Join Log in
Score:3
xade93 avatar Crypto

Hardness of LWE

gf flag
xade93

I was reading "TFHE Deep Dive" from Ilaria Chillotti, and I am a bit confused over the sample given in 31:08 enter image description here In the above toy sample, isn't it possible to directly eliminate noise by shifting ciphertext by $\Delta$, then by Gaussian Elimination yielding plaintext?

In general, while intuitively original LWE hardness make sense (errors taken from $D_{L,r}$ with $r\geq \eta_\epsilon(L)$, so support of error cover then whole modulus), I don't really understand how are schemes keeping noise completely separate from plaintext (like above) secure, can't I just discard the noisy bits and do regular gaussian elimination ...?

This is probably a dumb question. Thanks for the reply :)

171
1 + 2
lwe
Hilder Vitor Lima Pereira avatar
us flag
Hilder Vitor Lima Pereira
Try to think better about what you mean by "discard the noisy bits"...
0
Reply
JeremyKun avatar
us flag
JeremyKun
The noise can also be negative, no? The top part of the message would then be altered and truncating the bits would give the wrong data.
1
Reply
Score:4
Hilder Vitor Lima Pereira avatar Crypto
us flag
Hilder Vitor Lima Pereira

Discarding the noisy bits just means that you are "overwriting" that noise with new noise, essentially.

If $b = as + e$ and the norm of $e$ is bounded by $2^k$, then zeroing the noisy bits means that you are computing $u = b \bmod 2^k$ and $b' = b - u$. Notice that the $k$ lowest bits of $b'$ are zero. But what you obtained is just $b' = as + e - u$. Also notice that since $b$ is random, $u$ is also so (although it is known).

Therefore the noise is always there anyway.

+ 4
xade93 avatar
gf flag
xade93
What I mean is to perform rescale over the entire ciphertext $(a,b)$, rather than the $b$ term only. A rescale homomorphically performs division and round to nearest element, hence removing the lower bits containing noise, leaving a valid encryption of zero with no noise. Having said that though, I am not really sure how to *homomorphically* perform division, aside from knowing CKKS being able to achieve it.
0
Reply
Hilder Vitor Lima Pereira avatar
us flag
Hilder Vitor Lima Pereira
Zeroing the lowest bits takes values from $\mathbb{Z}_q$ and outputs values of $\mathbb{Z}_q$ again. Rescaling is different because it also reduces the modulus. That is, if you divide a ciphertext whose noise is $e$ by some $D$ that divides $q$, then you output a ciphertext with noise close to $e/D$ but modulus $q/D$. So the relative noise is essentially the same, i.e., $(e/D) / (q/D) = e / q$, thus the "security of both ciphertexts" is basically the same (remember that the hardness of LWE depends on the ration "norm of noise" over "ciphertext modulus").
0
Reply
xade93 avatar
gf flag
xade93
But if $|e|<\frac{D}{2}$, does that mean rescale lead to valid encryption with zero noise? since $(e/D)=0$
0
Reply
Hilder Vitor Lima Pereira avatar
us flag
Hilder Vitor Lima Pereira
e/D is not zero. Round(e/D) would be zero in this case, but you don't round the error when you round the ciphertext. Moreover, there are actually other noise terms included by the rounding. I suggest that you check my answer [here](https://crypto.stackexchange.com/questions/66186) to see the exact equations.
0
Reply
ธงชาติไทย
Elon Musk
I sit in a Tesla and translated this thread with Ai:

mangohost

Post an answer

Most people don’t grasp that asking a lot of questions unlocks learning and improves interpersonal bonding. In Alison’s studies, for example, though people could accurately recall how many questions had been asked in their conversations, they didn’t intuit the link between questions and liking. Across four studies, in which participants were engaged in conversations themselves or read transcripts of others’ conversations, people tended not to realize that question asking would influence—or had influenced—the level of amity between the conversationalists.