**Fractional LWE: a nonlinear variant of LWE**

*Gérald Gavin and Stéphane Bonnevay*

**Abstract: **Many cryptographic constructions are based on the famous problem LWE \cite{LWERegev05}. In particular, this cryptographic problem is currently the most relevant to build FHE. In some LWE-based schemes, encrypting $x$ consists of randomly choosing a vector $c$ satisfying $\langle s,c\rangle=x+\textsf{noise}\pmod q$ where $s$ is a secret size-$n$ vector. While the vector sum is a homomorphic operator, such a scheme is intrinsically vulnerable to lattice-based attacks. To overcome this, we propose to define $c$ as a pair of vectors $(u,v)$ satisfying $\langle s,u\rangle/\langle s,v\rangle=x+\textsf{noise}\pmod q$.
This simple scheme is based on a new cryptographic problem intuitively not easier than LWE, called Fractional LWE (FLWE).
While some homomorphic properties are lost, the secret vector $s$ could be hopefully chosen shorter leading to more efficient constructions. We extensively study the hardness of FLWE. We first prove that the decision and search versions are equivalent provided $q$ is a \textit{small} prime. We then propose lattice-based cryptanalysis showing that $n$ could be chosen logarithmic in $\log q$.

**Category / Keywords: **secret-key cryptography / LWE, lattice-based cryptanalysis, homomorphic encryption

**Date: **received 5 Aug 2019, last revised 5 Aug 2019

**Contact author: **gavin at univ-lyon1 fr

**Available format(s): **PDF | BibTeX Citation

**Version: **20190808:063711 (All versions of this report)

**Short URL: **ia.cr/2019/902

[ Cryptology ePrint archive ]