A refined analysis of the cost for solving lwe via usvp

Shi Bai; Shaun Miller; Weiqiang Wen

doi:10.1007/978-3-030-23696-0_10

A refined analysis of the cost for solving lwe via usvp

Shi Bai
, Shaun Miller
, Weiqiang Wen

Résultats de recherche: Le chapitre dans un livre, un rapport, une anthologie ou une collection › Contribution à une conférence › Revue par des pairs

Résumé

The learning with errors (LWE) problem (STOC’05) introduced by Regev is one of the fundamental problems in lattice-based cryptography. One standard strategy to solve the LWE problem is to reduce it to a unique SVP (USVP) problem via Kannan’s embedding and then apply a lattice reduction to solve the USVP problem. There are two methods for estimating the cost for solving LWE via this strategy: the first method considers the largeness of the gap in the USVP problem (Gama-Nguyen, Eurocrypt’08) and the second method (Alkim et al., USENIX’16) considers the shortness of the projection of the shortest vector to the Gram-Schmidt vectors. These two estimates have been investigated by Albrecht et al. (Asiacrypt’16) who present a sound analysis and show that the lattice reduction experiments fit more consistently with the second estimate. They also observe that in some cases the lattice reduction even behaves better than the second estimate perhaps due to the second intersection of the projected vector with the Gram-Schmidt vectors. In this work, we revisit the work of Alkim et al. and Albrecht et al. We first report further experiments providing more comparisons and suggest that the second estimate leads to a more accurate prediction in practice. We also present empirical evidence confirming the assumptions used in the second estimate. Furthermore, we examine the gaps in USVP derived from the embedded lattice and explain why it is preferable to use μ= 1 for the embedded lattice. This shows there is a coherent relation between the second estimate and the gaps in USVP. Finally, it has been conjectured by Albrecht et al. that the second intersection will not happen for large parameters. We will show that this is indeed the case: there is no second intersection as β→ ∞.

langue originale	Anglais
titre	Progress in Cryptology – AFRICACRYPT 2019 - 11th International Conference on Cryptology in Africa, Proceedings
rédacteurs en chef	Johannes Buchmann, Abderrahmane Nitaj, Tajjeeddine Rachidi
Editeur	Springer Verlag
Pages	181-205
Nombre de pages	25
ISBN (imprimé)	9783030236953
Les DOIs	https://doi.org/10.1007/978-3-030-23696-0_10
état	Publié - 1 janv. 2019
Modification externe	Oui
Evénement	11th International Conference on the Theory and Applications of Cryptographic Techniques in africa, Africacrypt 2019 - Rabat, Maroc Durée: 9 juil. 2019 → 11 juil. 2019

Série de publications

Nom	Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)
Volume	11627 LNCS
ISSN (imprimé)	0302-9743
ISSN (Electronique)	1611-3349

Une conférence

Une conférence	11th International Conference on the Theory and Applications of Cryptographic Techniques in africa, Africacrypt 2019
Pays/Territoire	Maroc
La ville	Rabat
période	9/07/19 → 11/07/19

Accès au document

10.1007/978-3-030-23696-0_10

Autres fichiers et liens

Lien vers la publication dans Scopus

Contient cette citation

Bai, S., Miller, S., & Wen, W. (2019). A refined analysis of the cost for solving lwe via usvp. Dans J. Buchmann, A. Nitaj, & T. Rachidi (eds.), Progress in Cryptology – AFRICACRYPT 2019 - 11th International Conference on Cryptology in Africa, Proceedings (p. 181-205). (Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics); Vol 11627 LNCS). Springer Verlag. https://doi.org/10.1007/978-3-030-23696-0_10

Bai, Shi ; Miller, Shaun ; Wen, Weiqiang. / A refined analysis of the cost for solving lwe via usvp. Progress in Cryptology – AFRICACRYPT 2019 - 11th International Conference on Cryptology in Africa, Proceedings. Editeur / Johannes Buchmann ; Abderrahmane Nitaj ; Tajjeeddine Rachidi. Springer Verlag, 2019. p. 181-205 (Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)).

