
Fractional LWE: A Nonlinear Variant of LWE

Conference paper in: Cryptology and Network Security (CANS 2019)

Part of the book series: Lecture Notes in Computer Science (LNSC, volume 11829)

Abstract

Many cryptographic constructions are based on the famous problem LWE [Reg05]. In particular, this cryptographic problem is currently the most relevant to build FHE [GSW13, BV11]. In [BV11], encrypting x consists of randomly choosing a vector \(\varvec{c}\) satisfying \(\langle \varvec{s},\varvec{c}\rangle =x+\textsf {noise}\pmod q\), where \(\varvec{s}\) is a secret size-n vector. While the vector sum is a homomorphic operator, such a scheme is intrinsically vulnerable to lattice-based attacks. To overcome this, we propose to define \(\varvec{c}\) as a pair of vectors \((\varvec{u},\varvec{v})\) satisfying \(\langle \varvec{s},\varvec{u}\rangle /\langle \varvec{s},\varvec{v}\rangle =x+\textsf {noise}\pmod q\). This simple scheme is based on a new cryptographic problem, intuitively not easier than LWE, called Fractional LWE (FLWE). While some homomorphic properties are lost, the secret vector \(\varvec{s}\) could hopefully be chosen shorter, leading to more efficient constructions. We extensively study the hardness of FLWE. We first prove that the decision and search versions are equivalent provided q is a small prime. We then propose lattice-based cryptanalysis showing that n could be chosen logarithmic in \(\log q\) instead of polynomial as for LWE.
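As an added illustration (example code, not from the paper or its authors), the following Python builds FLWE pairs \((\varvec{u},\varvec{v})\) with \(\langle \varvec{s},\varvec{u}\rangle /\langle \varvec{s},\varvec{v}\rangle = x+e \pmod q\) the way note 16 describes (draw \(\varvec{u}\) and \(v_1,\ldots ,v_{n-1}\) at random, then solve for \(v_n\)), opens them with the secret, and checks the abstract's remark that the LWE vector-sum operator is lost. Everything beyond that is this example's own choice: q prime, \(s_n\) invertible, a Regev-style bit encoding \(x=m\lfloor q/2\rfloor\), and the toy parameters in `run_demo`.

```python
import random


def inner(a, b, q):
    """Scalar product <a, b> reduced mod q (note 1 of the paper)."""
    return sum(x * y for x, y in zip(a, b)) % q


def flwe_sample(s, y, q, rng):
    """Return (u, v) with <s,u> / <s,v> = y (mod q), y being the already-noised
    value x + e. Construction of note 16: draw u and v_1..v_{n-1} at random,
    then solve the equality for v_n. Assumes q prime and y, s_n invertible mod q."""
    n = len(s)
    y %= q
    if y == 0 or s[-1] % q == 0:
        raise ValueError("y and s_n must be invertible mod q")
    u = [rng.randrange(q) for _ in range(n)]
    v = [rng.randrange(q) for _ in range(n - 1)]
    # <s,u> = y * <s,v>  <=>  s_n * v_n = y^{-1} <s,u> - sum_{i<n} s_i v_i  (mod q)
    partial = (pow(y, -1, q) * inner(s, u, q) - inner(s[:-1], v, q)) % q
    v.append(partial * pow(s[-1], -1, q) % q)
    return u, v


def flwe_open(s, u, v, q):
    """Holder of the secret recovers x + e as <s,u> * <s,v>^{-1} mod q
    (None in the rare case <s,v> = 0, which has no inverse)."""
    d = inner(s, v, q)
    return None if d == 0 else inner(s, u, q) * pow(d, -1, q) % q


def encrypt_bit(s, m, q, noise_bound, rng):
    """Bit encoding chosen for this example (the abstract fixes none):
    x = m * floor(q/2), e uniform in [-B, B], resampled if x + e = 0 mod q."""
    x = m * (q // 2)
    while True:
        e = rng.randint(-noise_bound, noise_bound)
        if (x + e) % q:
            return flwe_sample(s, x + e, q, rng)


def decrypt_bit(s, u, v, q):
    """Open the pair, lift x + e to (-q/2, q/2] and round the noise away."""
    y = flwe_open(s, u, v, q)
    if y is None:
        raise ValueError("degenerate pair: <s,v> = 0")
    centered = y if y <= q // 2 else y - q
    return 0 if abs(centered) < q // 4 else 1


def vector_sum_preserves_plaintext(s, q, rng):
    """Add two pairs coordinate-wise (the operator that is homomorphic for LWE
    ciphertexts) and check whether the result still opens to y1 + y2."""
    y1, y2 = rng.randrange(1, q), rng.randrange(1, q)
    u1, v1 = flwe_sample(s, y1, q, rng)
    u2, v2 = flwe_sample(s, y2, q, rng)
    u = [(a + b) % q for a, b in zip(u1, u2)]
    v = [(a + b) % q for a, b in zip(v1, v2)]
    return flwe_open(s, u, v, q) == (y1 + y2) % q


def run_demo(seed=7, n=4, q=65537, noise_bound=16):
    """Deterministic demo on constructed toy parameters (q prime, n = 4)."""
    rng = random.Random(seed)
    s = [rng.randrange(1, q) for _ in range(n)]  # secret; s_n != 0 by construction
    opens = flwe_open(s, *flwe_sample(s, 12345, q, rng), q) == 12345
    decrypts = all(decrypt_bit(s, *encrypt_bit(s, m, q, noise_bound, rng), q) == m
                   for m in (0, 1) for _ in range(25))
    # For LWE, summing ciphertexts sums plaintexts; for FLWE pairs the quotient
    # (<s,u1>+<s,u2>)/(<s,v1>+<s,v2>) is a mediant, not y1 + y2 in general.
    sums_ok = sum(vector_sum_preserves_plaintext(s, q, rng) for _ in range(8))
    return {"opens_to_noised_value": opens, "bits_decrypt": decrypts,
            "additive_sums_preserved": sums_ok}


if __name__ == "__main__":
    print(run_demo())
```

Running `run_demo()` shows the pairs open correctly and the bits decrypt, while the coordinate-wise sum of two pairs opens to a mediant of the two noised values rather than their sum: this is the homomorphic property the abstract says is given up in exchange for the nonlinear (fractional) structure.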


Notes

  1. \(\langle \varvec{s},\varvec{c}\rangle \) denoting the scalar product between \(\varvec{s}\) and \(\varvec{c}\).

  2. For instance \(s_1,\ldots ,s_n\) can be chosen arbitrarily.

  3. not polynomial in the security parameter \(\lambda \).

  4. \(u_1v_1^3+s(u_2v_1^3+3u_1v_1^2v_2)+s^2(3u_2v_1^2v_2+3u_1v_1v_2^2)+ s^3(u_1v_2^2+3u_2v_1v_2^2)+s^4(u_2v_2^3)=e\).

  5. There does not exist any lattice-based attack satisfying Definition 3.

  6. However, by choosing \(\delta =1\), this attack fails because \(ee'\gg q\).

  7. Unlike our problem, some columns of \(\mathcal {A}\) can be removed in SIS (meaning that some components of the searched solution are set to 0), reducing the dimension of the considered lattice. Obviously, if too many columns are removed then short solutions do not exist, meaning that a compromise should be made (see [MR09]).

  8. typically \(t<\ell /r\) according to Gaussian estimations.

  9. meaning that \(q\mathbb {Z}^\ell \subset \mathcal {L}\), see [MR09].

  10. and vectors belonging to \(q\mathbb {Z}^{\ell }\).

  11. \(\gamma ^{d}\) for a full rank dimension-d lattice.

  12. The norm of any vector belonging to \(\mathbb {Z}_q^d\) is smaller than \( q\sqrt{d}\).

  13. Consider the \(n\times n\) matrix \(M=[(u_{ij}-x_{i}v_{ij})_{1\le i,j\le n}]\), the vector \(\varvec{t}=(u_{i0}-x_{i}v_{i0})_{1\le i\le n}\) and the matrix \(M_j\) equal to M where the \(j^{th}\) column is replaced by \(-\varvec{t}\). Solving \(\mathcal {F}=0\) as a linear system gives \(s^{i}=\det M_i/\det M\). It follows that the polynomials \(p_i=\det M_i\) and \(p_0=\det M\) have \(2^n\) monomials \(x_{1}^{e_1}\cdots x_{n}^{e_n}\) where \(0\le e_1,\ldots , e_n \le 1\).

  14. randomness coming from the choice of \(\mathcal {F}\), i.e. \(\varvec{w}_1,\ldots ,\varvec{w}_{m}.\)

  15. a quantity exponentially close to \(2^{n+1}\).

  16. For instance, one can randomly choose \(\varvec{u},v_1,\ldots ,v_{n-1},e\) and adjust \(v_n\) in order to satisfy the equality.

  17. Recall that given two vectors \(\varvec{a}=(a_0,\ldots ,a_n)\) and \(\varvec{b}=(b_0,\ldots ,b_n)\), \(\varvec{a}\odot \varvec{b}\overset{\textsf {def}}{=}(c_{ij})_{n\ge i \ge j \ge 0}\) with \(c_{ii}=a_ib_i\) and \(c_{ij}=a_ib_j+a_jb_i\) if \(i>j\).
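Added example for note 17 (not code from the paper): the operator \(\odot\) packs the product of the two linear forms \(\langle \varvec{a},\varvec{s}\rangle \langle \varvec{b},\varvec{s}\rangle\) into a vector of \((n+1)(n+2)/2\) coefficients, one per monomial \(s_is_j\) with \(n\ge i\ge j\ge 0\). The identity \(\langle \varvec{a},\varvec{s}\rangle \langle \varvec{b},\varvec{s}\rangle = \sum_{i\ge j} c_{ij}\,s_is_j\) follows directly from the definition; reading it as the linearisation step that turns a degree-2 relation in the secret into a linear one over the monomials is this example's framing, and the vectors below are constructed.

```python
def odot(a, b):
    """a ⊙ b from note 17: c_ii = a_i b_i and c_ij = a_i b_j + a_j b_i for i > j,
    returned as a dict keyed by (i, j) with n >= i >= j >= 0."""
    if len(a) != len(b):
        raise ValueError("vectors must have the same length")
    n = len(a) - 1
    c = {}
    for i in range(n + 1):
        for j in range(i + 1):
            c[(i, j)] = a[i] * b[i] if i == j else a[i] * b[j] + a[j] * b[i]
    return c


def monomials(s):
    """The degree-2 monomials s_i s_j (n >= i >= j >= 0) that a ⊙ b is paired with."""
    n = len(s) - 1
    return {(i, j): s[i] * s[j] for i in range(n + 1) for j in range(i + 1)}


def linearised_product(a, b, s):
    """<a ⊙ b, monomials(s)>: the product expressed linearly in the s_i s_j."""
    c, m = odot(a, b), monomials(s)
    return sum(c[k] * m[k] for k in c)


def direct_product(a, b, s):
    """<a, s> * <b, s> computed the plain way, for comparison."""
    return sum(x * y for x, y in zip(a, s)) * sum(x * y for x, y in zip(b, s))


if __name__ == "__main__":
    # constructed sample vectors with n = 2, so a ⊙ b has 6 entries
    a, b, s = [1, 2, 3], [4, 5, 6], [7, 8, 9]
    print(odot(a, b))
    print(direct_product(a, b, s), linearised_product(a, b, s))
```

The point of the check is dimension: a relation quadratic in the n+1 secret coordinates becomes a linear relation in \((n+1)(n+2)/2\) unknowns, which is what lets the fractional relation \(\langle \varvec{s},\varvec{u}\rangle =(x+e)\langle \varvec{s},\varvec{v}\rangle\) be treated with linear-algebra and lattice tools at the cost of a larger dimension.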

References

  1. Brakerski, Z., Gentry, C., Vaikuntanathan, V.: (Leveled) fully homomorphic encryption without bootstrapping. TOCT 6(3), 13:1–13:36 (2014)

  2. Becker, T., Kredel, H., Weispfenning, V.: Gröbner Bases: A Computational Approach to Commutative Algebra. Springer, London (1993). https://doi.org/10.1007/978-1-4612-0913-3

  3. Berlekamp, E.R., Rumsey, H., Solomon, G.: On the solution of algebraic equations over finite fields. Info. Control 10(6), 553–564 (1967)

  4. Brakerski, Z., Vaikuntanathan, V.: Efficient fully homomorphic encryption from (standard) LWE. In: Proceedings of the 2011 IEEE 52nd Annual Symposium on Foundations of Computer Science, FOCS 2011, pp. 97–106. IEEE Computer Society, Washington DC (2011)

  5. Gavin, G., Bonnevay, S.: Fractional LWE: a nonlinear variant of LWE. Cryptology ePrint Archive, Report 2019/902 (2019). https://eprint.iacr.org/2019/902

  6. Gentry, C., Sahai, A., Waters, B.: Homomorphic encryption from learning with errors: conceptually-simpler, asymptotically-faster, attribute-based. In: Canetti, R., Garay, J.A. (eds.) CRYPTO 2013. LNCS, vol. 8042, pp. 75–92. Springer, Heidelberg (2013). https://doi.org/10.1007/978-3-642-40041-4_5

  7. Laine, K., Lauter, K.: Key recovery for LWE in polynomial time. Cryptology ePrint Archive, Report 2015/176 (2015). https://eprint.iacr.org/2015/176

  8. Micciancio, D., Regev, O.: Lattice based cryptography. In: Bernstein, D.J., Buchmann, J., Dahmen, E. (eds.) Post-Quantum Cryptography, pp. 147–191. Springer, Berlin (2009). https://doi.org/10.1007/978-3-540-88702-7_5

  9. Regev, O.: On lattices, learning with errors, random linear codes, and cryptography. In: Proceedings of the 37th Annual ACM Symposium on Theory of Computing, Baltimore, MD, USA, May 22–24 2005, pp. 84–93 (2005)

  10. Szepieniec, A., Preneel, B.: Short solutions to nonlinear systems of equations. In: Kaczorowski, J., Pieprzyk, J., Pomykała, J. (eds.) NuTMiC 2017. LNCS, vol. 10737, pp. 71–90. Springer, Cham (2018). https://doi.org/10.1007/978-3-319-76620-1_5

Corresponding author: Gerald Gavin

© 2019 Springer Nature Switzerland AG

Cite this paper

Gavin, G., Bonnevay, S. (2019). Fractional LWE: A Nonlinear Variant of LWE. In: Mu, Y., Deng, R., Huang, X. (eds) Cryptology and Network Security. CANS 2019. Lecture Notes in Computer Science, vol. 11829. Springer, Cham. https://doi.org/10.1007/978-3-030-31578-8_20

  • DOI: https://doi.org/10.1007/978-3-030-31578-8_20

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-030-31577-1

  • Online ISBN: 978-3-030-31578-8