydlo at Eurocrypt'02 and there also attributed to Jonsson, Nguyen and Stern. However, because it does not apply for small moduli and hence NTRUEncrypt, it seems to have been forgotten. In this work, we resurrect this approach, fill some gaps, analyze and generalize it to any subfields and apply it to more recent schemes. We show that for significantly larger moduli -a case we call overstretched-the subfield attack is applicable and asymptotically outperforms other known attacks. This directly affects the asymptotic security of the bootstrappable homomorphic encryption schemes LTV and YASHE which rely on a mildly overstretched NTRU assumption: the subfield lattice attack runs in sub-exponential time 2 O(λ/ log 1/3 λ) invalidating the security claim of 2 Θ(λ) . The effect is more dramatic on GGH-like Multilinear Maps: this attack can run in polynomial time without encodings of zero nor the zero-testing parameter, yet requiring an additional quantum step to recover the secret parameters exactly. We also report on practical experiments. Running LLL in dimension 512 we obtain vectors that would have otherwise required running BKZ with block-size 130 in dimension 8192. Finally, we discuss concrete aspects of this attack, the condition on the modulus q to guarantee full immunity, discuss countermeasures and propose open questions.

show abstract

Section: Asymptotic Performancementioning

confidence: 76%

Section: Introductionmentioning

confidence: 99%

A Subfield Lattice Attack on Overstretched NTRU Assumptions

Albrecht

Bai

Ducas

2016

Lecture Notes in Computer Science

138

View full text Add to dashboard Cite

show abstract

“…The problem with the uneven noise distribution was adressed independently in [11], [12]. The idea was to use a small step size and almost reduce the positions in the a vectors to 0 in the first step, and then gradually increase the step size n i and use less strict reduction for each step.…”

Section: Coded-bkwmentioning

confidence: 99%

“…This was improved in [10] using Lazy Modulus Switching (LMS). Further improvements were made in [11], [12] by using a varying step size and a varying degree of reduction. In [13] coded-BKW with sieving was introduced, where lattice sieving techniques were used to improve the BKW algorithm.…”

Section: Introductionmentioning

confidence: 99%

The Asymptotic Complexity of Coded-BKW with Sieving Using Increasing Reduction Factors

Mårtensson

2019

2019 IEEE International Symposium on Information Theory (ISIT)

View full text Add to dashboard Cite

The Learning with Errors problem (LWE) is one of the main candidates for post-quantum cryptography. At Asiacrypt 2017, coded-BKW with sieving, an algorithm combining the Blum-Kalai-Wasserman algorithm (BKW) with lattice sieving techniques, was proposed. In this paper, we improve that algorithm by using different reduction factors in different steps of the sieving part of the algorithm. In the Regev setting, where q = n 2 and σ = n 1.5 /( √ 2π log 2 2 n), the asymptotic complexity is 2 0.8917n , improving the previously best complexity of 2 0.8927n . When a quantum computer is assumed or the number of samples is limited, we get a similar level of improvement.

show abstract

“…In case δ is o(1) or even as small as O(1/ log n), the problem is considered to be hard. The best classical algorithm for solving Subset Sum is due to [19], and takes sub-exponential time for solving instances with δ = o(1) and time 2…”

Section: Introductionmentioning

confidence: 99%

Chosen-Ciphertext Security from Subset Sum

Faust

Masny

Venturi

2016

Public-Key Cryptography – PKC 2016

View full text Add to dashboard Cite

Abstract. We construct a public-key encryption (PKE) scheme whose security is polynomial-time equivalent to the hardness of the Subset Sum problem. Our scheme achieves the standard notion of indistinguishability against chosen-ciphertext attacks (IND-CCA) and can be used to encrypt messages of arbitrary polynomial length, improving upon a previous construction by Lyubashevsky, Palacio, and Segev (TCC 2010) which achieved only the weaker notion of semantic security (IND-CPA) and whose concrete security decreases with the length of the message being encrypted. At the core of our construction is a trapdoor technique which originates in the work of Micciancio and Peikert (Eurocrypt 2012).

show abstract

An Improved BKW Algorithm for LWE with Applications to Cryptography and Lattices

Cited by 73 publications

References 50 publications

A Subfield Lattice Attack on Overstretched NTRU Assumptions

A Subfield Lattice Attack on Overstretched NTRU Assumptions

The Asymptotic Complexity of Coded-BKW with Sieving Using Increasing Reduction Factors

Chosen-Ciphertext Security from Subset Sum

Contact Info

Product

Resources

About