Learning with Errors Public Key Cryptosystem with Its Security ()
1. Introduction
In 2005, O. Regev proposed the first LWE public key cryptosystem in Tel Aviv University in Israel based on LWE distribution
. Because of this paper, Regev won the highest award for theoretical computer science in 2018—the Godel Award. The size of public key is
bits, and the size of private key s and ciphertext is
bits. The plaintext encrypted each time is 1 bit. In fact, the LWE public key cryptosystem is a probabilistic cryptosystem, which depends on a high probability algorithm. Since the security of LWE problem has been clearly proved, the LWE cryptosystem has received extensive attention as soon as it was proposed, and it becomes the most cutting-edge research topic in the lattice-based cryptosystem study.
Let p be a prime number,
be two positive integers. Given a list of equations with error as follows:
where
,
,
are selected independently and uniformly, and
means the inner product of the vectors s and
. The errors
in the above equations come from a probability distribution
, i.e. for any
, we have
and
is generated independently according to the probability distribution
. The problem of finding
is denoted as
[1] [2]. The LWE public key cryptosystem of Regev introduced in the next section is proposed based on this problem.
The LWE problem could be regarded as an extension of a well known problem in learning theory which is believed hard to solve. Many researchers worked on the LWE problem and proved that the complexity of the best known algorithm is running in exponential time of n [3] [4] [5] [6]. An important theorem that gives the difficulty of solving the LWE problem is at least as hard as that of hard problems on lattice, such as the determination of the shortest vector problem (GapSVP) and the continuous shortest vector problem (SIVP) [3], which is proved by a quantum polynomial probabilistic reduction algorithm. Since the academic community believes that the hard problems on lattice such as the SVP, SIVP and GapSVP problems can resist quantum computing effectively, that is, there are no known quantum algorithms to solve the hard problems on lattice, so that the security of the LWE public key cryptosystem is guaranteed. We will give a detailed proof for the security of the LWE cryptosystem proposed by Regev in 2005 in section 3. However, this cryptosystem could only encrypt a single bit of plaintext and the efficiency is low. In order to encrypt multiple bits of plaintext and improve the efficiency signally, Regev presented a general LWE cryptosystem in 2009. We gave a more precise estimation probability of decryption error based on independent identical Gaussian disturbances and any general independent identical disturbances in [7], which shows that the general LWE public key cryptosystem could have high security.
An application of the LWE cryptosystem is the fully homomorphic encryption (FHE) [8]. The earliest FHE cryptosystem was based on average-case assumptions about ideal lattices [9] [10]. Later, Brakerski and Vaikuntanathan constructed the second FHE cryptosystem, which was based on the LWE problem [11] [12]. In 2013, the third fully homomorphic encryption algorithm based on the LWE problem was proposed by Gentry, Sahai, and Waters, which is proved that has some unique and advantageous properties [13]. It also remains some improvable techniques which need to be studied in depth [14]. The main purpose of this paper is to introduce the LWE public key cryptosystem with the proof of its security mathematically, which guarantees the widespread applications of it.
2. LWE Cryptosystem of Regev
Let
,
be positive integers,
be a given probability distribution in
. The LWE distribution
is
(1.1)
where
is uniformly distributed,
is the private key chosen at random,
,
is called error distribution. LWE cryptosystem depends on LWE distribution
, and its workflow has the following three steps:
1) Public key
First we choose
at random as the private key, let
. Then we choose m samples distributed from
,
,
,
,
. Let
where
is a matrix uniformly at random,
indicates the m samples are independent. The public key of LWE cryptosystem is the following
matrix
(1.2)
If the uniformly random matrix
is given and saved for all the users of LWE cryptosystem, then the true public key is
with size
. The public key and private key satisfy the following equation:
(1.3)
2) Encryption.
In order to encrypt plaintext of 1 bit
, let
be an uniformly distributed m dimensional vector with each entry 0 or 1. The ciphertext
is an
dimensional vector in
, defined by
(1.4)
where
,
,
is the nearest integer to
. We call
the encryption algorithm of LWE. In order to understand the encryption algorithm better, we give another definition of
.
The following set
has
subsets. We choose a subset
uniformly at random which is called the index set. Then the encryption algorithm
for plaintext
is
(1.5)
In fact, the subset S is corresponding to the uniformly chosen vector
. The above formula (1.5) was proposed by Regev originally.
