For modulus $Q$ and stddev $\sigma$, [GHS12] suggests that, to achieve 128-bit security, just choose the dimension $N$: $$ N\geq(Q/\sigma)\cdot 33.1 $$
This seems to suggest flexibility to choose smaller $\sigma$ ("as long as it is not too tiny"), but just paying a price on $N$.
Many instantiations seem to favor a fixed $\sigma$ about $3.2$ ([GHS12]). Especially, the homomorphic encryption standard said:
The standard deviation that we use below is chosen as $\sigma = 8/\sqrt{2}\pi \approx 3.2$, which is a value that is used in many libraries in practice and for which no other attacks are known. (Some proposals in the literature suggest even smaller values of $\sigma$.)
There are schemes using a smaller $\sigma$. Frodo is looking at approximating $\sigma\approx1$.
My question:
In my use case, I do need the noise to be very small.
- Can one do $\sigma\approx0.1$?
- If not, how small can $\sigma$ be, if one needs to minimize it?
- Is it because we need to approximate continuous Gaussian, so $\sigma$ can never be too small?
Note that $\sigma\approx 0.1$ seems unreasonable, since, with a high possibility, all sampled values will be zero (by making it an integer). And [GHS12] mentions explicitly that the $N\geq(Q/\sigma)\cdot 33.1$ check does not apply to "too tiny $\sigma$", although the paper did not explicitly mention what is considered "too tiny".
Yet, the LWE estimator seems "okay" with $\sigma\approx0.1$. I guess small $\sigma$ is beyond the scope of the LWE estimator?