@inproceedings{060d7c2667834215ac5b4f0d65dbb9f7,

title = "A refined analysis of the cost for solving lwe via usvp",

abstract = "The learning with errors (LWE) problem (STOC{\textquoteright}05) introduced by Regev is one of the fundamental problems in lattice-based cryptography. One standard strategy to solve the LWE problem is to reduce it to a unique SVP (USVP) problem via Kannan{\textquoteright}s embedding and then apply a lattice reduction to solve the USVP problem. There are two methods for estimating the cost for solving LWE via this strategy: the first method considers the largeness of the gap in the USVP problem (Gama-Nguyen, Eurocrypt{\textquoteright}08) and the second method (Alkim et al., USENIX{\textquoteright}16) considers the shortness of the projection of the shortest vector to the Gram-Schmidt vectors. These two estimates have been investigated by Albrecht et al. (Asiacrypt{\textquoteright}16) who present a sound analysis and show that the lattice reduction experiments fit more consistently with the second estimate. They also observe that in some cases the lattice reduction even behaves better than the second estimate perhaps due to the second intersection of the projected vector with the Gram-Schmidt vectors. In this work, we revisit the work of Alkim et al. and Albrecht et al. We first report further experiments providing more comparisons and suggest that the second estimate leads to a more accurate prediction in practice. We also present empirical evidence confirming the assumptions used in the second estimate. Furthermore, we examine the gaps in USVP derived from the embedded lattice and explain why it is preferable to use μ= 1 for the embedded lattice. This shows there is a coherent relation between the second estimate and the gaps in USVP. Finally, it has been conjectured by Albrecht et al. that the second intersection will not happen for large parameters. We will show that this is indeed the case: there is no second intersection as β→ ∞.",

keywords = "LWE, Lattice reduction, Lattice-based cryptography, USVP",

author = "Shi Bai and Shaun Miller and Weiqiang Wen",

note = "Publisher Copyright: {\textcopyright} Springer Nature Switzerland AG 2019.; 11th International Conference on the Theory and Applications of Cryptographic Techniques in africa, Africacrypt 2019 ; Conference date: 09-07-2019 Through 11-07-2019",

year = "2019",

month = jan,

day = "1",

doi = "10.1007/978-3-030-23696-0\_10",

language = "English",

isbn = "9783030236953",

series = "Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)",

publisher = "Springer Verlag",

pages = "181--205",

editor = "Johannes Buchmann and Abderrahmane Nitaj and Tajjeeddine Rachidi",

booktitle = "Progress in Cryptology – AFRICACRYPT 2019 - 11th International Conference on Cryptology in Africa, Proceedings",

}

Bai, S, Miller, S & Wen, W 2019, A refined analysis of the cost for solving lwe via usvp. Dans J Buchmann, A Nitaj & T Rachidi (eds), Progress in Cryptology – AFRICACRYPT 2019 - 11th International Conference on Cryptology in Africa, Proceedings. Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics), VOL. 11627 LNCS, Springer Verlag, p. 181-205, 11th International Conference on the Theory and Applications of Cryptographic Techniques in africa, Africacrypt 2019, Rabat, Maroc, 9/07/19. https://doi.org/10.1007/978-3-030-23696-0_10

A refined analysis of the cost for solving lwe via usvp. / Bai, Shi; Miller, Shaun; Wen, Weiqiang.
Progress in Cryptology – AFRICACRYPT 2019 - 11th International Conference on Cryptology in Africa, Proceedings. Ed. / Johannes Buchmann; Abderrahmane Nitaj; Tajjeeddine Rachidi. Springer Verlag, 2019. p. 181-205 (Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics); Vol 11627 LNCS).

Résultats de recherche: Le chapitre dans un livre, un rapport, une anthologie ou une collection › Contribution à une conférence › Revue par des pairs

TY - GEN

T1 - A refined analysis of the cost for solving lwe via usvp

AU - Bai, Shi

AU - Miller, Shaun

AU - Wen, Weiqiang

N1 - Publisher Copyright: © Springer Nature Switzerland AG 2019.

