CTJV801 A Practical Public Key Encryption Scheme Based On Learning Parity With Noise

This article has been accepted for publication in a future issue of this journal, but has not been
fully edited. Content may change prior to final publication. Citation information: DOI 10.1109/ACCESS.2018.2840119, IEEE
Access
A Practical Public Key Encryption

Scheme Based on Learning Parity with
Noise
Zhimin Yu1, Chong-zhi Gao2,4, Zhengjun Jing1, Brij Bhooshan Gupta3, Qiuru Cai1
1
School of Computer Engineering Jiangsu University of Technology, Changzhou Jiangsu 213001, China
2
School of Computer Science and Educational Software, Guangzhou University, China
3
Department of Computer Engineering, National Institute of Technology Kurukshetra, India
4
State Key Laboratory of Cryptology, P.O. Box 5159, Beijing, China
Corresponding author: Chong-zhi Gao (e-mail: [email protected]).
This work was financially supported by the National Natural Science Foundation of China (Grant
Nos. 61672270, 61602216, 61702236), the Changzhou Applied Basic Research Guidance Project
(2016365), the Changzhou Science and Technology Program (CJ20179027) and the State Key
Laboratory of Cryptology, China.
Abstract To protect cyber security and privacy, it is critical to design security and practical public key
encryption schemes. Today, big data and cloud computing bring not only unprecedented opportunities
but also fundamental security challenges. Big data faces many security risks in the collection, storage
and use of data and brings serious problems regarding the disclosure of private user data. It is
challenging to achieve security and privacy protection in the big data environment. Thus, to meet the
growing demand of public key encryption in this environment, we proposed a single-bit public key
encryption scheme based on a variant of LPN (Learning Parity with Noise) and extended it to a
multi-bit public key encryption scheme. We proved the correctness and CPA (Chosen Plaintext Attack)
security of the proposed method. Our schemes solved encoding error rate problems of the existing
public key schemes based on LPN, and the encoding error rate in our schemes is negligible.
INDEX TERMS CPA, Encoding error ratio, Encryption, LPN, Public key encryption
I. INTRODUCTION [6, 7]. The main classical public key schemes

With the development and application of big were designed based on a number of difficult
data and cloud computing technology, the number theory problems, such as large number
large data environment has put forward higher factorization and discrete logarithms [8-11].
requirements for data encryption, and the However, many traditional number theory
design of a practical and secure public key assumptions on which the above schemes are
encryption scheme has important practical based can be solved by quantum algorithms
significance. Considering data security in the [12]. That is, in the era of quantum computing,
big data environment, many valuable schemes these public key encryption schemes have been
have been put forward [1-3]. They have been broken. Therefore, in the post quantum era,
shown to be useful in applications such as new public key encryption schemes based on
protecting the privacy in machine learning [4, new difficult problems need to be designed and
5], and protecting security in cloud computing
1
2169-3536 (c) 2018 IEEE. Translations and content mining are permitted for academic research only. Personal use is also permitted, but republication/redistribution requires IEEE permission. See
http://www.ieee.org/publications_standards/publications/rights/index.html for more information.
This article has been accepted for publication in a future issue of this journal, but has not been fully edited. Content may change prior to final publication. Citation information: DOI 10.1109/ACCESS.2018.2840119, IEEE
Access
implemented [13-14] for the new computing $

