Abstract
Many cryptographic constructions are based on the well-known Learning With Errors (LWE) problem [Reg05]. In particular, it is currently the most relevant problem on which to build fully homomorphic encryption (FHE) [GSW13, BV11]. In [BV11], encrypting x consists of randomly choosing a vector \(\varvec{c}\) satisfying \(\langle \varvec{s},\varvec{c}\rangle =x+\textsf {noise}\pmod q\), where \(\varvec{s}\) is a secret size-n vector. While the vector sum is a homomorphic operator, such a scheme is intrinsically vulnerable to lattice-based attacks. To overcome this, we propose to define \(\varvec{c}\) as a pair of vectors \((\varvec{u},\varvec{v})\) satisfying \(\langle \varvec{s},\varvec{u}\rangle /\langle \varvec{s},\varvec{v}\rangle =x+\textsf {noise}\pmod q\). This simple scheme rests on a new cryptographic problem, intuitively no easier than LWE, which we call Fractional LWE (FLWE). While some homomorphic properties are lost, the secret vector \(\varvec{s}\) can hopefully be chosen shorter, leading to more efficient constructions. We extensively study the hardness of FLWE. We first prove that the decision and search versions are equivalent provided q is a small prime. We then propose a lattice-based cryptanalysis showing that n can be chosen logarithmic in \(\log q\), rather than polynomial as for LWE.
Notes
1. \(\langle \varvec{s},\varvec{c}\rangle \) denoting the scalar product between \(\varvec{s}\) and \(\varvec{c}\).
2. For instance \(s_1,\ldots ,s_n\) can be chosen arbitrarily.
3. not polynomial in the security parameter \(\lambda \).
4. \(u_1v_1^3+s(u_2v_1^3+3u_1v_1^2v_2)+s^2(3u_2v_1^2v_2+3u_1v_1v_2^2)+ s^3(u_1v_2^2+3u_2v_1v_2^2)+s^4(u_2v_2^3)=e\).
5. There does not exist any lattice-based attack satisfying Definition 3.
6. However, by choosing \(\delta =1\), this attack fails because \(ee'\gg q\).
7. Unlike our problem, some columns of \(\mathcal {A}\) can be removed in SIS (meaning that some components of the searched solution are set to 0), reducing the dimension of the considered lattice. Obviously, if too many columns are removed then short solutions no longer exist, so a compromise must be found (see [MR09]).
8. typically \(t<\ell /r\) according to Gaussian estimates.
9. meaning that \(q\mathbb {Z}^\ell \subset \mathcal {L}\), see [MR09].
10. and vectors belonging to \(q\mathbb {Z}^{\ell }\).
11. \(\gamma ^{d}\) for a full-rank dimension-d lattice.
12. The norm of any vector belonging to \(\mathbb {Z}_q^d\) is smaller than \( q\sqrt{d}\).
13. Consider the \(n\times n\) matrix \(M=[(u_{ij}-x_{i}v_{ij})_{1\le i,j\le n}]\), the vector \(\varvec{t}=(u_{i0}-x_{i}v_{i0})_{1\le i\le n}\) and the matrix \(M_j\) equal to M where the \(j^{th}\) column is replaced by \(-\varvec{t}\). Solving \(\mathcal {F}=0\) as a linear system gives \(s^{i}=\det M_i/\det M\). It follows that the polynomials \(p_i=\det M_i\) and \(p_0=\det M\) have \(2^n\) monomials \(x_{1}^{e_1}\cdots x_{n}^{e_n}\) where \(0\le e_1,\ldots , e_n \le 1\).
14. randomness coming from the choice of \(\mathcal {F}\), i.e. \(\varvec{w}_1,\ldots ,\varvec{w}_{m}\).
15. a quantity exponentially close to \(2^{n+1}\).
16. For instance, one can randomly choose \(\varvec{u},v_1,\ldots ,v_{n-1},e\) and adjust \(v_n\) in order to satisfy the equality.
17. Recall that given two vectors \(\varvec{a}=(a_0,\ldots ,a_n)\) and \(\varvec{b}=(b_0,\ldots ,b_n)\), \(\varvec{a}\odot \varvec{b}\overset{\textsf {def}}{=}(c_{ij})_{n\ge i \ge j \ge 0}\) with \(c_{ii}=a_ib_i\) and \(c_{ij}=a_ib_j+a_jb_i\) if \(i>j\).
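The FLWE sample of the abstract, generated the way note 16 describes (draw \(\varvec{u},v_1,\ldots,v_{n-1},e\), solve for \(v_n\)), together with the \(\odot\) product of note 17 used to multiply two samples under the quadratic monomials of \(\varvec{s}\). This is an added toy example, not the paper's code; the modulus, the secret and the claim that \(\odot\) is what composes two samples are assumptions made here, and vectors are indexed \(0,\ldots,n-1\) rather than \(0,\ldots,n\).

```python
# Added example (not from the paper): toy FLWE samples built as in note 16,
# and the odot product of note 17 applied to multiply two samples.
# The modulus below is a constructed toy parameter with no security value.
import random

q = 8191   # small prime modulus (constructed)

def inner(a, b):
    """Scalar product <a, b> mod q."""
    return sum(x * y for x, y in zip(a, b)) % q

def flwe_sample(s, x, e, rng=random):
    """Return (u, v) with <s,u> / <s,v> = x + e (mod q).
    Note 16: draw u and v_1..v_{n-1} at random, then solve for v_n.
    Needs s_n and x + e invertible mod q; u is redrawn until <s,u> != 0
    so that <s,v> (and hence decryption) is well defined."""
    y = (x + e) % q
    if y == 0 or s[-1] % q == 0:
        raise ValueError("x + e and s_n must be nonzero mod q")
    while True:
        u = [rng.randrange(q) for _ in range(len(s))]
        if inner(s, u):
            break
    v = [rng.randrange(q) for _ in range(len(s) - 1)]
    target = inner(s, u) * pow(y, -1, q) % q          # the <s,v> we need
    v_n = (target - inner(s[:-1], v)) * pow(s[-1], -1, q) % q
    return u, v + [v_n]

def flwe_decrypt(s, c):
    """Recover x + e = <s,u> * <s,v>^-1 mod q (the noise is not removed)."""
    u, v = c
    return inner(s, u) * pow(inner(s, v), -1, q) % q

def odot(a, b):
    """Note 17: (c_ij)_{i>=j} with c_ii = a_i b_i, c_ij = a_i b_j + a_j b_i."""
    return [(a[i] * b[i] if i == j else a[i] * b[j] + a[j] * b[i]) % q
            for i in range(len(a)) for j in range(i + 1)]

def monomials(s):
    """(s_i s_j)_{i>=j}; satisfies <monomials(s), odot(a,b)> = <s,a><s,b>."""
    return [s[i] * s[j] % q for i in range(len(s)) for j in range(i + 1)]

def flwe_mul(c1, c2):
    """Product sample, decryptable under the quadratic secret monomials(s):
    <m,U>/<m,V> = (x1+e1)(x2+e2). The secret grows from n to n(n+1)/2."""
    (u1, v1), (u2, v2) = c1, c2
    return odot(u1, u2), odot(v1, v2)
```

Adding two samples is not as direct: \((\varvec{u},\varvec{v})\) and \((\varvec{u}',\varvec{v}')\) have different denominators \(\langle \varvec{s},\varvec{v}\rangle\) and \(\langle \varvec{s},\varvec{v}'\rangle\), which is one of the homomorphic properties the abstract says are lost.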
References
Brakerski, Z., Gentry, C., Vaikuntanathan, V.: (Leveled) fully homomorphic encryption without bootstrapping. TOCT 6(3), 13:1–13:36 (2014)
Becker, T., Kredel, H., Weispfenning, V.: Gröbner Bases: A Computational Approach to Commutative Algebra. Springer, London (1993). https://doi.org/10.1007/978-1-4612-0913-3
Berlekamp, E.R., Rumsey, H., Solomon, G.: On the solution of algebraic equations over finite fields. Info. Control 10(6), 553–564 (1967)
Brakerski, Z., Vaikuntanathan, V.: Efficient fully homomorphic encryption from (standard) LWE. In: Proceedings of the 2011 IEEE 52nd Annual Symposium on Foundations of Computer Science, FOCS 2011, pp. 97–106. IEEE Computer Society, Washington, DC (2011)
Gavin, G., Bonnevay, S.: Fractional LWE: a nonlinear variant of LWE. Cryptology ePrint Archive, Report 2019/902 (2019). https://eprint.iacr.org/2019/902
Gentry, C., Sahai, A., Waters, B.: Homomorphic encryption from learning with errors: conceptually-simpler, asymptotically-faster, attribute-based. In: Canetti, R., Garay, J.A. (eds.) CRYPTO 2013. LNCS, vol. 8042, pp. 75–92. Springer, Heidelberg (2013). https://doi.org/10.1007/978-3-642-40041-4_5
Laine, K., Lauter, K.: Key recovery for LWE in polynomial time. Cryptology ePrint Archive, Report 2015/176 (2015). https://eprint.iacr.org/2015/176
Micciancio, D., Regev, O.: Lattice based cryptography. In: Bernstein, D.J., Buchmann, J., Dahmen, E. (eds.) Post-Quantum Cryptography, pp. 147–191. Springer, Berlin (2009). https://doi.org/10.1007/978-3-540-88702-7_5
Regev, O.: On lattices, learning with errors, random linear codes, and cryptography. In: Proceedings of the 37th Annual ACM Symposium on Theory of Computing, Baltimore, MD, USA, May 22–24 2005, pp. 84–93 (2005)
Szepieniec, A., Preneel, B.: Short solutions to nonlinear systems of equations. In: Kaczorowski, J., Pieprzyk, J., Pomykała, J. (eds.) NuTMiC 2017. LNCS, vol. 10737, pp. 71–90. Springer, Cham (2018). https://doi.org/10.1007/978-3-319-76620-1_5
© 2019 Springer Nature Switzerland AG
Cite this paper
Gavin, G., Bonnevay, S. (2019). Fractional LWE: A Nonlinear Variant of LWE. In: Mu, Y., Deng, R., Huang, X. (eds) Cryptology and Network Security. CANS 2019. Lecture Notes in Computer Science, vol. 11829. Springer, Cham. https://doi.org/10.1007/978-3-030-31578-8_20
DOI: https://doi.org/10.1007/978-3-030-31578-8_20
Publisher Name: Springer, Cham
Print ISBN: 978-3-030-31577-1
Online ISBN: 978-3-030-31578-8