Abstract
The main purpose of this chapter is to give an extension on learning with errors problem (LWE)-based cryptosystem about the probability of decryption error with more general disturbance. In the first section, we introduce the LWE cryptosystem with its application and some previous research results. Then we give a more precise estimation probability of decryption error based on independent identical Gaussian disturbances and any general independent identical disturbances. This upper bound probability could be closed to 0 if we choose applicable parameters. It means that the probability of decryption error for the cryptosystem could be sufficiently small. So we verify our core result that the LWE-based cryptosystem could have high security.
You have full access to this open access chapter, Download conference paper PDF
Similar content being viewed by others
Keywords
1 Introduction
In this section, we describe a cryptosystem based on the learning with errors problem (LWE) (Micciancio & Regev, 2009; Regev, 2005). First, we introduce the LWE problem. Let p be a prime number, m, n be positive integers and consider a list of equations with error as follows:
Here \(s\in \mathbb {Z}_{p}^{n}\), \(a_1,a_2,\dots ,a_m\) are chosen independently and uniformly from \(\mathbb {Z}_{p}^{n}\), and \(v_1,v_2,\dots ,v_m\in \mathbb {Z}_{p}\). \(<s,a_i>\) is the inner product of two vectors s and \(a_i\). The errors in these equations are generated from a probability distribution \(\chi : \mathbb {Z}_{p}\rightarrow \mathbb {R}^{+}\) on \(\mathbb {Z}_{p}\), i.e. for each equation, we have \(v_i=<s,a_i>+e_i\) and \(e_i\in \mathbb {Z}_{p}\) is chosen independently based on the probability distribution \(\chi \). The problem of finding \(s\in \mathbb {Z}_{p}^{n}\) from such equations is called \(\text {LWE}_{p,\chi }\). There is an equivalent description for the LWE problem. The input has a pair (A, v) where \(A\in \mathbb {Z}_p^{m\times n}\) is chosen uniformly, and the choices of v have two cases. One case for v is chosen uniformly from \(\mathbb {Z}_{p}^{m}\), the other case is \(As+e\) for a uniformly chosen vector \(s\in \mathbb {Z}_{p}^{n}\) and vector \(e\in \mathbb {Z}_{p}^{m}\) chosen according to \(\chi ^m\). The goal is to distinguish between these two cases with non-negligible probability. It is also equivalent with a decoding problem in q-ary lattices (Regev, 2005).
The short integer solution (SIS) problem was first introduced in the seminal work of Ajtai (1996) and has served as the foundation for one-way and collision-resistant hash functions, identification schemes, digital signatures, and other “minicrypt” primitives. A very important work of Regev from 2005 introduced the LWE problem, which is the “encryption-enabling” analogue of the SIS problem (Regev, 2009). In fact, the two problems are very similar and can meaningfully be seen as duals of each other.
The LWE problem is a very robust problem and can be viewed as an extension of a well-known problem in learning theory. It remains hard even if the attacker learns extra information about the secret and errors. Regev gave the worst-case hardness theorem for LWE (Regev, 2009). The complexity of the best-known algorithm is running in exponential time in n (Ajtai et al., 2001; Blum et al., 2003; Kumar & Sivakumar, 2001). This theorem is proved by giving a quantum polynomial-time reduction that uses an oracle for LWE to solve \(\text {GapSVP}_{\gamma }\) and \(\text {SIVP}_{\gamma }\) in the worst case, thereby transforming any algorithm that solves LWE into a quantum algorithm for lattice problems. The quantum nature of the reduction is meaningful since there are no known quantum algorithms for \(\text {GapSVP}_{\gamma }\) and \(\text {SIVP}_{\gamma }\) that significantly outperform classical ones, beyond generic quantum speedups. It would be very useful to have a completely classical reduction to give further confidence in the hardness of LWE, which was given in 2009 by Peikert (2009). Regev also gave a public-key cryptosystem whose semantic security can provably be based on the LWE problem, and hence on the conjectured quantum hardness of \(\text {GapSVP}_{\gamma }\) and \(\text {SIVP}_{\gamma }\) for \(\gamma =O(n^{3/2})\) Regev (2009). LWE problem has a close relationship with decoding problems in coding theory (Ajtai 2005; Ajtai & Dwork, 1997; Alekhnovich, 2003; Asokan et al., 2007; Ding, 2004; Kawachi et al., 2007; Peikert, 2007; Peikert et al., 2008; Regev, 2004; Signing et al., 2022). Regev’s cryptosystem is secure against passive eavesdroppers since the LWE problem is hard.
