Key Recovery for LWE in Polynomial Time
- Kim Laine ,
- Kristin Lauter
We present a generalization of the Hidden Number Problem and generalize the polynomial time algorithm [BV96, Shp05]. We then use this to mount a key recovery attack on LWE which runs in polynomial time using the LLL lattice basis reduction algorithm. Success can be guaranteed with overwhelming probability for narrow error distribution when q ~ 2^O(n), where n is the dimension of the secret key, and we can give an explicit constant in the exponent, but in practice the performance is significantly better. The same attack can be used to break RLWE for the same parameter ranges. Two main types of attacks are already known for LWE: the distinguishing attack [MR09] and the decoding attack ([LP11]), which uses the BKZ algorithm. Our key recovery attack is interesting because it runs in polynomial time and yields simple and concrete security estimates for a wide range of parameters depending in a clear and explicit way on the effective approximation factor in the LLL algorithm. We ran the attack for hundreds of LWE instances demonstrating successful key recovery attacks and yielding information about the effective approximation factor as the lattice dimension grows (see Figure 3). For example, we successfully recover the secret key for an instance with n = 350 in about 3:5 days on a single machine.