(a, r ), r  Z 2 , the attacker can solve the DLPN
environments and applications.
In 2003, Boneh and Silverberg defined the problem (decisional LPN).
concept of ideal multilinear mapping and To date, there are two kinds of non-trivial
demonstrated its application scenarios [15]. solving methods for LPN problems. One kind of
However, until 2013, Garg, Gentry and Halevi method intends to exhaust all possible noise
(GGH) proposed the first realistic multilinear vectors, and the other solves the LPN problem
mapping based on ideal lattice [16], with its based on the Blum-Kalai-Wasserman (BKW)
security based on the multi-level algorithm [29]. The original BKW algorithm
Diffie-Hellman computation and decision has sub index time complexity 2O ( n log n ) with
problem (GCDH/GDDH). Many new schemes sampling times 2O ( n log n ) . Lyubashevsky gives
have been designed based on the GGH scheme a BKW algorithm variant that requires higher
[17, 18]. Recently, the GGH scheme was time complexity 2O ( n log log n ) but with sampling
proved to be insecure [19], and new multilinear times n1  [30]. Recently, Kirchner also
mapping construction is being explored. proposed an improved algorithm with less
Regev proposed LWE (Learning with Error) running time [31]. Although there are many
based on lattice theory [20], which has been solving algorithms for a variety of LPN
widely used in public key cryptosystem design problems, there are no polynomial time
and applications of data encryption in cloud algorithms or quantum algorithms.
computing [21-28]. Although LWE issues can The creation and calculation of LPN
resist quantum attacks, the public key size in instances are very simple, but it is very difficult
schemes designed based on LWE is too large, to solve the DLPN problem. Therefore, it is
and the reduction of this size is a public very attractive to design cryptographic
problem. applications based on LPN. The LPN problem
If we design public key schemes based on the has been widely used in symmetric encryption
variety of LPN that is the special case of LWE [32-36], but there has been little progress in the
in F2 , the size of public key is small. There is a design of the public key scheme. In 2003,
randomly selected open n -dimensional vector Alekhnovich proposed a public-key encryption
scheme based on a decisional LPN problem
a  Z 2n and a randomly selected private
[37].
n -dimensional vector s  Z 2n in an LPN In this scheme, the noise ratio is   1 n
(Learning parity with noise) problem. An instead of a constant defined in a standard LPN
problem. Subsequently, Damgård et al.
attacker can get a sample set (a, a, s  e) ,
proposed not only a public key encryption
where e  Ber . Ber represents the scheme based on decisional LPN problem but
Bernoulli distribution that is discrete 0, 1 also a public-key encryption scheme based on a
probability distribution, and the probability of ring-LPN problem [38]. Damgård et al. proved
an occurrence of 1 is 0    1 . The parameter the security of these schemes. Meanwhile, these
in the standard LPN problem is 0    0.5 , schemes are practical. Damgård et al. compared
which is essentially the noise rate. On this basis, some practical public key encryption algorithms
if the attacker is able to distinguish between the such as RSA for computational efficiency,
sampling element and the random element public key size and ciphertext. Although the
RSA algorithm does not have an anti-quantum
Access
offensive, the performance comparison is bit-vector involved in cryptographic operations.

meaningful. When a ciphertext is decrypted, if the hamming
However, non-negligible encoding error weight of the n dimensional vector is less than
exists in all existing public key schemes based n , the plaintext bit is 0, and vice versa, the
on an LPN variant [37-38]. To solve this 2
problem, we designed a new public-key plaintext bit is 1. The probability of the
encryption scheme. First, our issue will extend hamming weight exceeding expectations will
the LPN variant to a matrix LPN problem, and a exponentially decay rapidly to a value that is
new public key encryption scheme will be negligible; thus, decryption error probability is
proposed based on an LPN variant. There are negligible. Thirdly, we extend the single-bit
two advantages to the proposed scheme. First, scheme to the multi-bit public key encryption
we maintain the largest advantages of LPN, algorithm.
which are rapid instance generation, and rapid In our single-bit and multi-bit schemes, even
and efficient encryption and decryption if we choose a larger parameter   1/ n , it
computing; second, we solve the encoding error can also ensure that the decryption error can be
problem of existing public key encryption ignored. Therefore, under the promise of
schemes. There are two vectors in Damgård’s security, the size of the public key is smaller
than in Damgård’s scheme. Meanwhile, total
scheme f , e  Bern . The correctness of the
encryption and decryption time of our
scheme relies on the fact that the inner product algorithms is greatly reduced.
f T e will be zero with the greater probability The remainder of this paper is organized as
follows. In section 2, preliminary knowledge
Pr(f T e  0)  1  (1  2 )
2 n
if the
2 2 will be given. In section 3, we propose a
parameter is selected carefully. As this single-bit and a multi-bit public key encryption
probability is greater but not negligible, there is scheme. Then, in section 4, we give the
an encoding error in the decryption. Damgård comparison between our scheme and the
chose parameters to ensure the decryption error existing scheme. The conclusion is given in
rate is less than 25% and chose the ciphertext section 5.
expansion as 5. However, all the five bits of II. Preliminaries
decoding error probability are still We first introduce the notation used in this
 1 4    1 2  . Meanwhile, Damgård chose a paper and present the definition of the LPN
5
10
problem [39].
small noise rate   (1/ n ) to meet this A. Notation
condition. Obviously, if  is too small, the We will completely work in the field GF2 .
attacker will crack the scheme easily. For a vector u   k2 ,the i -th entry of column
Our contributions include the following:
Firstly, we reduce the DLPN variety problem vector u will be denoted by ui . The i -th
column vector of matrix U will be denoted
with S  Bernn to the normal DLPN by ui . x  D means that x is drawn from
problem. So, our schemes are under the normal distribution D . Assuming A be n order
DLPN assumption. Secondly, we construct a matrix, A  denotes the transpose of A and
new single-bit public key encryption algorithm A 1 denotes the inverse matrix of A . A
in which a plaintext bit will be converted to a probability  (n) is said to be negligible if
Access
 (n)  1 p(n) for an arbitrarily large enough III. Public Key Encryption Scheme Based on
integer n . A Bernoulli distribution with DLPN
In this section, we first give a single-bit public
parameter  will be denoted by Ber . Berk
key encryption scheme based DLPN, and then
we prove the correctness and security of the
denotes the distribution of vectors a   k2
scheme. Second, we extend a single-bit
where each entry of the vector is drawn scheme to the multi-bit public key encryption
scheme and prove its correctness and security.
independently from Ber . Binn , denotes the
binomial distribution with n trials, each with A. Single-Bit Public Key Encryption Scheme
1) CONSTRUCTION OF THE SCHEME

