IACR Cryptol. ePrint Arch. | 2019

Fractional LWE: a nonlinear variant of LWE

 
 

Abstract


Many cryptographic constructions are based on the famous problem LWE [Reg05]. In particular, this cryptographic problem is currently the most relevant to build FHE [GSW13, BV11]. In [BV11], encrypting \(x\) consists of randomly choosing a vector \(\boldsymbol{c}\) satisfying \(\langle \boldsymbol{s},\boldsymbol{c}\rangle = x+\textsf{noise} \pmod q\) where \(\boldsymbol{s}\) is a secret size-\(n\) vector. While the vector sum is a homomorphic operator, such a scheme is intrinsically vulnerable to lattice-based attacks. To overcome this, we propose to define \(\boldsymbol{c}\) as a pair of vectors \((\boldsymbol{u},\boldsymbol{v})\) satisfying \(\langle \boldsymbol{s},\boldsymbol{u}\rangle / \langle \boldsymbol{s},\boldsymbol{v}\rangle = x+\textsf{noise} \pmod q\). This simple scheme is based on a new cryptographic problem intuitively not easier than LWE, called Fractional LWE (FLWE). While some homomorphic properties are lost, the secret vector \(\boldsymbol{s}\) could hopefully be chosen shorter, leading to more efficient constructions. We extensively study the hardness of FLWE. We first prove that the decision and search versions are equivalent provided \(q\) is a small prime. We then propose lattice-based cryptanalysis showing that \(n\) could be chosen logarithmic in \(\log q\) instead of polynomial for LWE.
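The two relations in the abstract, as an added toy example (not code from the paper or its authors): it samples an LWE-style vector with \(\langle \boldsymbol{s},\boldsymbol{c}\rangle = x+\textsf{noise}\) and an FLWE-style pair whose inner-product ratio is \(x+\textsf{noise}\), then recovers the noisy value with the secret. The modulus, dimension, noise bound and all function names are assumptions chosen for illustration, not parameters from the paper, and offer no security.

```python
import secrets

Q = 65537   # toy prime modulus (constructed)
N = 4       # toy dimension (constructed)
NOISE = 3   # assumed noise bound: |noise| <= NOISE

def inner(a, b):
    return sum(x * y for x, y in zip(a, b)) % Q

def small_noise():
    return secrets.randbelow(2 * NOISE + 1) - NOISE

def keygen():
    # s[0] is forced nonzero so one coordinate can always be solved for.
    return [1 + secrets.randbelow(Q - 1)] + [secrets.randbelow(Q) for _ in range(N - 1)]

def vector_with_inner(s, target):
    """Random vector c with <s, c> = target (mod Q)."""
    c = [0] + [secrets.randbelow(Q) for _ in range(N - 1)]
    c[0] = (target - inner(s, c)) * pow(s[0], -1, Q) % Q
    return c

def lwe_encrypt(s, x):
    return vector_with_inner(s, x + small_noise())

def lwe_decrypt(s, c):
    return inner(s, c)                      # x + noise (mod Q)

def flwe_encrypt(s, x):
    d = 1 + secrets.randbelow(Q - 1)        # nonzero value of <s, v>
    v = vector_with_inner(s, d)
    u = vector_with_inner(s, (x + small_noise()) * d)
    return u, v

def flwe_decrypt(s, ct):
    u, v = ct
    return inner(s, u) * pow(inner(s, v), -1, Q) % Q   # x + noise (mod Q)

def centered(a):
    """Representative of a mod Q in (-Q/2, Q/2]."""
    a %= Q
    return a - Q if a > Q // 2 else a

def add_vectors(c1, c2):
    return [(a + b) % Q for a, b in zip(c1, c2)]
```

Adding two LWE-style vectors with `add_vectors` decrypts to the sum of the plaintexts plus the sum of the two noise terms, which is the vector-sum homomorphism the abstract refers to.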

Volume 2019
Pages 902
DOI 10.1007/978-3-030-31578-8_20
Language English
Journal IACR Cryptol. ePrint Arch.
