Publication


Featured research published by Robert Fitzpatrick.


Designs, Codes and Cryptography | 2015

On the complexity of the BKW algorithm on LWE

Martin R. Albrecht; Carlos Cid; Jean-Charles Faugère; Robert Fitzpatrick; Ludovic Perret

This work presents a study of the complexity of the Blum–Kalai–Wasserman (BKW) algorithm when applied to the Learning with Errors (LWE) problem, by providing refined estimates for the data and computational effort requirements for solving concrete instances of the LWE problem. We apply this refined analysis to suggested parameters for various LWE-based cryptographic schemes from the literature and compare with alternative approaches based on lattice reduction. As a result, we provide new upper bounds for the concrete hardness of these LWE-based schemes. Rather surprisingly, it appears that the BKW algorithm outperforms known estimates for lattice reduction algorithms starting in dimension n ≈ 250 when LWE is reduced to SIS. However, this assumes access to an unbounded number of LWE samples.


international conference on information security and cryptology | 2013

On the Efficacy of Solving LWE by Reduction to Unique-SVP

Martin R. Albrecht; Robert Fitzpatrick; Florian Göpfert


public key cryptography | 2014

Lazy Modulus Switching for the BKW Algorithm on LWE

Martin R. Albrecht; Jean-Charles Faugère; Robert Fitzpatrick; Ludovic Perret


international conference on progress in cryptology | 2014

Tuning GaussSieve for Speed

Robert Fitzpatrick; Christian H. Bischof; Johannes A. Buchmann; Özgür Dagdelen; Florian Göpfert; Artur Mariano; Bo-Yin Yang


ACM Communications in Computer Algebra | 2015

Algebraic algorithms for LWE problems

Martin R. Albrecht; Carlos Cid; Jean-Charles Faugère; Robert Fitzpatrick; Ludovic Perret


BalkanCryptSec 2014 Revised Selected Papers of the First International Conference on Cryptography and Information Security in the Balkans - Volume 9024 | 2014

Nearest Planes in Practice

Christian H. Bischof; Johannes A. Buchmann; Özgür Dagdelen; Robert Fitzpatrick; Florian Göpfert; Artur Mariano

We present a study of the concrete complexity of solving instances of the unique shortest vector problem (uSVP). In particular, we study the complexity of solving the Learning with Errors (LWE) problem by reducing the Bounded-Distance Decoding (BDD) problem to uSVP and attempting to solve such instances using the ‘embedding’ approach. We experimentally derive a model for the success of the approach, compare to alternative methods and demonstrate that for the LWE instances considered in this work, reducing to uSVP and solving via embedding compares favorably to other approaches.


IACR Cryptology ePrint Archive | 2014

Algebraic Algorithms for LWE Problems.

Martin R. Albrecht; Carlos Cid; Jean-Charles Faugère; Robert Fitzpatrick; Ludovic Perret

Some recent constructions based on LWE do not sample the secret uniformly at random but rather from some distribution which produces small entries. The most prominent of these is the binary-LWE problem where the secret vector is sampled from {0,1}^n or {-1,0,1}^n. We present a variant of the BKW algorithm for binary-LWE and other small secret variants and show that this variant reduces the complexity for solving binary-LWE. We also give estimates for the cost of solving binary-LWE instances in this setting and demonstrate the advantage of this BKW variant over standard BKW and lattice reduction techniques applied to the SIS problem. Our variant can be seen as a combination of the BKW algorithm with a lazy variant of modulus switching which might be of independent interest.


public key cryptography | 2014

Practical Cryptanalysis of a Public-Key Encryption Scheme Based on New Multivariate Quadratic Assumptions

Martin R. Albrecht; Jean-Charles Faugère; Robert Fitzpatrick; Ludovic Perret; Yosuke Todo; Keita Xagawa

The area of lattice-based cryptography is growing ever-more prominent as a paradigm for quantum-resistant cryptography. One of the most important hard problems underpinning the security of lattice-based cryptosystems is the shortest vector problem (SVP). At present, two approaches dominate methods for solving instances of this problem in practice: enumeration and sieving. In 2010, Micciancio and Voulgaris presented a heuristic member of the sieving family, known as GaussSieve, demonstrating it to be comparable to enumeration methods in practice. With contemporary lattice-based cryptographic proposals relying largely on the hardness of solving the shortest and closest vector problems in ideal lattices, examining possible improvements to sieving algorithms becomes highly pertinent since, at present, only sieving algorithms have been successfully adapted to solve such instances more efficiently than in the random lattice case. In this paper, we propose a number of heuristic improvements to GaussSieve, which can also be applied to other sieving algorithms for SVP.


