2.1 Notation

We follow the notation used by Albrecht, Player and Scott [4]. Logarithms are base 2 if not indicated otherwise. We write ln⁡(⋅) to indicate the use of the natural logarithm. Column vectors are denoted by lowercase bold letters and matrices by uppercase bold letters. Let 𝐚 be a vector then we denote the i-th component of 𝐚 by 𝐚(i). We write 𝐚i for the i-th vector of a list of vectors. Moreover, we denote the concatenation of two vectors 𝐚 and 𝐛 by 𝐚∥𝐛=(𝐚(1),…,𝐚(n),𝐛(1),…,𝐛(n)) and 𝐚⋅𝐛=∑i=1n𝐚(i)⁢𝐛(i) is the usual dot product. We denote the euclidean norm of a vector 𝐯 with ∥𝐯∥.

With Dℤ,α⁢q we denote the discrete Gaussian distribution over ℤ with mean zero and standard deviation σ=α⁢q2⁢π. For a finite set S, we denote sampling the element s uniformly from S with s←$S. Let χ be a distribution over ℤ; then we write x←χ if x is sampled according to χ. Moreover, we denote sampling each coordinate of a matrix 𝐀∈ℤm×n with distribution χ by 𝐀←χm×n with m,n∈ℤ>0.

2.2 Lattices

For definitions of a lattice L, its rank, its bases, and its determinant det⁢(L) we refer to [4]. For a matrix 𝐀∈ℤqm×n, we define the lattices

The distance between a lattice L and a vector 𝐯∈ℝm is defined as

Furthermore, the i-th successive minimum λi⁢(L) of the lattice L is defined as the smallest radius r such that there are i linearly independent vectors of norm at most r in the lattice. Let L be an m-dimensional lattice. Then the Gaussian heuristic is given as

and the Hermite factor of a basis is given as

where 𝐯 is the shortest non-zero vector in the basis. The Hermite factor describes the quality of a basis, which, for example, may be the output of a basis reduction algorithm. We call δ0 the root-Hermite factor and log⁡δ0 the log-root-Hermite factor.

At last we define the fundamental parallelepiped as follows. Let 𝐗 be a set of n vectors 𝐱i. The fundamental parallelepiped of 𝐗 is defined as

2.3 The LWE problem and solving strategies

In the following we recall the definition of LWE.

In Regev’s original definition of LWE, the attacker has access to arbitrary many LWE samples, which means that χ𝐬,α is seen as an oracle that outputs samples at will. If the maximum number of samples available is fixed, we can write them as a fixed set of m>0∈ℤ samples

often written as matrix (𝐀,𝐜)∈ℤqm×n×ℤqm with 𝐜=𝐀𝐬+𝐞modq. We call 𝐀sample matrix.

In the original definition, 𝐬 is sampled uniformly at random in ℤqn. At the loss of n samples, an LWE instance can be constructed where the secret 𝐬 is distributed as the error 𝐞 (see [7]).

Two characterizations of LWE are considered in this work: (1) the generic characterization by n,α,q, where the coefficients of secret and error are chosen according to the distribution Dℤ,α⁢q, and (2) LWE with small secret, i.e., the coefficients of the secret vector are chosen according to a distribution over a small set, e.g., I={0,1}; the error is again chosen with distribution Dℤ,α⁢q.

The Lenstra–Lenstra–Lovász algorithm.

Let L be a lattice with basis 𝐁={𝐛0,…,𝐛n-1}. Furthermore, let 𝐁*={𝐛0*,…,𝐛n-1*} be the Gram–Schmidt basis with Gram–Schmidt coefficients

Let ϵ>0. Then the runtime of the LLL algorithm is determined by 𝒪⁢(n5+ϵ⁢log2+ϵ⁡B) with B>∥𝐛i∥ for all i with 0≤i≤n-1. Additionally, an improved variant, called L2, exists, whose runtime is estimated to be 𝒪⁢(n5+ϵ⁢log⁡B+n4+ϵ⁢log2⁡B), see [29]. Furthermore, a runtime 𝒪⁢(n3⁢log2⁡B) is estimated heuristically, see [14]. The first vector of the output basis is guaranteed to satisfy ∥𝐛0∥≤(43+ϵ)n-12⋅λ1⁢(L) with ϵ>0.

The Blockwise Korkine–Zolotarev algorithm.

The BKZ algorithm employs an algorithm to solve several SVP instances of smaller dimension, which can be seen as an SVP oracle. The SVP oracle can be implemented by computing the Voronoi cells of the lattice, by sieving, or by enumeration. During BKZ several BKZ rounds are done. In each BKZ round an SVP oracle is called several times to receive a better basis after each round. The algorithm terminates when the quality of the basis remains unchanged after another BKZ round. The difference between BKZ and BKZ 2.0 are the usage of extreme pruning [19], early termination, limiting the enumeration radius to the Gaussian Heuristic, and local block pre-processing [14].

