ldsec / lattigo-polls-demo


General question on the security assumptions of RLWE #8

Closed macknight closed 2 years ago

macknight commented 2 years ago

Hi,

[image]

We know p1 <- U(R); then why is p0 indistinguishable from uniform? And where do we use p0's indistinguishability in the decryption process? I mean, is "it is hard to find s and p0 + s*p1 ~ 0" not enough for the security?

BR

ChristianMct commented 2 years ago

The indistinguishability properties of p_0 are given by the RLWE problem.

You don't need this property for decryption (since the decryptor has access to s).

You need this property to argue that the u p_0 + e_1 term computed during encryption constitutes a uniformly pseudorandom mask.

macknight commented 2 years ago

Hi,

[image]

In the encryption process, it seems there's no u*p_0 + e_1. Is that a typo? Should we argue u*p_0 + e_0 constitutes a uniformly pseudorandom mask? So that the key point is that ct_0 looks as if it's uniformly distributed to protect m, am I right?

BR

ChristianMct commented 2 years ago

> In encryption process, it seems there's no u*p_0 + e_1. Is that typo?

Yes, the correct error term is e_0.

> Should we argue u*p_0 + e_0 constitutes a uniformly pseudorandom mask? So that the keypoint is that ct_0 looks as if it's uniformly distributed to protect m, am I right?

This is correct.
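
The scheme discussed in this thread, as an added toy example (not part of the thread and not lattigo code): it shows that decryption only needs s and the smallness of p_0 + s*p_1, while u*p_0 + e_0 is the mask added to the message in ct_0. The screenshots are not on the page, so the forms p_0 = -s*p_1 + e and ct_1 = u*p_1 + e_1 are assumed from the textbook RLWE public-key scheme; the ring size, modulus, ternary distributions and all function names are constructed for illustration and are far too small to be secure.

```python
import secrets

N, Q = 16, 12289          # toy ring Z_Q[X]/(X^N + 1); far too small to be secure
DELTA = Q // 2            # scaling factor for a binary message polynomial

def mul(a, b):
    """Negacyclic product in Z_Q[X]/(X^N + 1)."""
    out = [0] * N
    for i, ai in enumerate(a):
        for j, bj in enumerate(b):
            k = i + j
            if k < N:
                out[k] = (out[k] + ai * bj) % Q
            else:                               # X^N = -1 wraps with a sign flip
                out[k - N] = (out[k - N] - ai * bj) % Q
    return out

def add(*polys):
    return [sum(c) % Q for c in zip(*polys)]

def small():
    """Coefficients in {-1, 0, 1}: stand-in for the secret/error distributions."""
    return [secrets.randbelow(3) - 1 for _ in range(N)]

def uniform():
    return [secrets.randbelow(Q) for _ in range(N)]

def centered(a):
    return [c - Q if c > Q // 2 else c for c in (x % Q for x in a)]

def keygen():
    s, e, p1 = small(), small(), uniform()
    p0 = add([-c for c in mul(s, p1)], e)      # p0 = -s*p1 + e, so p0 + s*p1 = e ~ 0
    return s, (p0, p1)

def encrypt(pk, m):
    p0, p1 = pk
    u, e0, e1 = small(), small(), small()
    mask = add(mul(u, p0), e0)                 # the u*p0 + e0 term from the thread
    ct0 = add(mask, [DELTA * b for b in m])
    ct1 = add(mul(u, p1), e1)                  # assumed form of the second component
    return ct0, ct1

def phase(s, ct):
    """ct0 + s*ct1 = DELTA*m + (u*e + e0 + s*e1): computing it only needs s."""
    return add(ct[0], mul(s, ct[1]))

def decrypt(s, ct):
    return [1 if abs(c) > Q // 4 else 0 for c in centered(phase(s, ct))]
```

With these toy parameters the residual noise u*e + e0 + s*e1 is at most 2N + 1 = 33 per coefficient, well below Q/4, so decryption is always correct.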