Example

[prev][parent][next]

C-4.2 Example

Suppose we have the following LWE setup:

$t = 4$

$q = 64$

$n = 4$

$Δ = \frac{q}{t} = 16$

$m = 1 \in ℤ_{t}$

$S = (s_{0}, s_{1}, s_{2}, s_{3}) = (0, 1, 1, 0) \in {- 1, 0, 1}^{4}$

$A = (a_{0}, a_{1}, a_{2}, a_{3}) = (- 25, 12, - 3, 7) \in ℤ_{q}^{4}$

$e = 1 \in ℤ_{q}$

$b = a_{0} s_{0} + a_{1} s_{1} + a_{2} s_{2} + a_{3} s_{3} + Δ m + e = 26 \in ℤ_{q}$

${𝖫𝖶𝖤}_{S, σ} (Δ m + e) = 𝖼𝗍 = (a_{0}, a_{1}, a_{2}, a_{3}, b) = (- 25, 12, - 3, 7, 26) \in ℤ_{q}^{n + 1}$

Now, suppose we want modulus switching from $q = 64$ to $\hat{q} = 32$ , which gives:

$\hat{Δ} = Δ \cdot \frac{32}{64} = 8$

$\hat{e} = ⌈ 1 \cdot \frac{32}{64} ⌋ = 1$

${𝖫𝖶𝖤}_{S, σ} (\hat{Δ} m + \hat{e} + 𝜖_{𝑎𝑙𝑙}) = \hat{𝖼𝗍} = (\hat{a_{0}}, \hat{a_{1}}, \hat{a_{2}}, \hat{a_{3}}, \hat{b})$

$= (⌈ - 25 \cdot \frac{32}{64} ⌋, ⌈ 12 \cdot \frac{32}{64} ⌋, ⌈ - 3 \cdot \frac{32}{64} ⌋, ⌈ 7 \cdot \frac{32}{64} ⌋, ⌈ 26 \cdot \frac{32}{64} ⌋)$

$= (- 12, 6, - 1, 4, 13) \in ℤ_{\hat{q}}^{n + 1}$

Now, verify if the following LWE constraint holds:

$\hat{b} = {\hat{a}}_{0} s_{0} + {\hat{a}}_{1} s_{1} + {\hat{a}}_{2} s_{2} + {\hat{a}}_{3} s_{3} + \hat{Δ} m + \hat{e} \in ℤ_{32}$

$13 = 0 + 6 - 1 + 0 + 8 \cdot 1 + 1 \in ℤ_{32}$

$13 \approx 14 \in ℤ_{32}$

We got this small difference of 1 due to the rounding drift error of:

$\hat{a_{0}} = ⌈ - 12.5 ⌋ = - 12$ , $\hat{a_{2}} = ⌈ - 1.5 ⌋ = - 1$ , $\hat{a_{3}} = ⌈ 3.5 ⌋ = 4$ , and $\hat{e} = ⌈ 0.5 ⌋ = 1$

If we solve the LWE decryption formula:

$\hat{b} - ({\hat{a}}_{0} s_{0} + {\hat{a}}_{1} s_{1} + {\hat{a}}_{2} s_{2} + {\hat{a}}_{3} s_{3}) = 0 (- 12) + 1 (6) + 1 (- 1) + 0 (4) = 6 - 1 = 5 = \hat{m} + \hat{e} \in ℤ_{32}$

$m = ⌈ \frac{9}{\hat{Δ}} ⌋ = ⌈ \frac{9}{8} ⌋ = 1$ , which is correct.

[prev][parent][next]