On Accuracy of Testing Decryption Failure Rate for Encryption Schemes under the LWE Assumption

Lattice-based encryption schemes are significant cryptographic primitives to defend information security against the quantum menace, and the decryption failure rate is related to both theoretical and realistic security. We quantitatively analyze how floating-point arithmetic and neglecting small probabilities impact the precision, and propose a new effective and efficient test of the failure probability. Therein explicit criteria are given to select the floating-point datatype and to decide which small probabilities should be abandoned. Furthermore, the outcome is theoretically ensured to meet a given precision. Moreover, by combining the heuristic estimate and the precise simulation, this test is more efficient than the previous practice of neglecting small probabilities.


Introduction
Due to Shor's algorithm [1,2], quantum computing seriously threatens popular public key cryptosystems, including RSA [3], encryption and digital signature schemes based on discrete logarithm [4,5], and elliptic curve cryptography [6][7][8]. Much research has been carried out to construct robust cryptography in the quantum era, referring to a survey [9]. Particularly, the National Institute of Standards and Technology (NIST) began its standardization project on post-quantum cryptography (PQC) in 2016 [10], selected four algorithms in July 2022 [11] and then advances further into the fourth round [12].
Lattice-based cryptography is the most promising and the most significant in PQC [13]. It occupies 7 seats among 15 in the third round of NIST PQC standardization [14]. Particularly, among the four post-quantum ciphers selected by NIST [11], three are lattice-based, particularly the unique key encapsulation mechanism (KEM) CRYSTALS-Kyber [15].
Dating back to knapsack cryptosystems [16] and the successful NTRU [17], lattice-based cryptography has made great progress since Regev [18] proposed the learning with errors (LWE) problem. Let $q$ be a positive integer, $\mathbb{Z}_q$ the residue ring modulo $q$, and $a \bmod q$ the unique representative of $a$ in the range $[-q/2, q/2)$. Let $D$ be a (discrete) distribution over $\mathbb{Z}_q$. A sample $X$ complies with $D$ if $\Pr[X = a] = D(a)$ for $D(a) \ge 0$, and we denote this by $X \leftarrow_{\$} D$. For a set $S$, without ambiguity $X \leftarrow_{\$} S$ means that $X$ is uniformly sampled over $S$. The LWE problem is to find the secret $s \in \mathbb{Z}_q^r$ given (sufficiently many) pairs $(a, b)$, where $a \leftarrow_{\$} \mathbb{Z}_q^r$, $e \leftarrow_{\$} D$, and $b = a^T s + e$. The Lindner-Peikert encryption scheme [19] is grounded on the assumption that the LWE problem is intractable, and therefrom many lattice-based KEMs have developed along with other techniques, for example, structured lattices [20,21], variants of LWE [22,23], and compressing public keys/ciphertexts [21]. Figure 1 below shows a version of the Lindner-Peikert cryptosystem enciphering a message in $\mathbb{Z}_q$.
For the cryptosystem in Figure 1, decryption fails if the size of $e_1^T s_2 - s_1^T e_2 + e_3 \bmod q$ is not as small as required. Explicitly, the decryption failure rate (DFR), denoted by $\delta_{\mathrm{fail}}$, is the following probability:
$\Pr\left[(e_1^T s_2 - s_1^T e_2 + e_3 \bmod q) \notin [-t, t)\right]$, (1)
where the critical positive value $t$ depends on the specific scheme, for example, involving the modulus $q$ and the number of bits in the plaintext $m$. (The condition in Equation (1) [24] is also interpreted as $|e_1^T s_2 - s_1^T e_2 + e_3 \bmod q| > t$, for example, in D'Anvers et al. [23,25,26]. Whether $t$ is counted in does not exert substantial influence on computing $\delta_{\mathrm{fail}}$.)
Decryption failure is closely related to the security of lattice-based cryptography. On the one hand, the DFR impacts the tightness of constructing IND-CCA encryption/KEMs in the (quantum) random oracle model [27][28][29]. On the other hand, lattice-based schemes with a large DFR are vulnerable to the "failure boosting" attack [26,30,31] and risk a loss of security level. Therefore, it is meaningful and interesting to efficiently compute the DFR $\delta_{\mathrm{fail}}$ with confident accuracy.
The key to obtaining $\delta_{\mathrm{fail}}$ is to characterize the distribution of $e_1^T s_2 - s_1^T e_2 + e_3 \bmod q$ in Equation (1). At present there are two approaches [24,25]. One is a heuristic estimate via the central limit theorem. The other is to compute the $r$-fold convolution of distributions via the "double-and-add" method. Specifically, let $r$ have its binary representation

and denote
$P_{\mathrm{fin}}$ the distribution of $[r] \cdot (e_1 s_2 - s_1 e_2) + e_3$, (2)
where $s_1 \leftarrow_{\$} D_{s_1}$, $s_2 \leftarrow_{\$} D_{s_2}$, $e_1 \leftarrow_{\$} D_{e_1}$, $e_2 \leftarrow_{\$} D_{e_2}$, $e_3 \leftarrow_{\$} D_{e_3}$, and $[m] \cdot (e_1 s_2 - s_1 e_2)$ denotes the sum of $m$ independent random variables with the same distribution as $e_1 s_2 - s_1 e_2$. This is algorithmically feasible by recursive computation [15,24,25] where $X \circledast Y$ means the convolution of distributions $X$ and $Y$. In addition, to optimize time and space cost in computation, the above "double-and-add" method [15,24,25] uses floating-point arithmetic and deliberately neglects tiny probabilities (e.g., those less than some assigned bound $\beta$).
In respect of the above estimation, there remain two unanswered questions. In order to obtain $\delta_{\mathrm{fail}}$ with a required precision, (i) which floating-point datatype should be chosen? (ii) which tiny probabilities should be neglected? Specifically, how large should we set $\beta$ to be?
1.1. Our Results. This correspondence addresses the two questions above. First, we quantitatively analyze the impact of floating-point arithmetic and the trimming threshold $\beta$ on the precision to approximate $\delta_{\mathrm{fail}}$. Second, derived from the analysis, it is specified how to select the floating-point datatype based on cipher parameters. Third, a new test of DFR is proposed. This test has the following three properties: (1) Instead of operating the heuristic estimation and the precise simulation independently, it combines both together and makes use of their internal relation with $\delta_{\mathrm{fail}}$. Specifically, the obtained heuristic approximation of decryption failure helps to select the trimming threshold $\beta$ for the "double-and-add" method. (2) Its returned estimate is ensured to approximate $\delta_{\mathrm{fail}}$ with any assigned high precision as long as the machine precision allows. Particularly, whether its output is accurate enough can be theoretically verified.
(3) It selects the trimming bound $\beta$ in a balanced and inexpensive way and thereby accelerates the "double-and-add" method, costing less time than previous computing [15,24,25]. Particularly, for Frodo640 [24] the new test, even including the heuristic estimate in it, takes only 5.92% of the time that the previous method costs.
Fourth, we also analyze how the test of decryption failure is influenced by algebraic lattices and the rounding compression and whether the proposed test is feasible for lattice-based ID-based encryption (IBE) and attribute-based encryption (ABE).
1.2. Related Work. So far, it has not been analyzed how floating-point arithmetic impacts the precision to approximate $\delta_{\mathrm{fail}}$, and a clear and explicit criterion to select the floating-point datatype for a DFR test has not been given, though the DFR, for example, $2^{-136}$ for SABER [23], is possibly much less than the machine precision of common floating-point arithmetic. According to available program scripts [14,15,24,25], CRYSTALS-Kyber and SABER use double-precision floating-point while FrodoKEM employs float128 in the python numpy package.

FIGURE 1: The Lindner-Peikert encryption scheme [19].

IET Information Security
To the best of our knowledge, an explicit relation between the precision of $\delta_{\mathrm{fail}}$ and the trimming threshold $\beta$ has not been given and there has not been a reasonable approach to choosing the trimming threshold $\beta$. Intuitively, the greater $\beta$ is, the less computation time we need; and the smaller $\beta$ is, the more precise our approximation is. At present, practical trimming thresholds are used. According to available program scripts [14], during computation of Equation (3), CRYSTALS-Kyber and SABER neglect probabilities not greater than $2^{-300}$ and give $\log \delta_{\mathrm{fail}}$ with three significant digits [15,25], and FrodoKEM always removes probabilities less than $10^{-200}$ and gives $\log \delta_{\mathrm{fail}}$ with four significant digits [24].
1.3. Organization. The rest of this paper is organized as follows. In Section 2, we prepare some definitions and facts on floating-point arithmetic and discrete distributions. Section 3 includes the main result and consists of three subsections: Subsection 3.1 analyzes effectiveness of the "double-and-add" algorithm with floating-point errors and the trimming technique; Subsection 3.2 shows our method to select the floating-point datatype; Subsection 3.3 gives a new algorithm to estimate the DFR whose outcome is confirmed to be precise as required; and Subsection 3.5 analyzes the impact of structured lattices and the rounding compression on the "double-and-add" test, and also discusses its application in IBE/ABE cryptosystems. Finally, Section 4 concludes this paper with a summary.

Preliminaries
2.1. Floating-Point Arithmetic. Let $\varepsilon_M$ (called unit round-off in Saad [32]) denote the upper bound of relative errors to represent real numbers by normalized floating-point numbers, and let $\alpha_M$ be the minimal positive normalized floating-point number in the machine. Both $\varepsilon_M$ and $\alpha_M$ highly depend on machine precision. For example, by IEEE Standard 754 [33], rounding a real number to its nearest 64 bit normalized floating-point number yields a relative error at most $2^{-53}$ [32], $\alpha_M = 2^{-126}$ for single precision and $\alpha_M = 2^{-1022}$ for double precision.
In the sequel, for any variables (or functions) $f$ and $g$, let
The relative error of floating-point arithmetic is known to be bounded.
Lemma 1 (see [32]). Let $a_1$ and $a_2$ be non-negative normalized floating-point numbers, and $s$ (resp. $p$) the sum (resp. product) of $a_1$ and $a_2$ in floating-point arithmetic. If no overflow occurs, then

2.2. Pseudo-Laws. A distribution completely characterizes a discrete random variable, and we introduce the term "pseudo-law" to describe part of a distribution.
In this paper, we only consider pseudo-laws over $R = \mathbb{Z}_q$. Let $C_a$ denote the law distributed only at $a \in \mathbb{Z}_q$, that is,
Let $D_1$ and $D_2$ be pseudo-laws. The convolution of $D_1$ and $D_2$, denoted by
and the product of $D_1$ and $D_2$, denoted by
Notice that $C_{-1} \odot D$ is a mirror reflection of $D$ over the $Y$-axis.
The convolution $D_1 \circledast D_2$ (partially) describes the sum of independent random variables complying with pseudo-laws $D_1$ and $D_2$.
Remark 1. A pseudo-law $D$ can be represented by a polynomial in the quotient ring $R[x]/(x^q - 1)$, where $(x^q - 1)$ denotes the principal ideal generated by $x^q - 1$. Thereby, the convolution of $D_1$ and $D_2$ is implemented by $\chi_{D_1} \cdot \chi_{D_2}$ and hence techniques for polynomial multiplication are admissible and helpful. This strategy was essentially employed by FrodoKEM [24] to accelerate convolutions, while CRYSTALS-Kyber [15] and SABER [25] used the definition in Equation (8).
The statistical distance measures how far two random variables differ from each other [34], and it naturally extends to pseudo-laws.

Definition 2. (Statistical distance).
Given two pseudo-laws $D_1$ and $D_2$, the statistical distance of $D_1$ and $D_2$, denoted by
Lemmas 2 and 3 straightforwardly follow from Definition 2.
Lemma 2. Let $D_1, D_2, D_3$ be pseudo-laws over $\mathbb{Z}_q$. Then
Lemma 3 upper-bounds the propagation of statistical distances in the convolution of pseudo-laws, and a brief proof is included in Appendix A.
Definition 3 describes the procedure imposing zero probability over a given subspace $S$, and particularly the operation which removes positive probability not larger than a threshold $\beta$.
Definition 3. (Trim). Let $S \subset \mathbb{Z}_q$. A trim of a pseudo-law $D$ by $S$, denoted by $\mathrm{Trim}_S(D)$, is a pseudo-law defined by
In Algorithm 1, values of pseudo-laws are stored and operated on as floating-point numbers. Above all, using the "double-and-add" method, Algorithm 1 terminates in polynomial time $O(q^2 \log r)$ since a convolution or a product costs at most $O(q^2)$. As in Remark 1, this complexity can be further reduced using the Fourier transform.

Theorem 2 describes and connects the factors that exert influence on the effectiveness of Algorithm 1.
To prove Theorem 2, we show a variant of Algorithm 1 with ideal precision (Algorithm 2).
Notice that Algorithm 2 differs from Algorithm 1 in two aspects: (i) The values of pseudo-laws are stored and processed as real numbers with ideal precision. To distinguish these notations, we add a superscript "I" on pseudo-laws in Algorithm 2. (ii) Instead of a fixed trimming threshold $\beta$, Algorithm 2 imposes zero value exactly at the same elements of $\mathbb{Z}_q$ as Algorithm 1 does. This is feasible since, as Theorem 1 ensures, it is efficient to simulate Algorithm 1.
To show how closely $\delta_{\mathrm{alg}}$ approximates $\delta_{\mathrm{fail}}$, the proof contains four parts. Part I describes how pseudo-laws in Algorithm 1 approximate their counterparts in Algorithm 2. Part II quantifies the influence of trimming, and then Part III derives the fact that $D^I_{\mathrm{fin}}$ in Algorithm 2 is close to $P_{\mathrm{fin}}$. Part IV integrates the above to complete the proof.
Part I (Lemma 4): Using a power of $(1 + \varepsilon_M)$ as multiplier, we relate the pseudo-laws in Algorithm 1 to their counterparts in Algorithm 2.
Proof. Since only pseudo-laws are processed and we always have Equation (6), no overflow occurs in Algorithm 1. Furthermore, the condition in Theorem 2 ensures that all processed floating-point numbers are normalized and hence no underflow occurs. By Lemma 1, to compute a convolution or a product of two pseudo-laws, the floating-point arithmetic yields a factor upper-bounded (resp. lower-bounded). Thus, comparing Algorithms 1 and 2, we add (possible) errors by floating-point representation of $D_{s_1}$, $D_{s_2}$, $D_{e_1}$, $D_{e_2}$, and $D_{e_3}$, and count the number of convolutions, and then find that the following integers
Explicitly, these integers are

Remark 2. In the proof of Lemma 4, we conservatively choose $m_0 = 3q + 4$, where the addend $3q$ is attributed to two $\odot$'s and one $\circledast$ in Line 1 of Algorithm 1, and the addend 4 is attributed to representing $D_{s_1}$, $D_{s_2}$, $D_{e_1}$, and $D_{e_2}$ in floating-point numbers. Anyhow, practical cryptosystems are likely to allow a smaller $m_0$. On the one hand, their secrets and errors are distributed in a comparatively small interval rather than the whole ring $\mathbb{Z}_q$ and hence one $\odot$ there contributes a relative error much tamer than $(1 \pm \varepsilon_M)^q$. Taking Frodo640 [24] for example, the relative error of $\odot$ is bounded by
On the other hand, the input distributions can be exactly represented on a machine. Actually, in CRYSTALS-Kyber [15], SABER [25], and FrodoKEM [24], all input distributions are evaluated as fractions with a power-of-two denominator and are hence stored as accurate floating-point numbers.
Part II (Lemma 5): The changes of pseudo-laws by trimming in Algorithm 2 are upper-bounded. Then

Proof. Notice that for $S \subset \mathbb{Z}_q$ and any pseudo-law
where $|S|$ denotes the cardinality of $S$. Considering the error caused by trimming in Line 2 of Algorithm 2, we have
In a similar way,

Lemma 6. Let $P_{\mathrm{fin}}$ be defined in Equation (2) and let $D^I_{\mathrm{fin}}$ be as in Line 12 of Algorithm 2. Then it holds that

Proof. Use the notations in Equation (2). Now we get
Similarly, we also have
The detailed proof of Equation (25) is included in Appendix C. Using Equations (3), (24), and (25), we derive that

The lemma below for comparing pseudo-laws is straightforward.

Proof of Theorem 2. Since $\mathrm{Trim}_S(E) \le E$ for any pseudo-law $E$, the pseudo-laws in Algorithm 2 satisfy
Comparing Equations (3) and (28), from Lemma 7 we derive that
Since $e_1^T s_2 - s_1^T e_2 \bmod q$ is the sum of $r$ independent random variables with the same distribution $P_0$, it holds that
Recall that
Therefore, it follows from Equation (29) and Lemma 6 that
In addition, it follows from Lemma 4 that
Finally, the proof concludes by combining Equations (32) and (33). □

Remark 3. In Algorithm 1 the trimmings in Lines 2 and 12 are optional. Whether the two trimmings are skipped or not will affect the lower bound in Equation (15), but the impact is not significant, as implied by the proof of Theorem 2.
In the sequel, we always assume that each nonzero value of the input distributions $D_{s_1}$, $D_{s_2}$, $D_{e_1}$, $D_{e_2}$, and $D_{e_3}$ is not less than $\sqrt{\alpha_M}$, since this condition is almost trivial for nowadays LWE-based encryption schemes.
Conventionally, the failure probabilities are expressed as powers of two, and their exponents are concerned and compared [15,23,24]. Therefore, we take $\log_2 \delta_{\mathrm{fail}}$ as the final result we expect, and aim to control the absolute/relative error of $\log_2 \delta_{\mathrm{alg}}$.
Corollary 1. Let $\varepsilon_{\mathrm{abs}} > 0$ and $\varepsilon_{\mathrm{rel}} > 0$. The statements below hold.
then
Corollary 1 is straightforward from Theorem 2, and its proof is included in Appendix D.
Combining Corollary 1 and the inequality in Equation (15) derives Corollary 2, which gives a sufficient condition to verify whether Algorithm 1 returns an approximation with the required precision.
As shown in Table 1, for all these ciphers, Equations (38)-(41) hold (as shown in Subsection 3.5, the DFR of CRYSTALS-Kyber is interpreted differently from Equation (1), and hence the corresponding upper bounds in Equations (38)-(41) are adapted; the tedious details are omitted here). Therefore, it is ensured by Corollary 2 that their failure probabilities [15,24,25] have met the required precision, and this is labeled as "Y" in the last column of Table 1. Because $\sqrt{2^{-1022}} > 10^{-200} \approx 2^{-664}$, Corollary 2 does not confirm the precision of $\delta_{\mathrm{fail}}$ for FrodoKEM if Algorithm 1 utilizes double-precision floating-point arithmetic and sets $\beta = 10^{-200}$.
However, Corollaries 1 and 2 do not directly inform us how to determine $\beta$ in practice because neither $\delta_{\mathrm{fail}}$ nor $\delta_{\mathrm{alg}}$ is known before a test. To ensure the desired absolute (and relative) error for $\log_2 \delta_{\mathrm{fail}}$, later we use Theorem 2 and Corollary 1 to select the floating-point datatype and the trimming threshold $\beta$.

Select Floating-Point Datatype. A floating-point datatype is determined by its precision and range, respectively related to $\varepsilon_M$ and $\alpha_M$. Corollary 1 is helpful for selecting the floating-point datatype in Algorithm 1. If
then Algorithm 1 with proper trimming returns $\delta_{\mathrm{alg}}$ satisfying Equation (35) (resp. Equation (37)).
We remind the reader that (i) the above datatype selection is based on the practical range of $\delta_{\mathrm{fail}}$, while Algorithm 3 in the next subsection selects the datatype depending only on cipher parameters; (ii) lattice-based cryptosystems in other scenarios, for example, fully homomorphic encryption, may use other parameters and hence require distinct machine precision.
Experiment 2. In Table 2, we set $\varepsilon_{\mathrm{abs}} = 5 \times 10^{-3}$, $\varepsilon_{\mathrm{rel}} = 5 \times 10^{-6}$, and list the parameters of FrodoKEM [24] and their corresponding $\varepsilon_M$ estimated in Equation (42) (here conservatively using $\log_2 \delta_{\mathrm{fail}} \le -1$). Neither Equation (42) nor (43) is satisfied for single-precision floating-point numbers. Running Algorithm 1 in 32 bit floating-point arithmetic fails to approximate $\delta_{\mathrm{fail}}$. Anyhow, it suffices to use double-precision (64 bit) floating-point instead of float128 in the python numpy package to find the DFR $\delta_{\mathrm{fail}}$ of FrodoKEM, and this is effective as confirmed by Experiment 3. This experiment suggests that Equation (42) is effective for selecting the floating-point datatype.

Algorithm 3 calls Algorithm 1 as its inner core subprocedure, and it selects the trimming threshold $\beta$ in a progressive way. Specifically, the heuristic estimate $\delta_{\mathrm{clt}}$ through a continuous normal distribution helps to decide $\beta$ for a tentative test, denoted by $\beta_{\mathrm{abstnt}}$ for the absolute error $\varepsilon_{\mathrm{abs}}$ (resp. by $\beta_{\mathrm{reltnt}}$ for the relative error $\varepsilon_{\mathrm{rel}}$), and then an expected

Hence, the trimming threshold $\beta_{\mathrm{abscnf}}$ (resp. $\beta_{\mathrm{relcnf}}$) of Algorithm 3 is upper-bounded by the right-hand side of Equation (34) (resp. Equation (36)).

where $\mathrm{erfc}$ denotes the complementary error function. However, it is not unique to implement the heuristic test. For example, distinct from Algorithm 4, FrodoKEM [24] computes
where $m_{D_{e_3}}$ and $\sigma^2_{D_{e_3}}$ denote the mean and the variance of $D_{e_3}$, respectively. Generally speaking, Algorithm 4 costs more time than Equation (47) and yet gives a tighter approximation if $D_{e_3}$ is far from a normal distribution. For example, SABER [23] has a uniform distribution $D_{e_3}$ and its DFR is $2^{-136.16}$; Algorithm 4 yields an approximation $2^{-139.07}$ while Equation (47) derives a rough estimate $2^{-73.85}$. Therefore, Algorithm 4 is preferred to Equation (47) if the tentative test is expected to approximate the DFR with a high precision.
Remark 5. The confirmatory test in Algorithm 3 is not indispensable for specific applications. On the one hand, the inequalities in Equation (15) are conservative and $\delta_{\mathrm{alg}}$ is likely to be much closer to $\delta_{\mathrm{fail}}$. On the other hand, via the central limit theorem, the heuristic test possibly returns a value very near $\delta_{\mathrm{fail}}$. Hence, it is probable that the tentative test already obtains the DFR with a desirable precision. Experiment 3 below shows that the tentative test is sufficient for CRYSTALS-Kyber [15], SABER [25], and FrodoKEM [24]. Therefore, the confirmatory test of Algorithm 3 is optional in scenarios where a strict proof of the DFR is not compulsory.
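The pseudo-law operations of Section 2 ($\circledast$, $\odot$, Trim), the double-and-add computation of Algorithm 1 with trimming, and the two heuristic tests compared above (the conditioning on $e_3$ of Algorithm 4 versus the folded normal of Equation (47)), as an added Python example that is not code from the paper or from the Kyber, SABER or FrodoKEM submissions. It runs on constructed toy parameters ($q = 64$, $r = 8$, $t = 16$, centered binomial secrets and errors with $\eta = 2$); the toy parameters, the exact form of the heuristics and the trimming-error bound `trim_error_bound` are my assumptions, not statements of the paper.

```python
from math import comb, erfc, sqrt
import numpy as np

def centered(a, q):
    """Representative of a mod q in [-q/2, q/2), the paper's convention."""
    a %= q
    return a - q if a >= (q + 1) // 2 else a

def centered_binomial(q, eta):
    """Pseudo-law over Z_q of the centered binomial distribution with parameter eta."""
    law = np.zeros(q)
    for a in range(-eta, eta + 1):
        law[a % q] = comb(2 * eta, a + eta) / 4 ** eta
    return law

def convolve(D1, D2):
    """D1 ⊛ D2: law of X + Y mod q for independent X ~ D1, Y ~ D2 (the O(q^2) definition)."""
    out = np.zeros(len(D1))
    for a in np.flatnonzero(D1):
        out += D1[a] * np.roll(D2, a)  # np.roll(D2, a)[i] == D2[(i - a) % q]
    return out

def product(D1, D2):
    """D1 ⊙ D2: law of X * Y mod q for independent X ~ D1, Y ~ D2."""
    out = np.zeros(len(D1))
    for a in np.flatnonzero(D1):
        for b in np.flatnonzero(D2):
            out[(a * b) % len(D1)] += D1[a] * D2[b]
    return out

def trim(D, beta):
    """Trim: impose zero on every positive probability not larger than beta."""
    return np.where(D <= beta, 0.0, D)

def double_and_add(D0, r, beta=0.0):
    """r-fold convolution D0^[r] by double-and-add, trimming after every convolution."""
    acc = D0
    for bit in bin(r)[3:]:  # bits of r below the leading 1, most significant first
        acc = trim(convolve(acc, acc), beta)  # D_i^dbl = D_{i-1} ⊛ D_{i-1}
        if bit == "1":
            acc = trim(convolve(acc, D0), beta)  # D_i = D_i^dbl ⊛ D_0
    return acc

def failure_mass(D, t):
    """Pr[(X mod q) not in [-t, t)] for X ~ D: Equation (1) evaluated on a pseudo-law."""
    return float(sum(D[a] for a in range(len(D)) if not -t <= centered(a, len(D)) < t))

def law_of_D(q, D_s1, D_s2, D_e1, D_e2):
    """Line 1 of Algorithm 1: D = (D_e1 ⊙ D_s2) ⊛ (C_{-1} ⊙ (D_s1 ⊙ D_e2)), the law of e1*s2 - s1*e2."""
    c_minus_1 = np.zeros(q)
    c_minus_1[q - 1] = 1.0  # the point law C_{-1}, so C_{-1} ⊙ E is the mirror of E
    return convolve(product(D_e1, D_s2), product(c_minus_1, product(D_s1, D_e2)))

def dfr_double_and_add(D, r, t, D_e3, beta=0.0):
    """Algorithm 1 style test: P_fin = D^[r] ⊛ D_e3, then the mass outside [-t, t)."""
    return failure_mass(trim(convolve(double_and_add(D, r, beta), D_e3), beta), t)

def trim_error_bound(q, r, beta):
    """My bound, not the paper's: each trim drops <= q*beta of mass, a doubling doubles the gap."""
    gap = 0.0
    for bit in bin(r)[3:]:
        gap = 2 * gap + q * beta  # doubling then trim
        if bit == "1":
            gap += q * beta  # convolving with the untrimmed D_0 keeps the gap, then trim
    return gap + q * beta  # final ⊛ D_e3 then trim

def moments(D):
    """Mean and variance of a pseudo-law over the centered representatives."""
    vals = np.array([centered(a, len(D)) for a in range(len(D))], dtype=float)
    m = float(np.dot(D, vals))
    return m, float(np.dot(D, (vals - m) ** 2))

def normal_tail(mu, var, lo, hi):
    """Pr[N(mu, var) not in [lo, hi)] via the complementary error function."""
    s = sqrt(2.0 * var)
    return 0.5 * erfc((hi - mu) / s) + 0.5 * erfc((mu - lo) / s)

def dfr_clt(D, r, t, D_e3, fold_e3=False):
    """Heuristic test with the r-fold sum of D replaced by N(r*m_D, r*var_D): condition on each
    value of e3 (my reading of Algorithm 4) or fold e3's mean/variance in (Equation (47) style)."""
    m, v = moments(D)
    if fold_e3:
        m3, v3 = moments(D_e3)
        return normal_tail(r * m + m3, r * v + v3, -t, t)
    q = len(D_e3)
    return float(sum(D_e3[a] * normal_tail(r * m, r * v, -t - centered(a, q), t - centered(a, q))
                     for a in np.flatnonzero(D_e3)))

def demo(beta=1e-12):
    """Constructed toy parameters (not a real scheme): q = 64, r = 8, t = 16, all laws CB(eta=2)."""
    q, r, t = 64, 8, 16
    cb = centered_binomial(q, 2)
    D = law_of_D(q, cb, cb, cb, cb)
    return {
        "delta_full": dfr_double_and_add(D, r, t, cb, beta=0.0),
        "delta_trim": dfr_double_and_add(D, r, t, cb, beta=beta),
        "trim_bound": trim_error_bound(q, r, beta),
        "delta_clt_alg4": dfr_clt(D, r, t, cb, fold_e3=False),
        "delta_clt_eq47": dfr_clt(D, r, t, cb, fold_e3=True),
    }
```

On these toy parameters the trimmed and untrimmed double-and-add results differ by far less than `trim_bound`, while both heuristics land within a small constant factor of the exact value, which is the relation Algorithm 3 exploits when it lets $\delta_{\mathrm{clt}}$ pick $\beta$.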

An Experiment of DFR Test. Through the following experiment we compare Algorithm 3 with the previous DFR testing method in respect of their effectiveness and efficiency.
On the one hand, the data of Experiment 3 show that Algorithm 3, grounded on its theoretical proof (Theorem 3), ensures high accuracy in approximating $\delta_{\mathrm{fail}}$ though its convolutions neglect more tiny probabilities than previous practical methods. In Table 3, the second column lists the trimming thresholds in previous tests, and the fourth and fifth columns list the trimming thresholds used in Algorithm 3; the third column lists the previously given DFRs in the submissions to NIST [14], and the last column lists the DFRs output by Algorithm 3.
On the other hand, Algorithm 3 outperforms previous practical DFR tests in efficiency for all parameter sets of CRYSTALS-Kyber, SABER, and FrodoKEM. The experiment data show that (i) All the parameter sets dissatisfy the condition in Line 10 of Algorithm 3 and the confirmatory test is therefore almost free. (ii) As in Figure 2, among all nine parameter sets, $s$ achieves its minimum 5.92% for Frodo640 and its maximum 85.84% for Kyber768, where $s$ denotes the ratio of the time running Algorithm 3 for the
3.5. Use the Test for Practical Encryption Schemes. In the above, we only discussed the DFR determined by the distribution of $e_1^T s_2 - s_1^T e_2 + e_3 \bmod q$, setting other forms aside. When the plaintext is longer and enciphered in more than one element of $\mathbb{Z}_q$, where $c_2$ in Figure 1 is parallelized as a matrix over $\mathbb{Z}_q$, incorporating the union bound into Algorithm 3 will estimate the DFR of the encryption scheme. Anyhow, a practical lattice-based encryption scheme probably integrates other techniques and computes its DFR in other ways. In the rest of this subsection, we analyze the influence of algebraic lattices and the rounding compression on decryption failure, and also consider using the test for lattice-based IBE/ABE schemes.
3.5.1. The Impact of Using Structured Lattices. Lyubashevsky et al. [20] proposed LWE over rings and also an algebraic version of the Lindner-Peikert cryptosystem (Figure 3). Despite variants of structured lattices in cryptography [37], here we consider the following algebraic lattice utilized in most practical schemes.
Let $K$ be a number field of degree $r$, $R$ an order of $K$, and $b_0, b_1, \ldots, b_{r-1}$ a basis of $R$. Denote the quotient ring $R/qR$ by $R_q$.
In Figure 3, $u \leftarrow_{\$} D^r_B$ means that each coefficient of $u$ with respect to the basis $b_0, \ldots, b_{r-1}$ complies with $D_B$. Similar to Equation (1), decryption fails in this encryption scheme if
where $\|e_1 s_2 - s_1 e_2 + e_3 \bmod q\|_\infty$ denotes the greatest absolute value of the coefficients of $e_1 s_2 - s_1 e_2 + e_3 \bmod q$ with respect to the basis $b_0, \ldots, b_{r-1}$, and $D$ is as in Line 2 of Algorithm 3. Then the distribution of Equation (49) is computed by
Therefore, we conclude that testing the DFR depends on the algebraic rings and their chosen basis, and the "double-and-add" method is not universally effective. Fortunately, rings in the present practical encryption schemes cause not much trouble. The power-of-two cyclotomic ring $\mathbb{Z}[x]/(x^r + 1)$ is the most popular in structured lattices [38], including NewHope [39], CRYSTALS-Kyber [21], and SABER [23]. As the conventional basis is $b$
In this specific case, the distribution of Equation (49) is computed by
where $D^{[m]}$ denotes the $m$-fold convolution of $D$. We call a pseudo-law $D$ symmetric if $D(a) = D(-a)$ for any $a \in \mathbb{Z}_q$. The following lemma is straightforwardly derived from the definitions.
In practical schemes, most secrets and errors comply with symmetric laws, for example, the centered binomial distribution and the discrete approximate Gaussian in FrodoKEM [24]. By Lemma 8, due to the symmetry of $D$ in such schemes, Equation (52) is exactly $D^{[r]} \circledast D_{e_3}$ and it is therefore feasible to compute $\delta_{\mathrm{fail}}$ by Algorithms 1 and 3.
Recall that Algorithm 3 processes the decryption failure of one coordinate of the algebraic number. If the encryption scheme based on structured lattices employs no error correcting codes, then taking the $r$ coordinates of $e_1 s_2 - s_1 e_2 + e_3$ as independent random variables is appropriate [40]; by contrast, using the independence assumption in such cryptosystems with error correcting codes possibly results in overestimation of the DFR, and a method has been proposed to calculate the DFR for those schemes [40].

FIGURE 3: The Lindner-Peikert encryption scheme using lattices over rings [20].

In addition, the above test of DFR can naturally extend to cryptosystems based on module-LWE [21,41,42] or module-LWR [23].

3.5.2. The Impact of Compressing Public Key/Ciphertexts. Let $p$ be a positive integer less than $q$. The rounding function maps $x \in \mathbb{Z}_q$ to $\lfloor xp/q \rceil$, the integer nearest to $xp/q$, and this operation naturally extends to vectors in $\mathbb{Z}_q^r$ and algebraic numbers in $R_q$. This technique is used to reduce bandwidth.
Conventionally, the truncated information is also taken as errors [21,23]. Let $D_{p_1}$, $D_{p_2}$, and $D_{p_3}$, respectively, denote the distributions by compressing the public key $b$ (or $\mathbf{b}$) and ciphertexts $c_1, c_2$ (or $\mathbf{c}_1, \mathbf{c}_2$) in Figure 1 (or Figure 3). According to [21, Theorem 1], the DFR is computed the same as above except that in Line 2 of Algorithm 3 and in Line 1 of Algorithm 1
The distributions from rounding are not necessarily symmetric. Fortunately, by Lemma 8, the encryption schemes with symmetric secret distributions have a symmetric $D$. Therefore, Algorithms 1 and 3 are able to test their DFR, with slight adaptation as in Equation (53).
Furthermore, the same as in Remark 2, changes in computing $D$ lead to distinct $m_0$'s in the proof of Lemma 4. The involved results following from it should be adjusted and this is straightforward. For example, CRYSTALS-Kyber [15] in the third round of the NIST PQC program [14], different from its previous version, compresses only ciphertexts, that is, $D_{p_1} = C_0$. Note that the operation $\odot$ with $C_{-1}$ results in no loss of precision. Counting in two $\odot$'s, two $\circledast$'s and relative errors in the floating-point representation of $D_{p_2}$ and $D_{p_3}$, it yields $m_0 = 4q + 2$.
3.5.3. Test DFR in Lattice-Based IBE/ABE Schemes. In typical constructions of lattice-based IBE [43,44] and ABE [45][46][47], instead of using the original Regev encryption scheme [18], its dual version is used as a primitive, in which the key generation and encryption procedures are essentially swapped. Specifically, in the dual system with unstructured lattices (Figure 4), the secret key is a short vector $s_1$, and the corresponding public key is its syndrome $b = A^T s_1 \in \mathbb{Z}_q^r$. The encryption algorithm chooses a pseudorandom LWE vector $c_1 = A s_2 + e_2 \bmod q$, and uses the syndrome $b$ to generate one more LWE instance as a "pad" to hide the message, i.e., $c$
The decryption algorithm proceeds similarly as in Regev [18] and Lindner and Peikert [19].
Then the key to obtaining $\delta_{\mathrm{fail}}$ is to compute
which characterizes the distribution of $-s_1^T e_2 + e_3 \bmod q$. Therefore, the results above in this paper also work for the dual Regev cryptosystem with slight adaptation.
In respect of lattice-based ABE, the above method allows one to efficiently and precisely estimate the DFR for primitive components, and deciding the DFR of the whole ABE scheme highly depends on the specific access structures. For example, $\delta_{\mathrm{fail}}$ of the threshold ABE [45] can be determined by computing
where $D_i$ and $D'_i$ are pseudo-laws, and Algorithms 1 and 3 with slight modification are effective for such computation.

Conclusion and Future Work
In this article, we bound the output $\delta_{\mathrm{alg}}$ of the "double-and-add" method in terms of the cipher parameters, the floating-point machine error $\varepsilon_M$ and the trimming threshold $\beta$, and we also propose an algorithm to determine the DFR of LWE-based encryption schemes. The main outcomes are as below.
First, an explicit way is given to select the proper floating-point datatype enabling output of the DFR with assigned accuracy. Particularly, according to theoretical analysis and experimental verification, the IEEE standardized double-precision floating-point, which is supported by a variety of computing devices and operating systems, suffices for common nowadays lattice-based encryption while single-precision (32 bit) floating-point arithmetic does not guarantee a precise approximation.
Second, the inequalities in Corollary 2 enable one to quantitatively confirm whether the "double-and-add" algorithm returns an estimate satisfying the precision. Particularly, therefrom it immediately follows that the $\log_2 \delta_{\mathrm{fail}}$'s obtained in CRYSTALS-Kyber [15], SABER [25], and FrodoKEM [24] are theoretically proved to be precise in respect of a given absolute (resp. relative) error $\varepsilon_{\mathrm{abs}} = 5 \times 10^{-3}$ (resp.
Third, the proposed new test of DFR includes an explicit criterion to select the trimming threshold $\beta$ and is theoretically ensured to achieve an assigned precision. Moreover, realistic processing shows that this test accelerates the previous "double-and-add" computation with practical trimming. For example, computing $\delta_{\mathrm{fail}}$ of Frodo640 in double-precision floating-point allows trimming probabilities less than $2^{-191.06}$ instead of the previous $10^{-200} \approx 2^{-664}$, and thereby the new test neglects more distribution data and hence runs faster.

Finally, we analyze the impact of algebraic lattices and the rounding compression, and also consider applying the results in lattice-based IBE/ABE. The "double-and-add" philosophy is effective if the cryptosystem samples symmetric secrets and errors and utilizes the power-of-two cyclotomic ring together with its natural power basis.
We hope that this work can serve as an inspiration to effectively and efficiently test (or search) parameters of lattice-based cryptosystems.For instance, it is interesting to apply the techniques and methods in this paper, adapted if necessary, to estimate the failure probability of LWE-based fully homomorphic encryption schemes.

Appendix
A. Proof of Lemma 3

Proof of Lemma 3. The proof is by straightforward computation:

B. Part of the Proof of Lemma 5

The trimming error from Line 5 is estimated as
The trimming error from Line 7 (under the condition $r_{n-i} = 1$) is estimated as
The trimming error from Line 12 is estimated as

C. Part of the Proof of Lemma 6

Below is the proof of Equation (25). It holds that
by Lemma 5 (C.1)
and
by Lemma 5 (C.2)

D. Proof of Corollary 1
Proof of Corollary 1. The inequality in Equation (34) implies
Taking the logarithm $\log_2$ on both sides implies
using Equation (15) (D.2)
which derives that the right-hand side of Equation (34) is non-negative, and is hence coherent with the fact that $\beta \ge 0$ in Algorithm 1.
In addition, we have
(D.4)
Then Equation (35) holds. The proof of Equation (37) is similar and omitted here. □

E. Data of Experiment 3
This section includes the data of Experiment 3. Specifically, each of Tables 4-12 shows the data for one of the parameter sets of CRYSTALS-Kyber [15] (Schwabe et al.), FrodoKEM [24] (Alkim et al.), and SABER [25] (D'Anvers et al.). In the tables below, the second row gives the time cost of computing $D_0$ (Line 2 of Algorithm 3), and the third, the fourth, and the fifth row give the data of the heuristic test, the tentative test, and the confirmatory test, respectively. The second column shows data for Algorithm 1 without trimming ($\beta = 0$), the third column shows data for Algorithm 1 with trimming [15,24,25] ($\beta$ in the second column of Table 3), and the fourth and the fifth column show data of Algorithm 3 for absolute error $\varepsilon_{\mathrm{abs}} = 0.005$ and for relative error $\varepsilon_{\mathrm{rel}} = 5 \times 10^{-6}$, respectively.

Lemma 4. Let $E$ be any of the pseudo-laws $D_{\mathrm{fin}}$, $D_n \circledast D_{e_3}$, $D$, $D_{i-1} \circledast D_{i-1}$, and $D^{\mathrm{dbl}}_i \circledast D_0$ ($1 \le i \le n$) in Algorithm 1, and let $E^I$ denote its ideally precise counterpart among $D^I_{\mathrm{fin}}$, $D^I_n \circledast D^I_{e_3}$, $D^I$, $D^I_{i-1} \circledast D^I_{i-1}$, and $D^{I\text{-}\mathrm{dbl}}_i \circledast D^I_0$ in Algorithm 2. Given the condition in Theorem 2, it holds that

Lemma 5. Let $E$ be any of the pseudo-laws $D^I_n \circledast D^I_{e_3}$, $D^I$, $D^I_{i-1} \circledast D^I_{i-1}$, and $D^{I\text{-}\mathrm{dbl}}_i \circledast D^I_0$ ($1 \le i \le n$) in Algorithm 2, and let $\mathrm{Trim}(E)$ denote its corresponding trim among $D^I_{\mathrm{fin}}$,

Part III (Lemma 6): Using Part II, we upper-bound the statistical distance between $D^I_{\mathrm{fin}}$ and $P_{\mathrm{fin}}$.

Part IV: Using Parts I and III, we characterize how the output $\delta_{\mathrm{alg}}$ returned by Algorithm 1 approximates the DFR $\delta_{\mathrm{fail}}$.

3.3. A Hybrid Test of DFR with Progressive Trimming. Now we propose a new test (Algorithm 3) of DFR.

where $s_1 \leftarrow D_{s_1}$, $s_2 \leftarrow D_{s_2}$, $e_1 \leftarrow D_{e_1}$, and $e_2 \leftarrow D_{e_2}$. {This step is the same as Line 1 of Algorithm 1, and all the three tests below share $D$ as an input.}
3: [A heuristic test] Use the central limit theorem to approximate the DFR, for example, by Algorithm 4. Denote its returned value by $\delta_{\mathrm{clt}}$.
4: [A tentative test] includes Lines 5-7.
5: Set

Input: the distributions $D$ and $D_{e_3}$; the dimension $r$; the critical value $t$ of decryption failure.
Output: a heuristic estimate of the DFR $\delta_{\mathrm{fail}}$.
1: Compute the mean $m_D$ and the variance $\sigma^2_D$
denotes the normal distribution with mean $r \cdot m_D$ and variance $r \cdot \sigma^2_D$.
ALGORITHM 4: A heuristic test of DFR.

FIGURE 2: Ratio of time cost of Algorithm 3 to that of Algorithm 1.
Input: the modulus $q$; the distributions $D_{e_1}, D_{e_2}, D_{s_1}, D_{s_2}$ of the coordinates of $e_1, e_2, s_1, s_2$, respectively; the distribution $D_{e_3}$ of $e_3$; the dimension $r$; the critical value $t$ of decryption failure; the trimming threshold $\beta$.
Output: an approximation of $\delta_{\mathrm{fail}}$.
1: Compute the distribution $D$ of $e_1 \cdot s_2 - s_1 \cdot e_2$, where $s_1 \leftarrow D_{s_1}$, $s_2 \leftarrow D_{s_2}$, $e_1 \leftarrow D_{e_1}$, and $e_2 \leftarrow D_{e_2}$, for example,

TABLE 2: Estimate of machine precision for testing the DFR of FrodoKEM.
$\delta_{\mathrm{abstnt}}$ (resp. $\delta_{\mathrm{reltnt}}$) obtained by the tentative test determines $\beta$ for a confirmatory test, denoted by $\beta_{\mathrm{abscnf}}$ for the absolute error $\varepsilon_{\mathrm{abs}}$ (resp. by $\beta_{\mathrm{relcnf}}$ for the relative error $\varepsilon_{\mathrm{rel}}$). The final output $\delta_{\mathrm{abscnf}}$ (resp. $\delta_{\mathrm{relcnf}}$) of the confirmatory test is ensured to satisfy the required precision.