Learning with Errors Decoding
Authors
Abstract
The security of most public-key encryption schemes relies on the hardness of the learning with errors (LWE) problem – an average-case hard lattice problem introduced by Regev ([Reg05]). While LWE has been proved to be as hard as quantumly approximating the so-called Short Independent Vectors Problem, the parameters used in the proof are not suitable for practical reasons. This makes it difficult to assess the security of the proposed lattice-based schemes, and there have been a number of attempts to address this issue ([MR09], [RS10]). In the work of Lindner and Peikert ([LP11]), the authors analyze the concrete hardness of LWE instances by applying their bounded-distance decoding (with lattice basis reduction as a preprocessing step), tailored to the structure of LWE. Concretely, the Lindner-Peikert decoding algorithm can be viewed as a generalization of Babai's NearestPlane algorithm [Bab85]. The goal of all decoding algorithms is to find the closest lattice point to a given point in space. In a nutshell, Babai's algorithm projects the given point onto the closest hyperplane of the lattice, chooses the lattice point closest to the projection, and repeats the same procedure for the hyperplane and the lattice point, thus reducing the dimension by one. In [LP11], instead of iteratively projecting onto one closest plane, we project onto several close planes. Geometrically, the new algorithm extends the search space, giving us control over the approximation factor of the resulting output. This results in a parallelepiped-shaped search space, and we consider all lattice points that lie inside this parallelepiped as possible solutions. The main difference we propose is to transform this parallelepiped into an ellipsoid, thus taking into account the Gaussian nature of the LWE error and, at the same time, cutting off some vectors that are unlikely to be the solution. We also provide the asymptotic analysis for our algorithm and compare it with the NearestPlanes algorithm of [LP11].
LWE decoding problem. The search-LWE problem asks to find a secret vector $\mathbf{s}$ given polynomially many 'noisy' samples of the form $(\mathbf{A},\ \mathbf{t} = \mathbf{A}\mathbf{s} + \mathbf{e} \bmod q) \in \mathbb{Z}_q^{m \times n} \times \mathbb{Z}_q^m$, where n is the security parameter, q = poly(n), m = Ω(n) and e is a relatively short noise vector. The problem is an average-case Bounded Distance Decoding problem for the so-called q-ary lattice $\Lambda(\mathbf{A}) = \{\mathbf{z} \in \mathbb{Z}^m : \exists\, \mathbf{s} \in \mathbb{Z}_q^n \text{ s.t. } \mathbf{z} = \mathbf{A}\mathbf{s} \bmod q\}$.

Our results. The first main result of our work is the asymptotic analysis of the Lindner-Peikert NearestPlanes algorithm, which turns out to be slightly sub-exponential in the lattice dimension m. We analyze the algorithm under a specific choice of parameters with a polynomial number of samples. Our second contribution is a new EllipticNearestPlanes algorithm. As the name suggests, we use an ellipsoid-shaped search space to look for a candidate solution. Asymptotic analysis shows that it outperforms the Lindner-Peikert decoding attack. We also provide complexity estimates for concrete LWE instances, which agree with our theoretical results.
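The NearestPlane / NearestPlanes decoding described above, as an added example that is not the paper's code: Babai's algorithm is the special case where every level keeps a single plane, and NearestPlanes keeps d_i planes at level i. The toy LWE instance, the systematic-form basis of Λ(A) and all function names are constructed assumptions for illustration.

```python
from fractions import Fraction
def dot(u, v):
    return sum(Fraction(a) * Fraction(b) for a, b in zip(u, v))
def dist2(u, v):
    w = [a - b for a, b in zip(u, v)]
    return dot(w, w)
def gram_schmidt(B):
    # Exact Gram-Schmidt orthogonalisation of the basis rows of B.
    Bs = []
    for b in B:
        v = [Fraction(x) for x in b]
        for bs in Bs:
            mu = dot(b, bs) / dot(bs, bs)
            v = [vi - mu * bsi for vi, bsi in zip(v, bs)]
        Bs.append(v)
    return Bs
def nearest_planes(B, t, d):
    # Lindner-Peikert NearestPlanes: at level i keep the d[i] planes closest to the
    # target instead of only one (d = [1]*n is exactly Babai's NearestPlane).
    # Returns every candidate lattice point inside the resulting parallelepiped.
    Bs = gram_schmidt(B)
    def rec(t, i):
        if i < 0:
            return [[Fraction(0)] * len(t)]
        c = dot(t, Bs[i]) / dot(Bs[i], Bs[i])          # coordinate of t along b*_i
        r = round(c)
        ks = sorted(range(r - d[i], r + d[i] + 1), key=lambda k: abs(k - c))[:d[i]]
        out = []
        for k in ks:                                    # project onto plane number k
            rest = [ti - k * bi for ti, bi in zip(t, B[i])]
            out += [[vi + k * bi for vi, bi in zip(v, B[i])] for v in rec(rest, i - 1)]
        return out
    return rec([Fraction(x) for x in t], len(B) - 1)
def qary_basis(A2, q):
    # Assumed basis of Λ(A) for A = [I_n ; A2] in systematic form: z = (s, A2·s mod q).
    # The q·e_j rows go first so that the short Gram-Schmidt vectors are the last ones.
    n, k = len(A2[0]), len(A2)
    rows = [[0] * n + [q if j == i else 0 for j in range(k)] for i in range(k)]
    rows += [[1 if j == i else 0 for j in range(n)] + [A2[j][i] for j in range(k)] for i in range(n)]
    return rows
def decode_lwe(A2, t, q, d):
    # Return (s, squared distance) for the candidate lattice point closest to t.
    n = len(A2[0])
    best = min(nearest_planes(qary_basis(A2, q), t, d), key=lambda z: dist2(t, z))
    return [int(x) for x in best[:n]], int(dist2(t, best))

# Constructed toy instance (not from the paper): q=17, n=2, m=4, secret s=(4,9),
# A2=[[3,5],[7,11]] and error e=(1,-1,0,1), i.e. t = A·s + e mod q.
Q, A2, T = 17, [[3, 5], [7, 11]], [5, 8, 6, 9]
print(decode_lwe(A2, T, Q, [1, 1, 1, 1]))   # Babai: wrong secret, ([5, 8], 29)
print(decode_lwe(A2, T, Q, [1, 1, 3, 3]))   # three planes at the two short levels: ([4, 9], 3)
```

Because the last two Gram-Schmidt vectors of this basis have length 1, Babai's single plane cannot absorb an error of ±1 at those levels, while widening to three planes there enumerates 9 candidates and recovers the secret.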
Similar resources
Reading errors typology of Brazilian students considered good readers.
BACKGROUND Assessment of oral reading. AIM to characterize, according to the variables of public or private school and literacy, the types of errors in word reading presented by typical elementary/middle school students considered competent readers by their teachers. METHOD Participants of this study were 151 students with ages ranging between 8 and 12 years, from the 4th to the 7th grade o...
Decoding Random Binary Linear Codes in 2^{n/20}: How
Decoding random linear codes is a well studied problem with many applications in complexity theory and cryptography. The security of almost all coding and LPN/LWE-based schemes relies on the assumption that it is hard to decode random linear codes. Recently, there has been progress in improving the running time of the best decoding algorithms for binary random codes. The ball collision techniqu...
A reward-modulated Hebbian learning rule can explain experimentally observed network reorganization in a brain control task. Abbreviated title: Exploratory Hebbian Learning
It has recently been shown in a brain-computer interface experiment that motor cortical neurons change their tuning properties selectively to compensate for errors induced by displaced decoding parameters. In particular, it was shown that the 3D tuning curves of neurons whose decoding parameters were reassigned changed more than those of neurons whose decoding parameters had not been reassigned...
A reward-modulated Hebbian learning rule can explain experimentally observed network reorganization in a brain control task.
It has recently been shown in a brain-computer interface experiment that motor cortical neurons change their tuning properties selectively to compensate for errors induced by displaced decoding parameters. In particular, it was shown that the three-dimensional tuning curves of neurons whose decoding parameters were reassigned changed more than those of neurons whose decoding parameters had not ...
Syndrome decoding of Reed-Muller codes and tensor decomposition over finite fields
In this talk, we will look at decoding Reed-Muller codes beyond their minimum distance when the errors are random (i.e., in the binary symmetric channel). A recent beautiful result of Saptharishi, Shpilka and Volk showed that for binary Reed-Muller codes of length n and degree n O(1), one can correct polylog(n) random errors in poly(n) time (which is well beyond the worst-case error tolerance o...
DS CDMA Scheme for WLANs with Errors and Erasures Decoding
In the paper, we present simulation results for the 32-channel DS CDMA WLAN utilising modified Walsh-Hadamard spreading sequences. The method to obtain those spreading sequences is shown. The resultant system BER as well as the distribution of errors within frames is given. The obtained results indicate that with the application of a hybrid ARQ scheme with errors and erasures decoding, the numb...
Publication date: 2014