“…As discussed above, the decryption error is not sensitive to the mismatch of $\{a_\mu, b_\mu, A_\mu, B_\mu\}$, so the searching complexity will be small practically. Assuming that the ranges of the four secret parameters are $a_\mu \in [12, 50]$, $b_\mu \in [2.5, 9.5]$, $A_\mu \in [0.02, 0.1]$, $B_\mu \in [0.5, 2]$, respectively, the searching steps are chosen as $\delta_{a_\mu} = \delta_{b_\mu} = 1$, $\delta_{A_\mu} = 0.01$, $\delta_{B_\mu} = 0.1$, respectively. Note that the range and the searching step of $b_\mu$ are intentionally chosen to make sure that the real value $b_\mu = 5$ cannot be visited in the current searching precision, which is common in real attacks since the real values of the secret parameters are all unknown.…”