1. Introduction
In this section we describe a cryptosystem based on the learning with errors problem (LWE) [1] [2]. First we introduce the LWE problem. Let
be a prime number,
be positive integers and consider a list of equations with error as follows:
Here
,
are chosen independently and uniformly from
, and
.
is the inner product of two vectors
and
. The errors in these equations are generated from a probability distribution
on
, i.e. for each equation, we have
and
is chosen independently based on the probability distribution
. The problem of finding
from such equations is called
. There is an equivalent description for the LWE problem. The input has a pair
where
is chosen uniformly, and the choices of
have two cases. One case for
is chosen uniformly from
, the other case is
for a uniformly chosen
and vector
chosen according to
. The goal is to distinguish between these two cases with non-negligible probability. It is also equivalent with a decoding problem in q-ary lattices [1].
The short integer solution (SIS) problem was first introduced in the seminal work of Ajtai [3], and has served as the foundation for one-way and collision-resistant hash functions, identification schemes, digital signatures, and other “minicrypt” primitives. A very important work of Regev from 2005 introduced the LWE problem, which is the “encryption-enabling” analogue of the SIS problem [4]. In fact, the two problems are very similar, and can meaningfully be seen as duals of each other.
The LWE problem is a very robust problem and can be viewed as an extension of a well-known problem in learning theory. It remains hard even if the attacker learns extra information about the secret and errors. Regev gave the worst-case hardness theorem for LWE [4]. The complexity of the best known algorithm is running in exponential time in n [5] [6] [7]. This theorem is proved by giving a quantum polynomial-time reduction that uses an oracle for LWE to solve
and
in the worst case, thereby transforming any algorithm that solves LWE into a quantum algorithm for lattice problems. The quantum nature of the reduction is meaningful since there are no known quantum algorithms for
and
that significantly outperform classical ones, beyond generic quantum speedups. It would be very useful to have a completely classical reduction to give further confidence in the hardness of LWE, which was given in 2009 by Peikert [8]. Regev also gave a public-key cryptosystem whose semantic security can provably be based on the LWE problem, and hence on the conjectured quantum hardness of
and
for
[4]. LWE problem has close relationship with decoding problems in coding theory [9] - [18]. Regev’s cryptosystem is secure against passive eavesdroppers since the LWE problem is hard.
Another application of LWE is fully homomorphic encryption (FHE) [19]. The earliest FHE constructions were based on average-case assumptions about ideal lattices [20] [21]. Later, Brakerski and Vaikuntanathan gave the second generation of FHE constructions, which were based on the LWE problem [22] [23]. In 2013, Gentry, Sahai, and Waters proposed an LWE-based FHE scheme that has some unique and advantageous properties, such as homomorphic multiplication does not require any key-switching step, and the scheme can be made identity-based. This yields unbounded FHE based on LWE with just an inverse-polynomial
error rate [24].
Now we introduce the efficient lattice-based cryptosystem in the following which has strong theoretical security [2].
· Private key:
is uniformly chosen at random.
· Public key:
is uniformly chosen at random and
is chosen from the distribution
. The public key is
.
· Encryption: Given
from the message space and a public key
, choose a vector
uniformly at random, and compute the ciphertext
.
· Decryption: Given a ciphertext
and a private key
, output
.
Here
are positive integers and
.
is defined to be the distribution on
obtained by sampling a normal variable with mean 0 and standard deviation
, rounding the result to the nearest integer and reduced modulo
.
is defined as the function from
to
by multiplying each coordinate by
and rounding to the nearest integer.
is defined to be the ‘inverse’ mapping of
by multiplying each coordinate by
and rounding to the nearest integer. The definitions of
and
are in the next section. The probability of decryption error in one letter for this cryptosystem is approximatively estimated in [2] as
(1)
where
is the cumulative distribution function of the standard normal distribution, i.e.
. We give a more precise upper bound estimation here
(2)
This upper bound probability could be closed to 0 if we choose
small enough. It means that the probability of decryption error for the cryptosystem could be sufficiently small. However, the above estimation is based on Gaussian disturbance. In our work, we also give the probability of decryption error for the LWE-based cryptosystem with more general disturbance. By central limit theorem [25], general disturbance could be approximated as Gaussian disturbance, then we get the following probability estimation result which is more advanced than that in [2].
(3)
here
is the standard deviation of disturbance distribution,
is positive real number.
Innovation and Contribution
Our work gives estimation probability of decryption error based on Gaussian disturbances and proves that the decryption error could be sufficiently small. The most salient innovation and contribution is that for any general disturbances, the decryption error could also be small enough. This indicates high security and reliability of LWE-based cryptosystem. In other words, this cryptosystem is secure enough against passive eavesdroppers and could be applied in many kinds of encryption process.
2. Methodology
2.1. Preliminary Property
Definition 1:
, let
be the closest integer to
, specially,
is defined to be
if the fractional part of
is
. It is trivial that
for all
.
Lemma 1:
and
are positive integers,
.
, let
.
, let
. Then
for
holds.
Remark: If
, we have
, so the definition of
is well defined and reasonable.
