### Abstract

The typical approach to attacking an LWR_{m,n,q,p}(χ_s) instance, parameterized by four integers m, n, q, p (Formula Presented) and a probability distribution χ_s, is simply to regard it as a Learning with Errors (LWE) modulo q instance and then try to adapt known LWE attacks to this LWE instance. In this paper, we show that for an LWR_{m,n,q,p}(χ_s) instance whose parameters satisfy a certain sufficient condition, one can use the BDD strategy to recover the secret with higher advantage if one transforms the LWR instance to an LWE modulo (Formula Presented) instance with (Formula Presented) chosen appropriately instead of an LWE modulo q instance. The optimal modulus q used in our BDD attack is quite close to p as well as typically smaller than q. In particular, our experiments confirm that our BDD attack is much better at solving search-LWR in terms of root Hermite factor, success probability and even running time when the ratio log(q)/log(p) is big and/or the dimension n is sufficiently large.

Original language | English |
---|---|
Title of host publication | Cryptology and Network Security - 17th International Conference, CANS 2018, Proceedings |
Editors | Panos Papadimitratos, Jan Camenisch |
Publisher | Springer Verlag |
Pages | 357-376 |
Number of pages | 20 |
ISBN (Print) | 9783030004330 |
DOIs | https://doi.org/10.1007/978-3-030-00434-7_18 |
Publication status | Published - Jan 1 2018 |
Event | 17th International Conference on Cryptology and Network Security, CANS 2018 - Naples, Italy. Duration: Sep 30 2018 → Oct 3 2018 |

### Publication series

Name | Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics) |
---|---|
Volume | 11124 LNCS |
ISSN (Print) | 0302-9743 |
ISSN (Electronic) | 1611-3349 |

### Other

Other | 17th International Conference on Cryptology and Network Security, CANS 2018 |
---|---|
Country | Italy |
City | Naples |
Period | 9/30/18 → 10/3/18 |

### All Science Journal Classification (ASJC) codes

- Theoretical Computer Science
- Computer Science(all)

### Cite this

*Cryptology and Network Security - 17th International Conference, CANS 2018, Proceedings* (pp. 357-376). (Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics); Vol. 11124 LNCS). Springer Verlag. https://doi.org/10.1007/978-3-030-00434-7_18

**Solving LWR via BDD strategy: Modulus switching approach.** / Le, Huy Quoc; Mishra, Pradeep Kumar; Duong, Dung Hoang; Yasuda, Masaya.

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution

*Cryptology and Network Security - 17th International Conference, CANS 2018, Proceedings.* Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics), vol. 11124 LNCS, Springer Verlag, pp. 357-376, 17th International Conference on Cryptology and Network Security, CANS 2018, Naples, Italy, 9/30/18. https://doi.org/10.1007/978-3-030-00434-7_18