success probability  . X  Binn , denotes
A single-bit public key encryption scheme
that X is drawn from distribution Binn , . includes three PPT algorithms (KeyGen, Enc,
Dec) following these steps:
(1) The key generation algorithm
For a vector a   k2 , its hamming weight is
KeyGen( 1 , ) takes as input an integer n
n
the number of ones in a . A function h(a)

and noise rate  . Choose matrix A   n2n
calculates the hamming weight of a   . Let k
2
randomly and choose S  Bern n ,

  (1,1,...,1)   . n
2
E  Bern n . Compute B = AS + E . It returns

B. Decisional LPN Problem a public key pk  ( A, B) and a private key
Definition 1 (Decisional LPN Problem) sk = (S) .
Given parameters n ,   , (2) The encryption algorithm Enc( pk , m )
  (1 / n ) and randomly selected matrix takes as input the public key pk and message
m  Z2 . Compute
A   n2n , S   n2 n . An attacker can obtain a c1 = rT A  e1T ,c 2 = rT B  eT2  m . It returns a
sample set (A, AS  E) , where E  Bern n . ciphertext c  (c1 ,c2 ) .

(3) The decryption algorithm Dec( sk , c ) takes
If the attacker can distinguish between a new the private key sk and a ciphertext
$ c  (c1 ,c2 ) as input. Compute d  c1  S + c 2 .
sample (A, AS  E) and (A, R ), R   n2 n
If h(d)  n / 2 , it returns m  0 , else it
with non-negligible probability after obtaining returns m  1 .
enough samples; then, the attacker is able to
2) CORRECTNESS
solve the decisional LPN (DLPN) problem.
Before giving proof of the correctness of the
Definition 2 (Decisional LPN Assumption)
scheme, we introduce lemma 3, whose proof
The probability of any probabilistic
can be found in reference [38].
polynomial time (PPT) attacker to solve the
decisional LPN problem with parameters Lemma 3 ([38] Lemma 2.5). Let X  Binn, .
(n, ) is negligible. Alekhnovich defined the
Then, the probability that X is even is
noise ratio   (1/ n ) [37].
1  (1  2 )
2 n
.
2 2
Access
Lemma 4 The probability of decryption error According to parameters selected in the

of the single-bit public key encryption scheme
scheme, h(rT E  e1T S  eT2 )  n can be met.
is negligible. 2
Proof: Because d  c1  S + c 2 and Obviously, if plaintext is 1, it is equivalent to
d  (rT A  e1T )  S  rT B  eT2  m , do the inverse operation on eT2 , and if the
substituting B = AS + E into the above

plaintext is 0, eT2 remains unchanged. So, if
equations, we can get d  rT E  e1T S  eT2  m .
m  0 , then h(rT E  e1T S  eT2 )  n , on the
2
As we know r  Bern , E  Bern n , each
contrary, there must be
n
entry of c = rT E is ci =  rj ei , j . From h(rT E  e1T S  eT2 )  n . 
j 1
2
Lemma 3, the probability that ci is 0 will be
The function h(rT E  e1T S  eT2 ) takes as
1  (1  2 )
2 n
. Similarly, the probability
2 2 input different integer n and larger noise rate
  1 / n . We give in Table I the
that each entry of e1T S is 0 will be
mathematical expectation of
1  (1  2 )
2 n
. Lastly, because eT2  Bern , h(rT E  e1T S  eT2 ) when the plaintext m  0 .
2 2
we can reach the following conclusions:
h(rT E  e1T S  eT2 )  h(rT E)  h(e1T S)  h(eT2 ) ,
h(rT E)  h(e1T S)  h(eT2 )  n(1  (1  2 2 ) n   ) .
TABLE I
Mathematical expectation of h(d) when m  0 .
n n   1/ n E (h(rT E)) E (h(e1T S)) E (h(eT2 )) E (h (d))

