// Choose random c0,c1 such that c0+s*c1 = p*e for a short e
void RLWE(DoubleCRT& c0,DoubleCRT& c1, const DoubleCRT &s, long p, ZZ* prgSeed)
{
assert (p>0); // Can be used with p=1, but we always use with p>=2
// choose c1 at random (using prgSeed if not NULL)
c1.randomize(prgSeed);
// choose a short error e, set c0 = p*e - c1*s
c0.sampleGaussian();
c0 *= p;
// It is assumed that c0,c1 are defined with respect to the same set of
// primes, but s may be defined relative to a different set. Either way
// the primes for of c0,c1 are unchanged.
DoubleCRT tmp(c1);
tmp.Mul(s, /*matchIndexSets=*/false); // multiply but don't mod-up
c0 -= tmp;
}
