Lattice Decoding Attacks on Binary LWE
نویسندگان
چکیده
We consider the binary-LWE problem, which is the learning with errors problem when the entries of the secret vector are chosen from {0, 1} or {−1, 0, 1} (and the error vector is sampled from a discrete Gaussian distribution). Our main result is an improved lattice decoding algorithm for binary-LWE which first translates the problem to the inhomogeneous short integer solution (ISIS) problem, and then solves the closest vector problem using a re-scaling of the lattice. We also discuss modulus switching as an approach to the problem. Our conclusion is that binary-LWE is easier than general LWE. We give experimental results and theoretical estimates that can be used to choose parameters for binary-LWE to achieve certain security levels.
منابع مشابه
Parallel Implementation of BDD Enumeration for LWE
One of the most attractive problems for post-quantum secure cryptographic schemes is the LWE problem. Beside combinatorial and algebraic attacks, LWE can be solved by a lattice-based Bounded Distance Decoding (BDD) approach. We provide the first parallel implementation of an enumeration-based BDD algorithm that employs the Lindner-Peikert and Linear Length pruning strategies. We ran our algorit...
متن کاملArithmetic Coding and Blinding Countermeasures for Ring-LWE
We describe new arithmetic coding techniques and side-channel blinding countermeasures for lattice-based cryptography. Using these techniques we develop a practical, compact, and more quantum-resistant variant of the BLISS Ring-LWE Signature Scheme. We first show how the BLISS hash-based random oracle can be modified to be more secure against quantum preimage attacks while optimising signature ...
متن کاملA Hybrid Lattice Basis Reduction and Quantum Search Attack on LWE
Recently, an increasing amount of papers proposing postquantum schemes also provide concrete parameter sets aiming for concrete post-quantum security levels. Security evaluations of such schemes need to include all possible attacks, in particular those by quantum adversaries. In the case of lattice-based cryptography, currently existing quantum attacks are mainly classical attacks, carried out ...
متن کاملKey Recovery for LWE in Polynomial Time
We present a generalization of the Hidden Number Problem and generalize the Boneh-Venkatesan method [BV96, Shp05] for solving it in polynomial time. We then use this to mount a key recovery attack on LWE which runs in polynomial time using the LLL lattice basis reduction algorithm. Success can be guaranteed with overwhelming probability for narrow error distribution when q ≥ 2, where n is the d...
متن کاملOn the Hardness of LWE with Binary Error: Revisiting the Hybrid Lattice-Reduction and Meet-in-the-Middle Attack
The security of many cryptographic schemes has been based on special instances of the Learning with Errors (LWE) problem, e.g., Ring-LWE, LWE with binary secret, or LWE with ternary error. However, recent results show that some subclasses are weaker than expected. In this work we show that LWE with binary error, introduced by Micciancio and Peikert, is one such subclass. We achieve this by appl...
متن کامل