A Non-heuristic Approach to Time-Space Tradeoffs and Optimizations for BKW

Hanlin Liu; Yu Yu

doi:10.1007/978-3-031-22969-5_25

A Non-heuristic Approach to Time-Space Tradeoffs and Optimizations for BKW

Hanlin Liu, Yu Yu^*

^*Corresponding author for this work

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution › peer-review

3 Scopus citations

Abstract

Blum, Kalai and Wasserman (JACM 2003) gave the first sub-exponential algorithm to solve the Learning Parity with Noise (LPN) problem. In particular, consider the LPN problem with constant noise and dimension n. The BKW solves it with space complexity 2(1+ϵ)nlog(n) and time/sample complexity 2(1+ϵ)nlog(n)·2Ω(n11+ϵ) for small constant ϵ→ 0 ⁺. We propose a variant of the BKW by tweaking Wagner’s generalized birthday problem (Crypto 2002) and adapting the technique to a c-ary tree structure. In summary, our algorithm achieves the following: 1.(Time-space tradeoff). We obtain the same time-space tradeoffs for LPN and LWE as those given by Esser et al. (Crypto 2018), but without resorting to any heuristics. For any 2 ≤ c∈ N, our algorithm solves the LPN problem with time complexity 2log(c)(1+ϵ)nlog(n)·2Ω(n11+ϵ) and space complexity 2log(c)(1+ϵ)n(c-1)log(n) for ϵ→ 0 ⁺, where one can use Grover’s quantum algorithm or Dinur et al.’s dissection technique (Crypto 2012) to further accelerate/optimize the time complexity.2.(Time/sample optimization). A further adjusted variant of our algorithm solves the LPN problem with sample, time and space complexities all kept at 2(1+ϵ)nlog(n), saving factor 2Ω(n11+ϵ) for ϵ→ 0 ⁺ in time/sample compared to the original BKW, and the variant of Devadas et al. (TCC 2017).3.(Sample reduction). Our algorithm provides an alternative to Lyubashevsky’s BKW variant (RANDOM 2005) for LPN with a restricted amount of samples. In particular, given Q= n¹⁺^ϵ (resp., Q=2nϵ ) samples for any constant ϵ> 0, our algorithm saves a factor of 2Ω(n)/log(n)1-κ (resp., 2Ω(nκ) ) for constant κ→ 1 ^- in running time while consuming roughly the same space, compared with Lyubashevsky’s algorithm. In particular, the time/sample optimization benefits from a careful analysis of the error distribution among the correlated candidates, which was not studied by previous rigorous approaches such as the analysis of Minder and Sinclair (J.Cryptology 2012) or Devadas et al. (TCC 2017).

Original language	English
Title of host publication	Advances in Cryptology – ASIACRYPT 2022 - 28th International Conference on the Theory and Application of Cryptology and Information Security, 2022, Proceedings
Editors	Shweta Agrawal, Dongdai Lin
Publisher	Springer Science and Business Media Deutschland GmbH
Pages	741-770
Number of pages	30
ISBN (Print)	9783031229688
DOIs	https://doi.org/10.1007/978-3-031-22969-5_25
State	Published - 2022
Externally published	Yes
Event	28th International Conference on the Theory and Application of Cryptology and Information Security, ASIACRYPT 2022 - Taipei, Taiwan, Province of China Duration: 5 Dec 2022 → 9 Dec 2022

Publication series

Name	Lecture Notes in Computer Science
Volume	13793 LNCS
ISSN (Print)	0302-9743
ISSN (Electronic)	1611-3349

Conference

Conference	28th International Conference on the Theory and Application of Cryptology and Information Security, ASIACRYPT 2022
Country/Territory	Taiwan, Province of China
City	Taipei
Period	5/12/22 → 9/12/22

Access to Document

10.1007/978-3-031-22969-5_25

Cite this

Liu, H., & Yu, Y. (2022). A Non-heuristic Approach to Time-Space Tradeoffs and Optimizations for BKW. In S. Agrawal, & D. Lin (Eds.), Advances in Cryptology – ASIACRYPT 2022 - 28th International Conference on the Theory and Application of Cryptology and Information Security, 2022, Proceedings (pp. 741-770). (Lecture Notes in Computer Science; Vol. 13793 LNCS). Springer Science and Business Media Deutschland GmbH. https://doi.org/10.1007/978-3-031-22969-5_25

Liu, Hanlin ; Yu, Yu. / A Non-heuristic Approach to Time-Space Tradeoffs and Optimizations for BKW. Advances in Cryptology – ASIACRYPT 2022 - 28th International Conference on the Theory and Application of Cryptology and Information Security, 2022, Proceedings. editor / Shweta Agrawal ; Dongdai Lin. Springer Science and Business Media Deutschland GmbH, 2022. pp. 741-770 (Lecture Notes in Computer Science).

