Lazy Modulus Switching for the BKW Algorithm on LWE

  • Martin R. Albrecht
  • Jean-Charles Faugère
  • Robert Fitzpatrick
  • Ludovic Perret
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 8383)


Some recent constructions based on LWE do not sample the secret uniformly at random but rather from some distribution which produces small entries. The most prominent of these is the binary-LWE problem where the secret vector is sampled from {0,1} ∗  or { − 1,0,1} ∗ . We present a variant of the BKW algorithm for binary-LWE and other small secret variants and show that this variant reduces the complexity for solving binary-LWE. We also give estimates for the cost of solving binary-LWE instances in this setting and demonstrate the advantage of this BKW variant over standard BKW and lattice reduction techniques applied to the SIS problem. Our variant can be seen as a combination of the BKW algorithm with a lazy variant of modulus switching which might be of independent interest.


Full Version Lattice Reduction Homomorphic Encryption Modulus Reduction Unbounded Number 
These keywords were added by machine and not by the authors. This process is experimental and the keywords may be updated as the learning algorithm improves.


  1. 1.
    Akavia, A., Goldwasser, S., Vaikuntanathan, V.: Simultaneous hardcore bits and cryptography against memory attacks. In: Reingold, O. (ed.) TCC 2009. LNCS, vol. 5444, pp. 474–495. Springer, Heidelberg (2009)CrossRefGoogle Scholar
  2. 2.
    Albrecht, M., Cid, C., Faugr̈e, J.-C., Fitzpatrick, R., Perret, L.: On the complexity of the arora-ge algorithm against lwe. In: SCC 2012: Proceedings of the 3rd International Conference on Symbolic Computation and Cryptography, Castro-Urdiales, pp. 93–99 (July 2012)Google Scholar
  3. 3.
    Albrecht, M.R., Cid, C., Faugère, J.-C., Fitzpatrick, R., Perret, L.: On the complexity of the BKW algorithm on LWE. Designs, Codes and Cryptography, 1–30 (2013)Google Scholar
  4. 4.
    Albrecht, M.R., Fitzpatrick, R., Cabracas, D., Gpfert, F., Schneider, M.: A generator for LWE and Ring-LWE instances (2013),
  5. 5.
    Applebaum, B., Cash, D., Peikert, C., Sahai, A.: Fast cryptographic primitives and circular-secure encryption based on hard learning problems. In: Halevi, S. (ed.) CRYPTO 2009. LNCS, vol. 5677, pp. 595–618. Springer, Heidelberg (2009)CrossRefGoogle Scholar
  6. 6.
    Arora, S., Ge, R.: New algorithms for learning in presence of errors. In: Aceto, L., Henzinger, M., Sgall, J. (eds.) ICALP 2011, Part I. LNCS, vol. 6755, pp. 403–415. Springer, Heidelberg (2011)CrossRefGoogle Scholar
  7. 7.
    Blum, A., Kalai, A., Wasserman, H.: Noise-tolerant learning, the parity problem, and the statistical query model. J. ACM 50(4), 506–519 (2003)MathSciNetCrossRefzbMATHGoogle Scholar
  8. 8.
    Brakerski, Z., Langlois, A., Peikert, C., Regev, O., Stehlé, D.: Classical hardness of Learning with Errors. In: STOC 2013, pp. 575–584. ACM, New York (2013)Google Scholar
  9. 9.
    Brakerski, Z., Vaikuntanathan, V.: Efficient fully homomorphic encryption from (standard) LWE. In: Ostrovsky, R. (ed.) IEEE 52nd Annual Symposium on Foundations of Computer Science, FOCS 2011, pp. 97–106. IEEE (2011)Google Scholar
  10. 10.
    Chen, Y., Nguyen, P.Q.: BKZ 2.0: better lattice security estimates. In: Lee, D.H., Wang, X. (eds.) ASIACRYPT 2011. LNCS, vol. 7073, pp. 1–20. Springer, Heidelberg (2011)CrossRefGoogle Scholar
  11. 11.
    Levieil, É., Fouque, P.-A.: An improved LPN algorithm. In: De Prisco, R., Yung, M. (eds.) SCN 2006. LNCS, vol. 4116, pp. 348–359. Springer, Heidelberg (2006)CrossRefGoogle Scholar
  12. 12.
    Gentry, C., Halevi, S., Smart, N.P.: Homomorphic evaluation of the AES circuit. In: Safavi-Naini, R., Canetti, R. (eds.) CRYPTO 2012. LNCS, vol. 7417, pp. 850–867. Springer, Heidelberg (2012)CrossRefGoogle Scholar
  13. 13.
    Goldwasser, S., Kalai, Y.T., Peikert, C., Vaikuntanathan, V.: Robustness of the Learning with Errors assumption. In: ICS, pp. 230–240. Tsinghua University Press (2010)Google Scholar
  14. 14.
    Hill, K.: Blueprints of NSA’s ridiculously expensive data center in Utah suggest it holds less info than thought (2013),
  15. 15.
    Kirchner, P.: Improved generalized birthday attack. Cryptology ePrint Archive, Report 2011/377 (2011),
  16. 16.
    Lindner, R., Peikert, C.: Better key sizes (and attacks) for LWE-based encryption. IACR Cryptology ePrint Archive, 2010:592 (2010)Google Scholar
  17. 17.
    Liu, M., Nguyen, P.Q.: Solving BDD by enumeration: An update. In: Dawson, E. (ed.) CT-RSA 2013. LNCS, vol. 7779, pp. 293–309. Springer, Heidelberg (2013)CrossRefGoogle Scholar
  18. 18.
    Micciancio, D., Regev, O.: Lattice-based cryptography. In: Bernstein, D.J., Buchmann, J., Dahmen, E. (eds.) Post-Quantum Cryptography, pp. 147–191. Springer, Heidelberg (2009)CrossRefGoogle Scholar
  19. 19.
    Pietrzak, K.: Subspace LWE. In: Cramer, R. (ed.) TCC 2012. LNCS, vol. 7194, pp. 548–563. Springer, Heidelberg (2012)CrossRefGoogle Scholar
  20. 20.
    Regev, O.: On lattices, learning with errors, random linear codes, and cryptography. J. ACM 56(6) (2009)Google Scholar

Copyright information

© International Association for Cryptologic Research 2014

Authors and Affiliations

  • Martin R. Albrecht
    • 1
  • Jean-Charles Faugère
    • 3
    • 2
    • 4
  • Robert Fitzpatrick
    • 5
  • Ludovic Perret
    • 2
    • 3
    • 4
  1. 1.Technical University of DenmarkDenmark
  2. 2.Sorbonne Universités, UPMC Univ Paris 06, POLSYS, UMR 7606, LIP6, F-75005ParisFrance
  3. 3.INRIA, Paris-Rocquencourt Center, POLSYS ProjectFrance
  4. 4.CNRS, UMR 7606, LIP6, F-75005ParisFrance
  5. 5.Information Security Group Royal HollowayUniversity of London EghamSurreyUnited Kingdom

Personalised recommendations