Solving LWR via BDD strategy

Modulus switching approach

Huy Quoc Le, Pradeep Kumar Mishra, Dung Hoang Duong, Masaya Yasuda

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution

Abstract

The typical approach to attacking an LWR_{m,n,q,p}(χ_s) instance, parameterized by four integers m, n, q, p (Formula Presented) and a probability distribution χ_s, is simply to regard it as a Learning with Errors (LWE) modulo q instance and then adapt known LWE attacks to this LWE instance. In this paper, we show that for an LWR_{m,n,q,p}(χ_s) instance whose parameters satisfy a certain sufficient condition, one can use the BDD strategy to recover the secret with higher advantage if one transforms the LWR instance to an LWE modulo (Formula Presented) instance, with (Formula Presented) chosen appropriately, instead of an LWE modulo q instance. The optimal modulus q used in our BDD attack is quite close to p as well as typically smaller than q. In particular, our experiments confirm that our BDD attack is much better at solving search-LWR in terms of root Hermite factor, success probability and even running time when the ratio log(q)/log(p) is big and/or the dimension n is sufficiently large.

Original language: English
Title of host publication: Cryptology and Network Security - 17th International Conference, CANS 2018, Proceedings
Editors: Panos Papadimitratos, Jan Camenisch
Publisher: Springer Verlag
Pages: 357-376
Number of pages: 20
ISBN (Print): 9783030004330
DOIs: https://doi.org/10.1007/978-3-030-00434-7_18
Publication status: Published - Jan 1 2018
Event: 17th International Conference on Cryptology and Network Security, CANS 2018 - Naples, Italy
Duration: Sep 30 2018 to Oct 3 2018

Publication series

Name: Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)
Volume: 11124 LNCS
ISSN (Print): 0302-9743
ISSN (Electronic): 1611-3349

Other

Other: 17th International Conference on Cryptology and Network Security, CANS 2018
Country: Italy
City: Naples
Period: 9/30/18 to 10/3/18

Fingerprint

Modulus
Modulo
Attack
Hermite
Probability distributions
Probability Distribution
Learning
Strategy
Roots
Transform
Integer
Sufficient Conditions
Experiment
Experiments

All Science Journal Classification (ASJC) codes

  • Theoretical Computer Science
  • Computer Science(all)

Cite this

Le, H. Q., Mishra, P. K., Duong, D. H., & Yasuda, M. (2018). Solving LWR via BDD strategy: Modulus switching approach. In P. Papadimitratos, & J. Camenisch (Eds.), Cryptology and Network Security - 17th International Conference, CANS 2018, Proceedings (pp. 357-376). (Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics); Vol. 11124 LNCS). Springer Verlag. https://doi.org/10.1007/978-3-030-00434-7_18

@inproceedings{92fe4160d8e24f55ad19a0c15f741baf,
title = "Solving LWR via BDD strategy: Modulus switching approach",
abstract = "The typical approach in attacking an LWR m,n,q,p(χs) instance parameterized by four integers m, n, q, p (Formula Presented) and a probability distribution χs is just by simply regarding it as a Learning with Errors (LWE) modulo q instance and then trying to adapt known LWE attacks to this LWE instance. In this paper, we show that for an LWR m,n,q,p(χs) instance whose parameters satisfy a certain sufficient condition, one can use the BDD strategy to recover the secret with higher advantages if one transforms the LWR instance to an LWE modulo (Formula Presented) instance with (Formula Presented) chosen appropriately instead of an LWE modulo q instance. The optimal modulus q used in our BDD attack is quite close to p as well as typically smaller than q. Especially, our experiments confirm that our BDD attack is much better in solving search-LWR in terms of root Hermite factor, success probability and even running time either in case the ratio log (q)/log (p) is big or/and the dimension n is sufficiently large.",
author = "Le, {Huy Quoc} and Mishra, {Pradeep Kumar} and Duong, {Dung Hoang} and Masaya Yasuda",
year = "2018",
month = "1",
day = "1",
doi = "10.1007/978-3-030-00434-7_18",
language = "English",
isbn = "9783030004330",
series = "Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)",
publisher = "Springer Verlag",
pages = "357--376",
editor = "Panos Papadimitratos and Jan Camenisch",
booktitle = "Cryptology and Network Security - 17th International Conference, CANS 2018, Proceedings",
address = "Germany",

}

TY - GEN

T1 - Solving LWR via BDD strategy

T2 - Modulus switching approach

AU - Le, Huy Quoc

AU - Mishra, Pradeep Kumar

AU - Duong, Dung Hoang

AU - Yasuda, Masaya

PY - 2018/1/1

Y1 - 2018/1/1

AB - The typical approach in attacking an LWR m,n,q,p(χs) instance parameterized by four integers m, n, q, p (Formula Presented) and a probability distribution χs is just by simply regarding it as a Learning with Errors (LWE) modulo q instance and then trying to adapt known LWE attacks to this LWE instance. In this paper, we show that for an LWR m,n,q,p(χs) instance whose parameters satisfy a certain sufficient condition, one can use the BDD strategy to recover the secret with higher advantages if one transforms the LWR instance to an LWE modulo (Formula Presented) instance with (Formula Presented) chosen appropriately instead of an LWE modulo q instance. The optimal modulus q used in our BDD attack is quite close to p as well as typically smaller than q. Especially, our experiments confirm that our BDD attack is much better in solving search-LWR in terms of root Hermite factor, success probability and even running time either in case the ratio log (q)/log (p) is big or/and the dimension n is sufficiently large.

UR - http://www.scopus.com/inward/record.url?scp=85057324007&partnerID=8YFLogxK

UR - http://www.scopus.com/inward/citedby.url?scp=85057324007&partnerID=8YFLogxK

U2 - 10.1007/978-3-030-00434-7_18

DO - 10.1007/978-3-030-00434-7_18

M3 - Conference contribution

SN - 9783030004330

T3 - Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)

SP - 357

EP - 376

BT - Cryptology and Network Security - 17th International Conference, CANS 2018, Proceedings

A2 - Papadimitratos, Panos

A2 - Camenisch, Jan

PB - Springer Verlag

ER -