LWE Without Modular Reduction and Improved Side-Channel Attacks Against BLISS.

IACR Cryptology ePrint Archive (2018)

Abstract
This paper is devoted to analyzing the variant of Regev's learning with errors (LWE) problem in which modular reduction is omitted: namely, the problem (ILWE) of recovering a vector \(\mathbf{s}\in\mathbb{Z}^n\) given polynomially many samples of the form \((\mathbf{a},\langle\mathbf{a},\mathbf{s}\rangle + e)\in\mathbb{Z}^{n+1}\) where \(\mathbf{a}\) and e follow fixed distributions. Unsurprisingly, this problem is much easier than LWE: under mild conditions on the distributions, we show that the problem can be solved efficiently as long as the variance of e is not superpolynomially larger than that of \(\mathbf{a}\). We also provide almost tight bounds on the number of samples needed to recover \(\mathbf{s}\).
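To make the abstract's claim concrete, the following added example (not code from the paper or its authors) builds a constructed ILWE instance and recovers \(\mathbf{s}\) with ordinary least squares followed by rounding, a solver chosen here for illustration. The dimension, rounded-Gaussian parameters, sample count and seed are all assumptions picked so that the error variance is much larger than that of \(\mathbf{a}\) yet recovery still succeeds.

```python
import random

def ilwe_samples(s, m, sigma_a, sigma_e, rng):
    """Constructed samples (a, <a,s> + e) over the integers: no reduction mod q."""
    samples = []
    for _ in range(m):
        a = [round(rng.gauss(0, sigma_a)) for _ in s]
        e = round(rng.gauss(0, sigma_e))
        samples.append((a, sum(x * y for x, y in zip(a, s)) + e))
    return samples

def least_squares_round(samples):
    """Solve the normal equations (A^T A) x = A^T b, then round x to Z^n."""
    n = len(samples[0][0])
    # Augmented matrix [A^T A | A^T b], accumulated sample by sample.
    M = [[0.0] * (n + 1) for _ in range(n)]
    for a, b in samples:
        for i in range(n):
            for j in range(n):
                M[i][j] += a[i] * a[j]
            M[i][n] += a[i] * b
    # Gauss-Jordan elimination with partial pivoting.
    for c in range(n):
        p = max(range(c, n), key=lambda r: abs(M[r][c]))
        M[c], M[p] = M[p], M[c]
        for r in range(n):
            if r != c:
                f = M[r][c] / M[c][c]
                M[r] = [x - f * y for x, y in zip(M[r], M[c])]
    return [round(M[i][n] / M[i][i]) for i in range(n)]

def demo(n=8, m=10000, sigma_a=3.0, sigma_e=20.0, seed=2018):
    """Return (secret, recovered) for one constructed ILWE instance."""
    rng = random.Random(seed)
    s = [rng.randint(-2, 2) for _ in range(n)]
    return s, least_squares_round(ilwe_samples(s, m, sigma_a, sigma_e, rng))

if __name__ == "__main__":
    secret, recovered = demo()
    print("secret   :", secret)
    print("recovered:", recovered)
```

With these parameters the per-coordinate estimation error has standard deviation of roughly sigma_e / (sigma_a * sqrt(m)), about 0.07, so rounding to the nearest integer returns the secret; this is why masking schemes that leak such unreduced linear samples need the leakage removed rather than merely made noisy.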