
1 Introduction

The possible advent of a quantum computer would immediately render insecure the vast majority of currently deployed public key cryptography. Hence, over the last few years, there has been considerable effort in trying to establish new public key encryption and signature schemes which are presumably resistant to the threat of quantum computers. Indeed, the US standards body NIST last year launched a Post Quantum Crypto (PQC) Project and published a call for submissions of quantum-resistant public-key cryptographic algorithms [27].

Among the leading candidates for post-quantum public key encryption (PKE) schemes are those based on the Learning with Errors (LWE) problem and its ring equivalent (Ring-LWE). Starting with the seminal work of Regev [29], there has been considerable work on various aspects of designing public key encryption schemes based on LWE and Ring-LWE [9, 25], research into implementation aspects [8, 13, 23, 30, 31], research into attacks [1, 2, 4, 20,21,22], and various applications to advanced cryptographic constructions such as Somewhat Homomorphic Encryption [6, 7, 18].

Much existing work has, however, concentrated on producing encryption schemes meeting only a basic level of security, namely IND-CPA security. The development of schemes achieving the much stronger IND-CCA security notion has received less attention. Of course, given an IND-CPA scheme, we can apply a standard off-the-shelf transform to obtain an IND-CCA scheme. For example, the Fujisaki-Okamoto transform in [14] constructs an IND-CCA secure public-key encryption scheme (PKE) from an IND-CPA secure (or even merely one-way secure) PKE, provided it is also \(\gamma \)-uniform (see Definition 2). This reduction is tight but comes at the cost of also encrypting, under the IND-CPA PKE, the concatenation of the message and a random seed of \(\lambda \) bits, where \(\lambda \) is the security parameter.

Since public key encryption is not well-suited to the transmission of long messages, public key encryption is often used to transmit a symmetric key, which is then used in a one-time-secure Authenticated Encryption (AE) scheme to encrypt the actual message. This methodology is often called the KEM-DEM paradigm [10]. It only requires the construction of a key encapsulation mechanism (KEM) rather than a full PKE scheme, and this is usually somewhat easier or leads to more efficient solutions than designing or repurposing a PKE scheme. It turns out that there are general constructions for obtaining IND-CCA secure KEMs from weaker primitives.

In the context of producing a KEM, the Fujisaki-Okamoto transform can be applied by setting the “primary message” to be the random KEM key of size \(\lambda \) bits. Thus one obtains a total message size of \(2\, \lambda \) bits to encrypt under the IND-CPA encryption scheme. However, in LWE schemes the underlying message size directly impacts on the overall ciphertext size and the additional \(\lambda \) bits of random seed produce a ciphertext expansion of at least \(\lambda \) bits.

Dent [11] provides a veritable smörgåsbord of techniques for constructing KEMs from weakly secure PKE schemes, giving five constructions of IND-CCA secure KEMs in total. The constructions in Tables 1–3 of [11] require strong properties from an underlying IND-CPA secure PKE scheme. The construction in Table 4 of [11] requires OW-CPA security for a starting deterministic PKE scheme. This transformation is attractive, since the reduction given in [11, Theorem 8] is tight. On the other hand, ciphertexts are slightly expanded compared to the starting scheme, since they require the inclusion of an extra hash value (whose size must be at least twice the security parameter). It is possible to de-randomise any IND-CPA secure PKE scheme having large message space to achieve OW-CPA security, e.g. by setting the randomness r used during encryption as \(r=H(m)\) for some random oracle \(H(\cdot )\). The proof is a simple exercise. Thus Dent’s Table 4 construction can be used with an LWE-style PKE scheme as a starting point, though again with a cost of some ciphertext expansion.

The construction in Table 5 of [11] and analysed in Theorems 5 and 9 for building IND-CCA secure KEMs is of more interest to us. The construction starts with an OW-CPA secure scheme, but a probabilistic one, and does not introduce any ciphertext overhead. On the other hand, it has a non-tight reduction: the security bound degrades by a factor \(q_D + q_H + q_K\) where \(q_D\) is the number of decryption oracle queries and \(q_K\) resp. \(q_{H}\) is the number of key derivation resp. hash function queries (both modelled as a random oracle).

In the spirit of a KEM-DEM construction is a second generic transform of Fujisaki and Okamoto, given in [15, 16] (see [28] for an application in the context of LWE-based public-key encryption). This yields a hybrid encryption scheme, but it is not in the true KEM-DEM paradigm (since the KEM part depends on the message \(m\)). The underlying symmetric cipher need not be an AE scheme, but can simply be a one-time pad encryption of the message and the message is used to produce the required randomness for the KEM-like part. The method of [15, 16] has two advantages over [14]: firstly a one-time pad is more space efficient than an AE scheme; secondly the public key component does not suffer from the ciphertext expansion noted above for LWE based schemes. However, these benefits come at a cost, because the associated security reduction is not tight. In particular, the security bound degrades by a factor of \(q_{H}\), the number of queries made to a hash function H, modelled as a random oracle. We note that a tight reduction can be achieved [17], either by making stronger assumptions about the underlying primitives or when the underlying primitive permits plaintext checking.

Having a tight security reduction is a very desirable property in practice-oriented cryptographic primitives. Essentially, the tightness of a reduction determines the strength of the security guarantees provided by the security proof; in concrete security terms, a tight reduction shows that an algorithm breaking the security of the scheme can be used to solve an assumed-to-be-hard problem without any significant increase in the running time or loss in success probability. A tight proof thus ensures that breaking the scheme (within the respective adversarial model) is at least as hard as breaking the alleged hard computational problem. On the other hand, a non-tight reduction can only provide much weaker guarantees, giving rise to the argument that the primitive should be instantiated with larger security parameters in order to account for the non-tightness of the proof.

This discussion and the preceding analysis of Dent’s constructions raises the natural question: is it possible to build an IND-CCA secure KEM from simpler primitives with a tight security reduction, and without introducing any ciphertext overhead beyond that of the DEM? In this paper, we provide a positive solution to this question.

To answer the question, we produce a new security analysis for Dent’s second construction (as shown in [11, Table 5]) in Sect. 3. The analysis applies to the case where the underlying OW-CPA scheme is instantiated using a specific construction based on lattices associated to polynomial rings, and which is secure under a natural variant of the Ring-LWE assumption. We name the resulting IND-CCA secure KEM as LIMA (for LattIce MAthematics), cf. Sect. 2 for details. In contrast to the generic case handled in [11], our security reduction for the specific scheme is tight. Our proof exploits some weakly homomorphic properties enjoyed by the underlying encryption scheme. Because it is based on applying Dent’s second construction to a simpler scheme, LIMA has no ciphertext overhead beyond that simpler scheme. Thus, we find that tightness can be maintained, whilst still using a generic construction which at first sight appears to be non-tight. Given the increased interest in LWE-based encryption our proof technique may be of interest in other schemes.

In concurrent and independent work, Hofheinz et al. [19] have shown that, amongst other things, Dent’s second construction can be proven to achieve IND-CCA security in a tight manner, for any starting scheme that is IND-CPA secure (rather than OW-CPA secure as in Dent’s original analysis).

We overview the construction of LIMA here. We start from standard Ring-LWE encryption going back to [24], based on a polynomial ring of dimension N, reduced with respect to a modulus q. A ciphertext consists of a Ring-LWE sample, i.e. two ring elements \(c_{0},c_{1}\), and thus has bitsize \(2\cdot N \cdot \lceil \log _{2} q \rceil \). For reference, the reader may think of \(N=1024\) and \(\lceil \log _{2} q \rceil = 17\). Assuming one bit can be encoded per polynomial coefficient, this size can be reduced to \(N \cdot \lceil \log _{2} q \rceil + \ell \cdot \lceil \log _{2} q \rceil \) for \(\ell \)-bit messages by truncating \(c_{0}\). Thus, to transport a \(\lambda \)-bit key, a minimum of \((N+\lambda ) \cdot \lceil \log _{2} q \rceil \) bits of ciphertext need to be sent.

In Table 1, we compare the tightness and ciphertext expansion of the various constructions mentioned above, as well as in this work. We let \(|\mathsf {AE}(m)|\) denote the ciphertext size of a one-time AE encryption of a message m, which is roughly \(|m|+\lambda '\) where \(\lambda '\) is the space needed for a post-quantum secure authentication code. For the [14] scheme we assume that |m| is too large to be encrypted directly under the transform, and thus the scheme needs to be used in a hybrid format.

Table 1. Ring-LWE ciphertext sizes for various IND-CCA transforms. We write \(\ell _{q}\) for \(\lceil \log _{2} q \rceil \).

Note that our security analysis, like all the prior mentioned works, is in the Random Oracle Model (ROM). To fully assess post-quantum security, one should instead analyse security in the Quantum ROM (QROM), as introduced in [5]. In this model, an adversary can make superposition queries to the Random Oracle, possibly giving it much greater power, and invalidating certain classical ROM proof techniques. One way to achieve QROM security for PKE and KEMs is to add extra hash values to ciphertexts, cf. [32] which does this in the context of the FO transform. This of course increases the ciphertext size and, currently, results in non-tight reductions. It is an important open question whether one can achieve QROM security for a Dent-like KEM construction with a tight reduction and without suffering any ciphertext overhead.

Finally, achieving IND-CCA security also requires handling decryption errors of genuine encryptions. In Ring-LWE systems a validly generated ciphertext may not decrypt correctly if the initial “error term” used to generate the ciphertext is so large that it produces a wrap-around with respect to the modulus q. There are two ways around this issue: either select q so large that the probability of this occurring is vanishingly small, i.e. \(2^{-\lambda }\), or truncate the distribution used to produce the error term. We note, though, that these two modifications are orthogonal to the refined security proof of Dent’s construction given in this work, since in Dent’s construction the decryption algorithm actually re-encrypts the ciphertext as part of its operation and so can detect whether such an issue occurs.

2 Ring-LWE Key Encapsulation

Our basic scheme is defined over a global ring \(R=\mathbb {Z}[X]/(\varPhi _m(X))\) for some cyclotomic polynomial \(\varPhi _m(X)\), and essentially follows the construction in [25]. We will let \(R_q\) denote the reduction of this ring modulo the integer q, i.e. \(R_q=\mathbb {Z}_q[X]/(\varPhi _m(X))\). We let \(N=\phi (m)\) denote the degree of this ring. On the set \(\mathbb {Z}_q\) we define the distribution \(\chi _\sigma \) which selects an integer with probability approximated by a discrete Gaussian with standard deviation \(\sigma \) centred on \(0\). The parameters \((N,q,\sigma )\) will heavily influence the security of the scheme, and so are functions of a security parameter \(\lambda \). In this paper, we assume suitable choices of the parameters can be selected for given values of \(\lambda \). As noted in the introduction, the reader may think of \(N=1024\) and \(\lceil \log _{2} q \rceil = 17\), while \(\sigma \) will be a small constant \(\approx 3.2\).

The distribution \(\chi _\sigma \) can be extended to all of \(R_q\) by generating N values from \(\chi _\sigma \) independently and then assigning these values to the coefficients of an element from \(R_q\), in which case we write \(a \leftarrow \chi _\sigma ^N\). If we wish to select an element in \(R_q\) uniformly at random we will write \(a \leftarrow R_q\). If we want to be precise about what random coins we use then we write \(a \leftarrow _r R_q\).

To aid bandwidth efficiency we sometimes truncate a ring element to a vector of integers modulo q of smaller size. Given a ring element \(a \in R_q\), representing the element

$$\begin{aligned} a = a_0 + a_1 \cdot X + \cdots + a_{N-1} \cdot X^{N-1} \end{aligned}$$

we define, for \(1 \le T \le N\),

$$\begin{aligned} \mathsf {Trunc}(a,T) = a_0 + a_1 \cdot X + \cdots + a_{T-1} \cdot X^{T-1}. \end{aligned}$$

This is encoded, for transmission and storage, as the vector of T integers

$$\begin{aligned} a_0 \Vert a_1 \ldots \Vert a_{T-1}. \end{aligned}$$

2.1 IND-CPA Secure PKE

To define our KEM we first define a basic PKE scheme which is only IND-CPA secure. We give this as a tuple of algorithms \((\mathsf {KeyGen},\mathsf {Enc} \text {-}\mathsf {CPA} ,\mathsf {Dec} \text {-}\mathsf {CPA} )\).

Key generation proceeds as follows:

1. \(a \leftarrow R_q\).
2. \(s \leftarrow \chi _\sigma ^N\).
3. \(e' \leftarrow \chi _\sigma ^N\).
4. \(b \leftarrow a \cdot s + e'\).
5. \(\mathfrak {sk}\leftarrow s\).
6. \(\mathfrak {pk}\leftarrow (a,b)\).
7. Return \((\mathfrak {pk},\mathfrak {sk})\).

The encryption mechanism takes as input the public key \(\mathfrak {pk}= (a,b)\), a message \(\mathbf {m}\in \{0,1\}^{\ell }\), and random coins r. We assume that \(\ell = |\mathbf {m}| \le N\). We map this bit string (interpreted as a bit-vector) to a ring element (with binary coefficients) via the function \(\mathsf {BV{\text {-}}2{\text {-}}RE}(\mathbf {m})\), and perform the inverse mapping via a function \(\mathsf {RE{\text {-}}2{\text {-}}BV}(\mu )\). The function \(\mathsf {BV{\text {-}}2{\text {-}}RE}\) takes a bit string of length \(\ell \) and maps it to a polynomial whose first \(\ell \) coefficients are the associated bits, and all other coefficients are zero. (Here we identify bit values with 0 and 1 \(\bmod \ q\).)

Encryption then proceeds as follows:

1. \(\mu \leftarrow \mathsf {BV{\text {-}}2{\text {-}}RE}(\mathbf {m})\).
2. \(v, e, d \leftarrow _r \chi _\sigma ^N\).
3. \(x\leftarrow d + \varDelta _q \cdot \mu \pmod {q}\). (Here, \(\varDelta _q = \lfloor q/2 \rfloor \).)
4. \(t \leftarrow b \cdot v + x\).
5. \(c_0 \leftarrow \mathsf {Trunc}(t,\ell )\).
6. \(c_1 \leftarrow a \cdot v + e\).
7. Return \(\mathbf {c}=(c_0,c_1)\).

Note that \(c_0\) is the ring element \(b \cdot v+d+\varDelta _q \cdot \mu \) truncated to \(\ell \) coefficients, thus the bit-size of a ciphertext is equal to \((N+\ell ) \cdot \lceil \log _2 q \rceil = (N+|\mathbf {m}|) \cdot \lceil \log _2 q \rceil \).

On input of a ciphertext \(\mathbf {c}=(c_0,c_1)\), and a secret key \(\mathfrak {sk}= s\) the decryption is performed as follows:

1. Define \(\ell \) to be the length of \(c_0\), i.e. the number of field elements used to represent \(c_0\).
2. \(v \leftarrow s \cdot c_1\).
3. \(t \leftarrow \mathsf {Trunc}(v,\ell )\).
4. \(f \leftarrow c_0 - t\).
5. Convert f into centered representation. That is, let \(f=(f_0,\ldots ,f_{\ell -1})\) where each \(f_i\in \mathbb {Z}_q\). For each i, if \(0\le f_i\le \frac{q-1}{2}\) then leave it unchanged. Else, if \(\frac{q}{2}< f_i\le q-1\), then set \(f_i \leftarrow f_i-q\) (over the integers).
6. \(\mu \leftarrow \left| \Bigl \lfloor \frac{2}{q} f \Bigr \rceil \right| \) (i.e., round component-wise to the nearest integer and take the absolute value; the result will be a binary vector).
7. \(\mathbf {m}\leftarrow \mathsf {RE{\text {-}}2{\text {-}}BV}(\mu )\).
8. Return \(\mathbf {m}\).

We will prove that this PKE scheme is IND-CPA secure under an LWE-style assumption in Sect. 3.

2.2 IND-CCA Secure PKE

Before proceeding to define our KEM, we explain how to use the above IND-CPA-secure PKE scheme to obtain an IND-CCA secure PKE scheme using the Fujisaki-Okamoto transform of [14]. This is for later comparison with our proposed IND-CCA secure KEM.

We take the tuple of algorithms \((\mathsf {KeyGen},\mathsf {Enc} \text {-}\mathsf {CPA} ,\mathsf {Dec} \text {-}\mathsf {CPA} )\) and produce a new tuple \((\mathsf {KeyGen} \), \(\mathsf {Enc} \text {-}\mathsf {CCA} \), \(\mathsf {Dec} \text {-}\mathsf {CCA} )\). The key generation algorithm stays the same and we do not repeat it.

The original encryption scheme \((\mathsf {KeyGen},\mathsf {Enc} \text {-}\mathsf {CPA} ,\mathsf {Dec} \text {-}\mathsf {CPA} )\) can encrypt N-bit messages, while the IND-CCA scheme encrypts messages that are \(N-\lambda \) bits in length. The encryption scheme makes use of a hash function H to produce the random coins r for the underlying IND-CPA secure scheme; we model H as a Random Oracle in the security analysis.

The encryption algorithm \(\mathsf {Enc} \text {-}\mathsf {CCA} \) proceeds as follows:

1. \(u \leftarrow \{0,1\}^{\lambda }\).
2. \(\mu \leftarrow \mathbf {m}\Vert u\).
3. \(r \leftarrow H(\mu )\).
4. \((c_0,c_1) \leftarrow \mathsf {Enc} \text {-}\mathsf {CPA} (\mu ,\mathfrak {pk},r)\).
5. Return \(\mathbf {c}=(c_0,c_1)\).

The decryption algorithm \(\mathsf {Dec} \text {-}\mathsf {CCA} \) proceeds as follows:

1. \(\mu \leftarrow \mathsf {Dec} \text {-}\mathsf {CPA} (\mathbf {c},\mathfrak {sk})\).
2. \(\mathbf {m}\Vert u \leftarrow \mu \), where u is \(\lambda \) bits long.
3. \(r \leftarrow H(\mu )\).
4. \(\mathbf {c}' \leftarrow \mathsf {Enc} \text {-}\mathsf {CPA} (\mu ,\mathfrak {pk},r)\).
5. If \(\mathbf {c}\ne \mathbf {c}'\) then return \(\perp \).
6. Return \(\mathbf {m}\).

Note for this scheme the bit-size of a ciphertext is equal to \((N+ |\mathbf {m}|+\lambda ) \cdot \lceil \log _2 q \rceil \), since we require N elements to represent \(c_1\), and \(|\mathbf {m}|+\lambda \) elements to represent \(c_0\), as the message for the underlying CPA scheme is equal to the actual message plus \(\lambda \) bits of randomness. We provide a security theorem establishing the IND-CCA security of this PKE scheme in Sect. 3. This is based on the results of [14].

2.3 LIMA: A CCA-Secure Key Encapsulation Mechanism

One could use the above encryption scheme directly as a KEM by simply using it to encrypt one-time \(\ell \le N-\lambda \) bit keys, with a resulting ciphertext size of \((N+\ell +\lambda ) \cdot \lceil \log _{2} q \rceil \) bits. However, the following scheme (which we call LIMA and which follows the generic construction methodology of [11, Table 5]), enables us to transmit a key with \(\ell \) bits of entropy using a ciphertext of bit-size \((N+ \ell ) \cdot \lceil \log _{2} q \rceil \), thus reducing by \(\lambda \cdot \lceil \log _{2} q \rceil \) the number of bits needed to represent a ciphertext. The method makes use not only of a random oracle H to produce the randomness needed for the encryption function, but also a key derivation function \(K^{(\ell ')}\) (also modelled as a random oracle) to produce the actual encapsulated key (which can be of any length \(\ell '\)). Again the scheme is presented as a tuple of algorithms \(\textsf {LIMA} ={}(\mathsf {KeyGen},\mathsf {Encap} \text {-}\mathsf {CCA} ,\mathsf {Decap} \text {-}\mathsf {CCA} )\) in which \(\mathsf {KeyGen} \) is as for the basic encryption scheme above.

The encapsulation algorithm \(\mathsf {Encap} \text {-}\mathsf {CCA} \) takes as input a public key \(\mathfrak {pk}\) and two bit lengths \(\ell \), \(\ell '\), and outputs an encapsulation \(\mathbf {c}=(c_0,c_1)\) and the key \(\mathbf {k}\in \{0,1\}^{\ell '}\) it encapsulates. The bit length \(\ell \) controls the ciphertext size and the associated entropy in the output key \(\mathbf {k}\).

1. \(x \leftarrow \{0,1\}^\ell \).
2. \(r \leftarrow H(x)\).
3. \((c_0,c_1) \leftarrow \mathsf {Enc} \text {-}\mathsf {CPA} (x,\mathfrak {pk},r)\).
4. \(\mathbf {k}\leftarrow K^{(\ell ')}(x)\).
5. Return \((\mathbf {c}=(c_0,c_1),\mathbf {k})\).

The decapsulation algorithm \(\mathsf {Decap} \text {-}\mathsf {CCA} \) takes as input a secret key \(\mathfrak {sk}\) and an encapsulation \(\mathbf {c}=(c_0,c_1)\), and outputs the key \(\mathbf {k}\) it encapsulates.

1. \(x \leftarrow \mathsf {Dec} \text {-}\mathsf {CPA} (\mathbf {c},\mathfrak {sk})\).
2. \(r \leftarrow H(x)\).
3. \(\mathbf {c}' \leftarrow \mathsf {Enc} \text {-}\mathsf {CPA} (x,\mathfrak {pk},r)\).
4. If \(\mathbf {c}\ne \mathbf {c}'\) then return \(\perp \).
5. \(\mathbf {k}\leftarrow K^{(\ell ')}(x)\).
6. Return \(\mathbf {k}\).
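As an added worked example (not code from the paper or from the LIMA authors), the following Python toy implements the Sect. 2.1 PKE over \(\mathbb {Z}_q[X]/(X^{N}+1)\) and the Sect. 2.3 encapsulation and decapsulation above, including the re-encryption check. The parameters \(N=16\), \(q=12289\), \(\sigma =3.2\), and the use of SHA-256 for H and SHAKE-256 for \(K^{(\ell ')}\) are assumptions chosen for illustration only and are far too small to be secure.

```python
import hashlib
import math
import random

# Toy parameters, assumed here for illustration only (far too small to be secure).
# R_q = Z_q[X]/(X^N + 1) is the m = 32 cyclotomic ring, so N = phi(32) = 16.
N = 16
Q = 12289
SIGMA = 3.2
DELTA = Q // 2          # Delta_q = floor(q/2)

def poly_mul(a, b):
    """Multiply two ring elements modulo X^N + 1 (negacyclic convolution)."""
    res = [0] * N
    for i, ai in enumerate(a):
        for j, bj in enumerate(b):
            k = i + j
            if k < N:
                res[k] = (res[k] + ai * bj) % Q
            else:                       # X^N = -1: wrap around with a sign flip
                res[k - N] = (res[k - N] - ai * bj) % Q
    return res

def poly_add(a, b):
    return [(x + y) % Q for x, y in zip(a, b)]

def sample_gauss(rng, sigma=SIGMA):
    """One integer from (an approximation to) the discrete Gaussian chi_sigma, by rejection."""
    tail = int(math.ceil(10 * sigma))
    while True:
        z = rng.randint(-tail, tail)
        if rng.random() < math.exp(-z * z / (2 * sigma * sigma)):
            return z

def sample_chi(rng):
    """a <- chi_sigma^N: N independent chi_sigma samples as ring coefficients."""
    return [sample_gauss(rng) % Q for _ in range(N)]

def keygen(rng):
    """KeyGen from Sect. 2.1: pk = (a, b = a*s + e'), sk = s."""
    a = [rng.randrange(Q) for _ in range(N)]        # a <- R_q
    s, e_prime = sample_chi(rng), sample_chi(rng)
    return (a, poly_add(poly_mul(a, s), e_prime)), s

def enc_cpa(m, pk, r):
    """Enc-CPA(m, pk, r): deterministic once the coins r (a byte string) are fixed."""
    a, b = pk
    rng = random.Random(r)                          # every sample below is derived from r
    ell = len(m)
    mu = list(m) + [0] * (N - ell)                  # BV-2-RE(m)
    v, e, d = sample_chi(rng), sample_chi(rng), sample_chi(rng)
    x = [(di + DELTA * mi) % Q for di, mi in zip(d, mu)]
    c0 = poly_add(poly_mul(b, v), x)[:ell]          # Trunc(b*v + x, ell)
    c1 = poly_add(poly_mul(a, v), e)
    return c0, c1

def dec_cpa(c, sk):
    """Dec-CPA(c, sk): decode the centred, scaled difference c0 - Trunc(s*c1, ell)."""
    c0, c1 = c
    t = poly_mul(sk, c1)[:len(c0)]
    bits = []
    for fi in ((x - y) % Q for x, y in zip(c0, t)):
        if fi > (Q - 1) // 2:
            fi -= Q                                  # centred representative
        bits.append(abs(int(round(2 * fi / Q))))     # |round(2f/q)| is 0 or 1
    return bits

def H(x):
    """Random oracle H giving the Enc-CPA coins (modelled here by SHA-256)."""
    return hashlib.sha256(b"LIMA-H" + bytes(x)).digest()

def K(x, ell_prime_bytes):
    """Key derivation oracle K^(ell') (modelled here by SHAKE-256)."""
    return hashlib.shake_256(b"LIMA-K" + bytes(x)).digest(ell_prime_bytes)

def encap(pk, ell, ell_prime_bytes, rng):
    """Encap-CCA from Sect. 2.3: x is the ell-bit seed, r = H(x), k = K(x)."""
    x = [rng.randrange(2) for _ in range(ell)]
    return enc_cpa(x, pk, H(x)), K(x, ell_prime_bytes)

def decap(c, sk, pk, ell_prime_bytes):
    """Decap-CCA: decrypt, re-encrypt under H(x), reject (None) unless the ciphertexts match."""
    x = dec_cpa(c, sk)
    if enc_cpa(x, pk, H(x)) != c:
        return None                                  # the paper's "return bottom"
    return K(x, ell_prime_bytes)

def ciphertext_bits(c):
    """(N + ell) * ceil(log2 q) bits, as stated in Sect. 2.3."""
    return (len(c[0]) + len(c[1])) * Q.bit_length()

def run_demo(seed=1, ell=8, ell_prime_bytes=32):
    """Round trip, plus a constructed tampered encapsulation that the re-encryption check rejects."""
    rng = random.Random(seed)
    pk, sk = keygen(rng)
    c, k = encap(pk, ell, ell_prime_bytes, rng)
    tampered = ([(c[0][0] + 1) % Q] + c[0][1:], c[1])   # constructed: first coefficient nudged
    return (decap(c, sk, pk, ell_prime_bytes) == k,
            decap(tampered, sk, pk, ell_prime_bytes) is None,
            ciphertext_bits(c))
```

Calling `run_demo()` shows the encapsulated key being recovered, a single-coefficient modification of \(c_0\) being rejected by the re-encryption check rather than yielding a related key, and the \((N+\ell )\cdot \lceil \log _{2} q \rceil \) ciphertext size.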

The IND-CCA security of this KEM is established in the next section, with a tight reduction to an LWE-style hardness assumption.

3 Security Proofs

In this section we present the hard problem on which the security of our scheme LIMA rests, survey prior security results on the Fujisaki-Okamoto transform and Dent’s construction, and finally present our tight proof of security for LIMA.

3.1 Hard Problems

We recall the definition of the Ring-LWE problem in normal form [3, 24, 26]. In the definition below we directly consider all elements in \(R_{q}\) instead of the appropriate dual and canonical spaces associated with it.

Definition 1

(Ring-LWE). Let \(\chi _\sigma \) denote the distribution defined earlier. Consider the following experiment: a challenger picks \(s \in \chi _\sigma ^N \subset R_q\) and a bit \(\beta \in \{0,1\}\). The adversary \(\mathcal {A}\) is given an oracle which on empty input returns a pair \((a,b) \in R_q^2\), where if \(\beta =0\) the two elements are chosen uniformly at random, and if \(\beta =1\) the value a is chosen uniformly at random and b is selected such that \(b=a \cdot s + e\) where \(e \in \chi _\sigma ^N \subset R_q\). At the end of the experiment the adversary outputs its guess \(\beta '\) as to the hidden bit \(\beta \). For an adversary which makes \(n_Q\) calls to its oracle and running in time t, we define

$$\begin{aligned} \mathsf {Adv}^{\mathsf {LWE}}(\mathcal {A},n_Q,t) = 2 \cdot \Big | \Pr [\beta =\beta ']-\frac{1}{2} \Big |. \end{aligned}$$

We conjecture that \(\mathsf {Adv}^{\mathsf {LWE}}(\mathcal {A},n_Q,t)\) is negligible for all adversaries.

Conjecture 1

For suitable choices of \(\sigma , N\) and q (which depend on the security parameter \(\lambda \)) we conjecture that \(\epsilon =\mathsf {Adv}^{\mathsf {LWE}}(A,n_Q,t)\) is a negligible function in the security parameter \(\lambda \). In particular, for all adversaries running in time t we have \(t/\epsilon ^{2} \ge 2^{\lambda }\).

We note that in the conjecture above we normalize the running time by success probability as \(1/\epsilon ^{2}\) — instead of the more customary \(1/\epsilon \) — because we are considering a decision problem.

3.2 Provable Security of the Basic Encryption Scheme

The IND-CPA security of our basic encryption scheme \((\mathsf {KeyGen},\mathsf {Enc} \text {-}\mathsf {CPA} ,\mathsf {Dec} \text {-}\mathsf {CPA} )\) is established in the following theorem.

Theorem 1

In the random oracle model, if the LWE problem is hard, then the scheme \((\mathsf {KeyGen}, \mathsf {Enc} \text {-}\mathsf {CPA} , \mathsf {Dec} \text {-}\mathsf {CPA} )\) is IND-CPA secure. In particular, if there is an adversary \(\mathcal {A}\) against the IND-CPA security of \((\mathsf {KeyGen}, \mathsf {Enc} \text {-}\mathsf {CPA} , \mathsf {Dec} \text {-}\mathsf {CPA} )\) in the random oracle model, then there are adversaries \(\mathcal {B}\) and \(\mathcal {D}\) such that

$$\begin{aligned} \mathsf {Adv}^{\mathsf {IND}\text {-}\mathsf {CPA}}(\mathcal {A}) \le 2 \cdot \mathsf {Adv}^{\mathsf {LWE}}(\mathcal {B},1,t) + 2 \cdot \mathsf {Adv}^{\mathsf {LWE}}(\mathcal {D},2,t). \end{aligned}$$

We provide a proof of this theorem in the full version of this work.

3.3 Provable Security of Our IND-CCA Secure PKE Scheme

Our construction of an IND-CCA secure encryption scheme uses the Fujisaki-Okamoto transform [14] applied to our basic scheme. Before we can apply this transform, we first need to establish its \(\gamma \)-uniformity.

Definition 2

(\(\gamma \)-Uniformity). Consider an IND-CPA encryption scheme given by the tuple of algorithms \((\mathsf {KeyGen} \), \(\mathsf {Enc} \text {-}\mathsf {CPA} \), \(\mathsf {Dec} \text {-}\mathsf {CPA} )\) with \(\mathsf {Enc} \text {-}\mathsf {CPA} : \mathcal {M}\times \mathcal {R}\longrightarrow \mathcal {C}\) being the encryption function mapping messages and randomness to ciphertexts. Such a scheme is said to be \(\gamma \)-uniform if for all public keys \(\mathfrak {pk}\) output by \(\mathsf {KeyGen} \), all \(m \in \mathcal {M}\) and all \(c \in \mathcal {C}\) we have \(\gamma (\mathfrak {pk},m,c)\le \gamma \), where

$$\begin{aligned} \gamma (\mathfrak {pk},m,c)=\Pr [r \in \mathcal {R}: c=\mathsf {Enc} \text {-}\mathsf {CPA} (m,\mathfrak {pk},r)]. \end{aligned}$$

The lemma below establishes that Ring-LWE-based encryption has low \(\gamma \)-uniformity.

Lemma 1

Let \((\mathsf {KeyGen},\mathsf {Enc} \text {-}\mathsf {CPA} ,\mathsf {Dec} \text {-}\mathsf {CPA} )\) with parameters \(N, \chi _{\sigma }, q\) be the basic PKE scheme described in Sect. 2.1 and let \(\sigma \) be such that \(\Pr [X = x \mid X \leftarrow _{r} \chi _\sigma ] \le 1/2\) for any \(x\). Then this scheme is \(\gamma \)-uniform with \(\gamma \le 2^{-N}\).

Proof

For simplicity, we consider the case of encryption without truncation, where we will prove a stronger bound. Our argument extends easily to the case of truncated ciphertexts. Recall that encryption can be written as

$$\begin{aligned} \mathbf {c}= (c_{0},c_{1}) = (b \cdot v + d + \varDelta _q \cdot \mu ,\ a\cdot v + e) \pmod {q}. \end{aligned}$$

Here \(\mu \) is a deterministic encoding of the message \(\mathbf {m}\). Recall also that \(v, e, d \leftarrow _r \chi _\sigma ^N\). We see that for fixed \(\mathbf {m}\), and fixed \(\mathbf {c}=(c_{0},c_{1})\), if v is also fixed, then d and e are determined (by solving a simple linear system of equations). Thus we can write (for a fixed public key) \(d=f_1(v)\) and \(e=f_2(v)\) for functions \(f_1, f_2\) that depend on \(\mathbf {m}\) and \(\mathbf {c}\). Letting \(V, E, D\) denote random variables that are distributed as \(\chi _\sigma ^N\), and letting \(\mathbf {1}_{g}\) denote an indicator function for a predicate g, it follows that

$$\begin{aligned} \gamma (\mathfrak {pk},m,c)&= \Pr [(v,e,d) \leftarrow _r (\chi _\sigma ^N)^3: \mathbf {c}=\mathsf {Enc} \text {-}\mathsf {CPA} (\mathbf {m},\mathfrak {pk},(v,e,d))] \\&= \sum _{v,e,d} \mathbf {1}_{\mathbf {c}=\mathsf {Enc} \text {-}\mathsf {CPA} (\mathbf {m},\mathfrak {pk},(v,e,d))} \cdot \Pr [(V,E,D)=(v,e,d)] \\&= \sum _{v,e,d} \mathbf {1}_{\mathbf {c}=\mathsf {Enc} \text {-}\mathsf {CPA} (\mathbf {m},\mathfrak {pk},(v,e,d))} \cdot \Pr [V=v] \cdot \Pr [E=e] \cdot \Pr [D=d] \\&\le 2^{-2N} \sum _{v,e,d} \mathbf {1}_{\mathbf {c}=\mathsf {Enc} \text {-}\mathsf {CPA} (\mathbf {m},\mathfrak {pk},(v,e,d))} \cdot \Pr [V=v] \\&= 2^{-2N} \sum _{v} \mathbf {1}_{\mathbf {c}=\mathsf {Enc} \text {-}\mathsf {CPA} (\mathbf {m},\mathfrak {pk},(v,f_2(v),f_1(v)))} \cdot \Pr [V=v] \\&\le 2^{-2N} \sum _{v} 1 \cdot \Pr [V=v] \\&= 2^{-2N}. \end{aligned}$$

Here, we first used the independence of the random variables \(V, E, D\) to simplify. Then, we used that if \(X \sim \chi _\sigma ^N\), then \(\Pr [X = x] \le 2^{-N}\) for any value x by our assumption for each coordinate and the independence of the coordinates. After that, we used the fact that if v is fixed, then e and d are determined as functions of v to simplify the sum to one over a single variable v. Finally, we used the fact that the sum over a distribution’s probabilities equals 1.    \(\square \)

Note that in our construction the condition \(\forall x, \Pr [X = x \mid X \leftarrow _{r} \chi _\sigma ] \le 1/2\) is always satisfied by picking \(\sigma > 1\). Also note that if we truncate \(c_{0}\) to \(\ell \) components then the above bound becomes \(2^{-(N+\ell )}\) by considering \(d\) truncated to \(\ell \) components directly as being sampled from \(\chi _\sigma ^{\ell }\).

Applying the main result (Theorem 3) of Fujisaki and Okamoto [14], we obtain the following:

Theorem 2

Suppose that \((\mathsf {KeyGen}, \mathsf {Enc} \text {-}\mathsf {CPA} , \mathsf {Dec} \text {-}\mathsf {CPA} )\) is \((t'\), \(\epsilon ')\) IND-CPA secure and \(\gamma \)-uniform. For any \(q_H,q_D\), the scheme \((\mathsf {KeyGen},\,\mathsf {Enc} \text {-}\mathsf {CCA} ,\,\mathsf {Dec} \text {-}\mathsf {CCA} )\), derived from (\(\mathsf {KeyGen}\), \(\mathsf {Enc} \text {-}\mathsf {CPA} \), \(\mathsf {Dec} \text {-}\mathsf {CPA} \)) as in Sect. 2.2, is \((t,\epsilon )\) IND-CCA secure for any adversary making at most \(q_H\) queries to H (modelled as a random oracle) and at most \(q_D\) queries to the decryption oracle, where

$$\begin{aligned} t&= t'-q_H \cdot (T_\mathsf {Enc} + v \cdot N), \\ \epsilon&= \epsilon ' \cdot (1-\gamma )^{-q_D}+q_H \cdot 2^{-\lambda +1}, \end{aligned}$$

where \(T_\mathsf {Enc} \) is the running time of the encryption function and v is a constant.

3.4 Provable Security of LIMA

As remarked earlier our KEM construction LIMA is obtained by applying the construction of Dent [11, Table 5]. This builds an IND-CCA secure KEM from a OW-CPA secure PKE scheme. By Theorem 1, we know that our underlying encryption scheme is IND-CPA secure. It also has large message space. It follows that it is OW-CPA secure. Directly applying the generic result [11, Theorem 5], we would obtain the following security theorem for LIMA.

Theorem 3

Suppose there is an adversary \(\mathcal {A}\) which breaks the IND-CCA security of LIMA in the random oracle model, with advantage \(\epsilon \), running in time \(t\) making at most \(q_D\) decapsulation queries, \(q_H\) queries to the random oracle implementing the PRG function and \(q_K\) queries to the random oracle implementing the KDF. Then there is an adversary \(\mathcal {B}\) breaking the OW-CPA security of the underlying encryption scheme running in time essentially \(t\), with advantage \(\epsilon '\) such that

$$\begin{aligned} \epsilon \le (q_D+q_H+q_K) \cdot \epsilon ' +\frac{q_D}{2^\ell } + \gamma \cdot q_D \end{aligned}$$

where \(\ell \) is the size of the message being encrypted in the underlying encryption scheme, i.e. the size of x in our construction.

The problem with this result is that it does not give a very tight reduction. We thus present a new tight proof of our construction, which is not generic, i.e. we make explicit use of the Ring-LWE based construction of the underlying encryption scheme.

Theorem 4

In the random oracle model, if the LWE problem is hard then LIMA is an IND-CCA secure KEM. In particular if \(\mathcal {A}\) is an adversary against the IND-CCA security of LIMA running in time \(t\), then there are adversaries \(\mathcal {B}\) and \(\mathcal {D}\) such that

$$\begin{aligned} \epsilon \le 2 \cdot \left( \epsilon ' + \epsilon '' + \frac{q_H+q_K}{2^\ell } + \gamma \cdot q_D \right) , \end{aligned}$$

where \(\epsilon =\mathsf {Adv}^{\mathsf {IND}\text {-}\mathsf {CCA}}(\mathcal {A},t)\), \(\epsilon '=\mathsf {Adv}^{\mathsf {LWE}}(\mathcal {B},1,t)\) and \(\epsilon ''= \mathsf {Adv}^{\mathsf {LWE}}(\mathcal {D},2,t)\).

Fig. 1. Game \(\mathbb {G}_0\): IND-CCA Security of our KEM

Proof

Consider the game \(\mathbb {G}_0\), defined in Fig. 1, defining IND-CCA security of our KEM construction. As this is run in the Random Oracle model we model the PRG by a random oracle H, and the KDF by a random oracle K, each of which is maintained by the challenger as a list (H-List and K-List) of pairs of input/output values. We define the advantage in the usual way in this game

$$\begin{aligned} \epsilon = \mathsf {Adv}^{\mathsf {IND}\text {-}\mathsf {CCA}}(\mathcal {A},t) =2 \cdot \Big | \Pr [\beta =\beta ' ] - \frac{1}{2} \Big | =2 \cdot \Big | \Pr [ \mathcal {A} \text{ wins } \text{ game } \mathbb {G}_0] - \frac{1}{2} \Big |. \end{aligned}$$

We now make a game hop as follows. We replace the real decapsulation algorithm used in Game \(\mathbb {G}_0\) with one which operates as in Fig. 2. Note that as written the oracle takes time \(O(q_H)\) to execute. However, by also storing the associated \((c_0',c_1')\) in the H-List, we can obtain a logarithmic cost to evaluate the oracle. The game with this new decapsulation oracle is called \(\mathbb {G}_1\). Clearly \(\mathbb {G}_0\) and \(\mathbb {G}_1\) are identical except when the adversary submits an encapsulation to the decapsulation oracle for which it has not queried the random oracle H on the underlying message x.

Fig. 2. Decapsulation oracle in Game \(\mathbb {G}_1\)

Let E denote the event that decapsulation of a ciphertext in Game \(\mathbb {G}_0\) is correctly handled, but it is not correctly handled in Game \(\mathbb {G}_1\). We have

$$\begin{aligned} \Pr [\mathcal {A} \text{ wins } \text{ game } \mathbb {G}_0]&= \Pr [\mathcal {A} \text{ wins } \text{ game } \mathbb {G}_0 | E] \cdot \Pr [E] \\&\qquad + \Pr [\mathcal {A} \text{ wins } \text{ game } \mathbb {G}_0 | \lnot E] \cdot \Pr [\lnot E] \\&\le \Pr [E]+\Pr [\mathcal {A} \text{ wins } \text{ game } \mathbb {G}_0 | \lnot E] \\&\le \gamma \cdot q_D +\Pr [\mathcal {A} \text{ wins } \text{ game } \mathbb {G}_1]. \end{aligned}$$

Here we apply a union bound across each of the \(q_D\) decapsulation queries and use the fact that, for each decapsulation query, the probability of event E is bounded by \(\gamma \), relating to the uniformity of the encryption scheme. This is because E occurs only if the value of x underlying the query \(\mathbf {c}\) has not been queried to H, in which case the random value used to encrypt x is still uniformly random from the adversary’s perspective; hence the probability that x actually encapsulates to \(\mathbf {c}\) is bounded by \(\gamma \).
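The game hop from \(\mathbb {G}_0\) to \(\mathbb {G}_1\) is easiest to see by running both decapsulation oracles side by side. The following is an added illustration, not code from the paper or from the LIMA implementation: it replaces the Ring-LWE scheme with a constructed hashed-ElGamal toy (the parameters `P`, `G`, `ELL` and all function names are assumptions made here), derives the encryption randomness from H(x) as the Dent construction does, and compares the real oracle (decrypt, re-encrypt under H(x), compare) with the simulated one that only searches the H-List for a stored \((c_0',c_1')\) equal to the query.

```python
import hashlib
import secrets

# Constructed toy parameters: a hashed-ElGamal stand-in for the paper's
# Ring-LWE PKE, chosen only so that the re-encryption check is cheap to run.
# Neither the group nor the sizes are the LIMA parameters.
P = 2**61 - 1          # prime modulus
G = 3                  # fixed base element
ELL = 16               # byte length of the encapsulated message x

def _mask(shared: int) -> bytes:
    """Derive an ELL-byte pad from a group element (toy KDF)."""
    return hashlib.sha256(b"mask" + shared.to_bytes(8, "big")).digest()[:ELL]

def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(u ^ v for u, v in zip(a, b))

def keygen():
    sk = secrets.randbelow(P - 2) + 1
    return sk, pow(G, sk, P)

def enc(pk, x, r):
    """Encrypt x under pk with explicit randomness r (deterministic given r)."""
    return pow(G, r, P), _xor(x, _mask(pow(pk, r, P)))

def dec(sk, c):
    c0, c1 = c
    return _xor(c1, _mask(pow(c0, sk, P)))

class RandomOracles:
    """H (the PRG) and K (the KDF) as lazily sampled random oracles.
    As in the proof, every H-List entry also records the ciphertext
    (c0', c1') that x encrypts to under H(x), so the simulated
    decapsulation can recover x from the ciphertext alone."""
    def __init__(self, pk):
        self.pk = pk
        self.h_list = {}   # x -> (r, (c0', c1'))
        self.k_list = {}   # x -> key
    def H(self, x):
        if x not in self.h_list:
            r = secrets.randbelow(P - 2) + 1
            self.h_list[x] = (r, enc(self.pk, x, r))
        return self.h_list[x][0]
    def K(self, x):
        if x not in self.k_list:
            self.k_list[x] = secrets.token_bytes(32)
        return self.k_list[x]

def encaps(ro):
    x = secrets.token_bytes(ELL)
    return enc(ro.pk, x, ro.H(x)), ro.K(x)

def decaps_g0(sk, ro, c):
    """Real decapsulation (Game G0): decrypt, re-encrypt with H(x), compare."""
    x = dec(sk, c)
    if enc(ro.pk, x, ro.H(x)) != c:
        return None               # reject
    return ro.K(x)

def decaps_g1(ro, c):
    """Simulated decapsulation (Game G1): no secret key, only the H-List."""
    for x, (_, c_stored) in ro.h_list.items():
        if c_stored == c:
            return ro.K(x)
    return None

def disagreements(trials=50):
    """Count queries on which the two oracles answer differently.
    Even trials are honest encapsulations (x was queried to H); odd trials
    use fresh randomness not obtained from H, the only case in which
    event E could occur."""
    sk, pk = keygen()
    ro = RandomOracles(pk)
    bad = 0
    for i in range(trials):
        if i % 2 == 0:
            c, _ = encaps(ro)
        else:
            c = enc(pk, secrets.token_bytes(ELL), secrets.randbelow(P - 2) + 1)
        # Ask the simulator first: the real oracle's own H evaluation
        # must not leak into the H-List the simulator searches.
        answer_g1 = decaps_g1(ro, c)
        answer_g0 = decaps_g0(sk, ro, c)
        if answer_g0 != answer_g1:
            bad += 1
    return bad
```

`disagreements()` returns 0 except when event E occurs: the real oracle accepts a ciphertext the simulator rejects only if the adversary produced it with exactly the randomness H(x) without ever querying H on x. In this toy that means guessing r, so the per-query probability is about \(1/(P-2)\), which plays the role of \(\gamma \) in the union bound above.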

We now make a game hop to the game in which instead of picking \(b=a\cdot s+e'\) we select \(b \in R_q\) uniformly at random. We call this game \(\mathbb {G}_2\) and define it in Fig. 3. It is then clear that if the adversary can distinguish playing \(\mathbb {G}_1\) from \(\mathbb {G}_2\) then it can solve the LWE problem. Thus we have, for some adversary \(\mathcal {B}\),

$$\begin{aligned} \epsilon '= \mathsf {Adv}^{\mathsf {LWE}}(\mathcal {B},1,t) = \Big | \Pr [ \mathcal {A} \text{ wins } \text{ game } \mathbb {G}_1 ] - \Pr [ \mathcal {A} \text{ wins } \text{ game } \mathbb {G}_2 ] \Big | . \end{aligned}$$

Fig. 3. Game \(\mathbb {G}_2\)

At this point in the proof of IND-CPA security for the basic PKE scheme we made a game hop to a game in which \(a'\) and \(b'\) are chosen uniformly at random, and then remarked that if the adversary can spot this hop then we can turn the adversary into an algorithm which attacks the LWE problem with two samples. The same direct approach cannot be used here, as the input to the random oracle H depends on the message. Thus an adversary could distinguish which game it is in, if it was able to recover the message x in some way.

Instead of performing a game hop at this point we construct an adversary \(\mathcal {D}\), given in Fig. 4, which uses the adversary \(\mathcal {A}\) in game \(\mathbb {G}_2\) to solve the same LWE problem. The algorithm \(\mathcal {D}\) is given as input (obtained via two calls to the LWE oracle) a tuple \((a,b,a',b')\), where \(a, b\) are chosen uniformly at random in \(R_q\), and is asked to distinguish whether \((a',b')\) are also selected uniformly at random or whether \(a'=a \cdot v+e\) and \(b'=b\cdot v+d\) for some values \(v, e, d \in \chi _\sigma \).

Fig. 4. Adversary \(\mathcal {D}\) breaking LWE

First note that the encapsulation which is passed to \(\mathcal {A}\) by \(\mathcal {D}\) is not a valid encapsulation of any key, irrespective of what \(\mathcal {D}\)’s input is. This is because, even if \(\mathcal {D}\)’s input was a pair of LWE samples, the randomness used to produce the samples did not come from applying H to the encoded message x.

Let F denote the event that the adversary \(\mathcal {A}\) queries the random oracle H on the value x, and let G denote the event that \(\mathcal {A}\) queries the random oracle K on x. If neither F nor G occurs then \(\mathcal {A}\) has no advantage in winning Game \(\mathbb {G}_2\), so we have

$$\begin{aligned} \Pr [\mathcal {A} \text{ wins } \text{ game } \mathbb {G}_2] &= \Pr [ \mathcal {A} \text{ wins } \text{ game } \mathbb {G}_2 | F \vee G] \cdot \Pr [F \vee G \text{ in } \text{ game } \mathbb {G}_2] \\&\quad + \Pr [ \mathcal {A} \text{ wins } \text{ game } \mathbb {G}_2 | \lnot (F \vee G)] \cdot \Pr [\lnot (F \vee G) \text{ in } \text{ game } \mathbb {G}_2] \\&\le \Pr [F \vee G \text{ in } \text{ game } \mathbb {G}_2] \\&\quad + \Pr [ \mathcal {A} \text{ wins } \text{ game } \mathbb {G}_2 | \lnot F \wedge \lnot G \text{ in } \text{ game } \mathbb {G}_2] \\&= \Pr [F \vee G \text{ in } \text{ game } \mathbb {G}_2] + \frac{1}{2}. \end{aligned}$$
(2)

We examine the behaviour of \(\mathcal {D}\) when it is given the two different inputs.

  • If the input to \(\mathcal {D}\) is a uniformly random tuple then the target encapsulation \((c_0^*,c_1^*)\) contains no information about x. Thus the probability that F or G happens is essentially \((q_H+q_K) \cdot 2^{-\ell }\), where \(q_H\) is the number of queries to H made by \(\mathcal {A}\) and \(q_K\) is the number of queries made to K. So we have

    $$\begin{aligned} \Pr [\mathcal {D} \text{ wins } \text{ its } \text{ game } | \text{ Input } \text{ is } \text{ random }] = \left( 1 - \frac{q_H+q_K}{2^\ell }\right) . \end{aligned}$$
  • If the input to \(\mathcal {D}\) is a pair of LWE samples then \(\mathcal {A}\) is running in a perfect simulation of the game \(\mathbb {G}_2\), until (and if) event F or G happens. If F or G happens then \(\mathcal {D}\) wins its game, otherwise \(\mathcal {D}\) loses its game. So we have

    $$\begin{aligned} \Pr [\mathcal {D} \text{ wins } \text{ its } \text{ game } | \text{ Input } \text{ is } \text{ an } \text{ LWE } \text{ sample }] = \Pr [F \vee G \text{ in } \text{ game } \mathbb {G}_2]. \end{aligned}$$

Putting this all together we have

$$\begin{aligned} \Pr [\mathcal {D} \text{ wins } \text{ its } \text{ game }] &= \Pr [\mathcal {D} \text{ wins } \text{ its } \text{ game } | \text{ Input } \text{ is } \text{ random }] \cdot \Pr [\text{ Input } \text{ is } \text{ random }] \\&\quad + \Pr [\mathcal {D} \text{ wins } \text{ its } \text{ game } | \text{ Input } \text{ is } \text{ LWE } \text{ sample }] \\&\qquad \qquad \cdot \Pr [ \text{ Input } \text{ is } \text{ LWE } \text{ sample }] \\&= \left( 1 - \frac{q_H+q_K}{2^\ell }\right) \cdot \frac{1}{2} + \Pr [F \vee G \text{ in } \text{ game } \mathbb {G}_2] \cdot \frac{1}{2}. \end{aligned}$$

Now, combining this with Eq. 2 we obtain

$$\begin{aligned} \Pr [\mathcal {A} \text{ wins } \text{ game } \mathbb {G}_2]&\le \Pr [F \vee G \text{ in } \text{ game } \mathbb {G}_2] + \frac{1}{2} \\&= 2 \cdot \Pr [\mathcal {D} \text{ wins } \text{ its } \text{ game }] - \left( 1 - \frac{q_H+q_K}{2^\ell }\right) + \frac{1}{2}. \end{aligned}$$

Thus we have a bound on the total advantage of \(\mathcal {A}\) in game \(\mathbb {G}_0\) of

$$\begin{aligned} \epsilon&\le 2 \cdot \Big | \Pr [\mathcal {A} \text{ wins } \text{ game } \mathbb {G}_0] - \frac{1}{2} \Big | \\&\le 2 \cdot \Big | \gamma \cdot q_D +\Pr [\mathcal {A} \text{ wins } \text{ game } \mathbb {G}_1] -\frac{1}{2} \Big | \\&= 2\cdot \Big | \gamma \cdot q_D +\Pr [\mathcal {A} \text{ wins } \text{ game } \mathbb {G}_1] \\&\qquad \qquad -\Pr [\mathcal {A} \text{ wins } \text{ game } \mathbb {G}_2] +\Pr [\mathcal {A} \text{ wins } \text{ game } \mathbb {G}_2] -\frac{1}{2}\Big | \\&\le 2 \cdot \gamma \cdot q_D + 2\cdot \epsilon ' + 2\cdot \Big | \Pr [\mathcal {A} \text{ wins } \text{ game } \mathbb {G}_2] -\frac{1}{2} \Big | \\&\le 2 \cdot \gamma \cdot q_D + 2\cdot \epsilon ' + 2\cdot \Big | 2 \cdot \Pr [\mathcal {D} \text{ wins } \text{ its } \text{ game }] - 1 + \frac{q_H+q_K}{2^\ell } \Big | \\&\le 2 \cdot \gamma \cdot q_D + 2\cdot \epsilon ' + 4\cdot \Big | \Pr [\mathcal {D} \text{ wins } \text{ its } \text{ game }] - \frac{1}{2} \Big | + 2 \cdot \frac{q_H+q_K}{2^\ell } \\&\le 2 \cdot \gamma \cdot q_D + 2\cdot \epsilon ' + 2 \cdot \epsilon '' + 2 \cdot \frac{q_H+q_K}{2^\ell }. \end{aligned}$$

This completes the proof of Theorem 4.