Cryptology ePrint Archive: Report 2012/636

On the Complexity of the BKW Algorithm on LWE

Martin R. Albrecht and Carlos Cid and Jean-Charles Faugère and Robert Fitzpatrick and Ludovic Perret

Abstract: This work presents a study of the complexity of the Blum-Kalai-Wasserman (BKW) algorithm when applied to the Learning with Errors (LWE) problem, by providing refined estimates for the data and computational effort requirements for solving concrete instances of the LWE problem. We apply this refined analysis to suggested parameters for various LWE-based cryptographic schemes from the literature and compare with alternative approaches based on lattice reduction. As a result, we provide new upper bounds for the concrete hardness of these LWE-based schemes. Rather surprisingly, it appears that BKW algorithm outperforms known estimates for lattice reduction algorithms starting in dimension n ≈ 250 when LWE is reduced to SIS. However, this assumes access to an unbounded number of LWE samples.

Category / Keywords: BKW, LWE, Lattice-based Cryptography

Date: received 8 Nov 2012, last revised 12 Jul 2013

Contact author: robert fitzpatrick 2010 at live rhul ac uk

Available format(s): PDF | BibTeX Citation

Note: Final version - accepted to Designs, Codes and Cryptography. Mainly stylistic revisions.

Version: 20130712:110002 (All versions of this report)

Short URL: ia.cr/2012/636

Discussion forum: Show discussion | Start new discussion