On the concrete hardness of Learning with Errors

Journal of Mathematical Cryptology

Volumn 9, Issue 3, 2015, Pages 169-203

  Albrecht, Martin R ^a   Player, Rachel ^a   Scott, Sam ^a  

^a UNIVERSITY OF LONDON   (United Kingdom)

Author keywords

lattice reduction; lattice based cryptography; Learning with Errors

Indexed keywords

EID: 84943753015     PISSN: 18622976     EISSN: 18622984     Source Type: Journal    
DOI: 10.1515/jmc-2015-0016     Document Type: Review

References (79)

1. D. Aggarwal, D. Dadush, O. Regev and N. Stephens-Davidowitz, Solving the shortest vector problem in 2n time via discrete gaussian sampling, preprint (2014), http://arxiv.org/abs/1412.7994.
2. M. Ajtai, Generating hard instances of lattice problems (extended abstract), in: Theory of Computing (STOC 1996), ACM Press, New York (1996), 99-108.
3. M. Albrecht, BKW-LWE, 2013, https://bitbucket.org/malb/bkw-lwe.
4. M. Albrecht, Estimator for the bit security of LWE instances, 2015, https://bitbucket.org/malb/lwe-estimator.
5. M. Albrecht, D. Cadé, X. Pujol and D. Stehlé, fplll, development version, 2014, https://github.com/dstehle/fplll.
6. M. R. Albrecht, C. Cid, J.-C. Faugère, R. Fitzpatrick and L. Perret, On the complexity of the BKW algorithm on LWE, Des. Codes Cryptogr. 74 (2015), 325-354.
7. M. R. Albrecht, C. Cid, J.-C. Faugère and L. Perret, Algebraic algorithms for LWE, preprint (2014), http://eprint.iacr.org/2014/1018.
8. M. R. Albrecht, J.-C. Faugère, R. Fitzpatrick and L. Perret, Lazy modulus switching for the BKW algorithm on LWE, in: Public-Key Cryptography (PKC 2014) Lecture Notes in Comput. Sci. 8383, Springer, Berlin (2014), 429-445.
9. M. R. Albrecht, R. Fitzpatrick, D. Cabracas, F. Göpfert and M. Schneider, A generator for LWE and Ring-LWE instances, preprint (2013), www.iacr.org/news/-les/2013-04-29lwe-generator.pdf.
10. M. R. Albrecht, R. Fitzpatrick and F. Göpfert, On the e-cacy of solving LWE by reduction to unique-SVP, in: Information Security and Cryptology (ICISC 13), Lecture Notes in Comput. Sci. 8565, Springer, Cham (2014), 293-310.
11. B. Applebaum, D. Cash, C. Peikert and A. Sahai, Fast cryptographic primitives and circular-secure encryption based on hard learning problems, in: [40], 595-618.
12. S. Arora and R. Ge, New algorithms for learning in presence of errors, in: Automata, Languages and Programming (ICALP 2011), part I, Lecture Notes in Comput. Sci. 6755, Springer, Berlin (2011), 403-415.
13. L. Babai, On Lovász' lattice reduction and the nearest lattice point problem (shortened version), in: Theoretical Aspects of Computer Science (STACS 1986), Lecture Notes in Comput. Sci 182, Springer, Berlin (1985), 13-20.
14. S. Bai and S. D. Galbraith, Lattice decoding attacks on binary LWE, in: Information Security and Privacy (ACISP 2014), Lecture Notes in Comput. Sci. 8544, Springer, Berlin (2014), 322-337.
15. D. J. Bernstein, J. Buchmann and E. Dahmen (eds.), Post-Quantum Cryptography, Springer, Berlin, 2009.
16. A. Blum, A. Kalai and H. Wasserman, Noise-tolerant learning, the parity problem, and the statistical query model, J. ACM 50 (2003), no. 4, 506-519.
