EMBLEM: (R)LWE-based key encapsulation with a new multi-bit encoding method

Abstract

Lattice-based cryptography is a promising candidate for post-quantum cryptosystems, and a large amount of research has been conducted on learning with errors (LWE) problems, which are believed to be resistant against quantum attacks. In this paper, we propose two new key encapsulation mechanisms (KEMs), called EMBLEM and R.EMBLEM, based on (ring) LWE problems. The new KEMs have two main features: (1) Their security is based on the (ring) LWE problem with small secrets, which leads to both a secret key of constant size (regardless of the LWE parameters) and a relatively large standard deviation of the discrete Gaussian distributions. (2) They rely on a new multi-bit encoding method that is suitable for (ring) LWE-based encryption schemes. Compared to Regev’s encoding method, the proposed method does not require any rounding operation for decoding, and in this sense, it is conceptually simpler and easier to understand. Concrete parameters of the KEMs targeting 128-bit security level (against classical attacks) are provided, and their performance is compared with that of previous (ring) LWE-based KEMs in the literature.

This is a preview of subscription content, log in to check access.

Fig. 1
Fig. 2
Fig. 3
Fig. 4

Notes

  1. 1.

    The standard deviation \(\rho \) of \({{\mathscr {G}}}{{\mathscr {D}}}_{s}\) is then \(\rho =s/\sqrt{2 \pi }\).

  2. 2.

    The secret matrix \(\mathbf{X }\) can be generated using a PRF and a short key \(seed_{\mathbf{X }}\), so that a user need only store \(seed_{\mathbf{X }}\) instead of the entire matrix \(\mathbf{X }\). Similarly, the matrix \(\mathbf{A }\) in the public key can also be derived from a seed by using PRF. In [17], AES128-ECB was used as a PRF with a 256-bit seed.

  3. 3.

    As in EMBLEM.CPA, the coefficients of x can be generated using PRF, and thus, it is possible to store only a seed.

  4. 4.

    https://bitbucket.org/malb/lwe-estimator

  5. 5.

    https://github.com/Microsoft/PQCrypto-LWEKE

  6. 6.

    https://www2.nict.go.jp/security/lotus/impl.html

  7. 7.

    https://newhopecrypto.org/software.shtml

  8. 8.

    https://github.com/pq-crystals/kyber

References

  1. 1.

    Ajtai, M.: Generating hard instances of lattice problems. In: Proceedings of the Twenty-Eighth Annual ACM Symposium on Theory of Computing, pp. 99–108. ACM (1996)

  2. 2.

    Albrecht, M.R.: On dual lattice attacks against small-secret lwe and parameter choices in helib and seal. In: Annual International Conference on the Theory and Applications of Cryptographic Techniques, pp. 103–129. Springer (2017)

  3. 3.

    Albrecht, M.R., Curtis, B.R., Deo, A., Davidson, A., Player, R., Postlethwaite, E.W., Virdia, F., Wunderer, T.: Estimate all the LWE, NTRU schemes!. Secur. Cryptogr. Netw. SCN 2018, 351–367 (2018)

    MathSciNet  Article  Google Scholar 

  4. 4.

    Albrecht, M.R., Orsini, E., Paterson, K.G., Peer, G., Smart, N.P.: Tightly secure ring-lwe based key encapsulation with short ciphertexts. In: Computer Security-ESORICS 2017, Part I, pp. 29–46. Springer (2017)

  5. 5.

    Albrecht, M.R., Player, R., Scott, S.: On the concrete hardness of learning with errors. J. Math. Cryptol. 9(3), 169–203 (2015)

    MathSciNet  Article  Google Scholar 

  6. 6.

    Alkim, E., Avanzi, R., Bos, J., Ducas, L., Piedra, A., Pöppelmann, T., Schwabe, P., Stebila, D.: Newhope–algorithm specifications and supporting documentation (2017). URL https://newhopecrypto.org/data/NewHope_2017_12_21.pdf. Accessed 01 Nov 2018

  7. 7.

    Alkim, E., Bos, J., Ducas, L., Longa, P., Mironov, I., Naehrig, M., Nikolaenko, V., Peikert, C., Raghunathan, A., Stebila, D., Easterbrook, K., LaMacchia, B.: Frodokem–learning with errors key encapsulation (2017). URL https://frodokem.org/files/FrodoKEM-specification-20171130.pdf. Accessed 01 Nov 2018

  8. 8.

    Alkim, E., Ducas, L., Pöppelmann, T., Schwabe, P.: Post-quantum key exchange-a new hope. In: USENIX Security Symposium, pp. 327–343 (2016)

  9. 9.

    Alwen, J., Krenn, S., Pietrzak, K., Wichs, D.: Learning with rounding, revisited. In: Advances in Cryptology–CRYPTO 2013, pp. 57–74. Springer (2013)

  10. 10.

    Baan, H., Bhattacharya, S., Fluhrer, S., Garcia-Morchon, O., Laarhoven, T., Rietman, R., Saarinen, M.J.O., Tolhuizen, L., Zhang, Z.: Round5: Compact and fast post-quantum public-key encryption. Cryptology ePrint Archive, Report 2019/090 (2019). https://eprint.iacr.org/2019/090. Accessed 01 Apr 2019

  11. 11.

