Score:3

The decryption correctness of RLWE based Encryption

br flag
zbo

I get stuck in the proof of decryption correctness in RLWE based Cryptosystem. To state where I am , let me show the full scheme first. The image is from chapter 3.2 of this paper. enter image description here

And the decryption correctness proof of the scheme follows enter image description here

In this proof , I can get the second last equation in decryption procedure , i.e. $$\mathbf{m} + (t/q)(\mathbf{v}-\epsilon \cdot \mathbf{m}) + t\cdot \mathbf{r} $$

But for the last equation I don't know why. $$(t/q)||\mathbf{v}-\epsilon \cdot \mathbf{m}|| \lt 1/2 $$

I hava some clues. We already have $||\mathbf{v}|| \le 2\cdot \delta_R \cdot B^2 + B$, then for $2\cdot \delta_R \cdot B^2 + B \lt \Delta / 2$, we have $||\mathbf{v}|| \lt \frac{q}{2t}$ since $\Delta = \lfloor q/t \rfloor \le q/t$. Hence $(t/q)||\mathbf{v}|| \lt \frac{1}{2}$. This is very similar to what we want ,i.e. $(t/q)||\mathbf{v}-\epsilon \cdot \mathbf{m}|| \lt 1/2 $.
I guess there is a relation between $||\mathbf{v}||$ and $||\mathbf{v}-\epsilon \cdot \mathbf{m}||$ , but I don't know how to build the relation between them. The proof in the paper have a short explanation "Since $\mathbf{m} \in R_t$" , but I can not understand. Anyone gives some hint would be helpful.

Plus, the norm in this paper in infinity norm.

Edit20220601:
Add some explanation above.

  1. $\delta_R $ is called the expansion factor of a ring $R$. And $\delta_R = \max{\frac{||a\cdot b||}{||a||\cdot ||b||}},a\in R, b\in R$.
  2. In the above, we have $\mathbf{v} = \mathbf{e}\cdot \mathbf{u}+ \mathbf{e}_1 +\mathbf{e}_2\cdot \mathbf{s}$, since $\mathbf{e},\mathbf{u},\mathbf{e}_2,\mathbf{s} \in \chi$,so their infinity norm all have bound $B$, then $||\mathbf{e}\cdot \mathbf{u}||= \frac{||\mathbf{e}\cdot \mathbf{u}||}{||\mathbf{e}||\cdot ||\mathbf{u}||}\cdot ||\mathbf{e}||\cdot ||\mathbf{u}|| \le \delta_R \cdot B^2$,similarly, $||\mathbf{e}_2 \cdot \mathbf{s}|| \le \delta_R \cdot B^2$, so we have $||\mathbf{v}|| \le 2\cdot \delta_R \cdot B^2 + B$
kelalaka avatar
in flag
[Cross-posting is not a good ethic in SO](https://meta.stackexchange.com/questions/64068/is-cross-posting-a-question-on-multiple-stack-exchange-sites-permitted-if-the-qu). Could you delete the math copy?
zbo avatar
br flag
zbo
@kelalaka Sorry, didn't realize that. Will delete it right now.
Mark avatar
ng flag
Is there any assumed relationship between $t$ and $q$? It is straightforward to get the bound $(t/q)\lVert \epsilon\vec m\rVert_\infty \leq t^2/2q$. With a strong enough assumption on $t, q$, this suffices to nearly get your bound (you will lose some constant factor which should be able to be ignored in this setting).
zbo avatar
br flag
zbo
There is no talk about the relationship betwenn $t$ and $q$ in the preliminary of the paper . But in a homomorphic library like SEAL, tipically we have parameters like $t$ is $4096$ and $q$ is a number of size $109$ bits. $(t/q)||\mathbf{v} -\epsilon \cdot \mathbf{m}|| \le (t/q)(||\mathbf{v}||+\epsilon||\mathbf{m}|| ) \le (t/q)(\Delta/2)+ (t/q)(\epsilon \cdot (t/2)) \le (t/q)\cdot (q/2t)+(t/q)(\epsilon \cdot (t/2) ) = 1/2 + \frac{\epsilon \cdot t^2}{2q}$
zbo avatar
br flag
zbo
@Mark In the parameter setting , $\frac{\epsilon \cdot t^2}{2q}$ is small , maybe negligible, but still I can't make it strictly less than $\frac{1}{2}$
Mark avatar
ng flag
I don't have time to look through the paper now, but it is perhaps worth mentioning that if $t\mid q$, it is straightforward to show that $\epsilon =0$, and this whole problem goes away. This is the most common setting (both practically and theoretically), although it does not resolve your question fully.
zbo avatar
br flag
zbo
@Mark Thanks, I got stuck in this proof and didn't continue read the following paper, it seems the parameters make things different so much.
mangohost

Post an answer

Most people don’t grasp that asking a lot of questions unlocks learning and improves interpersonal bonding. In Alison’s studies, for example, though people could accurately recall how many questions had been asked in their conversations, they didn’t intuit the link between questions and liking. Across four studies, in which participants were engaged in conversations themselves or read transcripts of others’ conversations, people tended not to realize that question asking would influence—or had influenced—the level of amity between the conversationalists.