Results 1 
2 of
2
P.: An improved BKW algorithm for LWE with applications to cryptography and lattices
 In: CRYPTO
, 2015
"... Abstract. In this paper, we study the Learning With Errors problem and its binary variant, where secrets and errors are binary or taken in a small interval. We introduce a new variant of the Blum, Kalai and Wasserman algorithm, relying on a quantization step that generalizes and finetunes modulus s ..."
Abstract

Cited by 2 (0 self)
 Add to MetaCart
Abstract. In this paper, we study the Learning With Errors problem and its binary variant, where secrets and errors are binary or taken in a small interval. We introduce a new variant of the Blum, Kalai and Wasserman algorithm, relying on a quantization step that generalizes and finetunes modulus switching. In general this new technique yields a significant gain in the constant in front of the exponent in the overall complexity. We illustrate this by solving within half a day a LWE instance with dimension n = 128, modulus q = n2, Gaussian noise α = 1/( n/π log2 n) and binary secret, using 228 samples, while the previous best result based on BKW claims a time complexity of 274 with 260 samples for the same parameters. We then introduce variants of BDD, GapSVP and UniqueSVP, where the target point is required to lie in the fundamental parallelepiped, and show how the previous algorithm is able to solve these variants in subexponential time. Moreover, we also show how the previous algorithm can be used to solve the BinaryLWE problem with n samples in subexponential time 2(ln 2/2+o(1))n / log logn. This analysis does not require any heuristic assumption, contrary to other algebraic approaches; instead, it uses a variant of an idea by Lyubashevsky to generate many samples from a small number of samples. This makes it possible to asymptotically and heuristically break the NTRU cryptosystem in subexponential time (without contradicting its security assumption). We are also able to solve subset sum problems in subexponential time for density o(1), which is of independent interest: for such density, the previous best algorithm requires exponential time. As a direct application, we can solve in subexponential time the parameters of a cryptosystem based on this problem proposed at TCC 2010. 1
Tesla: Tightlysecure efficient signatures from standard lattices. Cryptology ePrint Archive, Report 2015/XXX
, 2015
"... Abstract. Generally, latticebased cryptographic primitives offer good performance and allow for strong security reductions. However, the most efficient current latticebased signature schemes sacrifice (part of its) security to achieve good performance: first, security is based on ideal lattice pr ..."
Abstract

Cited by 1 (0 self)
 Add to MetaCart
(Show Context)
Abstract. Generally, latticebased cryptographic primitives offer good performance and allow for strong security reductions. However, the most efficient current latticebased signature schemes sacrifice (part of its) security to achieve good performance: first, security is based on ideal lattice problems, that might not be as hard as standard lattice problems. Secondly, the security reductions of the most efficient schemes are nontight; hence, their choices of parameters offer security merely heuristically. Moreover, latticebased signatures are instantiated for classical adversaries, although they are based on presumably quantum hard problems. Yet, it is not known how such schemes perform in a postquantum world. We bridge this gap by proving the latticebased signature scheme TESLA to be tightly secure based on the learning with errors problem over standard lattices in the random oracle model. As such, we improve the security of the original proposal by Bai and Galbraith (CTRSA’14) twofold; we tighten the security reduction and we minimize the underlying security assumptions. Remarkably, by enhancing the security we can improve TESLA’s performance by a factor of two. Furthermore, we are first to propose parameters providing a security of 128 bits against both classical and quantum adversaries for a latticebased signature scheme. Our implementation of TESLA competes well with stateoftheart latticebased signatures and SPHINCS (EUROCRYPT’15), the only signature scheme instantiated with quantumhard parameters thus far.