Another application of LWE is fully homomorphic encryption (FHE) (Rivest et al., 1978). The earliest FHE constructions were based on average-case assumptions about ideal lattices (Gentry, 2009; Dijk et al., 2010). Later, Brakerski and Vaikuntanathan gave the second generation of FHE constructions, which were based on the LWE problem (Brakerski & Vaikuntanathan, 2011a, 2011b). In 2013, Gentry, Sahai, and Waters proposed an LWE-based FHE scheme that has some unique and advantageous properties, such as homomorphic multiplication does not require any key-switching step, and the scheme can be made identity-based. This yields unbounded FHE based on LWE with just an inverse-polynomial \(n^{-O(1)}\) error rate (Gentry et al., 1999).
Now we introduce the efficient lattice-based cryptosystem in the following which has strong theoretical security (Micciancio & Regev, 2009).
-
Private key: \(S\in \mathbb {Z}_{q}^{n\times l}\) is uniformly chosen at random.
-
Public key: \(A\in \mathbb {Z}_{q}^{m\times n}\) is uniformly chosen at random and \(E\in \mathbb {Z}_{q}^{m\times l}\) is chosen from the distribution \(\overline{\psi }_{\alpha }\). The public key is \((A,P=AS+E)\).
-
Encryption: Given \(v\in \mathbb {Z}_{t}^{l}\) from the message space and a public key (A, P), choose a vector \(a\in \{-r,-r+1,\cdots ,r\}^m\) uniformly at random, and compute the ciphertext \((u=A^{T}a,c=P^{T}a+f(v))\).
-
Decryption: Given a ciphertext (u, c) and a private key S, output \(f^{-1}(c-S^{T}u)\).
Here m, n, l, t, q, r are positive integers and \(\alpha >0\). \(\overline{\psi }_{\alpha }\) is defined to be the distribution on \(\mathbb {Z}_{q}\) obtained by sampling a normal variable with mean 0 and standard deviation \(\alpha q/\sqrt{2\pi }\), rounding the result to the nearest integer and reduced modulo q. f is defined as the function from \(\mathbb {Z}_{t}^{l}\) to \(\mathbb {Z}_{q}^{l}\) by multiplying each coordinate by q/t and rounding to the nearest integer. \(f^{-1}\) is defined to be the “inverse” mapping of f by multiplying each coordinate by t/q and rounding to the nearest integer. The definitions of f and \(f^{-1}\) are in the next section. The probability of decryption error in one letter for this cryptosystem is approximatively estimated in (Micciancio & Regev, 2009) as
where \(\varPhi \) is the cumulative distribution function of the standard normal distribution, i.e. \(\varPhi (x)=\int _{-\infty }^{x} \frac{1}{\sqrt{2\pi }} e^{-\frac{t^2}{2}} \textrm{d}t\). We give here a more precise upper bound estimation
This upper bound probability could be closed to 0 if we choose \(\alpha \) small enough. It means that the probability of decryption error for the cryptosystem could be sufficiently small. However, the above estimation is based on Gaussian disturbance. In our work, we also give the probability of decryption error for the LWE-based cryptosystem with more general disturbance. By central limit theorem (Riauba, 1975), general disturbance could be approximated as Gaussian disturbance, then we get the following probability estimation result which is more advanced than that in (Micciancio & Regev, 2009).
Here \(\beta \) is the standard deviation of disturbance distribution, and \(\delta \) is a positive real number.
1.1 Innovation and Contribution
Our work gives estimation probability of decryption error based on Gaussian disturbances and proves that the decryption error could be sufficiently small. The most salient innovation and contribution is that for any general disturbances, the decryption error could also be small enough. This indicates high security and reliability of LWE-based cryptosystem. In other words, this cryptosystem is secure enough against passive eavesdroppers and could be applied in many kinds of encryption processes.
2 Methodology
2.1 Preliminary Property
Definition 1
\(\forall x\in \mathbb {R}\), let [x] be the closest integer to x, specially, [x] is defined to be \(x-\frac{1}{2}\) if the fractional part of x is \(\frac{1}{2}\). It is trivial that \(-\frac{1}{2}<x-[x]\leqslant \frac{1}{2}\) for all \(x\in \mathbb {R}\).