    Bai, S., Galbraith, S.D.: Lattice decoding attacks on binary lwe. In: Australasian Conference on Information Security and Privacy, pp. 322–337. Springer (2014)

  12. 12.

    Banaszczyk, W.: Inequalities for convex bodies and polar reciprocal lattices in r n. Discrete Comput. Geom. 13(1), 217–231 (1995)

    MathSciNet  Article  Google Scholar 

  13. 13.

    Banerjee, A., Peikert, C., Rosen, A.: Pseudorandom functions and lattices. Adv. Cryptol. EUROCRYPT 2012, 719–737 (2012)

    MathSciNet  MATH  Google Scholar 

  14. 14.

    Bhattacharya, S., Garcia-Morchon, O., Laarhoven, T., Rietman, R., Saarinen, M.J.O., Tolhuizen, L., Zhang, Z.: Round5: Compact and fast post-quantum public-key encryption. Submitted for publication, August (2018)

  15. 15.

    Bodrato, M.: Towards optimal toom-cook multiplication for univariate and multivariate polynomials in characteristic 2 and 0. In: International Workshop on the Arithmetic of Finite Fields, pp. 116–133. Springer (2007)

  16. 16.

    Bogdanov, A., Guo, S., Masny, D., Richelson, S., Rosen, A.: On the hardness of learning with rounding over small modulus. In: Theory of Cryptography Conference, pp. 209–224. Springer (2016)

  17. 17.

    Bos, J., Costello, C., Ducas, L., Mironov, I., Naehrig, M., Nikolaenko, V., Raghunathan, A., Stebila, D.: Frodo: Take off the ring! practical, quantum-secure key exchange from lwe. In: Proceedings of the 2016 ACM SIGSAC Conference on Computer and Communications Security, pp. 1006–1018. ACM (2016)

  18. 18.

    Bos, J., Ducas, L., Kiltz, E., Lepoint, T., Lyubashevsky, V., Schanck, J.M., Schwabe, P., Seiler, G., Stehlé, D.: Crystals-kyber: a cca-secure module-lattice-based kem. In: 2018 IEEE European Symposium on Security and Privacy (EuroS&P). IEEE (2018)

  19. 19.

    Bos, J.W., Costello, C., Naehrig, M., Stebila, D.: Post-quantum key exchange for the tls protocol from the ring learning with errors problem. In: 2015 IEEE Symposium on Security and Privacy (SP), pp. 553–570. IEEE (2015)

  20. 20.

    Brakerski, Z., Gentry, C., Vaikuntanathan, V.: (Leveled) fully homomorphic encryption without bootstrapping. ACM Trans. Comput. Theory 6(3), 13 (2014)

    MathSciNet  Article  Google Scholar 

  21. 21.

    Brakerski, Z., Langlois, A., Peikert, C., Regev, O., Stehlé, D.: Classical hardness of learning with errors. In: Proceedings of the forty-fifth annual ACM symposium on Theory of computing, pp. 575–584. ACM (2013)

  22. 22.

    Brakerski, Z., Vaikuntanathan, V.: Fully homomorphic encryption from ring-lwe and security for key dependent messages. In: Annual cryptology conference, pp. 505–524. Springer (2011)

  23. 23.

    Bruinderink, L.G., Hülsing, A., Lange, T., Yarom, Y.: Flush, gauss, and reload–a cache attack on the bliss lattice-based signature scheme. In: International Conference on Cryptographic Hardware and Embedded Systems, pp. 323–345. Springer (2016)

  24. 24.

    Castryck, W., Iliashenko, I., Vercauteren, F.: Provably weak instances of ring-lwe revisited. In: Annual International Conference on the Theory and Applications of Cryptographic Techniques, pp. 147–167. Springer (2016)

  25. 25.

    Chen, L., Chen, L., Jordan, S., Liu, Y.K., Moody, D., Peralta, R., Perlner, R., Smith-Tone, D.: Report on post-quantum cryptography. US Department of Commerce, National Institute of Standards and Technology (2016)

  26. 26.

    Cheon, J.H., Han, K., Kim, J., Lee, C., Son, Y.: A practical post-quantum public-key cryptosystem based on spLWE. In: International Conference on Information Security and Cryptology, pp. 51–74. Springer (2016)

  27. 27.

    Cheon, J.H., Kim, D., Lee, J., Song, Y.: Lizard: Cut off the tail! a practical post-quantum public-key encryption from lwe and lwr. In: International Conference on Security and Cryptography for Networks, pp. 160–177. Springer (2018)

  28. 28.

    D’Anvers, J.P., Karmakar, A., Roy, S.S., Vercauteren, F.: Saber: Module-lwr based key exchange, cpa-secure encryption and cca-secure kem. In: International Conference on Cryptology in Africa, pp. 282–305. Springer (2018)

  29. 29.

