On the concrete hardness of Learning with Errors

Abstract

The learning with errors (LWE) problem has become a central building block of modern cryptographic constructions. This work collects and presents hardness results for concrete instances of LWE. In particular, we discuss algorithms proposed in the literature and give the expected resources required to run them. We consider both generic instances of LWE as well as small secret variants. Since for several methods of solving LWE we require a lattice reduction step, we also review lattice reduction algorithms and use a refined model for estimating their running times. We also give concrete estimates for various families of LWE instances, provide a Sage module for computing these estimates and highlight gaps in the knowledge about algorithms for solving the LWE problem.