17. Z. Brakerski, C. Gentry and V. Vaikuntanathan, (Leveled) fully homomorphic encryption without bootstrapping, in: Innovations in Theoretical Computer Science (ITCS 2012), ACM Press, New York (2012), 309-325.
18. Z. Brakerski, A. Langlois, C. Peikert, O. Regev and D. Stehlé, Classical hardness of learning with errors, in: Theory of Computing (STOC 2013), ACM Press, New York (2013), 575-584.
19. Z. Brakerski and V. Vaikuntanathan, E-cient fully homomorphic encryption from (standard) LWE, in: Foundations of Computer Science (FOCS 2011), IEEE Computer Society Press, Los Alamitos (2011), 97-106.
20. P. Bürgisser, M. Clausen and M. A. Shokrollahi, Algebraic Complexity Theory, Grundlehren Math. Wiss. 315, Springer, Berlin, 1997.
21. D. Cadé, X. Pujol and D. Stehlé, fpLLL 4.0.4, 2013, http://perso.ens-lyon.fr/damien.stehle/fplll/.
22. D. Cash, D. Ho-einz, E. Kiltz and C. Peikert, Bonsai trees, or how to delegate a lattice basis, J. Cryptology 25 (2012), no. 4, 601-639.
23. Y. Chen, Réduction de réseau et sécurité concrète du chi-rement complètement homomorphe, Ph.D. thesis, Paris 7, 2013.
24. Y. Chen and P. Q. Nguyen, BKZ 2.0: Better lattice security estimates, in: Advances in Cryptology (Asiacrypt 2011), Lecture Notes in Comput. Sci. 7073, Springer, Berlin (2011), 1-20.
25. Y. Chen and P. Q. Nguyen, BKZ 2.0: Better lattice security estimates (full version), preprint (2012), www.di.ens.fr/~ychen/research/Full-BKZ.pdf.
26. H. Cherno-, A measure of asymptotic e-ciency for tests of a hypothesis based on the sum of observations, Ann. Math. Stat. 23 (1952), 493-507.
27. A. Duc, F. Tramèr and S. Vaudenay, Better algorithms for LWE and LWR, preprint (2015), http://eprint.iacr.org/2015/056.
28. L. Ducas-Binda, Signatures fondeés sur les réseaux euclidiens: attaques, analyses et optimisations, Ph.D. thesis, École Normale Supérieure Paris, 2013.
29. N. Gama and P. Q. Nguyen, Predicting lattice reduction, in: Advances in Cryptology (Eurocrypt 2008), Lecture Notes in Comput. Sci. 4965, Springer, Berlin (2008), 31-51.
30. N. Gama, P. Q. Nguyen and O. Regev, Lattice enumeration using extreme pruning, in: [38], 257-278.
31. S. Garg, C. Gentry and S. Halevi, Candidate multilinear maps from ideal lattices, in: Advances in Cryptology (Eurocrypt 2013), Lecture Notes in Comput. Sci. 7881, Springer, Berlin (2013), 1-17.
32. C. Gentry, A fully homomorphic encryption scheme, Ph.D. thesis, Stanford University, 2009.
33. C. Gentry, S. Gorbunov and S. Halevi, Graph-induced multilinear maps from lattices, preprint (2014), http://eprint.iacr. org/2014/645.
34. C. Gentry, S. Halevi and N. P. Smart, Fully homomorphic encryption with polylog overhead, in: Advances in Cryptology (Eurocrypt 2012), Lecture Notes in Comput. Sci. 7237, Springer, Berlin (2012), 465-482.
35. C. Gentry, S. Halevi and N. P. Smart, Homomorphic evaluation of the AES circuit, in: Advances in Cryptology (Crypto 2012), Lecture Notes in Comput. Sci. 7417, Springer, Berlin (2012), 850-867.
36. C. Gentry, S. Halevi and N. P. Smart, Homomorphic evaluation of the AES circuit, preprint (2012), http://eprint.iacr.org/2012/099.
37. C. Gentry, C. Peikert and V. Vaikuntanathan, Trapdoors for hard lattices and new cryptographic constructions, in: Theory of Computing (STOC 2008), ACM Press, New York (2008), 197-206.