2
9000 4500 0.010541 514 514 95 ≈1123
21000 10500 0.006901 1276 1276 145 ≈2697
29000 14500 0.005872 1795 1795 166 ≈3755
80000 40000 0.003536 5131 5131 282 ≈10544
145000 72500 0.002626 9431 9431 381 ≈19243
3) SECURITY PROOF Lemma 5 Choose A   n2 n , S  Bern n

Although we sample private key S  Bern n
and E  Bern n randomly. Compute
n n
instead of  2 , its security is still based on B = AS + E . Under the assumption f DLPN, it
is indistinguishable between ( A, B) and
the DLPN. Therefore, before given a security
proof, we introduce lemma 5.  n2 n × n2 n sampled from uniform distribution.
Access
Proof: Given a set of LPN sample

rT R  eT , where e   22n ,
n n
( A i , B i  A i S  Ei ) , where Ai   2 ,
 (e ) , 1  i  n
ei    1 i . According DLPN
(e2 )i , n  i  2n
S   n2 n and Ei  Bern n . Without loss of
assumptions, it is indistinguishable between
generality, if we assume A11   n2 n , then (R, rT R  eT ) and (S, r T S  eT ) , where
( A i A11 , Bi  A i A11B1 ) S  Z n 2 n , r   Bern and e  Ber2n .

 ( A i A11 , Bi'  Ei  A i A11E1 ) , where
 ( A , B  A E1  Ei )
'
i
'
i
'
i
Furthermore, (S, r T S  eT ) and (S, r T )
also cannot be distinguished, in which r  is

A i'  A i A11 . If ( A i , B i ) is the LPN sample
randomly chosen from  2n .
selected according to the definition 2 instead of
If the plaintext is m  1 , eT2  m does
uniform distribution  n2n × n2n , then
not change the distribution of eT2 and only
' '
( A , B ) meets the definition in section 3.1.1.
i i
makes a negated operation to eT2 . Hence, a

When there is a PPT algorithm that can
ciphertext is indistinguishable from random
distinguish ( A i' , Bi' ) and a uniform
digits.
distribution  n2n × n2n , then this algorithm

B. Multi-Bit Public key Encryption Scheme
can distinguish ( A i , Bi ) and a uniform 1) CONSTRUCTION OF THE SCHEME
A multi-bit public key encryption scheme
distribution  n2n × n2n .
includes three PPT algorithms (KeyGen, Enc,
Therefore, the DLPN variety problem with Dec) following these steps:
(1) The key generation algorithm
S  Bernn can be reduced to the normal
KeyGen( 1 , ) takes as input an integer n
n
DLPN problem.
and noise rate  . Choose matrix A   n2n
Theorem 6 (Security). Under the DLPN
assumption, the single-bit public key scheme is
randomly and choose S  Bern n ,
secure against a chosen plaintext attack.
Proof: Suppose the single-bit public key
E  Bern n . Compute B = AS + E . It returns
scheme defined in section 3.1.1 has parameters
n, and public key pk  ( A, B) . Let a public key pk  ( A, B) and private key
sk = (S) .
ai , j 1  i  n,1  j  n
R   n22 n be ri , j   . (2) The encryption algorithm Enc( pk , m )
 bi , j 1  i  n, n  j  2n
takes as input the public key pk and message
Obviously, R has the same distribution as
m   n2 . First, convert m to a square matrix
pk  ( A, B) .
If plaintext is m  0 , the ciphertext is
M    n2 n , if mi  0 , each entry of the i  th
r T
A  e1T ,rT B  eT2  , which can be written as
column of M  are 0, and vice versa, each
Access
entry of the i  th column are 1, e.g.,

then h(rT E  e1T S  eT2 )  n ; in contrast,
1 1 0 0 2
 
1 1 0 0
m  (1,1, 0, 0) , then M   . there must be h(rT E  e1T S  eT2 )  n if
1 1 0 0 2
 