Lemma 1
t and q are positive integers, \(t\leqslant q\). \(\forall a \in \mathbb {Z}_t\), let \(f(a)=[\frac{q}{t}a]\in \mathbb {Z}_q\). \(\forall b \in \mathbb {Z}_q\), let \(f^{-1}(b)=[\frac{t}{q}b]\in \mathbb {Z}_t\). Then \(f^{-1}(f(a))=a\) for \(\forall a \in \mathbb {Z}_t\) holds.
Remark 1
If \(a_1 \equiv a_2\ (\text {mod}\ t)\), we have \(f(a_1)\equiv f(a_2)\ (\text {mod}\ q)\), so the definition of f is well defined and reasonable.
Proof of Lemma 1 (1) If \(t=q\), then we have \(f(a)=[a]=a\) and
(2) If \(t<q\), then \(\frac{q}{2t}>\frac{1}{2}\), we know
It follows that
So we can get
This is equivalent to
and
Thus,
This means that
\(\square \)
Lemma 2
t and q are positive integers, \(t>q\). If a is uniformly chosen in \(\mathbb {Z}_t\), then
Proof of Lemma 2 \(t>q\), from Lemma 1 we have
This is equivalent to
So we get
Here \(0, \left[ \frac{t}{q} \right] , \left[ \frac{2t}{q} \right] ,\dots , \left[ \frac{(q-1)t}{q} \right] \) are different from each other in \(\mathbb {Z}_t\). Next we prove that the number of a in \(\mathbb {Z}_t\) satisfying \(f^{-1}(f(a))=a\) is no more than q. Let A be the set containing all the elements satisfying \(f^{-1}(f(a))=a\) in \(\mathbb {Z}_t\). \(\forall a_1,a_2\in A\), \(a_1\ne a_2\) in \(\mathbb {Z}_t\), then we have \(f(a_1)\not \equiv f(a_2)\ (\text {mod}\ q)\), i.e. \(f(a_1)\ne f(a_2)\) in \(\mathbb {Z}_q\). This means the number of A is no more than q.
Above all, it shows that \(0, \left[ \frac{t}{q} \right] , \left[ \frac{2t}{q} \right] ,\dots , \left[ \frac{(q-1)t}{q} \right] \) are just all the numbers in \(\mathbb {Z}_t\) such that \(f^{-1}(f(a))=a\). Based on a is uniformly chosen in \(\mathbb {Z}_t\), then
\(\square \)
Corollary 1
t, q, and l are positive integers. \(\forall a=(a_1,a_2,\dots ,a_l) \in \mathbb {Z}_t^l\), let \(f(a)= \left( \left[ \frac{q}{t}a_1 \right] , \left[ \frac{q}{t}a_2 \right] ,\dots , \left[ \frac{q}{t}a_l \right] \right) \in \mathbb {Z}_q^l\). \(\forall b=(b_1,b_2,\dots ,b_l) \in \mathbb {Z}_q^l\), let \(f^{-1}(b)= \left( \left[ \frac{t}{q}b_1 \right] ,\left[ \frac{t}{q}b_2 \right] ,\dots , \left[ \frac{t}{q}b_l \right] \right) \in \mathbb {Z}_t^l\). If a is uniformly chosen in \(\mathbb {Z}_t^l\) and \(a_1,a_2,\dots ,a_l\) are independent, then
Proof of Corollary 1 If \(t\leqslant q\), from Lemma 1, we have
So
If \(t>q\), from Lemma 2, we have
Since \(a_1,a_2,\dots ,a_l\) are independent, therefore,
\(\square \)
2.2 Probability of Decryption Error Based on Gaussian Disturbance
Now we can calculate the probability of decryption error for the LWE-based cryptosystem. As described in the first section, assume S be the private key, (A, P) be the public key, and we choose \(v\in \mathbb {Z}_t^l\) from the message space, encrypt v, and then decrypt it. The ciphertext is \((u=A^{T}a,c=P^{T}a+f(v))\). The decryption result is
Here the decryption result \(f^{-1}(E^{T}a+f(v))\in \mathbb {Z}_t^l\). The decryption error occurs if \(f^{-1}(E^{T}a+f(v))\ne v\). Since all the parameters are taken to guarantee security and efficiency of the cryptosystem, here we set \(q>t\) and obtain the following theorem.
Theorem 1
t, q, l, m, r are positive integers and \(q>t\). \(v\in \mathbb {Z}_t^l\), f is defined in the previous section, \(E_{m\times l}\) is a Gaussian disturbance matrix with each element chosen independently from the Gaussian distribution with mean 0 and standard deviation \(\alpha q/\sqrt{2\pi }\), \(a\in \{-r,-r+1,\cdots ,r\}^m\) is uniformly chosen at random. Then we have the following inequality of the probability of decryption error.
