A Latticed-based Public Key Encryption with KDM Security from R-LWE

Since the introduction of the ring learning with errors (R-LWE) problem by Lyubashevsky, Peikert and Regev, many efficient and secure cryptographic applications have been built on it. In this paper, we present an efficient public-key encryption scheme based on the R-LWE assumption. It is very simple to describe and analyze. It also achieves security against certain key-dependent message (KDM) attacks: this efficient encryption scheme can securely encrypt its own secret key. The security of this scheme follows from the already proven hardness of the R-LWE problem, since the R-LWE assumption is reducible to worst-case problems on ideal lattices. Besides, the scheme enjoys a high level of efficiency and low cost, since its operations are very simple and fast. The cost of both encryption and decryption is only polylog(n) bits per message symbol.


Introduction
The well-studied learning with errors (LWE) problem was introduced by Regev [1], who proved that there is a quantum reduction from the worst-case lattice problem to it. Peikert subsequently showed the hardness of LWE under a certain lattice assumption through a classical reduction [2] (γ-SVP to LWE). Furthermore, the LWE assumption is sufficiently flexible to allow for the design of cryptographic constructions. Many interesting cryptographic applications have been built on it in recent years ([1,2,3,4,5,6]).
The LWE problem can be described as the task of recovering a secret element from linear equations with certain errors. Informally, for a dimension n and a prime q , given many pairs of the form ( ) a , a ,s ∈ is uniform and independent element, s n q ∈ is uniformly random secret and the inner product a ,s i q ∈ is perturbed by a random error term chosen from certain error distribution, the goal of the LWE problem is to recover the secret s from the equations. However, the main drawback of schemes based on LWE is that they are not efficient enough for practical applications, since the key typically contains a random matrix defined over $\mathbb{Z}_q$ for a small q. So the space and time requirements seem bound to be at least quadratic with respect to the security parameter n. To solve this problem, an algebraic variant of LWE, called ring learning with errors (R-LWE), was presented in the independent concurrent work [7]. The R-LWE assumption is analogous to LWE. Roughly speaking, given the noisy equations are of the form ( ) ∈ is uniformly random and the product $a \cdot s$ is perturbed by some random error term, chosen from an error distribution χ, the goal is to recover the secret s from the equations. The R-LWE assumption has very strong hardness guarantees [7]. Because of these features of the R-LWE problem, applications based on it are more efficient and practical than those based on the LWE assumption. Besides, the most basic task in cryptography is to construct secure encryption. Many definitions of security for encryption assume that the message to be encrypted does not depend on the secret key. However, some situations require the message to depend on the secret key.
So the definition of key-dependent message security was introduced by Black, Rogaway and Shrimpton [8]. KDM-secure encryption is a new area which has attracted much research in recent years ([9], [10], [11], [12], [13], [14]). For example, KDM security allows the adversary to obtain ciphertexts of messages that depend on the secret keys.

Our Results and Techniques. In this paper, to motivate the efficiency as well as the security of a scheme, we mainly construct a public-key encryption scheme based on the R-LWE$^{\times}_t$ assumption, which is a variant of the R-LWE assumption. It is efficient and enjoys KDM security. The construction and security proofs are simple and natural, since many applications of the LWE problem can be made much more efficient through the use of the R-LWE problem. This contribution is mainly inspired by the work of Applebaum, Cash, Peikert and Sahai [10] based on the LWE problem. The proof of security is also similar to theirs. The R-LWE$^{\times}_t$ assumption is obtained by applying the invertibility technique and the noise-scaling technique, introduced in [15] and [9] respectively. It remains hard after this subtle modification. Due to the work [15], an important observation is that the R-LWE assumption is still hard even when , s A χ and ( ) we apply the noise-scaling technique in [9] to the assumption to get the R-LWE$^{\times}_t$ assumption our scheme is based on. Roughly speaking, given noisy equations in the form of ( ) ∈ , the goal is still to recover the secret s from the equations. As shown in [9], the additional factor of $t \in \mathbb{Z}_q^*$ is not a problem because $t \in \mathbb{Z}_q^*$ and q are relatively prime.
In order to make our scheme KDM-secure, we generate the secret key s from the noise distribution instead of the uniform one over $R_q$. This modification does not affect the security of the scheme. We will discuss it in the following section. x f x is the ring of all integer polynomials modulo $f(x)$, where ( )

Preliminaries
q x f x denote the ring of all integer polynomials modulo both $f(x)$ and q. In our work, we define a ring as [ ] ( )

Lattice. Let { } By mapping polynomials to the vectors of their coefficients, we can see that an ideal of a ring (here the ring is [ ] ( ) x f x ) corresponds to a sub-lattice of $\mathbb{Z}^n$. So a lattice is an ideal lattice if there The Gaussian distribution

There are several natural computational problems involving lattices. These problems play a fundamental role in various areas. The following standard worst-case problem is of interest. The parameter $\gamma(n)$ is the approximation factor.
The (approximate) shortest vector problem (γ-SVP): Given a basis of the lattice Λ, the goal is to find the shortest non-zero vector v ∈ Λ such that v ( ) with respect to a fixed approximation factor $\gamma(n)$.
As shown in [16], this problem with a constant factor is NP-hard for all norms under randomized reductions. Using the well-known LLL algorithm [17], this problem is solvable for an approximation factor exponential in the lattice dimension. The same problem restricted to ideal lattices is called ISVP. Even though ideal lattices have a special algebraic structure and ISVP is not considered to be NP-hard, it is believed that no known algorithm performs non-negligibly better for γ-ISVP than for γ-SVP.

The Variant of R-LWE. In this section, we describe the variant of the R-LWE assumption our scheme is based on and discuss its hardness. We call it R-LWE$^{\times}_t$. Let n be a power of 2 and let q be a prime satisfying $q = 1 \bmod 2n$. Define a probability distribution χ over $R_q$. The distribution , , t s A χ × is obtained by sampling the pair ( )

Definition 1: For an integer $q = q(n)$ and an error distribution χ, the problem R-LWE$^{\times}_t$ is defined as follows: given access to an oracle that produces samples in $R_q \times R_q$, distinguish whether the oracle outputs samples from the distribution , , t s A χ × or the distribution ( )

Due to the work [1] and [7], we can get analogous hardness results for R-LWE$^{\times}_t$, since this problem also shares some nice properties of the standard LWE problem, most notably the equivalence between the decision version and the search version, where the goal is to recover the secret s. In particular, there is a probabilistic polynomial-time reduction from solving the R-LWE$^{\times}_t$ problem to distinguishing between , , t s A χ × and ( )

Public Key Encryption
As described in the introduction, the theoretical advances on R-LWE make lattice-based cryptography truly efficient and practical. In this section, we present the formal description of our KDM-secure public-key scheme based on the R-LWE$^{\times}_t$ problem described in the previous section. We also give a detailed analysis, including the techniques used in the construction and the properties of the scheme.

The Construction of the Scheme. Let n denote the security parameter. Our scheme relies on appropriate parameter choices, including the prime integer $q = 1 \bmod 2n$ and a larger prime $t \in \mathbb{Z}_q^*$ such that r t to ensure all but negligible probability The correctness of the construction is apparent for Note that the decryption of this scheme is complete without any decryption failures.
For technical reasons, in the formal construction the secret key s is chosen from the noise distribution χ rather than the uniform distribution $U(R_q)$, to achieve KDM security without any security loss. The security of the scheme follows from the hardness of the R-LWE$^{\times}_t$ assumption, actually from its Hermite normal form, due to the following lemma.
Lemma: For $q = 1 \bmod 2n$, arbitrary $s \in R_q$ and the error distribution χ, there is a deterministic polynomial-time transformation T, which

Proof: The transformation T is given access to a distribution D over $R_q^{\times} \times R_q$. Here the distribution is , , t s A χ × or ( ) . Next we prove it in two steps.
The first step is that the transformation T obtains a pair ( ) , the transformation T will turn it to be ( ) We can note that $a' \in R_q^{\times}$ is uniform because $a \in R_q^{\times}$ is invertible modulo q and $a \in R_q^{\times}$ is uniform. On the one hand, if D is the distribution ( ) Therefore, we get

The Pseudorandomness and Efficiency. As shown in [7], the R-LWE$^{\times}_t$ problem has two classical features, efficiency and pseudorandomness. That is, our scheme can be efficiently computed with "cheap" operations such as modular addition and multiplication. Compared with some schemes based on traditional problems or the LWE problem, our scheme can achieve the same security at lower overhead. In this scheme, the cost of both encryption and decryption is only polylog(n) bits per message symbol. So this scheme is obviously more efficient than the ones ([10], [11]) based on the LWE problem and the DDH problem respectively. This result stems from the fact that an element in the ring can encode n samples from $\mathbb{Z}_q$. So the overhead in this scheme can be reduced by a factor of approximately n. Our scheme also enjoys the properties of low complexity and pseudorandomness. We can observe that the size of all the keys and ciphertexts is $O(n \log n)$. They are actually R-LWE instances, so they are all pseudorandom. If the adversary is forced to work without the knowledge of any signed message, key recovery from the public information (such as the public key and the ciphertexts in this scheme) is equivalent to solving the R-LWE problem.

The Security of the Scheme. The KDM security features of our scheme are similar to those of the work [10]. Namely, this scheme can securely encrypt any linear function of the secret key. Consider the ciphertext ( ) 1, c a a s t e = − ⋅ + ⋅ is also exactly an R-LWE instance, which is computationally indistinguishable from the uniform ones. This case extends to any linear function of the secret key. So we get the following theorem. The proof is straightforward, and its outline is analogous to the methodology introduced in [10]. Here, it is omitted.

Theorem: For the parameters mentioned in the formal construction, this scheme is KDM-secure under the R-LWE$^{\times}_t$ assumption.
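
An added toy example (not the paper's construction or code) of the scaled-noise idea used in this section: it shows decryption removing the t·e term modulo t, and an encryption of the secret key s becoming an ordinary sample under a' = a + 1. Assumptions: f(x) = x^n + 1, a ternary stand-in for χ, a uniform rather than invertible a, tiny parameters, and a simplified secret-key encryption of the form (a, a·s + t·e + m) with centered message coefficients.

```python
import random

# Assumed toy sizes (not secure): N a power of 2, prime Q = 1 mod 2N, gcd(T, Q) = 1.
N, Q, T = 16, 12289, 17

def mul(a, b):
    """Product in Z_Q[x]/(x^N + 1): x^N wraps around to -1."""
    out = [0] * N
    for i, ai in enumerate(a):
        for j, bj in enumerate(b):
            k, sign = (i + j) % N, (1 if i + j < N else -1)
            out[k] = (out[k] + sign * ai * bj) % Q
    return out

def centered(v, mod):  # representative of v in (-mod/2, mod/2]
    v %= mod
    return v - mod if v > mod // 2 else v

def small(rng):  # ternary stand-in for the error distribution chi (assumption)
    return [rng.choice((-1, 0, 1)) for _ in range(N)]

def encrypt(s, m, rng):
    """Return (a, a*s + T*e + m): a scaled-noise sample carrying m."""
    a = [rng.randrange(Q) for _ in range(N)]
    e = small(rng)
    return a, [(x + T * ei + mi) % Q for x, ei, mi in zip(mul(a, s), e, m)]

def lift(s, c):  # b - a*s as centered integers; equals T*e + m while |T*e + m| < Q/2
    a, b = c
    return [centered(bi - x, Q) for bi, x in zip(b, mul(a, s))]

def decrypt(s, c):  # modulo T the T*e term vanishes and m remains
    return [centered(v, T) for v in lift(s, c)]

def kdm_as_sample(c):
    """Re-read an encryption of s as a plain sample under a' = a + 1."""
    a, b = c
    return [(a[0] + 1) % Q] + a[1:], b

def noise_of(s, sample):
    """Return e if b - a*s = T*e exactly, otherwise None."""
    r = lift(s, sample)
    return [v // T for v in r] if all(v % T == 0 for v in r) else None

if __name__ == "__main__":
    rng = random.Random(1)
    s = small(rng)              # secret key drawn from the noise distribution
    c = encrypt(s, s, rng)      # key-dependent message: m = s
    print(decrypt(s, c) == s, noise_of(s, kdm_as_sample(c)))
```

Because a + 1 is uniform whenever a is, the shifted pair has exactly the distribution of a fresh sample in this simplified setting, which is why encrypting s reveals nothing beyond what an ordinary sample does.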

Summary
We construct a public-key encryption scheme based on the R-LWE$^{\times}_t$ problem, which is reducible to worst-case problems on ideal lattices. So the scheme is simple and efficient. Besides, our scheme enjoys key-dependent message security.

Notations.
Throughout the paper, we use n for the security parameter. Other parameters are functions of n. Let D denote a distribution over some set S. d ← D is used to denote that d is chosen from the distribution D. Define $d \leftarrow U(S)$ to mean that d is chosen from the uniform distribution over a finite set S. Let the distribution $D_{\mathbb{Z}^n, r}$ denote the n-dimensional discrete Gaussian distribution. Let $\mathbb{Z}[x]$ denote the ring of polynomials over the integers. The ring [ ] ( ) consist of n linearly independent vectors. The n-dimensional lattice Λ generated by the basis

D
Λ on Λ with parameter r is proportional to x e r π − to each point x ∈ Λ. The i-th successive minimum $\lambda_i(\Lambda)$ is the smallest radius r such that Λ contains i linearly independent vectors of norm at most r.
parameters are public. There are polynomial-time algorithms which can output these parameters. Key generation ($1^n$): Sample a ring element $s \leftarrow \chi$ and define s as the secret key. , c ): Given the secret s and the ciphertexts c pair $(a, b)$ satisfies $b = a \cdot s + t \cdot s'$, where s′ is chosen from χ. The second step is to transform samples from D into ones from a different distribution. For a sample $(a, b)$