There is a newer version of this record available.

Report Open Access

Report on the Security of LWE: Improved Dual Lattice Attack


Many of the leading post-quantum key exchange and signature schemes rely on the conjectured hardness of the Learning With Errors (LWE) and Learning With Rounding (LWR) problems and their algebraic variants, including 3 of the 6 finalists in NIST’s PQC process. The best known cryptanalysis techniques against these problems are primal and dual lattice attacks, where dual attacks are generally considered less practical.

In this report, we present several algorithmic improvements to the dual lattice attack, which allow it to exceed the efficiency of primal attacks. In the improved attack, we enumerate over more coordinates of the secret and use an improved distinguisher based on FFT. In addition, we incorporate improvements to the estimates of the cost of performing a lattice sieve in the RAM model, reducing the gate-count of random product code decoding and performing less inner product calculations.

Combining these improvements considerably reduces the security levels of Kyber, Saber and Dilithium, the LWE/LWR based finalists, bringing them below the thresholds defined by NIST.

Files (609.9 kB)
Name Size
Report on the Security of LWE.pdf
609.9 kB Download
All versions This version
Views 12,60111,060
Downloads 8,6727,454
Data volume 5.3 GB4.5 GB
Unique views 9,7208,709
Unique downloads 7,3836,604


Cite as