Here \(\varPhi \) is the cumulative distribution function of the standard normal distribution, i.e. \(\varPhi (x)=\int _{-\infty }^{x} \frac{1}{\sqrt{2\pi }} e^{-\frac{t^2}{2}} \textrm{d}t\).
Proof of Theorem 1 In order to compute the probability of decryption error, we consider one letter first, i.e. the probability of \(f^{-1}(E_i^{T}a+f(v_i))\ne v_i\), here \(v_i\) is the ith coordinate of v, \(E_{m\times l}=(E_1,E_2,\dots ,E_l)\), and \(f^{-1}(E_i^{T}a+f(v_i))\) is the ith coordinate of \(f^{-1}(E^{T}a+f(v))\). From Lemma 1, we know that \(f^{-1}(f(v_i))=v_i\) for any \(v_i\in \mathbb {Z}_t\) under this condition. We have
So if \(|\frac{t}{q}E_i^{T}a|<\frac{1}{2}-\frac{t}{2q}\), we get
It means that if \(|\frac{t}{q}E_i^{T}a|<\frac{1}{2}-\frac{t}{2q}\), we can get \(f^{-1}(E_i^{T}a+f(v_i))=v_i\). Equivalently, if \(f^{-1}(E_i^{T}a+f(v_i))\ne v_i\), i.e. the decryption error occurs in the ith letter, then \(|\frac{t}{q}E_i^{T}a|\geqslant \frac{1}{2}-\frac{t}{2q}\). So the probability of decryption error in one letter is no more than the probability of \(|\frac{t}{q}E_i^{T}a|\geqslant \frac{1}{2}-\frac{t}{2q}\), i.e.
The next step we estimate the probability of \(|\frac{t}{q}E_i^{T}a|\geqslant \frac{1}{2}-\frac{t}{2q}\). Since each coordinate of \(E_i\) is chosen independently from the Gaussian distribution with mean 0 and standard deviation \(\alpha q/\sqrt{2\pi }\) and the sum of independent Gaussian variables is still a Gaussian variable, \(E_i^{T}a\) is also a Gaussian distribution variable. \(a=(a_1,a_2,\dots ,a_m)\) and each \(a_i\) is chosen from \(\{-r,-r+1,\cdots ,r\}\) uniformly at random, then
Therefore, \(E_i^{T}a\) is treated as a normal distribution with mean 0 and standard deviation \(\alpha q\sqrt{mr(r+1)}/\sqrt{6\pi }\). We have
So we get the following inequality for the probability of decryption error of the LWE-based cryptosystem
\(\square \)
This upper bound probability estimation is more precise than (1). The upper bound could be as closed as 0 if we choose \(\alpha \) small enough. It means that the probability of decryption error for the LWE-based cryptosystem could be made very small with an appropriate setting of parameters.
2.3 Probability of Decryption Error for General Disturbance
In this section, we estimate the probability of decryption error for the LWE-based cryptosystem when the noise matrix \(E=(E_{ij})_{m\times l}\) is chosen independently from a general common variable.
Theorem 2
t, q, l, r are positive integers and \(q>t\), m is a undetermined positive integer. \(v\in \mathbb {Z}_t^l\), f is defined in the second section, \(E_{m\times l}\) is a general disturbance matrix with each element chosen independently from a common random variable of mean 0 and standard deviation \(\beta \), \(a\in \{-r,-r+1,\cdots ,r\}^m\) is uniformly chosen at random. For any \(\delta >0\), we can find positive integer m, such that the following inequality of the probability of decryption error holds.
Here \(\varPhi \) is the cumulative distribution function of the standard normal distribution, i.e. \(\varPhi (x)=\int _{-\infty }^{x} \frac{1}{\sqrt{2\pi }} e^{-\frac{t^2}{2}} \textrm{d}t\).
