The Influence of LWE/RLWE Parameters on the Stochastic Dependence of Decryption Failures

Information and Communications Security (ICICS 2020)

Part of the book series: Lecture Notes in Computer Science (LNCS, volume 12282)

Abstract

Learning with Errors (LWE) and Ring-LWE (RLWE) problems allow the construction of efficient key exchange and public-key encryption schemes. However, while improving the security through the use of error distributions with large standard deviations, the decryption failure rate increases as well. Currently, the independence of individual coefficient failures is assumed to estimate the overall decryption failure rate of many LWE/RLWE schemes. However, previous work has shown that this assumption is not correct. This assumption leads to wrong estimates of the decryption failure probability and consequently of the security level of the LWE/RLWE cryptosystem. An exploration of the influence of the LWE/RLWE parameters on the stochastic dependence among the coefficients is still missing. In this paper, we propose a method to analyze the stochastic dependence between decryption failures in LWE/RLWE cryptosystems. We present two main contributions. First, we use statistical methods to analyze the influence of fixing the norm of the error distribution on the stochastic dependence among decryption failures. The results have shown that fixing the norm of the error distribution indeed reduces the stochastic dependence of decryption failures. Therefore, the independence assumption gives a very close approximation to the true behavior of the cryptosystem. Second, we analyze and explore the influence of the LWE/RLWE parameters on the stochastic dependence. This exploration gives designers of LWE/RLWE based schemes the opportunity to compare different schemes with respect to the inaccuracy made by using the independence assumption. This work shows that the stochastic dependence depends on three LWE/RLWE parameters in different ways: i) it increases with higher lattice dimensions (n) and higher standard deviations of the error distribution (\(\sqrt{k/2}\)); and ii) it decreases with higher modulus (q).

G. Maringer and T. Fritzmann contributed equally to this work.

G. Maringer’s work was supported by the German Research Foundation (Deutsche Forschungsgemeinschaft, DFG) under Grant No. WA3907/4-1. T. Fritzmann’s work was supported by the German Research Foundation (Deutsche Forschungsgemeinschaft, DFG) under Grant No. SE2989/1-1.

References

  1. Alkim, E., et al.: NewHope: algorithm specifications and supporting documentation (2018). https://newhopecrypto.org/data/NewHope_2018_12_02.pdf

  2. Avanzi, R., et al.: CRYSTALS-Kyber: algorithm specifications and supporting documentation (2019). https://www.pq-crystals.org/kyber/data/kyber-specification-round2.pdf

  3. Commentators-LAC: Official comments LAC (2018). https://csrc.nist.gov/CSRC/media/Projects/Post-Quantum-Cryptography/documents/round-1/official-comments/LAC-official-comment.pdf

  4. D’Anvers, J.P., Vercauteren, F., Verbauwhede, I.: The impact of error dependencies on Ring/Mod-LWE/LWR based schemes. Technical report, Cryptology ePrint Archive, Report 2018/1172 (2018)

  5. Fluhrer, S.R.: Cryptanalysis of ring-lwe based key exchange with key share reuse. IACR Cryptology ePrint Archive 2016, 85 (2016)

  6. Fritzmann, T., Pöppelmann, T., Sepulveda, J.: Analysis of error-correcting codes for lattice-based key exchange. In: Cid, C., Jacobson Jr., M. (eds.) SAC 2018. LNCS, vol. 11349, pp. 369–390. Springer, Cham (2018). https://doi.org/10.1007/978-3-030-10970-7_17

  7. Götze, F., Sambale, H., Sinulis, A.: Higher order concentration for functions of weakly dependent random variables. arXiv:1801.06348 (2018)

  8. Lu, X., Liu, Y., Jia, D., Xue, H., He, J., Zhang, Z.: Supporting documentation: LAC (2017). https://csrc.nist.gov/Projects/Post-Quantum-Cryptography/Round-2-Submissions

  9. Lyubashevsky, V., Peikert, C., Regev, O.: On ideal lattices and learning with errors over rings. In: Gilbert, H. (ed.) EUROCRYPT 2010. LNCS, vol. 6110, pp. 1–23. Springer, Heidelberg (2010). https://doi.org/10.1007/978-3-642-13190-5_1

  10. McEliece, R.: The Theory of Information and Coding. Cambridge University Press, Cambridge (2002)

  11. Oloff, R.: Wahrscheinlichkeitsrechnung und Maßtheorie. Springer, Heidelberg (2017). https://doi.org/10.1007/978-3-662-53024-5

  12. Regev, O.: On lattices, learning with errors, random linear codes, and cryptography. In: Proceedings of the Thirty-seventh Annual ACM Symposium on Theory of Computing, STOC 2005, pp. 84–93. ACM, New York (2005). https://doi.org/10.1145/1060590.1060603. http://doi.acm.org/10.1145/1060590.1060603

  13. Saarinen, M.J.O.: Supporting documentation: HILA5 (2017). https://csrc.nist.gov/Projects/Post-Quantum-Cryptography/Round-1-Submissions

  14. Shannon, C.E.: A mathematical theory of communication. Bell Syst. Tech. J. 27(3), 379–423 (1948)

Corresponding author

Correspondence to Georg Maringer.

Appendices

A Influence of k on the Stochastic Dependence

Fig. 6. Number of failed coefficients for fixed \(n=1024\), \(q=12289\)

As mentioned in Subsect. 6.2, NewHope parameters with an increased variance of the error distribution are used to show the influence of k on the stochastic dependence of decryption failures with finer granularity.

Figure 6 shows the influence of the variance of the error distribution on the probability of the number of decryption failures. The results show that increasing the variance increases the failure rate. It is also shown that the deviation between independence assumption and experimentally determined curves is increased for larger k.

Table 3 shows the Pearson correlation, \(l_1\)-distance, and mutual information for \(k=40\) and \(k=52\). The results show an increase of the stochastic dependence when k is increased.

Table 3. Pearson correlation, \(l_1\)-distance and mutual information for different standard deviations of the error distribution (\(1.8\cdot 10^9\) samples)

B Statistical Estimation Error of \(p_b\)

In order to obtain the results presented in Figs. 1 and 2, it was necessary to estimate the failure probability \(p_b\) of a single coefficient. This was accomplished using a Monte Carlo simulation. We denote the number of samples as n and the number of errors within those samples as \(n_e\). We estimate \(p_b\) with

$$\begin{aligned} p_b' = \frac{n_e}{n}. \end{aligned} \tag{21}$$

In the following we justify why the error inflicted by using the estimation \(p_b'\) of \(p_b\) is negligible.

Therefore, the basic task is to use the knowledge of n and \(n_e\) obtained from the experiment to find an interval in which \(p_b\) lies with high probability. This interval is denoted in the following as the confidence interval \([p_1,p_2]\). The probability for \(p_b\) to be in this interval is denoted as the confidence level \(c_l\). The confidence interval depends on the demanded confidence level \(c_l\), n and \(n_e\).

The following approach is analogous to the description in [11].

We define the variable

$$\begin{aligned} g:=\text {norminv}\left( \frac{1+c_l}{2}\right) \end{aligned}$$

where norminv(.) denotes the inverse of the cumulative distribution function of the standard normal distribution.

Then

$$\begin{aligned} p_{1,2} = \frac{n_e + g^2/2 \mp g \sqrt{n_e (1-n_e/n) + g^2/4}}{n+g^2}. \end{aligned} \tag{22}$$

As in general \(g \ll n\), the confidence interval is approximately centered around \(p_b'\).

Example 2

In this example the algorithm LAC256 with Round 2 sampling is considered. We consider only failures within the first coefficient in the Monte Carlo simulation. Due to symmetry the likelihood of an error is the same within each coefficient.

We fix the demanded confidence level to \(c_l=99\%\). The results of the Monte Carlo simulation show that \(n_e = 560305194\), \(n=10^{11}\). Therefore,

$$\begin{aligned} \frac{n_e}{n} = 0.0056031, \quad p_1 = 0.0056024, \quad p_2 = 0.0056037 \end{aligned} \tag{23}$$

The results show that the length of the interval relative to \(p_b'\) is \(0.0217\%\) for a confidence level of \(99\%\). Therefore it is possible to approximate the actual \(p_b\) with \(p_b'\) obtained using a Monte Carlo simulation.
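The interval of Eq. (22) can be evaluated directly from the Monte Carlo counts. The following Python sketch is an added example, not code from the paper; the function names `wilson_interval` and `relative_width` are chosen here for illustration. It reproduces the values of Example 2 and also covers the case \(n_e = 0\), where the estimate \(p_b'\) is zero but Eq. (22) still yields a non-trivial upper bound \(p_2\).

```python
from math import sqrt
from statistics import NormalDist


def wilson_interval(n_e, n, c_l):
    """Return (p1, p2) of Eq. (22) for n_e failures observed in n samples."""
    if n <= 0 or not 0 <= n_e <= n:
        raise ValueError("need n > 0 and 0 <= n_e <= n")
    if not 0.0 < c_l < 1.0:
        raise ValueError("confidence level c_l must lie in (0, 1)")
    # g := norminv((1 + c_l) / 2), the standard normal quantile
    g = NormalDist().inv_cdf((1.0 + c_l) / 2.0)
    centre = n_e + g * g / 2.0
    half = g * sqrt(n_e * (1.0 - n_e / n) + g * g / 4.0)
    denom = n + g * g
    # Clamp to [0, 1] to absorb floating-point rounding at the boundaries.
    p1 = max(0.0, (centre - half) / denom)
    p2 = min(1.0, (centre + half) / denom)
    return p1, p2


def relative_width(n_e, n, c_l):
    """Length of [p1, p2] relative to the point estimate p_b' = n_e / n."""
    if n_e == 0:
        raise ValueError("relative width is undefined for n_e = 0")
    p1, p2 = wilson_interval(n_e, n, c_l)
    return (p2 - p1) / (n_e / n)


if __name__ == "__main__":
    # Counts taken from Example 2 (LAC256, Round 2 sampling).
    n_e, n, c_l = 560305194, 10**11, 0.99
    p1, p2 = wilson_interval(n_e, n, c_l)
    print(f"p_b' = {n_e / n:.7f}, p1 = {p1:.7f}, p2 = {p2:.7f}")
    print(f"relative width = {100 * relative_width(n_e, n, c_l):.4f} %")

    # Constructed case: no failure observed in 10^9 samples.
    # p_b' is 0, yet p2 remains a usable upper bound on p_b.
    print("n_e = 0:", wilson_interval(0, 10**9, c_l))
```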

Copyright information

© 2020 Springer Nature Switzerland AG

Cite this paper

Maringer, G., Fritzmann, T., Sepúlveda, J. (2020). The Influence of LWE/RLWE Parameters on the Stochastic Dependence of Decryption Failures. In: Meng, W., Gollmann, D., Jensen, C.D., Zhou, J. (eds) Information and Communications Security. ICICS 2020. Lecture Notes in Computer Science, vol 12282. Springer, Cham. https://doi.org/10.1007/978-3-030-61078-4_19

  • DOI: https://doi.org/10.1007/978-3-030-61078-4_19

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-030-61077-7

  • Online ISBN: 978-3-030-61078-4

  • eBook Packages: Computer Science, Computer Science (R0)
