Lazy Modulus Switching for the BKW Algorithm on LWE [chapter]

Martin R. Albrecht, Jean-Charles Faugère, Robert Fitzpatrick, Ludovic Perret
2014 Lecture Notes in Computer Science  
Our variant can be seen as a combination of the BKW algorithm with a lazy variant of modulus switching which might be of independent interest.  ...  We present a variant of the BKW algorithm for binary-LWE and other small secret variants and show that this variant reduces the complexity for solving binary-LWE.  ...  We thank Steven Galbraith for helpful comments on an earlier draft of this work. We also thank anonymous referees for detailed comments which greatly improved this work.  ... 
doi:10.1007/978-3-642-54631-0_25 fatcat:qhl5qxyegbbj5ckrphrgeh3sum

The Asymptotic Complexity of Coded-BKW with Sieving Using Increasing Reduction Factors [article]

Erik Mårtensson
2019 arXiv pre-print
The Learning with Errors problem (LWE) is one of the main candidates for post-quantum cryptography.  ...  At Asiacrypt 2017, coded-BKW with sieving, an algorithm combining the Blum-Kalai-Wasserman algorithm (BKW) with lattice sieving techniques, was proposed.  ...  Lazy Modulus Switching The basic BKW algorithm was improved in [10] by Albrecht et al.  ... 
arXiv:1901.06558v2 fatcat:75c2fof2xfa55dn6yzcip53j6a

On the Sample Complexity of solving LWE using BKW-Style Algorithms [article]

Qian Guo, Erik Mårtensson, Paul Stankovski Wagner
2021 arXiv pre-print
Among its solving algorithms, the Blum-Kalai-Wasserman (BKW) algorithm, originally proposed for solving the Learning Parity with Noise (LPN) problem, performs well, especially for certain parameter settings  ...  The BKW algorithm consists of two phases, the reduction phase and the solving phase. In this work, we study the performance of distinguishers used in the solving phase.  ...  Lazy modulus switching (LMS) was introduced in [21] and further developed in [23]. In [22] coded-BKW was introduced.  ... 
arXiv:2102.02126v1 fatcat:tallkcwzkrdo7ewp4r4c5qx5hi

Coded-BKW: Solving LWE Using Lattice Codes [chapter]

Qian Guo, Thomas Johansson, Paul Stankovski
2015 Lecture Notes in Computer Science  
[ApplebaumCashPeikertSahai09] Secret-error transformation for LWE. [AlbrechtFaugèreFitzpatrickPerret14] Introduce the lazy modulus switching technique. The best known BKW-type binary-LWE solver.  ...  ] Apply BKW for solving LWE.  ... 
doi:10.1007/978-3-662-47989-6_2 fatcat:caxcaitcyzaplnktcqbhoeqkny

On Dual Lattice Attacks Against Small-Secret LWE and Parameter Choices in HElib and SEAL [chapter]

Martin R. Albrecht
2017 Lecture Notes in Computer Science  
We present novel variants of the dual-lattice attack against LWE in the presence of an unusually short secret. These variants are informed by recent progress in BKW-style algorithms for solving LWE.  ...  For example, both libraries promise 80 bits of security for LWE instances with n = 1024 and log_2 q ≈ 47, while the techniques described in this work lead to estimated costs of 68 bits (SEAL v2.0) and  ...  We thank Kenny Paterson and Adeline Roux-Langlois for helpful comments on an earlier draft of this work. We thank Hao Chen for reporting an error in an earlier version of this work.  ... 
doi:10.1007/978-3-319-56614-6_4 fatcat:uhimpuj6d5gphe24osga4fjzhy

On the concrete hardness of Learning with Errors

Martin R. Albrecht, Rachel Player, Sam Scott
2015 Journal of Mathematical Cryptology  
We also give concrete estimates for various families of LWE instances, provide a Sage module for computing these estimates and highlight gaps in the knowledge about algorithms for solving the LWE problem  ...  This work collects and presents hardness results for concrete instances of LWE. In particular, we discuss algorithms proposed in the literature and give the expected resources required to run them.  ...  We thank Steven Galbraith and Paul Kirchner for pointing out mistakes in an earlier version of this work.  ... 
doi:10.1515/jmc-2015-0016 fatcat:55chj4a6hrbjpiugufubaw42dm

An Improved BKW Algorithm for LWE with Applications to Cryptography and Lattices [article]

Paul Kirchner, Pierre-Alain Fouque
2015 arXiv pre-print
We introduce a new variant of the Blum, Kalai and Wasserman algorithm, relying on a quantization step that generalizes and fine-tunes modulus switching.  ...  result based on BKW claims a time complexity of 2^74 with 2^60 samples for the same parameters.  ...  The previous best result for these parameters, using a BKW algorithm with lazy modulus switching, claims a time complexity of 2^74 with 2^60 samples [5].  ... 
arXiv:1506.02717v4 fatcat:gcqvrxecbnhttcilkxrv5f3yq4

An Improved BKW Algorithm for LWE with Applications to Cryptography and Lattices [chapter]

Paul Kirchner, Pierre-Alain Fouque
2015 Lecture Notes in Computer Science  
We introduce a new variant of the Blum, Kalai and Wasserman algorithm, relying on a quantization step that generalizes and fine-tunes modulus switching.  ...  result based on BKW claims a time complexity of 2^74 with 2^60 samples for the same parameters.  ...  The previous best result for these parameters, using a BKW algorithm with lazy modulus switching, claims a time complexity of 2^74 with 2^60 samples [5].  ... 
doi:10.1007/978-3-662-47989-6_3 fatcat:eefwtcc5rfcyxfkrxhdtdfimd4

