Research Article  Open Access
STP-LWE: A Variant of Learning with Error for a Flexible Encryption
Abstract
We construct a flexible lattice-based scheme based on semi-tensor product learning with errors (STP-LWE), which is a variant of the learning with errors problem. We have proved that STP-LWE is hard when LWE is hard. Our scheme is proved to be secure against indistinguishable chosen message attacks, and it can achieve a balance between security and efficiency in hierarchical encryption systems. In addition, our scheme is almost as efficient as the dual encryption in GPV08.
1. Introduction
Lattices and lattice-based cryptography have become a hot research topic in public key cryptography in recent years. Lattice-based cryptography is attractive because of its provable worst-case hardness guarantees, good asymptotic efficiency and parallelism, and resistance to quantum attacks [1]. The first provably secure lattice-based encryption was presented by Ajtai and Dwork based on the worst-case hardness of lattice problems [2]. After that, several constructions were proposed [3, 4]. In 2004, Regev improved on this with R04, based on a harder lattice problem, but its huge key size is unacceptable [5]. To overcome this disadvantage, Regev subsequently constructed Regev05 based on the learning with errors (LWE) problem, which admits a quantum reduction from traditional lattice problems [6]. Since the LWE problem has proved to be amazingly versatile, a multitude of cryptographic schemes have been built on it, such as secure public-key encryption under both chosen-plaintext [6] and chosen-ciphertext attacks [7, 8], oblivious transfer [9], identity-based encryption [10], various forms of leakage-resilient cryptography [11], and fully homomorphic encryption [12].
In some applications, such as hierarchical encryption systems, users at different levels use private keys of different lengths [13]. They retrieve their private key from their domain PKG, which has previously requested its domain secret key from the root PKG. In traditional encryption, the PKG must store all security parameters and public parameters related to the different key lengths of the users in the different domains [14]. How to construct a flexible encryption scheme that balances the security and efficiency requirements is therefore an open problem.
The semi-tensor product (STP), a new algebraic approach, generalizes the matrix product from the equal-dimension case to the multiple-dimension case, and it is designed to deal with higher-dimensional data as well as multilinear mappings [15]. Recently, STP has been applied widely in control theory [16] and physics [17–19]. However, to the best of our knowledge, all the works in the cryptography field based on STP are related to Boolean functions. A method for converting between the truth table and the polynomial expression of Boolean functions was proposed in [20]. In [21], the authors studied nonlinear feedback shift registers (NLFSR), including the calculation of the numbers of fixed points and of cycles of different lengths in the generated state sequences.
In this paper, we propose a variant of the LWE problem called the STP-LWE problem, which essentially extends the standard LWE problem by using STP. In the STP-LWE problem, the dimension of the public matrix may not be equal to that of the secret . The hardness of STP-LWE can be reduced to the standard LWE problem. We take advantage of the properties of STP-LWE to construct the STP-GPV dual cryptosystem based on the dual encryption in GPV08 [22]. The new scheme is more flexible in hierarchical encryption systems, since we can balance security and efficiency by adjusting the length of messages while keeping the security parameter fixed.
The rest of this paper is organized as follows. We first introduce some basic concepts of lattices in Section 2. In Section 3, we detail the STP and the STP-LWE problem. In Section 4, we propose the STP-GPV dual cryptosystem and analyze its correctness and security. In Section 5, we discuss the efficiency of the STP-GPV dual cryptosystem. Finally, discussion and conclusions are presented in Section 6.
2. Preliminaries
In this section, we briefly describe the basic concepts about lattices and the learning with errors (LWE) problem.
2.1. Notation
We denote the set of real numbers by and the set of integers by . For a positive integer , [n] denotes . By convention, vectors are assumed to be in column form and written using bold lowercase letters, for example, . The th component of will be denoted by . Matrices are written as bold capital letters, for example, , and the th column vector of a matrix is denoted by . The length of a matrix is the norm of its longest column . We use standard big notation to classify the growth of functions and say that if for some fixed constant . We let be an unspecified function for some constants . A function, denoted generically by , is a function such that for some fixed constant We say that a probability (or fraction) is if it is The between two distributions and over a countable domain is defined to be .
2.2. Lattices and Gaussian Measures
A lattice is a discrete additive subgroup of . Let consist of linearly independent vectors. The dimensional generated by the basis is
For any (ordered) set of linearly independent vectors, let be its Gram-Schmidt orthogonalization, defined iteratively in the following way: , and for each , is the component of orthogonal to span. Clearly, .
The following useful lemma says that any full-rank set of vectors in a lattice can be efficiently converted to a basis of the lattice, without increasing the lengths of the Gram-Schmidt vectors.
Lemma 1 (see [23]). There is a deterministic polynomial-time algorithm that, given an arbitrary basis of an n-dimensional lattice and a full-rank set of lattice vectors , outputs a basis of such that for all .
The dual lattice of , denoted , is defined as . By symmetry, it can be seen that . If is a basis of , the dual basis is in fact a basis of .
The following standard fact relates the Gram-Schmidt orthogonalizations of a basis and its dual (the proof can be found in [5]).
Lemma 2. Let be an ordered basis, and let be its dual basis in reversed order (i.e., ). Then for all . In particular, .
We now review the Gaussian measures over lattices. For any , the Gaussian function on centered at with parameter is defined as
The subscripts and are taken to be 1 and 0 (resp.) when omitted.
For any , real , and n-dimensional lattice , the discrete Gaussian distribution over is defined as where .
Micciancio and Regev [24] proposed a lattice quantity called the smoothing parameter.
Definition 3 (see [24]). For any n-dimensional lattice and positive real , the smoothing parameter is the smallest real such that , where .
A bound on the smoothing parameter is also given in [24].
Lemma 4 (see [25]). For any n-dimensional lattice and real , one has
Then for any function, there is a negligible for which .
We note that a sample from a discrete Gaussian with parameter is at most away from its center (in the norm), with overwhelming probability.
Lemma 5 (see [24]). For any n-dimensional lattice , , real , and ,
2.3. Some Lattice Problems
We now recall the learning with errors (LWE) problem [6].
For an integer , some probability distribution over , an integer dimension , and a vector , define as the distribution on of the variable , where and are uniform and independent, and all operations are performed in .
Definition 6 (LWE). For an integer and a distribution on , the goal of the (average-case) problem is to distinguish (with non-negligible probability) between the distribution for some uniform (secret) and the uniform distribution on (via oracle access to the given distribution). In other words, if LWE is hard, then the collection of distributions is pseudorandom.
as the group of reals with mod 1 addition. For , is the distribution on of a normal variable with mean 0 and standard deviation , reduced modulo 1. For any probability distribution over and an integer its discretization is the discrete distribution over of the random variable , where has distribution .
We then recall two standard worst-case approximation problems on lattices. In both problems, is the approximation factor as a function of the dimension.
Definition 7 (see [24], shortest vector problem, decision version). An input to is a basis of a full-rank -dimensional lattice. It is a YES instance if and a NO instance if , where .
Definition 8 (see [24], shortest independent vectors problem). An input to is a full-rank basis of an -dimensional lattice. The goal is to output a set of linearly independent lattice vectors such that .
Regev demonstrated that for certain moduli and Gaussian error distributions , is as hard as several standard worst-case lattice problems, via a quantum algorithm.
Proposition 9 (see [6]). Let and let be a prime such that . If there exists an efficient (possibly quantum) algorithm that solves , then there exists an efficient quantum algorithm for approximating SIVP and GapSVP in the norm, in the worst case, to within factors.
The result was subsequently extended to SIVP and GapSVP in any norm, , for essentially the same approximation factors [25].
3. STP-LWE
3.1. Semi-Tensor Product
In this section, we introduce the semi-tensor product (STP) of matrices. The STP formalism not only generalizes the conventional matrix product but also preserves all of the fundamental properties of the conventional matrix product.
Definition 10 (see [15]). Let be a row vector of dimension , and let be a column vector of dimension . Then we split into equal-size blocks named , which are row vectors of dimension . Define a semi-tensor product, denoted by , as
Let and . If either is a factor of , say and denote it by , or is a factor of , say and denote it by , then define the STP of and , denoted by , as the following: consists of blocks as and each block is
where is the th row of and is the th column of .
The dimension of the STP of two matrices can be described by deleting the largest common factor of the dimensions of the two factor matrices; for example, where is the Kronecker product and is the identity matrix.
If the related products are well defined, the STP satisfies the following laws.
(1) Distributive rule: where .
(2) Associative rule:
3.2. STP-LWE
In this section, we propose a new hardness problem, called the STP-LWE problem, which is based on the STP. The main idea is to replace the ordinary multiplication in the LWE problem with the STP. A distribution must be introduced before giving the definition of the STP-LWE problem.
For an integer and some probability distribution over , an integer dimension , and a vector , define as the distribution on of the variable , where is uniform and are independent, and all operations are performed in .
Definition 11 (decision -dimensional STP-LWE problem). For an integer and a distribution on , the goal of the decision version (average-case) STP is to distinguish (with non-negligible probability) between the distribution for some uniform (secret) and the uniform distribution on (via oracle access to the given distribution).
Definition 12 (search -dimensional STP-LWE problem). For an integer and a distribution on , the goal of the search version (average-case) STP is to find the vector given a sample from the distribution .
The STP-LWE problem is a generalization of the primal LWE problem. It is obvious that the decision -dimensional STP-LWE problem and the search -dimensional STP-LWE problem coincide with the primal LWE problem when . The STP-LWE problem can be written in matrix form, consisting of vectors, each of which is an instance of the LWE problem. An instance of the STP-LWE problem can then be expressed as , where , is a secret vector, and are from the distribution . The following theorem shows the hardness of the search version of the -dimensional STP-LWE problem.
Theorem 13. The search version of the -dimensional STP problem is hard under the assumption that is hard.
Proof. We prove this theorem by contradiction.
Case 1. Let ; then we are given a search version STP instance , where and . Suppose that finding the vector is easy.
By the properties of STP, we have , where
Therefore, can be written as
This is equivalent to
It is easy to see that this equation contains two instances. Under the assumption that finding the vector in the search version STP instance is easy, (13) is also easily solved. That is, the instance can be solved. This contradicts the hardness assumption of the problem.
Case 2. It is clear that when , the -dimensional STP-LWE problem still holds. The proof of this case is similar to Case 1. This completes the proof.
As the value of increases, the security of the -dimensional STP-LWE problem decreases. To prevent this, in the STP-LWE problem must satisfy the security requirements under which the scheme can still be reduced to lattice problems that resist quantum computing. In GPV08 [22], should be larger than
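As an added illustration (not code from the paper), the following Python implements the semi-tensor product of Section 3.1 through its Kronecker form and checks the observation behind Theorem 13: an STP-LWE sample A ⋉ s + E, with the public matrix having t times as many columns as the secret has entries, splits into t ordinary LWE instances that share the secret s. The function names, the column-interleaving helper and the toy parameters are my own choices, not the paper's.

```python
import math
import random
from typing import List

Matrix = List[List[int]]


def identity(n: int) -> Matrix:
    return [[1 if i == j else 0 for j in range(n)] for i in range(n)]


def kron(A: Matrix, B: Matrix) -> Matrix:
    """Kronecker product A ⊗ B."""
    p, s = len(B), len(B[0])
    return [[A[i // p][j // s] * B[i % p][j % s]
             for j in range(len(A[0]) * s)] for i in range(len(A) * p)]


def matmul(A: Matrix, B: Matrix, q: int = 0) -> Matrix:
    """Ordinary matrix product, reduced mod q when q > 0."""
    assert len(A[0]) == len(B), "inner dimensions must agree"
    out = [[sum(A[i][k] * B[k][j] for k in range(len(B)))
            for j in range(len(B[0]))] for i in range(len(A))]
    return [[v % q for v in row] for row in out] if q else out


def stp(A: Matrix, B: Matrix, q: int = 0) -> Matrix:
    """Semi-tensor product A ⋉ B (Cheng's definition).
    For A of size m×n and B of size p×s, let t = lcm(n, p); then
    A ⋉ B = (A ⊗ I_{t/n}) (B ⊗ I_{t/p}).  When n = p this is the ordinary
    product; when n = t·p it reduces to A (B ⊗ I_t), the case used in STP-LWE."""
    n, p = len(A[0]), len(B)
    t = n * p // math.gcd(n, p)
    return matmul(kron(A, identity(t // n)), kron(B, identity(t // p)), q)


def column_block(A: Matrix, t: int, j: int) -> Matrix:
    """Columns j, j+t, j+2t, ... of A: the j-th of t column-interleaved blocks."""
    return [row[j::t] for row in A]


def stp_lwe_sample(A: Matrix, s: List[int], E: Matrix, q: int) -> Matrix:
    """One STP-LWE sample A ⋉ s + E (mod q): A is n×m and s has length m/t,
    so A ⋉ s is an n×t matrix and E is an n×t matrix of small errors."""
    B = stp(A, [[v] for v in s], q)
    return [[(B[i][j] + E[i][j]) % q for j in range(len(B[0]))]
            for i in range(len(B))]


def as_lwe_instances(A: Matrix, s: List[int], E: Matrix, q: int) -> Matrix:
    """The same n×t sample built as t plain LWE instances A_j s + e_j that all
    share the secret s, where A_j is the j-th column-interleaved block of A.
    This is the decomposition used in Case 1 of the proof of Theorem 13."""
    n, t = len(A), len(A[0]) // len(s)
    cols = []
    for j in range(t):
        Aj = column_block(A, t, j)
        cols.append([(sum(Aj[i][k] * s[k] for k in range(len(s))) + E[i][j]) % q
                     for i in range(n)])
    return [[cols[j][i] for j in range(t)] for i in range(n)]


def demo_stp_lwe():
    """Constructed toy instance (insecure parameters, for illustration only):
    q = 17, A is 3×4, the secret s has length 2, hence t = 2 LWE instances."""
    rng = random.Random(7)
    q, n, m, k = 17, 3, 4, 2
    A = [[rng.randrange(q) for _ in range(m)] for _ in range(n)]
    s = [rng.randrange(q) for _ in range(k)]
    E = [[rng.choice([-1, 0, 1]) for _ in range(m // k)] for _ in range(n)]
    return stp_lwe_sample(A, s, E, q), as_lwe_instances(A, s, E, q)


if __name__ == "__main__":
    print(stp([[1, 2, 3, 4]], [[1], [2]]))  # [[7, 10]]
    via_stp, via_lwe = demo_stp_lwe()
    print(via_stp == via_lwe)  # True
```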
4. Our Scheme
In this section, we give a variant of the GPV dual cryptosystem. First, we recall the dual cryptosystem in GPV08 [22]. Then, we give our construction based on the -dimensional STP-LWE problem, together with its correctness and security.
4.1. GPV Dual Cryptosystem
It is parameterized by some , which specifies the discrete Gaussian distribution from which secret keys are chosen. All the users share a common matrix (an implicit input to all algorithms) chosen uniformly at random, which is the index of the function . All the operations are performed over .
(i) : choose an error vector (i.e., the input distribution to ) as the secret key. The public key is the syndrome .
(ii) : to encrypt a bit , choose uniformly and , where . Output the ciphertext , where .
(iii) : compute . Output 0 if is closer to 0 than to modulo ; otherwise output 1.
The correctness and security are given in GPV08 [22], and readers can refer to it for more details.
4.2. STP-GPV Dual Cryptosystem
Our public-key dual cryptosystem is based on the -dimensional STP-LWE problem, and we let . It is parameterized by some , which specifies the discrete Gaussian distribution from which secret keys are chosen. All the users share a common matrix (an implicit input to all algorithms) chosen uniformly at random, which is the index of the function . All the operations are performed over .
(i) : choose an error vector (i.e., the input distribution to ), which is the secret key. The public key is the syndrome , and let .
(ii) : to encrypt two bits , choose uniformly and , where . Output the ciphertext , where .
(iii) : compute . Output 0 if and are closer to 0 than to modulo ; otherwise output 1.
4.3. Correctness and Security
The correctness of our scheme is mainly inherited from the GPV dual cryptosystem. We can show the correctness as follows:
Since and , let , , . Based on GPV08, we have and . Therefore, .
The security of this scheme is similar to that of the GPV dual cryptosystem; that is, our scheme is CPA-secure and anonymous under the -dimensional assumption.
5. Performance
The GPV dual cryptosystem and our scheme are implemented in MATLAB 2010 on a 64-bit Windows 7 Service Pack 1 operating system. We use a desktop with a 4-core Intel Core i3-2120 processor running at 3.30 GHz and 2 GB of RAM.
In this section, we analyze the efficiency of the above schemes from two aspects. On the one hand, we compare the sizes of public keys, private keys, and the ciphertext expansion of the GPV dual cryptosystem with those of our scheme. As Table 1 shows, our algorithm has a significant advantage in efficiency and ciphertext expansion rate over the GPV dual cryptosystem. On the other hand, we compare the time cost of VarKeyGen, VarEnc, and VarDec between the GPV dual cryptosystem and the STP-GPV dual cryptosystem. Table 2 reports the time of key generation, encryption, and decryption for 1 bit in the GPV dual cryptosystem, and the time of key generation, encryption, and decryption for one run (which encrypts and decrypts 2 bits) in the STP-GPV dual cryptosystem. The experimental parameters are as follows: , , and We obtain these results by running VarKeyGen, VarEnc, and VarDec 100 times each and taking the averages.
The experiments show that the key generation time and encryption time of our scheme are only half of those of the GPV dual cryptosystem, while the decryption time is roughly equal to that of the GPV dual cryptosystem.
6. Discussion and Conclusions
In this section, we apply the -dimensional STP-LWE problem to the GPV dual cryptosystem and build an extended GPV dual cryptosystem. We know that the size of the secret key space varies inversely with the value of in this proposed extended cryptosystem. For different , secret keys of length should satisfy the following security requirements. The first restriction is that the value of should be greater than in order to resist the lattice-based reduction algorithm. In this paper, since we pick , , and , we should choose .
The second condition is that the private key should satisfy the inequality in order to resist brute-force attacks. Considering the values , , and , we require . The following table lists the time of key generation, encryption, and decryption for one run at 5 different security levels.
Table 3 shows that the key generation time and the time required to encrypt one plaintext bit decrease gradually as the value of increases, while the time to decrypt one ciphertext bit changes little across the security levels.
In this paper, we construct a flexible lattice-based scheme based on STP-LWE, which is a variant of the learning with errors problem. Our scheme can achieve a balance between security and efficiency in hierarchical encryption systems. By using the STP-GPV dual cryptosystem, the whole system can reset the security level for messages while keeping the same security parameter.
Conflict of Interests
The authors declare that there is no conflict of interests regarding the publication of this paper.
Acknowledgments
The authors would like to thank the reviewers for their helpful advice. The National Natural Science Foundation of China (Grant nos. 61170269 and 61121061), the Beijing Natural Science Foundation (Grant no. 4142016), the Program for New Century Excellent Talents in University (no. NCET-11-0565), the Fundamental Research Funds for the Central Universities (no. 2012JBZ010), and the Program for Changjiang Scholars and Innovative Research Team in University (no. IRT201206) are gratefully acknowledged.
References
[1] M. Ajtai, “Generating hard instances of lattice problems (extended abstract),” in Proceedings of the 28th Annual ACM Symposium on the Theory of Computing (STOC '96), pp. 99–108, ACM, 1996.
[2] M. Ajtai and C. Dwork, “The first and fourth public-key cryptosystems with worst-case/average-case equivalence,” Electronic Colloquium on Computational Complexity (ECCC), vol. 14, no. 097, 2007.
[3] O. Goldreich, S. Goldwasser, and S. Halevi, “Eliminating decryption errors in the Ajtai-Dwork cryptosystem,” in Advances in Cryptology—CRYPTO '97, vol. 1294 of Lecture Notes in Computer Science, pp. 105–111, Springer, Berlin, Germany, 1997.
[4] J. Hoffstein, J. Pipher, and J. H. Silverman, “NTRU: a ring-based public key cryptosystem,” in Algorithmic Number Theory, vol. 1423 of Lecture Notes in Computer Science, pp. 267–288, Springer, Berlin, Germany, 1998.
[5] O. Regev, “New lattice-based cryptographic constructions,” Journal of the ACM, vol. 51, no. 6, pp. 899–942, 2004.
[6] O. Regev, “On lattices, learning with errors, random linear codes, and cryptography,” Journal of the ACM, vol. 56, no. 6, article 34, 2009.
[7] N. Döttling, J. Müller-Quade, and A. C. A. Nascimento, “IND-CCA secure cryptography based on a variant of the LPN problem,” in Advances in Cryptology—ASIACRYPT 2012, vol. 7658 of Lecture Notes in Computer Science, pp. 485–503, Springer, Berlin, Germany, 2012.
[8] X.-Y. Yang, L.-Q. Wu, M.-Q. Zhang, and X.-F. Chen, “An efficient CCA-secure cryptosystem over ideal lattices from identity-based encryption,” Computers and Mathematics with Applications, vol. 65, no. 9, pp. 1254–1263, 2013.
[9] C. Peikert, V. Vaikuntanathan, and B. Waters, “A framework for efficient and composable oblivious transfer,” in Advances in Cryptology—CRYPTO 2008, vol. 5157 of Lecture Notes in Computer Science, pp. 554–571, Springer, Berlin, Germany, 2008.
[10] S. Agrawal, D. Boneh, and X. Boyen, “Efficient lattice (H)IBE in the standard model,” in Advances in Cryptology—EUROCRYPT 2010, vol. 6110 of Lecture Notes in Computer Science, pp. 553–572, Springer, Berlin, Germany, 2010.
[11] S. S. M. Chow, Y. Dodis, Y. Rouselakis, and B. Waters, “Practical leakage-resilient identity-based encryption from simple assumptions,” in Proceedings of the 17th ACM Conference on Computer and Communications Security (CCS '10), pp. 152–161, October 2010.
[12] Z. Brakerski, C. Gentry, and V. Vaikuntanathan, “(Leveled) fully homomorphic encryption without bootstrapping,” in Proceedings of the 3rd Conference on Innovations in Theoretical Computer Science (ITCS '12), pp. 309–325, January 2012.
[13] D. Cash, D. Hofheinz, and E. Kiltz, “How to delegate a lattice basis,” IACR Cryptology ePrint Archive, vol. 2009, no. 351, 2009.
[14] D. Boneh, X. Boyen, and E.-J. Goh, “Hierarchical identity based encryption with constant size ciphertext,” in Advances in Cryptology—EUROCRYPT 2005, vol. 3494 of Lecture Notes in Computer Science, pp. 440–456, Springer, Berlin, Germany, 2005.
[15] D.-Z. Cheng and L.-J. Zhang, “On semi-tensor product of matrices and its applications,” Acta Mathematicae Applicatae Sinica, English Series, vol. 19, no. 2, pp. 219–228, 2003.
[16] B. Gao, H. Peng, D. Zhao, W. Zhang, and Y. Yang, “Attractor transformation by impulsive control in Boolean control network,” Mathematical Problems in Engineering, vol. 2013, Article ID 674571, p. 5, 2013.
[17] B. Gao, L. Li, H. Peng et al., “Principle for performing attractor transits with single control in Boolean networks,” Physical Review E, vol. 88, no. 6, Article ID 062706, 2013.
[18] Z. Wang, S. Kokubo, J. Tanimoto et al., “Insight into the so-called spatial reciprocity,” Physical Review E, vol. 88, no. 4, Article ID 042145, 2013.
[19] W. J. Yuan, J. F. Zhou, Q. Li et al., “Spontaneous scale-free structure in adaptive networks with synchronously dynamical linking,” Physical Review E, vol. 88, no. 2, Article ID 022818, 2013.
[20] Y. Zhao, X. Gao, and D. Cheng, “Semi-tensor product approach to Boolean functions,” Preprint, 2010.
[21] D. W. Zhao, H. P. Peng, L. X. Li et al., “Novel way to research nonlinear feedback shift register,” Science China Information Sciences, 2014.
[22] C. Gentry, C. Peikert, and V. Vaikuntanathan, “Trapdoors for hard lattices and new cryptographic constructions,” in Proceedings of the 40th Annual ACM Symposium on Theory of Computing (STOC '08), pp. 197–206, May 2008.
[23] D. Micciancio and S. Goldwasser, Complexity of Lattice Problems: A Cryptographic Perspective, Springer, 2002.
[24] D. Micciancio and O. Regev, “Worst-case to average-case reductions based on Gaussian measures,” SIAM Journal on Computing, vol. 37, no. 1, pp. 267–302, 2007.
[25] C. Peikert, “Limits on the hardness of lattice problems in $\ell_p$ norms,” Computational Complexity, vol. 17, no. 2, pp. 300–351, 2008.
Copyright
Copyright © 2014 Bo Gao et al. This is an open access article distributed under the Creative Commons Attribution License, which permits unrestricted use, distribution, and reproduction in any medium, provided the original work is properly cited.