On the Sample Complexity of solving LWE using BKW-Style Algorithms

TL;DR

This paper analyzes the sample complexity of BKW-style algorithms for solving the LWE problem, showing that FFT-based distinguishers are optimal and introducing improvements with practical benefits.

Contribution

It demonstrates the optimality of FFT distinguishers in BKW algorithms and introduces a pruned FFT method, supported by extensive experimental validation.

Findings

FFT distinguisher matches optimal sample complexity

Pruned FFT improves practical performance

Sample dependency is limited in experiments

Abstract

The Learning with Errors (LWE) problem receives much attention in cryptography, mainly due to its fundamental significance in post-quantum cryptography. Among its solving algorithms, the Blum-Kalai-Wasserman (BKW) algorithm, originally proposed for solving the Learning Parity with Noise (LPN) problem, performs well, especially for certain parameter settings with cryptographic importance. The BKW algorithm consists of two phases, the reduction phase and the solving phase. In this work, we study the performance of distinguishers used in the solving phase. We show that the Fast Fourier Transform (FFT) distinguisher from Eurocrypt'15 has the same sample complexity as the optimal distinguisher, when making the same number of hypotheses. We also show that it performs much better than theory predicts and introduce an improvement of it called the pruned FFT distinguisher. Finally, we indicate, via extensive experiments, that the sample dependency due to both LF2 and sample amplification is limited.