Solving LWR via BDD Strategy: Modulus Switching Approach

  • Huy Quoc LeEmail author
  • Pradeep Kumar Mishra
  • Dung Hoang Duong
  • Masaya Yasuda
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 11124)


The typical approach in attacking an LWR\(_{m,n,q,p}(\chi _s)\) instance parameterized by four integers m, n, q, p \( (q \ge p)\) and a probability distribution \(\chi _s\) is just by simply regarding it as a Learning with Errors (LWE) modulo q instance and then trying to adapt known LWE attacks to this LWE instance. In this paper, we show that for an LWR\(_{m,n,q,p}(\chi _s)\) instance whose parameters satisfy a certain sufficient condition, one can use the BDD strategy to recover the secret with higher advantages if one transforms the LWR instance to an LWE modulo \(q'\) instance with \(q'\) chosen appropriately instead of an LWE modulo q instance. The optimal modulus \(q'\) used in our BDD attack is quite close to p as well as typically smaller than q. Especially, our experiments confirm that our BDD attack is much better in solving search-LWR in terms of root Hermite factor, success probability and even running time either in case the ratio \(\log (q)/ \log (p)\) is big or/and the dimension n is sufficiently large.


Learning with Errors (LWE) Learning with rounding (LWR) Bounded distance decoding (BDD) strategy Modulus switching Lattice basis reduction Babai’s Nearest Plane (BNP) algorithm 



This work was supported by JST CREST Grant Number JPMJCR14D6, Japan. This work was also supported by JSPS KAKENHI Grant Number 16H02830. We would like to thank the anonymous reviewers for their careful reading as well as very helpful comments and suggestions.