Proof of Theorem 2 Similarly as the proof of Theorem 1, we need to estimate the probability of \(|\frac{t}{q}E_i^{T}a|\geqslant \frac{1}{2}-\frac{t}{2q}\). Since the coordinates of \(E_i^{T}\) are independent identically distributed, \(E_i^{T}\) and a are also independent, by central limit theorem (Riauba, 1975), \(E_i^{T}a\) is approximately normal distribution with mean 0 and standard deviation \(d=\sqrt{mVar(E_{ij}) Var(a_i)}=\beta \sqrt{\frac{mr(r+1)}{3}}\). Thus, for any sufficiently small \(\delta >0\), there is a positive integer m such that
Here \(|\varepsilon |\leqslant \delta \). Then we get the following inequality for the probability of decryption error of the LWE-based cryptosystem for general disturbance
\(\square \)
This probability could be also closed to 0 if we choose the parameter \(\beta \sqrt{m}\) and \(\delta \) small enough. Therefore, the probability of decryption error of the LWE-based cryptosystem for general disturbance could be made very small, which leads to high security.
Example 1
Let \(t=2\), \(q=5\), \(l=1\), \(m=1\), \(r=1\), \(\delta =10^{-3}\), \(v\in \mathbb {Z}_2\) is uniformly chosen at random, the disturbance E is a random variable with the distribution \(\psi _{\beta }\) such that \(P\{E=k\}=\frac{\beta ^k}{2\cdot k!} e^{-\beta }\) for integer k and \(P\{E=0\}=e^{-\beta }\) with parameter \(\beta =10^{-3}\), \(a\in \{-1,0,1\}\) is uniformly chosen at random. Then the probability of decryption error
On the other hand,
So it follows that
The inequality in Theorem 2 holds.
Example 2
Let \(t=2\), \(q=5\), \(l=1\), \(m=1\), \(r=1\), \(\delta =10^{-4}\), \(v\in \mathbb {Z}_2\) is uniformly chosen at random, the disturbance E is a Laplace distribution variable with parameter \(\lambda =0.05\) and probability density function \(f(x)=\frac{1}{2\lambda }e^{-\frac{|x|}{\lambda }}\) rounding to the nearest integer, \(a\in \{-1,0,1\}\) is uniformly chosen at random. Similarly as Example 1, the probability of decryption error
On the other hand,
It follows that
The inequality in Theorem 2 holds.
3 Results and Conclusions
In this work, we first introduce the LWE problem and LWE-based cryptosystem. We give a more precise estimation probability of decryption error based on independent identical Gaussian disturbances. The salient significance of our work is that for any general independent identical disturbances, we also give the estimation probability of decryption error using central limit theorem. The upper bound probability could be closed to 0 if we choose applicable parameters. It means that the probability of decryption error for the cryptosystem could be sufficiently small. Then we confirm that the LWE-based cryptosystem could have high security.
4 Discussions
4.1 Future Work
Although we have reached our objective in this work, there are still many interesting works to study in this research area in the future. We will focus on the fully homomorphic encryption (FHE)-based cryptosystem later, which is an application of LWE (Brakerski & Vaikuntanathan, 2011a, 2011b; Dijk et al. 2010; Gentry, 2009; Gentry et al., 1999). Fully homomorphic encryption was known to have abundant applications in cryptography, but for three decades no plausibly secure scheme was known until 2009. To date, the FHE-based cryptography has more than three generations. The third generation FHE scheme based on LWE problem is proved that has some unique and advantageous properties (Gentry et al., 1999). It also remains some improvable technique which needs to be studied in depth.
References
Ajtai, M. (1996). Generating hard instances of lattice problems. Quaderni di Matematica, 1–32.
Ajtai, M. (2005). Representing hard lattices with O(NLOGN) bits. In Proceedings of the 37th ACM Symposium (pp. 94–103).
Ajtai, M., & Dwork, C. (1997). A public-key cryptosystem with worst-case/average-case equivalence. In Proceedings of the 29th ACM Symposium (pp. 284–293).
Ajtai, M., Kumar, R., & Sivakumar, D. (2001). A sieve algorithm for the shortest lattice vector problem. In Proceedings of the 33rd ACM Symposium (pp. 601–610).
Alekhnovich, M. (2003). More on average case versus approximation complexity. In Proceedings of the 44th Annual IEEE Symposium (pp. 298–307).
Asokan, N., Kostiainen, K., Ginzboorg, P., Ott, J., Luo, C., Asokan, P., Ginzboorg, P., & Ott, P. (2007). Applicability of identity-based cryptography for disruption-tolerant networking. In International MobiSys Workshop on Mobile Opportunistic Networking (pp. 52–56).
Blum, A., Kalai, A., & Wasserman, H. (2003). Noise-tolerant learning, the parity problem, and the statistical query model. Journal of the ACM, 506–519.
Brakerski, Z., & Vaikuntanathan, V. (2011a). Fully homomorphic encryption from ring-LWE and security for key dependent messages. Annual Cryptology Conference (pp. 505–524).