3) Decryption
We use the private key
for decryption of the ciphertext c. Actually, we only need to decrypt for the last entry of vector c. We have
(1.6)
The error samples are much smaller than q, namely
(1.7)
Therefore, by comparing the distances between the right side of (1.6) and 0 or
, one can decrypt successfully:
(1.8)
finally we have
and finish the whole workflow of LWE cryptosystem.
Both of the encryption algorithm and decryption algorithm of LWE are probabilistic algorithms, so we should verify the correctness, namely
(1.9)
Here
is a negligible function of n, i.e.
,
, more precisely:
We prove (1.9) with given discrete Gauss distribution
. For
,
,
(1.10)
For
, we define
(1.11)
Lemma 1.1: Let
,
, if the distribution
satisfies
(1.12)
then (1.9) holds, i.e.
Proof: When we choose the error samples
,
, we can always guarantee
without changing the probability distribution. By (1.7), suppose that
, the corresponding sample
As long as (1.7) holds, i.e.
then
Next we prove (1.12) holds for discrete Gauss distribution
in
. The following assumptions are made for the selection of parameters:
(1.13)
where the symbol o indicates
For example, we can choose
, or
Lemma 1.2: Under the condition for parameters of (1.13), for any
, we have
(1.14)
where
,
, is a negligible function.
Proof: Based on (1.13), when
, it is easy to see that
The k samples
distributed as
could be obtained from the k samples
of distribution
, where
Here the set of representative elements of
is
So we have
Note that
therefore,
we have
. Since
mod 1 distributed as
, where
, so
where
. We complete the proof.
3. The Proof of Security
To prove the security of Regev’s cryptosystem, we first prove some general properties for the probability distribution of Abel group by Impagliazzo and Zurkerman [15].
Let G be a finite Abel group,
be a positive integer. For any
elements
, suppose
,
, then
is called a subsum of
. Randomly choose
, let
denote the distribution of subsum, and let
denote the uniformly distribution on G.
Lemma 2.1: For any
elements
uniformly at random, the expectation of statistical distance between the distribution of subsum and the uniformly distribution on
is
Specially, the probability that the statistical distance is larger than
is no more than
, i.e.
Proof: Let
be
group elements chosen at random,
is a given group element. Define
we call
the distribution of subsum for g. In order to prove
is close to uniformly distribution, we first prove the
norm between
and the uniformly distribution is very small. In fact, we have:
Note that for any
,
So the expectation of
norm for g satisfy
Finally, we have the following estimation
We complete the proof.
The security of LWE public key cryptosystem by Regev is ascribed to the following theorem, which is the most important result in this section.
Theorem 1: For any
,
, if there is a probabilistic polynomial time algorithm W which distinguishes the plaintext
or
from the ciphertext c, then there exists a polynomial time algorithm solving the
problem.
Proof: The public key of LWE cryptosystem is
, where
is a matrix uniformly at random,
is an m dimensional vector chosen uniformly. The encryption function
is
Since W is a probabilistic polynomial time algorithm, suppose
is the probability that decrypting
from
by W, and
is the probability that decrypting
from
, i.e.
(2.1)
If
is uniformly at random, then LWE distribution
is uniformly LWE distribution. Let
be the probability of decryption successfully by W under the condition of uniformly distribution
. Suppose that
(2.2)
Under the assumption of (2.2), we will construct a new algorithm
satisfying
(2.3)
By (2.2), we have
If the first inequality of the above formula holds, let
. If the second inequality of the above formula holds, then construct
as follows. Let the function
be
. Thus,
maps the LWE distribution
to
. If b is uniformly at random, so is
. We define
to be the decryption on LWE distribution
by W. According to (1.5),
So
is the algorithm which satisfies (2.3).
Let
, the public key sample satisfies distribution of
. Let
be the probability of decryption
successfully by
, i.e.
Similarly, let
be the probability of decryption successfully by
if
is uniformly at random. Suppose
(2.4)
We define
(2.5)
It’s easy to prove: if
is uniformly distributed, then we have
Therefore, in order to prove theorem 1, we need to find an algorithm Z to determine whether the LWE distribution
is uniformly at random for any
. The construction of algorithm Z: let R be a probability distribution on
which is uniform LWE distribution or general LWE distribution when
, i.e.
Let
,
be m random samples from distribution R. Let
be the probability of decryption
successfully by
, where
,
. In the same way, suppose
is the probability of decryption
successfully by
if R is uniform LWE distribution. We estimate
and
by using the algorithm
polynomial times so that the error could be controlled within
. If
, then the algorithm Z is effective, otherwise it is noneffective.
