#### Abstract

We construct a flexible lattice based scheme based on semitensor product learning with errors (STP-LWE), which is a variant of learning with errors problem. We have proved that STP-LWE is hard when LWE is hard. Our scheme is proved to be secure against indistinguishable chosen message attacks, and it can achieve a balance between the security and efficiency in the hierarchical encryption systems. In addition, our scheme is almost as efficient as the dual encryption in GPV08.

#### 1. Introduction

Lattices and lattice-based cryptography have become a hot research topic in public key cryptography in recent years. Lattice-based cryptography is attracted from provable worst-case hardness guarantees, good asymptotic efficiency and parallelism, and resistance to quantum attacks [1]. The first provably secure lattice based encryption is present by Ajtai and Dwork based on the worst-case hardness of lattice problems [2]. After that, several constructions have been proposed [3, 4]. In 2004, Regev improved to R04 based on a harder lattice problem. But its huge key size is unacceptable [5]. To overcome its disadvantage, Regev successively constructed Regev05 based on learning with errors (LWE) problem, which can be quantum reduced from traditional problem [6]. Since LWE problem has been proved to be amazingly versatile, a multitude of cryptographic schemes have been proposed, such as the basis for secure public-key encryption under both chosen-plaintext [6] and chosen-ciphertext attacks [7, 8], oblivious transfer [9], identity-based encryption [10], various forms of leakage-resilient cryptography [11], and fully homomorphic encryption [12].

In some applications, such as hierarchical encryption systems, the users in different levels will use private keys with different lengths [13]. They will retrieve their private key from their domain PKG, who has previously requested their domain secret key from the root PKG. In traditional encryptions, the PKG must save all security parameters and public parameters related to the different lengths of keys for the users in different domains [14]. So how to construct a flexible encryption scheme to bring a balance between the security and efficiency requirements is an open problem.

Semitensor product (STP), as a new algebraic approach, is a generalization of the matrix product from the equal dimension case to the multiple dimension case, and it is designed to deal with higher-dimensional data as well as multilinear mappings [15]. Recently, STP is applied widely in control theory [16] and physics [17–19]. However, to the best of our knowledge, all the works in cryptography field based on STP are related to Boolean functions. A method for the conversion between the truth table and the polynomial expression of Boolean functions was proposed [20]. In [21], the authors did research on nonlinear feedback shift register (NLFSR), including the calculation of numbers of fixed points and cycles with different lengths of state sequences generated.

In this paper, we propose a variant of LWE problem called STP-LWE problem, which is essential to extend the standard LWE problem by using STP. In STP-LWE problem, the dimension of public matrix may not be equal to the secret . The hardness of STP-LWE can be reduced to the standard LWE problem. In this paper, we will take advantage of the properties of STP-LWE to construct the STP-GPV dual cryptosystem based on the dual encryption in GPV08 [22]. The new scheme is more flexible in hierarchical encryption systems since we can flexibly balance the security and efficiency by adjusting the length of messages with the static security parameter.

The rest of this paper is organized as follows. We first introduce some basic concepts of lattices in Section 2. In Section 3, we detail STP product and STP-LWE problem. In Section 4, we propose the STP-GPV dual cryptosystem and analyze the correctness and security. In Section 5, we discuss the efficiency of the STP-GPV dual cryptosystem. Finally, discussions and conclusions are presented in Section 6.

#### 2. Preliminaries

In this section, we briefly describe the basic concepts about lattices and the learning with errors (LWE) problem.

##### 2.1. Notation

We denote the set of real numbers by and the set of integers by . For a positive integer , [*n*] denotes . By convention, vectors are assumed to be in column form and written using bold lowercase letters, for example, . The th component of will be denoted by . Matrices are written as bold capital letters, for example, , and the th column vector of a matrix is denoted by . The length of a matrix is the norm of its longest column . We use standard big- notation to classify the growth of functions and say that if for some fixed constant . We let be an unspecified function for some constants . A function, denoted generically by , is a function such that for some fixed constant We say that a probability (or fraction) is if it is The between two distributions and over a countable domain is defined to be .

