Home - 密码学

经历春天观赏夜樱,夏天挂玉菊,秋天听仁和贺戏,四季变换,而这条街始终喧嚣热闹,门前的这条大街,10 分钟不到就有 75 辆车来来往往。

# An LWE-Based Encryption Scheme

Consider such an encryption scheme:

sk:s[β]mpk:(A,t)=(AZqm×m,t=As+e1),e1[β]m\begin{aligned} & sk:\textbf{s}\leftarrow[\beta]^m\\ & pk:(\textbf{A},\textbf{t})= (\textbf{A}\leftarrow \mathbb{Z}_q^{m\times m},\textbf{t}=\textbf{As}+\textbf{e}_1),\textbf{e}_1\leftarrow [\beta]^m \end{aligned}

where [β]={β,...,1,0,1,...,β}[\beta]=\{-\beta,...,-1,0,1,...,\beta\}. To encrypt a message μ{0,1}\mu\in\{0,1\}, the encryptor chooses r,e2[β]m,e3[β]\textbf{r},\textbf{e}_2\in[\beta]^m,e_3\in[\beta] and compute:

(uT,v)=(rTA+e2T,rTt+e3+q/2μ)(\textbf{u}^T,v)=(\textbf{r}^T\textbf{A}+\textbf{e}_2^T,\textbf{r}^T\textbf{t}+e_3+\lceil q/2\rfloor\mu)

where q/2\lceil q/2\rfloor is the nearest number to q/2q/2.

To decrypt:

  1. Compute:

    vuTs=rTt+e3+q/2μrTAse2Ts=rT(As+e1)+e3+q/2μrTAse2Ts=rTe1+e3+q/2μe2Ts\begin{aligned} v-\textbf{u}^T\textbf{s}&=\textbf{r}^T\textbf{t}+e_3+\lceil q/2\rfloor \mu-\textbf{r}^T\textbf{As}-\textbf{e}_2^T\textbf{s}\\ &=\textbf{r}^T(\textbf{As}+\textbf{e}_1)+e_3+\lceil q/2\rfloor \mu-\textbf{r}^T\textbf{As}-\textbf{e}_2^T\textbf{s}\\ &= \textbf{r}^T\textbf{e}_1+e_3+\lceil q/2\rfloor \mu -\textbf{e}_2^T\textbf{s} \end{aligned}

  2. Since r,e1,s,e2[β]m,e3[β]\textbf{r},\textbf{e}_1,\textbf{s},\textbf{e}_2\in [\beta]^m,e_3\in[\beta], so rTe1[mβ2],e2Ts[mβ2],e3[β]\textbf{r}^T\textbf{e}_1\in [m\beta^2],\textbf{e}_2^T\textbf{s}\in[ m\beta^2],e_3\in[\beta], then

    vuTs[2mβ2+β]+q/2μv-\textbf{u}^T\textbf{s}\in [2m\beta^2+\beta]+\lceil q/2\rfloor \mu

  3. If the choice of parameters m,βm,\beta satisfies 2mβ2+β<q/42m\beta^2+\beta<q/4, then the decryptor can just determine:

    μ={1vuTs is more close to q/20vuTs is more close to 0\mu=\begin{cases} 1 & v-\textbf{u}^T\textbf{s}\textnormal{ is more close to q/2}\\ 0 & v-\textbf{u}^T\textbf{s}\textnormal{ is more close to 0} \end{cases}

The security of scheme is based on the difficulties of the following problem:

Definition(Learning With Error, LWE): For positive integers m,n,qm, n, q, and βq\beta \ll q, the LWEn,m,q,β\textnormal{LWE}_{n,m,q,\beta} problem asks to distinguish between the following two distributions:

  • (A,As+e)(\textbf{A},\textbf{As}+\textbf{e}), where AZqn×m,s[β]m,e[β]n\textbf{A}\leftarrow \mathbb{Z}_q^{n\times m},\textbf{s}\leftarrow[\beta]^m,\textbf{e}\leftarrow [\beta]^n.
  • (A,u)(\textbf{A},\textbf{u}), where AZqn×m,uZqn\textbf{A}\leftarrow \mathbb{Z}_q^{n\times m},\textbf{u}\leftarrow \mathbb{Z}_q^n.

We assume the that the problem is hard, i.e. the two distribution is indistinguishable. The LWE problem has been proven to have a reduction to the difficult problem in lattice problem.

The public key (A,t)(\textbf{A},\textbf{t}) is indistinguishable from uniform distribution due to the LWE assumption,

Edited on Views times