Why in the Palisade CP-ABE library the 192 bit security level uses a base of 128 while the others use a base of 2?

Question

I am performing some tests using the Palisade CP-ABE library, that is based on RLWE. The theoretical details are presented here. The library offers predefined security levels for the encryption, that correspond to a <ring size, base> pair. In particular they are <1024, 2> for 128 bit security, <2048, 128> for 192 bit security and <2048, 2> for 256 bit security. I don't understand why is it possible to use a higher base only in the 192 bit case. Using a higher base leads to faster encryption and decryption times and allows also to have smaller sizes of the keys. What could be the motivation behind this choice?

Answer 1

The short answer is that a larger base reduces the security of the scheme against certain attacks. The exact details are... complex, but sections III and IV give some sense of what is going on.

The scheme uses a trapdoor within the lattice defined by the matrix $A$ to produce small-ish vectors $y$ such that $A\mathbf y=\beta$ for any syndrome (identity/set of attributes) $\beta$. Using the trapdoor naively (per the bottom of page 6) produces $\mathbf y$ vectors whose distribution is not those of random small-ish vectors and which could leak information about the trapdoor. To prevent this a noisier method of finding $\mathbf y$ is used (algorithm 2) and this in turn produces $\mathbf y$ vectors that are less short-ish. We still need $\mathbf y$ to be sufficiently short that adversaries could not forge their own solutions and so the amount of noise that is added can't be too big.

To prevent trapdoor leakage, we choose the noise parameter $\sigma_s$ to satisfy the bound in equation 1. Conversely to make forgery hard, we must make $v$ the overall size of $\mathbf y$ small. The constraint can be expressed as in equation 2 where $q$ is the modulus of our ring and $\delta$ is a "root Hermit factor'' which expresses how hard it is to find a suitable trapdoor. The exact levels of security associated to different choices of $n$, $q$ and $\delta$ are again complex to compute. The standard practice is to use the LWE estimator of Alberecht et al. and this was used to generate the table I in the paper. The LWE estimator could be used to extend this table for $n=1024$ and various values of $q$ and $\delta$, and presumably the entries for the security of the $q$ and $\delta$ derived from the $\sigma_s$ used in the implementation meet the claimed levels of security.