1. A computer-implemented method of decrypting a ciphertext, the method comprising:
receiving, by a processor, a ciphertext c, over a network; and
decrypting, by a processor, the ciphertext c to obtain a message (m) which is
s being a secret key;
wherein a public key and the secret key are generated by a method comprising:
a step of determining, by a processor, the secret key (s) by sampling from WT_{n}(h_{s})^{d};
a step of determining, by a processor, an error vector (e) by sampling from (D_{αq}^{n})^{d} and an error value (e′) by sampling from D_{αq}^{n};
a step of choosing, by a processor, a randomly uniform matrix A∈R_{q}^{d×d} which satisfies A·s=e (mod q);
a step of choosing, by a processor, a random column vector b∈R_{q}^{d} which satisfies
and
a step of determining, by a processor, (A∥b)∈R_{q}^{d×(d+1)} as the public key (pk);
wherein the ciphertext c is generated by a method comprising a step of receiving, by a processor, the public key (pk) and a message (m∈R_{2}); and a step of generating, by a processor, the ciphertext by
wherein a column vector (r) is determined by sampling from WT_{n}(h_{s})^{d}; and wherein:
α is an error parameter which satisfies 0<α<1;
q is a positive integer;
p is a positive integer less than q;
d is a positive integer;
n is a power of 2;
h_{s} is a positive integer less than n;
h_{r} is a positive integer less than n;
D_{αq} is a discrete Gaussian distribution;
D_{αq}^{n} is a product distribution of independent and identically distributed n random variables according to the distribution D_{αq};
(D_{αq}^{n})^{d} is a product distribution of independent and identically distributed d random variables according to the distribution D_{αq}^{n}; and
WT_{n}(h_{s})^{d} and WT_{n}(h_{r})^{d} are distributions of randomly sampled d polynomials of degree (n−1), the coefficients of which are −1, 0, or +1, from WT_{n}(h_{s}) and WT_{n}(h_{r}), respectively, wherein WT_{n}(h_{s}) and WT_{n}(h_{r}) are distributions of uniformly sampled vectors from {−1, 0, 1}^{n}, under the condition that said vectors have h_{s} and h_{r} non-zero elements, respectively.
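
The fixed-weight ternary distribution WT_{n}(h)^{d} defined in the last clause can be sampled as follows. This is an added illustration, not code from the patent; the function names and the toy parameters are assumptions, and the operating system's CSPRNG is used as the randomness source.

```python
import secrets

_rng = secrets.SystemRandom()  # OS CSPRNG; key material must not come from `random`


def sample_wt(n, h):
    """Draw one vector from WT_n(h): uniform over {-1,0,1}^n with exactly h non-zeros.

    Returned as the coefficient list of a polynomial of degree n-1.
    """
    if n < 2 or n & (n - 1):
        raise ValueError("n must be a power of 2 (at least 2)")
    if not 0 < h < n:
        raise ValueError("h must be a positive integer less than n")
    coeffs = [0] * n
    # A uniform h-subset of positions, then an independent uniform sign for each,
    # makes every one of the C(n,h) * 2^h admissible vectors equally likely.
    for pos in _rng.sample(range(n), h):
        coeffs[pos] = 1 if secrets.randbits(1) else -1
    return coeffs


def sample_wt_vector(n, h, d):
    """Draw from WT_n(h)^d: d independent polynomials, each from WT_n(h)."""
    if d < 1:
        raise ValueError("d must be a positive integer")
    return [sample_wt(n, h) for _ in range(d)]


def is_in_support(vec, n, h):
    """Check that a candidate vector lies in the support of WT_n(h)."""
    return (len(vec) == n
            and all(c in (-1, 0, 1) for c in vec)
            and sum(c != 0 for c in vec) == h)


if __name__ == "__main__":
    # Toy parameters chosen for illustration only (constructed, not from the claim).
    for poly in sample_wt_vector(n=16, h=4, d=2):
        print(poly, is_in_support(poly, 16, 4))
```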