1 1 0 0 mi  1 . □
Choose R, E1 , E 2  Bern n , compute 3) SECURITY PROOF

Theorem 8 (Security) Under the DLPN
C1 = RA  E1 , C2 = RB  E2  M . It returns  assumption, the multi-bit public key scheme is
secure against the chosen plaintext attack.
a ciphertext C  (C1 ,C2 ) .
Proof: Suppose the multi-bit public key
(3) The decryption algorithm Dec( sk , c ) takes scheme defined in section 3.2.1 has parameters
as input the private key sk and a ciphertext n, and public key pk  ( A, B) . Let
C  (C1 ,C2 ) . Compute D  C1  S + C2 . If
hamming weight of the i  th column of D ai , j 1  i  n,1  j  n
Q   n2 2 n , qi , j   .
is h(d)  n / 2 , then mi  0 , mi  1 . At last it  bi , j 1  i  n, n  j  2n
returns m . Obviously, Q has the same distribution as
2) CORRECTNESS pk  ( A, B) .
Lemma 7 The probability of decryption error If each entry of plaintext is mi  0 , the
of the multi-bit public key encryption scheme
ciphertext is  RA  E1 , RB  E2  , which can
is negligible.
Proof:
be written as RQ  E , where E   n2 2 n ,
It is very easy to verify that
D  C1  S + C2  (RA  E1 )  S  RB  E 2  M  ,
 (e1 )i , j 1  i  n,1  j  n
substituting B = AS + E into the above (e )i , j   .
(e 2 )i , j 1  i  n, n  j  2n
equations, we get D  RE  E1S  E2  M  ,
According to the DLPN assumptions, it is
where R, E1 , E2  Bern n . According to indistinguishable between (Q, RQ  E ) and
Lemma 3, the hamming weight of each column

(S, R S  E) , where S   n 2 n , R   Bern n
of RE and E1S is n  1  (1  2 )  .
  2 n
 2 2
and E  Bern 2 n . (S, R S  E ) and

When each entry of the column vector m i is
(S, R  ) can also not be distinguished, in
zero, the hamming weight h(di ) is at most
n(1  (1  2 2 ) n   ) . According to the which R  is randomly chosen from  n2 2 n .
parameters selected in the scheme,

If a plaintext entry is mi  1 , (e 2 ) i T  m
h(di )  n can be met. Obviously, if the
2
does not change the distribution of (e 2 ) i T and
plaintext is mi  0 , it is equivalent to doing an
inverse operation on eT2i ; if the plaintext is 0, simply makes a negated operation to (e2 ) i T .
Hence, the ciphertext is indistinguishable from

eT2 remains unchanged. Therefore, if m  0 ,
random.
Access
IV. Performance Analysis

F2 . Therefore, the multiplication and addition
We choose for 80-, 112-, and 128-bit security,
respectively, n  9000, 21000 and 29000, have the same overhead. Thus, the
which are suitable and correspond to the computational times in the table are the sum of
security levels of 1024-, 2048-, 3072-bit RSA the multiplication and addition results. Our
[23]. Table 2 lists the comparison between our scheme has the same public key size as in the
schemes and the Damgård schemes in Damgård scheme. Although our scheme
computational efficiency. All calculations in increases slightly in ciphertext size and
the schemes based on LPN are on all fields computational overhead, the decryption error
can be negligible.
TABLE Ⅱ
COMPARISON BETWEEN OUR SCHEME AND DAMGÅRD’S SCHEME IN SIZE OF PUBLIC KEY AND CIPHERTEXT
Scheme Size of public key (bit) Size of ciphertext (bit) Encoding error
Damgård’s single-bit 2n 2  2n n 1 have

Our single-bit 2n 2 2n no
Damgård’s multi-bit 4n 2 2n have
2 2
Our multi-bit 2n 2n no
We compare the performance of our RSA and the decryption in our scheme is faster
multi-bit scheme with RSA(not padding) and than in RSA. We get the opposite result when
Damgård’s scheme in implementation for compared with Damgård’s multi-bit scheme.
various security levels as shown in Table 3. The limitation of our approach is that it
The implementation was written in C++ and does not meet the stronger CCA security.
made use of the NTL library for some Overcoming this shortcoming is one of our
mathematical operations. We can see that the future research directions.
encryption in our scheme is slower than in
TABLE III
COMPARISON WITH DAMGÅRD SCHEME AND RSA PUBLIC KEY ENCRYPTION SCHEME
Time per encryption (ms) Time per decryption

Security level (bits) 80 112 128 80 112 128
RSA scheme(not padding) 0.010 0.030 0.060 0.140 0.940 2.890

Damgård’s multi-bit 25.80 128.40 241.70 0.052 0.098 0.128
Our multi-bit scheme 15.60 45.30 102.10 0.11 0.221 0.258
encryption scheme. Our scheme solved the

V. Conclusions decryption error problem of the existing public
In the post quantum era, the design of public key encryption schemes based on DLPN.
key cryptography under the DLPN assumption Compared to existing schemes, there is an
is an important research direction. Such increase in only a small amount of ciphertext
schemes have many advantages such as shorter space and computing overhead in our scheme.
public key and ciphertext, faster encryption Our scheme not only is able to withstand
and decryption. But the existing scheme is still quantum attack but also provides strong
having the problem of decryption error, which practical security at the same time. In the
is not satisfactory. future, we will design a public key scheme
Based on the LPN variants problem, we based DLPN with high security, smaller public
proposed a single-bit and a multi-bit public key key and ciphertext size, and smaller
8
Access
computational overhead. Furthermore, [10] Yang L, Xiang Y, Peng D, “Precoding-Based Blind
designing public key cryptography that Separation of MIMO FIR Mixtures,” IEEE Access, no.99,
satisfies CCA security is also one of our future pp. 1-1. 2017.
work. [11] Neal Koblitz, Alfred Menezes and Scott Vanstone,
References “The State of Elliptic Curve Cryptography,” Journal of the

