Zhenfei,
I've been reviewing the invited talk at PQCrypto 2016 given by Steven Galbraith. He outlines his proposal for modulus switching related to LWE and SIS problems. He does glance over binary secrets, preferring not to discuss it after mentioning modulus switching related to hardness of LWE. The link to this talk is at the end of this message.
My reading of your paper focuses mostly on the section covering binary secrets of R-LWE. One of your main findings is that the loss of SVP from the original ring mapped to the sub-ring implies that modulus switching attacks are potentially impossible. You also base this claim on the closeness of shortest non-zero vectors to the Gaussian heuristic length for cases in which the shortest vector problem is preserved.
Intuitively, this largely makes sense to me. A change in coordinate systems implies a change in the domain of shortest vectors.
In your demonstration of modulus switching, you use an instance of R-LWE in the integer ring mod q, where modulus q is one plus a multiple of 2N. Your mod switch is then to Q, where mod Q is a modulus w.r.t. "power of 2." By using these switch techniques you show that the shortest vector is largely lost in the mapping from the integer ring to the sub-ring, but I'm wondering if you've included any methods to account for the change in dimensions that might preserve the vector? You account for the Gaussian heuristic length when the shortest non-zero vector is preserved, but does any possible use of a Gaussian heuristic length help preserve the shortest non-zero vector in mappings where the shortest vector is not shown preserved?
To rephrase my question, can a Gaussian heuristic help attenuate for loss of shortest vectors in mappings from the original ring to the sub-ring? Would including the cross-rounding function help achieve this goal?
Regards,
Mod Switch and Binary Secrets mentioned by Steven Galbraith (18:00 minutes in).