Our Generic Construction

Originally, in almost all previous encryption schemes ciphertexts are built in a one-time pad manner by adding the message to a random-looking vector coming from an LWE instance. By our modifications, we omit the way of encoding messages and the restrictions made to the parameters. Our aim is to let the ciphertexts re-semble an ordinary A-LWE instance such that the hardness of the scheme can be directly reduced to the plain A-LWE problem. Indeed, the error term hides the message while following the required distribution. This allows for more flexibility, efficiency and larger messages per ciphertext at no cost. Even more, this greatly simplifies the security proof. As we show later, we can even lift up the security to publicly-detectable RCCA (pd-RCCA) with a simple trick ensuring non-malleability of ciphertexts. When applying these functionalities to the error term in the CCA1-secure scheme due to [MP12], the message throughput is about O(m·logαq) while simultaneously providing pd-RCCA security instead of CCA1as before. In addi-tion to that, we give an intuiaddi-tion of how to get a CCA2-secure encrypaddi-tion scheme involving only minor modifications.

In what follows we provide a very basic and simple construction of an A-LWE-based encryption scheme, which will later on be the target of several optimizations.

In particular, we present simple and efficient strategies to enhance the message throughput. Due to our new feature of embedding messages in the error term, we can employ any trapdoor function that allows for error term recovery.

Therefore, let TDF = (KeyGen, g, g⁻¹) be a trapdoor function with g_A(x,y) :=

x^>A+y^>∈Z^m. The algorithmKeyGen outputs a matrixA∈Z^n×mq , that is close to uniform, with an associated trapdoor T used to invert g_A. The trapdoor func-tion satisfiesg_A⁻¹(T,c) = (x,y) withc=g_A(x,y) for arbitraryx∈Zⁿ_q and properly chosen y ∈ Z^m. We note that the random function F is instantiated either by a cryptographic hash function modeled as random oracle or a PRNG in combination with a deterministic function following the standard model variant (see Chapter 3).

The construction of the scheme is depicted below, whereαq=p·p

ln(2(1 + 1/))/π is chosen to allow for data of size logp bits per entry (see Section 4.1.2).

The generic construction is mainly based on the capability of the scheme to recover the error vector. Thus, the underlying trapdoor construction acts as a black box granting full access to the secret s and the error terme, when applying the secret

4. Building Lattice-based Encryption Schemes from A-LWE

Basic Encryption Scheme

KeyGen(1ⁿ): Generate a public matrixC∈Z^t×mq ¹, public keypk:=A∈Z^n×mq

with trapdoor sk:=T where (A,T)←TDF.KeyGen(1ⁿ).

Enc(pk,m ∈ {0,1}^m2·logp): Sample s ←_R Zⁿq and subsequently compute v=encode(F(s,e₁)⊕m)∈Z^mp , wheree₁←_RD_Z^m1,αq.

• Random oracle model: F(s,e₁) :=H(s) withm₁= 0 and m₂ =m

• Standard model: F(s,e₁) :=PRNG(Ce₁modq)

Then, sample e₂ ←_R D_v+pZ^m2,αq. The ciphertext is given by c^> = gA(s,e) for e= (e1,e2).

Dec(sk,c) : Compute g⁻¹_A (T,c) = (s,e).

Return m=decode(e2modp)⊕F(s,e1).

Figure 4.1.: Basic encryption scheme from A-LWE.

trapdoor to a related A-LWE instance. Once having revealed the error term, the message is recovered via the last step of the scheme involving the random function F(·). Improving the quality of the trapdoor and its inversion algorithm directly impacts the efficiency of the encryption scheme, since decoding of the message from eis performed very efficiently. We note that in case of a random oracle instantiation of F(·), it is sufficient to invoke H using only the secret vector s (m₁ = 0), which is always resampled for every encryption query. As a result, the whole bandwidth of the error vector e ∈ Z^m can be exploited for data transmission. The security statement below will, therefore, be based on this particular setting.

