Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

can this estimator evaluate the security of LWR ( learning with rounding ) problem as a variant of LWE problem ? #83

Open
1853582 opened this issue Sep 4, 2023 · 10 comments
Open

can this estimator evaluate the security of LWR ( learning with rounding ) problem as a variant of LWE problem ? #83

1853582 opened this issue Sep 4, 2023 · 10 comments

Comments

@1853582
Copy link

1853582 commented Sep 4, 2023

Hello,
can this estimator evaluate the security of LWR ( learning with rounding ) problem as a variant of LWE problem ? Since some cryptographic schemes are constructed based on the LWR problem, I want to make a security evaluation of such schemes.

Banerjee A, Peikert C, Rosen A. Pseudorandom functions and lattices[C]//Annual International Conference on the Theory and Applications of Cryptographic Techniques. Berlin, Heidelberg: Springer Berlin Heidelberg, 2012: 719-737.
@1853582
Copy link
Author

1853582 commented Sep 4, 2023

The LWR problem is a variant of LWE. The difference is that the Gaussian noise is replaced by rounding computation.
`H5J9ALW3SQCZD{C2BR%FS4

@bencrts
Copy link
Collaborator

bencrts commented Sep 4, 2023

Hi @1853582!

One way to do this is to model the LWR instance as an LWE instance with uniform errors in {-q/2p + 1, ..., q/2p}. See ND.Uniform() located here. So, in your parameter set you would use Xe = ND.Uniform(-q/2p + 1, q/2p).

@1853582
Copy link
Author

1853582 commented Sep 5, 2023

Thank you for your answer.
Could you be more specific ? For example, I want to test the security of the following scheme, for here ( m, n, p, q ), to measure the security of the LWR problem.
UV@6RP40EL5V(AZKTUBL~4E

@1853582
Copy link
Author

1853582 commented Sep 5, 2023

But I seem to be wrong here ?

L1X@0 TR{PNN7)H02AQ6LBH

@1853582
Copy link
Author

1853582 commented Sep 6, 2023

May I ask how to evaluate the security of this, please.

@bencrts
Copy link
Collaborator

bencrts commented Sep 6, 2023

In Sage, you need to use 2*p, instead of 2p. So, in your code you would need to change -q/2p to -q/(2*p) (and similarly for the positive one).

@1853582
Copy link
Author

1853582 commented Sep 7, 2023

Thank you again for your answer. I have modified the code for testing and found that there is a problem with data overflow:
@9}T_9 4E(3FG810@6T63 3
V%4UQ1R935J4 `NFITM9R

When I modify smaller p and q, the code cannot output results
QR9 5PH@)6SH XR N9VFR G
How should this be resolved? Thank you for answering my question in your busy schedule.

@1853582
Copy link
Author

1853582 commented Sep 7, 2023
edited
Loading

In fact, this does not match the estimate results mentioned in the paper I saw. The paper also claims to use LWE estimator, but the results are different. It seems that he used a different estimation method?
9FPUOR W}$}M6 5IVO$Y4JQ

Ernst J, Koch A. Private Stream Aggregation with Labels in the Standard Model[J]. Proc. Priv. Enhancing Technol., 2021, 2021(4): 117-138.

@1853582
Copy link
Author

1853582 commented Sep 9, 2023

May I ask how to evaluate this? Thank you for taking the time to answer my question.

@1853582
Copy link
Author

1853582 commented Sep 12, 2023

In Sage, you need to use 2*p, instead of 2p. So, in your code you would need to change -q/2p to -q/(2*p) (and similarly for the positive one).

Can you give an example of a code running? I‘m sorry to bother you, I need a security analysis of this part at present.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@bencrts @1853582