1 Introduction

Given a full-rank lattice \(L\subset \mathbb {Z}^n\), we denote the public basis of L by B and the private basis of L by R. Both B and R are \(n \times n\) invertible matrices. In the GGH public-key encryption scheme, for a plaintext vector \(v\in \mathbb {Z}^n\), the random error vector e is chosen so that the absolute value of each entry is no more than a constant \(\sigma \), where \(\sigma \) is a positive real number. The ciphertext c is computed by \(c=f_{B,\sigma }(v,e)=Bv+e\in \mathbb {R}^n\). Using the results of Babai and others (Ajtai, 1996; Ajtai & Dwork, 1997; Babai, 1986; Coppersmith & Shamir, 1997; Goldreich et al., 1997; Micciancio, 2001; Hoffstein et al., 2017, 1998), we can decipher the plaintext \(v=B^{-1}[c]_R\) given B, R and the ciphertext c. Here the lattice point \([c]_R\) is obtained by representing c as a linear combination of the columns of R and rounding the coefficients in this linear combination to the nearest integers. The problem is how \(\sigma \) should be chosen so that we recover the correct plaintext v, or at least guarantee a low error probability. We show three theorems to solve this problem. A probability inequality is given to estimate the bound of the inversion error probability.

2 Main Results

Theorem 1

Let B be the public basis and R the private basis of lattice L, \(v\in \mathbb {Z}^n\), e the random error vector with \(|e|_{\infty }\leqslant \sigma \), and \(c=f_{B,\sigma }(v,e)=Bv+e\). Then \(B^{-1}[c]_R=v\) if and only if \([R^{-1}e]=0\), where \([R^{-1}e]\) denotes the vector in \(\mathbb {Z}^n\) obtained by rounding each entry of \(R^{-1}e\) to the nearest integer.

Proof

Let \(T=B^{-1}R\), then

$$\begin{aligned} B^{-1}[c]_R=B^{-1}[Bv+e]_R=B^{-1}R[R^{-1}(Bv+e)]=T[T^{-1}v+R^{-1}e] \end{aligned}$$

Since B and R are bases of the same lattice, \(T=B^{-1}R\) is a unimodular matrix, and so is \(T^{-1}\). As \(v\in \mathbb {Z}^n\), we have \(T^{-1}v\in \mathbb {Z}^n\), so the integer vector \(T^{-1}v\) can be taken outside the rounding, giving

$$\begin{aligned} B^{-1}[c]_R=T[T^{-1}v+R^{-1}e]=v+T[R^{-1}e] \end{aligned}$$

Thus \(B^{-1}[c]_R=v\) is equivalent to \(T[R^{-1}e]=0\), and this equality holds if and only if \([R^{-1}e]=0\).

Remark 1

This theorem gives an equivalent condition to check whether the decryption result is accurate.

Theorem 2

Let R be the private basis of lattice L and e the random error vector with \(|e|_{\infty }\leqslant \sigma \). Suppose the maximum \(L_1\) norm of the rows of \(R^{-1}\) is \(\rho \). Then if \(\sigma <\frac{1}{2\rho }\), \([R^{-1}e]=0\) holds.

Proof

Let \(R^{-1}=(c_{ij})_{n \times n}\), \(R^{-1}e=(a_1,a_2,...,a_n)^{T}\), i.e., \(a_i=\sum _{j=1}^{n} c_{ij}e_j\), \(1\leqslant i \leqslant n\). By the triangle inequality and \(|e_j|\leqslant \sigma \),

$$\begin{aligned} |a_i|=\Big |\sum _{j=1}^{n} c_{ij}e_j\Big |\leqslant \sum _{j=1}^{n} |c_{ij}||e_j|\leqslant \sigma \sum _{j=1}^{n} |c_{ij}|\leqslant \sigma \rho <\frac{1}{2} \end{aligned}$$

This means that \([R^{-1}e]=0\).

Remark 2

Theorem 2 shows how \(\sigma \) can be chosen so that no inversion error occurs.

Theorem 3

Let an \(n\times n\) matrix R be the private basis used in the inversion of \(f_{B,\sigma }\), and denote the maximum \(L_{\infty }\) norm of the rows in \(R^{-1}\) by \(\frac{r}{\sqrt{n}}\). Then the probability of inversion errors is bounded by

$$\begin{aligned} P\{[R^{-1}e]\ne 0\}\leqslant 2n \cdot {\text {exp}} \left( -\frac{1}{8\sigma ^2 r^2} \right) , \end{aligned}$$

where \(e=(e_1,e_2,...,e_n)^{T}\) and \(e_1,e_2,...,e_n\) are n independent random variables such that \(|e_i|\leqslant \sigma \) and \(E(e_i)=0\) for \(1\leqslant i\leqslant n\).

Lemma 1

For any non-negative random variable X with finite expectation E(X) and any positive real number \(\mu \), we have

$$\begin{aligned} P\{X\geqslant \mu \}\leqslant \frac{E(X)}{\mu }. \end{aligned}$$

Proof

Here we treat X as a random variable of continuous type. For the other situations, the proof is similar. Let f(x) be the probability density function of X. Since \(E(X)=\int _0^{+\infty } xf(x) \textrm{d} x\geqslant \int _\mu ^{+\infty } xf(x) \textrm{d} x\geqslant \int _\mu ^{+\infty } \mu f(x) \textrm{d} x=\mu P\{X\geqslant \mu \}\), then we have \(P\{X\geqslant \mu \}\leqslant \frac{E(X)}{\mu }\).

Lemma 2

Given a random variable X satisfying \(-a\leqslant X \leqslant a\) with \(E(X)=0\), where \(a>0\). For any real number \(\lambda \), we have

$$\begin{aligned} E(e^{\lambda X})\leqslant \exp \left( \frac{\lambda ^2 a^2}{2} \right) . \end{aligned}$$

Proof

For any real number \(\lambda \), \(f(x)=e^{\lambda x}\) is a convex function. Notice that

$$\begin{aligned} x=\frac{x+a}{2a}\cdot a+\frac{a-x}{2a}\cdot (-a),\quad -a\leqslant x \leqslant a \end{aligned}$$

then

$$\begin{aligned} f(x)\leqslant \frac{x+a}{2a} f(a)+\frac{a-x}{2a} f(-a) \end{aligned}$$
$$\begin{aligned} e^{\lambda x} \leqslant \frac{x+a}{2a} e^{\lambda a}+\frac{a-x}{2a} e^{-\lambda a} \end{aligned}$$
$$\begin{aligned} E(e^{\lambda X})\leqslant E(\frac{X+a}{2a} e^{\lambda a}+\frac{a-X}{2a} e^{-\lambda a}) = \frac{1}{2}(e^{\lambda a}+e^{-\lambda a}) \end{aligned}$$

Let \(t=\lambda a\), next we prove that \(\frac{1}{2}(e^t+e^{-t})\leqslant \text {exp}(\frac{t^2}{2})\). This inequality is equivalent to

$$\begin{aligned} \ln \frac{e^t+e^{-t}}{2}\leqslant \frac{t^2}{2} \end{aligned}$$

Let \(g(t)=\frac{t^2}{2}-\ln \frac{e^t+e^{-t}}{2}\), then \(g'(t)=t-\frac{e^t-e^{-t}}{e^t+e^{-t}}\) and \(g'(0)=0\). Since \(g''(t)\geqslant 0\), we get \(g'(t)\leqslant 0\ \text {if}\ t\leqslant 0\) and \(g'(t)\geqslant 0\ \text {if}\ t\geqslant 0\). Then \(g(t)\geqslant g(0)=0\) and we complete the proof.

Lemma 3

Suppose \(X_1,X_2,...,X_n\) are n independent random variables. For \(1\leqslant i \leqslant n\), we have \(-a\leqslant X_i\leqslant a\) and \(E(X_i)=0\), where \(a>0\). Let \(S_n=\sum _{i=1}^{n} X_i\) and \(\varepsilon >0\). Then

$$\begin{aligned} P\{|S_n|\geqslant \varepsilon \}\leqslant 2\text {exp}(-\frac{\varepsilon ^2}{2na^2}). \end{aligned}$$

Proof

For any \(\lambda >0\), based on Lemma 1, we can get

$$\begin{aligned} P\{S_n\geqslant \varepsilon \}=P\{e^{\lambda S_n}\geqslant e^{\lambda \varepsilon }\} \leqslant \frac{E(e^{\lambda S_n})}{e^{\lambda \varepsilon }} \end{aligned}$$

Since \(X_1,X_2,...,X_n\) are independent random variables, combine with Lemma 2,

$$\begin{aligned} E(e^{\lambda S_n})=\prod _{i=1}^{n} E(e^{\lambda X_i})\leqslant \prod _{i=1}^{n} e^{\frac{\lambda ^2 a^2}{2}} =e^{\frac{n \lambda ^2 a^2}{2}} \end{aligned}$$
$$\begin{aligned} P\{S_n\geqslant \varepsilon \} \leqslant \frac{E(e^{\lambda S_n})}{e^{\lambda \varepsilon }} \leqslant e^{-\lambda \varepsilon +\frac{n \lambda ^2 a^2}{2}} \end{aligned}$$

Let \(\lambda =\frac{\varepsilon }{na^2}\) (the value minimizing the exponent); then the above inequality becomes

$$\begin{aligned} P\{S_n\geqslant \varepsilon \} \leqslant \text {exp} \left( -\frac{\varepsilon ^2}{2na^2} \right) \end{aligned}$$

In the same way, we can prove that

$$\begin{aligned} P\{S_n\leqslant -\varepsilon \} \leqslant \text {exp} \left( -\frac{\varepsilon ^2}{2na^2} \right) \end{aligned}$$

Thus

$$\begin{aligned} P\{|S_n|\geqslant \varepsilon \}\leqslant 2\text {exp} \left( -\frac{\varepsilon ^2}{2na^2} \right) \end{aligned}$$

Proof of Theorem 3. We now prove Theorem 3, stated above, using Lemma 3.

Let \(R^{-1}=(c_{ij})_{n \times n}\), \(e=(e_1,e_2,...,e_n)^{T}\), where \(e_1,e_2,...,e_n\) are n independent random variables such that \(|e_i|\leqslant \sigma \) and \(E(e_i)=0\) for \(1\leqslant i\leqslant n\).

We denote \(R^{-1}e=(a_1,a_2,...,a_n)^{T}\), i.e., \(a_i=\sum _{j=1}^{n} c_{ij}e_j\), \(1\leqslant i \leqslant n\).

Since \(|c_{ij}|\leqslant \frac{r}{\sqrt{n}}\) and \(|e_j|\leqslant \sigma \), the random variable \(c_{ij}e_j\) lies in the interval \([-\frac{r\sigma }{\sqrt{n}},\frac{r\sigma }{\sqrt{n}}]\); moreover, for fixed i the variables \(c_{ij}e_j\), \(1\leqslant j\leqslant n\), are independent with mean zero because the \(e_j\) are. Based on Lemma 3,

$$\begin{aligned} P\{|a_i|\geqslant \frac{1}{2}\}=P\{|\sum _{j=1}^{n} c_{ij}e_j|\geqslant \frac{1}{2}\}\leqslant 2\text {exp}(-\frac{(\frac{1}{2})^2}{2n(\frac{r \sigma }{\sqrt{n}})^2})=2\text {exp}(-\frac{1}{8\sigma ^2 r^2}) \end{aligned}$$
$$\begin{aligned} P\{[R^{-1}e]\ne 0\}\leqslant \sum \limits _{i=1}^{n} P\{|a_i|> \frac{1}{2}\}\leqslant \sum \limits _{i=1}^{n} P\{|a_i|\geqslant \frac{1}{2}\}\leqslant 2n \cdot \text {exp}(-\frac{1}{8\sigma ^2 r^2}) \end{aligned}$$

Thus the inequality in Theorem 3 holds.

Corollary 1

\(P\{[R^{-1}e]\ne 0\}<\varepsilon \) if \(\sigma <\bigg (2r\sqrt{2\ln {\frac{2n}{\varepsilon }}}\bigg )^{-1}\).

Proof

\(\sigma<\bigg (2r\sqrt{2\ln {\frac{2n}{\varepsilon }}}\bigg )^{-1}\Leftrightarrow 2n \cdot \text {exp}\left( -\frac{1}{8\sigma ^2 r^2}\right) <\varepsilon \), from Theorem 3,

$$\begin{aligned} P\{[R^{-1}e]\ne 0\}\leqslant 2n \cdot \text {exp}\left( -\frac{1}{8\sigma ^2 r^2} \right) <\varepsilon \end{aligned}$$

Remark 3

Theorem 3 provides a way to estimate the bound of inversion error probability, and Corollary 1 gives a detailed bound for \(\sigma \) based on Theorem 3 to get the error probability no more than a constant \(\varepsilon \).
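The following is an added worked example, not code from the paper: it implements the GGH encryption map \(f_{B,\sigma }\), the Babai-rounding inversion \(B^{-1}[c]_R\), the exactness test of Theorem 1, the deterministic \(\sigma \) bound of Theorem 2 and the probabilistic \(\sigma \) bound of Corollary 1, on a small constructed key pair (the matrices R and B below are assumptions chosen for illustration, with B = RU for a unimodular U). Exact rational arithmetic is used so that the rounding step is not disturbed by floating-point error.

```python
from fractions import Fraction
from math import floor, log, sqrt

def inverse(M):
    """Exact inverse of a square matrix (Gauss-Jordan over the rationals)."""
    n = len(M)
    A = [[Fraction(x) for x in row] + [Fraction(int(i == j)) for j in range(n)]
         for i, row in enumerate(M)]
    for col in range(n):
        piv = next(r for r in range(col, n) if A[r][col] != 0)
        A[col], A[piv] = A[piv], A[col]
        A[col] = [x / A[col][col] for x in A[col]]
        for r in range(n):
            if r != col and A[r][col] != 0:
                A[r] = [x - A[r][col] * y for x, y in zip(A[r], A[col])]
    return [row[n:] for row in A]

def matvec(M, v):
    return [sum(Fraction(a) * b for a, b in zip(row, v)) for row in M]

def round_vec(x):
    """[x]: each entry rounded to the nearest integer (ties rounded up)."""
    return [floor(t + Fraction(1, 2)) for t in x]

def encrypt(B, v, e):
    """c = f_{B,sigma}(v, e) = Bv + e."""
    return [a + b for a, b in zip(matvec(B, v), e)]

def decrypt(B, R, c):
    """v = B^{-1}[c]_R with [c]_R = R [R^{-1} c] (Babai rounding)."""
    lattice_point = matvec(R, round_vec(matvec(inverse(R), c)))
    return [int(t) for t in matvec(inverse(B), lattice_point)]

def decrypts_correctly(R, e):
    """Theorem 1: decryption is exact iff [R^{-1} e] = 0."""
    return all(t == 0 for t in round_vec(matvec(inverse(R), e)))

def theorem2_sigma_bound(R):
    """Theorem 2: no inversion error if sigma < 1/(2 rho), rho = max row L1 norm of R^{-1}."""
    rho = max(sum(abs(t) for t in row) for row in inverse(R))
    return 1 / (2 * rho)

def corollary1_sigma_bound(R, eps):
    """Corollary 1: sigma < (2r sqrt(2 ln(2n/eps)))^-1 keeps P{[R^{-1}e] != 0} < eps; r/sqrt(n) = max |entry| of R^{-1}."""
    r = sqrt(len(R)) * max(abs(t) for row in inverse(R) for t in row)
    return 1 / (2 * r * sqrt(2 * log(2 * len(R) / eps)))

# Constructed toy keys (not from the paper): private R; public B = R U for the unimodular U = [[1,2,0],[0,1,3],[0,0,1]].
R = [[5, 1, 0], [0, 5, 1], [0, 0, 5]]
B = [[5, 11, 3], [0, 5, 16], [0, 0, 5]]
```

For this R, Theorem 2 gives \(\sigma <125/62\), so any error with entries of absolute value at most 2 decrypts exactly, while the error \(e=(3,0,0)^T\) rounds \(R^{-1}e\) to \((1,0,0)^T\) and shifts the result by \(T[R^{-1}e]\) exactly as in the proof of Theorem 1. On this small instance the Corollary 1 bound for \(\varepsilon =0.01\) is about 0.40, more restrictive than the deterministic bound; it is a worst-case tail estimate, not a replacement for Theorem 2 when \(\rho \) is known.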

3 Conclusions

In this work we mainly present a probability inequality about the GGH public-key encryption scheme. In this scheme, we first take a lattice vector \(v\in \mathbb {Z}^n\) and generate a small error vector e such that \(|e|_{\infty }\leqslant \sigma \). Given a public basis B, the function \(f_{B,\sigma }(v,e)=Bv+e\) computes the ciphertext c. To decrypt, the private basis R and the function \(f^{-1}_{B,\sigma }(c)=B^{-1}[c]_R\) are used to extract the message v. We give a bound for the probability of the error \(v\ne B^{-1}[c]_R\) and explain how to choose \(\sigma \) in order to keep the error probability no more than a given constant \(\varepsilon \).