There exist several practical estimations of the runtime tBKZ of BKZ in the literature. Some of these results are listed in the following. Our firstly mentioned estimation is based on Lindner and Peikert’s [26] estimation. Originally, Linder and Peikert’s estimates were extrapolated from experimental data computed on a machine that run at 2.3 GHz. Following [4], we give the corresponding estimates

in clock cycles, called LP model. This result should be used carefully, since applying this estimation implies the existence of a subexponential algorithm for solving LWE [4]. The estimation – shown by Albrecht, Cid, Faugère, Fitzpatrick and Perret [1] –

called delta-squared model, is non-linear in log⁡δ0 and it is claimed that this is more suitable for current implementations. As before, the estimates of the delta-square model are given in clock cycles that were converted from Albrecht–Cid–Faugère–Fitzpatrick–Perret’s extrapolation of the runtime of experiments derived on a 2.3GHz machine. Additionally, in the LWE-Estimator a third approach is used. Given an n-dimensional lattice, the running time in clock cycles is estimated to be

where ρ is the number of BKZ rounds and tk is the time needed to find short enough vectors in lattices of dimension k. Even though, ρ is exponentially upper bounded by (n⁢k)n at best, in practice the results after ρ=n2k2⁢log⁡n rounds yield a basis with

where νk≤k is the maximum of root-Hermite factors in dimensions ≤k, see [22]. However, recent results like progressive BKZ (running BKZ several times consecutively with increasing block sizes) show that even smaller values for ρ can be achieved. Consequently, the more conservative choice ρ=8 is used in the LWE-Estimator. In the latest version of the LWE-Estimator the following runtime estimations to solve SVP of dimension k are used and compared:^[1]

The estimation tk,enum are extrapolations of the runtime estimates presented by Chen and Nguyen [14]. The estimations tk,sieve and tk,q-sieve are presented in [11] and [23], respectively. The latter is a quantumly enhanced sieving algorithm.

Under the Gaussian heuristic and geometric series assumption, the following correspondence between the block size k and δ0 can be given:

where vk is the volume of the unit ball in dimension k. As examples show, this estimation may also be applied when n is finite [4]. As a function of k, the lattice rule of thumb approximates δ0=k12⁢k, sometimes simplified to δ0=21k. Albrecht, Player and Scott [4] show that the simplified lattice rule of thumb is a lower bound to the expected behavior on the interval [40,250] of usual values for k. The simplified lattice rule of thumb is indeed closer to the expected behavior than the lattice rule of thumb, but it implies an subexponential algorithm for solving LWE. For later reference we write

4.1 Distinguishing attack

The distinguishing attack solves decisional LWE via the SIS strategy using basis reduction. For this, the dual lattice L⊥⁢(𝐀)={𝐰∈ℤm:𝐰T⁢𝐀=𝟎modq} is considered. The dimension of the dual lattice L⊥⁢(𝐀) is m, the rank is m, and det⁡(L⊥⁢(𝐀))=qn (with high probability) [28]. Basis reduction is applied to find a short vector in L⊥⁢(𝐀). The result is used as short vector 𝐯 in the SIS problem to distinguish the Gaussian from the uniform distribution. By doing so, the decisional LWE problem is solved. Since this attack is in a dual lattice, it is sometimes also called dual attack.

4.2 Decoding approach

The decoding approach solves LWE via the BDD strategy described in Section 2. The procedure considers the lattice L=L⁢(𝐀) defined by the sample matrix 𝐀 and consists of two steps: the reduction step and the decoding step. In the reduction step, basis reduction is employed on L. In the decoding phase the resulting basis is used to find a close lattice vector 𝐰=𝐀𝐬 and thereby eliminate the error vector 𝐞.

In the following let the target success probability be the overall success probability of the attack, chosen by the attacker (usually close to 1). In contrast, the success probability refers to the success probability of a single run of the algorithm. The target success probability is achieved by running the algorithm potentially multiple times with a certain success probability for each single run.

4.3 Standard embedding

The standard embedding attack solves LWE via reduction to uSVP. The reduction is done by creating an (m+1)-dimensional lattice that contains the error vector 𝐞. Since 𝐞 is very short for typical instantiations of LWE, this results in a uSVP instance. The typical way to solve uSVP is to apply basis reduction.

