lance
1
As a beginner, I am confused when determin security level \lambda.

Although the manual demonstrates that \lambda is determined by ring dimension N, modulu q, and error, I have no idea how they work.

Is there a function showing how to calculate the security level \lambda by these parameters?

A good source is the homomorphic encryption standard at http://homomorphicencryption.org/wp-content/uploads/2018/11/HomomorphicEncryptionStandardv1.1.pdf In practice, pre-built tables are often used, e.g., OpenFHE uses Table 1. The table there is generated for \sigma=3.19.

If you need custom parameters, i.e., a higher \sigma or a security level different from 128, 192, and 256 bits, then you can use the lattice estimator at GitHub - malb/lattice-estimator: An attempt at a new LWE estimator

There is no simple analytical expression (the only certain fact is that q/\sigma is one parameter), as shown in On the Feasibility and Impact of Standardising Sparse-secret LWE Parameter Sets for Homomorphic Encryption. I also recommend reading the latter paper for more details.

1 Like

lance
3
Thanks a lot!

I roughly comprehend the relationship among parameters.

Thank your for your help!

1 Like