STP-LWE : A Variant of Learning with Error for a Flexible Encryption

We construct a flexible lattice-based scheme based on semitensor product learning with errors (STP-LWE), which is a variant of the learning with errors problem. We have proved that STP-LWE is hard when LWE is hard. Our scheme is proved to be secure against indistinguishable chosen-message attacks, and it can achieve a balance between security and efficiency in hierarchical encryption systems. In addition, our scheme is almost as efficient as the dual encryption in GPV08.


Introduction
Lattices and lattice-based cryptography have become a hot research topic in public key cryptography in recent years. Lattice-based cryptography is attractive because of its provable worst-case hardness guarantees, good asymptotic efficiency and parallelism, and resistance to quantum attacks [1]. The first provably secure lattice-based encryption scheme, AD, was presented by Ajtai and Dwork based on the worst-case hardness of lattice problems [2]. After that, several constructions were proposed [3,4]. In 2004, Regev improved AD GGH to R04 based on a harder lattice problem. But its huge key size is unacceptable [5]. To overcome this disadvantage, Regev subsequently constructed Regev05 based on the learning with errors (LWE) problem, which can be quantum reduced from the traditional SIVP problem [6]. Since the LWE problem has proved to be amazingly versatile, a multitude of cryptographic schemes have been built on it, including secure public-key encryption under both chosen-plaintext [6] and chosen-ciphertext attacks [7,8], oblivious transfer [9], identity-based encryption [10], various forms of leakage-resilient cryptography [11], and fully homomorphic encryption [12].
In some applications, such as hierarchical encryption systems, the users in different levels will use private keys with different lengths [13]. They will retrieve their private key from their domain PKG, which has previously requested its domain secret key from the root PKG. In traditional encryption schemes, the PKG must save all security parameters and public parameters related to the different key lengths for the users in different domains [14]. So how to construct a flexible encryption scheme that balances the security and efficiency requirements is an open problem.
Semitensor product (STP), as a new algebraic approach, is a generalization of the matrix product from the equal dimension case to the multiple dimension case, and it is designed to deal with higher-dimensional data as well as multilinear mappings [15]. Recently, STP has been applied widely in control theory [16] and physics [17][18][19]. However, to the best of our knowledge, all the works in the cryptography field based on STP are related to Boolean functions. A method for the conversion between the truth table and the polynomial expression of Boolean functions was proposed [20]. In [21], the authors studied the nonlinear feedback shift register (NLFSR), including the calculation of the numbers of fixed points and cycles with different lengths of the generated state sequences.

Mathematical Problems in Engineering
In this paper, we propose a variant of the LWE problem called the STP-LWE problem, which essentially extends the standard LWE problem by using STP. In the STP-LWE problem, the dimension of public matrix  may not be equal to the secret . The hardness of STP-LWE can be reduced to the standard LWE problem. In this paper, we will take advantage of the properties of STP-LWE to construct the STP-GPV dual cryptosystem based on the dual encryption in GPV08 [22]. The new scheme is more flexible in hierarchical encryption systems since we can flexibly balance security and efficiency by adjusting the length of messages with the static security parameter.
The rest of this paper is organized as follows. We first introduce some basic concepts of lattices in Section 2. In Section 3, we detail the STP product and the STP-LWE problem. In Section 4, we propose the STP-GPV dual cryptosystem and analyze its correctness and security. In Section 5, we discuss the efficiency of the STP-GPV dual cryptosystem. Finally, discussions and conclusions are presented in Section 6.

Preliminaries
In this section, we briefly describe the basic concepts about lattices and the learning with errors (LWE) problem.

Notation.
We denote the set of real numbers by R and the set of integers by Z. For a positive integer , [n] denotes {1, . . ., }. By convention, vectors are assumed to be in column form and written using bold lowercase letters, for example, x. The th component of x will be denoted by   . Matrices are written as bold capital letters, for example, X, and the th column vector of a matrix X is denoted by x  . The length of a matrix is the norm of its longest column ‖X‖ = max  ‖x  ‖. We use standard big- notation to classify the growth of functions and say that () = Õ(()) if () = (() ⋅ log  ) for some fixed constant . We let poly() be an unspecified function () = (  ) for some constants . A negligible function, denoted generically by negl(), is a function () such that () = ( − ) for some fixed constant . We say that a probability (or fraction) is overwhelming if it is 1 − negl(). The statistical distance between two distributions  and  over a countable domain  is defined to be (1/2) ∑ ∈ |() − ()|.
The following useful lemma says that any full-rank set of vectors in a lattice can be efficiently converted to a basis of the lattice, without increasing the lengths of the Gram-Schmidt vectors.
Lemma 1 (see [23]). There is a deterministic polynomial-time algorithm that, given an arbitrary basis B of an n-dimensional lattice Λ = L(B) and a full-rank set of lattice vectors S ⊂ Λ, outputs a basis T of Λ such that ‖ t ‖ ≤ ‖s  ‖ for all  ∈ [].
The dual lattice of Λ, denoted Λ * , is defined as Λ * = {x ∈ R  : ∀k ∈ Λ, ⟨x, k⟩ ∈ Z}. By symmetry, it can be seen that is in fact a basis of Λ * .
The following standard fact relates to the Gram-Schmidt orthogonalizations of a basis and its dual (the proof can be found in [5]). We now review the Gaussian measures over lattices. For any  > 0, the Gaussian function on R  centered at c with parameter  is defined as The subscripts  and c are taken to be 1 and 0 (respectively) when omitted.
For any c ∈ R  , real  > 0, and n-dimensional lattice Λ, the discrete Gaussian distribution over Λ is defined as where Micciancio and Regev [24] proposed a lattice quantity called the smoothing parameter.
Definition 3 (see [24]). For any n-dimensional lattice Λ and a positive real  > 0, the smoothing parameter A bound on the smoothing parameter is also given in [24].
Lemma 4 (see [25]). For any n-dimensional lattice Λ and real  > 0, one has Then for any (√log ) function, there is a negligible () We notice that a sample from a discrete Gaussian with parameter  is at most √ away from its center (in the ℓ 2 norm), with overwhelming probability.
For an integer  ≥ 2, some probability distribution  over Z  , an integer dimension  ∈ Z + , and a vector s ∈ Z   , define A s, as the distribution on Z   × Z  of the variable (a, a  s +), where a ← Z   and  ←  are uniform and independent, and all operations are performed in Z  .
Definition 6 (LWE). For an integer  = () and a distribution  on Z  , the goal of the (average-case)  ℎ  problem LWE , is to distinguish (with nonnegligible probability) between the distribution A s, for some uniform (secret) s ← Z   and the uniform distribution on Z   × Z  (via oracle access to the given distribution). In other words, if LWE is hard, then the collection of distributions A s, is pseudorandom.
T = R/Z as the group of reals [0, 1) with mod 1 addition. For  ∈ R + , Ψ  is the distribution on T of a normal variable with mean 0 and standard deviation / √ 2, reduced modulo 1. For any probability distribution  over T and an integer  ∈ Z + its discretization  is the discrete distribution over Z  of the random variable ⌊ ⋅   ⌉ mod , where   has distribution .
Then, we recall two standard worst-case approximation problems on lattices. In both problems,  = () is the approximation factor as a function of the dimension.
Definition 7 (see [24] shortest vector problem (decision version)). An input to GapSVP  is a basis B of a full-rank
Definition 8 (see [24] shortest independent vectors problem). An input to SIVP  is a full-rank basis B of an -dimensional lattice. The goal is to output a set of  linearly independent lattice vectors S ⊂ L(B) such that ‖ S ‖≤ () ⋅   (L(B)).
Regev demonstrated that for certain moduli  and Gaussian error distributions , LWE , is as hard as several standard worst-case lattice problems using a quantum algorithm.
The result can be subsequently extended to SIVP and GapSVP in any   norm, 2 ≤  ≤ ∞, for essentially the same Õ(/) approximation factors [25].

STP-LWE
3.1. Semitensor Product. In this section, we introduce the semitensor product (STP) of matrices. The STP-formalism of matrices is not only a generalization of the conventional matrix product, but also preserves all the fundamental properties of the conventional matrix product.
Definition 10 (see [15]). (1) Let a be a row vector of dimension , and let b be a column vector of dimension . Then we split a into  equal-size blocks named a 1 , . . ., a  , which are row vectors of dimension . Define a semitensor product, denoted by ⋉, as (2) Let P ∈  × and Q ∈  × . If either  is a factor of , say  =  and denote it by P≺  Q, or  is a factor of , say  =  and denote it by P≻  Q, then define the STP of P and Q, denoted by W = P ⋉ Q, as the following: W consists of  ×  blocks as W = (W  ) and each block is where P  is the th row of P and Q  is the th column of Q.
The dimension of the STP of two matrices can be described by deleting the largest common factor of the dimensions of the two factor matrices; for example, where ⊗ is the Kronecker product and I  is the identity matrix.
If the related products are well defined, the STP satisfies the following laws.
(2) Associative rule is as follows: x 1 , x 2 ←   . Suppose finding the vector s ∈ Z /2  is easy.
Based on the property of STP, we have where , It is equivalent to It is easy to see that this equation contains two LWE , instances. From the assumption that it is a simple question to find the vector s 13) is also easily solved. That is, the LWE , instance can be solved. This contradicts the hardness assumption of the LWE , problem.
Case 2. It is clear that when  > 2, the /-dimensional STP-LWE problem still holds. The proof of this case is similar to Case 1. This completes the proof.
With the increase of  value, the security of the /-dimensional STP-LWE problem will be reduced. To prevent this, / in the STP-LWE problem must match the security requirements under which the scheme can be reduced to lattice problems resistant to quantum computing. In GPV08 [22], / should be larger than 2 log .
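The decomposition behind this argument, as an added example (not code from the paper): it computes A^T ⋉ s as A^T (s ⊗ I_t) and checks that each of the t output columns is an ordinary LWE sample set of dimension n/t under the same secret s. The parameter names n, m, t, q, the toy sizes, the uniform small error standing in for the Gaussian, and all function names are assumptions.

```python
import random

def kron_identity(v, t):
    """v ⊗ I_t for a column vector v: a (len(v)*t) x t matrix as a list of rows."""
    return [[v[i] if r == c else 0 for c in range(t)]
            for i in range(len(v)) for r in range(t)]

def stp_matvec(P, v, q):
    """P ⋉ v = P (v ⊗ I_t) mod q, where the column count of P is t * len(v)."""
    cols = len(P[0])
    if cols % len(v):
        raise ValueError("columns of P must be a multiple of len(v)")
    t = cols // len(v)
    K = kron_identity(v, t)
    return [[sum(row[k] * K[k][j] for k in range(cols)) % q for j in range(t)]
            for row in P]

def stp_lwe_instance(n, m, t, q, rng, bound=1):
    """Constructed toy sample (A, B = A^T ⋉ s + X) with s of length n/t.
    Assumption: errors are uniform in [-bound, bound], standing in for the Gaussian."""
    A = [[rng.randrange(q) for _ in range(m)] for _ in range(n)]
    s = [rng.randrange(q) for _ in range(n // t)]
    X = [[rng.randint(-bound, bound) for _ in range(t)] for _ in range(m)]
    At = [list(col) for col in zip(*A)]          # A^T, an m x n matrix
    B = [[(b + x) % q for b, x in zip(br, xr)]
         for br, xr in zip(stp_matvec(At, s, q), X)]
    return A, s, X, B

def split_into_lwe(A, B, t):
    """Column j of B only involves rows j, j+t, j+2t, ... of A."""
    return [([A[i] for i in range(j, len(A), t)], [row[j] for row in B])
            for j in range(t)]

def lwe_rhs(A_sub, s, x, q):
    """Ordinary LWE right-hand side A_sub^T s + x mod q."""
    return [(sum(A_sub[i][c] * s[i] for i in range(len(s))) + x[c]) % q
            for c in range(len(A_sub[0]))]

def check(n=8, m=12, t=2, q=127, seed=1):
    """Return (all columns match plain LWE, secret length n/t, number of LWE parts)."""
    rng = random.Random(seed)
    A, s, X, B = stp_lwe_instance(n, m, t, q, rng)
    parts = split_into_lwe(A, B, t)
    ok = all(lwe_rhs(A_sub, s, [row[j] for row in X], q) == b
             for j, (A_sub, b) in enumerate(parts))
    return ok, len(s), len(parts)
```

Each part has dimension n/t rather than n, which is the loss of security for larger t that the paragraph above describes.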

Our Scheme
In this section, we give a variant of the GPV dual cryptosystem. First, we recall the dual cryptosystem in GPV08 [22]. Then, we give our construction based on the /-dimensional STP-LWE problem. Meanwhile, the correctness and security are also shown.

GPV Dual Cryptosystem.
It is parameterized by some  ≥ (√log ), which specifies the discrete Gaussian distribution D Z  , from which secret keys are chosen. All the users share a common matrix A ∈ Z ×m  (an implicit input to all algorithms) chosen uniformly at random, which is the index of the function  A (e) = Ae mod . All the operations are performed over Z  .
(i) : choose an error vector e ←  Z  , (i.e., the input distribution to  A ), as the secret key.The public key is the syndrome u =  A (e).
The correctness and security are given in GPV08 [22], and readers can refer to it for more details.(ii) (u 1 , u 2 ,

Correctness and Security.
The correctness of our scheme is mainly inherited from the GPV dual cryptosystem. We can show the correctness as follows: Since The security of this scheme is similar to that of the GPV dual cryptosystem; that is, our scheme is CPA-secure and anonymous under the /-dimensional LWE , assumption.

Performance
The GPV dual cryptosystem and our scheme are implemented in Matlab 2010 on a Windows 7 Service Pack 1 64-bit operating system. We use a desktop which has a 4-core Intel(R) Core(TM) i3-2120 processor running at 3.30 GHz and 2 GB of RAM.
In this section, we analyze the efficiency of the above schemes from the following two aspects. On one hand, we compare the size of public keys, private keys, and ciphertext expansion of the GPV dual cryptosystem with our scheme. From Table 1, our algorithm has a significant advantage in efficiency and ciphertext expansion rate compared with the GPV dual cryptosystem. On the other hand, we compare the time cost of VarKeyGen, VarEnc, and VarDec with the GPV dual cryptosystem and the STP-GPV dual cryptosystem. Table 2 has demonstrated the time of key generation, encryption, and decryption for 1 bit in the GPV dual cryptosystem, and the By experiments, it is proved that the key generation time and encryption time of our scheme are only half of those of the GPV dual cryptosystem, while the decryption time is roughly equal to that of the GPV dual cryptosystem.

Discussion and Conclusions
In this section, we apply the /-dimensional STP-LWE in the GPV dual cryptosystem problem and build an extended GPV dual cryptosystem. We know that the size of the secret key space varies inversely with the value of  in this proposed extended cryptosystem. For different  ∈ Z, secret keys of length / should satisfy the following security requirements. The first restriction is that the value of / should be greater than 2 log  in order to resist the lattice-based reduction algorithm. In this paper, since we pick  = 250,  = 8000, and  = 127, we should choose  < 3.
The second condition is that the private key should satisfy the inequality  / > 2 80 in order to resist brute-force attacks. Considering the value , , and , we require  < 700. The following table lists the time of key generation, encryption, and decryption for one time in 5 different security levels.
Table 3 shows that the time of key generation and the time required for encrypting one bit of plaintext are reduced gradually with the increasing value of . At the same time, the time for decrypting one bit of ciphertext in different security levels changes only a little.
In this paper, we construct a flexible lattice-based scheme based on STP-LWE, which is a variant of the learning with errors problem. Our scheme can achieve a balance between security and efficiency in hierarchical encryption systems. By using the STP-GPV dual cryptosystem, the whole system can reset the security level for messages with the same security parameter.
Cryptosystem. Our public-key dual cryptosystem is based on the /-dimensional STP-LWE problem, and we let  = 2. It is parameterized by some  ≥ (√log ), which specifies the discrete Gaussian distribution D Z /2 , from which secret keys are chosen. All the users share a common matrix A ∈ Z ×  (an implicit input to all algorithms) chosen uniformly at random, which is the index of the function  A (e) = A ⋉ e mod . All the operations are performed over Z  . (i) : choose error vector e ←  Z /2 , (i.e., the input distribution to   ), which is the secret key. The public key is the syndrome u =  A (e) = A ⋉ e, and let u = [u 1 , u 2 ], where u 1 , u 2 ← Z   .
3.2. STP-LWE. In this section, we propose a new hardness problem called the STP-LWE problem, which is based on the STP product. The main idea is that we replace the ordinary multiplication of the LWE problem with STP. A distribution A s, , , . . .,    ⋉ s +( 1 ,  2 , . . .,   )), where a ← Z   is uniform and  1 ,  2 , . . .,   ←  are independent, and all operations are performed in Z  .
Definition 11 (decision /-dimensional STP-LWE problem). For an integer  = () and a distribution  on Z  , the goal of the decision version (average case) STP-LWE , , , . . .,   LWE problem is a generalization of the primal LWE problem. It is obvious that the decision /-dimensional STP-LWE problem and the search /-dimensional STP-LWE problem are equal to the primal LWE problem when  = 1. The STP-LWE problem could be shown in the form of matrices, consisting of  vectors, and each vector is an instance of the LWE problem. Then an instance of the STP-LWE problem can be expressed as (A, A  ⋉ s + (x 1 , x 2 , . . ., x  )), where A ∈ Z ×  , s ∈ Z /  is a secret vector, and (x 1 , x 2 , . . ., x  ) are from the distribution   . The following theorem shows the hardness of the search version of the /-dimensional STP-LWE problem.

Table 3 (column header 𝑘): Time of key generation, encryption, and decryption for 1 time (which encrypts and decrypts 2 bits) in the STP-GPV dual cryptosystem. The experimental parameters are as follows:  = 250,  = 8000, and  = 127. We obtain these results by running VarKeyGen, VarEnc, and VarDec 100 times and taking the averages.