1 Introduction

In this section, we describe a cryptosystem based on the learning with errors problem (LWE) (Micciancio & Regev, 2009; Regev, 2005). First, we introduce the LWE problem. Let p be a prime number, let m and n be positive integers, and consider the following list of equations with errors:

$$\begin{aligned} \left\{ \begin{array}{c}<s,a_1>\approx _{\chi } v_1\ (\text {mod}\ p),\\<s,a_2>\approx _{\chi } v_2\ (\text {mod}\ p),\\ \vdots \\ <s,a_m>\approx _{\chi } v_m\ (\text {mod}\ p). \end{array} \right. \end{aligned}$$

Here \(s\in \mathbb {Z}_{p}^{n}\), \(a_1,a_2,\dots ,a_m\) are chosen independently and uniformly from \(\mathbb {Z}_{p}^{n}\), and \(v_1,v_2,\dots ,v_m\in \mathbb {Z}_{p}\). \(<s,a_i>\) denotes the inner product of the vectors s and \(a_i\). The errors in these equations are generated from a probability distribution \(\chi : \mathbb {Z}_{p}\rightarrow \mathbb {R}^{+}\) on \(\mathbb {Z}_{p}\), i.e. for each equation we have \(v_i=<s,a_i>+e_i\), where \(e_i\in \mathbb {Z}_{p}\) is chosen independently according to \(\chi \). The problem of finding \(s\in \mathbb {Z}_{p}^{n}\) from such equations is called \(\text {LWE}_{p,\chi }\). There is an equivalent, decisional description of the LWE problem. The input is a pair (A, v), where \(A\in \mathbb {Z}_p^{m\times n}\) is chosen uniformly and v is generated in one of two ways: either v is chosen uniformly from \(\mathbb {Z}_{p}^{m}\), or \(v=As+e\) for a uniformly chosen vector \(s\in \mathbb {Z}_{p}^{n}\) and a vector \(e\in \mathbb {Z}_{p}^{m}\) chosen according to \(\chi ^m\). The goal is to distinguish between these two cases with non-negligible probability. The problem is also equivalent to a decoding problem in q-ary lattices (Regev, 2005).

The short integer solution (SIS) problem was first introduced in the seminal work of Ajtai (1996) and has served as the foundation for one-way and collision-resistant hash functions, identification schemes, digital signatures, and other “minicrypt” primitives. A very important work of Regev from 2005 introduced the LWE problem, which is the “encryption-enabling” analogue of the SIS problem (Regev, 2009). In fact, the two problems are very similar and can meaningfully be seen as duals of each other.

The LWE problem is a very robust problem and can be viewed as an extension of a well-known problem in learning theory. It remains hard even if the attacker learns extra information about the secret and the errors. Regev gave a worst-case hardness theorem for LWE (Regev, 2009). The best-known algorithm runs in time exponential in n (Ajtai et al., 2001; Blum et al., 2003; Kumar & Sivakumar, 2001). The theorem is proved by giving a quantum polynomial-time reduction that uses an oracle for LWE to solve \(\text {GapSVP}_{\gamma }\) and \(\text {SIVP}_{\gamma }\) in the worst case, thereby transforming any algorithm that solves LWE into a quantum algorithm for lattice problems. The quantum nature of the reduction is meaningful since there are no known quantum algorithms for \(\text {GapSVP}_{\gamma }\) and \(\text {SIVP}_{\gamma }\) that significantly outperform classical ones, beyond generic quantum speedups. A completely classical reduction would give further confidence in the hardness of LWE; such a reduction was given in 2009 by Peikert (2009). Regev also gave a public-key cryptosystem whose semantic security can provably be based on the LWE problem, and hence on the conjectured quantum hardness of \(\text {GapSVP}_{\gamma }\) and \(\text {SIVP}_{\gamma }\) for \(\gamma =O(n^{3/2})\) (Regev, 2009). The LWE problem has a close relationship with decoding problems in coding theory (Ajtai 2005; Ajtai & Dwork, 1997; Alekhnovich, 2003; Asokan et al., 2007; Ding, 2004; Kawachi et al., 2007; Peikert, 2007; Peikert et al., 2008; Regev, 2004; Signing et al., 2022). Regev’s cryptosystem is secure against passive eavesdroppers since the LWE problem is hard.

Another application of LWE is fully homomorphic encryption (FHE) (Rivest et al., 1978). The earliest FHE constructions were based on average-case assumptions about ideal lattices (Gentry, 2009; Dijk et al., 2010). Later, Brakerski and Vaikuntanathan gave the second generation of FHE constructions, which were based on the LWE problem (Brakerski & Vaikuntanathan, 2011a, 2011b). In 2013, Gentry, Sahai, and Waters proposed an LWE-based FHE scheme with some unique and advantageous properties, such as that homomorphic multiplication does not require any key-switching step and that the scheme can be made identity-based. This yields unbounded FHE based on LWE with just an inverse-polynomial \(n^{-O(1)}\) error rate (Gentry et al., 1999).

Now we introduce the following efficient lattice-based cryptosystem, which has strong theoretical security (Micciancio & Regev, 2009).

  • Private key: \(S\in \mathbb {Z}_{q}^{n\times l}\) is uniformly chosen at random.

  • Public key: \(A\in \mathbb {Z}_{q}^{m\times n}\) is uniformly chosen at random and \(E\in \mathbb {Z}_{q}^{m\times l}\) is chosen from the distribution \(\overline{\psi }_{\alpha }\). The public key is \((A,P=AS+E)\).

  • Encryption: Given \(v\in \mathbb {Z}_{t}^{l}\) from the message space and a public key (A, P), choose a vector \(a\in \{-r,-r+1,\cdots ,r\}^m\) uniformly at random, and compute the ciphertext \((u=A^{T}a,c=P^{T}a+f(v))\).

  • Decryption: Given a ciphertext (u, c) and a private key S, output \(f^{-1}(c-S^{T}u)\).

Here m, n, l, t, q, r are positive integers and \(\alpha >0\). \(\overline{\psi }_{\alpha }\) is defined to be the distribution on \(\mathbb {Z}_{q}\) obtained by sampling a normal variable with mean 0 and standard deviation \(\alpha q/\sqrt{2\pi }\), rounding the result to the nearest integer and reducing it modulo q. f is defined as the function from \(\mathbb {Z}_{t}^{l}\) to \(\mathbb {Z}_{q}^{l}\) that multiplies each coordinate by q/t and rounds to the nearest integer. \(f^{-1}\) is defined to be the “inverse” mapping of f, which multiplies each coordinate by t/q and rounds to the nearest integer. The precise definitions of f and \(f^{-1}\) are given in the next section. The probability of decryption error per letter for this cryptosystem is estimated approximately in (Micciancio & Regev, 2009) as

$$\begin{aligned} \text {error probability per letter}\approx 2\Bigg (1-\varPhi \bigg (\frac{1}{2t\alpha } \sqrt{\frac{6\pi }{mr(r+1)}}\bigg )\Bigg ), \end{aligned}$$
(1)

where \(\varPhi \) is the cumulative distribution function of the standard normal distribution, i.e. \(\varPhi (x)=\int _{-\infty }^{x} \frac{1}{\sqrt{2\pi }} e^{-\frac{t^2}{2}} \textrm{d}t\). We give here a more precise upper bound estimation

$$\begin{aligned} \text {error probability}\leqslant 2l\Bigg (1-\varPhi \bigg (\frac{q-t}{2\alpha tq} \sqrt{\frac{6\pi }{mr(r+1)}}\bigg )\Bigg ). \end{aligned}$$
(2)

This upper bound can be made arbitrarily close to 0 by choosing \(\alpha \) small enough, so the probability of decryption error for the cryptosystem can be made sufficiently small. However, the above estimate assumes a Gaussian disturbance. In our work, we also give the probability of decryption error for the LWE-based cryptosystem under a more general disturbance. By the central limit theorem (Riauba, 1975), a general disturbance can be approximated by a Gaussian one, and we obtain the following probability estimate, which generalizes the one in (Micciancio & Regev, 2009).

$$\begin{aligned} \text {error probability}\leqslant 2l\Bigg (1-\varPhi \bigg (\frac{q-t}{2\beta t} \sqrt{\frac{3}{mr(r+1)}}\bigg )\Bigg )+l\delta . \end{aligned}$$
(3)

Here \(\beta \) is the standard deviation of disturbance distribution, and \(\delta \) is a positive real number.

1.1 Innovation and Contribution

Our work gives an estimate of the probability of decryption error under Gaussian disturbances and proves that the decryption error can be made sufficiently small. The most salient innovation and contribution is that for arbitrary disturbances the decryption error can also be made small enough. This indicates the high security and reliability of the LWE-based cryptosystem. In other words, this cryptosystem is secure enough against passive eavesdroppers and can be applied in many kinds of encryption processes.

2 Methodology

2.1 Preliminary Property

Definition 1

\(\forall x\in \mathbb {R}\), let [x] be the integer closest to x; in particular, [x] is defined to be \(x-\frac{1}{2}\) if the fractional part of x is \(\frac{1}{2}\). It is trivial that \(-\frac{1}{2}<x-[x]\leqslant \frac{1}{2}\) for all \(x\in \mathbb {R}\).

Lemma 1

Let t and q be positive integers with \(t\leqslant q\). For all \(a \in \mathbb {Z}_t\), let \(f(a)=[\frac{q}{t}a]\in \mathbb {Z}_q\). For all \(b \in \mathbb {Z}_q\), let \(f^{-1}(b)=[\frac{t}{q}b]\in \mathbb {Z}_t\). Then \(f^{-1}(f(a))=a\) holds for all \(a \in \mathbb {Z}_t\).

Remark 1

If \(a_1 \equiv a_2\ (\text {mod}\ t)\), we have \(f(a_1)\equiv f(a_2)\ (\text {mod}\ q)\), so the definition of f is well defined and reasonable.

Proof of Lemma 1 (1) If \(t=q\), then we have \(f(a)=[a]=a\) and

$$\begin{aligned} f^{-1}(f(a))=f^{-1}(a)=[a]=a,\ \forall a\in \mathbb {Z}_t. \end{aligned}$$

(2) If \(t<q\), then \(\frac{q}{2t}>\frac{1}{2}\), and by Definition 1 we know

$$\begin{aligned} \frac{q}{t}a-\frac{1}{2}\leqslant \left[ \frac{q}{t}a \right] <\frac{q}{t}a+\frac{1}{2}. \end{aligned}$$

It follows that

$$\begin{aligned} \frac{q}{t}a-\frac{q}{2t}<\frac{q}{t}a-\frac{1}{2}\leqslant \left[ \frac{q}{t}a \right]<\frac{q}{t}a+\frac{1}{2}<\frac{q}{t}a+\frac{q}{2t}. \end{aligned}$$

So we can get

$$\begin{aligned} \frac{q}{t}a-\frac{q}{2t}<\left[ \frac{q}{t}a \right] <\frac{q}{t}a+\frac{q}{2t}. \end{aligned}$$

This is equivalent to

$$\begin{aligned} a-\frac{1}{2}<\frac{t}{q}\left[ \frac{q}{t}a \right] <a+\frac{1}{2}, \end{aligned}$$

and

$$\begin{aligned} -\frac{1}{2}<\frac{t}{q}\left[ \frac{q}{t}a \right] -a<\frac{1}{2}. \end{aligned}$$

Thus,

$$\begin{aligned} \left[ \frac{t}{q}\left[ \frac{q}{t}a \right] -a \right] =0,\ \text {and}\ \left[ \frac{t}{q} \left[ \frac{q}{t}a \right] \right] =a. \end{aligned}$$

This means that

$$\begin{aligned} f^{-1}(f(a))=a,\ \forall a\in \mathbb {Z}_t. \end{aligned}$$

   \(\square \)

Lemma 2

Let t and q be positive integers with \(t>q\). If a is uniformly chosen in \(\mathbb {Z}_t\), then

$$\begin{aligned} P\{f^{-1}(f(a))\ne a\}=1-\frac{q}{t}. \end{aligned}$$

Proof of Lemma 2 Since \(t>q\), applying Lemma 1 with the roles of t and q exchanged gives

$$\begin{aligned} \left[ \frac{q}{t}\left[ \frac{t}{q}b \right] \right] =b,\ \forall b\in \mathbb {Z}_q. \end{aligned}$$

This is equivalent to

$$\begin{aligned} f\left( \left[ \frac{t}{q}b \right] \right) =b,\ \forall b\in \mathbb {Z}_q. \end{aligned}$$

So we get

$$\begin{aligned} f^{-1}\left( f\left( \left[ \frac{t}{q}b \right] \right) \right) =f^{-1}(b)= \left[ \frac{t}{q}b \right] ,\ \forall b\in \mathbb {Z}_q. \end{aligned}$$

Here \(0, \left[ \frac{t}{q} \right] , \left[ \frac{2t}{q} \right] ,\dots , \left[ \frac{(q-1)t}{q} \right] \) are pairwise distinct in \(\mathbb {Z}_t\). Next we prove that the number of a in \(\mathbb {Z}_t\) satisfying \(f^{-1}(f(a))=a\) is no more than q. Let A be the set of all elements of \(\mathbb {Z}_t\) satisfying \(f^{-1}(f(a))=a\). For all \(a_1,a_2\in A\) with \(a_1\ne a_2\) in \(\mathbb {Z}_t\), we have \(f(a_1)\not \equiv f(a_2)\ (\text {mod}\ q)\), i.e. \(f(a_1)\ne f(a_2)\) in \(\mathbb {Z}_q\). This means that the cardinality of A is no more than q.

Altogether, this shows that \(0, \left[ \frac{t}{q} \right] , \left[ \frac{2t}{q} \right] ,\dots , \left[ \frac{(q-1)t}{q} \right] \) are exactly the elements a of \(\mathbb {Z}_t\) such that \(f^{-1}(f(a))=a\). Since a is uniformly chosen in \(\mathbb {Z}_t\), we obtain

$$\begin{aligned} P\{f^{-1}(f(a))\ne a\}=1-\frac{q}{t}. \end{aligned}$$

   \(\square \)

Corollary 1

Let t, q, and l be positive integers. For all \(a=(a_1,a_2,\dots ,a_l) \in \mathbb {Z}_t^l\), let \(f(a)= \left( \left[ \frac{q}{t}a_1 \right] , \left[ \frac{q}{t}a_2 \right] ,\dots , \left[ \frac{q}{t}a_l \right] \right) \in \mathbb {Z}_q^l\). For all \(b=(b_1,b_2,\dots ,b_l) \in \mathbb {Z}_q^l\), let \(f^{-1}(b)= \left( \left[ \frac{t}{q}b_1 \right] ,\left[ \frac{t}{q}b_2 \right] ,\dots , \left[ \frac{t}{q}b_l \right] \right) \in \mathbb {Z}_t^l\). If a is uniformly chosen in \(\mathbb {Z}_t^l\) and \(a_1,a_2,\dots ,a_l\) are independent, then

$$\begin{aligned} P\{f^{-1}(f(a))\ne a\}=\max \left\{ 0,1-\left( \frac{q}{t} \right) ^l \right\} . \end{aligned}$$

Proof of Corollary 1 If \(t\leqslant q\), from Lemma 1, we have

$$\begin{aligned} f^{-1}(f(a_i))=a_i,\ \forall a_i\in \mathbb {Z}_t,\ \forall 1\leqslant i\leqslant l. \end{aligned}$$

So

$$\begin{aligned} f^{-1}(f(a))=a,\ \forall a\in \mathbb {Z}_t^l. \end{aligned}$$
$$\begin{aligned} P\{f^{-1}(f(a))\ne a\}=0=\max \left\{ 0,1-\left( \frac{q}{t} \right) ^l \right\} . \end{aligned}$$

If \(t>q\), from Lemma 2, we have

$$\begin{aligned} P\{f^{-1}(f(a_i))=a_i\}=\frac{q}{t},\ a_i\in \mathbb {Z}_t,\ \forall 1\leqslant i\leqslant l. \end{aligned}$$

Since \(a_1,a_2,\dots ,a_l\) are independent,

$$\begin{aligned} P\{f^{-1}(f(a))=a\}= \left( \frac{q}{t} \right) ^l,\ a\in \mathbb {Z}_t^l. \end{aligned}$$
$$\begin{aligned} P\{f^{-1}(f(a))\ne a\}=1-\left( \frac{q}{t}\right) ^l=\max \left\{ 0,1-\left( \frac{q}{t} \right) ^l \right\} . \end{aligned}$$

   \(\square \)
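As an added check of Lemma 1, Lemma 2 and Corollary 1 (this code is not from the paper), the following Python program enumerates \(\mathbb {Z}_t\) exhaustively and compares the observed fraction of a with \(f^{-1}(f(a))\ne a\) against the closed forms \(\max \{0,1-q/t\}\) and \(\max \{0,1-(q/t)^l\}\). It uses the rounding rule of Definition 1 (a fractional part of exactly 1/2 rounds down) and reduces f modulo q and \(f^{-1}\) modulo t, as in the definitions of the maps. Exact rational arithmetic avoids floating-point ties; the parameter ranges in `check_lemmas` are our own choice.

```python
import math
from fractions import Fraction
from itertools import product


def rnd(x):
    """[x] of Definition 1: the nearest integer, with a fractional part of 1/2 rounded down."""
    return math.ceil(Fraction(x) - Fraction(1, 2))


def f(a, t, q):
    """f: Z_t -> Z_q, a |-> [q a / t] reduced modulo q."""
    return rnd(Fraction(q, t) * a) % q


def f_inv(b, t, q):
    """f^{-1}: Z_q -> Z_t, b |-> [t b / q] reduced modulo t."""
    return rnd(Fraction(t, q) * b) % t


def fixed_points(t, q):
    """All a in Z_t with f^{-1}(f(a)) = a (Lemma 2 says these are [b t / q] for b in Z_q when t > q)."""
    return [a for a in range(t) if f_inv(f(a, t, q), t, q) == a]


def failure_probability(t, q):
    """P{f^{-1}(f(a)) != a} for a uniform in Z_t, by exhaustive enumeration."""
    return 1 - Fraction(len(fixed_points(t, q)), t)


def lemma2_prediction(t, q):
    """Closed form: 0 when t <= q (Lemma 1), 1 - q/t when t > q (Lemma 2)."""
    return max(Fraction(0), 1 - Fraction(q, t))


def corollary1_prediction(t, q, l):
    """Closed form of Corollary 1 for l independent coordinates."""
    return max(Fraction(0), 1 - Fraction(q, t) ** l)


def failure_probability_vector(t, q, l):
    """Exhaustive P{f^{-1}(f(a)) != a} over Z_t^l; a vector fails iff some coordinate fails."""
    bad = sum(1 for a in product(range(t), repeat=l)
              if any(f_inv(f(x, t, q), t, q) != x for x in a))
    return Fraction(bad, t ** l)


def check_lemmas(max_t=12, max_q=12):
    """Compare enumeration against the closed forms for every pair (t, q) up to the given bounds."""
    for t in range(1, max_t + 1):
        for q in range(1, max_q + 1):
            if failure_probability(t, q) != lemma2_prediction(t, q):
                return False
    return True


if __name__ == "__main__":
    print("t=5, q=2: fixed points", fixed_points(5, 2), "failure probability", failure_probability(5, 2))
    print("all (t, q) <= 12 agree with Lemmas 1 and 2:", check_lemmas())
    print("t=5, q=2, l=2:", failure_probability_vector(5, 2, 2), "=", corollary1_prediction(5, 2, 2))
```

For t = 5 and q = 2 the fixed points are 0 and 2 = [5/2] (the tie at 2.5 rounds down), so exactly q = 2 of the t = 5 elements survive the round trip, matching the counting argument in the proof of Lemma 2.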

2.2 Probability of Decryption Error Based on Gaussian Disturbance

Now we can calculate the probability of decryption error for the LWE-based cryptosystem. As described in the first section, assume that S is the private key and (A, P) is the public key, and that we choose \(v\in \mathbb {Z}_t^l\) from the message space, encrypt v, and then decrypt it. The ciphertext is \((u=A^{T}a,c=P^{T}a+f(v))\). The decryption result is

$$\begin{aligned} f^{-1}(c-S^{T}u)&=f^{-1}(P^{T}a+f(v)-S^{T}u)\\ &=f^{-1}((AS+E)^{T}a+f(v)-S^{T}A^{T}a)\\ &=f^{-1}(E^{T}a+f(v)). \end{aligned}$$

Here the decryption result \(f^{-1}(E^{T}a+f(v))\in \mathbb {Z}_t^l\). The decryption error occurs if \(f^{-1}(E^{T}a+f(v))\ne v\). Since all the parameters are taken to guarantee security and efficiency of the cryptosystem, here we set \(q>t\) and obtain the following theorem.

Theorem 1

Let t, q, l, m, r be positive integers with \(q>t\). Let \(v\in \mathbb {Z}_t^l\), let f be defined as in the previous section, let \(E_{m\times l}\) be a Gaussian disturbance matrix with each element chosen independently from the Gaussian distribution with mean 0 and standard deviation \(\alpha q/\sqrt{2\pi }\), and let \(a\in \{-r,-r+1,\cdots ,r\}^m\) be uniformly chosen at random. Then we have the following inequality for the probability of decryption error.

$$\begin{aligned} P\{f^{-1}(E^{T}a+f(v))\ne v\}\leqslant 2l\left( 1-\varPhi \left( \frac{q-t}{2\alpha tq} \sqrt{\frac{6\pi }{mr(r+1)}}\right) \right) . \end{aligned}$$

Here \(\varPhi \) is the cumulative distribution function of the standard normal distribution, i.e. \(\varPhi (x)=\int _{-\infty }^{x} \frac{1}{\sqrt{2\pi }} e^{-\frac{t^2}{2}} \textrm{d}t\).

Proof of Theorem 1 In order to compute the probability of decryption error, we consider one letter first, i.e. the probability of \(f^{-1}(E_i^{T}a+f(v_i))\ne v_i\), here \(v_i\) is the ith coordinate of v, \(E_{m\times l}=(E_1,E_2,\dots ,E_l)\), and \(f^{-1}(E_i^{T}a+f(v_i))\) is the ith coordinate of \(f^{-1}(E^{T}a+f(v))\). From Lemma 1, we know that \(f^{-1}(f(v_i))=v_i\) for any \(v_i\in \mathbb {Z}_t\) under this condition. We have

$$\begin{aligned} -\frac{1}{2}<\frac{q}{t}v_i-\left[ \frac{q}{t}v_i \right] \leqslant \frac{1}{2}. \end{aligned}$$
$$\begin{aligned} -\frac{t}{2q}\leqslant \frac{t}{q}\left[ \frac{q}{t}v_i \right] -v_i<\frac{t}{2q}. \end{aligned}$$

So if \(|\frac{t}{q}E_i^{T}a|<\frac{1}{2}-\frac{t}{2q}\), we get

$$\begin{aligned} \left| \frac{t}{q}E_i^{T}a+\frac{t}{q}\left[ \frac{q}{t}v_i \right] -v_i \right| <\frac{1}{2}-\frac{t}{2q}+\frac{t}{2q}=\frac{1}{2}. \end{aligned}$$
$$\begin{aligned} \left[ \frac{t}{q}E_i^{T}a+\frac{t}{q}\left[ \frac{q}{t}v_i \right] -v_i \right] =0. \end{aligned}$$
$$\begin{aligned} \left[ \frac{t}{q}E_i^{T}a+\frac{t}{q}\left[ \frac{q}{t}v_i \right] \right] =v_i. \end{aligned}$$
$$\begin{aligned} f^{-1}(E_i^{T}a+f(v_i))=v_i. \end{aligned}$$

It means that if \(|\frac{t}{q}E_i^{T}a|<\frac{1}{2}-\frac{t}{2q}\), we can get \(f^{-1}(E_i^{T}a+f(v_i))=v_i\). Equivalently, if \(f^{-1}(E_i^{T}a+f(v_i))\ne v_i\), i.e. the decryption error occurs in the ith letter, then \(|\frac{t}{q}E_i^{T}a|\geqslant \frac{1}{2}-\frac{t}{2q}\). So the probability of decryption error in one letter is no more than the probability of \(|\frac{t}{q}E_i^{T}a|\geqslant \frac{1}{2}-\frac{t}{2q}\), i.e.

$$\begin{aligned} P\{f^{-1}(E_i^{T}a+f(v_i))\ne v_i\}\leqslant P \left\{ \left| \frac{t}{q}E_i^{T}a \right| \geqslant \frac{1}{2}-\frac{t}{2q} \right\} . \end{aligned}$$

The next step is to estimate the probability of \(|\frac{t}{q}E_i^{T}a|\geqslant \frac{1}{2}-\frac{t}{2q}\). Since each coordinate of \(E_i\) is chosen independently from the Gaussian distribution with mean 0 and standard deviation \(\alpha q/\sqrt{2\pi }\), and the sum of independent Gaussian variables is again Gaussian, \(E_i^{T}a\) is also Gaussian. \(a=(a_1,a_2,\dots ,a_m)\) and each \(a_i\) is chosen from \(\{-r,-r+1,\cdots ,r\}\) uniformly at random, so

$$\begin{aligned} E(a_i)=\frac{-r+(-r+1)+\cdots +r}{2r+1}=0. \end{aligned}$$
$$\begin{aligned} \text {Var}(a_i)=\frac{(-r)^2+(-r+1)^2+\cdots +r^2}{2r+1}=\frac{r(r+1)}{3}. \end{aligned}$$
$$\begin{aligned} E(E_i^{T}a)=0. \end{aligned}$$
$$\begin{aligned} \text {Var}(E_i^{T}a)= \left( \frac{\alpha q}{\sqrt{2\pi }} \right) ^2 \cdot \frac{r(r+1)}{3}m=\frac{\alpha ^2 q^2 m r(r+1)}{6\pi }. \end{aligned}$$

Therefore, \(E_i^{T}a\) is treated as a normal distribution with mean 0 and standard deviation \(\alpha q\sqrt{mr(r+1)}/\sqrt{6\pi }\). We have

$$\begin{aligned} P\left\{ \left| \frac{t}{q}E_i^{T}a \right| \geqslant \frac{1}{2}-\frac{t}{2q} \right\} &=P\left\{ \left| E_i^{T}a \right| \geqslant \frac{q-t}{2t} \right\} \\ &=P\left\{ \left| E_i^{T}a\right| \Big / \left( \alpha q\sqrt{\frac{mr(r+1)}{6\pi }} \right) \geqslant \frac{q-t}{2t} \Big / \left( \alpha q\sqrt{\frac{mr(r+1)}{6\pi }} \right) \right\} \\ &=P\left\{ \left| E_i^{T}a \right| \Big / \left( \alpha q\sqrt{\frac{mr(r+1)}{6\pi }} \right) \geqslant \frac{q-t}{2\alpha tq}\sqrt{\frac{6\pi }{mr(r+1)}} \right\} \\ &=2\left( 1-\varPhi \left( \frac{q-t}{2\alpha tq} \sqrt{\frac{6\pi }{mr(r+1)}}\right) \right) . \end{aligned}$$

So we get the following inequality for the probability of decryption error of the LWE-based cryptosystem

$$\begin{aligned} P\{f^{-1}(E^{T}a+f(v))\ne v\}&\leqslant l P\{f^{-1}(E_i^{T}a+f(v_i))\ne v_i\} \\ &\leqslant lP\left\{ \left| \frac{t}{q}E_i^{T}a \right| \geqslant \frac{1}{2}-\frac{t}{2q} \right\} \\ &= 2l\Big (1-\varPhi \left( \frac{q-t}{2\alpha tq} \sqrt{\frac{6\pi }{mr(r+1)}}\right) \Big ). \end{aligned}$$

   \(\square \)

This upper bound is more precise than (1). It can be made as close to 0 as desired by choosing \(\alpha \) small enough, so the probability of decryption error for the LWE-based cryptosystem can be made very small with an appropriate choice of parameters.
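The following Python program is an added illustration, not code from Micciancio and Regev or from this paper, of the cryptosystem described in Section 1 and of the bound of Theorem 1. It implements the rounding \([\cdot ]\) of Definition 1, the maps f and \(f^{-1}\), key generation, encryption and decryption over \(\mathbb {Z}_q\) with the rounded Gaussian \(\overline{\psi }_{\alpha }\), and compares a Monte Carlo estimate of the decryption-error rate (random messages under one fixed key pair) with the right-hand side of (2). Only the Python standard library is used; the parameter values in the demo are constructed for illustration and are far too small to be a secure instantiation.

```python
import math
import random
from fractions import Fraction


def rnd(x):
    """[x] of Definition 1: nearest integer, a fractional part of exactly 1/2 rounds down."""
    return math.ceil(Fraction(x) - Fraction(1, 2))


def f_map(v, t, q):
    """f: Z_t^l -> Z_q^l, multiply each coordinate by q/t and round."""
    return [rnd(Fraction(q, t) * x) % q for x in v]


def f_inv(c, t, q):
    """f^{-1}: Z_q^l -> Z_t^l, multiply each coordinate by t/q and round."""
    return [rnd(Fraction(t, q) * x) % t for x in c]


def sample_psi_bar(q, alpha, rng):
    """One sample of psi-bar_alpha: N(0, (alpha q / sqrt(2 pi))^2), rounded, reduced mod q."""
    return round(rng.gauss(0.0, alpha * q / math.sqrt(2 * math.pi))) % q


def keygen(n, m, l, q, alpha, rng):
    """Private key S (n x l); public key (A, P = AS + E) with A (m x n) and E (m x l)."""
    S = [[rng.randrange(q) for _ in range(l)] for _ in range(n)]
    A = [[rng.randrange(q) for _ in range(n)] for _ in range(m)]
    E = [[sample_psi_bar(q, alpha, rng) for _ in range(l)] for _ in range(m)]
    P = [[(sum(A[i][k] * S[k][j] for k in range(n)) + E[i][j]) % q
          for j in range(l)] for i in range(m)]
    return S, (A, P)


def encrypt(pk, v, t, q, r, rng):
    """Ciphertext (u = A^T a, c = P^T a + f(v)) for a uniform in {-r, ..., r}^m."""
    A, P = pk
    m, n, l = len(A), len(A[0]), len(P[0])
    a = [rng.randint(-r, r) for _ in range(m)]
    u = [sum(A[i][j] * a[i] for i in range(m)) % q for j in range(n)]
    fv = f_map(v, t, q)
    c = [(sum(P[i][j] * a[i] for i in range(m)) + fv[j]) % q for j in range(l)]
    return u, c


def decrypt(S, ct, t, q):
    """Output f^{-1}(c - S^T u), which by the identity of Section 2.2 equals f^{-1}(E^T a + f(v))."""
    u, c = ct
    n, l = len(S), len(S[0])
    w = [(c[j] - sum(S[k][j] * u[k] for k in range(n))) % q for j in range(l)]
    return f_inv(w, t, q)


def Phi(x):
    """Standard normal cumulative distribution function."""
    return 0.5 * (1.0 + math.erf(x / math.sqrt(2.0)))


def gaussian_error_bound(t, q, l, m, r, alpha):
    """Right-hand side of inequality (2), i.e. the bound of Theorem 1."""
    x = (q - t) / (2 * alpha * t * q) * math.sqrt(6 * math.pi / (m * r * (r + 1)))
    return 2 * l * (1.0 - Phi(x))


def empirical_error_rate(t, q, n, m, l, r, alpha, trials, seed=1):
    """Fraction of random messages whose decryption differs from the message, one fixed key pair."""
    rng = random.Random(seed)
    S, pk = keygen(n, m, l, q, alpha, rng)
    errors = 0
    for _ in range(trials):
        v = [rng.randrange(t) for _ in range(l)]
        if decrypt(S, encrypt(pk, v, t, q, r, rng), t, q) != v:
            errors += 1
    return errors / trials


if __name__ == "__main__":
    # Constructed toy parameters (not a secure choice): binary messages, l = 4 letters.
    t, q, n, m, l, r = 2, 4093, 16, 128, 4, 1
    for alpha in (0.01, 0.05):
        print(f"alpha={alpha}: observed error rate {empirical_error_rate(t, q, n, m, l, r, alpha, 400):.3f}, "
              f"bound (2) = {gaussian_error_bound(t, q, l, m, r, alpha):.3e}")
```

With \(\alpha =0.01\) the bound is on the order of \(10^{-11}\) and no decryption error is observed; with \(\alpha =0.05\) the per-letter term \(2(1-\varPhi (x))\) is about 0.17, and the observed rate over four letters stays below the union bound \(2l(1-\varPhi (x))\approx 0.70\), which is exactly the slack the proof of Theorem 1 introduces in its last step.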

2.3 Probability of Decryption Error for General Disturbance

In this section, we estimate the probability of decryption error for the LWE-based cryptosystem when the entries of the noise matrix \(E=(E_{ij})_{m\times l}\) are chosen independently from a common general distribution.

Theorem 2

Let t, q, l, r be positive integers with \(q>t\), and let m be a positive integer to be determined. Let \(v\in \mathbb {Z}_t^l\), let f be defined as in the second section, let \(E_{m\times l}\) be a general disturbance matrix with each element chosen independently from a common random variable with mean 0 and standard deviation \(\beta \), and let \(a\in \{-r,-r+1,\cdots ,r\}^m\) be uniformly chosen at random. For any \(\delta >0\), there is a positive integer m such that the following inequality for the probability of decryption error holds.

$$\begin{aligned} P\{f^{-1}(E^{T}a+f(v))\ne v\}\leqslant 2l\Big (1-\varPhi \left( \frac{q-t}{2\beta t} \sqrt{\frac{3}{mr(r+1)}}\right) \Big )+l\delta . \end{aligned}$$

Here \(\varPhi \) is the cumulative distribution function of the standard normal distribution, i.e. \(\varPhi (x)=\int _{-\infty }^{x} \frac{1}{\sqrt{2\pi }} e^{-\frac{t^2}{2}} \textrm{d}t\).

Proof of Theorem 2 As in the proof of Theorem 1, we need to estimate the probability of \(|\frac{t}{q}E_i^{T}a|\geqslant \frac{1}{2}-\frac{t}{2q}\). Since the coordinates of \(E_i\) are independent and identically distributed, and \(E_i\) and a are independent, by the central limit theorem (Riauba, 1975) \(E_i^{T}a\) is approximately normally distributed with mean 0 and standard deviation \(d=\sqrt{m\,\text {Var}(E_{ij})\,\text {Var}(a_i)}=\beta \sqrt{\frac{mr(r+1)}{3}}\). Thus, for any sufficiently small \(\delta >0\), there is a positive integer m such that

$$\begin{aligned} P\left\{ \left| \frac{t}{q}E_i^{T}a \right| \geqslant \frac{1}{2}-\frac{t}{2q} \right\} &=P\left\{ \left| E_i^{T}a \right| \geqslant \frac{q-t}{2t} \right\} \\ &=P\left\{ \left| E_i^{T}a \right| \Big /\left( \beta \sqrt{\frac{mr(r+1)}{3}} \right) \geqslant \frac{q-t}{2t} \Big / \left( \beta \sqrt{\frac{mr(r+1)}{3}} \right) \right\} \\ &=P\left\{ \left| E_i^{T}a \right| \Big / \left( \beta \sqrt{\frac{mr(r+1)}{3}} \right) \geqslant \frac{q-t}{2\beta t}\sqrt{\frac{3}{mr(r+1)}} \right\} \\ &=2\Big (1-\varPhi \left( \frac{q-t}{2\beta t} \sqrt{\frac{3}{mr(r+1)}}\right) \Big )+\varepsilon . \end{aligned}$$

Here \(|\varepsilon |\leqslant \delta \). Then we get the following inequality for the probability of decryption error of the LWE-based cryptosystem for general disturbance

$$\begin{aligned} P\{f^{-1}(E^{T}a+f(v))\ne v\}&\leqslant l P\{f^{-1}(E_i^{T}a+f(v_i))\ne v_i\} \\ &\leqslant lP \left\{ \left| \frac{t}{q}E_i^{T}a \right| \geqslant \frac{1}{2}-\frac{t}{2q} \right\} \\ &=2l\Big (1-\varPhi \left( \frac{q-t}{2\beta t} \sqrt{\frac{3}{mr(r+1)}}\right) \Big )+l\varepsilon \\ &\leqslant 2l\Big (1-\varPhi \left( \frac{q-t}{2\beta t} \sqrt{\frac{3}{mr(r+1)}}\right) \Big )+l\delta . \end{aligned}$$

   \(\square \)

This probability can also be made close to 0 by choosing \(\beta \sqrt{m}\) and \(\delta \) small enough. Therefore, the probability of decryption error of the LWE-based cryptosystem under a general disturbance can be made very small, which leads to high security.

Example 1

Let \(t=2\), \(q=5\), \(l=1\), \(m=1\), \(r=1\), \(\delta =10^{-3}\), let \(v\in \mathbb {Z}_2\) be uniformly chosen at random, let the disturbance E be a random variable with the distribution \(\psi _{\beta }\) such that \(P\{E=k\}=\frac{\beta ^{|k|}}{2\cdot |k|!} e^{-\beta }\) for nonzero integer k and \(P\{E=0\}=e^{-\beta }\), with parameter \(\beta =10^{-3}\), and let \(a\in \{-1,0,1\}\) be uniformly chosen at random. Then the probability of decryption error satisfies

$$\begin{aligned} P\{f^{-1}(Ea+f(v))\ne v\}&=P \left\{ \left[ \frac{2}{5}\left( Ea+\left[ \frac{5}{2}v\right] \right) \right] \ne v \right\} \\ &=\frac{1}{2}P\left\{ \left[ \frac{2}{5}Ea \right] \ne 0 \right\} +\frac{1}{2}P\left\{ \left[ \frac{2}{5}(Ea+2)\right] \ne 1 \right\} \\ &\leqslant \frac{1}{2}P\{E\ne 0\}+\frac{1}{2}P\{E\ne 0\} \\ &=1-P\{E=0\}=1-e^{-0.001}<10^{-3}. \end{aligned}$$

On the other hand,

$$\begin{aligned} 2l\Big (1-\varPhi \left( \frac{q-t}{2\beta t} \sqrt{\frac{3}{mr(r+1)}}\right) \Big )+l\delta >10^{-3}. \end{aligned}$$

So it follows that

$$\begin{aligned} P\{f^{-1}(Ea+f(v))\ne v\}<2l\Big (1-\varPhi \left( \frac{q-t}{2\beta t} \sqrt{\frac{3}{mr(r+1)}}\right) \Big )+l\delta . \end{aligned}$$

The inequality in Theorem 2 holds.

Example 2

Let \(t=2\), \(q=5\), \(l=1\), \(m=1\), \(r=1\), \(\delta =10^{-4}\), let \(v\in \mathbb {Z}_2\) be uniformly chosen at random, let the disturbance E be a Laplace random variable with parameter \(\lambda =0.05\) and probability density function \(f(x)=\frac{1}{2\lambda }e^{-\frac{|x|}{\lambda }}\), rounded to the nearest integer, and let \(a\in \{-1,0,1\}\) be uniformly chosen at random. As in Example 1, the probability of decryption error satisfies

$$\begin{aligned} P\{f^{-1}(Ea+f(v))\ne v\}=P\left\{ \left[ \frac{2}{5}\left( Ea+\left[ \frac{5}{2}v \right] \right) \right] \ne v \right\} \end{aligned}$$
$$\begin{aligned} \leqslant 1-P\{E=0\}=1-\int \limits _{-\frac{1}{2}}^{\frac{1}{2}} \frac{1}{2\lambda }e^{-\frac{|x|}{\lambda }} \textrm{d}x=e^{-10}<10^{-4}. \end{aligned}$$

On the other hand,

$$\begin{aligned} 2l\Big (1-\varPhi \left( \frac{q-t}{2\beta t} \sqrt{\frac{3}{mr(r+1)}}\right) \Big )+l\delta >10^{-4}. \end{aligned}$$

It follows that

$$\begin{aligned} P\{f^{-1}(Ea+f(v))\ne v\}<2l\Big (1-\varPhi \left( \frac{q-t}{2\beta t} \sqrt{\frac{3}{mr(r+1)}}\right) \Big )+l\delta . \end{aligned}$$

The inequality in Theorem 2 holds.
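Examples 1 and 2 bound the decryption error by \(1-P\{E=0\}\). As an added computation (not part of the paper), the Python program below goes one step further for the same parameters: because \(m=l=1\), it enumerates every triple (v, a, E) over a discrete probability mass function of the noise and sums the mass of the triples for which \(f^{-1}(Ea+f(v))\ne v\), giving the exact error probability alongside the crude bound \(1-P\{E=0\}\) and the right-hand side of (3). The symmetric Poisson noise of Example 1 and the rounded Laplace noise of Example 2 are tabulated with their supports truncated at \(|k|\leqslant 12\) (the omitted mass is negligible for these parameters). Example 2 gives no value of \(\beta \); the code uses the standard deviation of the rounded noise, computed from its mass function, which is our assumption.

```python
import math
from fractions import Fraction


def rnd(x):
    """[x] of Definition 1: nearest integer, ties (fractional part 1/2) rounded down."""
    return math.ceil(Fraction(x) - Fraction(1, 2))


def Phi(x):
    """Standard normal cumulative distribution function."""
    return 0.5 * (1.0 + math.erf(x / math.sqrt(2.0)))


def general_error_bound(t, q, l, m, r, beta, delta):
    """Right-hand side of inequality (3), i.e. the bound of Theorem 2."""
    x = (q - t) / (2 * beta * t) * math.sqrt(3 / (m * r * (r + 1)))
    return 2 * l * (1.0 - Phi(x)) + l * delta


def symmetric_poisson_pmf(beta, kmax=12):
    """Example 1 noise psi_beta: P{E=0} = e^{-beta}, P{E=k} = beta^|k| e^{-beta} / (2 |k|!) for k != 0.
    The support is truncated at |k| <= kmax; the omitted mass is negligible for small beta."""
    pmf = {0: math.exp(-beta)}
    for k in range(1, kmax + 1):
        p = beta ** k * math.exp(-beta) / (2 * math.factorial(k))
        pmf[k] = pmf[-k] = p
    return pmf


def rounded_laplace_pmf(lam, kmax=12):
    """Example 2 noise: the Laplace density (1/(2 lam)) e^{-|x|/lam} integrated over [k-1/2, k+1/2]."""
    pmf = {0: 1.0 - math.exp(-0.5 / lam)}
    for k in range(1, kmax + 1):
        p = 0.5 * (math.exp(-(k - 0.5) / lam) - math.exp(-(k + 0.5) / lam))
        pmf[k] = pmf[-k] = p
    return pmf


def std_dev(pmf):
    """Standard deviation of a zero-mean integer-valued probability mass function."""
    return math.sqrt(sum(k * k * p for k, p in pmf.items()))


def exact_error_probability(t, q, r, pmf):
    """P{f^{-1}(E a + f(v)) != v} for m = l = 1, v uniform in Z_t, a uniform in {-r, ..., r},
    E distributed by pmf, computed by enumerating every (v, a, E) with arithmetic modulo q."""
    total = 0.0
    for v in range(t):
        fv = rnd(Fraction(q, t) * v) % q
        for a in range(-r, r + 1):
            for e, p in pmf.items():
                w = (e * a + fv) % q
                if rnd(Fraction(t, q) * w) % t != v:
                    total += p / (t * (2 * r + 1))
    return total


def example_1():
    """Parameters of Example 1: t=2, q=5, l=m=r=1, beta=delta=1e-3. Returns (exact, 1-P{E=0}, bound (3))."""
    pmf = symmetric_poisson_pmf(1e-3)
    exact = exact_error_probability(2, 5, 1, pmf)
    bound = general_error_bound(2, 5, 1, 1, 1, 1e-3, 1e-3)
    return exact, 1.0 - pmf[0], bound


def example_2():
    """Parameters of Example 2: t=2, q=5, l=m=r=1, lambda=0.05, delta=1e-4.
    beta is taken as the standard deviation of the rounded noise (our assumption; the paper gives none)."""
    pmf = rounded_laplace_pmf(0.05)
    exact = exact_error_probability(2, 5, 1, pmf)
    bound = general_error_bound(2, 5, 1, 1, 1, std_dev(pmf), 1e-4)
    return exact, 1.0 - pmf[0], bound


if __name__ == "__main__":
    for name, ex in (("Example 1", example_1), ("Example 2", example_2)):
        exact, crude, bound = ex()
        print(f"{name}: exact error {exact:.3e} <= 1 - P(E=0) = {crude:.3e}, bound (3) = {bound:.3e}")
```

The enumeration shows where the slack in the examples comes from: with E = ±1 the only failing case is v = 1 with Ea = −1 (then [2/5·1] = 0), while a = 0 or E = 0 never fails, so the exact error is about one sixth of \(1-P\{E=0\}\) in both examples. The argument of \(\varPhi \) in (3) is in the hundreds for these parameters, so the bound evaluates to \(l\delta \) up to floating-point precision.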

3 Results and Conclusions

In this work, we first introduce the LWE problem and the LWE-based cryptosystem. We give a more precise estimate of the probability of decryption error under independent, identically distributed Gaussian disturbances. The salient significance of our work is that for arbitrary independent, identically distributed disturbances we also give an estimate of the probability of decryption error using the central limit theorem. The upper bound can be made close to 0 by choosing suitable parameters, so the probability of decryption error for the cryptosystem can be made sufficiently small. We thus confirm that the LWE-based cryptosystem can have high security.

4 Discussions

4.1 Future Work

Although we have reached our objective in this work, there are still many interesting problems to study in this research area. We will focus later on fully homomorphic encryption (FHE), which is an application of LWE (Brakerski & Vaikuntanathan, 2011a, 2011b; Dijk et al. 2010; Gentry, 2009; Gentry et al., 1999). Fully homomorphic encryption was known to have abundant applications in cryptography, but for three decades no plausibly secure scheme was known until 2009. To date, FHE has gone through more than three generations. The third-generation FHE scheme based on the LWE problem has been proved to have some unique and advantageous properties (Gentry et al., 1999). Some of its techniques can still be improved and deserve in-depth study.