Theorem 4.3. LetF be instantiated in the random oracle model. Then, the generic encryption scheme above is CPA-secure assuming the hardness of decision A-LWE^RO_n,0,m,αq for αq≥p·p

ln(2(1 + 1/))/π≥2√ n .

Proof. Ciphertexts generated according to the generic encryption scheme from above correspond to plain A-LWE samples with m₁ = 0, where H is invoked once on the fresh input s. By assumption decision A-LWE^RO_n,0,m,αq is hard, and consequently, an adversary is not able to distinguish a challenge ciphertext from uniformly chosen samples.

In the standard model variant, ciphertexts exactly correspond to plain A-LWE samples as proposed in Chapter 3. Hence, the decision version of A-LWE applies.

Theorem 4.4. LetF be instantiated in the standard model. The generic encryption scheme above is CPA-secure assuming the hardness of decision A-LWE^S_n,m1,m2,αq for αq≥p·p

ln(2(1 + 1/))/π≥2√ n .

4. Building Lattice-based Encryption Schemes from A-LWE

4.2.1. High Data Load Encryption (HDL Mode)

In certain application scenarios one wishes to encrypt huge amounts of data. This is interesting within the context of financial transactions, secure backups, and high media traffic via the internet. In this case, a fast encryption and decryption engine is desired. The key idea underlying this goal is to extend the public key by an arbitrary number of random columns in order to ensure a more efficient encryption scheme at essentially the same security level. That is, in the key generation stepKeyGen(1ⁿ) a public keyA⁰⁰is output with a corresponding trapdoor T. By extending the public key to A = [A⁰ | A⁰⁰] with a uniform random matrix A⁰ ∈ Z^n×l_q , the message size increases due to additional samples related toA⁰. In fact, ciphertexts are generated following the basic encryption scheme

c⁰ c⁰⁰

=A^>s+ e⁰

e⁰⁰

modq.

However,c⁰⁰is the only ciphertext part that is by construction required to recover s and, hence, (e⁰,e⁰⁰) since

e⁰ e⁰⁰

= c⁰

c⁰⁰

−A^>smodq .

As a result, one observes a performance boost as well as an increased message throughput per ciphertext. This can be attributed to the following facts. First, the additional samples c⁰ are obtained using the same secret vector. Furthermore, the performance of the decryption engine benefits from the already recovered secret.

That is, the error term e⁰ is retrieved using the same secret as opposed to invoke the complete decryption engine in case one encrypts c⁰ and c⁰⁰ separately. Finally, the error size employed to embed the data into e⁰ is not restricted to any condition and can thus be chosen as large as possible. This opportunity will be discussed in the following sections.

4.2.2. Improved Message Throughput

In this section we highlight three further strategies to enhance the data throughput per ciphertext. The first and second variant require to operate the encryption scheme in the mode for high data load encryption (HDL mode). The last approach, however, aims at exploiting the secrets as another message carrier. All approaches can easily be combined and remain secure in the standard model. The resulting schemes taking these improvements into account are presented in Section 4.2.3 and Section 4.3. The first two approaches are only applicable in the HDL mode, since modifications are restricted solely to the error term related toA⁰.

Maximum Discrete Gaussians. The first approach is applicable, whenever A⁰ ∈ Z^n×lq contains at least one column l > 0. In this case the scheme is

oper-4. Building Lattice-based Encryption Schemes from A-LWE

ating in theHDL mode, which stands out due to its performance and high message throughput at essentially some small overhead. Previously, a single parameter αq was used in order to inject data into the error vector. This, however, is not opti-mal, since the error term associated to A⁰ is not touched in order to recover s and hence does not represent a bottleneck. In fact, this part is ignored when decrypt-ing ciphertexts. Once havdecrypt-ing recovered the secret s and e1, we can very efficiently recover the data injected into the error term. Hence, we can use the full band-width of the error term. That is, we can introduce a second parameter βq, which is used for the error vector corresponding to A⁰. This parameter can be as large as bq/(2·4.7)c such that the error term does not wrap around and thus allows for errorless message recovery. Indeed, using βq = p·ω(√

