We provide for the first time an asymptotic comparison of all known algorithms for the search version of the Learning with Errors (LWE) problem. This includes an analysis of several lattice-based approaches as well as the combinatorial BKW algorithm. Our analysis of the lattice-based approaches defines a general framework, in which the algorithms of Babai, Lindner-Peikert and several pruning st...

Bounded Distance Decoding (BDD) is a basic lattice problem used in cryptanalysis: the security of most lattice-based encryption schemes relies on the hardness of some BDD, such as LWE. We study how to solve BDD using a classical method for finding shortest vectors in lattices: enumeration with pruning speedup, such as Gama-NguyenRegev extreme pruning from EUROCRYPT ’10. We obtain significant im...

This work presents a study of the complexity of the Blum-Kalai-Wasserman (BKW) algorithm when applied to the Learning with Errors (LWE) problem, by providing refined estimates for the data and computational effort requirements for solving concrete instances of the LWE problem. We apply this refined analysis to suggested parameters for various LWE-based cryptographic schemes from the literature ...

Sahai and Waters introduced a fuzzy id-based encryption (FIBE) scheme in which an identity was viewed as a set of descriptive attributes, and any user with a private key for an identity ID was allowed to decrypt a ciphertext encrypted with an identity ID′ , if and only if the identity ID and ID′were close to each other as measured by the “set overlap” distance metric. After that, Shweta Agrawal...

In this work we separate private-key semantic security from 1-circular security for bit encryption using the Learning with Error assumption. Prior works used the less standard assumptions of multilinear maps or indistinguishability obfuscation. To achieve our results we develop new techniques for obliviously evaluating branching programs.

In the learning parities with noise problem —well-studied in learning theory and cryptography— we have access to an oracle that, each time we press a button, returns a random vector a ∈ GF(2) together with a bit b ∈ GF(2) that was computed as a ·u+η, where u ∈ GF(2) is a secret vector, and η ∈ GF(2) is a noise bit that is 1 with some probability p. Say p = 1/3. The goal is to recover u. This ta...

In this paper, we consider a generic inexact subgradient algorithm to solve a nondifferentiable quasi-convex constrained optimization problem. The inexactness stems from computation errors and noise, which come from practical considerations and applications. Assuming that the computational errors and noise are deterministic and bounded, we study the effect of the inexactness on the subgradient ...

In this paper, we show that the SVD of a matrix can be constructed efficiently in a hierarchical approach. Our algorithm is proven to recover the singular values and left singular vectors if the rank of the input matrix A is known. Further, the hierarchical algorithm can be used to recover the d largest singular values and left singular vectors with bounded error. We also show that the proposed...

We introduce the notion of approximate-deterministic public key encryption (A-DPKE), which extends the notion of deterministic public key encryption (DPKE) by allowing the encryption algorithm to be “slightly” randomized. However, a ciphertext convergence property is required for A-DPKE such that the ciphertexts of a message are gathering in a small metric space, while ciphertexts of different ...