使用 BKW-Style Algorithms 解决LWE的复杂程度 (On the Sample Complexity of solving LWE using BKW-Style Algorithms)

from arxiv, This paper is the arXiv version of a paper submitted to ISIT 2021. Appendices A and B are not included in the conference version due to page restrictions

The Learning with Errors (LWE) problem receives much attention in cryptography, mainly due to its fundamental significance in post-quantum cryptography. Among its solving algorithms, the Blum-Kalai-Wasserman (BKW) algorithm, originally proposed for solving the Learning Parity with Noise (LPN) problem, performs well, especially for certain parameter settings with cryptographic importance. The BKW algorithm consists of two phases, the reduction phase and the solving phase. In this work, we study the performance of distinguishers used in the solving phase. We show that the Fast Fourier Transform (FFT) distinguisher from Eurocrypt'15 has the same sample complexity as the optimal distinguisher, when making the same number of hypotheses. We also show that it performs much better than theory predicts and introduce an improvement of it called the pruned FFT distinguisher. Finally, we indicate, via extensive experiments, that the sample dependency due to both LF2 and sample amplification is limited.

翻译：与错误有关的学习问题在加密学学中受到很大重视,这主要是因为它在分子后加密学中具有根本意义。在其解算法中,最初为解决与噪音有关的学习对等问题而提议的Blum-Kalai-Wasserman(BKW)算法(Blum-Kalai-Wasserman)算法(BKW)算法(BKW)算法(BKW)算法(LPN)算法(LPN)算法(LPN)算法(LPN)算法(LPN)算法(LPPN)算法(LPN)算法(LWW)算法(LWWE)问题,特别是某些具有加密重要性的参数设置。BKW算法(BKW)算法由两个阶段组成,即减少阶段和解决阶段的解算法(LF2)和解算法(LFFFFFFT)的分法(S)的分法(LFT),我们通过广泛的实验发现与欧洲加密15的分解法(FORT)的分法(FORT)的分法(F)的分法(F)与最佳分法(EUR)的分法(F)与最佳分法(15)的分法(F)的分法(FORT)算法(F)算法(F)算法(F)算法(F)的分法(F)算法(F)算法(F)算法(F)的分法(F)算法(F)的分法(F)算法(F)算法(LP)算法(F)算法(F)算法(P)算法(F)算法(F)算法(F)算法(F)算法(B)算法(B)算法(B)算法(LP)算法(P)算法(B)算法(B)算法(B)算法(B)算法(P)算法(LF)算法(LF)算法(LP)算法(LF)算法(LF)算法(LF)算法(LP)算法(15)