Results 1 
4 of
4
Lazy Modulus Switching for the BKW Algorithm on LWE
"... Abstract. Some recent constructions based on LWE do not sample the secret uniformly at random but rather from some distribution which produces small entries. The most prominent of these is the binaryLWE problem where the secret vector is sampled from {0, 1} ∗ or {−1, 0, 1} ∗. We present a variant ..."
Abstract

Cited by 5 (0 self)
 Add to MetaCart
reduction techniques applied to the SIS problem. Our variant can be seen as a combination of the BKW algorithm with a lazy variant of modulus switching which might be of independent interest. 1
P.: An improved BKW algorithm for LWE with applications to cryptography and lattices
 In: CRYPTO
, 2015
"... Abstract. In this paper, we study the Learning With Errors problem and its binary variant, where secrets and errors are binary or taken in a small interval. We introduce a new variant of the Blum, Kalai and Wasserman algorithm, relying on a quantization step that generalizes and finetunes modulus s ..."
Abstract

Cited by 3 (0 self)
 Add to MetaCart
switching. In general this new technique yields a significant gain in the constant in front of the exponent in the overall complexity. We illustrate this by solving within half a day a LWE instance with dimension n = 128, modulus q = n2, Gaussian noise α = 1/( n/π log2 n) and binary secret, using 228
Lattice Decoding Attacks on Binary LWE
"... Abstract. We consider the binaryLWE problem, which is the learning with errors problem when the entries of the secret vector are chosen from {0, 1} or {−1, 0, 1} (and the error vector is sampled from a discrete Gaussian distribution). Our main result is an improved lattice decoding algorithm for ..."
Abstract

Cited by 2 (0 self)
 Add to MetaCart
for binaryLWE which first translates the problem to the inhomogeneous short integer solution (ISIS) problem, and then solves the closest vector problem using a rescaling of the lattice. We also discuss modulus switching as an approach to the problem. Our conclusion is that binaryLWE is easier than
APractical Latticebased Digital Signature Schemes
"... Digital signatures are an important primitive for building secure systems and are used in most real world security protocols. However, almost all popular signature schemes are either based on the factoring assumption (RSA) or the hardness of the discrete logarithm problem (DSA/ECDSA). In the case o ..."
Abstract
 Add to MetaCart
Digital signatures are an important primitive for building secure systems and are used in most real world security protocols. However, almost all popular signature schemes are either based on the factoring assumption (RSA) or the hardness of the discrete logarithm problem (DSA/ECDSA). In the case of classical cryptanalytic advances or progress on the development of quantum computers the hardness of these closely related problems might be seriously weakened. A potential alternative approach is the construction of signature schemes based on the hardness of certain lattices problems which are assumed to be intractable by quantum computers. Due to significant research advancements in recent years, latticebased schemes have now become practical and appear to be a very viable alternative to numbertheoretic cryptography. In this paper we focus on recent developments and the current stateoftheart in latticebased digital signatures and provide a comprehensive survey discussing signature schemes with respect to practicality. Additionally, we discuss future research areas that are essential for the continued development of latticebased cryptography.