Lazy Modulus Switching for the BKW Algorithm on LWE

Albrecht, M.; Faugère, Jean-Charles; Fitzpatrick, Robert; Perret, Ludovic

doi:10.1007/978-3-642-54631-0_25

Cited by 37 publications

(43 citation statements)

References 18 publications

Supporting

Mentioning

Contrasting

Unclassified

Order By: Relevance

“…This technique was initially introduced to speedup homomorphic encryption [BV11] but can also be employed to reduce the cost of solving LWE in certain cases [AFFP14]. Modulus switching can be thought of as analogous to the difference between computing with single instead of double precision floating point numbers, where switching refers to opting to compute in the lower precision of a machine float.…”

Section: Lemma 1 ([Acps09]mentioning

confidence: 99%

“…In this section we consider the small secret variant of BKW described in [AFFP14]. In this work ψ is not specified but it is assumed that the s (i) are chosen from {−1, 0, 1} or {0, 1}.…”

Section: Small Secret Bkwmentioning

confidence: 99%

“…Using lazy modulus switching (Corollary 3 of [AFFP14]), the complexity of solving is O 2 n c+ log d− 1 2 log log n log n · n log 2 n , where in both cases 0 < d ≤ 1 is a constant.…”

Section: Theorem 7 ([Affp14]mentioning

confidence: 99%

See 2 more Smart Citations

On the concrete hardness of Learning with Errors

Albrecht

Player

Scott

2015

Journal of Mathematical Cryptology

Self Cite

473

302

View full text Add to dashboard Cite

Abstract. The Learning with Errors (LWE) problem has become a central building block of modern cryptographic constructions. This work collects and presents hardness results for concrete instances of LWE. In particular, we discuss algorithms proposed in the literature and give the expected resources required to run them. We consider both generic instances of LWE as well as small secret variants. Since for several methods of solving LWE we require a lattice reduction step, we also review lattice reduction algorithms and use a refined model for estimating their running times. We also give concrete estimates for various families of LWE instances, provide a Sage module for computing these estimates and highlight gaps in the knowledge about algorithms for solving the Learning with Errors problem.

show abstract

Section: Lemma 1 ([Acps09]mentioning

confidence: 99%

Section: Small Secret Bkwmentioning

confidence: 99%

See 1 more Smart Citation

On the concrete hardness of Learning with Errors

Albrecht

Player

Scott

2015

Journal of Mathematical Cryptology

Self Cite

473

302

View full text Add to dashboard Cite

show abstract

“…This algorithm is the first LWR-solving algorithm. Further work includes the study of the Ring variants of LWE and LWR [38,8] and the study of variants of LWE, e.g., when the secret follows a non-uniform distribution (like in [2]) or when the noise follows a non Gaussian distribution. It would also be interesting to see if our LWR algorithm can be extended for q non prime.…”

Section: Resultsmentioning

confidence: 99%

“…Finally, Albercht et al presented in PKC 2014 an algorithm targeting LWE when the secret vector has small components (typically binary). Using BKW along with modulus switching techniques, they managed to reduce the complexity for solving the LWE problem in these cases [2].…”

Section: Introductionmentioning

confidence: 99%

Better Algorithms for LWE and LWR

Duc

Tramèr

Vaudenay

2015

Advances in Cryptology -- EUROCRYPT 2015

View full text Add to dashboard Cite

Abstract. The Learning With Error problem (LWE) is becoming more and more used in cryptography, for instance, in the design of some fully homomorphic encryption schemes. It is thus of primordial importance to find the best algorithms that might solve this problem so that concrete parameters can be proposed. The BKW algorithm was proposed by Blum et al. as an algorithm to solve the Learning Parity with Noise problem (LPN), a subproblem of LWE. This algorithm was then adapted to LWE by Albrecht et al. In this paper, we improve the algorithm proposed by Albrecht et al. by using multidimensional Fourier transforms. Our algorithm is, to the best of our knowledge, the fastest LWE solving algorithm. Compared to the work of Albrecht et al. we greatly simplify the analysis, getting rid of integrals which were hard to evaluate in the final complexity. We also remove some heuristics on rounded Gaussians. Some of our results on rounded Gaussians might be of independent interest. Moreover, we also analyze algorithms solving LWE with discrete Gaussian noise. Finally, we apply the same algorithm to the Learning With Rounding problem (LWR) for prime q, a deterministic counterpart to LWE. This problem is getting more and more attention and is used, for instance, to design pseudorandom functions. To the best of our knowledge, our algorithm is the first algorithm applied directly to LWR. Furthermore, the analysis of LWR contains some technical results of independent interest.

show abstract