LP Solutions of Vectorial Integer Subset Sums – Cryptanalysis of Galbraith's Binary Matrix LWE [chapter]

Gottfried Herold, Alexander May
2017 Lecture Notes in Computer Science  
We consider Galbraith's space efficient LWE variant, where the (m × n)-matrix A is binary. In this binary case, solving a vectorial subset sum problem over the integers allows for decryption. We show how to solve this problem using (Integer) Linear Programming. Our attack requires only a fraction of a second for all instances in a regime for m that cannot be attacked by current lattice algorithms. E.g. we are able to solve 100 instances of Galbraith's small LWE challenge (n, m) = (256, 400) all in a fraction of a second. We also show under a mild assumption that instances with m ≤ 2n can be broken in polynomial time via LP relaxation. Moreover, we develop a method that identifies weak instances for Galbraith's large LWE challenge (n, m) = (256, 640). This is the eprint version of the paper with the same title that appeared at PKC 2017 [11].
doi:10.1007/978-3-662-54365-8_1 fatcat:4ar73tgenfhqpcvqqcqo3ggei4