Improvements on Making BKW Practical for Solving LWE

Alessandro Budroni,Erik Mårtensson,Thomas Johansson,Paul Stankovski Wagner,Qian Guo

doi:10.3390/cryptography5040031

Alessandro Budroni, Erik Mårtensson + Show 3 more

Open Access

https://doi.org/10.3390/cryptography5040031

Copy DOI

Journal: Cryptography	Publication Date: Oct 28, 2021
Citations: 3	License type: CC BY 4.0

Affiliation: University of Bergen, Lund University, Informa (Sweden)

Abstract

The learning with errors (LWE) problem is one of the main mathematical foundations of post-quantum cryptography. One of the main groups of algorithms for solving LWE is the Blum–Kalai–Wasserman (BKW) algorithm. This paper presents new improvements of BKW-style algorithms for solving LWE instances. We target minimum concrete complexity, and we introduce a new reduction step where we partially reduce the last position in an iteration and finish the reduction in the next iteration, allowing non-integer step sizes. We also introduce a new procedure in the secret recovery by mapping the problem to binary problems and applying the fast Walsh Hadamard transform. The complexity of the resulting algorithm compares favorably with all other previous approaches, including lattice sieving. We additionally show the steps of implementing the approach for large LWE problem instances. We provide two implementations of the algorithm, one RAM-based approach that is optimized for speed, and one file-based approach which overcomes RAM limitations by using file-based storage.

Highlights

Since a large-scale quantum computer breaks both the problem of integer factoring and the discrete logarithm problem [1], public-key cryptography needs to be based on other underlying mathematical problems
We focus on the complexity computed as the number of arithmetic operations in Zq, for solving particular learning with errors problem (LWE) instances
We describe a procedure for writing samples to physical storage in an efficient way for large LWE instances with many samples

Summary

Introduction

Since a large-scale quantum computer breaks both the problem of integer factoring and the discrete logarithm problem [1], public-key cryptography needs to be based on other underlying mathematical problems. The learning with errors problem (LWE) introduced by Regev in [3], is the main problem in lattice-based cryptography. It has a theoretically very interesting average-case to worst-case reduction to standard lattice-based problems. It has many cryptographic applications, including, but not limited to, the design of fully homomorphic encryption schemes (FHE). An interesting special case of LWE is the learning parity with noise problem (LPN), introduced in [4], which has interesting applications in light-weight cryptography. The Euclidean distance between vectors x and y in Rn is defined as kx − yk.

Objectives

Results

Conclusion