[1] Xiaochao Sun, Bao Li, Xianhui Lu, Fuyang Fang, Designs, Codes and Cryptography, vol. 19, no.(2-3), pp.
“CCA Secure Public Key Encryption Scheme Based on 173-1193, 2000.
LWE Without Gaussian Sampling,” Lecture Notes in [12] Shor, P.W, “Polynomial-time algorithms for prime
Computer Science, vol. 9589, pp. 361-378, 2015. factorization and discrete logarithms on a quantum
[2] Jian Xu, Laiwen Wei, Yu Zhang, Andi Wang, Fucai computer,” Journal of the SIAM J Comput, vol. 26, no.5,
Zhou, and Chong-zhi Gao, "Dynamic Fully Homomorphic pp. 1484-1509, 1997.
Encryption-based Merkle Tree for Lightweight Streaming [13] Zhengan Huang, Shengli Liu, Xianping Mao, Kefei
Authenticated Data Structures", Journal of Network and Chen, and Jin Li, “Insight of the Protection for Data
Computer Applications, Vol.107, pp.113-124, 2018. Security under Selective Opening Attacks,” Information
Sciences, vol.412–413, pp. 223–241, 2017.
[3] Zheli Liu, Yanyu Huang, Jin Li, Xiaochun Cheng, and
[14]Qun Lin, Hongyang Yan, Zhengan Huang, Wenbin
Chao Shen, "DivORAM: Towards a Practical Oblivious
Chen, Jian Shen, Yi Tang. An ID-based linearly
RAM with Variable Block Size", Information Sciences,
homomorphic signature scheme and its application in
447: 1-11, 2018.
blockchain. IEEE Access. DOI ：
[4] Tong Li, Jin Li, Zheli Liu, Ping Li, and Chunfu Jia, 10.1109/ACCESS.2018.2809426.[15] Dan Boneh, Alice
"Differentially Private Naive Bayes Learning over Silverberg, “Applications of multilinear forms to
Multiple Data Sources", Information Sciences, 444: cryptography,” Journal of the Contemporary Mathematics,
89-104, 2018. vol. 324, pp. 71-90, 2003.
[5] Chong-zhi Gao, Qiong Cheng, Pei He, Willy Susilo, [16] Sanjam Garg, Craig Gentry, and Shai Halevi,
“Candidate multilinear maps from ideal lattices,” Lecture
and Jin Li, "Privacy-Preserving Naive Bayes Classifiers
Notes in Computer Science, vol. 7881, pp. 1-17), 2013.
Secure against the Substitution-then-Comparison Attack",
[17] Jean-Sébastien Coron, Tancrède Lepoint, and Mehdi
Information Sciences, 444: 72-88, 2018.
Tibouchi, “Practical multilinear maps over the integers,”
[6] Jin Li, Jingwei Li, Xiaofeng Chen, Chunfu Jia,
Lecture Notes in Computer Science, vol. 8042, pp.
Wenjing Lou, “Identity-based Encryption with Outsourced 476-493, 2013.
Revocation in Cloud Computing, ” IEEE Transactions on [18] Susan Hohenberger, Amit Sahai, and Brent Waters,
Computers, vol. 64, no. 2, pp. 425-437, 2015. “Full domain hash from (leveled) multilinear maps and
[7] Ping Li, Jin Li, Zhengan Huang, Tong Li, Chong-Zhi identity-based aggregate signatures,” Cryptology ePrint
Gao, Siu-Ming Yiu, Kai Chen, “Multi-key Archive, http://eprint.iacr.org/2013/434.pdf, July 10,
2013.
privacy-preserving deep learning in cloud computing, ”
[19] Yupu Hu and Huiwen Jia, “Cryptanalysis of GGH
Future Generation Computer Systems, vol. 74, pp. 76-85,
Map,” Cryptology ePrint Archive,
2017.
http://eprint.iacr.org/2015/301.pdf, Feb 19, 2016.
[8] Applebaum, B., Cash, D., Peikert, C., Sahai, A., “Fast
[20] O. Regev, “On lattices, learning with errors, random
cryptographic primitives and circular-secure encryption linear codes, and cryptography,” Journal of the ACM, vol.
based on hard learning problems,” Lecture Notes in 56, no.6, pp.1-40, 2009.
Computer Science, vol. 5677, pp. 595-618, 2009. [21] Gentry, C., Peikert, C., Vaikuntanathan, V.,
[9] G. Liu, H. Li, L. Yang, “A Topology Preserving “Trapdoors for hard lattices and new cryptographic
Method of Evolving Contours Based on Sparsity constructions,” Journal of the Electronic Colloquium on
Constraint for Object Segmentation, ” IEEE Access, vol. 5, Computational Complexity, vol. 2008, no.14, pp.197-206,
no.99, pp. 19971-19982, 2017. 2008.
Access
[22] Brakerski, Z., Vaikuntanathan, V., “Efficient fully [35] Jonathan Katz, Ji Sun Shin, and Adam Smith,
