Dissection-BKW

Andre Esser; Felix Heuer; Robert Kübler; Alexander May; Christian Sohler

Paper 2018/569

Dissection-BKW

Andre Esser, Felix Heuer, Robert Kübler, Alexander May, and Christian Sohler

Abstract

The slightly subexponential algorithm of Blum, Kalai and Wasserman (BKW) provides a basis for assessing LPN/LWE security. However, its huge memory consumption strongly limits its practical applicability, thereby preventing precise security estimates for cryptographic LPN/LWE instantiations. We provide the first time-memory trade-offs for the BKW algorithm. For instance, we show how to solve LPN in dimension $k$ in time $2^{\frac{4}{3} \frac{k}{\log k}}$ and memory $2^{\frac{2}{3} \frac{k}{\log k}}$ . Using the Dissection technique due to Dinur et al. (Crypto ’12) and a novel, slight generalization thereof, we obtain fine-grained trade-offs for any available (subexponential) memory while the running time remains subexponential. Reducing the memory consumption of BKW below its running time also allows us to propose a first quantum version QBKW for the BKW algorithm.

Metadata

Available format(s): PDF
Publication info: A major revision of an IACR publication in CRYPTO 2018
Keywords: Cryptanalysis LPN BKW algorithm Dissection Time-Memory Trade-Off
Contact author(s): andre esser @ rub de
History: 2018-06-05: received
Short URL: https://ia.cr/2018/569
License: CC BY

BibTeX

@misc{cryptoeprint:2018/569,
      author = {Andre Esser and Felix Heuer and Robert Kübler and Alexander May and Christian Sohler},
      title = {Dissection-{BKW}},
      howpublished = {Cryptology {ePrint} Archive, Paper 2018/569},
      year = {2018},
      url = {https://eprint.iacr.org/2018/569}
}