
I was wondering if the following claim is true.

Claim. Under decisional ${\sf LWE}_{q,m,n,\chi}$, the Regev PKE scheme $\Pi=(\sf KG,Enc,Dec)$ has pseudorandom ciphertexts.

Suppose for contradiction that there exists an adversary ${\cal A}$ that can distinguish Regev's ciphertexts from uniformly random. That is, there exists a polynomial function $\sf poly(\cdot )$ such that $$|\Pr[{\sf PRCtG}_{\Pi,{\cal A}}^1=1]-\Pr[{\sf PRCtG}_{\Pi,{\cal A}}^0=1]|\geq \frac{1}{\sf poly(\lambda)}$$ for some $\lambda \in \Bbb N$. Here, $\sf PRCtG^1$ is the world where $\cal A$ receives proper encryptions of plaintexts of his choice and $\sf PRCtG^0$ random strings.

Then, we show that there exists a PPT solver $\cal D$ for Decision-$\sf LWE$. So, $\cal D$ receives a pair $(A,y)$ which is either an LWE sample $(A,b:=As+e)$, where $A \gets \Bbb Z_q^{m\times n}$, $s \gets \Bbb Z_q^n$ and $e\gets \chi^m$, or a uniform sample $(A,u)$, where $A \gets \Bbb Z_q^{m\times n}$ and $u \gets \Bbb Z_q^m$. We denote the first instance by $\sf RealG_{LWE}$ and the second by $\sf RandG_{LWE}$. Then, $\cal D$ is as follows:

$\sf{Algorithm}$ ${\cal D}(A,y)$.

  • Return $\eta \gets {\cal A}^{\text{Sim}{\sf OPr}(pk,\cdot)}(pk=(A,y))$, where $\text{Sim}{\sf OPr}(pk,\mu):= (rA,ry+\mu \lfloor q/2 \rfloor)=(c_1,c_2) \in \Bbb Z_q^n \times\Bbb Z_q$, where $r \gets \{0,1\}^m$.

So, $\text{Sim}{\sf OPr}(pk,\mu) \in \{(rA,rAs+re+\mu \lfloor q/2\rfloor),(rA,ru+\mu \lfloor q/2\rfloor)\}$. Then, \begin{gather*} \Pr[{\sf PRCtG}_{\Pi,{\cal A}}^1=1]=\Pr[{\sf RealG}_{\sf LWE, {\cal D}}=1], \\ \Pr[{\sf PRCtG}_{\Pi,{\cal A}}^0=1]=\Pr[{\sf RandG}_{\sf LWE, {\cal D}}=1]. \end{gather*}

This is roughly my first idea, but am I missing something? Do we need the LHL (Leftover Hash Lemma) to argue about the equality of the probabilities?

PS 1) Apologies for my writing; I have recently been trying to understand LWE more deeply. 2) If there is any unclear point please do let me know; I tried to make the question as concise as possible.

Thank you.

Chris

1 Answer


Depending on how rigorous you want to be, you've stipulated that your Regev distinguisher distinguishes legitimate ciphertexts from "random strings" (presumably meaning uniformly distributed random values in $\mathbb Z_q^n\times\mathbb Z_q$). In your input to the distinguisher, you are either inputting $(rA,rAs+re+\mu[q/2])$ (which probably matches the description of a legitimate ciphertext, depending on which definition of Regev's scheme you are using) or $(rA,ru+\mu[q/2])$, which needs to match the description of a "random string". Depending on who is reading the proof, you may need to justify that this does indeed match the distribution. Note that you haven't described how $\mu$ is generated.

I'm afraid that I don't know what "the HLH" stands for and so cannot comment on its use.

Daniel S
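The following is an added worked example, not code from either post. It implements the reduction $\cal D$ from the question (the simulated oracle $\text{Sim}{\sf OPr}$ that answers $\cal A$'s queries using only the challenge $(A,y)$) next to Regev's $\sf KG/Enc/Dec$, checks that in the $\sf RealG_{LWE}$ branch the simulated ciphertexts are genuine Regev ciphertexts (the secret holder decrypts them), and computes the Leftover Hash Lemma bound that the answer's point about justifying the "random string" distribution in the $\sf RandG_{LWE}$ branch rests on. The parameters $n=10$, $m=100$, $q=4093$, the error distribution $\chi$ = uniform on $\{-2,\dots,2\}$ and the bit $\mu$ being supplied by the caller are all constructed assumptions for the example, far too small for any security.

```python
import math
import random

# Toy parameters, constructed for this example only (assumption, not from the posts):
# far too small for security, chosen so |r.e| <= M*ERR_BOUND = 200 < Q/4 and decryption never fails.
N, M, Q = 10, 100, 4093
ERR_BOUND = 2          # chi = uniform on {-2, ..., 2}


def random_matrix(rng):
    """A <- Z_q^{m x n}, stored row by row."""
    return [[rng.randrange(Q) for _ in range(N)] for _ in range(M)]


def lwe_instance(rng):
    """RealG_LWE challenge (A, b = As + e); the secret s stays with the challenger."""
    A = random_matrix(rng)
    s = [rng.randrange(Q) for _ in range(N)]
    e = [rng.randint(-ERR_BOUND, ERR_BOUND) for _ in range(M)]
    b = [(sum(A[i][j] * s[j] for j in range(N)) + e[i]) % Q for i in range(M)]
    return (A, b), s


def uniform_instance(rng):
    """RandG_LWE challenge (A, u) with u <- Z_q^m."""
    return random_matrix(rng), [rng.randrange(Q) for _ in range(M)]


def sim_oracle(rng, pk, mu):
    """The reduction's Sim OPr(pk, mu): (rA, ry + mu*floor(q/2)) with r <- {0,1}^m.
    It touches only the challenge (A, y), never s, so D can run it in both worlds."""
    A, y = pk
    r = [rng.randrange(2) for _ in range(M)]
    c1 = [sum(r[i] * A[i][j] for i in range(M)) % Q for j in range(N)]
    c2 = (sum(r[i] * y[i] for i in range(M)) + mu * (Q // 2)) % Q
    return c1, c2


def regev_keygen(rng):
    """Regev KG: pk = (A, As + e), sk = s. The public key is exactly a RealG_LWE sample."""
    return lwe_instance(rng)


def regev_encrypt(rng, pk, mu):
    """Regev Enc is the same map as sim_oracle; this identity is why
    Pr[PRCtG^1 = 1] = Pr[RealG_LWE,D = 1] holds exactly, with no approximation."""
    return sim_oracle(rng, pk, mu)


def regev_decrypt(sk, ct):
    """Regev Dec: centre c2 - <c1, s> in (-q/2, q/2] and read the bit from its magnitude."""
    c1, c2 = ct
    v = (c2 - sum(c1[j] * sk[j] for j in range(N))) % Q
    if v > Q // 2:
        v -= Q
    return 1 if abs(v) > Q // 4 else 0


def real_world_decrypts_correctly(seed=1, trials=200):
    """RealG_LWE branch check: D's simulated ciphertexts under a genuine LWE key are
    valid Regev ciphertexts, so the secret holder recovers every queried bit mu."""
    rng = random.Random(seed)
    pk, sk = regev_keygen(rng)
    bits = [rng.randrange(2) for _ in range(trials)]
    return all(regev_decrypt(sk, sim_oracle(rng, pk, mu)) == mu for mu in bits)


def lhl_distance_bound(n, m, q):
    """Leftover Hash Lemma for h_{A,u}(r) = (rA, ru), r uniform on {0,1}^m, (A,u) uniform:
    the statistical distance of (rA, ru) from uniform over Z_q^{n+1} is at most
    (1/2) * sqrt(q^(n+1) / 2^m). Computed in the exponent to avoid huge integers."""
    return 0.5 * 2.0 ** (((n + 1) * math.log2(q) - m) / 2)


def lhl_sufficient_m(n, q, lam):
    """Smallest m with lhl_distance_bound(n, m, q) <= 2^-lam, i.e. m >= (n+1) log2 q + 2 lam - 2."""
    return math.ceil((n + 1) * math.log2(q) + 2 * lam - 2)


if __name__ == "__main__":
    print("RealG branch decrypts correctly:", real_world_decrypts_correctly())
    print("LHL bound at toy parameters   :", lhl_distance_bound(N, M, Q))
    print("m needed for 2^-40 at n=10    :", lhl_sufficient_m(N, Q, 40))
```

The two equalities in the question are not on the same footing. The first is exact, because `regev_encrypt` and `sim_oracle` are literally the same function of $(A,y)$. The second is where the LHL enters: in the $\sf RandG_{LWE}$ branch $\cal D$ hands $\cal A$ the pair $(rA,\ ru+\mu\lfloor q/2\rfloor)$, and `lhl_distance_bound` is the statistical distance between $(rA,ru)$ and a uniform element of $\Bbb Z_q^{n+1}$ (adding $\mu\lfloor q/2\rfloor$ to a uniform value leaves it uniform, however $\mu$ was chosen). So $\Pr[{\sf PRCtG}^0=1]$ and $\Pr[{\sf RandG}_{\sf LWE,\cal D}=1]$ agree only up to that distance, accumulated over the number of oracle queries. At the toy parameters the bound exceeds 1 and says nothing, which is the answer's "you may need to justify that this does indeed match the distribution" in numbers; `lhl_sufficient_m` gives the $m$ at which the bound drops below $2^{-\lambda}$.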