homomorphic encryption from (standard) LWE,” IEEE “Parallel and Concurrent Security of the HB and HB+
Symposium on Foundations of Computer Science, vol. 54, Protocols,” Journal of the Cryptology, vol. 23, pp. 402-421,
no.2, pp.97-106, 2011. 2010.
[23] Jin Li, Yatkit Li, Xiaofeng Chen, Patrick Lee, [36] Benny Applebaum et al., “Fast Cryptographic
Wenjing Lou. A Hybrid Cloud Approach for Secure Primitives and Circular-Secure Encryption Based on Hard
Authorized Deduplication. IEEE Transactions on Parallel Learning Problems,” Lecture Notes in Computer Science,
and Distributed Systems. 26(5), pp. 1206-1216. 2015.
vol. 5677, pp. 595-618, 2009.
[24] Cabarcas, D., Göpfert, F., Weiden, P., “Provably [37] Michael Alekhnovich, “More on Average Case vs
secure LWE encryption with smallish uniform noise and Approximation Complexity,” IEEE Symposium on
secret,” Journal of the ACM, vol. 2014, pp.33-42, 2014. Foundations of Computer Science, vol.20, no.4, pp.
[25] Wenbin Chen, Hao Lei, Ke Qi. Lattice-Based 755-786, 2003.
Linearly Homomorphic Signatures in the Standard Model. [38] Ivan Damgård and Sunoo Park, “How Practical is
Theoretical Computer Science, Vol 634. pp:47-54,2016.
Public-Key Encryption Based on LPN and Ring-LPN?,”
[26] Lindner, R., Peikert, C., “Better key sizes (and attacks)
Cryptology ePrint Archive,
for LWE-based encryption,” Lecture Notes in Computer
http://eprint.iacr.org/2012/699.pdf, June 20, 2016.
Science, vol. 6558, pp.319-339, 2011.
[39] Avrim Blum et al., “Cryptographic Primitives Based
[27] Garg S, Gentry C, Halevi S, et al., “Candidate
on Hard Learning Problems,” Lecture Notes in Computer
indistinguishability obfuscation and functional encryption
Science, vol. 773, pp. 278-291, 2001.
for all circuits,” Annual IEEE Symposium on Foundations
of Computer Science, vol.311, no.2, pp.40-49, 2013.
Zhimin Yu was born in
[28] Qun Lin, Jin Li, Zhengan Huang, Wenbin Chen, Jian
Meihekou, China in October
Shen. A short linearly homomorphic proxy signature
1973. He received a B.S. degree
scheme," IEEE Access. Volume: 6: 12966-12972, 2018.
in Computer Engineering from
[29] Avrim Blum, Adam Kalai, and Hal Wasserman,
Tongji University, Shanghai,
“Noise-tolerant learning, the parity problem, and the
China, in 1996 and an M.S.
statistical query model,” Journal of the ACM, vol.50, no.4,
degree in Computer Application
pp. 506-519, 2003.
from Tongji University, Shanghai, China, in 2004. He is
[30] Vadim Lyubashevsky, “The Parity Problem in the
currently a lecturer at School of Computer Engineering of
Presence of Noise, Decoding Random Linear Codes, and
Jiangsu University of Technology in China. His research
the Subset Sum Problem,” Lecture Notes in Computer
interests include cryptology and information security.
Science, vol. 3624, pp.378-389, 2005.
Chong-zhi Gao received his
[31] Paul Kirchner, “Improved Generalized Birthday
Ph.D. (2004) in Applied
Attack,” Cryptology ePrint Archive,
Mathematics from Sun Yat-sen
http://eprint.iacr.org/2011/377.pdf, June 15, 2016.
University. Currently, he is a
[32] Nicholas J. Hopper, Manuel Blum, “Secure Human
professor at the School of
Identification Protocols,” Lecture Notes in Computer
Computer Science of Guangzhou
Science, vol. 2248 , pp.52-66, 2001.
University. His research interests
[33] Ari Juels, Stephen A, “Weis: Authenticating
include cryptography and privacy in machine learning.
Pervasive Devices with Human Protocols,” Lecture Notes
Zhengjun Jing was born in
in Computer Science, vol. 3621, pp. 293-308, 2005.
Danyang, China in October 1978.
[34] Henri Gilbert, Matthew J. B. Robshaw, and Yannick
He received his Ph.D. in
Seurin, “How to Encrypt with the LPN Problem,” Lecture
Information and Security from
Notes in Computer Science, vol. 5126, pp. 679-690, 2008.
Nanjing University of Posts and
10
Access
Telecommunications in 2015. Since 2016, he has been an