##### 2.2. Lattices and Gaussian Measures

A lattice is a discrete additive subgroup of . Let consist of linearly independent vectors. The -dimensional generated by the basis is

For any (ordered) set of linearly independent vectors, let be its Gram-Schmidt orthogonalization, defined iteratively in the following way: , and for each , is the component of orthogonal to span. Clearly, .

The following useful lemma says that any full-rank set of vectors in a lattice can be efficiently converted to a basis of the lattice, without increasing the lengths of the Gram-Schmidt vectors.

Lemma 1 (see [23]). *There is a deterministic polynomial-time algorithm that, given an arbitrary basis of a n-dimensional lattice and a full-rank set of lattice vectors , the output is a basis of such that for all .**The dual lattice of , denoted , is defined as . By symmetry, it can be seen that . If is a basis of , the dual basis is in fact a basis of .*

The following standard fact relates to the Gram-Schmidt orthogonalizations of a basis and its dual (the proof can be found in [5]).

Lemma 2. *Let be an ordered basis, and let be its dual basis in reversed order (i.e., ). Then for all . In particular, .*

We now review the Gaussian measures over lattices. For any , the Gaussian function on centered at with parameter is defined as

The subscripts and are taken to be 1 and 0 (resp.,) when omitted.

For any , real , and* n*-dimensional lattice , the discrete Gaussian distribution over is defined as
where .

Micciancio and Regev [24] proposed a lattice quantity called the smoothing parameter.

*Definition 3 (see [24]). *For any* n*-dimensional lattice and a positive real , the smoothing parameter is the smallest real such that , where .

A bound on the smoothing parameter is also given in [24].

Lemma 4 (see [25]). *For any n-dimensional lattice and real , one has
**Then for any function, there is a negligible for which .*

We notice that a sample from a discrete Gaussian with parameter is at most away from its center (in the norm), with overwhelming probability.

Lemma 5 (see [24]). *For any n-dimensional lattice , , real , and ,
*

##### 2.3. Some Lattice Problems

We now redescribe the learning with errors (LWE) problem [6].

For an integer , some probability distribution over , an integer dimension , and a vector , define as the distribution on of the variable , where and are uniform and independent, and all operations are performed in .

*Definition 6 (LWE). *For an integer and a distribution on , the goal of the (average-case) problem is to distinguish (with nonnegligible probability) between the distribution for some uniform (secret) and the uniform distribution on (via oracle access to the given distribution). In other words, if LWE is hard, then the collection of distributions is pseudorandom.

as the group of reals with mod 1 addition. For , is the distribution on of a normal variable with mean 0 and standard deviation , reduced modulo 1. For any probability distribution over and an integer its discretization is the discrete distribution over of the random variable , where has distribution .

Then, we recall two standard worst-case approximation problems on lattices. In both problems, is the approximation factor as a function of the dimension.

*Definition 7 (see [24] shortest vector problem (decision version)). *An input to is a basis of a full-rank -dimensional lattice. It is a YES instance if and is a NO instance if , where .

*Definition 8 (see [24] shortest independent vectors problem). *An input to is a full-rank basis of an -dimensional lattice. The goal is to output a set of linearly independent lattice vectors such that .

Regev demonstrated that for certain modulo and Gaussian error distributions , is as hard as several standard worst-case lattice problems using a quantum algorithm.

Proposition 9 (see [6]). *Let and let be a prime such that . If there exists an efficient (possibly quantum) algorithm that solves , then there exists an efficient quantum algorithm for approximating SIVP and GapSVP in the norm, in the worst case, within factors.**The result can be subsequently extended to SIVP and GapSVP in any norm, , for essentially the same approximation factors [25].*

#### 3. STP-LWE

##### 3.1. Semitensor Product

In this section, we introduce the semitensor product (STP) of matrices. The STP-formalism of matrices not only is a generalization of a conventional matrix product, but also makes all the fundamental properties of the conventional matrix product remain true.

