Minimum distance between polynomials in ring-LWE
Let $R_q=\mathbb{Z}_q[x]/\langle f(x)\rangle$ where $f(x)=x^n+1$, as in the ring-LWE problem.
Let $a(x)$ be chosen uniformly at random from $R_q$.
Question: Is there any theorem that lower bounds the distance between any two polynomials of the form $a(x)s_1(x)$ and $a(x)s_2(x)$?
In other words, what is the value of $d$ such that $$||a(x)s_1(x)-a(x)s_2(x)||\geq d$$ except with negligible probability, for any two polynomials $s_1(x),s_2(x)\in R_q$ and where $||\cdot||$ is the usual $L_2$ norm?
lattice-crypto lwe ring-lwe
asked Nov 24 '18 at 16:33
P.B.

Hello. It is a good question, but the $L_2$ norm is defined over vectors and it is not clear how you are embedding the polynomials in a vector space. Are you just representing the polynomials as vectors with their coefficients? (So, for instance, $2x^3 -1$ becomes the vector $(2, 0, 0, -1)$).
– Hilder Vítor Lima Pereira Nov 24 '18 at 17:19

Yes, I am thinking of the canonical embedding
– P.B. Nov 24 '18 at 17:26

Well, the canonical embedding is the one that uses isomorphisms to embed the polynomials. The one I've described is the coefficient embedding...
– Hilder Vítor Lima Pereira Nov 24 '18 at 17:31

Sorry. I mean the coefficient embedding then
– P.B. Nov 24 '18 at 17:46

How do you define "negligible probability" in this case?
– kodlu Nov 24 '18 at 21:19

1 Answer
I'm assuming $n$ is a power of $2$ and that $q$ is an odd prime larger than $n$. I'm discarding the trivial case $s_1 = s_2$.
If you consider everything $\bmod q$, then it is most likely over the choice of $a$ that there exists $s_1 \neq s_2$ such that $\|a s_1 - a s_2\| = \sqrt{n}$. Indeed, $a$ is invertible in $R_q$ with probability about $1 - n/q$. Take $s_2 = s_1 - a^{-1}$, then you have $a s_1 - a s_2 = 1 \bmod q$ and the embedding norm of $1$ is $\sqrt{n}$.
If you do not consider this $\bmod q$, i.e. you work in $R=\mathbb Z[x]/\langle f(x)\rangle$, then you are precisely asking for the minimal distance $\lambda_1(\mathfrak I)$ of the ideal lattice $\mathfrak I$ generated by $a$. For such an ideal lattice, we can estimate rather precisely this minimal distance. A simple lower bound is
$\lambda_1(\mathfrak I) \geq \Delta_K^{1/2n} \cdot N(a)^{1/n}$, where $N$ denotes the algebraic norm of $a$ (that is, the product of all its embeddings), and $\Delta_K$ is the discriminant of field $K = \mathbb Q(x)/(x^n+1)$. The reason is that the minimal vector $x$ must generate a subideal of $\mathfrak I$, so $N(x) \geq N(a)$, and $\|x\|^n \geq \Delta_K^{1/2} N(x)$. An upper bound is also given by Minkowski's theorem.
edited Nov 24 '18 at 22:21 Ella Rose♦
answered Nov 24 '18 at 21:30 LeoDucas

Shouldn't the embedding norm of 1 be 1?
– P.B. Nov 25 '18 at 0:26

Well, each embedding of 1 is one, so we are looking at the norm of (1, 1, ... 1), right?
– LeoDucas Nov 25 '18 at 7:54

So this is the canonical embedding we are talking about right? In this case, we have that $||as_1-as_2||\geq \sqrt{n}$? Or are you just saying that there are $s_1,s_2$ such that $||as_1-as_2||= \sqrt{n}$ but there could be others $r_1,r_2$ for which the difference between $ar_1$ and $ar_2$ is even lower?
– P.B. Nov 25 '18 at 13:36

There could be $0$ as well ;). But nothing in between indeed, at least for that particular ring.
– LeoDucas Nov 25 '18 at 16:26

Thank you for your help! Can you provide me some references about these facts? It would be very useful.
– P.B. Nov 25 '18 at 16:52
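
The mod-$q$ construction from the answer, as an added example that is not part of the original thread or any participant's code: for a random unit $a$ it builds $s_2 = s_1 - a^{-1}$, checks that $a s_1 - a s_2 = 1$, and returns both norms discussed in the comments (coefficient embedding: $1$, canonical embedding: $\sqrt{n}$). It also counts units exhaustively for a tiny ring to compare with $1 - n/q$. All function names and the small parameters are assumptions chosen for illustration, with $q \equiv 1 \bmod 2n$ so that $x^n+1$ splits completely mod $q$.

```python
import cmath
import itertools
import math
import random

def ring_mul(a, b, q):
    """Product in Z_q[x]/(x^n + 1); coefficient lists, lowest degree first."""
    n = len(a)
    out = [0] * n
    for i, ai in enumerate(a):
        for j, bj in enumerate(b):
            k, sign = (i + j) % n, (1 if i + j < n else -1)  # x^n = -1
            out[k] = (out[k] + sign * ai * bj) % q
    return out

def ring_inverse(a, q):
    """a^{-1} in R_q, or None if a is not a unit (Gauss-Jordan on a*u = 1)."""
    n = len(a)
    # Row i, column j: x^i coefficient of a * x^j. Last column: the target 1.
    m = [[(a[i - j] if i >= j else -a[n + i - j]) % q for j in range(n)]
         + [1 if i == 0 else 0] for i in range(n)]
    for col in range(n):
        piv = next((r for r in range(col, n) if m[r][col]), None)
        if piv is None:
            return None                      # singular matrix: a is a zero divisor
        m[col], m[piv] = m[piv], m[col]
        inv = pow(m[col][col], -1, q)        # q prime, so nonzero pivots invert
        m[col] = [v * inv % q for v in m[col]]
        for r in range(n):
            if r != col and m[r][col]:
                f = m[r][col]
                m[r] = [(v - f * w) % q for v, w in zip(m[r], m[col])]
    return [row[n] for row in m]

def centered(c, q):
    """Lift coefficients from [0, q) to the centred range (-q/2, q/2]."""
    return [v - q if v > q // 2 else v for v in c]

def coefficient_norm(c):
    return math.sqrt(sum(v * v for v in c))

def canonical_norm(c):
    """L2 norm of (c(w_0), ..., c(w_{n-1})) over the complex roots of x^n + 1."""
    n = len(c)
    roots = [cmath.exp(1j * math.pi * (2 * k + 1) / n) for k in range(n)]
    return math.sqrt(sum(abs(sum(v * w ** i for i, v in enumerate(c))) ** 2
                         for w in roots))

def closest_pair(n, q, seed=0):
    """Pick a random unit a and s1, set s2 = s1 - a^{-1}, return a*s1 - a*s2."""
    rng = random.Random(seed)                # constructed sample input
    a_inv = None
    while a_inv is None:                     # resample until a is invertible
        a = [rng.randrange(q) for _ in range(n)]
        a_inv = ring_inverse(a, q)
    s1 = [rng.randrange(q) for _ in range(n)]
    s2 = [(x - y) % q for x, y in zip(s1, a_inv)]
    diff = centered([(x - y) % q for x, y in
                     zip(ring_mul(a, s1, q), ring_mul(a, s2, q))], q)
    return diff, coefficient_norm(diff), canonical_norm(diff)

def unit_fraction(n, q):
    """Exact fraction of units in R_q by exhaustive search (tiny n, q only)."""
    units = sum(ring_inverse(list(a), q) is not None
                for a in itertools.product(range(q), repeat=n))
    return units / q ** n

if __name__ == "__main__":
    diff, coeff, canon = closest_pair(n=8, q=17)
    print("a*s1 - a*s2 =", diff)
    print("coefficient norm:", coeff, " canonical norm:", canon)
    print("unit fraction n=2, q=13:", unit_fraction(2, 13), " 1 - n/q:", 1 - 2 / 13)
```

For power-of-two $n$ the canonical norm is always $\sqrt{n}$ times the coefficient norm, which is why the two values in the comments differ by exactly that factor.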