logn) for p = 2^k and k = blog( ^q

2·4.7√

ln(2(1+1/))/π)c ≈ blog(_2·4.7^q ₂)c seems to be the best choice with re-gard to data load. Sampling such large discrete Gaussian vectors remains almost as efficient as with small parameters, as we will point out in Section 5.1. The parameter αq associated to A⁰⁰ is, however, chosen to allow for an optimal trade-off between performance and data throughput. In this setting, the A-LWE instances produced by means of A⁰ contain also statistical min-entropy beside of computational en-tropy when ignoring the A-LWE instances corresponding to A⁰⁰, which maintain only computational entropy. Due to this, the additional samples do not make the underlying problem easier. In fact, it is even worthwhile to ignore the respective samples when estimating the hardness of the corresponding A-LWE problem using current state-of-the-art lattice attack algorithms.

Maximum Uniform Error. Instead of letting the error vectors corresponding to A⁰ ∈Z^n×lq be distributed following the discrete Gaussian distribution, an improved message throughput is obtained in case the error term is selected uniformly at ran-dom from Z^lq via a random function such as a PRNG. At the same time the en-cryption engine speeds up since the discrete Gaussian step is omitted and the space complexity also improves. Formally, ciphertexts are of the following shape

A^>·s+ u

e

∈Z^l+mq ,

where A = [A⁰ | A⁰⁰], u is uniform random over Z^lq, and e is sampled from the discrete Gaussian distribution such that the secret s can efficiently be recovered with the aid of our generalized LWE inversion algorithm described in Chapter 5 (original LWE inversion algorithm [MP12] works only for q = 2^k). Due to the fact that the error term is uniform in Z^l_q any vector could have been the secret (information-theoretically), if samples related toA⁰⁰ are not revealed. Hence, these samples do ideally not provide more information.

Message Injection into the Secret. The last approach to increase the data load involves the secret vector s and is applicable whenever it is sampled uniformly at

4. Building Lattice-based Encryption Schemes from A-LWE

random over Zⁿq. It is exploited as a further container carrying messages. There exist two ways of doing this. First, in the random oracle model we can sample the secret vector via s = (r, H(r)⊕m₂) such that a part of the message is embedded into the secret vector using a second cryptographic hash function, where r∈Z^lq for l ≤ n denotes a uniform random seed . The second approach is more general and utilizes parts of the ciphertext as the secret vector. For instance, let the vector c be a standard ciphertext generated according to the CCA1-secure scheme that we present in Section 4.3. Splittingcinto equally-sized chunksciofnelements opens up the opportunity to employ every chunk as a secret for a fresh ciphertext. Since each blockc_i incis computationally indistinguishable from uniform even given the other elements, we can generate a new ciphertext for each block ci by settingsi =ci and leaving this block out of c. The remaining steps for encryption remain unchanged.

Following this, we can additionally pack the data of size at mostbnlogqcbits into a single ciphertext. In the extreme case, we can pack all chunksc= (c1, . . . ,c_(l+m)/n) into (l+m)/nnewly generated ciphertext vectors. We decrypt via the LWE inver-sion algorithm invoked on all ciphertext vectors in order to recover s_i =c_i prior to the last ciphertext part c.

Applying the first two concepts results in an optimized and generic encryption scheme, which is detailed in the following section.

4.2.3. Optimized Generic Encryption Scheme from A-LWE

Letl, m=m₁+m₂, qbe integers andTDF= (KeyGen, g, g⁻¹) be a trapdoor function with gA(x,y) := x^>A+y^>modq ∈ Z^l+m_q . Via g⁻¹_A (T,c) = (x,y) involving the trapdoorT, we retrieve the input vectorsxandyback for properly choseny∈Z^l+m. Define by

• αq= 2^k1 ·p

ln(2(1 + 1/))/πand p1 = 2^k1, k1∈N

• βq = 2^k2·p

ln(2(1 + 1/))/π withp2 = 2^k2, k2=blog(_2·4.7^q 2)c

the different Gaussian parameters following Section 4.2.2. If the scheme is operated in the high data load encryption mode with l > 0, a large error parameter βq is used to sample the discrete Gaussian vector e3, thus, allowing for a huge message throughput. In fact, we encrypt k₂ = logp₂ bits per entry.

