MechFroG88
commented
1 month ago Hi, the parameter choice was referenced from
I couldn't just follow the parameters given on the paper because it is too inefficient
Open kicca000 opened 1 month ago
MechFroG88
commented
1 month ago Hi, the parameter choice was referenced from
I couldn't just follow the parameters given on the paper because it is too inefficient
kicca000
commented
1 month ago Thank you for your answer! In https://github.com/fentec-project/CiFEr/blob/e8a87287aecb449b4c3346ee6e1b6fa16c65c2ce/src/innerprod/simple/lwe.c#L42 they set the parameter p (that we call K) to a prime with (X_bit+Y_bit+l_bit+2) bit, while q is defined as a prime with [(\sqrt{l} X +1)pY \sqrt{n+l+1} 8n]^{3/2} bit. It seems a different way of setting the parameters respect to PyMIFE/mife/single/lwe.py
MechFroG88
commented
1 month ago Hi, when I was using their parameters as is, I couldn't manage to achieve the correctness of the tests. To address this issue, I have done some tweaking to the parameters to ensure the perfect correctness, but I am not very sure of the impact in security level.
As such I am not confident in the lwe scheme compared to those ddh schemes and would advise you to not use it for any significant purposes. Regardless, if you managed to get it working with proven secure parameters and would like to contribute to the repo, I would greatly appreciate it
I have a question about the choice of the parameters q and alpha in mife/single/lwe.py, where they are set respectively to getPrime(k.bit_length() 2 + n.bit_length() 15 + 10) and 1 / (k k (n * q.bit_length()) ** 7). In the paper you referenced (https://eprint.iacr.org/2015/608.pdf), the method for choosing q and alpha seems to be different. Could you clarify the reason behind this choice?