Let

be the q-ary lattice defined by the matrix 𝐀 as defined in Section 2.2. Moreover, let (𝐀,𝐜=𝐀𝐬+𝐞modq) and t=dist⁡(𝐜,L⁢(𝐀))=∥𝐜-𝐱∥, where 𝐱∈L⁢(𝐀) such that ∥𝐜-𝐱∥ is minimized. Then the lattice L⁢(𝐀) can be embedded in the lattice L⁢(𝐀′), with

If t<λ1⁢(L⁢(𝐀))2⁢γ, the higher-dimensional lattice L⁢(𝐀′) has a unique shortest vector 𝐜′=(-𝐞,t)∈ℤqm+1 with length

see [27, 16]. Therefore, 𝐞 can be extracted from 𝐜′, 𝐀𝐬 is known, and 𝐬 can be solved for.

To determine the success probability and the runtime, we distinguish between two cases: t=∥𝐞∥ and t<∥𝐞∥. The case t=∥𝐞∥ is mainly of theoretical interest. Practical attacks and the LWE-Estimator use t=1 instead, so we focus on this case in the following.

Based on Albrecht, Fitzpatrick and Göpfert [2], Göpfert shows [21, Section 3.1.3] that the standard embedding attack succeeds with non-negligible probability if

where m is the number of LWE samples. The value τ is experimentally determined to be τ≤0.4 for a success probability of ϵ=0.1 [2].

In Table 5, we put all together and state the runtime for the cases from Section 3 of the standard embedding attack in the LP and the delta-squared model. Table 6 gives the block size k of BKZ derived in Section 3 following the second approach to estimate run times of the standard embedding attack.

As discussed above, the success probability ϵ of a single run depends on τ and thus does not necessarily yield the desired target success probability ϵtarget. If the success probability is lower than the target success probability, the algorithm has to be repeated ρ times to achieve

Consequently, it has to be considered that ρ executions of this algorithm have to be done, i.e., the runtime has to multiplied by ρ. As before we assume that the samples may be reused in each run.

4.4 Dual embedding

Dual embedding is very similar to standard embedding shown in Section 4.3. However, since the embedding is into a different lattice, the dual embedding algorithm runs in dimension n+m+1 instead of m+1, while the number of required samples remains m. Therefore, it is more suitable for instances with a restricted number of LWE samples [16]. In case the optimal number of samples is given (as assumed in the LWE-Estimator by Albrecht, Player and Scott [4]) this attack is as efficient as the standard embedding attack. Hence, it was not included in the LWE-Estimator so far.

5.1 Description of our implementation

Our extension is also written in sage and it is already merged with the original LWE-Estimator (from commit-id eb45a74 on) in March 2017. In the following we used the version of the LWE-Estimator from June 2017 (commit-id: e0638ac) for our experiments.

Except for Arora and Ge’s algorithm based on Gröbner bases, we adapt each algorithm the LWE-Estimator implements to take a fixed number of samples into account if a number of samples is given by the user. If not, each of the implemented algorithms assumes unlimited number of samples (and hence assumes the optimal number of samples is available). Our implementation also extends the algorithms coded-BKW, decisional-BKW, search-BKW, and meet-in-the-middle attacks (for a description of these algorithms see [4]) although we omitted the theoretical description of these algorithms in Section 4.

Following the notation in [4], we assign an abbreviation to each algorithm to refer:

The shorthand symbol bkw solely refers to coded-BKW and its small secret variant. Decision-BKW and Search-BKW are not assigned an abbreviation and are not used by the main method estimate_lwe, because coded-BKW is the latest and most efficient BKW algorithm. Nevertheless, the other two BKW algorithms can be called separately via the function bkw, which is a convenience method for the functions bkw_search and bkw_decision, and its corresponding small secret variant bkw_small_secret.

In the LWE-Estimator the three different embedding approaches usvp-primal, usvp-dual, and usvp-baigal (in case of LWE with small secret is called) are summarized as the attack usvp and the minimum of the three embedding algorithms is returned. In our experiments we show the different impacts of those algorithms and hence we display the results of the three embedding approaches separately.

Let the LWE instance be defined by n, α=1/(2⁢π⁢n⁢log2⁡n), and q≈n2 as proposed by Regev [31]. In the following, let n=128 and let the number of samples be given by m=256. If instead of α only the Gaussian width parameter (sigma_is_stddev=False) or the standard deviation (sigma_is_stddev=True) is known, α can be calculated by alphaf(sigma, q, sigma_is_stddev).

The main function to call the LWE-Estimator is called estimate_lwe. Listing 1 shows how to call the LWE-Estimator on the given LWE instance (with Gaussian distributed error and secret) including the following attacks: distinguishing attack, decoding, and embedding attacks. The first two lines of Listing 1 define the parameters n,α,q, and the number of samples m. In the third line the program is called via estimate_lwe. For each algorithm a value rop is returned that gives the hardness of the LWE instance with respect to the corresponding attack.