38. H. Gilbert (ed.), Advances in Cryptology (Eurocrypt 2010), Lecture Notes in Comput. Sci. 6110, Springer, Berlin, 2010.
39. S. Goldwasser, Y. Kalai, C. Peikert and V. Vaikuntanathan, Robustness of the learning with errors assumption, in: Innovations in Computer Science (ICS 2010), Tsinghua University Press, Beijing (2010), 230-240.
40. S. Halevi (ed.), Advances in Cryptology (Crypto 2009), Lecture Notes in Comput. Sci. 5677, Springer, Berlin, 2009.
41. G. Hanrot, X. Pujol and D. Stehlé, Algorithms for the shortest and closest lattice vector problems, in: Coding and Cryptology, Lecture Notes in Comput. Sci. 6639, Springer, Berlin (2011), 159-190.
42. G. Hanrot, X. Pujol and D. Stehlé, Analyzing blockwise lattice algorithms using dynamical systems, in: Advances in Cryptology (Crypto 2011), Lecture Notes in Comput. Sci. 6841, Springer, Berlin (2011), 447-464.
43. W. Hart, F. Johansson and S. Pancratz, FLINT: Fast Library for Number Theory, 2014. Version 2.4.4, http://flintlib.org.
44. E. Jones et al., SciPy: Open source scienti-c tools for Python, 2001, www.scipy.org.
45. A. Joux, Algorithmic Cryptanalysis, CRC Press, Boca Raton, 2009.
46. R. Kannan, Minkowski's convex body theorem and integer programming, Math. Oper. Res. 12 (1987), no. 3, 415-440.
47. M. J. Kearns, Y. Mansour, D. Ron, R. Rubinfeld, R. E. Schapire and L. Sellie, On the learnability of discrete distributions, in: Theory of Computing (STOC 1994), ACM Press, New York (1994), 273-282.
48. T. Laarhoven, Sieving for shortest vectors in lattices using angular locality-sensitive hashing, preprint (2014), http://eprint.iacr.org/2014/744.
49. T. Laarhoven and B. de Weger, Faster sieving for shortest lattice vectors using spherical locality-sensitive hashing, preprint (2015), http://eprint.iacr.org/2015/211.
50. A. Lenstra, J. Lenstra, H.W. and L. Lovász, Factoring polynomials with rational coe-cients, Math. Ann. 261 (1982), no. 4, 515-534.
51. T. Lepoint and M. Naehrig, A comparison of the homomorphic encryption schemes FV and YASHE, in: Progress in Cryptology (Africacrypt 2014), Lecture Notes in Comput. Sci. 8469, Springer, Berlin (2014), 318-335.
52. R. Lindner and C. Peikert, Better key sizes (and attacks) for LWE-based encryption, in: Topics in Cryptology (CT-RSA 2011), Lecture Notes in Comput. Sci. 6558, Springer, Berlin (2011), 319-339.
53. C. Ling, S. Liu, L. Luzzi and D. Stehlé, Decoding by embedding: Correct decoding radius and DMT optimality, in: Information Theory Proceedings (ISIT 2011), IEEE Computer Society, Los Alamitos (2011), 1106-1110.
54. M. Liu and P. Q. Nguyen, Solving BDD by enumeration: An update, in: Topics in Cryptology (CT-RSA 2013), Lecture Notes in Comput. Sci. 7779, Springer, Berlin (2013), 293-309.
55. L. Lovász, An Algorithmic Theory of Numbers, Graphs and Convexity, CBMS-NSF Regional Conf. Ser. in Appl. Math., SIAM, Philadelphia, 1986.
56. V. Lyubashevsky and D. Micciancio, On bounded distance decoding, unique shortest vectors, and the minimum distance problem, in: [40], 577-594.
57. D. Micciancio and C. Peikert, Hardness of SIS and LWE with small parameters, in: Advances in Cryptology (Crypto 2013), part I, Lecture Notes in Comput. Sci. 8042, Springer, Berlin (2013), 21-39.
