Memory-Efficient BKW Algorithm for Solving the LWE Problem

Yu Wei; Lei Bi; Xianhui Lu; Kunpeng Wang

Paper 2025/266

Memory-Efficient BKW Algorithm for Solving the LWE Problem

Yu Wei

, Institute of Information Engineering, CAS, Beijing, China, School of Cyber Security, University of Chinese Academy of Sciences, Beijing, China

Lei Bi, Institute of Information Engineering, CAS, Beijing, China, School of Cyber Security, University of Chinese Academy of Sciences, Beijing, China

Xianhui Lu, Institute of Information Engineering, CAS, Beijing, China, School of Cyber Security, University of Chinese Academy of Sciences, Beijing, China

Kunpeng Wang, Institute of Information Engineering, CAS, Beijing, China, School of Cyber Security, University of Chinese Academy of Sciences, Beijing, China

Abstract

The study of attack algorithms for the Learning with Errors (LWE) problem is crucial for the cryptanalysis of LWE-based cryptosystems. The BKW algorithm has gained significant attention as an important combinatorial attack for solving LWE. However, its exponential time and memory requirements severely limit its practical applications, even with medium-sized parameters. In this paper, we present a memory-efficient BKW algorithm for LWE, which extends Bogos's work [Asiacrypt'16] on the Learning Parity with Noise (LPN) problem. While their work improved efficiency, it overlooked the high memory demands of the BKW algorithm. We address this with two key improvements. First, we propose an efficient reduction technique for low-memory regimes, -sum-PCS-reduce, which combines the -sum technique with Parallel Collision Search (PCS) to achieve a better time-memory trade-off. Second, we present an improved memory-optimized finite automaton for our optimized BKW algorithm by incorporating several efficient memory-saving reduction techniques and pruning potential high-memory paths. Our algorithm, using graphs as a meta tool, can automatically identify the optimal reduction path within the graph, aiming to reduce both time and memory complexities. Compared to the state-of-the-art coded-BKW in the lattice-estimator, our algorithm achieves time complexity improvements ranging from to . Furthermore, memory complexity is improved, with reductions ranging from to .

Metadata

Available format(s): PDF
Category: Attacks and cryptanalysis
Publication info: A major revision of an IACR publication in PKC 2025
Keywords: Post-quantum cryptanalysis Learning with errors problem The BKW algorithm Time-memory trade-off
Contact author(s): weiyu @ iie ac cn
bilei @ iie ac cn
luxianhui @ iie ac cn
wangkunpeng @ iie ac cn
History: 2025-02-18: approved; 2025-02-18: received; See all versions
Short URL: https://ia.cr/2025/266
License: CC BY

BibTeX

@misc{cryptoeprint:2025/266,
      author = {Yu Wei and Lei Bi and Xianhui Lu and Kunpeng Wang},
      title = {Memory-Efficient {BKW} Algorithm for Solving the {LWE} Problem},
      howpublished = {Cryptology {ePrint} Archive, Paper 2025/266},
      year = {2025},
      url = {https://eprint.iacr.org/2025/266}
}