**On the Hardness of Module-LWE with Binary Secret**

*Katharina Boudgoust and Corentin Jeudy and Adeline Roux-Langlois and Weiqiang Wen*

**Abstract: **We prove that the Module Learning With Errors (M-LWE) problem with binary secrets and rank $d$ is at least as hard as the standard version of M-LWE with uniform secret and rank $k$, where the rank increases from $k$ to $d \geq (k+1)\log_2 q + \omega(\log_2 n)$, and the Gaussian noise from $\alpha$ to $\beta = \alpha \cdot \Theta(n^2\sqrt{d})$, where $n$ is the ring degree and $q$ the modulus. Our work improves on the recent work by Boudgoust et al. in 2020 by a factor of $\sqrt{md}$ in the Gaussian noise, where $m$ is the number of given M-LWE samples, when $q$ fulfills some number-theoretic requirements. We use a different approach than Boudgoust et al. to achieve this hardness result by adapting the previous work from Brakerski et al. in 2013 for the Learning With Errors problem to the module setting. The proof applies to cyclotomic fields, but most results hold for a larger class of number fields, and may be of independent interest.

**Category / Keywords: **foundations / Lattice-based cryptography, module learning with errors, binary secret

**Original Publication**** (with minor differences): **CT-RSA 2021

**Date: **received 3 Mar 2021

**Contact author: **katharina boudgoust at irisa fr

**Available format(s): **PDF | BibTeX Citation

**Version: **20210303:195140 (All versions of this report)

**Short URL: **ia.cr/2021/265

[ Cryptology ePrint archive ]