@inproceedings{9f8df3fa7a1441eba86bd5fc57c09d93,

title = "A Non-heuristic Approach to Time-Space Tradeoffs and Optimizations for BKW",

abstract = "Blum, Kalai and Wasserman (JACM 2003) gave the first sub-exponential algorithm to solve the Learning Parity with Noise (LPN) problem. In particular, consider the LPN problem with constant noise and dimension n. The BKW solves it with space complexity 2(1+ϵ)nlog(n) and time/sample complexity 2(1+ϵ)nlog(n)·2Ω(n11+ϵ) for small constant ϵ→ 0 +. We propose a variant of the BKW by tweaking Wagner{\textquoteright}s generalized birthday problem (Crypto 2002) and adapting the technique to a c-ary tree structure. In summary, our algorithm achieves the following: 1.(Time-space tradeoff). We obtain the same time-space tradeoffs for LPN and LWE as those given by Esser et al. (Crypto 2018), but without resorting to any heuristics. For any 2 ≤ c∈ N, our algorithm solves the LPN problem with time complexity 2log(c)(1+ϵ)nlog(n)·2Ω(n11+ϵ) and space complexity 2log(c)(1+ϵ)n(c-1)log(n) for ϵ→ 0 +, where one can use Grover{\textquoteright}s quantum algorithm or Dinur et al.{\textquoteright}s dissection technique (Crypto 2012) to further accelerate/optimize the time complexity.2.(Time/sample optimization). A further adjusted variant of our algorithm solves the LPN problem with sample, time and space complexities all kept at 2(1+ϵ)nlog(n), saving factor 2Ω(n11+ϵ) for ϵ→ 0 + in time/sample compared to the original BKW, and the variant of Devadas et al. (TCC 2017).3.(Sample reduction). Our algorithm provides an alternative to Lyubashevsky{\textquoteright}s BKW variant (RANDOM 2005) for LPN with a restricted amount of samples. In particular, given Q= n1+ϵ (resp., Q=2nϵ ) samples for any constant ϵ> 0, our algorithm saves a factor of 2Ω(n)/log(n)1-κ (resp., 2Ω(nκ) ) for constant κ→ 1 - in running time while consuming roughly the same space, compared with Lyubashevsky{\textquoteright}s algorithm. In particular, the time/sample optimization benefits from a careful analysis of the error distribution among the correlated candidates, which was not studied by previous rigorous approaches such as the analysis of Minder and Sinclair (J.Cryptology 2012) or Devadas et al. (TCC 2017).",

author = "Hanlin Liu and Yu Yu",

note = "Publisher Copyright: {\textcopyright} 2022, International Association for Cryptologic Research.; 28th International Conference on the Theory and Application of Cryptology and Information Security, ASIACRYPT 2022 ; Conference date: 05-12-2022 Through 09-12-2022",

year = "2022",

doi = "10.1007/978-3-031-22969-5\_25",

language = "英语",

isbn = "9783031229688",

series = "Lecture Notes in Computer Science",

publisher = "Springer Science and Business Media Deutschland GmbH",

pages = "741--770",

editor = "Shweta Agrawal and Dongdai Lin",

booktitle = "Advances in Cryptology – ASIACRYPT 2022 - 28th International Conference on the Theory and Application of Cryptology and Information Security, 2022, Proceedings",

address = "德国",

}

Liu, H & Yu, Y 2022, A Non-heuristic Approach to Time-Space Tradeoffs and Optimizations for BKW. in S Agrawal & D Lin (eds), Advances in Cryptology – ASIACRYPT 2022 - 28th International Conference on the Theory and Application of Cryptology and Information Security, 2022, Proceedings. Lecture Notes in Computer Science, vol. 13793 LNCS, Springer Science and Business Media Deutschland GmbH, pp. 741-770, 28th International Conference on the Theory and Application of Cryptology and Information Security, ASIACRYPT 2022, Taipei, Taiwan, Province of China, 5/12/22. https://doi.org/10.1007/978-3-031-22969-5_25

A Non-heuristic Approach to Time-Space Tradeoffs and Optimizations for BKW. / Liu, Hanlin; Yu, Yu.
Advances in Cryptology – ASIACRYPT 2022 - 28th International Conference on the Theory and Application of Cryptology and Information Security, 2022, Proceedings. ed. / Shweta Agrawal; Dongdai Lin. Springer Science and Business Media Deutschland GmbH, 2022. p. 741-770 (Lecture Notes in Computer Science; Vol. 13793 LNCS).

