Coded-BKW: Solving LWE Using Lattice Codes
Qian Guo (1,2), Thomas Johansson (1), Paul Stankovski (1)
(1) Dept. of Electrical and Information Technology, Lund University; (2) School of Computer Science, Fudan University
CRYPTO 2015, August 17th, 2015
Outline
1 Introduction: The LWE Problem, Motivation, Related Works, Lattice Codes
2 The New Algorithm: Coded-BKW, New FFT Testing Technique
3 Results: Assumptions, Complexity, Results and Applications
4 Conclusions
Qian Guo, Thomas Johansson, Paul Stankovski, 2 / 24
Learning with Errors (LWE)
There is a secret vector $s \in \mathbb{Z}_q^n$. We then have access to an oracle (who knows $s$):
The LWE oracle with parameters $(n, q, \mathcal{X})$:
1. Uniformly picks $r$ from $\mathbb{Z}_q^n$.
2. Picks a 'noise' $e \leftarrow \mathcal{X}$.
3. Outputs the pair $(r, v = \langle r, s\rangle + e)$ as a sample.
Binary-LWE: the secret $s$ is in $\{0,1\}^n$ or a small interval.
The search problem (informal): find $s$ after collecting enough samples.
Error distribution $\mathcal{X}_{\alpha q}$: discrete Gaussian over $\mathbb{Z}_q^n$ with mean 0 and standard deviation $\alpha q$.
Motivation
- LWE's claim to fame:
  - A generalization of Learning Parity with Noise (LPN). LPN: $q = 2$ and the noise distribution is a Bernoulli one.
  - Known to be as hard as worst-case hard lattice problems.
  - Efficient cryptographic primitives.
  - Extremely versatile, e.g., Fully Homomorphic Encryption (FHE) schemes.
  - Post-quantum cryptography.
- Complexity of solving LWE?
  - Especially for practical security. Say, how to choose the smallest parameters for a security level (e.g., 80-bit security)?
Solving Algorithms
Mainly three types:
1. Reduce to lattice problems.
   - Short Integer Solution (SIS) problem
   - Bounded Distance Decoding (BDD) problem
2. Arora-Ge [AroraGe11]: performs asymptotically well, but not practically.
3. BKW (footnote 1).
Footnote 1: an unbounded number of samples is provided.
The BKW Algorithm
The BKW (Blum, Kalai, and Wasserman) algorithm:
- Originally proposed for solving LPN.
- The best asymptotic algorithm, with sub-exponential complexity $2^{O(n/\log n)}$ for LPN (exponential for LWE).
- Main idea:
  - Divide the length-$n$ vector $r$ into $a$ parts, each of size $b = \lceil n/a \rceil$.
  - Merge and sort (called one BKW step), a trade-off:
    - Store all the samples.
    - Sort according to the bottom $b$ entries of the vector $r$.
    - Subtract samples in the same partition:
      $v_1 = \langle [r_1, r_0], s\rangle + e_1$, $v_2 = \langle [r_2, r_0], s\rangle + e_2$,
      $v_1 - v_2 = \langle [r_1 - r_2, 0], s\rangle + e_1 - e_2$.
  - Do $a - 1$ BKW steps iteratively to zero out the bottom $a - 1$ blocks.
Related Works
(Timeline figure with the labels [BKW03], [LF06], [ACFFP13], [BL13/Kirchner11], [GJL14], [DTV15], [AFFP14].)
LPN:
- [BlumKalaiWasserman03]
- [LevieilFouque06]: add the Fast Walsh-Hadamard transform (FWHT).
- [BernsteinLange13/Kirchner11]: secret-error transformation for LPN.
- [GuoJohanssonLöndahl14]: subspace hypothesis testing using covering codes.
LWE:
- [BlumKalaiWasserman03]
- [AlbrechtCidFaugèreFitzpatrickPerret13]: apply BKW for solving LWE.
- [ApplebaumCashPeikertSahai09]: secret-error transformation for LWE.
- [AlbrechtFaugèreFitzpatrickPerret14]: introduce the lazy modulus switching technique; the best known BKW-type binary-LWE solver.
- [DucTramèrVaudenay15]: add the Fast Fourier transform (FFT); the best known BKW-type LWE solver.
Lattice Codes
1. Lattices are the Euclidean-space counterpart of binary linear codes in Hamming space.
2. A narrow class: lattices associated with a code, especially those constructed based on Construction A.
   - Let $\mathcal{C}$ be a $q$-ary linear code.
   - Construct a lattice over this code: $\Lambda(\mathcal{C}) = \{\lambda \in \mathbb{R}^n : \lambda \equiv c \bmod q,\ c \in \mathcal{C}\}$.
Why lattice codes?
1. Better shaping (footnote 2).
2. Theory for estimating the noise variance when using $q$-ary linear codes (e.g., the subspace hypothesis testing technique).
Footnote 2: compared with the work [AlbrechtFaugèreFitzpatrickPerret14], in which they use $n$-cube quantization.
Second moment
The second moment of $\Lambda$ is defined as the second moment per dimension of a uniform distribution over its fundamental region $\mathcal{V}$, i.e.,
$$\sigma^2 = \frac{E[\|e\|^2]}{N} = \frac{1}{N}\int_{\mathcal{V}} \|x\|^2\, \frac{1}{\mathrm{Vol}(\mathcal{V})}\,dx. \quad (1)$$
The New Algorithm (footnote 2)
Main Steps:
1. Gaussian elimination: make the secret $s$ follow the noise distribution.
2. $t_1$ standard BKW reductions: zero out the bottom $t_1 b$ entries of $r$.
3. $t_2$ coded-BKW reductions: make the next bottom $n_{cod}$ entries of $r$ small.
4. Partial guessing: exhaust the top $n_{top}$ entries of $s$ with absolute value less than $d$.
5. Subspace hypothesis testing using a $q$-ary $[n_{test}, l]$ linear code.
(Figure labels: Rows $[1, n]$; Guessing part $n_{top}$; Code length $n_{test}$; Length $n_{cod}$; BKW part, length $t_1 b$.)
Footnote 2: we can modify the algorithm slightly for an efficient binary-LWE solver.
Coded-BKW
- Recall standard BKW: use $(q^b - 1)/2$ partitions to zero out $b$ positions.
- New idea: use a $q$-ary linear code with parameters $[N_i, b]$ for each reduction step (footnote 3).
- Rewrite $r_I = c_I + e_I$. Thus,
  $$\langle s_I, r_I\rangle = \langle s_I, c_I\rangle + \langle s_I, e_I\rangle.$$
- Summing or subtracting two vectors mapped to the same codeword will cancel out the first part.
Advantage: use $(q^b - 1)/2$ partitions to make $N_i$ entries small (footnote 4). ($N_i > b$)
Footnote 3: a generalization: standard BKW can be viewed as coded-BKW using a $[b, b]$ trivial code.
Footnote 4: the remaining noise is controllable.
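The following Python is an added example, not code from the paper: it runs one standard BKW step and one coded-BKW step on toy LWE samples (q = 101, n = 3, a small Gaussian-shaped secret, and a [2,1] code with generator (1, 10), all constructed choices) so that the trade-off above can be measured. The standard step zeroes one entry of r while doubling the noise variance; the coded step uses the same q partitions to make two entries small, and the extra noise it leaves is compared with the variance theorem and with the q/12 second moment (G = 1/12) that is checked under Assumption Two.

```python
import random
from collections import defaultdict

q, n, sigma = 101, 3, 1.0  # toy LWE parameters (constructed)
G_CODE = 10  # [2,1] code over Z_q with generator (1, 10), an assumption chosen so the
             # Construction-A lattice has orthogonal basis (1,10),(10,-1): square cell, G = 1/12

def centered(x):
    """Representative of x mod q in (-q/2, q/2]."""
    x %= q
    return x - q if x > q // 2 else x

def lwe_samples(s, m, rng):
    """LWE oracle: r uniform in Z_q^n, v = <r, s> + e with e a rounded Gaussian."""
    out = []
    for _ in range(m):
        r = [rng.randrange(q) for _ in range(n)]
        e = round(rng.gauss(0, sigma))
        out.append((r, (sum(a * b for a, b in zip(r, s)) + e) % q))
    return out

def decode(x1, x2):
    """Information symbol m of the codeword (m, 10m) nearest to (x1, x2)."""
    return min(range(q), key=lambda m: centered(x1 - m) ** 2 + centered(x2 - G_CODE * m) ** 2)

def reduce_step(samples, key_fn):
    """One merge-and-sort step: partition by key_fn(r) and subtract every sample from
    the first one of its partition, giving v1 - v2 = <r1 - r2, s> + e1 - e2."""
    parts = defaultdict(list)
    for r, v in samples:
        parts[key_fn(r)].append((r, v))
    out = []
    for grp in parts.values():
        r0, v0 = grp[0]
        out += [([(a - b) % q for a, b in zip(r, r0)], (v - v0) % q) for r, v in grp[1:]]
    return out

def standard_bkw_step(samples):  # q partitions keyed on the last entry, which becomes 0
    return reduce_step(samples, lambda r: r[-1])
def coded_bkw_step(samples):  # q partitions (one per codeword): the last TWO entries get small
    return reduce_step(samples, lambda r: decode(r[-2], r[-1]))

def noise_stats(samples, s, reduced):
    """(max |r_i| over the reduced positions, their mean r_i^2, variance of the noise
    seen when those positions are treated as zero, i.e. e1 - e2 + <r_I, s_I>)."""
    res = [centered(r[i]) for r, _ in samples for i in reduced]
    keep = [i for i in range(n) if i not in reduced]
    err = [centered(v - sum(r[i] * s[i] for i in keep)) for r, v in samples]
    return max(map(abs, res)), sum(x * x for x in res) / len(res), sum(e * e for e in err) / len(err)

def demo(seed=1):
    rng = random.Random(seed)
    s = [round(rng.gauss(0, sigma)) for _ in range(n)]  # small, noise-shaped secret
    samples = lwe_samples(s, 4000, rng)
    std = noise_stats(standard_bkw_step(samples), s, [n - 1])
    cod = noise_stats(coded_bkw_step(samples), s, [n - 2, n - 1])
    # Variance theorem of the slides: coding noise variance = ||s_I||^2 * sigma_set^2 with
    # sigma_set^2 = 2 * sigma_Lambda^2 and sigma_Lambda^2 = G * Vol(V)^(2/N) = q/12 here.
    predicted = 2 * sigma ** 2 + 2 * (q / 12) * sum(s[i] ** 2 for i in (n - 2, n - 1))
    return s, std, cod, predicted
```

With the reduced entries treated as zero, the standard step's noise variance stays near 2σ², while the coded step's variance follows ‖s_I‖²σ²_set on top of it, which is the trade-off the code length N_i has to balance.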
Coded-BKW
Noise formula:
$$e = \sum_{j=1}^{2^t} e_{i_j} + \sum_{i=1}^{n} s_i\left(\delta_i^{I_1} E_i^{(1)} + \delta_i^{I_2} E_i^{(2)} + \cdots + \delta_i^{I_{t_2}} E_i^{(t_2)}\right), \quad (2)$$
where $E_i^{(h)} = \sum_{j=1}^{2^{t_2-h+1}} e_{i_j}^{(h)}$ and $e_{i_j}^{(h)}$ is the coding noise introduced in the $h$-th coded-BKW reduction.
- A noise tower.
- Preset a variance value $\sigma^2_{set}$.
  1. Make the contribution of each $E_i^{(h)}$ the same.
  2. $\sigma^2_{set} = 2^{t_2 - i + 1}\,\sigma^2_{\Lambda_{N_i, b}}$.
  3. A better trade-off compared with [AlbrechtFaugèreFitzpatrickPerret14].
  4. Bound the noise.
Variance Estimation
Theorem. Assume that good (footnote 5) lattice codes are employed. Let the noise level introduced by coding be $\sigma_{set}$. Then the variance of the total coding noise is $\|s_{tot}\|^2\,\sigma^2_{set}$, where the vector (footnote 6) $s_{tot}$ is the sub-vector of $s$ whose corresponding entries in $r$ are reduced by using lattice codes.
Footnote 5: this means that the fundamental regions are spherical.
Footnote 6: its length is $n_{tot} = n_{cod} + n_{test}$.
Determine the Code Length
$$\sigma^2_{set} = 2^{t_2 - i + 1}\,\sigma^2_{\Lambda_{N_i, b}}$$
Compute the second moment of $\Lambda$:
- $\sigma^2 = G(\Lambda)\cdot \mathrm{Vol}(\mathcal{V})^{2/N}$, where $G(\Lambda)$ is called the normalized second moment.
- $\frac{1}{2\pi e} < G(\Lambda_{N,k}) \le \frac{1}{12}$.
- For a lattice built from an $[N, k]$ linear code by Construction A, the volume of $\mathcal{V}$ is $q^{N-k}$.
To determine $N_i$:
$$\sigma^2_{set} = 2^{t_2 - i + 1}\, G_{\Lambda_{N_i,b}}\, q^{2(1 - b/N_i)}.$$
- $n_{cod} = \sum_{i=1}^{t_2} N_i$.
Subspace Hypothesis Testing
- Use a polynomial $H_y(X)$ in the quotient ring $\mathbb{Z}[X]/(X^q - 1)$ to record the occurrences.
- The right guess: the polynomial $H_y(X)$ will record the occurrences of the error symbols, which are discrete Gaussian distributed; otherwise: uniformly distributed.
- A [DTV15]-style FFT distinguisher:
  - Use one FFT to compute $H_y(\omega)$, where $\omega = e^{2\pi i/q}$ and $i = \sqrt{-1}$.
  - Return $\arg\max_y \Re(H_y(\omega))$.
New solution:
- Evaluate $q$ values of the polynomial $H_y(X)$ at the $q$ different points $(1, \omega, \omega^2, \ldots, \omega^{q-1})$ by using $q$ FFTs.
- Interpolate the polynomial $H_y(X)$.
Subspace Hypothesis Testing
Comments:
- Less efficient by a factor of $q$, but this does not affect the final complexity much.
- Maximum likelihood (ML) testing:
  - Applicable to other error distributions.
  - Potential improvements from using advanced ML testing techniques, e.g., list-decoding, using soft information, etc.
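An added example, not the paper's own code, of the subspace hypothesis test described on the two slides above and in the appendix: constructed reduced samples are grouped by the nearest codeword of a toy systematic [2,1] code over Z_37 (generator (1, 6), an assumption), H_y(X) is built from the h_u(X) counting polynomials by cyclic shifts, and the [DTV15] statistic Re(H_y(omega)) is compared with the ML score over the full coefficient vector. Evaluation at the q points and interpolation are written as a direct DFT because q is tiny; an FFT computes the same values.

```python
import cmath, math, random
from collections import defaultdict

q, ntest, sigma = 37, 2, 1.0  # toy parameters (constructed): modulus, tested entries, noise std
GEN = [1, 6]  # [2,1] systematic code c = u*(1,6) mod q (assumption); its Construction-A lattice has orthogonal basis (1,6),(6,-1), so G = 1/12
omega = cmath.exp(2j * math.pi / q)  # primitive q-th root of unity

def centered(x):
    x %= q
    return x - q if x > q // 2 else x

def nearest_info(a):
    """Information symbol u of the codeword u*GEN nearest to a (brute force over Z_q)."""
    return min(range(q), key=lambda u: sum(centered(x - u * g) ** 2 for x, g in zip(a, GEN)))

def count_polys(samples):
    """h_u(X) as a length-q coefficient list: entry j counts z' = j over the samples in L(c_u)."""
    h = defaultdict(lambda: [0] * q)
    for a, z in samples:
        h[nearest_info(a)][z] += 1
    return h

def H(h, y):
    """H_y(X) = sum_u h_u(X) X^(-yu) in Z[X]/(X^q - 1): the cyclic shift by -yu makes
    coefficient j count the samples with z' - y*u = j, the error value under hypothesis y."""
    out = [0] * q
    for u, coeffs in h.items():
        for j, c in enumerate(coeffs):
            out[(j - y * u) % q] += c
    return out

def evaluate(coeffs, k):
    """Polynomial value at omega^k (direct DFT here; one FFT yields all k at once)."""
    return sum(c * omega ** (k * j) for j, c in enumerate(coeffs))

def interpolate(values):
    """Recover the q coefficients from the values at 1, omega, ..., omega^(q-1)."""
    return [round(sum(v * omega ** (-k * j) for k, v in enumerate(values)).real / q) for j in range(q)]

def dtv15_score(coeffs):  # [DTV15]-style statistic: Re(H_y(omega))
    return evaluate(coeffs, 1).real
def ml_score(coeffs, sig):  # log-likelihood of the counts under a discrete Gaussian of std sig
    return sum(c * -(centered(j) ** 2) / (2 * sig ** 2) for j, c in enumerate(coeffs))

def run_test(samples, sig):
    """(argmax_y of the DTV15 statistic, argmax_y of the ML score), y ranging over Z_q."""
    h = count_polys(samples)
    hy = {y: H(h, y) for y in range(q)}  # with an FFT: evaluate at every omega^k, then interpolate
    return (max(range(q), key=lambda y: dtv15_score(hy[y])),
            max(range(q), key=lambda y: ml_score(hy[y], sig)))

def demo(seed=3, m=300):
    """Constructed samples z' = <a', s> + e with small s; y* = <GEN, s> mod q is the right
    hypothesis because z' - y* u = <a' - c, s> + e is small for samples decoded to c = u*GEN."""
    rng, s = random.Random(seed), [1, -1]
    samples = [(a, (sum(x * t for x, t in zip(a, s)) + round(rng.gauss(0, sigma))) % q)
               for a in ([rng.randrange(q) for _ in range(ntest)] for _ in range(m))]
    true_y = sum(g * t for g, t in zip(GEN, s)) % q
    sig = math.sqrt(sigma ** 2 + (q / 12) * sum(t * t for t in s))  # noise plus coding noise
    return true_y, run_test(samples, sig)
```

For the correct hypothesis the coefficient vector of H_y is a narrow Gaussian-shaped histogram around 0, so both statistics pick it out; for every other y the histogram is flat.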
Assumptions
Assumption One: the noise variable is (approximately) discrete Gaussian distributed.
1. Follows the previous research line; intuition from the central limit theorem (CLT).
2. Our experiments verify this assumption.
(Figure: histogram of the observed error distribution.)
Assumptions
Assumption Two: the theory of lattice codes is accurate.
1. In the fundamental region: uniform over integer points versus uniform continuously.
2. We numerically verify it: the computed $G$ behaves as expected.

q          631                          2053                         16411
code       [2,1]    [3,1]    [4,1]      [2,1]    [3,1]    [4,1]      [2,1]     [3,1]
E[‖e‖²]    101.26†  1277.29† 4951.53    329.24†  6185.67  29107.73   2631.99†  99166.25
1/G        12.46    12.71    12.80      12.47    12.65    12.78      12.47     12.62

The value with a † sign means that it is optimal.
Complexity
The complexity consists of two parts (footnote 7):
1. Inner complexity $C_{one\text{-}iteration}$: the accumulated complexity of all the steps.
2. The success probability of one iteration:
   - Guessing probability $F_g$: the probability that all the top $n_{top}$ entries of $s$ have an absolute value less than $d$.
   - Testing probability $F_t$: the probability that the Euclidean length of the vector $s_{tot}$ is bounded correctly.
(Figure labels: Rows $[1, n]$; Guessing part $n_{top}$; Code length $n_{test}$; Length $n_{cod}$; BKW part, length $t_1 b$.)
Footnote 7: for any $\gamma \ge 1$, $\Pr[\|v\| > \gamma\sigma\sqrt{n};\ v \xleftarrow{\$} D_{\mathbb{Z}^n,\sigma}] < \left(\gamma e^{(1-\gamma^2)/2}\right)^n$. [Lyu12]
Complexity Formula
Theorem (informal). The complexity of the new algorithm is
$$C = \frac{C_{one\text{-}iteration}}{F_g \cdot F_t}. \quad (3)$$
The required number of samples $M$ for testing is set to be (footnote 8)
$$M = \frac{4\ln\big((2d+1)^{n_{top}} q^l\big)}{\Delta(\mathcal{X}_{\sigma_{final}} \,\|\, U)},$$
where $U$ is the uniform distribution on $\mathbb{Z}_q$ and $\sigma^2_{final} = 2^{t_1 + t_2}\sigma^2 + \gamma^2\sigma^2\sigma^2_{set} n_{tot}$. Thus, the number of calls to the LWE oracle is
$$m = \frac{(t_1 + t_2)(q^b - 1)}{2} + M.$$
Footnote 8: the constant factor in the formula is chosen as 4. The divergence $\Delta(\mathcal{X}_{\sigma_{final}} \| U)$ will be computed numerically.
Results
Table: Time complexity comparison for solving various LWE instances. Complexity is given as $\log_2$ of the number of $\mathbb{Z}_q$ operations.

                     n    q        σ      This paper  [DTV15]  NTL-BKZ (LP model)  BKZ 2.0 (simulator model)
[Regev05]            128  16,411   11.81  84.5        95.0     61.6                61.9
                     256  65,537   25.53  145.1       178.7    175.5               174.5
                     512  262,147  57.06  287.6       357.5    386.8               518.6
[LindnerPeikert11]   128  2,053    2.70   69.7        83.7     54.5                57.1
                     256  4,099    3.34   123.8       154.2    156.2               151.2
                     512  4,099    2.90   209.2       271.8    341.9               424.5

- Works well for both LWE and binary-LWE.
- The table shows results for solving various classic LWE parameters.
- The improvement is significant when $n$ is large.
- For example, we gain a factor of almost $2^{70}$ when solving the Regev instance with $n = 512$.
Results
- For recently proposed ring-LWE based cryptosystems, some should increase their security parameters.
- For example, the ones ([GFSBH12] [RVMCV14] [DRVV15]) employing ring-LWE (256, 7681, 4.51) (ring-LWE (512, 12289, 4.86)) for 128 (256)-bit security.
Results
Pessimistic results: upper bound of the worst-case complexity.
- We set $G = 1/12$ and it is LF1 type.
- Actual performance will be better.
  - Many heuristics, e.g., the hybrid, LF2, unnatural selection (pruning), etc.
  - Adopting the hybrid and LF2 heuristics, we solve the Regev instance with $n = 512$ in $2^{271}$ $\mathbb{Z}_q$ operations.
Simulations
Figure: number of eliminated rows (x-axis, 15 to 60) vs. $\log_2$ of the error variance (y-axis, 5 to 20); curves: variance roof, standard BKW, coded-BKW theory, coded-BKW simulation, w/ unnatural selection.
- A toy example to show the improved trade-off using lattice codes.
- $(q, \sigma, \#\text{samples}) = (2053, 2.70, 2^{25})$.
- Four standard 2-row BKW steps were used initially, followed by three iterations each of [3,2]-, [4,2]-, [5,2]- and [6,2]-coding steps.
Conclusions
1. We present a new LWE solver which is the state of the art when the dimension $n$ is large enough, for some parameter settings.
   - Proposing a new reduction variant, coded-BKW, by using lattice codes.
   - Combining most of the recently developed techniques for LPN and applying them to solving LWE.
   - Carefully varying the code rate for a better trade-off. (See also the next talk.)
2. We also give a new subspace hypothesis testing technique using FFT, which is a Maximum Likelihood (ML) testing.
Thank you for your attention!
Questions?
Variance Estimation
Lemma. For one good lattice code with length $N$, let the vector $(s_1, s_2, \ldots, s_N)$ be the information sub-vector corresponding to the code and let $e = (e_1, e_2, \ldots, e_N)$ denote the error vector. Denote $Y = \sum_{i=1}^N s_i e_i$; then $\mathrm{Var}[Y] = \sum_{i=1}^N s_i^2\, \frac{E[\|e\|^2]}{N}$.
Sketch of proof. W.l.o.g., assume that the volume of $\mathcal{V}$ is 1. The LHS is
$$E\Big[\Big(\sum_{i=1}^N s_i e_i\Big)^2\Big] = \int_{\mathcal{V}} \Big(\sum_{i=1}^N s_i^2 e_i^2 + \sum_{1 \le i < j \le N} 2 s_i s_j e_i e_j\Big)\,dV \quad (4)$$
$$= \int_{\mathcal{V}} \sum_{i=1}^N s_i^2 e_i^2\,dV = \sum_{i=1}^N s_i^2 \int_{\mathcal{V}} e_i^2\,dV. \quad (5)$$
Each $\int_{\mathcal{V}} e_i^2\,dV$ is equal to $\frac{E[\|e\|^2]}{N}$.
Subspace Hypothesis Testing
- Use a polynomial in the quotient ring $\mathbb{Z}[X]/(X^q - 1)$ to record the occurrences.
- Employ an $[n_{test}, l]$ systematic linear code, group the samples $(a'_i, z'_i)$ in sets $L(c_i)$ and define the function $f_L^{c_i}(X)$ as
  $$f_L^{c_i}(X) = \sum_{(a'_i, z'_i) \in L(c_i)} X^{z'_i \pmod q}.$$
- Rewrite $f_L^{c_i}(X)$ as a function of the information part $u$ of the codeword $c_i$, denoted by $h_u(X) = f_L^{c_i}(X)$.
- Define $H_y(X) = \sum_{u \in \mathbb{Z}_q^l} h_u(X)\cdot X^{-\langle y, u\rangle}$.
Complexity Formula
1. $F_g = (P(d))^{n_{top}}$, where (footnote 9) $P(d) > \mathrm{erf}\!\left(\frac{d}{\sqrt{2}\,\sigma}\right)$.
2. We preset a value $\gamma\sqrt{n_{tot}}\,\sigma$ to bound the Euclidean length of $s_{tot}$. Then the probability $F_t$ is lower bounded (footnote 10) by $1 - \left(\gamma e^{(1-\gamma^2)/2}\right)^{n_{tot}}$.
Footnote 9: erf is the error function $\mathrm{erf}(x) = \frac{2}{\sqrt{\pi}}\int_0^x e^{-t^2}\,dt$. This formula upper bounds the complexity.
Footnote 10: for any $\gamma \ge 1$, $\Pr[\|v\| > \gamma\sigma\sqrt{n};\ v \xleftarrow{\$} D_{\mathbb{Z}^n,\sigma}] < \left(\gamma e^{(1-\gamma^2)/2}\right)^n$. [Lyu12]
Error Shape
Figure: $q = 631$, storage size $= 2^{22}$, error distribution after 21 eliminated rows.
Error Shape
Figure: $q = 631$, storage size $= 2^{22}$, error distribution after 25 eliminated rows.