In order to realize the second approach with an error term distributed uniformly at random over Z^lq, we omit the step to sample e3 and directly apply e= (v2,e2,e1) as the error, where v₂ ∈ Z^lq with p₂ = q. In this case, the full bandwidth is ex-ploited such that the complete error term encompasses data of size l·logq+m₂·k₁ bits. Moreover, denote by F : Zⁿ_q ×Z^m1 → {0,1}^c a random function with c = (m₂ ·k₁ + l ·k₂). The scheme is applicable in the random oracle model with F(s,e₁) := H(s) and m₂ = m (avoiding to sample C) or in the standard model withF(s,e1) :=PRNG(Ce1modq).

4. Building Lattice-based Encryption Schemes from A-LWE

Generic Encryption Scheme

KeyGen(1ⁿ): Generate a public matrix C ∈ Z^t×mq ¹, public key pk :=

A = [A⁰ | A⁰⁰] ∈ Z^n×l+mq with trapdoor sk := T where (A⁰⁰,T)← TDF.KeyGen(1ⁿ) and a matrix A⁰ sampled uniformly at ran-dom.

• Without high data load encryption l= 0.

• With high data load encryption l >0.

Enc(pk,m∈ {0,1}^c):

1. Samples←_RZⁿ_q,e₁ ←_RD_Z^m1,αq

2. Compute (v₁,v₂) =encode(F(s,e₁)⊕m)∈Z^mp1²×Z^lp2.

• Random oracle model: F(s,e₁) :=H(s)

• Standard model: F(s,e₁) :=PRNG(Ce₁ modq) 3. Samplee₂ ←_RD_v1+p1Z^m2,αq and e₃ ←_RD_v2+p2Zl,βq. 4. Output ciphertext c^> =g_A(s,e) withe= (e₃,e₂,e₁)^>. Dec(sk,c) : Compute g⁻¹_A (T,c) = (s,e).

Return m=decode(e₂modp₁,e₃modp₂)⊕H(Ce₁ modq).

Figure 4.2.: Generic encryption scheme from A-LWE involving several optimizations.

The statements below represent adapted variants of Theorem 4.3 and Theorem 4.4 restricted to the caseβq=αqfor the sake of simplicity. TheHDL modewith a larger parameterβqdoes not change the security proof, since ciphertexts still remain plain A-LWE samples.

Theorem 4.5. Letn, m, p, qbe integers. Then, the generic encryption scheme above is CPA-secure assuming the hardness of decision A-LWE^RO_n,0,m+l,αq for αq=p·p

ln(2(1 + 1/))/π≥2√

n and=negl(n).

Proof. A quick view to the scheme reveals that ciphertexts c ←_R L^A-LWEn,0,m+l,α,q(m) are built following the A-LWE distribution, where A is either statistically or com-putationally close to uniform. Hence, Theorem 3.9 holds, where the ciphertext is still uniform random even given the message by an adversary.

The corresponding security statement for a standard model instantiation of the scheme is given in Theorem 4.6.

4. Building Lattice-based Encryption Schemes from A-LWE

Theorem 4.6. Let n, m = m₁+m₂, p, q be integers. Then, the generic encryp-tion scheme is CPA-secure assuming the hardness of decision A-LWE^S_{n,m1,m2+l,αq} for αq=p·p

ln(2(1 + 1/))/π≥2√

n and=negl(n).

Im Dokument On the Design and Improvement of Lattice-based Cryptosystems (Seite 61-67)