
Since LBC uses the ring $\displaystyle{R_q \simeq \frac{\mathbb{Z}_q[X]}{\langle X^n+1\rangle}}$, all the multiplications are of the form $$ c(X) = a(X) b(X) \mod(X^n+1,q) $$ which can also be interpreted as: $$c(q) = a(q) b(q) + \epsilon(q)\mod( q^n+1)$$

my questions are:

  • what is the upper bound of $\epsilon(q)$ after writing $c'(q) = a(q) b(q)$ in base $q$?
  • the following code shows that the two multiplications are different, but if one of $a$ or $b$ is small then the difference is also somewhat small:
K.<z> = NumberField(x^128 + 1)  # K = Q(zeta_256), the power-of-two cyclotomic field of degree n = 128
OK = K.ring_of_integers()       # OK = Z[z]; coefficient vectors are coordinates in the power basis
q = 3329
bound = 1
Rq = OK.quotient(q*OK, 't')     # R_q = OK / q OK = Z_q[X]/(X^128 + 1)
a = OK.random_element(-q//2, q//2)    # coefficients in [-q/2, q/2]
b = OK.random_element(-bound, bound)  # "small" multiplier, coefficients in [-bound, bound]
n = K.degree()
# Kronecker substitution X -> q: multiply the integers a(q) and b(q) modulo q^n + 1
c = (a.polynomial()(x=q) * b.polynomial()(x=q)) % (q^n + 1)
# base-q digits of c (padded to n digits, since digits() drops leading zeros)
# minus the coefficients of the ring product a*b in R_q, reduced to (-q/2, q/2]
(vector(c.digits(q, padto=n)) - vector(Rq(a*b).lift())).change_ring(Zmod(q)).lift_centered()

This multiplication implies that we gain an error part for free, if I am not mistaken, but how it is distributed depends on $a$ and $b$ (we can generalize to module lattices also). Another question arises: given $a$ and $c(q)$, could we retrieve $b$ or $\epsilon$?

Don Freecs
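The experiment above redone in plain Python, as an added example that is not part of the original post: it computes the ring product $a(X)b(X) \bmod (X^n+1, q)$ directly, computes the integer product $a(q)b(q) \bmod (q^n+1)$ by Kronecker substitution, writes the latter in base $q$, and reports $\epsilon$ as the centered digit-by-digit difference. The parameters ($n = 128$, $q = 3329$, `bound = 1`) and the seeded random inputs are constructed to mirror the Sage snippet. The function `carry_bound` encodes a simple carry argument that is an assumption added here, not something from the question: every coefficient of the negacyclic product over $\mathbb{Z}$ is at most $M = n\,\|a\|_\infty\|b\|_\infty$ in absolute value, so both the multiple of $q^n+1$ absorbed by the reduction (which lands in $\epsilon_0$) and each base-$q$ carry (which lands in $\epsilon_i$, $i \ge 1$) are bounded by $\lfloor M/(q-1)\rfloor + 2$.

```python
import random


def negacyclic_mul(a, b, n):
    """Product of integer coefficient lists a, b in Z[X]/(X^n + 1), without reduction mod q."""
    c = [0] * n
    for i, ai in enumerate(a):
        for j, bj in enumerate(b):
            if i + j < n:
                c[i + j] += ai * bj
            else:
                c[i + j - n] -= ai * bj  # X^n = -1 in this ring
    return c


def evaluate(a, q):
    """Kronecker substitution X -> q: the polynomial a(X) becomes the integer a(q)."""
    return sum(ai * q ** i for i, ai in enumerate(a))


def centered(x, q):
    """Representative of x mod q in (-q/2, q/2]."""
    x %= q
    return x - q if x > q // 2 else x


def base_q_digits(r, n, q):
    """Little-endian base-q digits of r reduced modulo q^n + 1.

    Every residue except q^n itself has an n-digit expansion with digits in [0, q);
    for that one corner case (q^n = -1 mod q^n + 1) the leftover is folded into digit 0.
    """
    r %= q ** n + 1
    digits = []
    for _ in range(n):
        digits.append(r % q)
        r //= q
    digits[0] -= r  # r is 0 except when the residue is exactly q^n, where it is 1
    return digits


def compare_products(a, b, n, q):
    """Return (ring product mod q, base-q digits of a(q)b(q) mod q^n+1, epsilon, max|epsilon_i|)."""
    c_int = negacyclic_mul(a, b, n)
    poly = [ci % q for ci in c_int]                                  # c(X) = a(X)b(X) mod (X^n+1, q)
    digits = base_q_digits(evaluate(a, q) * evaluate(b, q), n, q)    # c'(q) = a(q)b(q) written in base q
    eps = [centered(d - p, q) for d, p in zip(digits, poly)]         # epsilon_i, centered
    return poly, digits, eps, max(abs(e) for e in eps)


def kronecker_identity_holds(a, b, n, q):
    """Exact identity behind the question: a(q)*b(q) == c_Z(q) (mod q^n+1), where c_Z is the
    negacyclic product over Z, because q^n = -1 mod (q^n+1) plays the role of X^n = -1."""
    m = q ** n + 1
    return (evaluate(a, q) * evaluate(b, q)) % m == evaluate(negacyclic_mul(a, b, n), q) % m


def carry_bound(n, amax, bmax, q):
    """Assumed bound on |epsilon_i|: coefficients of the product over Z are at most
    M = n*amax*bmax, and the resulting reduction multiple and base-q carries are at most
    floor(M/(q-1)) + 2 in absolute value."""
    M = n * amax * bmax
    return M // (q - 1) + 2


def sample_inputs(n, q, bound, seed=1):
    """Constructed sample inputs mirroring the Sage snippet: a with coefficients in
    [-q/2, q/2], b "small" with coefficients in [-bound, bound]."""
    rng = random.Random(seed)
    a = [rng.randint(-(q // 2), q // 2) for _ in range(n)]
    b = [rng.randint(-bound, bound) for _ in range(n)]
    return a, b


if __name__ == "__main__":
    n, q, bound = 128, 3329, 1
    a, b = sample_inputs(n, q, bound)
    poly, digits, eps, emax = compare_products(a, b, n, q)
    print("Kronecker identity holds:", kronecker_identity_holds(a, b, n, q))
    print("epsilon (first 8 coefficients):", eps[:8])
    print("max |epsilon_i| =", emax, "<= assumed bound", carry_bound(n, q // 2, bound, q))
```

With `bound = 1` the assumed bound evaluates to 66 for these parameters, which is why the difference looks "somewhat small" relative to $q = 3329$; raising `bound` scales $M$, and hence the carries, linearly.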

1 Answer


It's not clear to me what you're trying to do. I would point out

  1. A Framework for Cryptographic Problems from Linear Algebra, and
  2. the Mersenne Number Cryptosystem, and other related ones.

as things that are semi-related.

That being said, I'd suggest you take a higher-level perspective, and try to create some clearly-stated design goals for what you are doing first. As an example, it seems likely that traditional LBC (leveraging the NTT) would have much faster multiplications than your proposed change. Before working out all of the details of your proposed change, it might make sense to try to concretely state what the proposed benefits are. If there are none, it is possible you will lead yourself in the wrong direction.

Mark Schultz-Wu