On the Complexity of the BKW Algorithm on LWE


Martin R. Albrecht 1, Carlos Cid 3, Jean-Charles Faugère 2, Robert Fitzpatrick 3, and Ludovic Perret 2

1 Technical University of Denmark, Denmark
2 INRIA, Paris-Rocquencourt Center, POLSYS Project; UPMC Univ Paris 06, UMR 7606, LIP6, F-75005, Paris, France; CNRS, UMR 7606, LIP6, F-75005, Paris, France
3 Information Security Group, Royal Holloway, University of London, Egham, Surrey TW20 0EX, United Kingdom

maroa@dtu.dk, carlos.cid@rhul.ac.uk, jean-charles.faugere@inria.fr, robert.fitzpatrick.2010@live.rhul.ac.uk, ludovic.perret@lip6.fr

Abstract. This work presents a study of the complexity of the Blum-Kalai-Wasserman (BKW) algorithm when applied to the Learning with Errors (LWE) problem, by providing refined estimates for the data and computational effort requirements for solving concrete instances of the LWE problem. We apply this refined analysis to suggested parameters for various LWE-based cryptographic schemes from the literature and compare with alternative approaches based on lattice reduction. As a result, we provide new upper bounds for the concrete hardness of these LWE-based schemes. Rather surprisingly, it appears that the BKW algorithm outperforms known estimates for lattice reduction algorithms starting in dimension $n \geq 250$ when LWE is reduced to SIS. However, this assumes access to an unbounded number of LWE samples.

1 Introduction

LWE (Learning with Errors) is a generalisation for large moduli of the well-known LPN (Learning Parity with Noise) problem. It was introduced by Regev in [9] and has provided cryptographers with a remarkably flexible tool for building cryptosystems. For example, Gentry, Peikert and Vaikuntanathan presented in [17] LWE-based constructions of trapdoor functions and identity-based encryption. Moreover, in his recent seminal work Gentry [16] resolved one of the longest standing open problems in cryptography with a construction related to LWE: the first fully homomorphic encryption scheme. This was followed by further constructions of (fully) homomorphic encryption schemes based on the LWE problem, e.g. [5, 11]. Reasons for the popularity of LWE as a cryptographic primitive include its simplicity as well as convincing theoretical arguments regarding its hardness, namely, a reduction from worst-case lattice problems, such as the (decision) Shortest Vector Problem (GapSVP) and Short Independent Vectors Problem (SIVP), to average-case LWE [9, 10].

Definition 1 (LWE [9]). Let $n, q$ be positive integers, $\chi$ be a probability distribution on $\mathbb{Z}$ and $\mathbf{s}$ be a secret vector following the uniform distribution on $\mathbb{Z}_q^n$. We denote by $L_{\mathbf{s},\chi}$ the probability distribution on $\mathbb{Z}_q^n \times \mathbb{Z}_q$ obtained by choosing $\mathbf{a}$ from the uniform distribution on $\mathbb{Z}_q^n$, choosing $e \in \mathbb{Z}$ according to $\chi$, and returning $(\mathbf{a}, c) = (\mathbf{a}, \langle \mathbf{a}, \mathbf{s} \rangle + e) \in \mathbb{Z}_q^n \times \mathbb{Z}_q$.

Search-LWE is the problem of finding $\mathbf{s} \in \mathbb{Z}_q^n$ given pairs $(\mathbf{a}_i, c_i) \in \mathbb{Z}_q^n \times \mathbb{Z}_q$ sampled according to $L_{\mathbf{s},\chi}$.

Decision-LWE is the problem of deciding whether pairs $(\mathbf{a}_i, c_i) \in \mathbb{Z}_q^n \times \mathbb{Z}_q$ are sampled according to $L_{\mathbf{s},\chi}$ or the uniform distribution over $\mathbb{Z}_q^n \times \mathbb{Z}_q$.

The modulus $q$ is typically taken to be polynomial in $n$, and $\chi$ is the discrete Gaussian distribution on $\mathbb{Z}$ with mean 0 and standard deviation $\sigma = \alpha \cdot q$, for some $\alpha$.¹ For these choices it was shown in [9, 10] that if $\sqrt{2\pi}\sigma > \sqrt{n}$, then (worst-case) GapSVP-$\tilde{O}(n/\alpha)$ reduces to (average-case) LWE.

Motivation. While there is a reduction of LWE to (assumed) hard lattice problems [9], little is known about the concrete hardness of particular LWE instances. That is, given particular values for $\sigma$, $q$ and $n$, what is the computational cost to recover the secret using currently known algorithms? As a consequence of this gap, most proposals based on LWE do not provide concrete choices for parameters and restrict themselves to asymptotic statements about security, which can be considered unsatisfactorily vague for practical purposes. In fact we see this lack of precision as one of the several obstacles to the consideration of LWE-based schemes for real-world applications.

Previous Work. We may classify algorithms for solving LWE into two families. The first family reduces LWE to the problem of finding a short vector in the (scaled) dual lattice (commonly known as the Short Integer Solution (SIS) problem) constructed from a set of LWE samples. The second family solves the Bounded Distance Decoding (BDD) problem in the primal lattice. For both families lattice reduction algorithms may be applied. We may either use lattice reduction to find a short vector in the dual lattice or apply lattice reduction and (a variant of) Babai's algorithm to solve BDD [1]. Indeed, the expected complexity of lattice algorithms is often exclusively considered when parameters for LWE-based schemes are discussed. However, while the effort on improving lattice algorithms is intense [31, 1, 6, 15, 7, 19, 5, 8], our understanding of the behaviour of these algorithms in high dimensions is still limited. On the other hand, combinatorial algorithms for tackling the LWE problem remain rarely investigated from an algorithmic point of view. For example, the main subject of this paper, the BKW algorithm specifically applied to the LWE problem, has so far received no treatment in the literature.² However, since the BKW algorithm can be viewed as an oracle producing short vectors in the dual lattice spanned by the $\mathbf{a}_i$ (i.e., it reduces LWE to SIS) it shares some similarities with combinatorial (exact) SVP solvers. Finally, recently a new algorithm for LWE that reduces the problem to BDD but does not make calls to lattice reduction algorithms has been proposed: Arora and Ge [7] proposed a new algebraic technique for solving LWE. The algorithm has a total complexity (time and space) of $2^{\tilde{O}(\sigma^2)}$ and is thus subexponential when $\sigma \leq \sqrt{n}$, remaining exponential when $\sigma > \sqrt{n}$. It is worth noting that Arora and Ge achieve the $\sqrt{n}$ hardness threshold found by Regev [9], and thus provide a subexponential algorithm precisely in the region where the reduction to GapSVP fails. We note however that currently the main relevance of the Arora-Ge algorithm is asymptotic as the constants hidden in $\tilde{O}(\cdot)$ are rather large [3]; it is an open question whether one can improve its practical efficiency.

Contribution. Firstly, we present a detailed study of a dedicated version of the Blum, Kalai and Wasserman (BKW) algorithm [9] for LWE with discrete Gaussian noise. The BKW algorithm is known to have (time and space) complexity $2^{O(n)}$ when applied to LWE instances with a prime modulus polynomial in $n$ [9]; in this paper we provide both the leading constant of the exponent in $2^{O(n)}$ and concrete costs of BKW when applied to Search- and Decision-LWE. That is, by studying in detail all steps of the BKW algorithm, we de-asymptotic-ify the understanding of the hardness of LWE under the BKW algorithm and provide concrete values for the expected number of operations for solving instances of the LWE problem. More precisely, we show the following theorem in Section 3.

¹ It is common in the literature on LWE to parameterise discrete Gaussian distributions by $s = \sigma\sqrt{2\pi}$ instead of $\sigma$. Since we are mainly interested in the size of the noise, we deviate from this standard in this work.

² However, a detailed study of the algorithm in the LPN case was provided in [14], which in fact heavily inspired this work. The authors of [14] conducted a detailed analysis of the BKW algorithm as applied to LPN, while also giving revised security estimates for some HB-type authentication protocols relying on the hardness of LPN.

Theorem 1 (Search-LWE, simplified). Let $(\mathbf{a}_i, c_i)$ be samples following $L_{\mathbf{s},\chi}$, set $a = \lceil \log_2(1/(2\alpha)^2) \rceil$, $b = n/a$ and $q$ a prime. Let $d$ be a small constant $0 < d < \log_2(n)$. Assume $\alpha$ is such that $q^b = q^{n/a} = q^{n/\lceil \log_2(1/(2\alpha)^2) \rceil}$ is superpolynomial in $n$. Then, given these parameters, the cost of the BKW algorithm to solve Search-LWE is

$\left(\frac{q^b-1}{2}\right) \cdot \left(\frac{a(a-1)}{2} \cdot (n+1)\right) + \mathrm{poly}(n)$

operations in $\mathbb{Z}_q$. Furthermore, $a \cdot \frac{q^b}{2} + \mathrm{poly}(n)$ calls to $L_{\mathbf{s},\chi}$ and storage of $\frac{q^b}{2} \cdot a \cdot \left(n + 1 - b\frac{a-1}{2}\right) + \mathrm{poly}(n)$ elements in $\mathbb{Z}_q$ are needed.

We note that the above result is a corollary to our main theorem (Theorem 2) which depends on a value $m$. However, since at present no closed form expressing $m$ is known, the above simplified statement avoids $m$ by restricting choices on parameters of the algorithm. We also show the following simple corollary on the algorithmic hardness of Decision-LWE.

Corollary 1 (Decision-LWE). Let $(\mathbf{a}_i, c_i)$ be samples following $L_{\mathbf{s},\chi}$, $0 < b \leq n$ be a parameter, $0 < \epsilon < 1$ the targeted success rate and $a = n/b$ the addition depth. Then, the expected cost of the BKW algorithm to distinguish $L_{\mathbf{s},\chi}$ from random with success probability $\epsilon$ is

$\left(\frac{q^b-1}{2}\right) \cdot \left(\frac{a(a-1)}{2} \cdot (n+1) - \frac{ba(a-1)}{4} - \frac{b}{6}\left((a-1)^3 + \frac{3}{2}(a-1)^2 + \frac{1}{2}(a-1)\right)\right)$

additions/subtractions in $\mathbb{Z}_q$ to produce elimination tables, and

$\frac{a}{2} \cdot m \cdot (n+2)$ with $m = \epsilon / \exp\left(-\frac{\pi^2 \sigma^2 2^{a+1}}{q^2}\right)$

additions/subtractions in $\mathbb{Z}_q$ to produce samples. Furthermore, $a \cdot \frac{q^b}{2} + m$ calls to $L_{\mathbf{s},\chi}$ and storage for $\frac{q^b}{2} \cdot a \cdot \left(n + 1 - b\frac{a-1}{2}\right)$ elements in $\mathbb{Z}_q$ are needed.

This corollary is perhaps the more useful result for cryptographic applications which rely on Decision-LWE and do not assume a prime modulus $q$. Here, we investigate the search variant first because the decision variant follows easily. However, we emphasize that there are noticeable differences in the computational costs of the two variants. A reader only interested in Decision-LWE is invited to skip Sections 3.2 and 3.3. In Section 4, we apply the BKW algorithm to various parameter choices for LWE from the literature [9, 1, 5] and compare with alternative approaches in Section 5. It appears that the BKW algorithm outperforms known estimates for lattice reduction algorithms when LWE is reduced to SIS (called "Distinguishing" in [1]) starting in dimension $n \geq 250$ (but assuming access to an unbounded number of LWE samples). However, reducing LWE to BDD (called "Decoding" in [1]) and applying a combination of lattice reduction and decoding outperforms BKW for the parameter sets considered in this work. However, since the concrete behaviour of lattice reduction algorithms is not fully understood, the commonly used running-time estimates tend to be optimistic. In contrast, for combinatorial algorithms such as BKW, we have a much better understanding of the concrete complexity, leading to greater confidence in the recovered bounds. Finally, we report experimental results for small instances of LWE in Section 6.

2 Preliminaries

Gaussians. Let $N(\mu, \sigma)$ denote the Gaussian distribution with mean $\mu$ and standard deviation $\sigma$. The LWE problem considers a discrete Gaussian distribution over $\mathbb{Z}$ which is then reduced modulo $q$. This distribution in $\mathbb{Z}_q$ can be obtained by discretising the corresponding wrapped Gaussian distribution over the reals. To wrap $N(0, \sigma)$ mod $q$, we denote by $p(\phi)$ the probability density function determined by $\sigma$, define the periodic variable $\theta := \phi \bmod q$ and let

$\bar{p}(\theta) = \sum_{k=-\infty}^{\infty} p(\theta + qk)$ for $-q/2 < \theta \leq q/2$. (1)

As $k$ increases, the contribution of $p(\theta + qk)$ falls rapidly; in fact, exponentially fast [13]. Hence, we can pick a point at which we cut $\bar{p}(\theta)$ and work with this approximation. We denote the distribution sampled according to $\bar{p}$ and rounded to the nearest integer in the interval $]-q/2, q/2]$ by $\chi_{\alpha,q}$, where $\sigma = \alpha q$. That is,

$\Pr[X = x] = \int_{x-1/2}^{x+1/2} \bar{p}(t)\,dt.$ (2)

We note that, in our cases of interest, we can explicitly compute $\Pr[X = x]$ because both $q$ and $k$ are $\mathrm{poly}(n)$. We state a straightforward lemma which will be useful in our computations later.

Lemma 1. Let $X_0, \ldots, X_{m-1}$ be independent random variables, with $X_i \sim N(\mu, \sigma)$. Then their sum $X = \sum_{i=0}^{m-1} X_i$ is also normally distributed, with $X \sim N(m\mu, \sqrt{m}\sigma)$.

In the case of $X_i$ following a discrete Gaussian distribution, it does not necessarily follow that a sum of such random variables is distributed in a way analogous to the statement above. However, throughout this work, we assume that this does hold, i.e., that Lemma 1 applies to the discrete Gaussian case. While we do not know how to prove this, this assumption causes no apparent discrepancies in our experimental results. For a detailed discussion on sums of discrete Gaussian random variables, the interested reader is referred to [1].

Computational Model. We express concrete costs as computational costs and storage requirements. We measure the former in $\mathbb{Z}_q$ operations and the latter in the number of $\mathbb{Z}_q$ elements requiring storage. However, as the hardness of LWE is related to the quantity $n \log_2 q$ [10], relying on these measures would render results for different instances incommensurable. We hence normalise these magnitudes by considering bit-operations, where one ring operation in $\mathbb{Z}_q$ is equivalent to $\log_2 q$ such bit operations. The specific multiplier $\log_2 q$ is derived from the fact that the majority of operations are additions and subtractions in $\mathbb{Z}_q$ as opposed to multiplications in $\mathbb{Z}_q$. In particular, we ignore the cost of bookkeeping and of fixed-precision floating point operations occurring during the algorithm (where the precision is typically a small multiple of $n$, cf. Section 4).

We make the assumption that we have unrestricted access to an LWE oracle, allowing us to obtain a large number of independent LWE samples which may not be available in practice. This assumption is usually made for combinatorial algorithms and the Arora-Ge algorithm, while lattice reduction algorithms usually require only a small number of LWE samples. However, as we discuss later, the optimal strategies for employing lattice-based approaches for solving LWE appear to require executing a large number of small-advantage executions, each requiring independent LWE samples. While the cryptosystems considered in this work do not provide such an LWE oracle, it is known [30] that given roughly $n \log q$ LWE samples one can produce many more LWE samples at the cost of an increase in the noise through inter-addition. While employing these approaches would render our proofs inapplicable, it is assumed that in practice similar results would

still hold. Similar notions (in the case of LPN) were considered in [14], although, as in this work, the authors did not analyse the impact of these steps.

Notation. We always start counting at zero, and denote vectors in bold. Given a vector $\mathbf{a}$, we denote by $\mathbf{a}_{(i)}$ the $i$-th entry in $\mathbf{a}$, i.e., a scalar, and by $\mathbf{a}_{(i,j)}$ the subvector of $\mathbf{a}$ spanning the entries at indices $i, \ldots, j-1$. When given a list of vectors, we index its elements by subscript, e.g., $\mathbf{a}_0, \mathbf{a}_1, \mathbf{a}_2$, to denote the first three vectors of the list. When we write $(\mathbf{a}_i, c_i)$ we always mean the output of an oracle which should be clear from the context. In particular, $(\mathbf{a}_i, c_i)$ does not necessarily refer to samples following the distribution $L_{\mathbf{s},\chi}$.

3 The BKW Algorithm

The BKW algorithm was proposed by Blum, Kalai and Wasserman [9] as a method for solving the LPN problem, with sub-exponential complexity, requiring $2^{O(n/\log n)}$ samples and time. The algorithm can be adapted for tackling Search- and Decision-LWE, with complexity $2^{O(n)}$, when the modulus is taken to be polynomial in $n$.

To describe and analyse the BKW algorithm we use terminology and intuitions from linear algebra. Recall that noise-free linear systems of equations are solved by (a) transforming them into a triangular shape, (b) recovering a candidate solution in one variable for the univariate linear equation produced and (c) extending this solution by back substitution. Similarly, if we are only interested in deciding whether a linear system of equations does have a common solution, the standard technique is to produce a triangular basis and express other rows as linear combinations of this basis, i.e., to attempt to reduce them to zero.

The BKW algorithm when applied to Search-LWE can be viewed as consisting of three stages somewhat analogous to those of linear system solving: (a) sample reduction is a form of Gaussian elimination which, instead of treating each component independently, considers blocks of $b$ components per iteration, where $b$ is a parameter of the algorithm; (b) hypothesis testing tests candidate sub-solutions to recover components of the secret vector $\mathbf{s}$; (c) back substitution, such that the whole process can be continued on a smaller LWE instance.

On a high level, to aid intuition, if the standard deviation of $\chi$ was zero and hence all equations were noise-free, we could obviously recover $\mathbf{s}$ by simple Gaussian elimination. When we have non-zero noise, however, the number of row-additions conducted during Gaussian elimination results in the noise being amplified to such levels that recovery of $\mathbf{s}$ would generally be impossible. Thus the motivation behind the BKW algorithm can be thought of as using a greater number of rows but eliminating many variables with single additions of rows rather than just one. If we can perform a Gaussian elimination-like reduction of the sample matrix using few enough row additions, the resulting noise in the system is still low enough to allow us to recover one or a few components of $\mathbf{s}$ at a time. While, mainly for convenience of analysis, we choose a nested-oracle approach below to define the algorithm, the above intuitive approach is essentially equivalent.

The way we study the complexity of the BKW algorithm for solving the LWE problem is closely related to the method described in [14]: given an oracle that returns samples according to the probability distribution $L_{\mathbf{s},\chi}$, we use the algorithm's first stage to construct an oracle returning samples according to another distribution, which we call $B_{\mathbf{s},\chi,a}$, where $a = \lceil n/b \rceil$ denotes the number of levels of addition. The complexity of the algorithm is related to the number of operations performed in this transformation, to obtain the required number of samples for hypothesis testing. We now study the complexity of the first stage of the BKW algorithm.

3.1 Sample Reduction

Given $n \in \mathbb{Z}$, select a positive integer $b \leq n$ (the window width), and let $a := \lceil n/b \rceil$ (the addition depth). Given an LWE oracle (which by abuse of notation, we will also denote by $L_{\mathbf{s},\chi}$), we denote by $B_{\mathbf{s},\chi,l}$ a related oracle which outputs samples where the first $b \cdot l$ coordinates of each $\mathbf{a}_i$ are zero, generated under the distribution (which again by abuse of notation, we denote by $B_{\mathbf{s},\chi,l}$) obtained as follows: if $l = 0$, then $B_{\mathbf{s},\chi,0}$ is simply $L_{\mathbf{s},\chi}$; if $0 < l < a$, the distribution $B_{\mathbf{s},\chi,l}$ is obtained by taking the difference of two vectors from $B_{\mathbf{s},\chi,l-1}$ that agree on the elements $(\mathbf{a}_{(b(l-1))}, \mathbf{a}_{(b(l-1)+1)}, \ldots, \mathbf{a}_{(bl-1)})$.

We can then describe the first stage of the BKW algorithm as the (recursively constructed) series of sample oracles $B_{\mathbf{s},\chi,l}$, for $0 \leq l < a$. Indeed, we define $B_{\mathbf{s},\chi,0}$ as the oracle which simply returns samples from $L_{\mathbf{s},\chi}$, while $B_{\mathbf{s},\chi,l}$ is constructed from $B_{\mathbf{s},\chi,l-1}$, for $l \geq 1$. We will make use of a set of tables $T$ (maintained across oracle calls) to store (randomly-chosen) vectors that will be used to reduce samples arising from our oracles. More explicitly, given a parameter $b \leq n$ for the window width, and letting $a = \lceil n/b \rceil$, we can describe the oracle $B_{\mathbf{s},\chi,l}$ as follows:

1. For $l = 0$, we can obtain samples from $B_{\mathbf{s},\chi,0}$ by simply calling the LWE oracle $L_{\mathbf{s},\chi}$ and returning the output.

2. For $l = 1$, we repeatedly query the oracle $B_{\mathbf{s},\chi,0}$ to obtain (at most) $(q^b-1)/2$ samples $(\mathbf{a}, c)$ with distinct non-zero vectors for the first $b$ coordinates of $\mathbf{a}$. We only collect $(q^b-1)/2$ such vectors because we exploit the symmetry of $\mathbb{Z}_q$ and that of the noise distribution. We use these samples to populate the table $T^1$, indexed by the first $b$ entries of $\mathbf{a}$. We store $(\mathbf{a}, c)$ in the table. During the course of this population, whenever we obtain a sample $(\mathbf{a}, c)$ from $B_{\mathbf{s},\chi,0}$, if either the first $b$ entries of $\mathbf{a}$ (resp. their negation) match the first $b$ entries of a vector $\mathbf{a}'$ such that the pair $(\mathbf{a}', c')$ is already in $T^1$, we return $(\mathbf{a} \pm \mathbf{a}', c \pm c')$ as a sample from $B_{\mathbf{s},\chi,1}$. Note that, if the first $b$ entries in $\mathbf{a}$ are zero, we return $(\mathbf{a}, c)$ as a sample from $B_{\mathbf{s},\chi,1}$. Further calls to the oracle $B_{\mathbf{s},\chi,1}$ proceed in a similar manner, but using (and potentially adding entries to) the same table $T^1$.

3. For $1 < l < a$, we proceed as above: we make use of the table $T^l$ (constructed by calling $B_{\mathbf{s},\chi,l-1}$ up to $(q^b-1)/2$ times) to reduce any output sample from $B_{\mathbf{s},\chi,l-1}$ which has the entries in its $l$-th block already in $T^l$, to generate a sample from $B_{\mathbf{s},\chi,l}$.

Pseudo-code for the oracle $B_{\mathbf{s},\chi,l}$, for $0 < l < a$, is given in Algorithm 1 (the case $l = a$ will be discussed below).

Input: $b$, an integer $0 < b \leq n$
Input: $l$, an integer $0 < l < a$
begin
    $T^l \leftarrow$ array indexed by $\mathbb{Z}_q^b$ maintained across all runs of $B_{\mathbf{s},\chi,l}$;
    query $B_{\mathbf{s},\chi,l-1}$ to obtain $(\mathbf{a}, c)$;
    if $\mathbf{a}_{(b(l-1), bl)}$ is the all-zero vector then return $(\mathbf{a}, c)$;
    while $T^l_{\mathbf{a}_{(b(l-1), bl)}} = \emptyset$ and $T^l_{-\mathbf{a}_{(b(l-1), bl)}} = \emptyset$ do
        $T^l_{\mathbf{a}_{(b(l-1), bl)}} \leftarrow (\mathbf{a}, c)$;
        query $B_{\mathbf{s},\chi,l-1}$ to obtain $(\mathbf{a}, c)$;
        if $\mathbf{a}_{(b(l-1), bl)}$ is the all-zero vector then return $(\mathbf{a}, c)$;
    if $T^l_{\mathbf{a}_{(b(l-1), bl)}} \neq \emptyset$ then
        $(\mathbf{a}', c') \leftarrow T^l_{\mathbf{a}_{(b(l-1), bl)}}$;
        return $(\mathbf{a} - \mathbf{a}', c - c')$;
    else
        $(\mathbf{a}', c') \leftarrow T^l_{-\mathbf{a}_{(b(l-1), bl)}}$;
        return $(\mathbf{a} + \mathbf{a}', c + c')$;
Algorithm 1: $B_{\mathbf{s},\chi,l}$ for $0 < l < a$

Then, given an LWE oracle $L_{\mathbf{s},\chi}$ outputting samples of the form $(\mathbf{a}, \langle \mathbf{a}, \mathbf{s} \rangle + e)$, where $\mathbf{a}, \mathbf{s} \in \mathbb{Z}_q^n$, the oracle $B_{\mathbf{s},\chi,a-1}$ can be seen as another LWE oracle outputting samples of the form $(\mathbf{a}', \langle \mathbf{a}', \mathbf{s}' \rangle + e')$, where $\mathbf{a}', \mathbf{s}' \in \mathbb{Z}_q^k$, with $k = n \bmod b$, if $b$ does not divide $n$, or $k = b$ otherwise, and $e'$ is generated with a different distribution (related to the original error distribution and the value $a$). The vector $\mathbf{s}'$ is defined to be the last $k$ components of $\mathbf{s}$. For the remainder of this section we will assume that $n \bmod b = 0$, and therefore $k = b$ (this is done to simplify the notation, but all the results obtained can be easily adapted when the last block has length $k < b$).

We note that, in our analysis below, we make the assumption for simplicity that all tables are completely filled during the elimination stage of the algorithm, thus giving conservative time and space bounds. In practice, especially in the final tables, this will not be the case and birthday-paradox arguments could be applied to derive a more realistic (lower) complexity. Typically, if the number of samples required for hypothesis testing is small, the birthday paradox implies that the storage required for the final table can be reduced by a square-root factor.

Moreover, in this work we introduce an additional parameter $d$ which does not exist in the original BKW algorithm [9]. This parameter is used to reduce the number of hypotheses that need to be tested in the second stage of the algorithm, and arises from the fact that we work with primes $q > 2$. At times, instead of working with the last block of length $b$, which could lead to potentially exponentially many hypotheses $q^b$ to be tested, we may employ a final reduction phase $B_{\mathbf{s},\chi,a}$ to reduce the samples to $d < b$ non-zero entries in $\mathbf{a}$. Thus $d$ will represent the number of components in our final block, i.e., the number of elements of the secret over which we conduct hypothesis tests. So after running the $B_{\mathbf{s},\chi,a-1}$ algorithm, we may decide to split the final block to obtain vectors over $\mathbb{Z}_q^d$. If so, we run the reduction function described above once more, which we will denote by $B_{\mathbf{s},\chi,a}$. In the simple case where we do not split the last block (i.e., $d = b$), we adopt the convention that we will also call the $B_{\mathbf{s},\chi,a}$ function, but it will perform no extra action (i.e., it simply calls $B_{\mathbf{s},\chi,a-1}$). Thus we have that for a choice of $0 \leq d \leq b$, the oracle $B_{\mathbf{s},\chi,a}$ will output samples of the form $(\mathbf{a}', \langle \mathbf{a}', \mathbf{s}' \rangle + e')$, where $\mathbf{a}', \mathbf{s}' \in \mathbb{Z}_q^d$. We pick $d = 0$ in the decision variant.

On choosing $b$ and $d$. In general, as discussed above, choosing the parameter $d$ to be small (e.g. 1 or 2) leads to the best results. However, in general one could also relax the condition $d \leq b$ to $d \leq n$, where $d = n$ is equivalent to straightforward exhaustive search. Finally, a natural question is: should all the blocks be of equal length or should some be shorter than others? Intuitively, choosing blocks which are all of equal size (or as close as possible) appears to be the optimal strategy, though we do not formally investigate this here. To ease the presentation, we assume throughout this paper that this is the case.

From the constructions above, it follows that the cost of one call to $B_{\mathbf{s},\chi,l}$ is at most $q^b/2$ calls to $B_{\mathbf{s},\chi,l-1}$. We also need at most one addition of two outputs of $B_{\mathbf{s},\chi,l-1}$, which have the first $lb$ entries in common (up to sign). This operation requires $n + 1 - lb$ additions in $\mathbb{Z}_q$. Furthermore, since we maintain $T^l$ across different runs of $B_{\mathbf{s},\chi,l}$, this cost is amortised across different runs of $B_{\mathbf{s},\chi,l}$. Hence, when $l > 0$ the cost of calling $B_{\mathbf{s},\chi,l}$ a total of $m$ times is upper bounded by:

$m + \frac{q^b - 1}{2}$ calls to $B_{\mathbf{s},\chi,l-1}$ and $m$ additions of outputs of $B_{\mathbf{s},\chi,l-1}$.

Overall we obtain Lemma 2.

Lemma 2. Let $n \geq 1$ be the dimension of the LWE secret vector, $q$ be a positive integer, and $d, b \in \mathbb{Z}$ with $1 \leq d \leq b \leq n$, and define $a = \lceil n/b \rceil$. The cost of calling $B_{\mathbf{s},\chi,a}$, which returns samples $(\mathbf{a}_i, c_i)$ with at most the $d$ rightmost entries of $\mathbf{a}_i$ non-zero, $m$ times is upper bounded by

$\left(\frac{q^b-1}{2}\right) \cdot \left(\frac{a(a-1)}{2} \cdot (n+1) - \frac{ba(a-1)}{4} - \frac{b}{6}\left((a-1)^3 + \frac{3}{2}(a-1)^2 + \frac{1}{2}(a-1)\right)\right) + m \cdot \frac{a}{2} \cdot (n+2) < \left(\frac{q^b-1}{2}\right) \cdot \frac{a(a-1)}{2} \cdot (n+1) + m \cdot \frac{a}{2} \cdot (n+2)$

additions in $\mathbb{Z}_q$ and $a \cdot \frac{q^b}{2} + m$ calls to $L_{\mathbf{s},\chi}$.

Proof. We may think of the $B_{\mathbf{s},\chi,l}$ oracles as constructing the matrix

$B = \begin{pmatrix} T^1 \\ T^2 \\ T^3 \\ \vdots \\ T^{a-1} \\ T^a \\ M \end{pmatrix}$

where, for $1 \leq i \leq a-1$, $T^i$ represents a submatrix of $(q^b-1)/2$ rows and $n + 1 - (i-1)b$ columns (the $+1$ accounts for the $c_i$ column). According to our convention, $T^a$ is either a submatrix of $(q^{b-d}-1)/2$ rows and $n + 1 - (a-1)b$ columns if we split the last block (i.e. $d < b$), or an empty matrix. Finally $M$ represents a submatrix with $m$ rows and $d + 1$ columns. The matrix $B$ has therefore at most $(a-1)((q^b-1)/2) + ((q^{b-d}-1)/2) + m < a \cdot q^b/2 + m$ rows and hence needs as many calls to $L_{\mathbf{s},\chi}$ to be constructed. This proves the second claim.

For the upper bound on the number of additions necessary in $\mathbb{Z}_q$, we have the following (we treat the worst case, where full construction of all $T$ tables is necessary before obtaining any samples from $B_{\mathbf{s},\chi,a}$). The construction of $a$ $T$-tables is required, only $a-1$ (at most) of which require additions.

1. The construction of table $T^1$ requires 0 ring additions.

2. The construction of table $T^2$ requires at most $((q^b-1)/2) \cdot (n+1-b)$ additions.

3. The construction of table $T^3$ requires at most $((q^b-1)/2) \cdot ((n+1-b) + (n+1-2b))$ additions.

4. In general, for $2 < i < a$, the construction of table $T^i$ requires at most

$\left(\frac{q^b-1}{2}\right) \cdot \sum_{j=1}^{i-1} (n + 1 - jb) = \left(\frac{q^b-1}{2}\right) \cdot (i-1) \cdot \left((n+1) - \frac{ib}{2}\right)$ additions.

5. The construction of $T^a$: the above expression is an upper bound for $i = a$.

6. Thus, the construction of all the $T^i$ tables requires at most

$\sum_{j=2}^{a} \left(\frac{q^b-1}{2}\right) \cdot (j-1) \cdot \left((n+1) - \frac{jb}{2}\right) = \left(\frac{q^b-1}{2}\right) \cdot \left(\frac{a(a-1)}{2} \cdot (n+1) - \frac{b}{2} \sum_{k=1}^{a-1} k(k+1)\right)$

$= \left(\frac{q^b-1}{2}\right) \cdot \left(\frac{a(a-1)}{2} \cdot (n+1) - \frac{ba(a-1)}{4} - \frac{b}{6}\left((a-1)^3 + \frac{3}{2}(a-1)^2 + \frac{1}{2}(a-1)\right)\right)$

additions in $\mathbb{Z}_q$.

7. Now, for the construction of our $m$ final samples, the construction of each of these samples requires at most

$(n+1-b) + (n+1-2b) + \cdots + (n+1-ab) = \sum_{i=1}^{a} (n + 1 - ib) < \frac{a}{2} \cdot (2(n+1) - n) = \frac{a}{2} \cdot (n+2)$

additions (in $\mathbb{Z}_q$).

8. Thus, the number of additions (in $\mathbb{Z}_q$) incurred through calling $B_{\mathbf{s},\chi,a}$ $m$ times is upper bounded by:

$\left(\frac{q^b-1}{2}\right) \cdot \left(\frac{a(a-1)}{2} \cdot (n+1) - \frac{ba(a-1)}{4} - \frac{b}{6}\left((a-1)^3 + \frac{3}{2}(a-1)^2 + \frac{1}{2}(a-1)\right)\right) + m \cdot \frac{a}{2} \cdot (n+2)$

and this concludes the proof of the lemma.

The memory requirements for storing the tables $T^i$ are established in Lemma 3 below.

Lemma 3. Let $n \geq 1$ be the dimension of the secret, $q$ be a positive integer, and $d, b \in \mathbb{Z}$ with $1 \leq d \leq b \leq n$, and define $a = \lceil n/b \rceil$. The memory required to store the tables $T^i$ is upper bounded by

$\frac{q^b}{2} \cdot a \cdot \left(n + 1 - b\frac{a-1}{2}\right)$

$\mathbb{Z}_q$ elements, each of which requires $\lceil \log_2(q) \rceil$ bits of storage.

Proof. The table $T^1$ has $q^b/2$ entries each of which holds $n+1$ elements of $\mathbb{Z}_q$. The table $T^2$ has the same number of entries but holds only $n + 1 - b$ elements of $\mathbb{Z}_q$. Overall, we get that all tables together hold

$\sum_{i=1}^{a} \frac{q^b}{2} \cdot (n + 1 - (i-1)b) = \frac{q^b}{2} \sum_{i=1}^{a} (n + 1 - (i-1)b) = \frac{q^b}{2} \cdot a \cdot \left(n + 1 - b\frac{a-1}{2}\right)$

$\mathbb{Z}_q$ elements.
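The following is an added example written for this page, not code from the paper or its authors: it implements the nested oracles $B_{\mathbf{s},\chi,l}$ of Algorithm 1 (including the optional final reduction to $d$ entries) over a toy LWE oracle, counts ring additions, oracle calls and stored $\mathbb{Z}_q$ elements exactly as the proofs of Lemma 2 and Lemma 3 count them, and compares one run against those upper bounds. The parameters $(n, q, b, d, \sigma, m)$ and the helper names (`LWEOracle`, `BKWReduction`, `run`, and the `lemma*` functions) are my own constructions; the Gaussian sampler is a simple rounded continuous Gaussian, not the wrapped distribution of equation (2).

```python
import math
import random


class LWEOracle:
    """L_{s,chi}: returns (a, <a, s> + e mod q) with e a rounded Gaussian of
    standard deviation sigma (toy sampler constructed for this example)."""

    def __init__(self, n, q, sigma, rng):
        self.n, self.q, self.sigma, self.rng = n, q, sigma, rng
        self.s = [rng.randrange(q) for _ in range(n)]
        self.calls = 0

    def sample(self):
        self.calls += 1
        a = [self.rng.randrange(self.q) for _ in range(self.n)]
        e = round(self.rng.gauss(0.0, self.sigma))
        return a, (sum(x * y for x, y in zip(a, self.s)) + e) % self.q


class BKWReduction:
    """Oracles B_{s,chi,l}, 0 <= l <= a, sharing the tables T^l across calls."""

    def __init__(self, lwe, b, d):
        assert lwe.n % b == 0 and 0 <= d <= b, "example assumes b | n and d <= b"
        self.lwe, self.b, self.d = lwe, b, d
        self.a = lwe.n // b
        self.tables = [dict() for _ in range(self.a + 1)]  # T^1 .. T^a; index 0 unused
        self.additions = 0

    def _combine(self, a1, c1, a2, c2, sign, zero_prefix):
        # The first zero_prefix entries cancel by construction, so as in the
        # proof of Lemma 2 only n + 1 - zero_prefix ring additions are counted.
        q = self.lwe.q
        self.additions += len(a1) + 1 - zero_prefix
        a = [(x + sign * y) % q for x, y in zip(a1, a2)]
        assert not any(a[:zero_prefix])
        return a, (c1 + sign * c2) % q

    def query(self, l):
        """One sample from B_{s,chi,l}: the first b*l entries of a are zero
        (for l = a, all but the last d entries are zero)."""
        if l == 0:
            return self.lwe.sample()
        q, lo = self.lwe.q, self.b * (l - 1)
        width = self.b if l < self.a else self.b - self.d  # d = b: B_a just forwards B_{a-1}
        T = self.tables[l]
        while True:
            a, c = self.query(l - 1)
            key = tuple(a[lo:lo + width])
            if not any(key):
                return a, c                  # block already zero: pass it through
            neg = tuple((-x) % q for x in key)
            if key in T:
                a2, c2 = T[key]
                return self._combine(a, c, a2, c2, -1, lo + width)
            if neg in T:                      # symmetry of Z_q: one entry serves +key and -key
                a2, c2 = T[neg]
                return self._combine(a, c, a2, c2, +1, lo + width)
            T[key] = (a, c)                   # fill the table and keep querying

    def stored_elements(self):
        """Z_q elements held by all tables, counting n + 1 - (l-1)b per entry of T^l as in Lemma 3."""
        n, b = self.lwe.n, self.b
        return sum(len(T) * (n + 1 - (l - 1) * b) for l, T in enumerate(self.tables) if l >= 1)


def lemma2_additions(n, q, b, m):
    """Upper bound of Lemma 2 on Z_q additions for m calls to B_{s,chi,a}."""
    a = n // b
    tables = (q ** b - 1) / 2 * (a * (a - 1) / 2 * (n + 1) - b * a * (a - 1) / 4
                                 - b / 6 * ((a - 1) ** 3 + 1.5 * (a - 1) ** 2 + 0.5 * (a - 1)))
    return tables + m * a / 2 * (n + 2)


def lemma2_calls(n, q, b, m):
    return (n // b) * q ** b / 2 + m


def lemma3_storage(n, q, b):
    a = n // b
    return q ** b / 2 * a * (n + 1 - b * (a - 1) / 2)


def bit_operations(additions, q):
    """Normalisation of the Computational Model: one Z_q addition = log2(q) bit operations."""
    return additions * math.log2(q)


def run(n=8, q=11, b=2, d=1, sigma=0.5, m=20, seed=1):
    rng = random.Random(seed)
    lwe = LWEOracle(n, q, sigma, rng)
    bkw = BKWReduction(lwe, b, d)
    samples = [bkw.query(bkw.a) for _ in range(m)]
    return {"n": n, "q": q, "d": d, "secret": lwe.s, "samples": samples,
            "additions": bkw.additions, "additions_bound": lemma2_additions(n, q, b, m),
            "calls": lwe.calls, "calls_bound": lemma2_calls(n, q, b, m),
            "stored": bkw.stored_elements(), "stored_bound": lemma3_storage(n, q, b),
            "bit_ops": bit_operations(bkw.additions, q)}


if __name__ == "__main__":
    r = run()
    for k in ("additions", "calls", "stored"):
        print(k, r[k], "<=", r[k + "_bound"])
```

With $\sigma = 0$ the toy oracle is noise-free, so every final sample satisfies $c \equiv \langle \mathbf{a}, \mathbf{s} \rangle \pmod q$ exactly; with noise, the variance grows by $2^a$ as described in Section 3.2, which is what makes the window width $b$ a trade-off between table size and noise.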

Note however that, while the original LWE oracle $L_{\mathbf{s},\chi}$ may output zero vectors (which offer no information for the hypothesis tests in the search variant) with probability $q^{-n}$, the oracle $B_{\mathbf{s},\chi,a}$ may output such zero vectors with noticeable probability. In particular, calling $B_{\mathbf{s},\chi,a}$ $m$ times does not guarantee that we get $m$ samples with non-zero coefficients in $\mathbf{a}_i$. The probability of obtaining a zero vector from $B_{\mathbf{s},\chi,a}$ is $1/q^d$, and thus we expect to have to call the oracle $B_{\mathbf{s},\chi,a}$ around $q^d/(q^d-1) \cdot m$ times to obtain $m$ useful samples with good probability.

3.2 Hypothesis Testing

To give concrete estimates for the time and data complexity of solving a Search-LWE instance using BKW, we formulate the problem of solving an LWE instance as the problem of distinguishing between two different distributions. Assume we have $m$ samples in $\mathbb{Z}_q^d \times \mathbb{Z}_q$ from $B_{\mathbf{s},\chi,a}$. It follows that we have $|\mathbb{Z}_q^d|$ hypotheses to test. In what follows, we examine each hypothesis in turn and derive a hypothesised set of noise values as a result (each one corresponding to one of the $m$ samples). We show that if we have guessed incorrectly for the subvector $\mathbf{s}'$ of $\mathbf{s}$ then the distribution of these hypothesised noise elements will be (almost) uniform, while if we guess correctly then these hypothesised noise elements will be distributed according to $\chi_a$. That is, if we have that the noise distribution associated with samples from $L_{\mathbf{s},\chi}$ is $\chi = \chi_{\alpha,q}$, then it follows from Lemmas 1 and 2 that the noise distribution of samples obtained from $B_{\mathbf{s},\chi,l}$ follows $\chi_{\sqrt{2^l}\alpha, q}$ if all inputs are independent, i.e., we are adding $2^l$ discrete Gaussians and produce a discrete Gaussian with standard deviation increased by a factor of $\sqrt{2^l}$. For the sake of simplicity, we denote this distribution by $\chi_l$ in the remainder of this work and also assume that the oracle $B_{\mathbf{s},\chi,a}$ performs non-trivial operations on the output of $B_{\mathbf{s},\chi,a-1}$, i.e., the oracle $B_{\mathbf{s},\chi,a}$ performs a further reduction step. In other words, we assume that the final oracle $B_{\mathbf{s},\chi,a}$ results in a further increase in the standard deviation of the noise distribution associated with the final samples which are used to test hypotheses for elements of $\mathbf{s}$. We hence make the following assumption in this section:

Assumption 1. If we let $\mathbf{s}' := \mathbf{s}_{(n-d, n)} = (\mathbf{s}_{(n-d)}, \ldots, \mathbf{s}_{(n-1)})$, then the output of $B_{\mathbf{s},\chi,a}$ is generated as

$\mathbf{a} \leftarrow_\$ \mathbb{Z}_q^d,\ e \leftarrow_\$ \chi_a : (\mathbf{a}, \langle \mathbf{a}, \mathbf{s}' \rangle + e).$

Remark 1. This section only refers to the Search-LWE problem in which we assume $q$ is prime for ease of analysis and exposition. This restriction does not apply to our results below on the decision variant.

For our hypothesis-testing strategies, we think of each of the samples returned by $B_{\mathbf{s},\chi,a}$ as giving rise to many equations

$f_i = c_i \pm j + \sum_{k=0}^{d-1} (\mathbf{a}_i)_{(k)} x_{(k)}$ for $0 \leq j < q/2$.

Given a number of these samples, in order to get an estimate for $\mathbf{s}'$, we run through $q^d$ hypotheses and compute an array of scores $S$ indexed by the possible guesses in $\mathbb{Z}_q^d$. That is, a function $W$ assigns a weight to elements in $\mathbb{Z}_q$ which represent the noise under the hypothesis $\mathbf{s}' = \mathbf{v}$. For each guess $\mathbf{v}$ we sum over the weighted noises $W\left(-c_i + \sum_{k=0}^{d-1} (\mathbf{a}_i)_{(k)} \mathbf{v}_{(k)}\right)$. If $W$ is such that the counter $S_{\mathbf{v}}$ grows proportionally to the likelihood that $\mathbf{v}$ is the correct guess, then the counter $S_{\mathbf{s}'}$ will grow fastest. Pseudo-code is given in Algorithm 2.

Input: $F$, a set of $m$ samples following $B_{\mathbf{s},\chi,a}$
Input: $W$, a weight function mapping members of $\mathbb{Z}_q$ to real numbers
begin
    $S \leftarrow$ array filled with zeros indexed by $\mathbb{Z}_q^d$;
    for $\mathbf{v} \in \mathbb{Z}_q^d$ do
        $w_{\mathbf{v}} \leftarrow \emptyset$;
        for $f_i \in F$ do
            write $f_i$ as $c_i + \sum_{k=0}^{d-1} (\mathbf{a}_i)_{(k)} x_{(k)}$;
            $j \leftarrow \langle \mathbf{a}_i, \mathbf{v} \rangle - c_i$;
            $w_{\mathbf{v}} \leftarrow w_{\mathbf{v}} \cup \{W(j)\}$;
        $S_{\mathbf{v}} \leftarrow \sum_{w_i \in w_{\mathbf{v}}} w_i / m$;
    return $S$
Algorithm 2: Analysing candidates.

Lemma 4. Running hypothesis testing costs $m \cdot q^d$ operations in $\mathbb{Z}_q$.

Proof. Evaluating $\langle \mathbf{a}_i, \mathbf{v} \rangle - c_i$ at some point in $\mathbb{Z}_q^d$ naively costs $d$ operations in $\mathbb{Z}_q$, which implies an overall cost of $d \cdot m \cdot q^d$. However, we can reorder the elements in $\mathbb{Z}_q^d$ such that the element at index $h$ differs from the element at index $h+1$ by an addition of a unit vector in $\mathbb{Z}_q^d$. Evaluating $\langle \mathbf{a}_i, \mathbf{v} \rangle - c_i$ on all $\mathbb{Z}_q^d$ points ordered in such a way reduces to one operation in $\mathbb{Z}_q$: addition of $\mathbf{a}_{i,(j)}$ where $j$ is the index at which two consecutive elements differ. Hence, Algorithm 2 costs $m \cdot q^d$ operations in $\mathbb{Z}_q$.

Recall that $\chi_a$ is the distribution of the errors under a right guess. Now, let $U_a$ denote the distribution of errors under a wrong guess $\mathbf{v} \neq \mathbf{s}'$. By the Neyman-Pearson Lemma, the most powerful test of whether samples follow one of two known distributions is the log-likelihood ratio. Hence, for $j$, with $-q/2 \leq j \leq q/2$, we set:

$W(j) := \log\left(\frac{\Pr[e \leftarrow_\$ \chi_a : e = j]}{\Pr[e \leftarrow_\$ U_a : e = j]}\right).$ (3)

Next, we establish the relation between $p'_j := \Pr[e \leftarrow_\$ U_a : e = j]$ and $p_j := \Pr[e \leftarrow_\$ \chi_a : e = j]$.

Lemma 5. Given a wrong guess $\mathbf{v}$ for $\mathbf{s}'$, for each element $f_i = c_i + \sum_{k=0}^{d-1} (\mathbf{a}_i)_{(k)} x_{(k)} \in \mathbb{Z}_q[x]$ (with $c_i = \langle \mathbf{a}_i, \mathbf{s}' \rangle + e_i$), the probability of error $j$ appearing is

$p'_j := \Pr[e \leftarrow_\$ U_a : e = j] = \frac{q^{d-1} - p_j}{q^d - 1}$ (4)

if $q$ is prime.

Proof. We write $\mathbf{v} = \mathbf{s}' + \mathbf{t}$. Since $\mathbf{v}$ is a wrong guess, we must have $\mathbf{t} \neq 0$. For a fixed $\mathbf{s}'$ and for $\mathbf{a}_i, \mathbf{t} \neq 0$, it holds that:

$p'_j = \Pr[e \leftarrow_\$ U_a : e = j] = \Pr[\langle \mathbf{a}_i, \mathbf{v} \rangle - c_i = j] = \Pr[\langle \mathbf{a}_i, \mathbf{t} \rangle - e_i = j] = \sum_{y=-\lfloor q/2 \rfloor}^{\lfloor q/2 \rfloor} \left( \Pr\left[\sum_{k=0}^{d-1} \mathbf{a}_{i(k)} \mathbf{t}_{(k)} = y\right] \cdot \Pr[j + e_i = y] \right).$

This is equal to:
$$\sum_{y=-\lfloor q/2\rfloor}^{-1} \Pr\Big[\sum_{k=0}^{d-1} a_{i(k)}\, t_{(k)} = y\Big]\Pr[j + e_i = y] + \sum_{y=1}^{\lfloor q/2\rfloor} \Pr\Big[\sum_{k=0}^{d-1} a_{i(k)}\, t_{(k)} = y\Big]\Pr[j + e_i = y] + \Pr\Big[\sum_{k=0}^{d-1} a_{i(k)}\, t_{(k)} = 0\Big]\Pr[e_i = -j].$$
Now, since our q is prime, for any two non-zero elements $y, z \in \mathbb{Z}_q$, we have that:
$$\Pr\Big[\sum_{k=0}^{d-1} a_{i(k)}\, t_{(k)} = y\Big] = \Pr\Big[\sum_{k=0}^{d-1} a_{i(k)}\, t_{(k)} = z\Big].$$
We denote this probability by $p_{(\neq 0)}$. Conversely, we denote the probability of obtaining $\langle a_i, t\rangle = 0$ by $p_{(=0)}$. Then we clearly have $p_{(\neq 0)} = \frac{1 - p_{(=0)}}{q - 1}$. Thus we can write:
$$p'_j = p_{(\neq 0)} \sum_{y=-\lfloor q/2\rfloor}^{-1} \Pr[j + e_i = y] + p_{(\neq 0)} \sum_{y=1}^{\lfloor q/2\rfloor} \Pr[j + e_i = y] + \Pr\Big[\sum_{k=0}^{d-1} a_{i(k)}\, t_{(k)} = 0\Big]\Pr[e_i = -j].$$
Note that
$$1 - p_{-j} = \Pr[e_i \leftarrow_\$ \chi_a : e_i \neq -j] = \sum_{y=-\lfloor q/2\rfloor}^{-1} \Pr[j + e_i = y] + \sum_{y=1}^{\lfloor q/2\rfloor} \Pr[j + e_i = y].$$
By definition, $p_{-j} = p_j$. Thus:
$$p'_j = p_{(\neq 0)}\,(1 - p_j) + p_{(=0)}\, p_j.$$
Now, to determine $p_{(=0)}$, the exclusion of zero-vectors from the set of all possible dot products reduces the number of zero dot products from $q^d + q^{2d-1} - q^{d-1}$ to $q^{2d-1} - q^{d-1} - q^d + 1$. Thus we have that the probability of obtaining a zero dot product is:
$$p_{(=0)} = \frac{q^{2d-1} - q^{d-1} - q^d + 1}{q^{2d} - 2q^d + 1} = \frac{q^{d-1} - 1}{q^d - 1}.$$
Thus, we have:
$$p'_j = (1 - p_j)\,\frac{q^{d-1}}{q^d - 1} + p_j\,\frac{q^{d-1} - 1}{q^d - 1} = \frac{q^{d-1} - p_j}{q^d - 1}$$
as required. □

For the final backsubstitution stage, we wish to ensure that the score for the correct guess $v = s'$ is highest among the entries of S. Thus, what remains to be established is the size $m = |F|$ needed such that the score for the right guess $v = s'$ is the highest. Under our sample independence assumptions, by the Central Limit theorem, the distribution of $S_v$ approaches a Normal distribution as m increases. Hence, for sufficiently large m we may approximate the discrete distribution $S_v$ by a normal distribution [8]. If $\mathcal{N}(\mu, \sigma)$ denotes a Normal distribution with mean μ and standard deviation σ, we denote the distribution for $v = s'$ by $D_c = \mathcal{N}(E_c, \mathrm{Var}_c)$ and for $v \neq s'$ by $D_w = \mathcal{N}(E_w, \mathrm{Var}_w)$. Establishing m hence first of all means establishing $E_c$, $E_w$, $\mathrm{Var}_c$ and $\mathrm{Var}_w$. We start with $E_c$.

Lemma 6. Let $(a_0, c_0), \dots, (a_{m-1}, c_{m-1})$ be samples following $B_{s,\chi,a}$, q be a positive integer, $v \in \mathbb{Z}_q^d$, $p_j := \Pr(e \leftarrow_\$ \chi_a : e = j)$, $w_j := W(j)$ and $S_v = \frac{1}{m}\sum_{i=0}^{m-1} W(\langle a_i, v\rangle - c_i)$. When $v = s'$, $E(S_v)$ is given by:
$$E_c = E(S_v \mid v = s') = \sum_{j=-\lfloor q/2\rfloor}^{\lfloor q/2\rfloor} p_j\, w_j = p_0 w_0 + 2\sum_{j=1}^{\lfloor q/2\rfloor} p_j\, w_j. \quad (5)$$

Proof. First, we remark that:
$$\Pr[\langle a_i, s'\rangle = c_i + u] = \Pr[\langle a_i, s'\rangle = \langle a_i, s'\rangle + e_i + u] = \Pr[-e_i = u] = p_u.$$
The expected value for $S_v$ in the case of a correct guess is then given by:
$$E_c := E(S_v \mid v = s') = \sum_{j=-\lfloor q/2\rfloor}^{\lfloor q/2\rfloor} \Pr[e_i = j]\cdot W(j) = \sum_{j=-\lfloor q/2\rfloor}^{\lfloor q/2\rfloor} p_j\, w_j.$$
Finally, for all j, $1 \le j \le \lfloor q/2\rfloor$, we have $p_j w_j = p_{-j} w_{-j}$. Thus:
$$\sum_{j=-\lfloor q/2\rfloor}^{\lfloor q/2\rfloor} p_j\, w_j = p_0 w_0 + 2\sum_{j=1}^{\lfloor q/2\rfloor} p_j\, w_j. \qquad □$$

We now examine $E_w = E(S_v \mid v \neq s')$. To begin with, we fix a wrong guess v, such that $v = s' + t$ with $t \neq 0$.

Lemma 7. Let $(a_0, c_0), \dots, (a_{m-1}, c_{m-1})$ be samples following $B_{s,\chi,a}$, q be a positive integer, $v \in \mathbb{Z}_q^d$, $p'_j := \Pr(e \leftarrow_\$ U_a : e = j)$, $p_j := \Pr(e \leftarrow_\$ \chi_a : e = j)$, $w_j := W(j)$, and $S_v = \frac{1}{m}\sum_{i=0}^{m-1} W(\langle a_i, v\rangle - c_i)$. If $v \neq s'$, we have:
$$E_w = E(S_v \mid v \neq s') = \sum_{j=-\lfloor q/2\rfloor}^{\lfloor q/2\rfloor} p'_j\, w_j = \sum_{j=-\lfloor q/2\rfloor}^{\lfloor q/2\rfloor} \frac{q^{d-1} - p_j}{q^d - 1}\, w_j. \quad (6)$$

Since the proof of Lemma 7 is analogous to Lemma 6 we omit it here. We now look at the variances $\mathrm{Var}_c$ and $\mathrm{Var}_w$.

Lemma 8. Let $(a_0, c_0), \dots, (a_{m-1}, c_{m-1})$ be samples following $B_{s,\chi,a}$, q be a positive integer, $v \in \mathbb{Z}_q^d$, $p_j := \Pr(e \leftarrow_\$ \chi_a : e = j)$, $p'_j := \Pr(e \leftarrow_\$ U_a : e = j)$, $w_j := W(j)$ and $S_v = \frac{1}{m}\sum_{i=0}^{m-1} W(\langle a_i, v\rangle - c_i)$. If $v = s'$, then
$$\mathrm{Var}_c := \mathrm{Var}(S_v \mid v = s') = \frac{1}{m}\sum_{j=-\lfloor q/2\rfloor}^{\lfloor q/2\rfloor} p_j\,(w_j - E_c)^2. \quad (7)$$
If $v \neq s'$, then
$$\mathrm{Var}_w := \mathrm{Var}(S_v \mid v \neq s') = \frac{1}{m}\sum_{j=-\lfloor q/2\rfloor}^{\lfloor q/2\rfloor} p'_j\,(w_j - E_w)^2. \quad (8)$$

Proof. In the case of $v = s'$ we have that for $m = 1$,
$$\mathrm{Var}_c = \sum_{j=-\lfloor q/2\rfloor}^{\lfloor q/2\rfloor} p_j\,(w_j - E_c)^2.$$
In the case of adding then normalising m samples we can use the fact that when adding random variables of zero covariance, the sum of the variances is the variance of the sum. Thus the variance in the case of adding m samples and normalising is given by:
$$\mathrm{Var}_c = m\sum_{j=-\lfloor q/2\rfloor}^{\lfloor q/2\rfloor} p_j\left(\frac{w_j}{m} - \frac{E_c}{m}\right)^2 = \frac{1}{m^2}\, m\sum_{j=-\lfloor q/2\rfloor}^{\lfloor q/2\rfloor} p_j\,(w_j - E_c)^2.$$
A similar argument holds in the case of $\mathrm{Var}_w$. □

Finally, given $E_c$, $E_w$, $\mathrm{Var}_c$, and $\mathrm{Var}_w$, we can estimate the rank of the right secret in dependence of the number of samples m considered. We denote by $Y_h$ the random variable determined by the rank of a correct score $S_{s'}$ in a list of h elements. Now, for a list of length $q^d$ and a given rank $0 \le r < q^d$, the probability of $Y_{q^d}$ taking rank r is given by a binomial-normal compound distribution. Finally, we get Lemma 9, which essentially states that for whatever score the right secret gets, in order for it to have rank zero the remaining $q^d - 1$ secrets must have smaller scores.

Lemma 9. Let $E_c$, $E_w$, $\mathrm{Var}_c$ and $\mathrm{Var}_w$ be as in Lemmas 6, 7 and 8. Let also $Y_{q^d}$ be the random variable determined by the rank of a correct score $S_{s'}$ in the list S of $q^d$ elements. Then, the number of samples m required for $Y_{q^d}$ to take rank zero with probability ε is recovered by solving
$$\epsilon = \int_x \left[\frac{1}{2}\left(1 + \mathrm{erf}\left(\frac{x - E_w}{\sqrt{2\,\mathrm{Var}_w}}\right)\right)\right]^{q^d - 1}\cdot\left(\frac{1}{\sqrt{2\pi\,\mathrm{Var}_c}}\, e^{-\frac{(x - E_c)^2}{2\,\mathrm{Var}_c}}\right) dx$$
for m.

Proof. $Y_{q^d}$ follows a binomial-normal compound distribution given by
$$\Pr[Y_{q^d} = r] = \int_x \binom{q^d - 1}{r}\, \Pr[e \leftarrow_\$ D_w : e \ge x]^r \cdot \Pr[e \leftarrow_\$ D_w : e < x]^{q^d - r - 1} \cdot \Pr[e \leftarrow_\$ D_c : e = x]\, dx.$$
Plugging in $r = 0$ and $\Pr[Y_{q^d} = r] = \epsilon$ we get:
$$\epsilon = \int_x \Pr[e \leftarrow_\$ D_w : e < x]^{q^d - 1} \cdot \Pr[e \leftarrow_\$ D_c : e = x]\, dx = \int_x \left[\frac{1}{2}\left(1 + \mathrm{erf}\left(\frac{x - E_w}{\sqrt{2\,\mathrm{Var}_w}}\right)\right)\right]^{q^d - 1}\cdot\left(\frac{1}{\sqrt{2\pi\,\mathrm{Var}_c}}\, e^{-\frac{(x - E_c)^2}{2\,\mathrm{Var}_c}}\right) dx$$
as required. □

Using Lemma 9 we can hence estimate the number of non-zero samples m we need to recover subvector s'.

Remark 2. We note that Algorithm 2 not only returns an ordering of the hypotheses but also a score for each hypothesis. Hence, we can simply sample from $B_{s,\chi,a}$ until the distance between the first and second highest rated hypothesis is above a certain threshold.
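The hypothesis-testing step of this section, worked through in plain Python as an added example (this is not the paper's code or the authors' Sage script): the weights of Equation (3) with the wrong-guess probabilities of Lemma 5, Algorithm 2 visited in the unit-vector order used in the proof of Lemma 4, the moments of Lemmas 6 to 8, and the search for m from Lemma 9 by numerical integration. The noise model for $\chi_a$ (a discrete Gaussian of standard deviation sigma_a folded into $\mathbb{Z}_q$), the toy parameters q = 7, d = 2, sigma_a = 1.0 and the sample generator are assumptions made here, not values from the paper.

```python
# Added example (not the paper's code): Algorithm 2 with the weights of
# Equation (3) and Lemma 5, and the sample-size search of Lemma 9.  The noise
# model chi_a (discrete Gaussian folded into Z_q), the parameters q, d,
# sigma_a and the sample generator are constructed here.
import itertools
import math
import random

def centre(x, q):
    """Representative of x mod q in [-floor(q/2), floor(q/2)]."""
    x %= q
    return x - q if x > q // 2 else x

def chi_probs(q, sigma_a):
    """p_j = Pr[e <- chi_a : e = j] (constructed: discrete Gaussian, folded into Z_q)."""
    raw = {j: sum(math.exp(-(j + t * q) ** 2 / (2 * sigma_a ** 2)) for t in range(-4, 5))
           for j in range(-(q // 2), q // 2 + 1)}
    total = sum(raw.values())
    return {j: w / total for j, w in raw.items()}

def wrong_guess_probs(p, q, d):
    """Lemma 5 (q prime): p'_j = (q^(d-1) - p_j) / (q^d - 1)."""
    return {j: (q ** (d - 1) - pj) / (q ** d - 1) for j, pj in p.items()}

def weights(p, p_wrong):
    """Equation (3): W(j) = log(p_j / p'_j)."""
    return {j: math.log(p[j] / p_wrong[j]) for j in p}

def score_hypotheses(samples, W, q, d):
    """Algorithm 2 in the order from the proof of Lemma 4: guesses v are visited
    in a q-ary Gray-code order, so each step adds one unit vector to v and
    <a_i, v> is refreshed with a single addition per sample."""
    m, v, inner, S = len(samples), [0] * d, [0] * len(samples), {}
    for h in range(q ** d):
        if h:
            k = 0                      # coordinate k is the one that changes
            while h % q ** (k + 1) == 0:
                k += 1
            v[k] = (v[k] + 1) % q
            for i, (a, _) in enumerate(samples):
                inner[i] = (inner[i] + a[k]) % q
        S[tuple(v)] = sum(W[centre(inner[i] - c, q)] for i, (_, c) in enumerate(samples)) / m
    return S

def score_hypotheses_naive(samples, W, q, d):
    """Same scores, recomputing <a_i, v> from scratch (d operations each); used as a check."""
    return {v: sum(W[centre(sum(x * y for x, y in zip(a, v)) - c, q)] for a, c in samples) / len(samples)
            for v in itertools.product(range(q), repeat=d)}

def moments(W, p, p_wrong):
    """E_c, E_w (Lemmas 6 and 7) and the m = 1 variances of Lemma 8."""
    Ec = sum(p[j] * W[j] for j in W)
    Ew = sum(p_wrong[j] * W[j] for j in W)
    Vc = sum(p[j] * (W[j] - Ec) ** 2 for j in W)
    Vw = sum(p_wrong[j] * (W[j] - Ew) ** 2 for j in W)
    return Ec, Ew, Vc, Vw

def success_probability(m, q, d, Ec, Ew, Vc, Vw, steps=4000):
    """Lemma 9: Pr[correct guess has rank 0] with m samples (variances scale
    as 1/m), by midpoint integration of the normal approximation."""
    vc, vw = Vc / m, Vw / m
    lo, h = Ec - 12 * math.sqrt(vc), 24 * math.sqrt(vc) / steps
    total = 0.0
    for i in range(steps):
        x = lo + (i + 0.5) * h
        cdf_w = 0.5 * (1 + math.erf((x - Ew) / math.sqrt(2 * vw)))
        pdf_c = math.exp(-(x - Ec) ** 2 / (2 * vc)) / math.sqrt(2 * math.pi * vc)
        total += cdf_w ** (q ** d - 1) * pdf_c * h
    return total

def samples_needed(q, d, sigma_a, eps, m_max=100000):
    """Smallest m whose Lemma 9 success probability reaches eps."""
    p = chi_probs(q, sigma_a)
    pw = wrong_guess_probs(p, q, d)
    Ec, Ew, Vc, Vw = moments(weights(p, pw), p, pw)
    for m in range(1, m_max + 1):
        if success_probability(m, q, d, Ec, Ew, Vc, Vw) >= eps:
            return m
    raise ValueError("no m below m_max reaches the target success probability")

def run_instance(q, d, sigma_a, m, seed=0):
    """Constructed instance: draw s' and m samples (a, <a, s'> + e), score all
    q^d guesses and return the rank of s' (0 means it scored highest)."""
    rng = random.Random(seed)
    p = chi_probs(q, sigma_a)
    W = weights(p, wrong_guess_probs(p, q, d))
    js, ps = zip(*sorted(p.items()))
    secret = tuple(rng.randrange(q) for _ in range(d))
    samples = []
    for _ in range(m):
        a = tuple(rng.randrange(q) for _ in range(d))
        e = rng.choices(js, weights=ps)[0]
        samples.append((a, (sum(x * y for x, y in zip(a, secret)) + e) % q))
    S = score_hypotheses(samples, W, q, d)
    return sorted(S, key=S.get, reverse=True).index(secret)

if __name__ == "__main__":
    m = samples_needed(7, 2, 1.0, 0.99)
    print("q=7, d=2, sigma_a=1.0: Lemma 9 gives m =", m)
    print("rank of s' with 4m samples:", run_instance(7, 2, 1.0, 4 * m))
```

The Gray-code walk is what makes Lemma 4's count concrete: `score_hypotheses` touches each sample once per guess, while `score_hypotheses_naive` spends d multiplications per sample and guess; both return identical scores. Note that `samples_needed` only uses the normal approximation of Lemma 9, so on a real instance the rank of s' is a random outcome whose probability of being zero the estimate predicts, not a guarantee.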

3.3 Back Substitution

Given a candidate solution for s' which is correct with very high probability we can perform backsubstitution in our tables $T_i$ similarly to solving a triangular linear system. It is easy to see that backsubstitution costs d operations per row. Furthermore, by Lemma 2 we have $a \cdot \lceil q^b/2\rceil$ rows in all tables $T_i$. After backsubstitution, we start the BKW algorithm again in stage one where all the tables $T_i$ are already filled. To recover the next d components of s then, we ask for m fresh samples which are reduced using our modified tables $T_i$ and perform hypothesis testing on these m samples.

3.4 Complexity of BKW

We can now state our main theorem.

Theorem 2 (Search-LWE). Let $(a_i, c_i)$ be samples following $L_{s,\chi}$, $0 < b \le n$, $d \le b$ parameters, $0 < \epsilon < 1$ the targeted success rate and q prime. Let $a = \lceil n/b\rceil$ and m be as in Lemma 9 when $\epsilon' = \epsilon^{1/\lceil n/d\rceil}$. Then, the expected cost of the BKW algorithm to recover s with success probability ε is
$$\left(\frac{q^b - 1}{2}\right)\cdot\left(\frac{a(a-1)}{2}\cdot(n+1) - \frac{b\,a(a-1)}{4} - \frac{b}{6}\left((a-1)^3 + \frac{3}{2}(a-1)^2 + \frac{1}{2}(a-1)\right)\right) \quad (9)$$
additions/subtractions in $\mathbb{Z}_q$ to produce the elimination tables,
$$\frac{\lceil n/d\rceil + 1}{2}\cdot\frac{q^d}{q^d - 1}\cdot m\cdot\left(\frac{a}{2}(n+2)\right) \quad (10)$$
additions/subtractions in $\mathbb{Z}_q$ to produce samples for hypothesis testing. For the hypothesis-testing step
$$\left\lceil\frac{n}{d}\right\rceil\cdot(m \cdot q^d) \quad (11)$$
arithmetic operations in $\mathbb{Z}_q$ are required and
$$\frac{\lceil n/d\rceil + 1}{2}\cdot d\cdot a\cdot\left\lceil\frac{q^b}{2}\right\rceil \quad (12)$$
operations in $\mathbb{Z}_q$ for backsubstitution. Furthermore,
$$\frac{q^b}{2}\cdot a + \left\lceil\frac{n}{d}\right\rceil\cdot\frac{q^d}{q^d - 1}\cdot m \quad (13)$$
calls to $L_{s,\chi}$ and storage for
$$\frac{q^b}{2}\cdot a\cdot\left(n + 1 - b\,\frac{a-1}{2}\right) \quad (14)$$
elements in $\mathbb{Z}_q$ are needed.

Proof. In order to recover s we need every run of stage 1 to be successful, hence we have $\epsilon = (\epsilon')^{\lceil n/d\rceil}$ and consequently $\epsilon' = \epsilon^{1/\lceil n/d\rceil}$. Furthermore, we have:

The cost of constructing the tables $T_i$ in Equation (9) follows from Lemma 2. Lemma 2 and the fact that with probability $1/q^d$ the oracle $B_{s,\chi,a}$ returns an all-zero sample establish that, to produce m non-zero samples for hypothesis testing, $m\cdot\frac{q^d}{q^d - 1}\cdot\left(\frac{a}{2}(n+2)\right)$ operations are necessary. We need to produce m such samples $\lceil n/d\rceil$ times. However, as we proceed the number of required operations linearly approaches zero. Hence, we need $\frac{\lceil n/d\rceil + 1}{2}\cdot\frac{q^d}{q^d - 1}\cdot m\cdot\left(\frac{a}{2}(n+2)\right)$ operations as in Equation (10). The cost of Algorithm 2 in Equation (11), which also is run $\lceil n/d\rceil$ times, follows from Lemma 4. There are $a\cdot\lceil q^b/2\rceil$ rows in all tables $T_i$ each of which requires d operations in backsubstitution. We need to run backsubstitution $\lceil n/d\rceil$ times, but each time the cost decreases linearly. From this follows Equation (12). The number of samples needed in Equation (13) follows from Lemma 2 and that with probability $1/q^d$ the oracle $B_{s,\chi,a}$ returns a sample which is useless to us. The storage requirement in Equation (14) follows from Lemma 3. □

We would like to express the complexity of the BKW algorithm as a function of n, q, α explicitly. In that regard, Theorem 2 does not deliver yet. However, from the fact that we can distinguish $\chi_a$ and $U_a$ in subexponential time if the standard deviation $2^a \alpha q < q/2$ (i.e., the standard deviation of the discrete Gaussian distribution over $\mathbb{Z}$ corresponding to $\chi_a$), we can derive the following simple corollary eliminating m.

Corollary 2. Let $(a_i, c_i)$ be samples following $L_{s,\chi}$, set $a = \log_2(1/(2\alpha))$, $b = n/a$ and q a prime. Let d be a small constant $0 < d < \log_2(n)$. Assume α is such that $q^b = q^{n/a} = q^{n/\log_2(1/(2\alpha))}$ is superpolynomial in n. Then, given these parameters, the cost of the BKW algorithm to solve Search-LWE is
$$\left(\frac{q^b - 1}{2}\right)\left(\frac{a(a-1)}{2}(n+1)\right) + \frac{\lceil n/d\rceil + 1}{2}\cdot d\cdot a\cdot\left\lceil\frac{q^b}{2}\right\rceil + \mathrm{poly}(n)$$
operations in $\mathbb{Z}_q$. Furthermore, $\frac{q^b}{2}\cdot a + \mathrm{poly}(n)$ calls to $L_{s,\chi}$ and storage of $\frac{q^b}{2}\cdot a\cdot\left(n + 1 - b\,\frac{a-1}{2}\right)$ elements in $\mathbb{Z}_q$ are needed.

Proof. From the condition $2^a \alpha q < q/2$ follows that we must set $a = \log_2(1/(2\alpha))$. If a is set this way we have that we can distinguish $\chi_a$ from $U(\mathbb{Z}_q)$ in $\mathrm{poly}(n)$. Now, since $q^b$ is superpolynomial in n we have that $m \ll q^b$ and Theorem 2 is dominated by terms involving $q^b$. □

In many cryptographic applications solving the Decision-LWE problem is equivalent to breaking the cryptographic assumption. Furthermore, in many such constructions q may not be a prime. Hence, we also establish the cost of distinguishing $L_{s,\chi}$ from random with a given success probability for arbitrary moduli q.

Corollary 3 (Decision-LWE). Let $(a_i, c_i)$ be samples following $L_{s,\chi}$, $0 < b \le n$ be a parameter, $0 < \epsilon < 1$ the targeted success rate and $a = \lceil n/b\rceil$ the addition depth. Then, the expected cost of the BKW algorithm to distinguish $L_{s,\chi}$ from random with success probability ε is
$$\left(\frac{q^b - 1}{2}\right)\cdot\left(\frac{a(a-1)}{2}\cdot(n+1) - \frac{b\,a(a-1)}{4} - \frac{b}{6}\left((a-1)^3 + \frac{3}{2}(a-1)^2 + \frac{1}{2}(a-1)\right)\right) \quad (15)$$
additions/subtractions in $\mathbb{Z}_q$ to produce elimination tables,
$$\left(\frac{a}{2}\right)\cdot m\cdot(n+2) \quad \text{with } m = \epsilon\Big/\exp\left(-\frac{\pi\,\sigma^2\, 2^{a+1}}{q^2}\right) \quad (16)$$

additions/subtractions in $\mathbb{Z}_q$ to produce samples. Furthermore,
$$\frac{q^b}{2}\cdot a + m \quad (17)$$
calls to $L_{s,\chi}$ and storage for
$$\frac{q^b}{2}\cdot a\cdot\left(n + 1 - b\,\frac{a-1}{2}\right) \quad (18)$$
elements in $\mathbb{Z}_q$ are needed.

Proof. No hypothesis testing, backsubstitution and accounting for all-zero samples is necessary and hence any terms referring to those can be dropped from Theorem 2. Choosing $m = \epsilon\big/\exp\left(-\pi\,\sigma^2\, 2^{a+1}/q^2\right)$ leads to a distinguishing advantage of ε (cf. [1]). □

4 Applications

In this section we apply Theorem 2 to various sets of parameters suggested in the literature. In order to compute concrete costs we rely on numerical approximations in various places such as the computation of $p_j$. We used 2n–4n bits of precision for all computations; increasing this precision further did not appear to change our results. The solving step for m of Lemma 9 is accomplished by a simple search implemented in Sage [3]. As a subroutine of this search we rely on numerical integration which we performed using the mpmath library [0] as shipped with Sage. The Sage script used to derive all values in this section is available at [4]. In all cases below we always set $\epsilon = 0.99$ and $a := t \cdot \log_2 n$ where t is a small constant, which is consistent with the complexity of the BKW algorithm $q^{O(n/\log_2(n))} = 2^{O(n)}$ if $q \in \mathrm{poly}(n)$.

4.1 Regev's Original Parameters

In [9] Regev proposes a simple public-key encryption scheme with the suggested parameters $q \approx n^2$ and $\alpha = 1/(\sqrt{n}\cdot\log^2 n\cdot\sqrt{2\pi})$. We consider the parameters in the range $n = 32, \dots, 256$. In our experiments $t = 3.0$ produced the best results, i.e., higher values of t resulted in m growing too fast.¹ Plugging these values into the formulas of Theorem 2 we get an overall complexity of mn n n 5 + [ (3 n + 9 (n 4 1 ( 3 n n ] log (n n operations in $\mathbb{Z}_q$ after simplification. If m < (.6 n then this expression is dominated by 1 6 n5 + ( 3 n n4 log (n (n 4 3 n 3 n+o(log n.

¹ However, since we compute m numerically, we have to rely on concrete values for various n to verify that with these settings m indeed does not grow too fast.

Table 1 lists the estimated number of calls to $L_{s,\chi}$ ($\log_2 \#L_{s,\chi}$), the estimated number of required ring ($\log_2 \#\mathbb{Z}_q$) and bit ($\log_2 \#\mathbb{Z}_2$) operations, and the costs in terms of ring operations for each of the three stages: sampling, hypothesis testing and back substitution.

Table 1 (columns: n, $\log_2 m$, $\log_2 \#\mathbb{Z}_q$ in sample / hypo. / subs. / total, $\log_2 \#\mathbb{Z}_2$, $\log_2 \#L_{s,\chi}$; numeric entries missing).
Table 1. Cost of solving Search-LWE for parameters suggested in [9] with d = 1, t = 3, ε = 0.99 with BKW.

4.2 Lindner and Peikert's Parameters

In [1], Lindner and Peikert propose new attacks and parameters for LWE. Table 2 lists concrete costs of the BKW algorithm for solving LWE under the parameter choices from [1] as interpreted in [6]. In our computations $t = 2.7$ produced the best results, i.e., higher values of t resulted in m growing too fast.

Table 2 (columns: n, $\log_2 m$, $\log_2 \#\mathbb{Z}_q$ in sample / hypo. / subs. / total, $\log_2 \#\mathbb{Z}_2$, $\log_2 \#L_{s,\chi}$; numeric entries missing).
Table 2. Cost of solving Search-LWE for parameters suggested in [1] with d = 1, t = 2.7, ε = 0.99 with BKW.

4.3 Albrecht et al.'s Polly-Cracker

In [5] a somewhat homomorphic encryption scheme is proposed based on the hardness of computing Gröbner bases with noise. Using linearisation, the equation systems considered in [5] may be considered as LWE instances. Table 3 lists concrete costs for recovering the secret Gröbner basis using this strategy for selected parameters suggested in [5]. In Table 3 λ is the targeted bit-security level and n the number of variables in the linearised system. We note that we did not exploit the structure of the secret for Table 3.

Table 3 (columns: λ, n, q, α, t, $\log_2 m$, $\log_2 \#\mathbb{Z}_q$ in sample / hypo. / subs. / total, $\log_2 \#\mathbb{Z}_2$, $\log_2 \#L_{s,\chi}$; numeric entries missing).
Table 3. Cost of finding $G \subset s$ for parameters suggested in [5] with d = 2, ε = 0.99.

5 Comparison with Alternative Approaches

Now, given the complexity estimates in Section 4 we may ask how these relate to existing approaches in the literature. Hence, we briefly describe some alternative strategies for solving the LWE problem.

5.1 Short Integer Solutions: Lattice Reduction

In [4], the authors briefly examine an approach for solving LWE by distinguishing between valid matrix-LWE samples of the form $(A, c) = (A, As + e)$ and samples drawn from the uniform distribution over $\mathbb{Z}_q^{m \times n} \times \mathbb{Z}_q^n$. Given a matrix of samples A, one way of constructing such a distinguisher is to find a short vector u in the dual lattice $\Lambda(A)^\perp$ such that $uA = 0 \bmod q$. If c belongs to the uniform distribution over $\mathbb{Z}_q^n$, then $\langle u, c\rangle$ belongs to the uniform distribution on $\mathbb{Z}_q$. On the other hand, if $c = As + e$, then $\langle u, c\rangle = \langle u, As + e\rangle = \langle u, e\rangle$, where samples of the form $\langle u, e_i\rangle$ are governed by another discrete, wrapped Gaussian distribution. Following the work of Micciancio and Regev [4], the authors of [1] give estimates for the complexity of distinguishing between LWE samples and uniform samples by estimating the cost of the BKZ algorithm in finding a short enough vector. In particular, given n, q, $\sigma = \alpha q$, we set $s = \sigma\cdot\sqrt{2\pi}$ and compute $\beta = \frac{q}{s}\cdot\sqrt{\log(1/\epsilon)/\pi}$. From this β we then compute the required root Hermite factor $\delta = 2^{\log_2^2(\beta)/(4n\log_2 q)}$. Note that this presupposes access to $m = \sqrt{n\log_2 q/\log_2 \delta}$ samples, an assumption which holds in our setting. Given δ we then extrapolate the running time in seconds as $\log_2 T_{\mathrm{sec}} = 1.8/\log_2 \delta - 110$ as in [1]. We translate this figure into bit operations by assuming $2.3\cdot 10^9$ bit operations per second on a 2.3 GHz CPU. Furthermore, we note that for BKZ picking $\epsilon \ll 1$ and running the algorithm about $1/\epsilon$ times is usually more efficient than picking $\epsilon \approx 1$ directly. Table 4 compares the number of bit and ring operations using the BKW and BKZ algorithm as described in [1]. In Table 4 running times and the number of required samples for BKZ include the $1/\epsilon$ factor, hence both approaches distinguish with probability close to 1. Hence, Table 4 illustrates that for the families of parameters considered here, we expect the BKW algorithm to be asymptotically faster than the BKZ algorithm with a crossover around $n = 250$, at the cost of requiring a lot more samples and memory.

Table 4 (columns: n, q, αq; BKW: t, $\log_2 m$, $\log_2 \#\mathbb{Z}_q$, $\log_2 \#\mathbb{Z}_2$, $\log_2 \#L_{s,\chi}$; NTL-BKZ Lindner/Peikert model: $\log_2 \epsilon$, $\log_2 m$, $\log_2 \#\mathbb{Z}_q$, $\log_2 \#\mathbb{Z}_2$, $\log_2 \#L_{s,\chi}$; row groups Regev [9] and Lindner & Peikert [1]; numeric entries missing).
Table 4. Cost of solving Decision-LWE with BKZ as in [1] and BKW as in Corollary 3.

In [1] the authors present a study of BKZ 2.0, the amalgamation of three folklore techniques to improve the performance of BKZ: pruned enumeration, pre-processing of local blocks and early termination. While no implementations of such algorithms are publicly available, the authors of [1] present a simulator to predict the behaviour of out-of-reach BKZ algorithms. However, the accuracy of this simulator has not been independently verified. In a recent work [], the authors re-visit the BKZ running-time model of [1] and compare the predictions to the simulator of [1] in a few cases. In the cases examined in [], the running-time predictions obtained by the use of the BKZ 2.0 simulator are quite close to those obtained by the model of Lindner and Peikert. Based on the data-points provided in [] and converting these to the same metric as in the Lindner-Peikert model, the function
$$\log_2 T^{\mathrm{BKZ\,2.0}}_{\mathrm{sec}} = 0.009/\log_2^2 \delta_0 - 27$$
provides a very close approximation to the running-time output of the simulator for this particular case (cf. Figure 1). This is a non-linear approximation and hence naturally grows faster than the approximation in [1]. This does not imply that the BKZ 2.0 algorithm is slower than the variant implemented in NTL, as these are two different estimates for the same algorithm (the extrapolation of [1] aimed to take into account the advances collectively known as BKZ 2.0). However, given the greater sophistication of the latter BKZ extrapolations derived from the simulator of [1], we expect this model to provide more accurate approximations of running times than the model of [1]. In particular, a BKZ logarithmic running-time model which is non-linear in $\log_2(\delta_0)$ appears more intuitive than a linear model.

While, in practice, the root Hermite factors achievable through the use of BKZ with a particular blocksize β are much better than their best provable upper bounds, the root factor achievable appears to behave similarly to the upper bounds as a function of β. Namely, the best proven upper bounds on the root Hermite factor are of the form $\gamma_\beta^{1/(\beta-1)}$, where $\gamma_\beta$ denotes the best known upper bound on the Hermite constant for lattices of dimension β. Now since, asymptotically, $\gamma_\beta$ grows linearly in β, if we assume that the root Hermite factor achievable in practice displays asymptotic behaviour similar to that of the best-known upper bound, then the root Hermite factor achievable as a function of β, denoted $\delta_0(\beta)$, is such that $\delta_0(\beta) \in \Omega(1/\beta)$. Since the running time of BKZ appears to be doubly-exponential in β, we can derive that $\log T_{\mathrm{sec}}$ is non-linear in $1/\log(\delta_0)$, as is borne out by the results in []. We also note that in [1] the assumption is made that $\log T_{\mathrm{sec}} = O(1/\log(\delta_0))$, which does not hold from the above discussion. Using this model, we can give an analogue of Table 4 in which the BKZ entries are obtained using the above approximate model. Thus, we can reasonably conclude that, under the assumptions made above, employing lattice reduction in a pure distinguishing approach is out-performed by BKW in surprisingly low dimension.
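The BKZ cost model of Section 5.1 and the BKZ 2.0 fit quoted above, carried out in plain Python as an added example (not the paper's code or script): from n, q, α and a target advantage ε it derives s, β, the required root Hermite factor δ and the sample count m exactly as the text describes, then converts both running-time models to bit operations with the 2.3·10⁹ operations per second and the 1/ε repetition factor the text uses. The instance n = 256, q = 4093, s = 8.35 and the function names are assumptions made here.

```python
# Added example, not the paper's code: the BKZ distinguisher cost model of
# Section 5.1 (Lindner-Peikert extrapolation) beside the BKZ 2.0 fit quoted
# in Section 5, evaluated for a constructed parameter set.  Function names and
# the n = 256, q = 4093, s = 8.35 instance are assumptions made here.
import math

def bkz_distinguisher(n, q, alpha, eps):
    """Quantities of the lattice distinguisher for a target advantage eps:
    s = sigma*sqrt(2*pi), beta = q/s * sqrt(log(1/eps)/pi), the required root
    Hermite factor delta = 2^(log2(beta)^2 / (4 n log2 q)) and the number of
    samples m = sqrt(n log2 q / log2 delta) it presupposes."""
    s = alpha * q * math.sqrt(2 * math.pi)
    beta = q / s * math.sqrt(math.log(1 / eps) / math.pi)
    log2_delta = math.log2(beta) ** 2 / (4 * n * math.log2(q))
    return {"beta": beta, "delta": 2 ** log2_delta,
            "m": math.sqrt(n * math.log2(q) / log2_delta)}

def log2_seconds_lindner_peikert(delta):
    """log2 T_sec = 1.8 / log2(delta) - 110 (linear in 1/log2 delta)."""
    return 1.8 / math.log2(delta) - 110

def log2_seconds_bkz2(delta):
    """log2 T_sec = 0.009 / log2^2(delta) - 27 (the non-linear BKZ 2.0 fit)."""
    return 0.009 / math.log2(delta) ** 2 - 27

def log2_bit_ops(log2_sec, eps, ops_per_sec=2.3e9):
    """Seconds to bit operations at 2.3e9 per second, including the 1/eps
    repetitions that bring the distinguishing probability close to 1."""
    return log2_sec + math.log2(1 / eps) + math.log2(ops_per_sec)

def compare_models(n, q, alpha, eps):
    """log2 bit operations under both running-time models for one instance."""
    delta = bkz_distinguisher(n, q, alpha, eps)["delta"]
    return {"lindner_peikert": log2_bit_ops(log2_seconds_lindner_peikert(delta), eps),
            "bkz2": log2_bit_ops(log2_seconds_bkz2(delta), eps)}

if __name__ == "__main__":
    n, q, s = 256, 4093, 8.35                 # constructed instance
    alpha = s / (math.sqrt(2 * math.pi) * q)  # so that sigma*sqrt(2*pi) = s
    print(bkz_distinguisher(n, q, alpha, 0.5))
    print(compare_models(n, q, alpha, 0.5))
```

Running the instance with ε = 0.5 gives δ just under 1.0035, at which point the BKZ 2.0 fit already exceeds the linear Lindner-Peikert extrapolation; the gap between the two widens as δ decreases, which is the non-linearity the text argues for.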


More information

Notes to accompany Continuatio argumenti de mensura sortis ad fortuitam successionem rerum naturaliter contingentium applicata

Notes to accompany Continuatio argumenti de mensura sortis ad fortuitam successionem rerum naturaliter contingentium applicata otes to accompany Continuatio argumenti de mensura sortis ad fortuitam successionem rerum naturaliter contingentium applicata Richard J. Pulskamp Department of Mathematics and Computer Science Xavier University,

More information

A Framework to Select Parameters for Lattice-Based Cryptography

A Framework to Select Parameters for Lattice-Based Cryptography A Framework to Select Parameters for Lattice-Based Cryptography Nabil Alkeilani Alkadri, Johannes Buchmann, Rachid El Bansarkhani, and Juliane Krämer Technische Universität Darmstadt Department of Computer

More information

CS Topics in Cryptography January 28, Lecture 5

CS Topics in Cryptography January 28, Lecture 5 CS 4501-6501 Topics in Cryptography January 28, 2015 Lecture 5 Lecturer: Mohammad Mahmoody Scribe: Ameer Mohammed 1 Learning with Errors: Motivation An important goal in cryptography is to find problems

More information

Genetic Algorithms applied to Problems of Forbidden Configurations

Genetic Algorithms applied to Problems of Forbidden Configurations Genetic Algorithms applied to Prolems of Foridden Configurations R.P. Anstee Miguel Raggi Department of Mathematics University of British Columia Vancouver, B.C. Canada V6T Z2 anstee@math.uc.ca mraggi@gmail.com

More information

Answering Many Queries with Differential Privacy

Answering Many Queries with Differential Privacy 6.889 New Developments in Cryptography May 6, 2011 Answering Many Queries with Differential Privacy Instructors: Shafi Goldwasser, Yael Kalai, Leo Reyzin, Boaz Barak, and Salil Vadhan Lecturer: Jonathan

More information

Ideal Lattices and Ring-LWE: Overview and Open Problems. Chris Peikert Georgia Institute of Technology. ICERM 23 April 2015

Ideal Lattices and Ring-LWE: Overview and Open Problems. Chris Peikert Georgia Institute of Technology. ICERM 23 April 2015 Ideal Lattices and Ring-LWE: Overview and Open Problems Chris Peikert Georgia Institute of Technology ICERM 23 April 2015 1 / 16 Agenda 1 Ring-LWE and its hardness from ideal lattices 2 Open questions

More information

Elliptic Curve Discrete Logarithm Problem

Elliptic Curve Discrete Logarithm Problem Elliptic Curve Discrete Logarithm Problem Vanessa VITSE Université de Versailles Saint-Quentin, Laboratoire PRISM October 19, 2009 Vanessa VITSE (UVSQ) Elliptic Curve Discrete Logarithm Problem October

More information

Lecture 4 Chiu Yuen Koo Nikolai Yakovenko. 1 Summary. 2 Hybrid Encryption. CMSC 858K Advanced Topics in Cryptography February 5, 2004

Lecture 4 Chiu Yuen Koo Nikolai Yakovenko. 1 Summary. 2 Hybrid Encryption. CMSC 858K Advanced Topics in Cryptography February 5, 2004 CMSC 858K Advanced Topics in Cryptography February 5, 2004 Lecturer: Jonathan Katz Lecture 4 Scribe(s): Chiu Yuen Koo Nikolai Yakovenko Jeffrey Blank 1 Summary The focus of this lecture is efficient public-key

More information

Cryptology. Scribe: Fabrice Mouhartem M2IF

Cryptology. Scribe: Fabrice Mouhartem M2IF Cryptology Scribe: Fabrice Mouhartem M2IF Chapter 1 Identity Based Encryption from Learning With Errors In the following we will use this two tools which existence is not proved here. The first tool description

More information

Lattice-Based Cryptography: Mathematical and Computational Background. Chris Peikert Georgia Institute of Technology.

Lattice-Based Cryptography: Mathematical and Computational Background. Chris Peikert Georgia Institute of Technology. Lattice-Based Cryptography: Mathematical and Computational Background Chris Peikert Georgia Institute of Technology crypt@b-it 2013 1 / 18 Lattice-Based Cryptography y = g x mod p m e mod N e(g a, g b

More information

How to Encrypt with the LPN Problem

How to Encrypt with the LPN Problem How to Encrypt with the LPN Problem Henri Gilbert, Matt Robshaw, and Yannick Seurin ICALP 2008 July 9, 2008 Orange Labs the context the authentication protocol HB + by Juels and Weis [JW05] recently renewed

More information

An intro to lattices and learning with errors

An intro to lattices and learning with errors A way to keep your secrets secret in a post-quantum world Some images in this talk authored by me Many, excellent lattice images in this talk authored by Oded Regev and available in papers and surveys

More information

TIGHT BOUNDS FOR THE FIRST ORDER MARCUM Q-FUNCTION

TIGHT BOUNDS FOR THE FIRST ORDER MARCUM Q-FUNCTION TIGHT BOUNDS FOR THE FIRST ORDER MARCUM Q-FUNCTION Jiangping Wang and Dapeng Wu Department of Electrical and Computer Engineering University of Florida, Gainesville, FL 3611 Correspondence author: Prof.

More information

A732: Exercise #7 Maximum Likelihood

A732: Exercise #7 Maximum Likelihood A732: Exercise #7 Maximum Likelihood Due: 29 Novemer 2007 Analytic computation of some one-dimensional maximum likelihood estimators (a) Including the normalization, the exponential distriution function

More information

Pseudorandomness of Ring-LWE for Any Ring and Modulus. Chris Peikert University of Michigan

Pseudorandomness of Ring-LWE for Any Ring and Modulus. Chris Peikert University of Michigan Pseudorandomness of Ring-LWE for Any Ring and Modulus Chris Peikert University of Michigan Oded Regev Noah Stephens-Davidowitz (to appear, STOC 17) 10 March 2017 1 / 14 Lattice-Based Cryptography y = g

More information

On the Hardness of LWE with Binary Error: Revisiting the Hybrid Lattice-Reduction and Meet-in-the-Middle Attack

On the Hardness of LWE with Binary Error: Revisiting the Hybrid Lattice-Reduction and Meet-in-the-Middle Attack On the Hardness of LWE with Binary Error: Revisiting the Hybrid Lattice-Reduction and Meet-in-the-Middle Attack Johannes Buchmann, Florian Göpfert, Rachel Player 2, and Thomas Wunderer Technische Universität

More information

From Fixed-Length to Arbitrary-Length RSA Encoding Schemes Revisited

From Fixed-Length to Arbitrary-Length RSA Encoding Schemes Revisited From Fixed-Length to Arbitrary-Length RSA Encoding Schemes Revisited Julien Cathalo 1, Jean-Sébastien Coron 2, and David Naccache 2,3 1 UCL Crypto Group Place du Levant 3, Louvain-la-Neuve, B-1348, Belgium

More information

Practical Analysis of Key Recovery Attack against Search-LWE Problem

Practical Analysis of Key Recovery Attack against Search-LWE Problem Practical Analysis of Key Recovery Attack against Search-LWE Problem IMI Cryptography Seminar 28 th June, 2016 Speaker* : Momonari Kuo Grauate School of Mathematics, Kyushu University * This work is a

More information

Polynomial Degree and Finite Differences

Polynomial Degree and Finite Differences CONDENSED LESSON 7.1 Polynomial Degree and Finite Differences In this lesson, you Learn the terminology associated with polynomials Use the finite differences method to determine the degree of a polynomial

More information

Short generators without quantum computers: the case of multiquadratics

Short generators without quantum computers: the case of multiquadratics Short generators without quantum computers: the case of multiquadratics Daniel J. Bernstein University of Illinois at Chicago 31 July 2017 https://multiquad.cr.yp.to Joint work with: Jens Bauch & Henry

More information

Constructing c-ary Perfect Factors

Constructing c-ary Perfect Factors Constructing c-ary Perfect Factors Chris J. Mitchell Computer Science Department Royal Holloway University of London Egham Hill Egham Surrey TW20 0EX England. Tel.: +44 784 443423 Fax: +44 784 443420 Email:

More information

Solving Systems of Linear Equations Symbolically

Solving Systems of Linear Equations Symbolically " Solving Systems of Linear Equations Symolically Every day of the year, thousands of airline flights crisscross the United States to connect large and small cities. Each flight follows a plan filed with

More information

Public-Key Cryptosystems from the Worst-Case Shortest Vector Problem. Chris Peikert Georgia Tech

Public-Key Cryptosystems from the Worst-Case Shortest Vector Problem. Chris Peikert Georgia Tech 1 / 14 Public-Key Cryptosystems from the Worst-Case Shortest Vector Problem Chris Peikert Georgia Tech Computer Security & Cryptography Workshop 12 April 2010 2 / 14 Talk Outline 1 State of Lattice-Based

More information

Report on Learning with Errors over Rings-based HILA5 and its CCA Security

Report on Learning with Errors over Rings-based HILA5 and its CCA Security Report on Learning with Errors over Rings-based HILA5 and its CCA Security Jesús Antonio Soto Velázquez January 24, 2018 Abstract HILA5 is a cryptographic primitive based on lattices that was submitted

More information

Notes for Lecture 16

Notes for Lecture 16 COS 533: Advanced Cryptography Lecture 16 (11/13/2017) Lecturer: Mark Zhandry Princeton University Scribe: Boriana Gjura Notes for Lecture 16 1 Lattices (continued) 1.1 Last time. We defined lattices as

More information

The Mean Version One way to write the One True Regression Line is: Equation 1 - The One True Line

The Mean Version One way to write the One True Regression Line is: Equation 1 - The One True Line Chapter 27: Inferences for Regression And so, there is one more thing which might vary one more thing aout which we might want to make some inference: the slope of the least squares regression line. The

More information

The variance for partial match retrievals in k-dimensional bucket digital trees

The variance for partial match retrievals in k-dimensional bucket digital trees The variance for partial match retrievals in k-dimensional ucket digital trees Michael FUCHS Department of Applied Mathematics National Chiao Tung University January 12, 21 Astract The variance of partial

More information

Open problems in lattice-based cryptography

Open problems in lattice-based cryptography University of Auckland, New Zealand Plan Goal: Highlight some hot topics in cryptography, and good targets for mathematical cryptanalysis. Approximate GCD Homomorphic encryption NTRU and Ring-LWE Multi-linear

More information

Structuring Unreliable Radio Networks

Structuring Unreliable Radio Networks Structuring Unreliale Radio Networks Keren Censor-Hillel Seth Gilert Faian Kuhn Nancy Lynch Calvin Newport March 29, 2011 Astract In this paper we study the prolem of uilding a connected dominating set

More information

CSE 206A: Lattice Algorithms and Applications Spring Basic Algorithms. Instructor: Daniele Micciancio

CSE 206A: Lattice Algorithms and Applications Spring Basic Algorithms. Instructor: Daniele Micciancio CSE 206A: Lattice Algorithms and Applications Spring 2014 Basic Algorithms Instructor: Daniele Micciancio UCSD CSE We have already seen an algorithm to compute the Gram-Schmidt orthogonalization of a lattice

More information

Luis Manuel Santana Gallego 100 Investigation and simulation of the clock skew in modern integrated circuits. Clock Skew Model

Luis Manuel Santana Gallego 100 Investigation and simulation of the clock skew in modern integrated circuits. Clock Skew Model Luis Manuel Santana Gallego 100 Appendix 3 Clock Skew Model Xiaohong Jiang and Susumu Horiguchi [JIA-01] 1. Introduction The evolution of VLSI chips toward larger die sizes and faster clock speeds makes

More information

Recovering Short Generators of Principal Ideals in Cyclotomic Rings

Recovering Short Generators of Principal Ideals in Cyclotomic Rings Recovering Short Generators of Principal Ideals in Cyclotomic Rings Ronald Cramer Chris Peikert Léo Ducas Oded Regev University of Leiden, The Netherlands CWI, Amsterdam, The Netherlands University of

More information

Pseudorandom Knapsacks and the Sample Complexity of LWE Search-to- Decision Reductions

Pseudorandom Knapsacks and the Sample Complexity of LWE Search-to- Decision Reductions Pseudorandom Knapsacks and the Sample Complexity of LWE Search-to- Decision Reductions Crypto 2011 Daniele Micciancio Petros Mol August 17, 2011 1 Learning With Errors (LWE) secret public: integers n,

More information

Lattice-Based Cryptography

Lattice-Based Cryptography Liljana Babinkostova Department of Mathematics Computing Colloquium Series Detecting Sensor-hijack Attacks in Wearable Medical Systems Krishna Venkatasubramanian Worcester Polytechnic Institute Quantum

More information

Better Algorithms for LWE and LWR

Better Algorithms for LWE and LWR Better Algorithms for LWE and LWR Alexandre Duc, Florian Tramèr, and Serge Vaudenay EPFL, 1015 Lausanne, Switzerland Abstract. The Learning With Error problem LWE) is becoming more and more used in cryptography,

More information

Divide-and-Conquer. Reading: CLRS Sections 2.3, 4.1, 4.2, 4.3, 28.2, CSE 6331 Algorithms Steve Lai

Divide-and-Conquer. Reading: CLRS Sections 2.3, 4.1, 4.2, 4.3, 28.2, CSE 6331 Algorithms Steve Lai Divide-and-Conquer Reading: CLRS Sections 2.3, 4.1, 4.2, 4.3, 28.2, 33.4. CSE 6331 Algorithms Steve Lai Divide and Conquer Given an instance x of a prolem, the method works as follows: divide-and-conquer

More information

Practical Analysis of Key Recovery Attack against Search-LWE Problem

Practical Analysis of Key Recovery Attack against Search-LWE Problem Practical Analysis of Key Recovery Attack against Search-LWE Problem Royal Holloway an Kyushu University Workshop on Lattice-base cryptography 7 th September, 2016 Momonari Kuo Grauate School of Mathematics,

More information

Simple Examples. Let s look at a few simple examples of OI analysis.

Simple Examples. Let s look at a few simple examples of OI analysis. Simple Examples Let s look at a few simple examples of OI analysis. Example 1: Consider a scalar prolem. We have one oservation y which is located at the analysis point. We also have a ackground estimate

More information

On Two Class-Constrained Versions of the Multiple Knapsack Problem

On Two Class-Constrained Versions of the Multiple Knapsack Problem On Two Class-Constrained Versions of the Multiple Knapsack Problem Hadas Shachnai Tami Tamir Department of Computer Science The Technion, Haifa 32000, Israel Abstract We study two variants of the classic

More information

Solving Systems of Modular Equations in One Variable: How Many RSA-Encrypted Messages Does Eve Need to Know?

Solving Systems of Modular Equations in One Variable: How Many RSA-Encrypted Messages Does Eve Need to Know? Solving Systems of Modular Equations in One Variable: How Many RSA-Encrypted Messages Does Eve Need to Know? Alexander May, Maike Ritzenhofen Faculty of Mathematics Ruhr-Universität Bochum, 44780 Bochum,

More information

Smooth Projective Hashing and Two-Message Oblivious Transfer

Smooth Projective Hashing and Two-Message Oblivious Transfer Smooth Projective Hashing and Two-Message Olivious Transfer Shai Halevi IBM Research Yael Tauman Kalai Microsoft Research Octoer 31, 2010 Astract We present a general framework for constructing two-message

More information

1 Shortest Vector Problem

1 Shortest Vector Problem Lattices in Cryptography University of Michigan, Fall 25 Lecture 2 SVP, Gram-Schmidt, LLL Instructor: Chris Peikert Scribe: Hank Carter Shortest Vector Problem Last time we defined the minimum distance

More information

From the Shortest Vector Problem to the Dihedral Hidden Subgroup Problem

From the Shortest Vector Problem to the Dihedral Hidden Subgroup Problem From the Shortest Vector Problem to the Dihedral Hidden Subgroup Problem Curtis Bright December 9, 011 Abstract In Quantum Computation and Lattice Problems [11] Oded Regev presented the first known connection

More information

CPSC 467b: Cryptography and Computer Security

CPSC 467b: Cryptography and Computer Security CPSC 467b: Cryptography and Computer Security Michael J. Fischer Lecture 9 February 6, 2012 CPSC 467b, Lecture 9 1/53 Euler s Theorem Generating RSA Modulus Finding primes by guess and check Density of

More information

1 Systems of Differential Equations

1 Systems of Differential Equations March, 20 7- Systems of Differential Equations Let U e an open suset of R n, I e an open interval in R and : I R n R n e a function from I R n to R n The equation ẋ = ft, x is called a first order ordinary

More information

Sample Solutions from the Student Solution Manual

Sample Solutions from the Student Solution Manual 1 Sample Solutions from the Student Solution Manual 1213 If all the entries are, then the matrix is certainly not invertile; if you multiply the matrix y anything, you get the matrix, not the identity

More information

Generalized Reed-Solomon Codes

Generalized Reed-Solomon Codes Chapter 5 Generalized Reed-Solomon Codes In 1960, I.S. Reed and G. Solomon introduced a family of error-correcting codes that are douly lessed. The codes and their generalizations are useful in practice,

More information

New Constructions of Sonar Sequences

New Constructions of Sonar Sequences INTERNATIONAL JOURNAL OF BASIC & APPLIED SCIENCES IJBAS-IJENS VOL.:14 NO.:01 12 New Constructions of Sonar Sequences Diego F. Ruiz 1, Carlos A. Trujillo 1, and Yadira Caicedo 2 1 Department of Mathematics,

More information

ERASMUS UNIVERSITY ROTTERDAM Information concerning the Entrance examination Mathematics level 2 for International Business Administration (IBA)

ERASMUS UNIVERSITY ROTTERDAM Information concerning the Entrance examination Mathematics level 2 for International Business Administration (IBA) ERASMUS UNIVERSITY ROTTERDAM Information concerning the Entrance examination Mathematics level 2 for International Business Administration (IBA) General information Availale time: 2.5 hours (150 minutes).

More information

Zeroing the baseball indicator and the chirality of triples

Zeroing the baseball indicator and the chirality of triples 1 2 3 47 6 23 11 Journal of Integer Sequences, Vol. 7 (2004), Article 04.1.7 Zeroing the aseall indicator and the chirality of triples Christopher S. Simons and Marcus Wright Department of Mathematics

More information

Representation theory of SU(2), density operators, purification Michael Walter, University of Amsterdam

Representation theory of SU(2), density operators, purification Michael Walter, University of Amsterdam Symmetry and Quantum Information Feruary 6, 018 Representation theory of S(), density operators, purification Lecture 7 Michael Walter, niversity of Amsterdam Last week, we learned the asic concepts of

More information

Solving Homogeneous Trees of Sturm-Liouville Equations using an Infinite Order Determinant Method

Solving Homogeneous Trees of Sturm-Liouville Equations using an Infinite Order Determinant Method Paper Civil-Comp Press, Proceedings of the Eleventh International Conference on Computational Structures Technology,.H.V. Topping, Editor), Civil-Comp Press, Stirlingshire, Scotland Solving Homogeneous

More information

Depth versus Breadth in Convolutional Polar Codes

Depth versus Breadth in Convolutional Polar Codes Depth versus Breadth in Convolutional Polar Codes Maxime Tremlay, Benjamin Bourassa and David Poulin,2 Département de physique & Institut quantique, Université de Sherrooke, Sherrooke, Quéec, Canada JK

More information

9 Knapsack Cryptography

9 Knapsack Cryptography 9 Knapsack Cryptography In the past four weeks, we ve discussed public-key encryption systems that depend on various problems that we believe to be hard: prime factorization, the discrete logarithm, and

More information

Upper Bound on λ 1. Science, Guangzhou University, Guangzhou, China 2 Zhengzhou University of Light Industry, Zhengzhou, China

Upper Bound on λ 1. Science, Guangzhou University, Guangzhou, China 2 Zhengzhou University of Light Industry, Zhengzhou, China Λ A Huiwen Jia 1, Chunming Tang 1, Yanhua Zhang 2 hwjia@gzhu.edu.cn, ctang@gzhu.edu.cn, and yhzhang@zzuli.edu.cn 1 Key Laboratory of Information Security, School of Mathematics and Information Science,

More information