Brakerski, Z., & Vaikuntanathan, V. (2011b). Efficient fully homomorphic encryption from (standard) LWE. In Proceedings of 52nd IEEE Foundations of Computer Science (pp. 831–871).
Dijk, M., Gentry, C., Halevi, S., & Vaikuntanathan, V. (2010). Fully homomorphic encryption over the integers. In International Conference on Theory and Applications of Cryptographic Techniques (pp. 24–43).
Ding, J. (2004). A new variant of the Matsumoto-Imai cryptosystem through perturbation. In Public Key Cryptography PKC, 2004, 305–318.
Gentry, C. (2009). Fully homomorphic encryption using ideal lattices. In STOC (pp. 169–178).
Gentry, C., Sahai, A., & Waters, B. (2013). Homomorphic encryption from learning with errors: Conceptually-simpler, asymptotically-faster, attribute-based. Annual Cryptology Conference (pp. 75–92).
Kawachi, A., Tanaka, K., & Xagawa, K. (2007). Multi-bit cryptosystems based on lattice problems. In Public Key Cryptography PKC 2007 (pp. 315–329).
Kumar, R., & Sivakumar, D. (2001). On polynomial approximation to the shortest lattice vector length. In Proceedings of the 12th ACM Symposium (pp. 126–127).
Micciancio, D., & Regev, O. (2009). Lattice-based cryptography. In D. J. Bernstein, J. Buchmann, & E. Dahmen (Eds.), Post-quantum cryptography (pp. 147–191). Springer.
Peikert, C. (2007). Limits on the hardness of lattice problems in \(l_p\) norms. In Proceedings of the 22nd IEEE Annual CCC (pp. 333–346).
Peikert, C. (2009). Public-key cryptosystems from the worst-case shortest vector problem. In Proceedings of the 41st ACM Symposium (pp. 333–342).
Peikert, C., Vaikuntanathan, V., & Waters, B. (2008). A framework for efficient and composable oblivious transfer. In Annual Cryptology Conference (pp. 1–28).
Regev O. (2004). New lattice based cryptographic constructions. Journal of the ACM, 899–942.
Regev, O. (2005). On lattices, learning with errors, random linear codes, and cryptography. In Proceedings of the 37th ACM Symposium (pp. 84–93).
Regev, O. (2009). On lattices, learning with errors, random linear codes, and cryptography. Journal of the ACM, 1–40.
Riauba, B. (1975). A central limit theorem for dependent random variables. Lithuanian Mathematical Journal, 185–200.
Rivest, R., Adleman, L., & Dertouzos, M. (1978). On data banks and privacy homomorphisms. In Foundations of secure computation (pp. 169–180).
Signing, V., Tegue, G., Kountchou, M., Njitacke, Z., Tsafack, N., Nkapkop, J., Etoundi, C., & Kengne, J. (2022). A cryptosystem based on a chameleon chaotic system and dynamic DNA coding. Chaos, Solitons and Fractals,111777.
Author information
Authors and Affiliations
Corresponding author
Editor information
Editors and Affiliations
Rights and permissions
Open Access This chapter is licensed under the terms of the Creative Commons Attribution 4.0 International License (http://creativecommons.org/licenses/by/4.0/), which permits use, sharing, adaptation, distribution and reproduction in any medium or format, as long as you give appropriate credit to the original author(s) and the source, provide a link to the Creative Commons license and indicate if changes were made.
The images or other third party material in this chapter are included in the chapter's Creative Commons license, unless indicated otherwise in a credit line to the material. If material is not included in the chapter's Creative Commons license and your intended use is not permitted by statutory regulation or exceeds the permitted use, you will need to obtain permission directly from the copyright holder.
Copyright information
© 2023 The Author(s)
About this paper
Cite this paper
Zhiyong, Z., Kun, T. (2023). On the LWE Cryptosystem with More General Disturbance. In: Zheng, Z. (eds) Proceedings of the Second International Forum on Financial Mathematics and Financial Technology. IFFMFT 2021. Financial Mathematics and Fintech. Springer, Singapore. https://doi.org/10.1007/978-981-99-2366-3_8
Download citation
DOI: https://doi.org/10.1007/978-981-99-2366-3_8
Published:
Publisher Name: Springer, Singapore
Print ISBN: 978-981-99-2365-6
Online ISBN: 978-981-99-2366-3
eBook Packages: Economics and FinanceEconomics and Finance (R0)