PY - 2019/1/1

Y1 - 2019/1/1

N2 - The learning with errors (LWE) problem (STOC’05) introduced by Regev is one of the fundamental problems in lattice-based cryptography. One standard strategy to solve the LWE problem is to reduce it to a unique SVP (USVP) problem via Kannan’s embedding and then apply a lattice reduction to solve the USVP problem. There are two methods for estimating the cost for solving LWE via this strategy: the first method considers the largeness of the gap in the USVP problem (Gama-Nguyen, Eurocrypt’08) and the second method (Alkim et al., USENIX’16) considers the shortness of the projection of the shortest vector to the Gram-Schmidt vectors. These two estimates have been investigated by Albrecht et al. (Asiacrypt’16) who present a sound analysis and show that the lattice reduction experiments fit more consistently with the second estimate. They also observe that in some cases the lattice reduction even behaves better than the second estimate perhaps due to the second intersection of the projected vector with the Gram-Schmidt vectors. In this work, we revisit the work of Alkim et al. and Albrecht et al. We first report further experiments providing more comparisons and suggest that the second estimate leads to a more accurate prediction in practice. We also present empirical evidence confirming the assumptions used in the second estimate. Furthermore, we examine the gaps in USVP derived from the embedded lattice and explain why it is preferable to use μ= 1 for the embedded lattice. This shows there is a coherent relation between the second estimate and the gaps in USVP. Finally, it has been conjectured by Albrecht et al. that the second intersection will not happen for large parameters. We will show that this is indeed the case: there is no second intersection as β→ ∞.

AB - The learning with errors (LWE) problem (STOC’05) introduced by Regev is one of the fundamental problems in lattice-based cryptography. One standard strategy to solve the LWE problem is to reduce it to a unique SVP (USVP) problem via Kannan’s embedding and then apply a lattice reduction to solve the USVP problem. There are two methods for estimating the cost for solving LWE via this strategy: the first method considers the largeness of the gap in the USVP problem (Gama-Nguyen, Eurocrypt’08) and the second method (Alkim et al., USENIX’16) considers the shortness of the projection of the shortest vector to the Gram-Schmidt vectors. These two estimates have been investigated by Albrecht et al. (Asiacrypt’16) who present a sound analysis and show that the lattice reduction experiments fit more consistently with the second estimate. They also observe that in some cases the lattice reduction even behaves better than the second estimate perhaps due to the second intersection of the projected vector with the Gram-Schmidt vectors. In this work, we revisit the work of Alkim et al. and Albrecht et al. We first report further experiments providing more comparisons and suggest that the second estimate leads to a more accurate prediction in practice. We also present empirical evidence confirming the assumptions used in the second estimate. Furthermore, we examine the gaps in USVP derived from the embedded lattice and explain why it is preferable to use μ= 1 for the embedded lattice. This shows there is a coherent relation between the second estimate and the gaps in USVP. Finally, it has been conjectured by Albrecht et al. that the second intersection will not happen for large parameters. We will show that this is indeed the case: there is no second intersection as β→ ∞.

KW - LWE

KW - Lattice reduction

KW - Lattice-based cryptography

KW - USVP

UR - https://www.scopus.com/pages/publications/85069170828

U2 - 10.1007/978-3-030-23696-0_10

DO - 10.1007/978-3-030-23696-0_10

M3 - Conference contribution

AN - SCOPUS:85069170828

SN - 9783030236953

T3 - Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)

SP - 181

EP - 205

BT - Progress in Cryptology – AFRICACRYPT 2019 - 11th International Conference on Cryptology in Africa, Proceedings

A2 - Buchmann, Johannes

A2 - Nitaj, Abderrahmane

A2 - Rachidi, Tajjeeddine

PB - Springer Verlag

T2 - 11th International Conference on the Theory and Applications of Cryptographic Techniques in africa, Africacrypt 2019

Y2 - 9 July 2019 through 11 July 2019

ER -

Bai S, Miller S, Wen W. A refined analysis of the cost for solving lwe via usvp. Dans Buchmann J, Nitaj A, Rachidi T, rédacteurs en chef, Progress in Cryptology – AFRICACRYPT 2019 - 11th International Conference on Cryptology in Africa, Proceedings. Springer Verlag. 2019. p. 181-205. (Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)). doi: 10.1007/978-3-030-23696-0_10

A refined analysis of the cost for solving lwe via usvp

Résumé

Série de publications

Une conférence

Accès au document

Autres fichiers et liens

Empreinte digitale

Contient cette citation