## Abstract

Some recent constructions based on LWE do not sample the secret uniformly at random but rather from some distribution which produces small entries. The most prominent of these is the binary-LWE problem where the secret vector is sampled from {0, 1}* or {−1, 0, 1}*. We present a variant of the BKW algorithm for binary-LWE and other small secret variants and show that this variant reduces the complexity for solving binary-LWE. We also give estimates for the cost of solving binary-LWE instances in this setting and demonstrate the advantage of this BKW variant over standard BKW and lattice reduction techniques applied to the SIS problem. Our variant can be seen as a combination of the BKW algorithm with a lazy variant of modulus switching which might be of independent interest.

Original language | English |
---|---|

Title of host publication | Public-Key Cryptography – PKC 2014 : Proceedings |

Publisher | Springer |

Publication date | 2014 |

Pages | 429-445 |

ISBN (Print) | 978-3-642-54630-3 |

ISBN (Electronic) | 978-3-642-54631-0 |

DOIs | |

Publication status | Published - 2014 |

Event | 17th International Conference on Practice and Theory in Public-Key Cryptography - Buenos Aires, Argentina Duration: 26 Mar 2014 → 28 Mar 2014 Conference number: 17 |

### Conference

Conference | 17th International Conference on Practice and Theory in Public-Key Cryptography |
---|---|

Number | 17 |

Country | Argentina |

City | Buenos Aires |

Period | 26/03/2014 → 28/03/2014 |

Series | Lecture Notes in Computer Science |
---|---|

Volume | 8383 |

ISSN | 0302-9743 |