5.2 Passively Secure Encryption
5.2.1 Regev’s LWE Cryptosystem
Recall that Regev [Reg05] gave the first LWE-based public-key encryption scheme, in which public keys are $\tilde{O}(n^2)$ bits, secret keys and ciphertexts are $\tilde{O}(n)$ bits, and each ciphertext encrypts a single bit. (Here $n$ is the dimension of the underlying LWE problem.) In the multi-user setting, if there is a trusted source of randomness that can be shared among all users, then the per-user public key size can be reduced to only $\tilde{O}(n)$ bits.
Description of the system. The cryptosystem is parameterized by an LWE dimension $n$, modulus $q$, error distribution $\chi$ over $\mathbb{Z}$, and number of samples $m$ that all should satisfy various conditions needed for security and correct decryption, as described below.
• The secret key is a uniformly random LWE secret $\mathbf{s} \in \mathbb{Z}_q^n$, and the public key is some $m \approx (n+1)\log q$ samples $(\bar{\mathbf{a}}_i,\, b_i = \langle \mathbf{s}, \bar{\mathbf{a}}_i \rangle + e_i) \in \mathbb{Z}_q^{n+1}$ drawn from the LWE distribution $A_{\mathbf{s},\chi}$, collected as the columns of a matrix

$$\mathbf{A} = \begin{bmatrix} \bar{\mathbf{A}} \\ \mathbf{b}^t \end{bmatrix} \in \mathbb{Z}_q^{(n+1)\times m}, \qquad (5.2.1)$$

where $\mathbf{b}^t = \mathbf{s}^t \bar{\mathbf{A}} + \mathbf{e}^t \bmod q$. (In the multi-user setting, $\bar{\mathbf{A}}$ can be shared among all users, and the user's public key is just $\mathbf{b}$.) Note that by definition, the secret and public keys satisfy the relation

$$(-\mathbf{s}, 1)^t \cdot \mathbf{A} = \mathbf{e}^t \approx \mathbf{0} \pmod q. \qquad (5.2.2)$$
• To encrypt a bit $\mu \in \mathbb{Z}_2 = \{0,1\}$ using the public key $\mathbf{A}$, one just takes a random subset-sum of the LWE samples and appropriately encodes the message bit in the last coordinate.¹ More specifically, one chooses a uniformly random $\mathbf{x} \in \{0,1\}^m$ and outputs the ciphertext

$$\mathbf{c} = \mathbf{A}\cdot\mathbf{x} + (\mathbf{0},\, \mu\cdot\lfloor q/2 \rceil) \in \mathbb{Z}_q^{n+1}. \qquad (5.2.3)$$

Notice that, ignoring the $\mu\cdot\lfloor q/2 \rceil$ term, encryption is merely evaluation of the function $f_{\mathbf{A}}$ from Equation (4.1.1) on a random binary input $\mathbf{x}$, although here the matrix $\mathbf{A}$ is not uniformly random, but is instead pseudorandom.
• To decrypt using the secret key $\mathbf{s}$, one computes

$$\begin{aligned} (-\mathbf{s},1)^t\cdot\mathbf{c} &= (-\mathbf{s},1)^t\cdot\mathbf{A}\cdot\mathbf{x} + \mu\cdot\lfloor q/2 \rceil \\ &= \mathbf{e}^t\cdot\mathbf{x} + \mu\cdot\lfloor q/2 \rceil && \text{(Equation (5.2.2))} \\ &\approx \mu\cdot\lfloor q/2 \rceil \pmod q && (\mathbf{e},\mathbf{x} \in \mathbb{Z}^m \text{ are short}) \end{aligned}$$

and tests whether it is closer to $0$ or to $\lfloor q/2 \rceil$ modulo $q$.
¹ More generally, it was observed by [KTX08, PW08] that one can encrypt messages from $\mathbb{Z}_p$ using $q/p$ in place of $q/2$, as long
Notice that decryption is correct as long as the accumulated error $\langle \mathbf{e}, \mathbf{x} \rangle \in \mathbb{Z}$ has magnitude less than $q/4$. This can be made to hold simply by choosing $q$ to be large enough relative to the error distribution $\chi$ and the value of $m$. For example, if $\chi = D_{\mathbb{Z},r}$ is a discrete Gaussian, which is subgaussian with parameter $r$, then $\langle \mathbf{e}, \mathbf{x} \rangle$ is subgaussian with parameter at most $r\sqrt{m}$, and hence has magnitude less than $r\sqrt{m \ln(1/\varepsilon)/\pi}$ with probability at least $1 - 2\varepsilon$.² So to ensure correct decryption with overwhelming probability, along with security under a worst-case assumption (as discussed next), one can use parameters as small as $r = \Theta(\sqrt{n})$ and $q = \tilde{O}(n)$, which correspond to an LWE error rate of $\alpha = r/q = 1/\tilde{O}(\sqrt{n})$ and worst-case approximation factors of $\gamma = \tilde{O}(n^{3/2})$.
Security. Regev's system is semantically secure against passive eavesdroppers, assuming that decision-$\mathrm{LWE}_{n,q,\chi,m}$ is hard, which for appropriate parameters is implied by the conjectured worst-case (quantum) hardness of lattice problems (see Section 4.2.2).
Here we give a reasonably detailed outline of the security proof, which follows a strategy that has come to be known as a "lossiness" argument. The two main ideas are: 1. a properly formed public key $\mathbf{A}$ is indistinguishable from a "malformed" uniformly random one, and 2. encrypting under such a malformed key is information-theoretically secure. More formally, recall that we wish to show that a public key $\mathbf{A}$ together with an encryption $\mathbf{c}$ of a fixed bit $\mu$ are indistinguishable for $\mu = 0, 1$ (see Section 2.4.2). We proceed by considering a sequence of alternative, or "hybrid," experiments that produce $\mathbf{A}, \mathbf{c}$ in different ways:
• In the first hybrid experiment, the public key $\mathbf{A}$ is "malformed" in the sense that it is chosen uniformly at random from $\mathbb{Z}_q^{(n+1)\times m}$, instead of being generated from LWE samples. (Note that there is no corresponding secret key.) The ciphertext $\mathbf{c}$ is generated by encrypting $\mu$ using $\mathbf{A}$ in the usual way, as

$$\mathbf{c} = \mathbf{A}\cdot\mathbf{x} + (\mathbf{0},\, \mu\cdot\lfloor q/2 \rceil) \in \mathbb{Z}_q^{n+1}.$$

We claim that this experiment is indistinguishable from the real one, under the LWE assumption. This is shown by a reduction: any hypothetical attacker $\mathcal{A}$ that aims to distinguish the two experiments can be transformed into an algorithm $\mathcal{D}$ that aims to distinguish LWE samples from uniformly random ones, i.e., it attacks decision-$\mathrm{LWE}_{n,q,\chi,m}$: $\mathcal{D}$ simply collects its input samples into a matrix $\mathbf{A}$, encrypts $\mu$ using $\mathbf{A}$ to get a ciphertext $\mathbf{c}$, and invokes $\mathcal{A}$ on $(\mathbf{A}, \mathbf{c})$, outputting the same accept/reject decision. It is clear that $\mathcal{D}$ perfectly simulates the real or hybrid experiment, depending on whether its input samples are LWE or uniform (respectively); therefore, $\mathcal{D}$ and $\mathcal{A}$ have equal distinguishing advantages. Because $\mathcal{D}$'s advantage must be negligible by hypothesis, so is $\mathcal{A}$'s.
• In the second hybrid experiment, the public key $\mathbf{A}$ is still uniformly random, but now the ciphertext $\mathbf{c} \in \mathbb{Z}_q^{n+1}$ is also chosen uniformly and independently of $\mathbf{A}$.

We claim that this experiment is statistically indistinguishable from the previous one, i.e., even a computationally unbounded attacker has only negligible advantage in distinguishing them. In other words, encrypting under a uniformly random public key is "lossy," in that it hides the message information-theoretically. The claim follows immediately from the fact that $m \approx (n+1)\log q$ is sufficiently large, and by a regularity lemma (also known as the leftover hash lemma) [HILL99], which says that $(\mathbf{A},\, \mathbf{u} = \mathbf{A}\cdot\mathbf{x})$ for uniform and independent $\mathbf{A} \leftarrow \mathbb{Z}_q^{(n+1)\times m}$ and $\mathbf{x} \leftarrow \{0,1\}^m$ is statistically indistinguishable from uniformly random. (Clearly, adding any fixed vector $(\mathbf{0},\, \mu\cdot\lfloor q/2 \rceil)$ to $\mathbf{u}$ preserves its uniform distribution.)
² Using a slightly larger modulus $q$, one can even ensure correct decryption with certainty by rejecting any (negligibly rare) error
In conclusion, because the above experiments are indistinguishable for any fixed bit $\mu$, and the last one does not depend on $\mu$ at all, the two real experiments for $\mu = 0, 1$ are also indistinguishable.
As a final remark, we note that the system is trivially breakable under an active, or chosen-ciphertext, attack. We discuss actively secure LWE-based encryption in Section 5.3 below.
Normal form optimization. As documented in [MR09], the above cryptosystem, along with essentially all other LWE-based systems, is amenable to a mild optimization using the "normal forms" of SIS/LWE defined in Sections 4.1.1 and 4.2.1. (Indeed, some systems described below incorporate this optimization explicitly.) For the same parameters $n, m$ as above, we let the matrix $\bar{\mathbf{A}} \in \mathbb{Z}_q^{n\times(m-n)}$ have only $m-n$ columns, and define $\mathbf{A} \in \mathbb{Z}_q^{(n+1)\times(m-n)}$ as in Equation (5.2.1) above, where the coordinates of $\mathbf{s} \in \mathbb{Z}^n$ are chosen from the error distribution $\chi$. To encrypt a bit $\mu \in \{0,1\}$, one chooses a uniformly random $\mathbf{x} \in \{0,1\}^{m+1}$ and outputs the ciphertext

$$\mathbf{c} = [\mathbf{I}_{n+1} \mid \mathbf{A}]\cdot\mathbf{x} + (\mathbf{0},\, \mu\cdot\lfloor q/2 \rceil) \in \mathbb{Z}_q^{n+1}.$$

To decrypt given the secret key $\mathbf{s}$, one computes

$$\begin{aligned} (-\mathbf{s},1)^t\cdot\mathbf{c} &= (-\mathbf{s},1)^t\cdot[\mathbf{I}_{n+1} \mid \mathbf{A}]\cdot\mathbf{x} + \mu\cdot\lfloor q/2 \rceil \\ &= (-\mathbf{s}, 1, \mathbf{e})^t\cdot\mathbf{x} + \mu\cdot\lfloor q/2 \rceil && \text{(Equation (5.2.2))} \\ &\approx \mu\cdot\lfloor q/2 \rceil \pmod q && (\mathbf{s}, \mathbf{e}, \mathbf{x} \text{ are short}) \end{aligned}$$

and tests whether it is closer to $0$ or to $\lfloor q/2 \rceil$ modulo $q$.
The security proof for this variant is essentially the same as the one outlined above, but it now relies on the hardness of the normal form of decision-LWE, as well as a regularity lemma for matrices of the form $[\mathbf{I}_{n+1} \mid \mathbf{A}]$ for uniformly random $\mathbf{A}$.
Longer messages. Typically, one wishes to encrypt several bits at a time, e.g., to transmit a key for a symmetric encryption scheme. In this context, Peikert, Vaikuntanathan, and Waters [PVW08] described a significant efficiency improvement using an amortization technique. In their variant, one can encrypt $\ell = O(n)$ bits per ciphertext, with no asymptotic increase in the sizes of the public key or ciphertexts, nor in the runtime of encryption. However, the secret key size and decryption runtimes are increased to $\tilde{O}(\ell \cdot n)$, versus $\tilde{O}(n)$ in the original system.
The main idea is, instead of using an $(n+1)$-row public key of the form $\mathbf{A} = \begin{bmatrix} \bar{\mathbf{A}} \\ \mathbf{b}^t \approx \mathbf{s}^t\bar{\mathbf{A}} \end{bmatrix}$, to generate an $(n+\ell)$-row key of the form

$$\mathbf{A} = \begin{bmatrix} \bar{\mathbf{A}} \\ \mathbf{B} \approx \mathbf{S}^t\cdot\bar{\mathbf{A}} \end{bmatrix} \in \mathbb{Z}_q^{(n+\ell)\times m},$$

where the $\ell$ rows of $\mathbf{S}^t \in \mathbb{Z}_q^{\ell\times n}$ are independent LWE secrets, and each entry of $\mathbf{S}^t\cdot\bar{\mathbf{A}}$ is perturbed by independent error drawn from $\chi$. Encrypting a message $\mathbf{m} \in \{0,1\}^\ell$ works essentially as before, by choosing uniformly random $\mathbf{x} \in \{0,1\}^m$ and outputting the ciphertext

$$\mathbf{c} = \mathbf{A}\cdot\mathbf{x} + (\mathbf{0},\, \mathbf{m}\cdot\lfloor q/2 \rceil) \in \mathbb{Z}_q^{n+\ell}.$$

For security, by a routine hybrid argument, it can be shown that a public key $\mathbf{A}$ is indistinguishable from uniform assuming the hardness of decision-LWE. Moreover, for $m \approx (n+\ell)\log q = \tilde{O}(n)$, the regularity lemma and lossiness argument described above still apply, thus establishing semantic security.
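The key generation, encryption and decryption of Regev's system described at the start of this section, together with the amortized $\ell$-bit variant just described, as one added example (not code from the survey or from [Reg05]/[PVW08]): a pure-Python toy in which `ELL = 1` gives Regev's single-bit scheme and larger `ELL` gives the $(n+\ell)$-row key. The parameters and the bounded centred-binomial error (standing in for the discrete Gaussian $\chi$) are constructed here so that the $q/4$ error bound from the correctness analysis holds with certainty, not merely with high probability.

```python
import random

# Constructed toy parameters (illustration only; far too small for any real security).
N, Q, ELL = 8, 4093, 4            # LWE dimension n, modulus q, message bits ell
M = (N + ELL) * Q.bit_length()    # m ~ (n + ell) log q samples
HALF_Q = (Q + 1) // 2             # round(q/2): the encoding of a 1 bit

def chi():
    """Bounded stand-in for the discrete Gaussian chi: centred binomial, values in [-2, 2]."""
    return sum(random.randint(0, 1) for _ in range(4)) - 2

def keygen():
    """Secret S in Z_q^{ell x n}; public key A = [A_bar; B] with B = S*A_bar + E (mod q).
    With ELL = 1 this is exactly the matrix of Equation (5.2.1)."""
    a_bar = [[random.randrange(Q) for _ in range(M)] for _ in range(N)]
    s = [[random.randrange(Q) for _ in range(N)] for _ in range(ELL)]
    b = [[(sum(s[i][k] * a_bar[k][j] for k in range(N)) + chi()) % Q
          for j in range(M)] for i in range(ELL)]
    return s, a_bar + b           # A has n + ell rows and m columns

def key_error(sk, pk):
    """Recover E = (-S, I)*A mod q (Equation (5.2.2)) as centred representatives in (-q/2, q/2]."""
    return [[((pk[N + i][j] - sum(sk[i][k] * pk[k][j] for k in range(N))) + Q // 2) % Q - Q // 2
             for j in range(M)] for i in range(ELL)]

def encrypt(pk, bits):
    """c = A*x + (0, mu*round(q/2)) for uniformly random x in {0,1}^m (Equation (5.2.3))."""
    x = [random.randint(0, 1) for _ in range(M)]
    c = [sum(row[j] for j in range(M) if x[j]) % Q for row in pk]   # subset-sum of A's columns
    for i, bit in enumerate(bits):
        c[N + i] = (c[N + i] + bit * HALF_Q) % Q
    return c

def decrypt(sk, c):
    """(-S, I)*c = E*x + mu*round(q/2); decide per coordinate whether it is closer to 0 or q/2."""
    bits = []
    for i in range(ELL):
        v = (c[N + i] - sum(sk[i][k] * c[k] for k in range(N))) % Q
        bits.append(1 if Q // 4 <= v < 3 * Q // 4 else 0)
    return bits

def error_bound_ok():
    """Correctness is guaranteed when |<e, x>| <= m * max|e| < q/4 (here max|e| = 2)."""
    return M * 2 < Q / 4

if __name__ == "__main__":
    sk, pk = keygen()
    msg = [1, 0, 1, 1]
    print(decrypt(sk, encrypt(pk, msg)) == msg, error_bound_ok())
```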
A separate mild optimization relates to the way that the message bits are encoded to be recoverable under noise. Throughout this survey, for simplicity we encode $\mathbf{m} \in \{0,1\}^\ell$ as $\mathbf{m}\cdot\lfloor q/2 \rceil \in \mathbb{Z}_q^\ell$. This incurs a multiplicative overhead of $\log q$, along with the additive overhead of the ciphertext "preamble" $\bar{\mathbf{A}}\mathbf{x}$. Recently, Peikert [Pei14] described a more sophisticated "reconciliation" mechanism that encodes the message bit-for-bit, making the ciphertext overhead merely additive. This mechanism works for any value of $\ell$ and essentially any (ring-)LWE cryptosystem.
Generating fresh LWE samples. We conclude this coverage of Regev's cryptosystem by noting that its encryption algorithm (Equation (5.2.3)) implicitly contains a method for generating unboundedly many "fresh" LWE samples for a fixed secret and a somewhat wider Gaussian error distribution, given a sufficiently large number of initial samples. More specifically, an encryption $(\mathbf{a}, b) = \mathbf{A}\cdot\mathbf{x} \in \mathbb{Z}_q^{n+1}$ of zero is essentially a new LWE sample with secret $\mathbf{s}$, in the sense that $\mathbf{a}$ is negligibly far from uniform and independent of $\bar{\mathbf{A}}$, and

$$b = \langle \mathbf{s}, \mathbf{a} \rangle + \langle \mathbf{e}, \mathbf{x} \rangle \approx \langle \mathbf{s}, \mathbf{a} \rangle \pmod q.$$

Therefore, $(\mathbf{a}, b)$ constitutes a noisy linear equation in $\mathbf{s}$. However, for the system as described above, the distribution of the error term $\langle \mathbf{e}, \mathbf{x} \rangle \in \mathbb{Z}$ (over the random choice of $\mathbf{x}$) may not be so "nice"—it is not easy to analyze, and it may even vary with the value of $\mathbf{a}$. So the samples generated in this way may not quite be fresh LWE samples in the sense we usually mean, i.e., from a distribution $A_{\mathbf{s},\chi}$.
Fortunately, it was shown in [GPV08, ACPS09], using a key lemma from [Reg05], that a slightly modified procedure does indeed generate LWE samples having a true Gaussian error distribution (up to negligible statistical error). To do this, one instead chooses $\mathbf{x}$ according to a discrete Gaussian $D_{\mathbb{Z}^m, r}$ for appropriate $r = \tilde{O}(1)$, and adds a little "smoothing" error to the final coordinate of $\mathbf{A}\cdot\mathbf{x}$. The error in the resulting sample is then statistically close to Gaussian with parameter $O(r\cdot\|\mathbf{e}\|)$, where $\mathbf{e}$ is the error vector in the original LWE samples. (Note that this original error $\mathbf{e}$ can come from any distribution, as long as it is relatively short.) Moreover, when the input matrix $\mathbf{A}$ is uniformly random (instead of from the LWE distribution), the same procedure produces samples that are nearly uniformly random and independent of $\mathbf{A}$. Therefore, the procedure is a form of randomized self-reduction for both the search and decision forms of LWE.