  1. 1.
    Albrecht, M.R., Faugère, J.-C., Fitzpatrick, R., Perret, L.: Lazy modulus switching for the BKW algorithm on LWE. In: Krawczyk, H. (ed.) PKC 2014. LNCS, vol. 8383, pp. 429–445. Springer, Heidelberg (2014). Scholar
  2. 2.
    Albrecht, M.R., Player, R., Scott, S.: On the concrete hardness of learning with errors. Cryptology ePrint Archive, Report 2015/046 (2015).
  3. 3.
    Arora, S., Ge, R.: New algorithms for learning in presence of errors. In: Aceto, L., Henzinger, M., Sgall, J. (eds.) ICALP 2011. LNCS, vol. 6755, pp. 403–415. Springer, Heidelberg (2011). Scholar
  4. 4.
    Baan, H., et al.: Round2: KEM and PKE based on GLWR. Submission to NIST proposal, Round 1 (2017).
  5. 5.
    Babai, L.: On lovász’ lattice reduction and the nearest lattice point problem. Combinatorica 6(1), 1–13 (1986). Scholar
  6. 6.
    Banerjee, A., Peikert, C., Rosen, A.: Pseudorandom functions and lattices. In: Pointcheval, D., Johansson, T. (eds.) EUROCRYPT 2012. LNCS, vol. 7237, pp. 719–737. Springer, Heidelberg (2012). Scholar
  7. 7.
    Bischof, C., Buchmann, J., Dagdelen, Ö., Fitzpatrick, R., Göpfert, F., Mariano, A.: Nearest planes in practice. In: Ors, B., Preneel, B. (eds.) Cryptography and Information Security in the Balkans, pp. 203–215. Springer International Publishing, Cham (2015)CrossRefGoogle Scholar
  8. 8.
    Brakerski, Z., Gentry, C., Vaikuntanathan, V.: (Leveled) fully homomorphic encryption without bootstrapping. In: Proceedings of the 3rd Innovations in Theoretical Computer Science Conference, ITCS 2012, pp. 309–325. ACM, New York (2012).
  9. 9.
    Brakerski, Z., Langlois, A., Peikert, C., Regev, O., Stehlé, D.: Classical hardness of learning with errors. In: Proceedings of the Forty-Fifth Annual ACM Symposium on Theory of Computing, STOC 2013, pp. 575–584. ACM, New York (2013).
  10. 10.
    Brakerski, Z., Vaikuntanathan, V.: Efficient fully homomorphic encryption from (standard) LWE. In: Proceedings of the 2011 IEEE 52nd Annual Symposium on Foundations of Computer Science, FOCS 2011, pp. 97–106. IEEE Computer Society, Washington (2011).
  11. 11.
    Brakerski, Z., Vaikuntanathan, V.: Fully homomorphic encryption from ring-LWE and security for key dependent messages. In: Rogaway, P. (ed.) CRYPTO 2011. LNCS, vol. 6841, pp. 505–524. Springer, Heidelberg (2011). Scholar
  12. 12.
    Cheon, J.H., Kim, D., Lee, J., Song, Y.: Lizard public key encryption. Submission to NIST proposal, Round 1 (2017).
  13. 13.
    Duc, A., Tramér, F., Vaudenay, S.: Better algorithms for LWE and LWR. Cryptology ePrint Archive, Report 2015/056 (2015).
  14. 14.
    Fang, F., Li, B., Lu, X., Liu, Y., Jia, D., Xue, H.: (Deterministic) hierarchical identity-based encryption from learning with rounding over small modulus. In: Proceedings of the 11th ACM on Asia Conference on Computer and Communications Security, ASIA CCS 2016, pp. 907–912. ACM, New York (2016).
  15. 15.
    Gama, N., Nguyen, P.Q.: Predicting lattice reduction. In: Smart, N. (ed.) EUROCRYPT 2008. LNCS, vol. 4965, pp. 31–51. Springer, Heidelberg (2008). Scholar
  16. 16.
    Göpfert, F., van Vredendaal, C., Wunderer, T.: A hybrid lattice basis reduction and quantum search attack on LWE. In: Lange, T., Takagi, T. (eds.) PQCrypto 2017. LNCS, vol. 10346, pp. 184–202. Springer, Cham (2017). Scholar
  17. 17.
    Kudo, M., Yamaguchi, J., Guo, Y., Yasuda, M.: Practical analysis of key recovery attack against search-LWE problem. In: Ogawa, K., Yoshioka, K. (eds.) IWSEC 2016. LNCS, vol. 9836, pp. 164–181. Springer, Cham (2016). Scholar
  18. 18.
    Laine, K., Lauter, K.: Key recovery for LWE in polynomial time. Cryptology ePrint Archive, Report 2015/176 (2015).
  19. 19.
    Lenstra, A.K., Lenstra, H.W., Lovasz, L.: Factoring polynomials with rational coefficients. Math. Ann. 261, 515–534 (1982)MathSciNetCrossRefGoogle Scholar
  20. 20.
    Lindner, R., Peikert, C.: Better key sizes (and attacks) for LWE-based encryption. In: Kiayias, A. (ed.) CT-RSA 2011. LNCS, vol. 6558, pp. 319–339. Springer, Heidelberg (2011). Scholar
  21. 21.
    Micciancio, D., Regev, O.: Lattice-based cryptography. In: Bernstein, D.J., Buchmann, J., Dahmen, E. (eds.) Post-Quantum Cryptography, pp. 147–191. Springer, Heidelberg (2009). Scholar
  22. 22.
    Regev, O.: On lattices, learning with errors, random linear codes, and cryptography. J. ACM 56(6), 34:1–34:40 (2009). Scholar
  23. 23.
    Schnorr, C.P., Euchner, M.: Lattice basis reduction: improved practical algorithms and solving subset sum problems. Math. Program. 66(1), 181–199 (1994). Scholar
  24. 24.
    Stein, W., et al.: Sage Mathematics Software (Version 8.1). The Sage Development Team (2018).

Copyright information

© Springer Nature Switzerland AG 2018

Authors and Affiliations

  • Huy Quoc Le
    • 1
    Email author
  • Pradeep Kumar Mishra
    • 1
  • Dung Hoang Duong
    • 2
  • Masaya Yasuda
    • 3
    • 4
  1. 1.Graduate School of MathematicsKyushu UniversityFukuoka-shiJapan
  2. 2.School of Computing and Information TechnologyUniversity of WollongongWollongongAustralia
  3. 3.Institute of Mathematics for IndustryKyushu UniversityFukuoka-shiJapan
  4. 4.JST, CRESTKawaguchiJapan

Personalised recommendations