In 2005, O. Regev, then at Tel Aviv University in Israel, proposed the first LWE public key cryptosystem, built on the LWE distribution \(A_{s,\chi }\). For this paper Regev received the Gödel Prize, the highest award in theoretical computer science, in 2018. The size of the public key is \(\tilde{O}(n^2)\) bits, and the sizes of the private key s and of the ciphertext are \(\tilde{O}(n)\) bits. Each encryption processes 1 bit of plaintext. The LWE public key cryptosystem is a probabilistic cryptosystem: its algorithms succeed with high probability rather than with certainty. Since the security of the LWE problem has been rigorously proved (see Chap. 3), the LWE cryptosystem received extensive attention as soon as it was proposed, and it has become one of the most active research topics in lattice-based cryptography.

4.1 LWE Cryptosystem of Regev

Let \(n\geqslant 1\), \(q\geqslant 2\) be positive integers and let \(\chi \) be a given probability distribution on \(\mathbb {Z}_q\). By Definition 4.3.1 in Chap. 3, the LWE distribution \(A_{s,\chi }\) is

$$\begin{aligned} \left\{ \begin{array}{l} A_{s,\chi }=(a,b)\in \mathbb {Z}_q^n\times \mathbb {Z}_q,\\ b\equiv _{\chi }<a,s>+e\ (\text {mod}\ q), \end{array} \right. \end{aligned}$$
(4.1.1)

where \(a\in \mathbb {Z}_q^n\) is uniformly distributed, \(s\in \mathbb {Z}_q^n\) is the private key chosen at random, and \(e\in \mathbb {Z}_q\), \(e\leftarrow \chi \), where \(\chi \) is called the error distribution. The LWE cryptosystem is built on the LWE distribution \(A_{s,\chi }\), and its workflow has the following three steps:

(1) Public key.

First we choose \(s\in \mathbb {Z}_q^n\) at random as the private key and let \(m=O(n\text {log}q)\). Then we draw m samples \((a_i,b_i)\in \mathbb {Z}_q^n\times \mathbb {Z}_q\) from \(A_{s,\chi }\), with \(e_i\in \mathbb {Z}_q\), \(e_i\leftarrow \chi \), \(1\leqslant i\leqslant m\). Let

$$\begin{aligned} \overline{A}=[a_1,a_2,\dots ,a_m]_{n\times m}\in \mathbb {Z}_q^{n\times m}, \end{aligned}$$
$$\begin{aligned} b=\begin{pmatrix} b_1 \\ b_2 \\ \vdots \\ b_m \end{pmatrix},\ e=\begin{pmatrix} e_1 \\ e_2 \\ \vdots \\ e_m \end{pmatrix},\ e\leftarrow \chi ^m, \end{aligned}$$

where \(\overline{A}\) is a uniformly random matrix and \(e\leftarrow \chi ^m\) indicates that the m error samples are independent. The public key of the LWE cryptosystem is the following \((n+1)\times m\) matrix

$$\begin{aligned} A=\begin{pmatrix} \overline{A} \\ b' \end{pmatrix}\in \mathbb {Z}_q^{(n+1)\times m}. \end{aligned}$$
(4.1.2)

If the uniformly random matrix \(\overline{A}\) is fixed and stored for all users of the LWE cryptosystem, then the true public key is \(b=\begin{pmatrix} b_1 \\ b_2 \\ \vdots \\ b_m \end{pmatrix}\in \mathbb {Z}_q^m\), of size \(O(m)=\tilde{O}(n)\). The public key and the private key satisfy the following equation:

$$\begin{aligned} (-s',1)A\equiv _{\chi }e'\ (\text {mod}\ q). \end{aligned}$$
(4.1.3)

(2) Encryption.

To encrypt a plaintext of 1 bit, \(u\in \mathbb {Z}_2\), let \(x\in \{0,1\}^m\) be a uniformly distributed m dimensional vector with each entry 0 or 1. The ciphertext \(c\in \mathbb {Z}_q^{n+1}\) is an \((n+1)\) dimensional vector over \(\mathbb {Z}_q\), defined by

$$\begin{aligned} f_A(u)=c=Ax+\begin{pmatrix} 0 \\ u\cdot \lfloor \frac{q}{2}\rceil \end{pmatrix}\in \mathbb {Z}_q^{n+1}, \end{aligned}$$
(4.1.4)

where \(0=\begin{pmatrix} 0 \\ 0 \\ \vdots \\ 0 \end{pmatrix}\in \mathbb {Z}_q^n\), \(u \lfloor \frac{q}{2}\rceil \in \mathbb {Z}_q\), and \(\lfloor \frac{q}{2}\rceil \) is the nearest integer to \(\frac{q}{2}\). We call \(f_A\) the encryption algorithm of LWE. To understand the encryption algorithm better, we give an equivalent definition of \(f_A\).

The set \(\{1,2,\dots ,m\}\) has \(2^m\) subsets. We choose a subset \(S\subset \{1,2,\dots ,m\}\) uniformly at random, called the index set. Then the encryption algorithm \(f_A(u)\) for the plaintext \(u\in \mathbb {Z}_2\) is

$$\begin{aligned} c=f_A(u)=\begin{pmatrix} \sum \nolimits _{i\in S} a_i \\ \sum \nolimits _{i\in S} b_i+u \lfloor \frac{q}{2}\rceil \end{pmatrix}\in \mathbb {Z}_q^{n+1}. \end{aligned}$$
(4.1.5)

The subset S corresponds to the uniformly chosen vector \(x\in \{0,1\}^m\): \(i\in S\) exactly when \(x_i=1\). The form (4.1.5) is the one originally proposed by Regev.

(3) Decryption.

We use the private key \(s\in \mathbb {Z}_q^n\) to decrypt the ciphertext c. In fact, only the last entry of the vector c needs to be decrypted. We have

$$\begin{aligned} f_A^{-1}(c)=(-s',1)c=(-s',1)Ax+u\lfloor \frac{q}{2}\rceil \equiv _{\chi }e'x+u\lfloor \frac{q}{2}\rceil \ (\text {mod}\ q). \end{aligned}$$
(4.1.6)

The error samples are much smaller than q; namely, with S the index set used in the encryption,

$$\begin{aligned} \sum \limits _{i\in S}e_i=e'x<\lfloor \frac{q}{2}\rceil /2. \end{aligned}$$
(4.1.7)

Therefore, by comparing the distance from the right side of (4.1.6) to 0 with its distance to \(\lfloor \frac{q}{2}\rceil \), one can decrypt successfully:

$$\begin{aligned} f_A^{-1}(c)= \left\{ \begin{array}{l} 0,\ \text {if}\ (-s',1)c\ \text {is closer to}\ 0,\\ 1,\ \text {if}\ (-s',1)c\ \text {is closer to}\ \lfloor \frac{q}{2}\rceil , \end{array} \right. \end{aligned}$$
(4.1.8)

Finally we have \(f_A^{-1}(c)=u\), which finishes the whole workflow of the LWE cryptosystem.
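The three steps above as an added worked example in Python (this is not the book's code): it implements key generation (4.1.2), encryption (4.1.4) and decryption (4.1.8) with the parameter choices of (4.1.13), taking log as log base 2, and estimates the decryption error probability of (4.1.9) empirically. The sampling of \(\overline{\psi }_{\alpha }\) follows the proof of Lemma 4.1.2 and assumes Regev's convention that \(\psi _{\alpha }\) is a Gaussian of standard deviation \(\alpha /\sqrt{2\pi }\), which this page does not restate. The sizes used (n = 20) are toy values for illustration only and give no real security.

```python
"""Toy implementation of Regev's single-bit LWE cryptosystem (Sect. 4.1).

Added example; not the book's code. Parameters follow (4.1.13): q in [n^2, 2n^2]
(here q = 2n^2), m = (1+eps)(n+1) log2 q, alpha = 1/(sqrt(n) log2^2 n). The error
distribution psi-bar_alpha is sampled as in the proof of Lemma 4.1.2, e = [q x] mod q
with x <- psi_alpha; this page does not restate psi_alpha, so we assume Regev's
convention that it is Gaussian with standard deviation alpha/sqrt(2 pi).
Toy sizes only: n = 20 gives no real security.
"""
import math
import random


def nearest_int(x):
    """[x]: the integer with x - [x] in (-1/2, 1/2] (ties round down, as in Sect. 4.3)."""
    return math.ceil(x - 0.5)


def regev_parameters(n, eps=0.1):
    """(q, m, alpha) chosen according to (4.1.13), with log taken base 2."""
    q = 2 * n * n
    m = math.ceil((1 + eps) * (n + 1) * math.log2(q))
    alpha = 1.0 / (math.sqrt(n) * math.log2(n) ** 2)
    return q, m, alpha


def sample_error(rng, q, alpha):
    """One sample e <- psi-bar_alpha, represented in Z_q = {0, ..., q-1}."""
    x = rng.gauss(0.0, alpha / math.sqrt(2 * math.pi))
    return nearest_int(q * x) % q


def keygen(rng, n, q, m, alpha):
    """Private key s in Z_q^n; public key (A_bar, b) with b_i = <a_i, s> + e_i mod q, (4.1.2)."""
    s = [rng.randrange(q) for _ in range(n)]
    a_rows = [[rng.randrange(q) for _ in range(n)] for _ in range(m)]  # a_1, ..., a_m
    b = [(sum(aj * sj for aj, sj in zip(a, s)) + sample_error(rng, q, alpha)) % q
         for a in a_rows]
    return s, (a_rows, b)


def encrypt(rng, pk, q, u):
    """c = A x + (0, u*[q/2]) for uniform x in {0,1}^m, (4.1.4); x encodes the index set S of (4.1.5)."""
    a_rows, b = pk
    m, n = len(b), len(a_rows[0])
    x = [rng.randrange(2) for _ in range(m)]
    head = [sum(x[i] * a_rows[i][j] for i in range(m)) % q for j in range(n)]  # sum_{i in S} a_i
    tail = (sum(x[i] * b[i] for i in range(m)) + u * nearest_int(q / 2)) % q   # sum_{i in S} b_i + u[q/2]
    return head, tail


def decrypt(s, q, c):
    """Compute (-s', 1) c mod q and pick the nearer of 0 and [q/2], (4.1.6) and (4.1.8)."""
    head, tail = c
    d = (tail - sum(sj * hj for sj, hj in zip(s, head))) % q
    half = nearest_int(q / 2)
    return 0 if min(d, q - d) < abs(d - half) else 1


def decryption_error_rate(n, trials, seed=0, alpha=None):
    """Empirical estimate of Pr{f_A^{-1}(c) != u} in (4.1.9); alpha=None uses (4.1.13)."""
    rng = random.Random(seed)
    q, m, alpha_n = regev_parameters(n)
    alpha = alpha_n if alpha is None else alpha
    s, pk = keygen(rng, n, q, m, alpha)
    failures = sum(decrypt(s, q, encrypt(rng, pk, q, i % 2)) != i % 2 for i in range(trials))
    return failures / trials


if __name__ == "__main__":
    print("n=20, (q, m, alpha) =", regev_parameters(20))
    print("error rate with alpha from (4.1.13):", decryption_error_rate(20, 200))
    print("error rate with alpha = 1 (noise too large):", decryption_error_rate(20, 200, alpha=1.0))
```

With the parameters of (4.1.13) the accumulated error \(e'x\) stays far below \(\lfloor \frac{q}{2}\rceil /2\) and every bit decrypts correctly; with \(\alpha =1\) the error wraps around modulo q and decryption degrades to guessing, which is the failure mode that Lemma 4.1.2 rules out for the stated parameters.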

Both the encryption algorithm and the decryption algorithm of LWE are probabilistic, so we should verify their correctness, namely

$$\begin{aligned} Pr\{f_A^{-1}(c)=u\}\geqslant 1-\delta (n). \end{aligned}$$
(4.1.9)

Here \(\delta (n)\) is a negligible function of n, i.e. \(\delta (n)=o\left( \frac{1}{\text {log}^{\epsilon }n}\right) \) for all \(\epsilon >0\); more precisely:

$$\begin{aligned} \lim \limits _{n\rightarrow \infty }\delta (n)\text {log}^{\epsilon }n=0,\ \forall \epsilon >0. \end{aligned}$$

We prove (4.1.9) for the discrete Gaussian distribution \(\chi =\overline{\psi }_{\alpha }\). For \(a\in \mathbb {Z}_q\), \(\mathbb {Z}_q=\{0,1,\dots ,q-1\}\), define

$$\begin{aligned} |a|= \left\{ \begin{array}{l} a,\ \text {if}\ 0\leqslant a\leqslant \lfloor \frac{q}{2}\rceil ,\\ q-a,\ \text {if}\ \lfloor \frac{q}{2}\rceil <a\leqslant q-1. \end{array} \right. \end{aligned}$$
(4.1.10)

For \(x\in \mathbb {T}=[0,1)\), we define

$$\begin{aligned} |x|= \left\{ \begin{array}{l} x,\ \text {if}\ 0\leqslant x<\frac{1}{2},\\ 1-x,\ \text {if}\ \frac{1}{2}\leqslant x<1. \end{array} \right. \end{aligned}$$
(4.1.11)

Lemma 4.1.1

Let \(\delta >0\) and \(0\leqslant k\leqslant m\). If the distribution \(\chi ^k\) satisfies

$$\begin{aligned} \mathop {Pr}\limits _{e\sim \chi ^k}\left\{ |e|<\lfloor \frac{q}{2}\rceil /2\right\} >1-\delta , \end{aligned}$$
(4.1.12)

then (4.1.9) holds, i.e.

$$\begin{aligned} Pr\left\{ f_A^{-1}(c)=u\right\} >1-\delta . \end{aligned}$$

Proof

When we choose the error samples \(e_i\in \mathbb {Z}_q\), \(e_i\leftarrow \chi \), we can always guarantee \(e_i=|e_i|\) without changing the probability distribution. By (4.1.7), suppose \(|S|=k\); the corresponding sample is

$$\begin{aligned} e=\begin{pmatrix} e_1 \\ e_2 \\ \vdots \\ e_k \end{pmatrix},\ |e|=\sum \limits _{i=1}^k |e_i|=\sum \limits _{i=1}^k e_i. \end{aligned}$$

As (4.1.7) guarantees correct decryption, i.e.

$$\begin{aligned} |e|<\lfloor \frac{q}{2}\rceil /2\Rightarrow f_A^{-1}(c)=u, \end{aligned}$$

we obtain

$$\begin{aligned} Pr\left\{ f_A^{-1}(c)=u\right\} \geqslant Pr\left\{ |e|<\lfloor \frac{q}{2}\rceil /2\right\} >1-\delta . \end{aligned}$$

   \(\square \)

Next we prove that (4.1.12) holds for the discrete Gaussian distribution \(\overline{\psi }_{\alpha }\) on \(\mathbb {Z}_q\). The following assumptions are made on the parameters:

$$\begin{aligned} \left\{ \begin{array}{l} n\geqslant 1,\ q\geqslant 2,\ n^2\leqslant q\leqslant 2n^2,\\ m=(1+\epsilon )(n+1)\text {log}q,\ \epsilon >0\ \text {is any positive real number},\\ \chi =\overline{\psi }_{\alpha (n)},\ \alpha (n)=o(\frac{1}{\sqrt{n}\text {log}n}), \end{array} \right. \end{aligned}$$
(4.1.13)

where the symbol o indicates

$$\begin{aligned} \lim \limits _{n\rightarrow \infty }\alpha (n)\sqrt{n}\text {log}n=0. \end{aligned}$$

For example, we can choose \(\alpha (n)=\frac{1}{\sqrt{n}\text {log}^2 n}\), or more generally

$$\begin{aligned} \alpha (n)=\left( \sqrt{n}\text {log}^{1+\epsilon }n\right) ^{-1},\ \forall \epsilon >0. \end{aligned}$$

Lemma 4.1.2

Under the parameter conditions (4.1.13), for any \(0\leqslant k\leqslant m\) we have

$$\begin{aligned} \mathop {Pr}\limits _{e\sim \overline{\psi }_{\alpha (n)}^k}\left\{ |e|<\lfloor \frac{q}{2}\rceil /2\right\} >1-\delta (n), \end{aligned}$$
(4.1.14)

where \(\delta (n)=o\left( \frac{1}{\text {log}^{\epsilon }n}\right) \), \(\forall \epsilon >0\), is a negligible function.

Proof

Based on (4.1.13), when \(n\geqslant n_0\) it is easy to see that

$$\begin{aligned} 0\leqslant k\leqslant m\leqslant 4(1+\epsilon )(n+1)\text {log}n<\frac{n^2}{32}\leqslant \frac{q}{32}. \end{aligned}$$

The k samples \(e=\begin{pmatrix} e_1 \\ \vdots \\ e_k \end{pmatrix}\) distributed as \(\overline{\psi }_{\alpha }^k\) can be obtained from k samples \(x_1,x_2,\dots ,x_k\) of the distribution \(\psi _{\alpha }\), where

$$\begin{aligned} x_i\in \left[ 0,\frac{1}{2}\right) ,\ e_i=\lfloor qx_i \rceil \ \text {mod}\ q,\ 1\leqslant i\leqslant k. \end{aligned}$$

Here the set of representatives of \(\mathbb {Z}_q\) is taken to be

$$\begin{aligned} \mathbb {Z}_q=\left\{ a\in \mathbb {Z}\ |\ -\frac{q}{2}\leqslant a<\frac{q}{2}\right\} . \end{aligned}$$

So we have

$$\begin{aligned} |e|=\sum \limits _{i=1}^k |e_i|=\sum \limits _{i=1}^k \lfloor qx_i \rceil \ \text {mod}\ q. \end{aligned}$$

Note that

$$\begin{aligned} \sum \limits _{i=1}^k \left( \lfloor qx_i \rceil -qx_i\right) \ \text {mod}\ q\leqslant k\leqslant \frac{q}{32}. \end{aligned}$$

Therefore,

$$\begin{aligned} \sum \limits _{i=1}^k qx_i\ \text {mod}\ q\leqslant \frac{q}{16}\Rightarrow \big (\sum \limits _{i=1}^k x_i\big )\ \text {mod}\ 1\leqslant \frac{1}{16}, \end{aligned}$$

we have \(|e|<\lfloor \frac{q}{2}\rceil /2\). Since \(\sum \nolimits _{i=1}^k x_i\ \text {mod}\ 1\) is distributed as \(\psi _{\sqrt{k}\alpha }\), where \(\sqrt{k}\cdot \alpha =o\left( \frac{1}{\sqrt{\text {log}n}}\right) \), we have

$$\begin{aligned} Pr\left\{ \sum \limits _{i=1}^k x_i\ \text {mod}\ 1<\frac{1}{16}\right\} =1-\delta (n), \end{aligned}$$

where \(\delta (n)=\sqrt{k}\cdot \alpha =o\left( \frac{1}{\sqrt{\text {log}n}}\right) \). This completes the proof.    \(\square \)

4.2 The Proof of Security

To prove the security of Regev’s cryptosystem, we first prove some general properties of probability distributions on abelian groups, due to Impagliazzo and Zuckerman (1989).

Let G be a finite abelian group and \(l\geqslant 1\) be a positive integer. For any l elements \(g_1,g_2,\dots ,g_l\in G\) and \(x\in \{0,1\}^l\), writing \(g=(g_1,g_2,\dots ,g_l)\), the element

$$\begin{aligned} gx=\sum \limits _{i=1}^l x_i g_i,\ x_i=0\ \text {or}\ 1 \end{aligned}$$

is called a subsum of \(\{g_1,g_2,\dots ,g_l\}\). Choosing \(x\in \{0,1\}^l\) uniformly at random, let gx also denote the distribution of the subsum, and let U(G) denote the uniform distribution on G.

Lemma 4.2.1

For any l elements \(\{g_1,g_2,\dots ,g_l\}\) chosen uniformly at random, the expectation of the statistical distance between the subsum distribution and the uniform distribution U(G) satisfies

$$\begin{aligned} E(\Delta (gx,U(G)))\leqslant (|G|/2^l)^{\frac{1}{2}}. \end{aligned}$$

In particular, the probability that the statistical distance is at least \((|G|/2^l)^{\frac{1}{4}}\) is no more than \((|G|/2^l)^{\frac{1}{4}}\), i.e.

$$\begin{aligned} Pr\left\{ \Delta (gx,U(G))\geqslant (|G|/2^l)^{\frac{1}{4}}\right\} \leqslant (|G|/2^l)^{\frac{1}{4}}. \end{aligned}$$

Proof

Let \(g=(g_1,g_2,\dots ,g_l)\) be l group elements chosen at random and let \(h\in G\) be a given group element. Define \(P_g(h)\) by

$$\begin{aligned} P_g(h)=\frac{1}{2^l}\left| \left\{ x\in \{0,1\}^l\ |\ gx=\sum \limits _{i=1}^l x_i g_i=h\right\} \right| , \end{aligned}$$

and call \(P_g(h)\) the subsum distribution of g. To prove that \(P_g(h)\) is close to the uniform distribution, we first prove that the \(l_2\) distance between \(P_g(h)\) and the uniform distribution is very small. In fact, we have:

$$\begin{aligned} \sum \limits _{h\in G} P_g(h)^2=\mathop {Pr}\limits _{x,x'}\{gx=gx'\}=\frac{1}{2^l}+\mathop {Pr}\limits _{x,x'}\{gx=gx'\ ,\ x\ne x'\}. \end{aligned}$$

Note that for any fixed \(x\ne x'\), over the choice of g,

$$\begin{aligned} \mathop {Pr}\limits _g\{gx=gx'\}=\frac{1}{|G|}. \end{aligned}$$

So the expectation of the \(l_2\) norm over g satisfies

$$\begin{aligned} \mathop {E}\limits _g \left[ \sum \limits _{h\in G} P_g(h)^2\right] \leqslant \frac{1}{2^l}+\frac{1}{|G|}. \end{aligned}$$

Finally, by the Cauchy-Schwarz inequality we have the following estimate

$$\begin{aligned} \mathop {E}\limits _g \left[ \sum \limits _{h\in G} \left| P_g(h)-\frac{1}{|G|}\right| \right] \end{aligned}$$
$$\begin{aligned} \ \leqslant \mathop {E}\limits _g \left[ |G|^{\frac{1}{2}} \left( \sum \limits _{h\in G} \left( P_g(h)-\frac{1}{|G|}\right) ^2\right) ^{\frac{1}{2}}\right] \end{aligned}$$
$$\begin{aligned} =|G|^{\frac{1}{2}} \mathop {E}\limits _g \left[ \left( \sum \limits _{h\in G} P_g(h)^2-\frac{1}{|G|}\right) ^{\frac{1}{2}}\right] \end{aligned}$$
$$\begin{aligned} =|G|^{\frac{1}{2}} \left[ \mathop {E}\limits _g \left( \sum \limits _{h\in G} P_g(h)^2\right) -\frac{1}{|G|}\right] ^{\frac{1}{2}} \end{aligned}$$
$$\begin{aligned} \leqslant (|G|/2^l)^{\frac{1}{2}}. \end{aligned}$$

This completes the proof.    \(\square \)
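Lemma 4.2.1 checked numerically, as an added example that is not part of the book: for \(G=\mathbb {Z}_q\) the subsum distribution \(P_g(h)\) is computed exactly for all \(2^l\) subsums by convolving over the group, and the quantity bounded in the proof, \(\sum _{h\in G}|P_g(h)-1/|G||\), is averaged over many random draws of g and compared with \((|G|/2^l)^{\frac{1}{2}}\). The group \(\mathbb {Z}_q\) is an assumption for concreteness; any finite abelian group with an addition rule would do.

```python
"""Subset-sum distribution of Lemma 4.2.1, checked numerically on G = Z_q.

Added example; not the book's code. For l random elements g of Z_q, P_g(h) is
computed exactly for all 2^l subsums by a convolution over the group (no enumeration),
and the l1 distance sum_h |P_g(h) - 1/|G||, the quantity bounded in the proof, is
averaged over many draws of g and compared with (|G|/2^l)^(1/2).
"""
import math
import random


def subsum_distribution(g, q):
    """P_g(h) = 2^{-l} #{x in {0,1}^l : sum x_i g_i = h mod q}, for every h in Z_q."""
    counts = [0] * q
    counts[0] = 1                       # the empty subsum (x = 0)
    for gi in g:
        # each x either leaves g_i out (counts[h]) or includes it (counts[h - g_i])
        counts = [counts[h] + counts[(h - gi) % q] for h in range(q)]
    total = 2 ** len(g)
    return [c / total for c in counts]


def l1_distance_to_uniform(p):
    """sum_h |p(h) - 1/|G||, the quantity estimated at the end of the proof of Lemma 4.2.1."""
    size = len(p)
    return sum(abs(ph - 1 / size) for ph in p)


def lemma_bound(group_order, l):
    """Right-hand side (|G| / 2^l)^(1/2) of Lemma 4.2.1."""
    return math.sqrt(group_order / 2 ** l)


def average_distance(q, l, samples, seed=0):
    """Monte Carlo estimate of E_g[ sum_h |P_g(h) - 1/|G|| ] for g uniform in Z_q^l."""
    rng = random.Random(seed)
    total = 0.0
    for _ in range(samples):
        g = [rng.randrange(q) for _ in range(l)]
        total += l1_distance_to_uniform(subsum_distribution(g, q))
    return total / samples


if __name__ == "__main__":
    q, l = 17, 10
    print("average l1 distance:", average_distance(q, l, 200))
    print("Lemma 4.2.1 bound:  ", lemma_bound(q, l))
```

The convolution step is the same recursion a hardware or side-channel analyst uses to tabulate sums of independent small variables; here it makes the exact distribution of \(2^{l}\) subsums available in \(O(lq)\) time, which is what allows the expectation bound to be checked rather than sampled.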

The security of Regev’s LWE public key cryptosystem rests on the following theorem, which is the most important result in this chapter.

Theorem 4.2.1

For any \(\epsilon >0\) and \(m\geqslant (1+\epsilon )(n+1)\text {log}q\), if there is a probabilistic polynomial time algorithm W which distinguishes the plaintext \(u=0\) from \(u=1\) given the ciphertext c, then there exists a polynomial time algorithm solving the \(\text {D-LWE}_{n,q,\chi ,m}\) problem.

Proof

The public key of the LWE cryptosystem is \(A=\begin{pmatrix} \overline{A} \\ b' \end{pmatrix}\), where \(\overline{A}\in \mathbb {Z}_q^{n\times m}\) is a uniformly random matrix and \(b=\begin{pmatrix} b_1 \\ \vdots \\ b_m \end{pmatrix}\in \mathbb {Z}_q^m\) is an m dimensional vector chosen uniformly. The encryption function \(f_A(u)\) is

$$\begin{aligned} c=f_A(u)=Ax+\begin{pmatrix} 0 \\ u \lfloor \frac{q}{2}\rceil \end{pmatrix}\in \mathbb {Z}_q^{n+1},\ x\in \{0,1\}^m. \end{aligned}$$

Since W is a probabilistic polynomial time algorithm, let \(P_0(W)\) be the probability that W recovers \(u=0\) from \(f_A(0)\), and \(P_1(W)\) the probability that W recovers \(u=1\) from \(f_A(1)\), i.e.

$$\begin{aligned} \left\{ \begin{array}{l} P_0(W)=Pr\{W(f_A(0))=0\}.\\ P_1(W)=Pr\{W(f_A(1))=1\}. \end{array} \right. \end{aligned}$$
(4.2.1)

If \(b\in \mathbb {Z}_q^m\) is uniformly random, we call \(A_{s,\chi }\) the uniform LWE distribution. Let \(P_u(W)\) be the probability that W decrypts successfully when \(A_{s,\chi }\) is the uniform LWE distribution. Suppose that

$$\begin{aligned} |P_0(W)-P_1(W)|\geqslant \frac{1}{n^{\delta }},\ \delta >0. \end{aligned}$$
(4.2.2)

Under assumption (4.2.2), we construct a new algorithm \(W'\) satisfying

$$\begin{aligned} |P_0(W')-P_u(W')|\geqslant \frac{1}{2n^{\delta }}. \end{aligned}$$
(4.2.3)

By (4.2.2) and the triangle inequality, we have

$$\begin{aligned} |P_0(W)-P_u(W)|\geqslant \frac{1}{2n^{\delta }},\ \text {or}\ |P_1(W)-P_u(W)|\geqslant \frac{1}{2n^{\delta }}. \end{aligned}$$

If the first inequality above holds, let \(W'=W\). If the second inequality holds, construct \(W'\) as follows. Let the map \(\sigma \) be \(f_A(u)\rightarrow f_A(u)+\begin{pmatrix} 0 \\ \frac{q-1}{2} \end{pmatrix}\).

Thus \(\sigma \) maps the LWE distribution \((\overline{A},b)\) to \((\overline{A},b+\frac{q-1}{2})\). If b is uniformly random, so is \(b+\frac{q-1}{2}\). We define \(W'\) to be W run on the LWE distribution \((\overline{A},b+\frac{q-1}{2})\), i.e. \(W'(c)=W(\sigma (c))\). According to (4.1.5),

$$\begin{aligned} P_0(W)=P_1(W'),\ P_1(W)=P_0(W'), \end{aligned}$$

so \(W'\) is an algorithm satisfying (4.2.3).

Let \(s\in \mathbb {Z}_q^n\); the public key sample \((\overline{A},b)\in \mathbb {Z}_q^{n\times m}\times \mathbb {Z}_q^m\) follows the distribution \(A_{s,\chi }\). Let \(P_0(s)\) be the probability that \(W'\) decrypts \(u=0\) successfully, i.e.

$$\begin{aligned} P_0(s)=Pr\{W'(f_A(0))=0\}. \end{aligned}$$

Similarly, let \(P_u(s)\) be the probability that \(W'\) decrypts successfully when \((\overline{A},b)\) is uniformly random. Supposing

$$\begin{aligned} |\mathop {E}\limits _s [P_0(s)]-\mathop {E}\limits _s [P_u(s)]|\geqslant \frac{1}{2n^{\delta }}, \end{aligned}$$
(4.2.4)

we define

$$\begin{aligned} Y=\left\{ s\in \mathbb {Z}_q^n\ |\ |P_0(s)-P_u(s)|\geqslant \frac{1}{4n^{\delta }}\right\} . \end{aligned}$$
(4.2.5)

It is easy to prove that if \(s\in \mathbb {Z}_q^n\) is uniformly distributed, then

$$\begin{aligned} |Y|/q^n\geqslant \frac{1}{4n^{\delta }}. \end{aligned}$$

Therefore, to prove Theorem 4.2.1, we need an algorithm Z that decides, for any \(s\in Y\), whether the LWE distribution \(A_{s,\chi }\) is uniform. Construction of the algorithm Z: let R be a probability distribution on \(\mathbb {Z}_q^n\times \mathbb {Z}_q\) which is either the uniform LWE distribution or the general LWE distribution with \(s\in Y\), i.e.

$$\begin{aligned} R=\text {uniform LWE distribution, or}\ R=A_{s,\chi },\ s\in Y. \end{aligned}$$

Let \(\overline{A}=[a_1,\dots ,a_m]\in \mathbb {Z}_q^{n\times m}\), \(b=\begin{pmatrix} b_1 \\ \vdots \\ b_m \end{pmatrix}\in \mathbb {Z}_q^m\) be m random samples from the distribution R. Let \(P_0(R)\) be the probability that \(W'\) decrypts \(u=0\) successfully when \((a,b)\sim A_{s,\chi }\), \(s\in Y\). In the same way, let \(P_u(R)\) be the probability that \(W'\) decrypts \(u=0\) successfully when R is the uniform LWE distribution. We estimate \(P_0(R)\) and \(P_u(R)\) by running the algorithm \(W'\) polynomially many times, so that the estimation error is within \(\frac{1}{64n^{\delta }}\). If \(|P_0(R)-P_u(R)|\geqslant \frac{1}{16n^{\delta }}\), then the algorithm Z is effective; otherwise it is noneffective.

We first confirm that if R is the uniform LWE distribution, then Z is noneffective with high probability. In this case \((\overline{A},b)\in \mathbb {Z}_q^{n\times m}\times \mathbb {Z}_q^m\) with b uniformly random, and applying Lemma 4.2.1 to the abelian group \(G=\mathbb {Z}_q^n \times \mathbb {Z}_q\) we have

$$\begin{aligned} |P_0(R)-P_u(R)|\leqslant 2^{-\Omega (n)}. \end{aligned}$$

In this case, Z is noneffective.

If \(R=A_{s,\chi }\) with \(s\in Y\), we prove that the algorithm Z is effective with probability at least \(\frac{1}{\text {Poly}(n)}\), i.e. one can distinguish \(A_{s,\chi }\), \(s\in Y\), from the uniform distribution. Since \(|P_0(R)-P_u(R)|\geqslant \frac{1}{4n^{\delta }}\), in the average sense we get

$$\begin{aligned} Pr\left\{ |P_0(R)-P_u(R)|\geqslant \frac{1}{8n^{\delta }}\right\} \geqslant \frac{1}{8n^{\delta }}. \end{aligned}$$

Thus the algorithm Z is effective for \(A_{s,\chi }\), \(s\in Y\), with positive probability. This completes the proof of Theorem 4.2.1.    \(\square \)

4.3 Properties of Rounding Function

The public key of Regev’s LWE cryptosystem is \(A=\begin{pmatrix} \overline{A} \\ b' \end{pmatrix}\in \mathbb {Z}_q^{(n+1)\times m}\), where \(\overline{A}\in \mathbb {Z}_q^{n\times m}\) is a uniformly random matrix and \(b=\begin{pmatrix} b_1 \\ \vdots \\ b_m \end{pmatrix}\in \mathbb {Z}_q^m\) is a uniform sample vector (see (4.1.2)). In this section we discuss the sampling technique for the public key A based on the rounding function.

For every \(x\in \mathbb {R}\), let \(\{x\}\) be the fractional part of x and \(\lfloor x\rceil \) the integer closest to x, i.e.

$$\begin{aligned} \lfloor x\rceil = \left\{ \begin{array}{l} x-\{x\},\ \text {if}\ 0\leqslant \{x\}\leqslant \frac{1}{2}.\\ x+1-\{x\},\ \text {if}\ \frac{1}{2}<\{x\}<1. \end{array} \right. \end{aligned}$$
(4.3.1)

In fact, \(\lfloor x\rceil \) is the only integer satisfying

$$\begin{aligned} x=\lfloor x\rceil +r,\ -\frac{1}{2}<r\leqslant \frac{1}{2},\ \text {and}\ r=\frac{1}{2}\Leftrightarrow \{x\}=\frac{1}{2}. \end{aligned}$$
(4.3.2)

We call \(\lfloor x\rceil \) the rounding function; its properties are summarized in the following two lemmas.

Lemma 4.3.1

(i) \(\lfloor x+n\rceil =n+\lfloor x\rceil \), \(n\in \mathbb {Z}\), \(x\in \mathbb {R}\).

(ii) \(\lfloor -x\rceil =\left\{ \begin{array}{l} -\lfloor x\rceil ,\ \text {if}\ \{x\}\ne \frac{1}{2}.\\ -1-\lfloor x\rceil ,\ \text {if}\ \{x\}=\frac{1}{2}. \end{array} \right. \)

(iii) For any integers \(a,b\in \mathbb {Z}\), \(b\ne 0\), we have the following division: \(a=\lfloor \frac{a}{b}\rceil b+r\), where \(-\frac{b}{2}<r\leqslant \frac{b}{2}\).

(iv) \(\lfloor x\rceil +\lfloor y\rceil -1\leqslant \lfloor x+y\rceil \leqslant \lfloor x\rceil +\lfloor y\rceil +1\), \(\forall x,y\in \mathbb {R}\).

(v) \(\lfloor \frac{\lfloor x\rceil }{n}\rceil =\lfloor \frac{x}{n}\rceil \), \(\forall n\in \mathbb {Z}\), \(n\geqslant 1\), \(x\in \mathbb {R}\).

Proof

By (4.3.2),

$$\begin{aligned} \lfloor x+n\rceil =\lfloor \lfloor x\rceil +r+n\rceil =n+\lfloor x\rceil , \end{aligned}$$

so (i) holds. If \(\{x\}\ne \frac{1}{2}\), then \(r\ne \frac{1}{2}\), so \(-\frac{1}{2}<r<\frac{1}{2}\), and we have

$$\begin{aligned} \lfloor -x\rceil =\lfloor -\lfloor x\rceil -r\rceil =-\lfloor x\rceil . \end{aligned}$$

If \(r=\frac{1}{2}\), then \(\{x\}=\frac{1}{2}\), and \(1-r=\frac{1}{2}\), so that

$$\begin{aligned} \lfloor -x\rceil =\lfloor -\lfloor x\rceil -1+1-r\rceil =-1-\lfloor x\rceil , \end{aligned}$$

we have (ii). Properties (iii) and (iv) can be proved similarly. To prove (v), let \(x=\lfloor x\rceil +r\); then \(-\frac{1}{2n}<\frac{r}{n}\leqslant \frac{1}{2n}\), thus

$$\begin{aligned} \lfloor \frac{x}{n}\rceil =\lfloor \frac{\lfloor x\rceil }{n}+\frac{r}{n}\rceil =\lfloor \frac{\lfloor x\rceil }{n}\rceil . \end{aligned}$$

Lemma 4.3.1 holds.    \(\square \)

Definition 4.3.1

Let t and q be positive integers. We define the function \(f:\mathbb {Z}\rightarrow \mathbb {Z}\) as

$$\begin{aligned} f(a)=\lfloor \frac{q}{t}a\rceil ,\ \forall a\in \mathbb {Z}. \end{aligned}$$
(4.3.3)

Lemma 4.3.2

Let \(a,b\in \mathbb {Z}\), then

$$\begin{aligned} a\equiv b\ (\text {mod}\ t)\Rightarrow f(a)\equiv f(b)\ (\text {mod}\ q). \end{aligned}$$

Proof

Since \(a\equiv b\ (\text {mod}\ t)\), we write \(a=st+b\), therefore

$$\begin{aligned} f(a)=\lfloor \frac{q}{t}(st+b)\rceil =\lfloor sq+\frac{q}{t}b\rceil =sq+\lfloor \frac{q}{t}b\rceil =sq+f(b). \end{aligned}$$

So we have \(f(a)\equiv f(b)\ (\text {mod}\ q)\).    \(\square \)

By the above lemma, f induces a function from \(\mathbb {Z}_t\) to \(\mathbb {Z}_q\), and we define its ‘inverse function’ \(f^{-1}:\mathbb {Z}_q\rightarrow \mathbb {Z}_t\) as follows

$$\begin{aligned} f^{-1}(b)=\lfloor \frac{tb}{q}\rceil ,\ \forall b\in \mathbb {Z}_q. \end{aligned}$$
(4.3.4)

Lemma 4.3.3

(i) If \(t\leqslant q\), then for all \(a\in \mathbb {Z}\) we have

$$\begin{aligned} f^{-1}f(a)=a. \end{aligned}$$

(ii) If \(t>q\) and \(a\in \mathbb {Z}_t\) is chosen uniformly at random, then

$$\begin{aligned} Pr\{f^{-1}f(a)\ne a\}=1-\frac{q}{t}. \end{aligned}$$
(4.3.5)

Proof

We first prove (i). If \(t=q\), then

$$\begin{aligned} f(a)=\lfloor \frac{q}{t}a\rceil =\lfloor a\rceil =a\Rightarrow f^{-1}f(a)=f^{-1}(a)=\lfloor \frac{t}{q}a\rceil =\lfloor a\rceil =a,\ \forall a\in \mathbb {Z}. \end{aligned}$$

If \(t<q\), then \(\frac{q}{2t}>\frac{1}{2}\), and by the definition of the rounding function,

$$\begin{aligned} \frac{q}{t}a-\frac{1}{2}\leqslant \lfloor \frac{q}{t}a\rceil <\frac{q}{t}a+\frac{1}{2}, \end{aligned}$$

it follows that

$$\begin{aligned} \frac{q}{t}a-\frac{q}{2t}<\frac{q}{t}a-\frac{1}{2}\leqslant \lfloor \frac{q}{t}a\rceil<\frac{q}{t}a+\frac{1}{2}<\frac{q}{t}a+\frac{q}{2t}. \end{aligned}$$

So we can get

$$\begin{aligned} \frac{q}{t}a-\frac{q}{2t}<\lfloor \frac{q}{t}a\rceil <\frac{q}{t}a+\frac{q}{2t}, \end{aligned}$$

which is equivalent to

$$\begin{aligned} a-\frac{1}{2}<\frac{t}{q}\lfloor \frac{q}{t}a\rceil <a+\frac{1}{2}, \end{aligned}$$
$$\begin{aligned} -\frac{1}{2}<\frac{t}{q}\lfloor \frac{q}{t}a\rceil -a<\frac{1}{2}. \end{aligned}$$

Thus,

$$\begin{aligned} \lfloor \frac{t}{q}\lfloor \frac{q}{t}a\rceil -a\rceil =0\Rightarrow \lfloor \frac{t}{q}\lfloor \frac{q}{t}a\rceil \rceil =a. \end{aligned}$$

This means that

$$\begin{aligned} f^{-1}f(a)=a,\ \forall a\in \mathbb {Z}. \end{aligned}$$

Next we prove (ii); now \(q<t\). By Lemma 4.3.2 we only need to count the elements \(a\in \mathbb {Z}_t\) satisfying \(f^{-1}f(a)\ne a\). By (i) we get

$$\begin{aligned} \lfloor \frac{q}{t}\lfloor \frac{t}{q}b\rceil \rceil =b,\ \forall b\in \mathbb {Z}_q. \end{aligned}$$

This is equivalent to

$$\begin{aligned} f\left( \lfloor \frac{t}{q}b\rceil \right) =b,\ \forall b\in \mathbb {Z}_q. \end{aligned}$$

So we have

$$\begin{aligned} f^{-1}f\left( \lfloor \frac{t}{q}b\rceil \right) =f^{-1}(b)=\lfloor \frac{t}{q}b\rceil ,\ \forall b\in \mathbb {Z}_q. \end{aligned}$$

Here \(0,\lfloor \frac{t}{q}\rceil ,\lfloor \frac{2t}{q}\rceil ,\dots ,\lfloor \frac{(q-1)t}{q}\rceil \) are pairwise distinct in \(\mathbb {Z}_t\). Next we prove that the number of \(a\in \mathbb {Z}_t\) satisfying \(f^{-1}(f(a))=a\) is no more than q. Let A be the set of all elements of \(\mathbb {Z}_t\) satisfying \(f^{-1}(f(a))=a\). For \(a_1,a_2\in A\) with \(a_1\ne a_2\) in \(\mathbb {Z}_t\), we have \(f(a_1)\not \equiv f(a_2)\ (\text {mod}\ q)\), i.e. \(f(a_1)\ne f(a_2)\) in \(\mathbb {Z}_q\), since otherwise \(a_1=f^{-1}(f(a_1))=f^{-1}(f(a_2))=a_2\). This means the size of A is no more than q. Altogether, \(0,\lfloor \frac{t}{q}\rceil ,\lfloor \frac{2t}{q}\rceil ,\dots ,\lfloor \frac{(q-1)t}{q}\rceil \) are exactly the elements of \(\mathbb {Z}_t\) such that \(f^{-1}(f(a))=a\). Since a is uniformly chosen in \(\mathbb {Z}_t\),

$$\begin{aligned} Pr\{f^{-1}f(a)\ne a\}=1-\frac{q}{t}. \end{aligned}$$

We complete the proof.    \(\square \)

To generalize the functions f and \(f^{-1}\) from one dimension to higher dimensions, we give the following definition.

Definition 4.3.2

Let t, q, l be positive integers. We define the function \(F:\mathbb {Z}_t^l\rightarrow \mathbb {Z}_q^l\) as

$$\begin{aligned} F(a)=\left( \lfloor \frac{q}{t}a_1\rceil ,\lfloor \frac{q}{t}a_2\rceil ,\dots ,\lfloor \frac{q}{t}a_l\rceil \right) \in \mathbb {Z}_q^l,\ \forall a=(a_1,a_2,\dots ,a_l)\in \mathbb {Z}_t^l, \end{aligned}$$
(4.3.6)

and the ‘inverse function’ \(F^{-1}:\mathbb {Z}_q^l\rightarrow \mathbb {Z}_t^l\) as

$$\begin{aligned} F^{-1}(b)=\left( \lfloor \frac{t}{q}b_1\rceil ,\lfloor \frac{t}{q}b_2\rceil ,\dots ,\lfloor \frac{t}{q}b_l\rceil \right) \in \mathbb {Z}_t^l,\ \forall b=(b_1,b_2,\dots ,b_l)\in \mathbb {Z}_q^l. \end{aligned}$$
(4.3.7)

Lemma 4.3.4

For \(a=(a_1,a_2,\dots ,a_l)\in \mathbb {Z}_t^l\), if a is uniformly random and \(a_1,a_2,\dots ,a_l\) are mutually independent, we have

$$\begin{aligned} Pr\{F^{-1}F(a)\ne a\}=\max \left\{ 0,1-\left( \frac{q}{t}\right) ^l\right\} . \end{aligned}$$
(4.3.8)

Proof

If \(t\leqslant q\), then by Lemma 4.3.3,

$$\begin{aligned} f^{-1}f(a_i)=a_i,\ \forall a_i\in \mathbb {Z}_t,\ \forall 1\leqslant i\leqslant l. \end{aligned}$$

So

$$\begin{aligned} F^{-1}F(a)=a,\ \forall a\in \mathbb {Z}_t^l. \end{aligned}$$
$$\begin{aligned} Pr\{F^{-1}F(a)\ne a\}=0=\max \left\{ 0,1-\left( \frac{q}{t}\right) ^l\right\} . \end{aligned}$$

If \(t>q\), then by Lemma 4.3.3,

$$\begin{aligned} Pr\{f^{-1}f(a_i)=a_i\}=\frac{q}{t},\ a_i\in \mathbb {Z}_t,\ \forall 1\leqslant i\leqslant l. \end{aligned}$$

Since \(a_1,a_2,\dots ,a_l\) are independent,

$$\begin{aligned} Pr\{F^{-1}F(a)=a\}=\left( \frac{q}{t}\right) ^l,\ a\in \mathbb {Z}_t^l. \end{aligned}$$
$$\begin{aligned} Pr\{F^{-1}F(a)\ne a\}=1-\left( \frac{q}{t}\right) ^l=\max \{0,1-(\frac{q}{t})^l\}. \end{aligned}$$

This finishes the proof.    \(\square \)
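The rounding function and the maps f, \(f^{-1}\), F, \(F^{-1}\) of Definitions 4.3.1 and 4.3.2, with the identities of Lemma 4.3.1 and the exact probabilities of Lemmas 4.3.3 and 4.3.4, as an added Python example that is not the book's code. Exact rational arithmetic is used so that the tie rule of (4.3.2) (halves round down) is applied exactly, and the lemma checks enumerate all of \(\mathbb {Z}_t\) or \(\mathbb {Z}_t^l\), so the probabilities come out as exact fractions rather than estimates.

```python
"""The rounding function [x] and the maps f, f^{-1}, F, F^{-1} of Sect. 4.3.

Added example; not the book's code. Exact rational arithmetic (fractions.Fraction)
is used so that the tie rule of (4.3.2), x = [x] + r with -1/2 < r <= 1/2 (halves
round down), is applied exactly. The lemma checks below are exhaustive over Z_t or
Z_t^l, so the probabilities of Lemmas 4.3.3 and 4.3.4 come out as exact fractions.
"""
import itertools
import math
from fractions import Fraction


def nearest_int(x):
    """[x] of (4.3.1)/(4.3.2): the unique integer with x - [x] in (-1/2, 1/2]."""
    return math.ceil(Fraction(x) - Fraction(1, 2))


def f(a, t, q):
    """f(a) = [q a / t], (4.3.3), reduced into Z_q = {0, ..., q-1}."""
    return nearest_int(Fraction(q * a, t)) % q


def f_inv(b, t, q):
    """f^{-1}(b) = [t b / q], (4.3.4), reduced into Z_t."""
    return nearest_int(Fraction(t * b, q)) % t


def F(vec, t, q):
    """Coordinate-wise f, (4.3.6)."""
    return tuple(f(a, t, q) for a in vec)


def F_inv(vec, t, q):
    """Coordinate-wise f^{-1}, (4.3.7)."""
    return tuple(f_inv(b, t, q) for b in vec)


def rounding_identities_hold(x, y, n):
    """Lemma 4.3.1 (i), (ii) and (iv) at the rationals x, y and the integer n."""
    x, y = Fraction(x), Fraction(y)
    frac_x = x - math.floor(x)                      # the fractional part {x}
    i = nearest_int(x + n) == n + nearest_int(x)
    ii = nearest_int(-x) == (-nearest_int(x) if frac_x != Fraction(1, 2) else -1 - nearest_int(x))
    lo = nearest_int(x) + nearest_int(y) - 1
    hi = nearest_int(x) + nearest_int(y) + 1
    iv = lo <= nearest_int(x + y) <= hi
    return i and ii and iv


def failure_probability_1d(t, q):
    """Exact Pr{f^{-1} f(a) != a} for a uniform in Z_t (Lemma 4.3.3 predicts max(0, 1 - q/t))."""
    bad = sum(1 for a in range(t) if f_inv(f(a, t, q), t, q) != a)
    return Fraction(bad, t)


def failure_probability(t, q, l):
    """Exact Pr{F^{-1} F(a) != a} for a uniform in Z_t^l (Lemma 4.3.4 predicts max(0, 1 - (q/t)^l))."""
    bad = sum(1 for a in itertools.product(range(t), repeat=l) if F_inv(F(a, t, q), t, q) != a)
    return Fraction(bad, t ** l)


def predicted(t, q, l=1):
    """The right-hand side of (4.3.5) (l = 1) and of (4.3.8)."""
    return max(Fraction(0), 1 - Fraction(q, t) ** l)


if __name__ == "__main__":
    for t, q, l in [(3, 5, 1), (5, 3, 1), (7, 3, 1), (5, 3, 2), (4, 2, 3)]:
        print(f"t={t} q={q} l={l}: exact {failure_probability(t, q, l)}, predicted {predicted(t, q, l)}")
```

For \(t>q\) the fixed points of \(f^{-1}f\) on \(\mathbb {Z}_t\) are exactly the q values \(\lfloor \frac{jt}{q}\rceil \), \(0\leqslant j<q\), so the failure probability is \(1-\frac{q}{t}\); with independent coordinates the success probabilities multiply, which is the content of Lemma 4.3.4. In a deployed scheme \(t\leqslant q\) is the only usable regime, since for \(t>q\) the map loses information before any noise is added.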

4.4 General LWE-Based Cryptosystem

We introduced the LWE cryptosystem proposed by Regev in Sect. 4.1 and proved its security in Sect. 4.2. However, it can only encrypt a single bit of plaintext, and its efficiency is low. Based on the definition and properties of the rounding function given in Sect. 4.3, Regev presented a general LWE cryptosystem in 2009 (Regev 2010), which encrypts multiple bits of plaintext \(v\in \mathbb {Z}_t^l\) with size \(O(t^l)\) and improves the efficiency significantly. In this section we first introduce the general LWE cryptosystem. Then we discuss its probability of decryption error and prove that it can be made sufficiently small with suitable parameters. This verifies our core claim that the LWE cryptosystem can achieve high security.

Let t, q, m, n, l, r be positive integers with \(q>t\); the function F and its ‘inverse function’ \(F^{-1}\) are defined in Definition 4.3.2. The workflow of the general LWE cryptosystem is as follows:

(1) Selection of the private key S: \(S\in \mathbb {Z}_q^{n\times l}\) is an \(n\times l\) matrix chosen uniformly at random over \(\mathbb {Z}_q\).

In the LWE cryptosystem of Sect. 4.1, the private key is a randomly chosen n dimensional vector \(s\in \mathbb {Z}_q^n\). To encrypt the more general plaintext \(v\in \mathbb {Z}_t^l\), we select l private keys \(s_1,s_2,\dots ,s_l\in \mathbb {Z}_q^n\) independently and uniformly at random, and form the \(n\times l\) matrix \(S=[s_1,s_2,\dots ,s_l]\). This is the private key S of the general LWE cryptosystem.

(2) Public key.

Once the private key \(S\in \mathbb {Z}_q^{n\times l}\) is fixed, in order to draw samples from the LWE distribution we first select m uniform n dimensional vectors \(a_1,a_2,\dots ,a_m\in \mathbb {Z}_q^n\) and form the uniformly random matrix

$$\begin{aligned} A=[a_1,a_2,\dots ,a_m]_{n\times m}\in \mathbb {Z}_q^{n\times m}. \end{aligned}$$

Then we generate an \(m\times l\) noise matrix \(E=(E_{ij})_{m\times l}\) with entries sampled from the distribution \(\overline{\psi }_{\alpha }\), where \(\overline{\psi }_{\alpha }\) is defined by (4.4.1) and (3.3.13), i.e. \(E_{ij}\in \mathbb {Z}_q\), \(E_{ij}\leftarrow \overline{\psi }_{\alpha }\), \(1\leqslant i\leqslant m\), \(1\leqslant j\leqslant l\), and the \(m\times l\) samples are mutually independent. Finally we obtain the \(m\times l\) matrix P

$$\begin{aligned} P=A^T S+E=\begin{pmatrix}<a_1,s_1>+E_{11} &{} \cdots &{}<a_1,s_l>+E_{1l} \\ \vdots &{} \ddots &{} \vdots \\<a_m,s_1>+E_{m1} &{} \cdots &{} <a_m,s_l>+E_{ml} \end{pmatrix}_{m\times l}. \end{aligned}$$

The public key of the general LWE cryptosystem is (A, P), similar to that in Sect. 4.1: the only change is that the public key component \(b\in \mathbb {Z}_q^m\) becomes the \(m\times l\) matrix \(P\in \mathbb {Z}_q^{m\times l}\). If the uniformly random matrix A is fixed and stored for all users of the LWE cryptosystem, then the true public key is the matrix P, and the public key and private key satisfy the following equation

$$\begin{aligned} P-A^T S \equiv _{\overline{\psi }_{\alpha }} E\ (\text {mod}\ q). \end{aligned}$$

(3) Encryption.

To encrypt multiple bits of plaintext \(v\in \mathbb {Z}_t^l\), let \(a\in \{-r,-r+1,\dots ,r\}^m\) be an m dimensional vector with each entry selected uniformly from \(\{-r,-r+1,\dots ,r\}\), i.e. a is uniformly distributed. The ciphertext \(\begin{pmatrix} u\\ c \end{pmatrix}\) is an \(n+l\) dimensional vector, defined by

$$\begin{aligned} g_{A,P}(v)=\begin{pmatrix} u\\ c \end{pmatrix},\ u=A a,\ c=P^T a+F(v), \end{aligned}$$

where F is defined in (4.3.6), and \(g_{A,P}\) is called the encryption algorithm of LWE cryptosystem.

(4) Decryption.

Given ciphertext (u, c) and the private key S, we compute \(F^{-1}(c-S^T u)\) as the result of decryption. We have

$$\begin{aligned} F^{-1}(c-S^{T}u) &=F^{-1}(P^{T}a+F(v)-S^{T}u)\\ &=F^{-1}((A^T S+E)^{T}a+F(v)-S^{T}A a)\\ &=F^{-1}(E^{T}a+F(v)). \end{aligned}$$

Next we calculate the probability of decryption error for this cryptosystem, namely the probability that \(F^{-1}(E^{T}a+F(v))\ne v\). The following Theorem 4.4.1 estimates this probability; it is the main result of this section.

Theorem 4.4.1

Suppose \(q>t\). Then the probability of decryption error satisfies the following inequality:

$$\begin{aligned} Pr\{F^{-1}(E^{T}a+F(v))\ne v\}\leqslant 2l\Big (1-\Phi \big (\frac{q-t}{2\alpha tq} \sqrt{\frac{6\pi }{mr(r+1)}}\big )\Big ). \end{aligned}$$
(4.4.1)

Here \(\Phi \) is the cumulative distribution function of the standard normal distribution, i.e. \(\Phi (x)=\int _{-\infty }^{x} \frac{1}{\sqrt{2\pi }} e^{-\frac{t^2}{2}} \textrm{d}t\).

Proof

Denote \(v{=}(v_1,v_2,\dots ,v_l)\), \(E_{m\times l}=(E_1,E_2,\dots ,E_l)\), where \(E_1,E_2,\dots ,E_l\) are all m dimensional column vectors. Let \(f^{-1}(E_i^{T}a+f(v_i))\) be the ith coordinate of \(F^{-1}(E^{T}a+F(v))\), \(1\leqslant i\leqslant l\). According to the definition of rounding function,

$$\begin{aligned} -\frac{1}{2}<\frac{q}{t}v_i-\lfloor \frac{q}{t}v_i\rceil \leqslant \frac{1}{2}, \end{aligned}$$
$$\begin{aligned} -\frac{t}{2q}\leqslant \frac{t}{q}\lfloor \frac{q}{t}v_i\rceil -v_i<\frac{t}{2q}. \end{aligned}$$

So if \(\left| \frac{t}{q}E_i^{T}a\right| <\frac{1}{2}-\frac{t}{2q}\), we get

$$\begin{aligned} \left| \frac{t}{q}E_i^{T}a+\frac{t}{q}\lfloor \frac{q}{t}v_i\rceil -v_i\right| <\frac{1}{2}-\frac{t}{2q}+\frac{t}{2q}=\frac{1}{2}. \end{aligned}$$

It follows that

$$\begin{aligned} \lfloor \frac{t}{q}E_i^{T}a+\frac{t}{q}\lfloor \frac{q}{t}v_i\rceil -v_i\rceil =0, \end{aligned}$$

this means

$$\begin{aligned} \lfloor \frac{t}{q}E_i^{T}a+\frac{t}{q}\lfloor \frac{q}{t}v_i\rceil \rceil =v_i, \end{aligned}$$
$$\begin{aligned} f^{-1}\left( E_i^{T}a+f(v_i)\right) =v_i, \end{aligned}$$

namely, if \(|\frac{t}{q}E_i^{T}a|<\frac{1}{2}-\frac{t}{2q}\), then \(f^{-1}(E_i^{T}a+f(v_i))=v_i\). Equivalently, if \(f^{-1}\left( E_i^{T}a+f(v_i)\right) \ne v_i\), i.e. a decryption error occurs in the ith letter, then \(\left| \frac{t}{q}E_i^{T}a\right| \geqslant \frac{1}{2}-\frac{t}{2q}\). So the probability of a decryption error in one letter is no more than the probability that \(\left| \frac{t}{q}E_i^{T}a\right| \geqslant \frac{1}{2}-\frac{t}{2q}\), i.e.

$$\begin{aligned} Pr\left\{ f^{-1}\left( E_i^{T}a+f(v_i)\right) \ne v_i\right\} \leqslant Pr\left\{ \left| \frac{t}{q}E_i^{T}a\right| \geqslant \frac{1}{2}-\frac{t}{2q}\right\} . \end{aligned}$$

In the next step we estimate the probability that \(|\frac{t}{q}E_i^{T}a|\geqslant \frac{1}{2}-\frac{t}{2q}\). Since each coordinate of \(E_i\) is chosen independently from the Gaussian distribution with mean 0 and standard deviation \(\alpha q/\sqrt{2\pi }\), and the sum of independent Gaussian variables is still a Gaussian variable, \(E_i^{T}a\) is also a Gaussian variable. Let \(a=(a_1,a_2,\dots ,a_m)\), where each \(a_i\) is chosen from \(\{-r,-r+1,\cdots ,r\}\) uniformly at random; then

$$\begin{aligned} E(a_i)=\frac{-r+(-r+1)+\cdots +r}{2r+1}=0, \end{aligned}$$
$$\begin{aligned} Var(a_i)=\frac{(-r)^2+(-r+1)^2+\cdots +r^2}{2r+1}=\frac{r(r+1)}{3}. \end{aligned}$$
$$\begin{aligned} E(E_i^{T}a)=0. \end{aligned}$$
$$\begin{aligned} Var\left( E_i^{T}a\right) =\left( \frac{\alpha q}{\sqrt{2\pi }}\right) ^2 \cdot \frac{r(r+1)}{3}m=\frac{\alpha ^2 q^2\,m r(r+1)}{6\pi }. \end{aligned}$$

Therefore \(E_i^{T}a\) is treated as a normal distribution with mean 0 and standard deviation \(\alpha q\sqrt{mr(r+1)}/\sqrt{6\pi }\). We have

$$\begin{aligned} Pr\left\{ \left| \frac{t}{q}E_i^{T}a\right| \geqslant \frac{1}{2}-\frac{t}{2q}\right\} &=Pr\left\{ \left| E_i^{T}a\right| \geqslant \frac{q-t}{2t}\right\} \\ &=Pr\left\{ \left| E_i^{T}a\right| /\left( \alpha q\sqrt{\frac{mr(r+1)}{6\pi }}\right) \geqslant \frac{q-t}{2t}/ \left( \alpha q\sqrt{\frac{mr(r+1)}{6\pi }}\right) \right\} \\ &=Pr\left\{ \left| E_i^{T}a\right| /\left( \alpha q\sqrt{\frac{mr(r+1)}{6\pi }}\right) \geqslant \frac{q-t}{2\alpha tq}\sqrt{\frac{6\pi }{mr(r+1)}}\right\} \\ &=2\Big (1-\Phi \big (\frac{q-t}{2\alpha tq} \sqrt{\frac{6\pi }{mr(r+1)}}\big )\Big ). \end{aligned}$$

So we get the following inequality for the probability of decryption error of the LWE cryptosystem:

$$\begin{aligned} Pr\{F^{-1}(E^{T}a+F(v))\ne v\} \end{aligned}$$
$$\begin{aligned} \leqslant l Pr\left\{ f^{-1}\left( E_i^{T}a+f(v_i)\right) \ne v_i\right\} \end{aligned}$$
$$\begin{aligned} \leqslant lPr\left\{ \left| \frac{t}{q}E_i^{T}a\right| \geqslant \frac{1}{2}-\frac{t}{2q}\right\} \end{aligned}$$
$$\begin{aligned} = 2l\Big (1-\Phi \big (\frac{q-t}{2\alpha tq} \sqrt{\frac{6\pi }{mr(r+1)}}\big )\Big ). \end{aligned}$$

   \(\square \)

The upper bound can be made as close to 0 as we like by choosing \(\alpha \) small enough. This means that the probability of decryption error for the LWE cryptosystem can be made very small with an appropriate choice of parameters.

4.5 Probability of Decryption Error for General Disturbance

In this section we estimate the probability of decryption error for the LWE cryptosystem when the entries of the noise matrix \(E=(E_{ij})_{m\times l}\) are chosen independently from a general common random variable rather than from a Gaussian distribution. We have the following theorem.

Theorem 4.5.1

Let \(q>t\) and \(E=(E_{ij})_{m\times l}\), where each element \(E_{ij}\) is selected independently from a common random variable with mean 0 and standard deviation \(\beta \). For any \(\delta >0\), we can find a positive integer m such that the following inequality for the probability of decryption error holds:

$$\begin{aligned} Pr\{F^{-1}(E^{T}a+F(v))\ne v\}\leqslant 2l\Big (1-\Phi \big (\frac{q-t}{2\beta t} \sqrt{\frac{3}{mr(r+1)}}\big )\Big )+l\delta , \end{aligned}$$
(4.5.1)

Here \(\Phi \) is the cumulative distribution function of the standard normal distribution, i.e. \(\Phi (x)=\int _{-\infty }^{x} \frac{1}{\sqrt{2\pi }} e^{-\frac{t^2}{2}} \textrm{d}t\).

Proof

As in the proof of Theorem 4.4.1, we need to estimate the probability that \(|\frac{t}{q}E_i^{T}a|\geqslant \frac{1}{2}-\frac{t}{2q}\). The coordinates of \(E_i^{T}\) are independent and identically distributed, and \(E_i^{T}\) and a are also independent. By the central limit theorem, Riauba (1975), \(E_i^{T}a\) is approximately normally distributed with mean 0 and standard deviation \(d=\sqrt{mVar(E_{ij}) Var(a_i)}=\beta \sqrt{\frac{mr(r+1)}{3}}\). Thus, for any sufficiently small \(\delta >0\), there is a positive integer m such that

$$\begin{aligned} Pr\left\{ \left| \frac{t}{q}E_i^{T}a\right| \geqslant \frac{1}{2}-\frac{t}{2q}\right\} &=Pr\left\{ \left| E_i^{T}a\right| \geqslant \frac{q-t}{2t}\right\} \\ &=Pr\left\{ \left| E_i^{T}a\right| /\left( \beta \sqrt{\frac{mr(r+1)}{3}}\right) \geqslant \frac{q-t}{2t}/ \left( \beta \sqrt{\frac{mr(r+1)}{3}}\right) \right\} \\ &=Pr\left\{ \left| E_i^{T}a\right| /\left( \beta \sqrt{\frac{mr(r+1)}{3}}\right) \geqslant \frac{q-t}{2\beta t}\sqrt{\frac{3}{mr(r+1)}}\right\} \\ &=2\Big (1-\Phi \big (\frac{q-t}{2\beta t} \sqrt{\frac{3}{mr(r+1)}}\big )\Big )+\varepsilon , \end{aligned}$$

where \(|\varepsilon |\leqslant \delta \). Then we get the following inequality for the probability of decryption error of the LWE cryptosystem for a general disturbance:

$$\begin{aligned} Pr\{F^{-1}(E^{T}a+F(v))\ne v\} &\leqslant l Pr\left\{ f^{-1}\left( E_i^{T}a+f(v_i)\right) \ne v_i\right\} \\ &\leqslant lPr\left\{ \left| \frac{t}{q}E_i^{T}a\right| \geqslant \frac{1}{2}-\frac{t}{2q}\right\} \\ &=2l\Big (1-\Phi \big (\frac{q-t}{2\beta t} \sqrt{\frac{3}{mr(r+1)}}\big )\Big )+l\varepsilon \\ &\leqslant 2l\Big (1-\Phi \big (\frac{q-t}{2\beta t} \sqrt{\frac{3}{mr(r+1)}}\big )\Big )+l\delta .\end{aligned}$$

   \(\square \)

This probability can also be made close to 0 if we choose the parameters \(\beta \sqrt{m}\) and \(\delta \) small enough. Therefore the probability of decryption error of the LWE cryptosystem for a general disturbance can be made very small, which leads to high security.
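To see the bounds of Theorem 4.4.1 and Theorem 4.5.1 in numbers, here is an added Python example (not the book's code) that evaluates the right-hand sides of (4.4.1) and (4.5.1) and measures the empirical per-letter error rate \(Pr\{f^{-1}(E_i^{T}a+f(v_i))\ne v_i\}\) for two of the disturbances discussed in this section: the Gaussian \(\overline{\psi }_{\alpha }\) of Theorem 4.4.1 and the rounded Laplace variable of Example 4.5.2. The parameter values, the function names and the use of Python's random module as the sampler are assumptions of the example; the error samples are kept as signed integers so that \(E_i^{T}a\) can be formed before reduction mod q.

```python
import math
import random


def Phi(x):
    """Cumulative distribution function of the standard normal distribution."""
    return 0.5 * math.erfc(-x / math.sqrt(2.0))


def bound_gaussian(q, t, l, m, r, alpha):
    """Right-hand side of (4.4.1): error entries Gaussian with
    mean 0 and standard deviation alpha*q/sqrt(2*pi)."""
    x = (q - t) / (2.0 * alpha * t * q) * math.sqrt(6.0 * math.pi / (m * r * (r + 1)))
    return 2.0 * l * (1.0 - Phi(x))


def bound_general(q, t, l, m, r, beta, delta):
    """Right-hand side of (4.5.1): error entries of mean 0 and standard deviation beta."""
    x = (q - t) / (2.0 * beta * t) * math.sqrt(3.0 / (m * r * (r + 1)))
    return 2.0 * l * (1.0 - Phi(x)) + l * delta


def round_nearest(x):
    """Rounding function of the text: the integer y with -1/2 < x - y <= 1/2."""
    return math.ceil(x - 0.5)


def gaussian_error(alpha, q):
    """Sampler for psi_bar_alpha (Theorem 4.4.1), returned as a signed integer."""
    sigma = alpha * q / math.sqrt(2.0 * math.pi)
    return lambda rng: round_nearest(rng.gauss(0.0, sigma))


def rounded_laplace_error(lam):
    """Sampler for the disturbance of Example 4.5.2: a Laplace variable with
    density exp(-|x|/lam)/(2*lam), rounded to the nearest integer."""
    return lambda rng: round_nearest(rng.choice((-1.0, 1.0)) * rng.expovariate(1.0 / lam))


def letter_error_rate(sampler, q, t, m, r, trials, seed=0):
    """Empirical probability that one letter decrypts wrongly, i.e. that
    f^{-1}(E_i^T a + f(v_i)) != v_i, with the m coordinates of E_i drawn from
    `sampler`, a uniform in {-r,...,r}^m and v_i uniform in Z_t."""
    rng = random.Random(seed)
    errors = 0
    for _ in range(trials):
        v = rng.randrange(t)
        noise_dot_a = sum(sampler(rng) * rng.randint(-r, r) for _ in range(m))
        w = (noise_dot_a + round_nearest(q * v / t)) % q      # E_i^T a + f(v_i) mod q
        if round_nearest(t * w / q) % t != v:                  # f^{-1} of that residue
            errors += 1
    return errors / trials


if __name__ == "__main__":
    q, t, m, r = 4093, 2, 32, 1
    for alpha in (0.005, 0.2):
        print("alpha =", alpha,
              "bound:", bound_gaussian(q, t, 1, m, r, alpha),
              "empirical:", letter_error_rate(gaussian_error(alpha, q), q, t, m, r, 4000))
    # Example 4.5.1 parameters: the bound reduces numerically to l*delta.
    print("bound (4.5.1) for Example 4.5.1:", bound_general(5, 2, 1, 1, 1, 1e-3, 1e-3))
    print("Example 4.5.2 empirical:", letter_error_rate(rounded_laplace_error(0.05), 5, 2, 1, 1, 4000))
```

For \(\alpha =0.005\) the threshold \((q-t)/(2t)\) lies about 27 standard deviations of \(E_i^{T}a\) away, so the bound is numerically 0 and no error is observed; for \(\alpha =0.2\) the threshold is below one standard deviation and roughly half of the letters decrypt wrongly, in line with the bound. For the parameters of Example 4.5.1 the argument of \(\Phi \) is so large that \(1-\Phi (x)\) evaluates to 0 in floating point, so bound_general returns exactly \(l\delta =10^{-3}\), the value the example compares against.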

Example 4.5.1

Let \(t=2\), \(q=5\), \(l=1\), \(m=1\), \(r=1\), \(\delta =10^{-3}\), \(\beta =10^{-3}\), let \(v\in \mathbb {Z}_2\) be uniformly chosen at random, let the disturbance E be a random variable with the distribution \(\psi _{\beta }\) such that \(Pr\{E=k\}=\frac{\beta ^k}{2\cdot k!} e^{-\beta }\) for positive integers k and \(Pr\{E=0\}=e^{-\beta }\), and let \(a\in \{-1,0,1\}\) be uniformly chosen at random. Then the probability of decryption error satisfies

$$\begin{aligned} Pr\{F^{-1}(Ea+F(v))\ne v\}=Pr\left\{ \lfloor \frac{2}{5}\left( Ea+\lfloor \frac{5}{2}v\rceil \right) \rceil \ne v\right\} \end{aligned}$$
$$\begin{aligned} =\frac{1}{2}Pr\left\{ \lfloor \frac{2}{5}Ea\rceil \ne 0\right\} +\frac{1}{2}Pr\left\{ \lfloor \frac{2}{5}(Ea+2)\rceil \ne 1\right\} \end{aligned}$$
$$\begin{aligned} \leqslant \frac{1}{2}Pr\{E\ne 0\}+\frac{1}{2}Pr\{E\ne 0\} \end{aligned}$$
$$\begin{aligned} =1-Pr\{E=0\}=1-e^{-0.001}<10^{-3}. \end{aligned}$$

On the other hand,

$$\begin{aligned} 2l\Big (1-\Phi \big (\frac{q-t}{2\beta t} \sqrt{\frac{3}{mr(r+1)}}\big )\Big )+l\delta >10^{-3}. \end{aligned}$$

So it follows that

$$\begin{aligned} Pr\{F^{-1}(Ea+F(v))\ne v\}<2l\Big (1-\Phi \big (\frac{q-t}{2\beta t} \sqrt{\frac{3}{mr(r+1)}}\big )\Big )+l\delta , \end{aligned}$$

so the inequality in Theorem 4.5.1 holds.

Example 4.5.2

Let \(t=2\), \(q=5\), \(l=1\), \(m=1\), \(r=1\), \(\delta =10^{-4}\), \(\lambda =0.05\), let \(v\in \mathbb {Z}_2\) be uniformly chosen at random, let the disturbance E be a Laplace random variable with probability density function \(f(x)=\frac{1}{2\lambda }e^{-\frac{|x|}{\lambda }}\), rounded to the nearest integer, and let \(a\in \{-1,0,1\}\) be uniformly chosen at random. As in Example 4.5.1, the probability of decryption error satisfies

$$\begin{aligned} Pr\{F^{-1}(Ea+F(v))\ne v\}=Pr\left\{ \lfloor \frac{2}{5}\left( Ea+\lfloor \frac{5}{2}v\rceil \right) \rceil \ne v\right\} \end{aligned}$$
$$\begin{aligned} \leqslant 1-Pr\{E=0\}=1-\int \limits _{-\frac{1}{2}}^{\frac{1}{2}} \frac{1}{2\lambda }e^{-\frac{|x|}{\lambda }} \textrm{d}x=e^{-10}<10^{-4}. \end{aligned}$$

On the other hand,

$$\begin{aligned} 2l\Big (1-\Phi \big (\frac{q-t}{2\beta t} \sqrt{\frac{3}{mr(r+1)}}\big )\Big )+l\delta >10^{-4}. \end{aligned}$$

We have

$$\begin{aligned} Pr\{F^{-1}(Ea+F(v))\ne v\}<2l\Big (1-\Phi \big (\frac{q-t}{2\beta t} \sqrt{\frac{3}{mr(r+1)}}\big )\Big )+l\delta , \end{aligned}$$

so the inequality in Theorem 4.5.1 holds.