58. D. Micciancio and O. Regev, Lattice-based cryptography, in: 15, 147-191.
59. D. Micciancio and M. Walter, Fast lattice point enumeration with minimal overhead, in: Discrete Algorithms (SODA 2015), ACM-SIAM (2015), 276-294.
60. J. J. Moré, B. S. Garbow and K. E. Hillstrom, User guide for MINPACK-1, ANL-80-74, Argonne National Laboratory, 1980, www.mcs.anl.gov/~more/ANL8074a.pdf.
61. P. Q. Nguyen, Hermite's constant and lattice algorithms, in: 64, 19-69.
62. P. Q. Nguyen, Lattice reduction algorithms: Theory and practice (invited talk), in: Advances in Cryptology (Eurocrypt 2011), Lecture Notes in Comput. Sci. 6632, Springer, Berlin (2011), 2-6.
63. P. Q. Nguyen and D. Stehlé, Floating-point LLL revisited, in: Advances in Cryptology (Eurocrypt 2005), Lecture Notes in Comput. Sci. 3494, Springer, Berlin (2005), 215-233.
64. P. Q. Nguyen and B. Valleé (eds.), The LLL Algorithm: Survey and Applications, Inf. Secur. Cryptography, Springer, Dordrecht, 2010.
65. C. Peikert, Public-key cryptosystems from the worst-case shortest vector problem: Extended abstract, in: Theory of Computing (STOC 2009), ACM Press, New York (2009), 333-342.
66. C. Peikert, V. Vaikuntanathan and B. Waters, A framework for e-cient and composable oblivious transfer, in: Advances in Cryptology (Crypto 2008), Lecture Notes in Comput. Sci. 5157, Springer, Berlin (2008), 554-571.
67. C. Peikert and B. Waters, Lossy trapdoor functions and their applications, SIAM J. Comput. 40 (2011), no. 6, 1803-1844.
68. C. Pernet, High performance and reliable algebraic computing, Habilitation à Diriger des Recherches in Symbolic Computation, Université Joseph Fourier, Grenoble, 2014.
69. O. Regev, On lattices, learning with errors, random linear codes, and cryptography, in: Theory of Computing (STOC 2005), ACM Press, New York (2005), 84-93.
70. O. Regev, On lattices, learning with errors, random linear codes, and cryptography, J. ACM 56 (2009), Article No. 34.
71. O. Regev, The learning with errors problem (invited survey), in: IEEE Conference on Computational Complexity, IEEE Computer Society, Los Alamitos (2010), 191-204.
72. C. P. Schnorr, Lattice reduction by random sampling and birthday methods, in: Theoretical Aspects on Computer Science (STACS 2003), Lecture Notes in Comput. Sci. 2607, Springer, Berlin (2003), 145-156.
73. C. P. Schnorr and M. Euchner, Lattice basis reduction: Improved practical algorithms and solving subset sum problems, Math. Program. 66 (1994), 181-199.
74. V. Shoup, Number Theory Library 5.5.2 (NTL) for C++, www.shoup.net/ntl/.
75. D. Stehlé, An overview of lattice reduction algorithms, Invited talk at ICISC, 2013.
76. W. Stein et al., Sage Mathematics Software Version 6.3, The Sage Development Team, 2014, www.sagemath.org.
77. J. van de Pol and N. P. Smart, Estimating key sizes for high dimensional lattice-based systems, in: Cryptography and Coding (IMACC 2013), Lecture Notes in Comput. Sci. 8308, Springer, Berlin (2013), 290-303.
78. M. van Dijk, C. Gentry, S. Halevi and V. Vaikuntanathan, Fully homomorphic encryption over the integers, in: 38, 24-43.
79. M. Walter, Lattice point enumeration on block reduced bases, preprint (2014), http://eprint.iacr.org/2014/948.