*Definition 10 (see [15]). * Let be a row vector of dimension , and let be a column vector of dimension . Then we split into equal-size blocks named , which are row vectors of dimension . Define a semitensor product, denoted by , as

Let and . If either is a factor of , say and denote it by , or is a factor of , say and denote it by , then define the STP of and , denoted by , as the following: consists of blocks as and each block is
where is the th row of and is the th column of .

The dimension of the STP of two matrices can be described by deleting the largest common factor of the dimensions of the two factor matrices; for example, where is the Kronecker product and is the identity matrix.

If the related products are well defined, the STP satisfies the following laws.(1)Distributive rule is as follows: where .(2)Associative rule is as follows:

##### 3.2. STP-LWE

In this section, we propose a new hardness problem that is called STP-LWE problem which is based on the STP product. The main idea is that we replace the ordinary multiplication of LWE problem with STP. A distribution should be introduced before giving the definition of STP-LWE problem.

For an integer and some probability distribution over , an integer dimension , and a vector , define as the distribution on of the variable , where is uniform and are independent, and all operations are performed in .

*Definition 11 (decision -dimensional STP-LWE problem). *For an integer and a distribution on , the goal of the decision version (average case) STP- is to distinguish (with nonnegligible probability) between the distribution for some uniform (secret) and the uniform distribution on (via oracle access to the given distribution).

*Definition 12 (search -dimensional STP-LWE problem). *For an integer and a distribution on , the goal of the search version (average case) STP- is to find the vector giving a sample from the distribution .

The STP-LWE problem is a generalization of the primal LWE problem. It is obvious that the decision -dimensional STP-LWE problem and the search -dimensional STP-LWE problem are equal to the primal LWE problem when . The STP-LWE problem could be shown in the form of matrices, consisting of vectors, and each vector is an instance of LWE problem. Then an instance of STP-LWE problem can be express as , where , is a secret vector, and are from the distribution The following theorem shows the hardness of search version -dimensional STP-LWE problem.

Theorem 13. *The search version -dimensional STP- problem is hard under the assumption that is hard.*

*Proof. *We use proof by contradiction to prove this theorem.*Case *. Let ; then given a search version STP- instance , where and . Suppose we find the vector is an easy thing.

Based on the property of STP, we have , where
Therefore, can be written as
It is equivalent to
It is easy to see that this equation contains two instances. From the assumption that it is a simple question to find the vector in the search version STP- instance , then (13) is also easily solved. That is, the instance can be solved. This apparently contradicts with the hardness assumption of problem.*Case *2*.* It is clear that when , -dimensional the STP-LWE problem still holds. The proof of this case is similar to Case 1. This completes the proof.

With the increase of value, the security of the -dimensional STP-LWE problem will be reduced. In order to prevent this from happening, in the STP-LWE problem must match the security requirements when the scheme can be reduced to lattice problems resisted to the quantum computing. In GPV08 [22], should be larger than

#### 4. Our Scheme

In this section, we give a variant of GPV dual cryptosystem. First, we recall the dual cryptosystem in GPV08 [22]. Then, we give our construction based on -dimensional STP-LWE problem. Meanwhile, the correctness and security are also shown.

##### 4.1. GPV Dual Cryptosystem

It is parameterized by some , which specifies the discrete Gaussian distribution from which secret keys are chosen. All the users share a common matrix (an implicit input to all algorithms) chosen uniformly at random, which is the index of the function . All the operations are performed over .(i): choose an error vector (i.e., the input distribution to ), as the secret key. The public key is the syndrome .(ii): to encrypt a bit , choose uniformly and , where . Output the ciphertext , where .(iii): compute . Output 0 if is closer to 0 than to modulo ; otherwise output 1.

The correctness and security are given in GPV08 [22], and readers can refer to it for more details.