SCC 2012 -- Third international conference on Symbolic Computation and Cryptography | 2012

On the Complexity of the BKW Algorithm on LWE

Martin R. Albrecht; Carlos Cid; Jean-Charles Faugère; Robert Fitzpatrick; Ludovic Perret

We analyse the complexity of algebraic algorithms for solving systems of linear equations with noise. Such systems arise naturally in the theory of error-correcting codes as well as in computational learning theory. More recently, linear systems with noise have found application in cryptography. The Learning with Errors (LWE) problem has proven to be a rich and versatile source of innovative cryptosystems, such as fully homomorphic encryption schemes. Despite the popularity of the LWE problem, the complexity of algorithms for solving it is not very well understood, particularly when variants of the original problem are considered. Here, we focus on and generalise a particular method for solving these systems, due to Arora & Ge, which reduces the problem to non-linear but noise-free system solving. Firstly, we provide a refined complexity analysis for the original Arora-Ge algorithm for LWE. Secondly, we study the complexity of applying algorithms for computing Gröbner bases, a fundamental tool in computational commutative algebra, to solving Arora-Ge-style systems of non-linear equations. We show positive and negative results. On the one hand, we show that the use of Gröbner bases yields an exponential speed-up over the basic Arora-Ge approach. On the other hand, we give a negative answer to the natural question whether the use of such techniques can yield a subexponential algorithm for the LWE problem. Under a mild algebraic assumption, we show that it is highly unlikely that such an improvement exists. We also consider a variant of LWE known as BinaryError-LWE introduced by Micciancio and Peikert recently. By combining Gröbner basis algorithms with the Arora-Ge modelling, we show under a natural algebraic assumption that BinaryError-LWE can be solved in subexponential time as soon as the number of samples is quasi-linear, e.g. m = O(n log log n).
We also derive precise complexity bounds for BinaryError-LWE with m = O(n), showing that this new approach yields better results than the best currently-known generic (exact) CVP solver as soon as m/n ≥ 6.6. More generally, our results provide a good picture of the hardness degradation of BinaryError-LWE for a number of samples ranging from m = n(1 + Ω(1/log n)) (a case for which BinaryError-LWE is as hard as solving some lattice problem in the worst case) to m = O(n^2) (a case for which it can be solved in polynomial time). This addresses an open question from Micciancio and Peikert. Whilst our results do not contradict the hardness results obtained by Micciancio and Peikert, they should rule out BinaryError-LWE for many cryptographic applications. The results in this work depend crucially on the assumption that the algebraic systems considered are not easier and not harder to solve than a random system of equations. We have verified this hypothesis experimentally. We have also been able to prove the assumption formally in several restricted situations. We emphasize that these issues are highly non-trivial, since proving our assumptions in full generality would allow one to prove a famous conjecture in commutative algebra known as Fröberg's Conjecture.


SCC 2012 -- Third international conference on Symbolic Computation and Cryptography | 2012

On the complexity of the Arora-Ge Algorithm against LWE

Martin R. Albrecht; Carlos Cid; Jean-Charles Faugère; Robert Fitzpatrick; Ludovic Perret

The learning with errors (LWE) problem is one of the most attractive problems that lattice-based cryptosystems base their security on. Thus, assessing its hardness in theory and practice is of prime importance. A series of works has investigated the hardness of LWE from a theoretical point of view. However, it is quite common that in practice one can solve lattice problems much faster than theoretical estimates predict. The most promising approach to solve LWE is the decoding method, which converts an LWE instance to an instance of the closest vector problem (CVP). The latter instance can then be solved by a CVP solver. In this work, we investigate how the nearest planes algorithm proposed by Lindner and Peikert (CT-RSA 2011) performs in practice. This algorithm improves an algorithm by Babai, and is a state-of-the-art CVP solver. We present the first parallel version of the nearest planes algorithm. Our implementation achieves speedup factors of more than 11x on a machine with four CPU chips totaling 16 cores. In fact, to the best of our knowledge, no parallel implementation of any LWE solver has been publicly available so far. We also compare our results with heuristics on the running time of a single nearest planes run claimed by Lindner and Peikert and subsequently used by others for runtime estimations.

Collaboration


Top co-authors of Robert Fitzpatrick:

Florian Göpfert, Technische Universität Darmstadt

Artur Mariano, Technische Universität Darmstadt

Christian H. Bischof, Technische Universität Darmstadt

Johannes A. Buchmann, Technische Universität Darmstadt

Özgür Dagdelen, Technische Universität Darmstadt