Decryption analysis for Regev's Public Key Cryptosystem

P_Gate

11/21/23, 3:47 PM

Regev's Public Key Cryptosystem is defined as follows:

I want to proof the correctness. For this it must be shown that a 0 is decoded correctly and equally that a 1 is decoded correctly. I would present here once my proof:

Case: Encryption of 0

$$b = \sum_{i \in S} b_i = \sum_{i \in S} ( \langle \mathbf{a_i},\mathbf{s} \rangle + e_i) = \langle \mathbf{a},\mathbf{s} \rangle + \sum_{i \in S} e_i \Rightarrow b - \langle \mathbf{a},\mathbf{s} \rangle = \sum_{i \in S} e_i$$ We know from the definition that $|e| < \frac{\lfloor \frac{p}{2} \rfloor}{2} $ using this fact we can write: $$|b - \langle \mathbf{a},\mathbf{s} \rangle | = \left| \sum_{i \in S} e_i \right| < \frac{\lfloor \frac{p}{2} \rfloor}{2}$$ This is closer to 0 than to $\lfloor \frac{p}{2} \rfloor$, so the decryption of a 0 is correct.

Case: Encryption of 1

$$b = \lfloor \frac{p}{2} \rfloor + \sum_{i \in S} b_i = \lfloor \frac{p}{2} \rfloor + \sum_{i \in S} ( \langle \mathbf{a_i},\mathbf{s} \rangle + e_i) = \lfloor \frac{p}{2} \rfloor +\langle \mathbf{a},\mathbf{s} \rangle + \sum_{i \in S} e_i \Rightarrow b - \langle \mathbf{a},\mathbf{s} \rangle = \lfloor \frac{p}{2} \rfloor + \sum_{i \in S} e_i$$

Using the triangle inequality we can write:

Since $-|e| > -\frac{\lfloor \frac{p}{2} \rfloor}{2} $ we can write:

$$| b - \langle \mathbf{a},\mathbf{s} \rangle | = \left| \lfloor \frac{p}{2} \rfloor + \sum_{i \in S} e_i \right| \geq -\left| \sum_{i \in S} e_i \right| + \left| \lfloor \frac{p}{2} \rfloor \right| > -\frac{\lfloor \frac{p}{2} \rfloor}{2} + \left| \lfloor \frac{p}{2} \rfloor \right|$$

And this is closer to $\lfloor \frac{p}{2} \rfloor$ than to 0, so the decryption of a 1 is correct.

I am not sure about the second case of my proof, so I would appreciate a correction or confirmation. Another question is about the limits of decryption. If I'm not misleading, then everything in the range $-\frac{\lfloor \frac{p}{2} \rfloor}{2} < x < \frac{\lfloor \frac{p}{2} \rfloor}{2}$ is interpreted as 0 and everything in the range $\frac{\lfloor \frac{p}{2} \rfloor}{2} < x < \frac{3 \lfloor \frac{p}{2} \rfloor}{2}$ is interpreted as 1, can you say that?

1 + 0

lattice-crypto

lwe

Score:1

Crypto

Daniel S

11/25/23, 10:32 AM

This is largely correct though your second case also needs the two-sided bound $$\lfloor\frac p2\rfloor-\frac{\lfloor\frac p2\rfloor} 2<b-\langle\mathbf a,\mathbf s\rangle<\lfloor\frac p2\rfloor+\frac{\lfloor\frac p2\rfloor} 2$$ whereas your argument only covers the left-hand inequality. Instead, if we just note that $$-\frac{\lfloor\frac p2\rfloor} 2<\sum e_i<\frac{\lfloor\frac p2\rfloor} 2$$ with very high probability (whether we can say this with certainty depends on $\chi$) and then note that $\lfloor\frac p2\rfloor+\sum e_i=b-\langle \mathbf a,\mathbf s\rangle$ then everything follows neatly.

+ 1

P_Gate

11/25/23, 11:22 AM

Thanks for your great answer! Unfortunately the absolute value makes it more complicated in the second case. If you omit it and use the inequality of $\sum e_i$, as you also suggest, then the result is really easier to see. It would be interesting to see if one could also derive the other side of the inequality by solving for the absolute value at the top of my calculation.

Elon Musk

I sit in a Tesla and translated this thread with Ai:

EN: Decryption analysis for Regev's Public Key Cryptosystem

Post an answer

Most people don’t grasp that asking a lot of questions unlocks learning and improves interpersonal bonding. In Alison’s studies, for example, though people could accurately recall how many questions had been asked in their conversations, they didn’t intuit the link between questions and liking. Across four studies, in which participants were engaged in conversations themselves or read transcripts of others’ conversations, people tended not to realize that question asking would influence—or had influenced—the level of amity between the conversationalists.