Fractional LWE: a nonlinear variant of LWE [article]

Gérald Gavin, Stéphane Bonnevay
2019 IACR Cryptology ePrint Archive  
Many cryptographic constructions are based on the famous problem LWE [Reg05]. In particular, this cryptographic problem is currently the most relevant to build FHE [GSW13], [BV11]. In [BV11], encrypting x consists of randomly choosing a vector c satisfying ⟨s, c⟩ = x + noise (mod q), where s is a secret size-n vector. While the vector sum is a homomorphic operator, such a scheme is intrinsically vulnerable to lattice-based attacks. To overcome this, we propose to define c as a pair of vectors (u, v) satisfying ⟨s, u⟩/⟨s, v⟩ = x + noise (mod q). This simple scheme is based on a new cryptographic problem intuitively not easier than LWE, called Fractional LWE (FLWE). While some homomorphic properties are lost, the secret vector s could hopefully be chosen shorter, leading to more efficient constructions. We extensively study the hardness of FLWE. We first prove that the decision and search versions are equivalent provided q is a small prime. We then propose a lattice-based cryptanalysis showing that n could be chosen logarithmic in log q instead of polynomial for LWE.
dblp:journals/iacr/GavinB19 fatcat:l5al3anaive6vc62ri22dgoxwq