We first confirm: if R is uniform LWE distribution, then Z is noneffective with high probability. Because in this case,
, b is uniformly at random. According to lemma 2.1, the Abel group
, we have
In this case, Z is noneffective.
If
, where
, we are to prove the algorithm Z is effective with probability
, i.e. one can distinguish
from uniform distribution. Since
, in the average sense we get
Thus, the algorithm Z is effective for
,
with positive probability. We complete the proof of theorem 1.
4. General LWE-Based Cryptosystem
We introduced the LWE cryptosystem proposed by Regev in section 2, and proved its security in section 3. However, it could only encrypt a single bit of plaintext and the efficiency is low. Based on the definition and properties of rounding function, Regev presented a general LWE cryptosystem in 2009, which could encrypt multiple bits of plaintext
with size
and improve the efficiency signally. In this section, we introduce general LWE cryptosystem first. Then we discuss the probability of decryption error for this cryptosystem and prove that it could be sufficiently small with suitable parameters. So we verify our core result that the LWE cryptosystem could have high security.
Definition 3.1: Let
be positive integers, we define function
as
(3.1)
and the “inverse function”
as
(3.2)
Let
be positive integers,
, function F and its “inverse function” are defined in 3.1. The workflow of general LWE cryptosystem is as follows:
1) Selection of private key S:
is an
matrix uniformly at random in
.
In the LWE cryptosystem introduced in section 2, the private key is an n dimensional randomly chosen vector
. To encrypt more general plaintext
, we randomly select
private keys
independently and form an
matrix
. This is the private key S for general LWE cryptosystem.
2) Public key.
When the private key
is fixed, in order to choose samples from LWE distribution, we first select m uniform n dimensional vectors
in
and form a uniform random matrix
Then we generate
noise matrix samples
from distribution
, i.e.
,
,
,
, and the
samples are mutually independent. Finally we get an
matrix P
The public key of LWE cryptosystem is
, which is similar to that in section 2. Here we only change the public key from
to
matrix
. If the uniformly random matrix A is given and saved for all the users of LWE cryptosystem, then the true public key is the matrix P, and the public key and private key satisfy the following equation
3) Encryption.
To encrypt multiple bits of plaintext
, let
be an m dimensional vector with each entry selected uniformly in
,
i.e. a is uniformly distributed. Ciphertext
is an
dimensional vector, defined by
where F is defined in (3.1), and
is called the encryption algorithm of LWE cryptosystem.
4) Decryption.
Given ciphertext
and the private key S, we compute
as the result of decryption. We have
We need to calculate the probability of decryption error for this cryptosystem, namely, the probability of
. The following theorem 2 gives a more precise upper bound estimation than [2] for this probability, which is proved in [7].
Theorem 2: Suppose
, we have the following inequality of the probability of decryption error
(3.3)
Here
is the cumulative distribution function of the standard normal distribution, i.e.
.
The upper bound could be as closed as 0 if we choose
small enough. It means that the probability of decryption error for the LWE cryptosystem could be made very small with an appropriate setting of parameters.
We could also estimate the probability of decryption error for the LWE cryptosystem when the noise matrix
is chosen independently from a general common variable, rather than Gauss distribution. By central limit theorem [16], general disturbances could be approximated as Gaussian disturbances. We have the following theorem 3 which is proved in [7].
Theorem 3:
,
, each element
is selected independently from a common random variable of mean 0 and standard deviation
. For any
, we can find positive integer m, such that the following inequality of the probability of decryption error holds,
(3.4)
Here
is the cumulative distribution function of the standard normal distribution, i.e.
.
This probability could also be closed to 0 if we choose the parameter
and
small enough. Therefore the probability of decryption error of the LWE cryptosystem for general disturbance could be made very small, which leads to high security.
5. Conclusion
In this work, we introduce the LWE cryptosystem of Regev, and give a detailed proof for the security of LWE public key cryptosystem by Regev. We also introduce general LWE cryptosystem presented by Regev in order to encrypt multiple bits of plaintext and improve the efficiency signally. For not only independent identical Gaussian disturbances but also any general independent identical disturbances, we give a more accurate estimation probability of decryption error of general LWE cryptosystem. The upper bound probability could be closed to 0 if we choose applicable parameters, which means that the probability of decryption error for general LWE cryptosystem could be sufficiently small. So we verify that the LWE public key cryptosystem could have high security.
Acknowledgements
The authors would like to thank the editors and reviewers for their constructive comments, which help improve the study significantly.