In this challenge, I implemented multibit-variant of Regev's cryptosystem.
First, the cryptosystem generates LWE Oracle. The matrix , vector , error vector , and target vector that holds:
and will be a public key.
To encrypt, the cryptosystem generates vector consisting of only 0 or 1 . The ciphertext of will be:
Note that
Decryption will be as follows:
I extended this cryptosystem to encrypt multibit rather than single bit. In this challenge, to encrypt 64-bit plaintext , I defined .
The encryption and decryption are almost the same as the original.
Unfortunately, this trivial extensions do not work.
In this cipher, the following equation holds.
and are known and is hidden.
By taking one row from , recovering the parameter is almost the same with attacking Merkle–Hellman knapsack cryptosystem. It is known that, with certain conditions, Low-Density attack works well for attacking knapsack cryptosystem.
In the condition given, The bit length of the element of A is far longer than 100bit (to make the cryptosystem work with 64bit plaintext). Low-density attack can be applied and can be recoverd.
After is recovered, we can restore the plaintext from the equation .