Associate Professor in the Department of Computer
Engineering, Jiangsu University of Technology. His
interests are in the cryptanalysis and design of
cryptography.
Brij B. Gupta received the Ph.D.
degree in information and cyber
security from IIT Roorkee,
Roorkee, India. He is currently an
Assistant Professor with the
Department of Computer
Engineering, National Institute of Technology,
Kurukshetra, India. His research interest includes
information security, cyber security, cloud computing, web
security, intrusion detection, and phishing.
Qiuru Cai was born in
Qinhuangdao, China in
September 1972. She received a
B.S. degree in Computer
Engineering from Northeastern
University, Shenyang, China, in
1996 and an M.S. degree in
Computer Application from
Nanjing University of Aeronautics and Astronautics,
Nanjing, China, in 2008. She is currently a lecturer at the
School of Computer Engineering of Jiangsu University of
Technology in China. Her research interests include
cryptology and information security.
11

CTJV801 A Practical Public Key Encryption Scheme Based On Learning Parity With Noise

Uploaded by

Copyright:

Available Formats

CTJV801 A Practical Public Key Encryption Scheme Based On Learning Parity With Noise

Uploaded by

Document Information

Original Description:

Original Title

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

CTJV801 A Practical Public Key Encryption Scheme Based On Learning Parity With Noise

Uploaded by

Copyright:

Available Formats

This article has been accepted for publication in a future issue of this journal, but has not been

A Practical Public Key Encryption

I. INTRODUCTION [6, 7]. The main classical public key schemes

implemented [13-14] for the new computing $

n -dimensional vector s  Z 2n in an LPN In this scheme, the noise ratio is   1 n

offensive, the performance comparison is bit-vector involved in cryptographic operations.

small noise rate   (1/ n ) to meet this A. Notation

1) CONSTRUCTION OF THE SCHEME

the number of ones in a . A function h(a)

randomly and choose S  Bern n ,

E  Bern n . Compute B = AS + E . It returns

sample set (A, AS  E) , where E  Bern n . ciphertext c  (c1 ,c2 ) .

Lemma 4 The probability of decryption error According to parameters selected in the

d  (rT A  e1T )  S  rT B  eT2  m , do the inverse operation on eT2 , and if the

substituting B = AS + E into the above

h(rT E  e1T S  eT2 )  h(rT E)  h(e1T S)  h(eT2 ) ,

h(rT E)  h(e1T S)  h(eT2 )  n(1  (1  2 2 ) n   ) .

n n   1/ n E (h(rT E)) E (h(e1T S)) E (h(eT2 )) E (h (d))

3) SECURITY PROOF Lemma 5 Choose A   n2 n , S  Bern n

Proof: Given a set of LPN sample

( A i A11 , Bi  A i A11B1 ) S  Z n 2 n , r   Bern and e  Ber2n .

also cannot be distinguished, in which r  is

makes a negated operation to eT2 . Hence, a

distribution  n2n × n2n , then this algorithm

entry of the i  th column are 1, e.g.,

Choose R, E1 , E 2  Bern n , compute 3) SECURITY PROOF

where R, E1 , E2  Bern n . According to indistinguishable between (Q, RQ  E ) and

Lemma 3, the hamming weight of each column

n(1  (1  2 2 ) n   ) . According to the which R  is randomly chosen from  n2 2 n .

parameters selected in the scheme,

Hence, the ciphertext is indistinguishable from

IV. Performance Analysis

Damgård’s single-bit 2n 2  2n n 1 have

Time per encryption (ms) Time per decryption

RSA scheme(not padding) 0.010 0.030 0.060 0.140 0.940 2.890

encryption scheme. Our scheme solved the

computational overhead. Furthermore, [10] Yang L, Xiang Y, Peng D, “Precoding-Based Blind

work. [11] Neal Koblitz, Alfred Menezes and Scott Vanstone,

References “The State of Elliptic Curve Cryptography,” Journal of the

Telecommunications in 2015. Since 2016, he has been an

You might also like