Improvements on Making BKW Practical for Solving LWE

Alessandro Budroni, Qian Guo, Thomas Johansson, Erik Mårtensson, Paul Stankovski Wagner
2021 Cryptography  
One of the main groups of algorithms for solving LWE is the Blum–Kalai–Wasserman (BKW) algorithm. This paper presents new improvements of BKW-style algorithms for solving LWE instances.  ...  We provide two implementations of the algorithm, one RAM-based approach that is optimized for speed, and one file-based approach which overcomes RAM limitations by using file-based storage.  ...  Data Availability Statement: The data presented in this study are available in the article. Conflicts of Interest: The authors declare no conflict of interest.  ... 
doi:10.3390/cryptography5040031 fatcat:vhbaea5pczgcjbgujygsjk4epy

SoK: On the Security of Cryptographic Problems from Linear Algebra [article]

Carl Bootland, Wouter Castryck, Alan Szepieniec, Frederik Vercauteren
2021 IACR Cryptology ePrint Archive  
Secondly, for each of these approaches we investigate whether they can be generalised to the case of a polynomial modulus g(X) having degree larger than one, thus addressing the security of the generalised  ...  In particular, we consider attacks against problems in the style of LWE, SIS and NTRU defined over rings of the form Z[X]/(f(X), g(X)), where classically g(X) = q is an integer modulus.  ...  We would like to thank all the jury members for their feedback and in particular the external jury members Damien Stehlé and Joppe Bos.  ... 
dblp:journals/iacr/BootlandCSV21 fatcat:3q4lz2xzhraajovhwj6pa7djym

On a hybrid approach to solve binary-LWE [article]

Thomas Espitau, Antoine Joux, Natalia Kharchenko
2020 IACR Cryptology ePrint Archive  
homomorphic encryption schemes based on the (Ring-)LWE problem.  ...  Then, we search for the fraction of the secret key by computing the corresponding noise for each candidate using the newly constructed LWE samples.  ...  Note that it also naturally encompasses a continuous relaxation of the lazy modulus switching technique of [Alb17], as the mathematical framework used makes it appear very naturally in the proof technique  ... 
dblp:journals/iacr/EspitauJK20 fatcat:t7pegp647ndh7effnxivjmzxoq

Post-quantum Key Exchange - A New Hope

Erdem Alkim, Léo Ducas, Thomas Pöppelmann, Peter Schwabe
2016 USENIX Security Symposium  
error-reconciliation mechanism, and propose a defense against backdoors and all-for-the-price-of-one attacks.  ...  an implementation integrated into OpenSSL, with the affirmed goal of providing post-quantum security for TLS.  ...  the name JARJAR for the low-security variant of our proposal.  ... 
dblp:conf/uss/AlkimDPS16 fatcat:sm6jbq2bmjca7naxguje35mhqm

CRYSTALS-Dilithium: A Lattice-Based Digital Signature Scheme

Léo Ducas, Eike Kiltz, Tancrède Lepoint, Vadim Lyubashevsky, Peter Schwabe, Gregor Seiler, Damien Stehlé
2018 Transactions on Cryptographic Hardware and Embedded Systems  
Our AVX2-based implementation results in a speed-up of roughly a factor of 2 over the previously best algorithms that appear in the literature.  ...  In this paper, we present the lattice-based signature scheme Dilithium, which is a component of the CRYSTALS (Cryptographic Suite for Algebraic Lattices) suite that was submitted to NIST's call for post-quantum  ...  Similarly, if one uses a faster algorithm for seed expansion of ρ into A (or perhaps has A already stored in memory if speed is truly of the essence), then the effect on the signing and (especially) verification  ... 
doi:10.13154/tches.v2018.i1.238-268 dblp:journals/tches/DucasKLLSSS18 fatcat:skxxtodhvfcwrfb3vq7sqwrjue

Efficient implementation of ideal lattice-based cryptography

Thomas Pöppelmann
2017 it - Information Technology  
Almost all practically relevant asymmetric cryptosystems like RSA or ECC are either based on the hardness of factoring or on the hardness of the discrete logarithm problem.  ...  One alternative is lattice-based cryptography which allows the construction of asymmetric public-key encryption and signature schemes that offer a good balance between security, performance, and key as  ...  One approach to solve LWE directly is the Blum, Kalai and Wasserman (BKW) [BKW03] algorithm that has been designed to solve the LPN problem.  ... 
doi:10.1515/itit-2017-0030 fatcat:mpmamskk25h3lbyshy4rfd4y4y

Report from Dagstuhl Seminar 14021 Symmetric Cryptography

Frederik Armknecht, Helena Handschuh, Tetsu Iwata, Bart Preneel
unpublished
Our variant can be seen as a combination of the BKW algorithm with a lazy variant of modulus switching which might be of independent interest.  ...  We present a variant of the BKW algorithm for binary-LWE and other small secret variants and show that this variant reduces the complexity for solving binary-LWE.  ...  We focus on the design decisions behind these two proposals, which differ in the size of the state and consequently in the set of platforms they are best suited for: high-end platforms for Keyak and low-end  ... 
fatcat:pvut5djxa5dkhghoo3s5kh6qba