- On the proven side of BKW with a small number of samples, one can look at section 5.2.
Assuming Gaussians behave nicely, 2n samples* with error sigma can be tranformed in an unbounded LWE with secret of size sigma and errors of size sqrt(3)sigma^2*n.
The simulation then predicts a number of bit operations of ~ 2^156 (*9).
However, BKW behaves much more nicely than some worst-case oracle.
Many have amplified the number of samples without problems, see
http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.137.3510&rep=rep1&type=pdf section 4 for example.
So the real runtime of a BKW attack against the LP cryptosystem is still unclear, I just gave a lower bound.
Also, if we are given a large number of messages, one can do a Fourier for each of them and succeed only if the sender used small errors.
* : in fact there are 2n+128.
- On the other hand, lattice algorithms can be simply analyzed, and are for small instances or low noise instances faster.
BKZ reducing the dual of the basis given in appendix B.1 with blocksize 165, and using 324 samples (<n+128) gives a basis where a Babai will succeed with probability >2^-67.
The total number of nodes in the enumeration should be less 2^80 so that the number of bit operations is at most 2^90.
Recovering one message (given only one message) should take ~ 2^120 nodes with LP enumeration, and even less with extreme pruning.
The dual algorithm (appendix B.2) with blocksize 175 needs ~ 2^21 short vectors (and "independent").
Assuming they can all be generated in one enumeration, this gives ~<= 2^85 nodes.
Adding a Fourier step improves on this figure by ~ 2^5.
" which arise from the fact that the secrets are binary or ternary, rather than Gaussian as in LWE cryptosystems like LP." : not really, being small in the L2 sense is enough (section 3.6).
In the LP case, the variance is ~ 10 which is quite small in absolute value, and much smaller than what is covered by Regev's reduction (~n).
Paul