TY - JOUR
T1 - Impact of the modulus switching technique on some attacks against learning problems
AU - Le, Huy Quoc
AU - Mishra, Pradeep Kumar
AU - Nakamura, Satoshi
AU - Kinjo, Koha
AU - Duong, Dung Hoang
AU - Yasuda, Masaya
N1 - Funding Information:
This work was supported by the JST CREST Grant no. JPMJCR14D6, Japan. A part of this work was also supported by the JSPS KAKENHI Grant no. 16H02830.
Publisher Copyright:
© The Institution of Engineering and Technology 2019.
PY - 2020/5/1
Y1 - 2020/5/1
N2 - The modulus switching technique has been used in some cryptographic applications as well as in cryptanalysis. For cryptanalysis of the learning with errors (LWE) problem and the learning with rounding (LWR) problem, it has been unclear whether the technique is really useful. This work gives a complete view of the impact of the technique on the decoding attack, the dual attack and the primal attack against both LWE and LWR. For each attack, the authors give the optimal formula for the switching modulus. The formulas involve the number of LWE/LWR samples, which differs from the known formula in the literature. They also derive the corresponding sufficient conditions stating when one should use the technique. Surprisingly, restricted to LWE/LWR instances in which the secret vector is much shorter than the error vector, they also show that performing modulus switching before using the so-called rescaling technique in the dual attack and the primal attack makes these attacks worse than using the rescaling technique alone, as reported by Bai and Galbraith at the Australasian Conference on Information Security and Privacy (ACISP) 2014. As an application, they theoretically assess the influence of modulus switching on the LWE/LWR-based second-round NIST PQC submissions.
AB - The modulus switching technique has been used in some cryptographic applications as well as in cryptanalysis. For cryptanalysis of the learning with errors (LWE) problem and the learning with rounding (LWR) problem, it has been unclear whether the technique is really useful. This work gives a complete view of the impact of the technique on the decoding attack, the dual attack and the primal attack against both LWE and LWR. For each attack, the authors give the optimal formula for the switching modulus. The formulas involve the number of LWE/LWR samples, which differs from the known formula in the literature. They also derive the corresponding sufficient conditions stating when one should use the technique. Surprisingly, restricted to LWE/LWR instances in which the secret vector is much shorter than the error vector, they also show that performing modulus switching before using the so-called rescaling technique in the dual attack and the primal attack makes these attacks worse than using the rescaling technique alone, as reported by Bai and Galbraith at the Australasian Conference on Information Security and Privacy (ACISP) 2014. As an application, they theoretically assess the influence of modulus switching on the LWE/LWR-based second-round NIST PQC submissions.
UR - http://www.scopus.com/inward/record.url?scp=85083443103&partnerID=8YFLogxK
UR - http://www.scopus.com/inward/citedby.url?scp=85083443103&partnerID=8YFLogxK
U2 - 10.1049/iet-ifs.2019.0220
DO - 10.1049/iet-ifs.2019.0220
M3 - Article
AN - SCOPUS:85083443103
SN - 1751-8709
VL - 14
SP - 286
EP - 303
JO - IET Information Security
JF - IET Information Security
IS - 3
ER -
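The abstract above discusses modulus switching as an attack preprocessing step without spelling out the mechanism. The following is an added illustration, not code from the paper or its authors, and it does not implement the paper's optimal switching-modulus formulas or its sample-count analysis. It performs plain modulus switching q -> p on a constructed LWE instance (parameters n=32, m=64, q=3329, p=257, a sparse ternary secret and uniform error in [-30, 30] are all assumed for the demo) and checks the standard rounding bound |e'_i| <= (p/q)|e_i| + (||s||_1 + 1)/2 on the switched error. The bound makes the trade-off named in the abstract visible: the scaled error shrinks with p/q, while the rounding term grows with the size of the secret, so switching pays off only when the secret is short relative to the error.

```python
"""Modulus switching on LWE samples (A, b = A*s + e mod q) to a smaller modulus p.

Added example with constructed parameters; not the paper's own analysis or code.
"""
import random


def centered(x, mod):
    """Representative of x mod `mod` in the symmetric range (-mod/2, mod/2]."""
    r = x % mod
    return r - mod if r > mod // 2 else r


def make_lwe(n, m, q, err_bound, weight, rng):
    """Constructed LWE instance: sparse ternary secret of Hamming weight `weight`,
    uniform A, error uniform in [-err_bound, err_bound]. b = A*s + e mod q."""
    s = [0] * n
    for i in rng.sample(range(n), weight):
        s[i] = rng.choice((-1, 1))
    A = [[rng.randrange(q) for _ in range(n)] for _ in range(m)]
    e = [rng.randint(-err_bound, err_bound) for _ in range(m)]
    b = [(sum(a * x for a, x in zip(row, s)) + ei) % q for row, ei in zip(A, e)]
    return A, b, s, e


def residual(A, b, s, mod):
    """Centered b - A*s mod `mod`; equals the error vector when s is the true secret."""
    return [centered(bi - sum(a * x for a, x in zip(row, s)), mod)
            for row, bi in zip(A, b)]


def modulus_switch(A, b, q, p):
    """Scale every coefficient by p/q and round to the nearest integer (mod p).

    Since b - A*s = e + k*q for an integer k, scaling maps k*q to k*p, so
    b' - A'*s == (p/q)*e + (rounding noise) mod p.
    """
    A2 = [[round(p * a / q) % p for a in row] for row in A]
    b2 = [round(p * bi / q) % p for bi in b]
    return A2, b2


def switched_error_bound(e, s, q, p):
    """Per-sample bound on the switched error.

    Each rounding contributes at most 1/2; the b_i rounding adds 1/2 and the
    rounding of row i of A adds at most (1/2)*||s||_1 after multiplication by s,
    so |e'_i| <= (p/q)*|e_i| + (||s||_1 + 1)/2.
    """
    l1 = sum(abs(x) for x in s)
    return [p * abs(ei) / q + (l1 + 1) / 2 for ei in e]


def demo(seed=1, n=32, m=64, q=3329, p=257, err_bound=30, weight=8):
    """Switch a constructed instance from q to p and report error sizes.

    Returns a dict with the original and switched max error, the max of the
    analytic bound, and two consistency flags.
    """
    rng = random.Random(seed)
    A, b, s, e = make_lwe(n, m, q, err_bound, weight, rng)
    A2, b2 = modulus_switch(A, b, q, p)
    e2 = residual(A2, b2, s, p)          # error of the switched instance
    bound = switched_error_bound(e, s, q, p)
    return {
        "orig_max_err": max(abs(x) for x in e),
        "switched_max_err": max(abs(x) for x in e2),
        "bound_max": max(bound),
        # Bound holds entrywise (tiny slack for floating-point scaling).
        "within_bound": all(abs(x) <= y + 1e-9 for x, y in zip(e2, bound)),
        # Sanity: with the true secret, the residual mod q recovers e exactly.
        "orig_recovers_e": residual(A, b, s, q) == e,
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

With these parameters the scaled error term is at most 257*30/3329 (about 2.3) while the rounding term is (8 + 1)/2 = 4.5, so the switched error stays far below p/2 and no wrap-around occurs; raising the secret's weight makes the rounding term dominate, which is the regime in which the abstract reports that switching before rescaling hurts the dual and primal attacks.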