Designs, Codes and Cryptography

Volume 87, Issue 12, pp 2847–2884

Practical \(\mathsf {MP} \text{- }\mathsf {LWE} \)-based encryption balancing security-risk versus efficiency

  • Ron Steinfeld (corresponding author)
  • Amin Sakzad
  • Raymond K. Zhao


Middle-product learning with errors (\(\mathsf {MP} \text{- }\mathsf {LWE} \)) is a variant of the \(\mathsf {LWE}\) problem introduced at CRYPTO 2017 by Rosca et al. (Advances in cryptology—CRYPTO, Springer, Berlin, 2017). Asymptotically, the theoretical results of Rosca et al. (2017) suggest that \(\mathsf {MP} \text{- }\mathsf {LWE} \) gives lattice-based public-key cryptosystems offering a ‘security-risk vs. efficiency’ trade-off: higher performance than cryptosystems based on unstructured lattices (\(\mathsf {LWE}\) problem) and lower risk than cryptosystems based on structured lattices (Polynomial/Ring \(\mathsf {LWE}\) problem). However, although promising in theory, Rosca et al. (2017) left the practical implications of \(\mathsf {MP} \text{- }\mathsf {LWE} \) for lattice-based cryptography unclear. In this paper, we show how to build practical public-key cryptosystems with strong security guarantees based on \(\mathsf {MP} \text{- }\mathsf {LWE} \). On the implementation side, we present optimised fast algorithms for computing the middle-product operation over polynomial rings \({\mathbb {Z}}_q[x]\), the dominant computation for \(\mathsf {MP} \text{- }\mathsf {LWE} \)-based cryptosystems. On the security side, we show how to obtain a nearly tight security proof for \(\mathsf {MP} \text{- }\mathsf {LWE} \) from the hardest Polynomial LWE problem over a large family of rings, improving on the loose reduction of Rosca et al. (2017). We also show and analyse an optimised cryptanalysis of \(\mathsf {MP} \text{- }\mathsf {LWE} \) that narrows the complexity gap between the best known attacks on \(\mathsf {MP} \text{- }\mathsf {LWE} \) and Polynomial \(\mathsf {LWE}\).
To evaluate the practicality of \(\mathsf {MP} \text{- }\mathsf {LWE} \), we apply our results to construct, implement and optimise parameters for a practical \(\mathsf {MP} \text{- }\mathsf {LWE} \)-based public-key cryptosystem, \(\mathsf {Titanium} \), and compare its benchmarks to other lattice-based systems. Our results show that \(\mathsf {MP} \text{- }\mathsf {LWE} \) offers a new ‘security-risk vs. efficiency’ trade-off in lattice-based cryptography in practice, not only asymptotically in theory.
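The abstract names the middle product over \({\mathbb {Z}}_q[x]\) as the dominant computation in an \(\mathsf {MP} \text{- }\mathsf {LWE} \) cryptosystem. The following Python code is an added illustration, not the paper's optimised algorithm and not the Titanium implementation: it computes \(\mathsf {MP}_d(a,b) = \lfloor (a\cdot b \bmod x^{k+d}) / x^k \rfloor\) with \(d_a + d_b - 1 = d + 2k\) (the definition of Roşca et al., CRYPTO 2017) straight from a schoolbook product, cross-checks it against a coefficient-wise formula, and forms one MP-LWE sample \(b = a \odot_d s + e\). The parameter values in `demo` (`n`, `d`, `q`, the error range) are constructed for the example and are not the paper's parameters.

```python
"""Middle product over Z_q[x] and an MP-LWE sample, following the
definition in Rosca et al. (CRYPTO 2017).  Added illustration: this is
NOT the paper's fast algorithm and NOT the Titanium code."""
import random

# Polynomials are coefficient lists, lowest degree first, entries in [0, q).


def poly_mul(a, b, q):
    """Schoolbook product a*b mod q (degree-bounded, no reduction mod x^N)."""
    c = [0] * (len(a) + len(b) - 1)
    for i, ai in enumerate(a):
        for j, bj in enumerate(b):
            c[i + j] = (c[i + j] + ai * bj) % q
    return c


def _middle_k(da, db, d):
    """Return k with d_a + d_b - 1 = d + 2k, or raise if no such k >= 0 exists."""
    total = da + db - 1
    if total < d or (total - d) % 2:
        raise ValueError("need d_a + d_b - 1 = d + 2k for an integer k >= 0")
    return (total - d) // 2


def middle_product(a, b, d, q):
    """MP_d(a, b): drop the k lowest and k highest coefficients of a*b,
    i.e. floor((a*b mod x^(k+d)) / x^k)."""
    k = _middle_k(len(a), len(b), d)
    return poly_mul(a, b, q)[k:k + d]


def middle_product_direct(a, b, d, q):
    """Same operation computed coefficient-wise: coefficient i of MP_d(a, b)
    is sum_j a_j * b_{k+i-j}.  Used here only as an independent cross-check."""
    k = _middle_k(len(a), len(b), d)
    out = []
    for i in range(d):
        acc = 0
        for j, aj in enumerate(a):
            t = k + i - j
            if 0 <= t < len(b):
                acc += aj * b[t]
        out.append(acc % q)
    return out


def mp_lwe_sample(a, s, e, d, q):
    """One MP-LWE sample b = a (.)_d s + e mod q.
    In MP-LWE, a has n coefficients, s has n + d - 1 and e has d, so k = n - 1."""
    mp = middle_product(a, s, d, q)
    return [(x + y) % q for x, y in zip(mp, e)]


def demo(n=8, d=4, q=257, seed=1):
    """Constructed toy instance (assumed parameters, not the paper's):
    checks that both middle-product routines agree, that the sample's error
    is recoverable given s, and that k = n - 1 for the MP-LWE shape."""
    rng = random.Random(seed)
    a = [rng.randrange(q) for _ in range(n)]
    s = [rng.randrange(q) for _ in range(n + d - 1)]
    e = [rng.randint(-2, 2) % q for _ in range(d)]     # small, centred error
    b = mp_lwe_sample(a, s, e, d, q)
    mp1 = middle_product(a, s, d, q)
    mp2 = middle_product_direct(a, s, d, q)
    recovered = [(x - y) % q for x, y in zip(b, mp1)]
    return mp1 == mp2 and recovered == e and _middle_k(n, n + d - 1, d) == n - 1


if __name__ == "__main__":
    # Hand-checkable case: a=1+2x+3x^2, b=4+5x+...+8x^4, d=3 -> k=2, MP = [28,34,40] mod 17.
    print(middle_product([1, 2, 3], [4, 5, 6, 7, 8], 3, 17))
    print("demo consistent:", demo())
```

The schoolbook version above costs \(O(d_a d_b)\) coefficient multiplications; the point of the paper's contribution is that the same output can be obtained much faster (the middle-product algorithms of Hanrot, Quercia and Zimmermann and NTT-based methods), which is what makes the scheme practical. The `_middle_k` check matters in practice: if the degree bounds of `a` and `s` do not satisfy \(d_a + d_b - 1 = d + 2k\), the operation is simply undefined, and a silent slice would return the wrong coefficients.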


Keywords

  • Middle-product learning with errors (\(\mathsf {MP} \text{- }\mathsf {LWE} \))
  • Lattice-based cryptography
  • Quantum-resistant cryptography
  • Public-key encryption
  • KEM
  • Cryptography implementation

Mathematics Subject Classification




Funding was provided by Australian Research Council (Grant No. DP150100285).


  1. Albrecht M.R., Amit D.: Large modulus Ring-LWE \(\ge \) Module-LWE. In: Advances in Cryptology—ASIACRYPT 2017, pp. 267–296 (2017).
  2. Albrecht M.R., Fitzpatrick R., Göpfert F.: On the efficacy of solving LWE by reduction to unique-SVP. In: Information Security and Cryptology—ICISC 2013—16th International Conference, Seoul, Korea, 27–29 November, 2013, Revised Selected Papers, pp. 293–310 (2013).
  3. Alkim E., Ducas L., Pöppelmann T., Schwabe P.: Post-quantum key exchange—a new hope. In: 25th USENIX Security Symposium, USENIX Security 16, Austin, TX, USA, 10–12 August 2016, pp. 327–343 (2016).
  4. Alkim E., Bos J.W., Ducas L., Longa P., Mironov I., Naehrig M., Nikolaenko V., Peikert C., Raghunathan A., Stebila D., Easterbrook K., LaMacchia B.: FrodoKEM learning with errors key encapsulation (2017).
  5. Bernstein D.J., Chuengsatiansup C., Lange T., van Vredendaal C.: NTRU Prime. Cryptology ePrint Archive (2016).
  6. Bos J.W., Costello C., Ducas L., Mironov I., Naehrig M., Nikolaenko V., Raghunathan A., Stebila D.: Frodo: take off the ring! Practical, quantum-secure key exchange from LWE. In: Proceedings of the 2016 ACM SIGSAC Conference on Computer and Communications Security, Vienna, Austria, 24–28 Oct 2016, pp. 1006–1018 (2016).
  7. Bos J.W., Ducas L., Kiltz E., Lepoint T., Lyubashevsky V., Schanck J.M., Schwabe P., Stehlé D.: CRYSTALS—Kyber: a CCA-secure module-lattice-based KEM. IACR Cryptology ePrint Archive 2017, 634 (2017).
  8. Boucheron S., Lugosi G., Massart P.: Concentration Inequalities: A Nonasymptotic Theory of Independence. Oxford University Press, Oxford (2013).
  9. Brakerski Z., Vaikuntanathan V.: Efficient fully homomorphic encryption from (standard) LWE. Proceedings of FOCS, pp. 97–106. IEEE Computer Society Press, Washington, DC (2011).
  10. Castryck W., Iliashenko I., Vercauteren F.: Provably weak instances of Ring-LWE revisited. Proceedings of EUROCRYPT, pp. 147–167. Springer, Berlin (2016).
  11. Cramer R., Ducas L., Wesolowski B.: Short Stickelberger class relations and application to Ideal-SVP. Cryptology ePrint Archive (2016).
  12. Cramer R., Ducas L., Peikert C., Regev O.: Recovering short generators of principal ideals in cyclotomic rings. Proceedings of EUROCRYPT. Springer, Berlin (2016).
  13. D’Anvers J.-P., Karmakar A., Roy S.S., Vercauteren F.: SABER: Mod-LWR based KEM (2017).
  14. Dodis Y., Ostrovsky R., Reyzin L., Smith A.D.: Fuzzy extractors: how to generate strong keys from biometrics and other noisy data. SIAM J. Comput. 38(1), 97–139 (2008).
  15. Eisenträger K., Hallgren S., Lauter K.: Weak instances of PLWE. Proceedings of SAC. Springer, Berlin (2014).
  16. Elias Y., Lauter K.E., Ozman E., Stange K.E.: Provably weak instances of Ring-LWE. Proceedings of CRYPTO. Springer, Berlin (2015).
  17. Fujisaki E., Okamoto T.: Secure integration of asymmetric and symmetric encryption schemes. In: Advances in Cryptology—CRYPTO’99, 19th Annual International Cryptology Conference, Santa Barbara, CA, USA, 15–19 August, 1999, pp. 537–554 (1999).
  18. Hanrot G., Quercia M., Zimmermann P.: The middle product algorithm I. Appl. Algebra Eng. Commun. Comput. 14(6), 415–438 (2004).
  19. Harvey D.: Faster arithmetic for number-theoretic transforms. J. Symb. Comput. 60, 113–119 (2014).
  20. Hofheinz D., Hövelmanns K., Kiltz E.: A modular analysis of the Fujisaki–Okamoto transformation. Cryptology ePrint Archive, Report 2017/604 (2017).
  21. Kannan R.: Minkowski’s convex body theorem and integer programming. Math. Oper. Res. 12(3), 415–440 (1987).
  22. Laarhoven T., Mosca M., van de Pol J.: Finding shortest lattice vectors faster using quantum search. Des. Codes Cryptogr. 77(2), 375–400 (2015).
  23. Langlois A., Stehlé D.: Worst-case to average-case reductions for module lattices. Des. Codes Cryptogr. 75(3), 565–599 (2015).
  24. Lyubashevsky V.: Digital signatures based on the hardness of ideal lattice problems in all rings. Proceedings of ASIACRYPT, pp. 196–214. Springer, Berlin (2016).
  25. Lyubashevsky V., Micciancio D.: Generalized compact knapsacks are collision resistant. Proceedings of ICALP, pp. 144–155. Springer, Berlin (2006).
  26. Lyubashevsky V., Peikert C., Regev O.: On ideal lattices and learning with errors over rings. Proceedings of EUROCRYPT. LNCS, pp. 1–23. Springer, Berlin (2010).
  27.
  28. NIST: SHA-3 standard: Permutation-based hash and extendable-output functions. Accessed 29 Sept 2017.
  29. Peikert C.: Lattice cryptography for the internet. In: Post-Quantum Cryptography—6th International Workshop, PQCrypto 2014, Waterloo, ON, Canada, Oct 1–3, 2014, pp. 197–219 (2014).
  30. Peikert C.: How not to instantiate Ring-LWE. Proceedings of SCN. LNCS, vol. 9841, pp. 411–430. Springer, Berlin (2016).
  31. Regev O.: On lattices, learning with errors, random linear codes, and cryptography. In: Proceedings of STOC, pp. 84–93 (2005).
  32. Regev O.: On lattices, learning with errors, random linear codes, and cryptography. JACM 56, 34 (2009).
  33. Roşca M., Sakzad A., Stehlé D., Steinfeld R.: Middle-product learning with errors. Advances in Cryptology—CRYPTO 2017, pp. 283–297. Springer, Berlin (2017).
  34. Rosca M., Stehlé D., Wallet A.: On the Ring-LWE and Polynomial-LWE problems. Advances in Cryptology—EUROCRYPT 2018, pp. 146–173. Springer, Berlin (2018).
  35. Schnorr C.P.: Lattice Reduction by Random Sampling and Birthday Methods, pp. 145–156. Springer, Berlin (2003).
  36. Seiler G.: Faster AVX2 optimized NTT multiplication for Ring-LWE lattice cryptography (2018).
  37. Sorensen H.V., Burrus C.S.: Efficient computation of the DFT with only a subset of input or output points. IEEE Trans. Signal Process. 41(3), 1184–1200 (1993).
  38. Stehlé D., Steinfeld R., Tanaka K., Xagawa K.: Efficient public key encryption based on ideal lattices. Proceedings of ASIACRYPT, pp. 617–635. Springer, Berlin (2009).
  39. Steinfeld R., Sakzad A., Zhao R.K.: Titanium: post-quantum public-key encryption and KEM algorithms. Accessed 1 May 2018.
  40. Steinfeld R., Sakzad A., Zhao R.K.: Titanium: post-quantum public-key encryption and KEM algorithms. NIST PQC Standardisation Process submission. Accessed 1 May 2018.

Copyright information

© Springer Science+Business Media, LLC, part of Springer Nature 2019

Authors and Affiliations

  1. Faculty of Information Technology, Monash University, Clayton, Australia
