The next talk is Coded-BKW with Sieving, by Qian Guo, Thomas Johansson, Erik Mårtensson, and Paul Stankovski. Erik is the speaker. So, here we are. Okay, so this is the presentation of the paper called Coded-BKW with Sieving. It is based on joint work by me, Erik Mårtensson, together with Qian Guo, Thomas Johansson, and Paul Stankovski. I will begin with an outline of the presentation. First, I will spend quite a lot of time on an introduction, where I first cover the LWE problem, then BKW, followed by coded-BKW. Then I will go over to coded-BKW with sieving, which is our new algorithm. Then I will cover some results, in terms of some theorems and some illustrations of those theorems, and finally I will conclude the presentation. So, in LWE, there is a secret vector s in Z_q^n that we are looking for. We can query an oracle, which uniformly picks a vector a in Z_q^n, picks a noise term e from some distribution, and outputs the pair consisting of a and the scalar product of a with s plus the error, that is, (a, ⟨a, s⟩ + e). Usually the error is discrete Gaussian with mean zero and standard deviation σ, or equivalently αq, where α is the noise rate. So we have some parameters in the LWE problem: the dimension n, the alphabet size q, and once again the standard deviation σ. An important parameter set for LWE is the Regev parameters, where we set q to be about n² and α to be roughly 1/√n (up to logarithmic factors). In search-LWE, we want to find the secret s. There is also, for example, the distinguishing problem, where we want to decide whether the set of samples we have is uniformly random or consists of LWE samples. Before I move on, just a few points on why we want cryptography based on LWE. As discussed before, there is an average-case LWE to worst-case lattice problems reduction. LWE is one of the main candidates for post-quantum cryptography, it is possible to build efficient cryptographic primitives on LWE, and it is also possible to build fully homomorphic encryption based on LWE. When it comes to solving algorithms, there are mainly three types. One is to reduce to lattice problems, which was discussed in the previous talks. Then there is Arora-Ge, which is asymptotically very good when you have very small noise, but otherwise not so good. And finally there is BKW, which will be the focus of this presentation. So, BKW, or Blum-Kalai-Wasserman, was originally proposed for LPN, which is LWE where you set q = 2. The idea is that you divide the vector a into equally sized parts of a fixed size b. Then you sort your samples according to the top b positions, and for samples that are equal in those b positions, if you subtract two such samples, the first part is zeroed out. So you lessen the dimensionality of the problem; however, you add an extra noise term. The noise increases: if the noise terms e1 and e2 have standard deviation σ, then e1 − e2 has standard deviation √2 · σ. In pictures, it looks something like this. Here the length of the vector represents the number of positions and the height represents the magnitude of the positions. With regular BKW, you step by step reduce the positions down to zero.
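To make the plain BKW reduction step concrete, here is a minimal Python sketch. This is my own illustration, not code from the paper: it assumes samples are stored as pairs (a, c) with c = ⟨a, s⟩ + e mod q, and the parameter names are placeholders.

```python
from collections import defaultdict

def bkw_step(samples, offset, b, q):
    """One plain BKW reduction step (a sketch).

    Each sample is a pair (a, c), where a is a list over Z_q and
    c = <a, s> + e (mod q).  Samples that agree on positions
    [offset, offset + b) are subtracted pairwise, so those b positions
    become zero, while the standard deviation of the noise in the
    difference grows by a factor of sqrt(2).
    """
    buckets = defaultdict(list)
    for a, c in samples:
        buckets[tuple(a[offset:offset + b])].append((a, c))

    reduced = []
    for group in buckets.values():
        # Pair up samples inside each bucket and subtract them.
        for (a1, c1), (a2, c2) in zip(group[0::2], group[1::2]):
            a_new = [(x - y) % q for x, y in zip(a1, a2)]
            c_new = (c1 - c2) % q
            reduced.append((a_new, c_new))
    return reduced
```

In this naive pairing, each bucket of k samples yields only ⌊k/2⌋ new ones; practical BKW variants instead reuse one representative per bucket and subtract it from all the others, keeping more samples per step.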
So as an algorithm, plain BKW looks something like this. You begin by partial guessing of some top positions. Then you do the reduction with BKW steps, you end up with some reduced samples, and you use a distinguisher on those to determine whether your result comes from LWE samples or is uniformly random. In case you determine that they are LWE samples, you guess some more positions and work your way through the vector; if not, you modify the initial guess. And now over to some improvements of BKW. The first important one, once again by Albrecht et al., is lazy modulus switching, with the idea to group together samples that are not completely the same but just almost the same in the fixed positions. When you subtract samples, this means that you introduce some extra noise, which grows by a factor of √2 for each BKW step; however, it allows for longer steps. The problem here is that the noise corresponding to the first step grows by a factor of √2 more times than the later noise terms and becomes dominant. So the idea to solve this was to start with a small step, where you almost reduce out the positions, and then gradually increase the step size and be less and less strict with the reduction. I should also note that there is a transformation that makes the secret s follow the noise distribution. So if the noise is discrete Gaussian, we can make sure that the secret s is also discrete Gaussian with this transformation. Now I will cover the coded-BKW step, which is another improvement of regular BKW. In regular BKW, you use a certain number of positions to zero out in each step. The idea of coded-BKW is to use a q-ary linear code with parameters [n_i, b] for each reduction step, and to vary n_i between steps. So in step i, you look at the vector a restricted to some positions, which I denote by a_i here. Then you can write a_i as a sum of c_i and e_i, where c_i is a codeword in the code C_i. So for example, if you take two samples here, where the first n_1 positions correspond to the same codeword c_0, and you subtract them, you notice that you only get the error vectors left. This introduces some extra noise compared to regular BKW steps; however, it allows us to take longer steps. In pictures, coded-BKW looks something like this. You begin with a short step, where you almost zero out the positions. Then in the next step, the noise corresponding to the first step has increased by a factor of √2, and you take a longer step. Gradually the noise from the previous steps increases by √2 each time, and you take longer and longer steps, such that you end up with an evenly distributed error in the end. As an algorithm, coded-BKW looks something like this. You begin with partial guessing. Then, if you want to, you can pre-process with some plain BKW steps. Then you do coded-BKW steps, and in the end you use the distinguisher, just as with regular BKW. It should be noted that there is also an FFT technique for coded-BKW that improves the guessing part. However, that does not improve the asymptotics of the algorithm, so it will not be discussed further in this presentation.
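As a rough illustration of a coded-BKW step, the sketch below is again my own, with toy parameters and a brute-force nearest-codeword decoder; the actual algorithm relies on structured codes with efficient decoding. It buckets samples by the nearest codeword of their current n_i positions and subtracts within buckets, so that only the small coding error remains in those positions.

```python
import itertools
from collections import defaultdict

def centered(x, q):
    """Representative of x mod q in (-q/2, q/2]."""
    x %= q
    return x - q if x > q // 2 else x

def nearest_codeword(a_part, G, q):
    """Brute-force nearest-codeword decoding in a q-ary [n_i, b] linear
    code with generator matrix G (b rows of length n_i).  Only feasible
    for toy parameters; real coded-BKW uses codes with fast decoding."""
    best, best_dist = None, None
    for msg in itertools.product(range(q), repeat=len(G)):
        cw = tuple(sum(m * g for m, g in zip(msg, col)) % q
                   for col in zip(*G))
        dist = sum(centered(x - y, q) ** 2 for x, y in zip(a_part, cw))
        if best_dist is None or dist < best_dist:
            best, best_dist = cw, dist
    return best

def coded_bkw_step(samples, offset, n_i, G, q):
    """Bucket samples by the nearest codeword of positions
    [offset, offset + n_i) and subtract within buckets, leaving only the
    small coding error in those positions."""
    buckets = defaultdict(list)
    for a, c in samples:
        cw = nearest_codeword(a[offset:offset + n_i], G, q)
        buckets[cw].append((a, c))
    reduced = []
    for group in buckets.values():
        for (a1, c1), (a2, c2) in zip(group[0::2], group[1::2]):
            reduced.append(([(x - y) % q for x, y in zip(a1, a2)],
                            (c1 - c2) % q))
    return reduced
```

Because the code dimension b is fixed while n_i can grow from step to step, the coding error per position stays roughly constant, which is what allows the longer and longer steps described above.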
So now over to the idea of the new algorithm. In pictures, it looks something like this. We have a sample here, we look at the current n_i positions, and we map it to the corresponding list, a list where those n_i positions correspond to the same codeword as the sample. And we use the code in such a way that, if we subtract two values a_1 and a_2 from this list, restricted to the current n_i positions, we get something whose norm is, on average, smaller than a constant B times √n_i. Then we take this list, and as new samples we only add or subtract two samples from it such that the norm of the result is smaller than B times √N_i, where N_i denotes the total number of positions reduced so far. So now we have a guarantee that all of those positions are small. This can be done by just trying to add or subtract all possible pairs; however, it is slow to do it that way. So what we use here are lattice sieving techniques, which in this presentation will be treated as black boxes that solve this problem. The previous slide was sort of the micro picture of how a coded-BKW with sieving step works; this is the macro picture. In blue here, we have the samples at the beginning of the step. Then we divide the samples into different lists, depending on the codewords in the positions we are working with. Then we apply lattice sieving to each of those lists to end up with samples for the next step, which are small in the first N_i positions. As an algorithm, coded-BKW with sieving looks something like this. You begin with some partial guessing. Then you pre-process with some plain BKW steps, and then you do coded-BKW with sieving steps. The algorithm is pretty flexible: you can combine plain BKW steps, coded-BKW steps, and coded-BKW with sieving steps in different ways to optimize the algorithm for different parameter sets. Once again, if we go back to the graphical picture of how the algorithm works, it looks something like this. Instead of beginning with a small step, you begin with a large step, where you are not super strict with the reduction. Then in each following step, the sieving part of the step makes sure that the previously reduced positions do not increase in size. So this means that, for the positions we have already reduced, the added error does not increase. However, the cost of doing the sieving increases with the number of positions we sieve over. This means that we have to take shorter and shorter steps, instead of the longer and longer steps we took for coded-BKW.
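The sieving subroutine is treated as a black box in the talk; the brute-force stand-in below (my own sketch, with placeholder names) only shows what that subroutine has to accomplish: from a bucket of samples sharing a codeword, keep the sums and differences whose first N_i positions stay below the norm threshold of about B·√N_i.

```python
import itertools
import math

def centered(x, q):
    """Representative of x mod q in (-q/2, q/2] (same helper as above)."""
    x %= q
    return x - q if x > q // 2 else x

def naive_sieve(bucket, N_i, threshold, q):
    """Brute-force stand-in for the sieving step: from samples sharing a
    codeword, keep sums/differences whose first N_i positions have
    Euclidean norm below the threshold (about B * sqrt(N_i) in the talk).
    Quadratic in the bucket size, which is exactly the cost that the
    lattice-sieving techniques are brought in to avoid."""
    out = []
    for (a1, c1), (a2, c2) in itertools.combinations(bucket, 2):
        for sign in (1, -1):
            a_new = [(x + sign * y) % q for x, y in zip(a1, a2)]
            c_new = (c1 + sign * c2) % q
            norm = math.sqrt(sum(centered(v, q) ** 2 for v in a_new[:N_i]))
            if norm < threshold:
                out.append((a_new, c_new))
    return out
```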
Now over to some results. First, I want to mention how the asymptotic behavior of solving LWE typically looks. You have n as the dimension of the problem. Then you set the alphabet size q to n^(c_q) and the standard deviation σ to n^(c_s). The complexity of solving LWE is then typically 2^(cn), where c is a constant that depends on c_q and c_s. For example, for the Regev instances we have c_q = 2 and c_s = 1.5, and the previous state of the art is 2^(0.930n). For our new algorithm, we have the following results. If we don't use any kind of pre-processing, if we just use coded-BKW with sieving steps, the complexity is 2^(cn), where c is this value. Here λ is the best heuristic lattice sieving constant, which is currently 0.292 for classical computers and 0.265 for quantum computers. Then we have another theorem for when we use pre-processing with plain BKW steps: with the same setting as before, if also c is bigger than λ for this expression for c, and this other condition is fulfilled as well, then the time and space complexity is 2^(cn), where c is, yeah, this expression, and λ is the same constant as before. For the Regev instances, this means that we have some improvements compared to the previous state-of-the-art exponents. If we use coded-BKW with sieving without pre-processing, we go down to 0.9054. If we use pre-processing, we get 0.8951. And if we use pre-processing and also have access to quantum computers, we get 0.8856. Then I have a picture here, for different parameters c_q and c_s, of the different state-of-the-art algorithms and where each of them is the best one. We have excluded Arora-Ge from this picture, which is the best algorithm when c_s is smaller than 0.5. The top picture is the previous state of the art, where we can see that coded-BKW was the best algorithm around the Regev instances. Now, with coded-BKW with sieving, we see that it is the new best algorithm, and we notice that not only does it beat coded-BKW in most places, it also beats the dual attack with access to an exponential number of samples in some places. Compared to coded-BKW, we also have an improvement in the concrete complexity for some Regev instances. And so to the conclusions. We have presented a new BKW-type algorithm that combines coded-BKW with lattice sieving techniques. We have asymptotic improvements for some parameters, including the Regev parameters, and we also have an improvement compared to coded-BKW for some concrete instances. Future work includes the asymptotics, where it is probably possible to make some minor improvements by combining plain, coded, and coded-BKW with sieving steps in different ways; investigating the performance when we have sparse secrets and a polynomial number of samples; and developing an optimal algorithm for concrete instances, where we have to take into account a lot of things that do not affect the asymptotic behavior but do affect the bit complexity for concrete instances. Thanks for your attention. For those parameters, do you know what the primal lattice attack was achieving? I don't remember exactly, but it is a little bit better than our values, which is probably why I didn't include it on the slide.