Estimated Cost for Solving Generalized Learning with Errors Problem via Embedding Techniques

Abstract

Estimating for the computational cost of solving learning with errors (LWE) problem is an indispensable research topic to the lattice-based cryptography in practice. For this purpose, the embedding approach is usually employed. The technique first constructs a basis matrix by embedding an LWE instance. At this stage, Kannan’s and Bai-Galbraith’s embeddings are believed to be the most efficient approaches for the standard and the binary LWE with secret vectors in Zqn and { 0, 1 } n, respectively. Indeed, both methods work well with sufficiently many LWE samples. After the embedding phase, solving the unique shortest vector problem (uSVP) in the lattice spanned by the basis matrix results in solving the LWE. Recently, there are several lattice-based schemes whose secret vectors have special distributions, e.g., small elements and/or sparse vectors, have been proposed to realize efficient implementations. In this paper, to capture such settings and more, we study the LWE problem in a general setting. We analyze the LWE problem whose secret vectors are sampled from arbitrary distributions. Furthermore, we also study the problem when the number of samples is restricted. We believe that our work provides more general understanding of the hardness of LWE. Moreover, we propose a half-twisted embedding that contains the existing two embedding methods as special cases. This proposal enables us to analyze the hardness of LWE in a generic manner and sometimes provides improved attacks.