##### 4.2. STP-GPV Dual Cryptosystem

Our public-key dual cryptosystem is based on -dimensional STP-LWE problem, and we let . It is parameterized by some , which specifies the discrete Gaussian distribution from which secret keys are chosen. All the users share a common matrix (an implicit input to all algorithms) chosen uniformly at random, which is the index of the function . All the operations are performed over .(i): choose an error vector (i.e., the input distribution to ), which is the secret key. The public key is the syndrome , and let .(ii): to encrypt two bits , choose uniformly and , where . Output the ciphertext , where .(iii): compute . Output 0 if and are closer to 0 than to modulo ; otherwise output 1.

##### 4.3. Correctness and Security

The correctness of our scheme is mainly inherited by GPV dual cryptosystem. We can show the correctness as follows:

Since and , let , , . Based on GPV08, we have and . Therefore, .

The security of this scheme is similar to that of the GPV dual cryptosystem; that is, our scheme is CPA-secure and anonymous under the -dimensional assumption.

#### 5. Performance

The GPV dual cryptosystem and our scheme are implemented in Matlab 2010 in Windows 7 Service Pack1 64 bits operating system. We use a desktop which has a 4-core Intel(R) Core (TM) i3-2120 processor running at 3.30 GHz and 2 GB of RAM.

In this section, we analyze the efficiency of the above schemes from the following two aspects. On one hand, we compare the size of public keys, private keys, and ciphertext expansion of GPV dual cryptosystem with our scheme. From the Table 1, the efficiency of our algorithm and the ciphertext expansion rate has significant advantage compared with GPV dual cryptosystem. On the other hand, we compare the time cost of VarKeyGen, VarEnc, and VarDec with the GPV dual cryptosystem and the STP-GPV dual cryptosystem. Table 2 has demonstrated the time of key generation, encryption, and decryption for 1 bit in GPV dual cryptosystem, and the time of key generation encryption and decryption for 1 time (which encryption and decryption 2 bits) in STP-GPV dual cryptosystem. The experimental parameters are depicted as follows: , , and We obtain these results by running 100 times VarKeyGen, VarEnc, and VarDec and taking the averages.

By experiments, it is proved that the key generation time and encryption time of our scheme are only half of that of the GPV dual cryptosystem’s, while the decryption time is roughly equal to GPV dual cryptosystem’s.

#### 6. Discussion and Conclusions

In this section, we apply -dimensional STP-LWE in the GPV dual cryptosystem problem and build an extended GPV dual cryptosystem. We know that the size of the secret key space varies inversely with the value of in this proposed extended cryptosystem. For different , secret keys of length should satisfy the following security requirements. The first restrict is that the value of should be greater than in order to resist the lattice-based reduction algorithm. In this paper, since we pick , , and , we should choose .

The second condition is that the private key should satisfy the inequality in order to resist brute-force attacks. Considering the value , , and , we require . The following table lists the time of key generation, encryption, and decryption for one time in 5 different security levels.

In Table 3, it shows that the time of key generation and the time required for encryption one bit plaintext is reduced gradually with the increasing value of . At the same time, the time for decrypting one bit ciphertext in different security levels has changed a little.

In this paper, we construct a flexible lattice based scheme based on STP-LWE, which is a variant of learning with errors problem. Our scheme can achieve a balance between the security and efficiency in the hierarchical encryption systems. By using STP-GPV dual cryptosystem, the whole system can reset the security level for messages with the same security parameter.

#### Conflict of Interests

The authors declare that there is no conflict of interests regarding the publication of this paper.

#### Acknowledgments

The authors would like to thank the reviewers for their helpful advices. The National Natural Science Foundation of China (Grant nos. 61170269 and 61121061), the Beijing Natural Science Foundation (Grant no. 4142016), the Program for New Century Excellent Talents in University (no. NCET-11-0565), the Fundamental Research Funds for the Central Universities (no. 2012JBZ010), and the Program for Changjiang Scholars and Innovative Research Team in University (no. IRT201206) are gratefully acknowledged.