search

malb / lattice-estimator

An attempt at a new LWE estimator
215 stars 49 forks source link

can this estimator evaluate the security of LWR ( learning with rounding ) problem as a variant of LWE problem ? #83

Open 1853582 opened 1 year ago

1853582 commented 1 year ago

Hello, can this estimator evaluate the security of LWR ( learning with rounding ) problem as a variant of LWE problem ? Since some cryptographic schemes are constructed based on the LWR problem, I want to make a security evaluation of such schemes.

Banerjee A, Peikert C, Rosen A. Pseudorandom functions and lattices[C]//Annual International Conference on the Theory and Applications of Cryptographic Techniques. Berlin, Heidelberg: Springer Berlin Heidelberg, 2012: 719-737.

1853582 commented 1 year ago

The LWR problem is a variant of LWE. The difference is that the Gaussian noise is replaced by rounding computation. `H5J9ALW3SQCZD{C2BR%FS4

bencrts commented 1 year ago

Hi @1853582!

One way to do this is to model the LWR instance as an LWE instance with uniform errors in {-q/2p + 1, ..., q/2p}. See ND.Uniform() located here. So, in your parameter set you would use Xe = ND.Uniform(-q/2p + 1, q/2p).

1853582 commented 1 year ago

Thank you for your answer. Could you be more specific ? For example, I want to test the security of the following scheme, for here ( m, n, p, q ), to measure the security of the LWR problem. UV@6RP40EL5V(AZKTUBL~4E

1853582 commented 1 year ago

But I seem to be wrong here ?

L1X@0 TR{PNN7)H02AQ6LBH

1853582 commented 1 year ago

May I ask how to evaluate the security of this, please.

bencrts commented 1 year ago

In Sage, you need to use 2*p, instead of 2p. So, in your code you would need to change -q/2p to -q/(2*p) (and similarly for the positive one).

1853582 commented 1 year ago

Thank you again for your answer. I have modified the code for testing and found that there is a problem with data overflow: @9}T_9 4E(3FG810@6T63 3 V%~4UQ1R9~35J4 `NFITM9R

When I modify smaller p and q, the code cannot output results QR9 5PH@)6SH XR N9VFR G How should this be resolved? Thank you for answering my question in your busy schedule.

1853582 commented 1 year ago

In fact, this does not match the estimate results mentioned in the paper I saw. The paper also claims to use LWE estimator, but the results are different. It seems that he used a different estimation method? 9FPUOR W}$}M6 5IVO$Y4JQ

Ernst J, Koch A. Private Stream Aggregation with Labels in the Standard Model[J]. Proc. Priv. Enhancing Technol., 2021, 2021(4): 117-138.

1853582 commented 1 year ago

May I ask how to evaluate this? Thank you for taking the time to answer my question.

1853582 commented 1 year ago

In Sage, you need to use 2*p, instead of 2p. So, in your code you would need to change -q/2p to -q/(2*p) (and similarly for the positive one).

Can you give an example of a code running? I‘m sorry to bother you, I need a security analysis of this part at present.