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution › peer-review

TY - GEN

T1 - A Non-heuristic Approach to Time-Space Tradeoffs and Optimizations for BKW

AU - Liu, Hanlin

AU - Yu, Yu

PY - 2022

Y1 - 2022

N2 - Blum, Kalai and Wasserman (JACM 2003) gave the first sub-exponential algorithm to solve the Learning Parity with Noise (LPN) problem. In particular, consider the LPN problem with constant noise and dimension n. The BKW solves it with space complexity 2(1+ϵ)nlog(n) and time/sample complexity 2(1+ϵ)nlog(n)·2Ω(n11+ϵ) for small constant ϵ→ 0 +. We propose a variant of the BKW by tweaking Wagner’s generalized birthday problem (Crypto 2002) and adapting the technique to a c-ary tree structure. In summary, our algorithm achieves the following: 1.(Time-space tradeoff). We obtain the same time-space tradeoffs for LPN and LWE as those given by Esser et al. (Crypto 2018), but without resorting to any heuristics. For any 2 ≤ c∈ N, our algorithm solves the LPN problem with time complexity 2log(c)(1+ϵ)nlog(n)·2Ω(n11+ϵ) and space complexity 2log(c)(1+ϵ)n(c-1)log(n) for ϵ→ 0 +, where one can use Grover’s quantum algorithm or Dinur et al.’s dissection technique (Crypto 2012) to further accelerate/optimize the time complexity.2.(Time/sample optimization). A further adjusted variant of our algorithm solves the LPN problem with sample, time and space complexities all kept at 2(1+ϵ)nlog(n), saving factor 2Ω(n11+ϵ) for ϵ→ 0 + in time/sample compared to the original BKW, and the variant of Devadas et al. (TCC 2017).3.(Sample reduction). Our algorithm provides an alternative to Lyubashevsky’s BKW variant (RANDOM 2005) for LPN with a restricted amount of samples. In particular, given Q= n1+ϵ (resp., Q=2nϵ ) samples for any constant ϵ> 0, our algorithm saves a factor of 2Ω(n)/log(n)1-κ (resp., 2Ω(nκ) ) for constant κ→ 1 - in running time while consuming roughly the same space, compared with Lyubashevsky’s algorithm. In particular, the time/sample optimization benefits from a careful analysis of the error distribution among the correlated candidates, which was not studied by previous rigorous approaches such as the analysis of Minder and Sinclair (J.Cryptology 2012) or Devadas et al. (TCC 2017).

AB - Blum, Kalai and Wasserman (JACM 2003) gave the first sub-exponential algorithm to solve the Learning Parity with Noise (LPN) problem. In particular, consider the LPN problem with constant noise and dimension n. The BKW solves it with space complexity 2(1+ϵ)nlog(n) and time/sample complexity 2(1+ϵ)nlog(n)·2Ω(n11+ϵ) for small constant ϵ→ 0 +. We propose a variant of the BKW by tweaking Wagner’s generalized birthday problem (Crypto 2002) and adapting the technique to a c-ary tree structure. In summary, our algorithm achieves the following: 1.(Time-space tradeoff). We obtain the same time-space tradeoffs for LPN and LWE as those given by Esser et al. (Crypto 2018), but without resorting to any heuristics. For any 2 ≤ c∈ N, our algorithm solves the LPN problem with time complexity 2log(c)(1+ϵ)nlog(n)·2Ω(n11+ϵ) and space complexity 2log(c)(1+ϵ)n(c-1)log(n) for ϵ→ 0 +, where one can use Grover’s quantum algorithm or Dinur et al.’s dissection technique (Crypto 2012) to further accelerate/optimize the time complexity.2.(Time/sample optimization). A further adjusted variant of our algorithm solves the LPN problem with sample, time and space complexities all kept at 2(1+ϵ)nlog(n), saving factor 2Ω(n11+ϵ) for ϵ→ 0 + in time/sample compared to the original BKW, and the variant of Devadas et al. (TCC 2017).3.(Sample reduction). Our algorithm provides an alternative to Lyubashevsky’s BKW variant (RANDOM 2005) for LPN with a restricted amount of samples. In particular, given Q= n1+ϵ (resp., Q=2nϵ ) samples for any constant ϵ> 0, our algorithm saves a factor of 2Ω(n)/log(n)1-κ (resp., 2Ω(nκ) ) for constant κ→ 1 - in running time while consuming roughly the same space, compared with Lyubashevsky’s algorithm. In particular, the time/sample optimization benefits from a careful analysis of the error distribution among the correlated candidates, which was not studied by previous rigorous approaches such as the analysis of Minder and Sinclair (J.Cryptology 2012) or Devadas et al. (TCC 2017).

UR - https://www.scopus.com/pages/publications/85149668286

U2 - 10.1007/978-3-031-22969-5_25

DO - 10.1007/978-3-031-22969-5_25

M3 - 会议稿件

AN - SCOPUS:85149668286

SN - 9783031229688

T3 - Lecture Notes in Computer Science

SP - 741

EP - 770

BT - Advances in Cryptology – ASIACRYPT 2022 - 28th International Conference on the Theory and Application of Cryptology and Information Security, 2022, Proceedings

A2 - Agrawal, Shweta

A2 - Lin, Dongdai

PB - Springer Science and Business Media Deutschland GmbH

T2 - 28th International Conference on the Theory and Application of Cryptology and Information Security, ASIACRYPT 2022

Y2 - 5 December 2022 through 9 December 2022

ER -

Liu H, Yu Y. A Non-heuristic Approach to Time-Space Tradeoffs and Optimizations for BKW. In Agrawal S, Lin D, editors, Advances in Cryptology – ASIACRYPT 2022 - 28th International Conference on the Theory and Application of Cryptology and Information Security, 2022, Proceedings. Springer Science and Business Media Deutschland GmbH. 2022. p. 741-770. (Lecture Notes in Computer Science). doi: 10.1007/978-3-031-22969-5_25