Proof of lemma 1: 1) If
, then we have
and
2) If
, then
, we know
It follows that
So we can get
This is equivalent to
and
Thus,
This means that
Lemma 2:
and
are positive integers,
. If
is uniformly chosen in
, then
Proof:
, from lemma 1 we have
This is equivalent to
So we get
Here
are different from each other in
. Next we prove that the number of
in
satisfying
is no more than
. Let
be the set containing all the elements satisfying
in
.
,
in
, then we have
in
. This means the number of
is no more than
.
Above all, it shows that
are just all the numbers in
such that
. Based on
is uniformly chosen in
, then
Corollary 1:
,
and
are positive integers.
, let
.
, let
. If
is uniformly chosen in
and
are independent, then
Proof: If
, from lemma 1, we have
So
If
, from lemma 2, we have
Since
are independent, therefore,
2.2. Probability of Decryption Error Based on Gaussian Disturbance
Now we can calculate the probability of decryption error for the LWE-based cryptosystem. As described in the first section, assume
be the private key,
be the public key, and we choose
from the message space, encrypt
and then decrypt it. The ciphertext is
. The decryption result is
Here the decryption result
. The decryption error occurs if
. Since all the parameters are taken to guarantee security and efficiency of the cryptosystem, here we set
and obtain the following theorem.
Theorem 1:
are positive integers and
.
,
is defined in the previous section,
is a Gaussian disturbance matrix with each element chosen independently from the Gaussian distribution with mean 0 and standard deviation
,
is uniformly chosen at random. Then we have the following inequality of the probability of decryption error.
Here
is the cumulative distribution function of the standard normal distribution, i.e.
.
Proof: In order to compute the probability of decryption error, we consider one letter first, i.e. the probability of
, here
is the ith coordinate of
,
and
is the ith coordinate of
. From lemma 1 we know that
for any
under this condition. We have
So if
, we get
It means that if
, we can get
. Equivalently, if
, i.e. the decryption error occurs in the ith letter, then
. So the probability of decryption error in one letter is no more than the probability of
, i.e.
The next step we estimate the probability of
. Since each coordinate of
is chosen independently from the Gaussian distribution with mean 0 and standard deviation
and the sum of independent Gaussian variables is still a Gaussian variable,
is also a Gaussian distribution variable.
and each
is chosen from
uniformly at random, then
Therefore
is treated as a normal distribution with mean 0 and standard deviation
. We have
So we get the following inequality for probability of decryption error of the LWE-based cryptosystem
This upper bound probability estimation is more precise than (1). The upper bound could be as closed as 0 if we choose
small enough. It means that the probability of decryption error for the LWE-based cryptosystem could be made very small with an appropriate setting of parameters.
2.3. Probability of Decryption Error for General Disturbance
In this section we estimate the probability of decryption error for the LWE-based cryptosystem when the noise matrix
is chosen independently from a general common variable.
Theorem 2:
are positive integers and
,
is a undetermined positive integer.
,
is defined in the second section,
is a general disturbance matrix with each element chosen independently from a common random variable of mean 0 and standard deviation
,
is uniformly chosen at random. For any
, we can find positive integer
, such that the following inequality of the probability of decryption error holds.
Here
is the cumulative distribution function of the standard normal distribution, i.e.
.
Proof: Similarly as the proof of theorem 1, we need to estimate the probability of
. Since the coordinates of
are independent identically distributed,
and
are also independent, by central limit theorem [25],
is approximately normal distribution with mean 0 and standard deviation
. Thus, for any sufficiently small
, there is a positive integer
such that
Here
. Then we get the following inequality for probability of decryption error of the LWE-based cryptosystem for general disturbance
This probability could be also closed to 0 if we choose the parameter
and
small enough. Therefore the probability of decryption error of the LWE-based cryptosystem for general disturbance could be made very small, which leads to high security.
Example 1: Let
,
,
,
,
,
,
is uniformly chosen at random, the disturbance
is a random variable with the distribution
such that
for integer
and
with parameter
,
is uniformly chosen at random. Then the probability of decryption error
On the other hand,
So it follows that
The inequality in theorem 2 holds.
Example 2: Let
,
,
,
,
,
,
is uniformly chosen at random, the disturbance
is a Laplace distribution variable with parameter
and probability density function
rounding to the nearest integer,
is uniformly chosen at random. Similarly as example 1, the probability of decryption error
On the other hand,
It follows that
The inequality in theorem 2 holds.
3. Results and Conclusion
In this work we first introduce the LWE problem and LWE-based cryptosystem. We give a more precise estimation probability of decryption error based on independent identical Gaussian disturbances. The salient significance of our work is that for any general independent identical disturbances, we also give the estimation probability of decryption error using central limit theorem. The upper bound probability could be closed to 0 if we choose applicable parameters. It means that the probability of decryption error for the cryptosystem could be sufficiently small. Then we confirm that the LWE-based cryptosystem could have high security.
4. Discussion
Future Work
Although we have reached our objective in this work, there are still many interesting works to study in this research area in the future. We will focus on the fully homomorphic encryption (FHE) based cryptosystem later, which is an application of LWE [20] [21] [22] [23] [24]. Fully homomorphic encryption was known to have abundant applications in cryptography, but for three decades no plausibly secure scheme was known until 2009. To date, the FHE based cryptography has more than three generations. The third generation FHE scheme based on LWE problem is proved that has some unique and advantageous properties [24]. It also remains some improvable techniques which need to be studied in depth.