    Diffie, W., Hellman, M.: New directions in cryptography. IEEE Trans. Inf. Theory 22(6), 644–654 (1976)

    MathSciNet  Article  Google Scholar 

  30. 30.

    Ding, J., Xie, X., Lin, X.: A simple provably secure key exchange scheme based on the learning with errors problem. IACR Cryptol. EPrint Arch. 2012, 688 (2012)

    Google Scholar 

  31. 31.

    Elias, Y., Lauter, K.E., Ozman, E., Stange, K.E.: Provably weak instances of ring-lwe. In: Annual Cryptology Conference, pp. 63–92. Springer (2015)

  32. 32.

    Gentry, C., Halevi, S., Smart, N.P.: Homomorphic evaluation of the aes circuit. In: Advances in cryptology–crypto 2012, pp. 850–867. Springer (2012)

  33. 33.

    Goldwasser, S., Kalai, Y.T., Peikert, C., Vaikuntanathan, V.: Robustness of the learning with errors assumption (2010)

  34. 34.

    Halevi, S., Shoup, V.: Algorithms in helib. In: International Cryptology Conference, pp. 554–571. Springer (2014)

  35. 35.

    Hamburg, M.: Module-lwe key exchange and encryption: The three bears (2017)

  36. 36.

    Hofheinz, D., Hövelmanns, K., Kiltz, E.: A modular analysis of the fujisaki-okamoto transformation. In: Theory of Cryptography Conference, pp. 341–371. Springer (2017)

  37. 37.

    Impagliazzo, R., Zuckerman, D.: How to recycle random bits. In: 30th Annual Symposium on Foundations of Computer Science, pp. 248–253. IEEE (1989)

  38. 38.

    Jiang, H., Zhang, Z., Chen, L., Wang, H., Ma, Z.: Ind-cca-secure key encapsulation mechanism in the quantum random oracle model, revisited. In: Annual International Cryptology Conference, pp. 96–125. Springer (2018)

  39. 39.

    Langlois, A., Stehlé, D.: Worst-case to average-case reductions for module lattices. Des. Codes Cryptogr. 75(3), 565–599 (2015)

    MathSciNet  Article  Google Scholar 

  40. 40.

    Lindner, R., Peikert, C.: Better key sizes (and attacks) for lwe-based encryption. In: CT-RSA, vol. 6558, pp. 319–339. Springer (2011)

  41. 41.

    Lyubashevsky, V.: Digital signatures based on the hardness of ideal lattice problems in all rings. In: Advances in Cryptology–ASIACRYPT 2016: 22nd International Conference on the Theory and Application of Cryptology and Information Security, Hanoi, Vietnam, Dec 4–8, 2016, Proceedings, Part II 22, pp. 196–214. Springer (2016)

  42. 42.

    Lyubashevsky, V., Peikert, C., Regev, O.: On ideal lattices and learning with errors over rings. In: Annual International Conference on the Theory and Applications of Cryptographic Techniques, pp. 1–23. Springer (2010)

  43. 43.

    Lyubashevsky, V., Peikert, C., Regev, O.: A toolkit for ring-lwe cryptography. In: Annual International Conference on the Theory and Applications of Cryptographic Techniques, pp. 35–54. Springer (2013)

  44. 44.

    Micciancio, D., Peikert, C.: Hardness of sis and lwe with small parameters. In: Advances in Cryptology–CRYPTO 2013, pp. 21–39. Springer (2013)

  45. 45.

    Peikert, C.: Lattice cryptography for the internet. In: International Workshop on Post-Quantum Cryptography, pp. 197–219. Springer (2014)

  46. 46.

    Peikert, C.: How (not) to instantiate ring-lwe. In: International Conference on Security and Cryptography for Networks, pp. 411–430. Springer (2016)

  47. 47.

    Peikert, C., Vaikuntanathan, V., Waters, B.: A framework for efficient and composable oblivious transfer. In: Crypto, vol. 5157, pp. 554–571. Springer (2008)

  48. 48.

    Phong, L.T., Hayashi, T., Aono, Y., Moriai, S.: Lotus: Algorithm specifications and supporting documentation (2017). URL https://www2.nict.go.jp/security/lotus/LOTUS_specifications.pdf. Accessed 01 Nov 2018

  49. 49.

    Regev, O.: On lattices, learning with errors, random linear codes, and cryptography. In: In STOC (2005)

  50. 50.

    Regev, O.: On lattices, learning with errors, random linear codes, and cryptography. J. ACM 56(6), 34 (2009)

    MathSciNet  Article  Google Scholar 

  51. 51.

    Rivest, R.L., Shamir, A., Adleman, L.: A method for obtaining digital signatures and public-key cryptosystems. Commun. ACM 21(2), 120–126 (1978)

    MathSciNet  Article  Google Scholar 

  52. 52.

    Saarinen, M.J.O.: Hila5: On reliability, reconciliation, and error correction for ring-lwe encryption. In: International Conference on Selected Areas in Cryptography, pp. 192–212. Springer (2017)

  53. 53.

    Saito, T., Xagawa, K., Yamakawa, T.: Tightly-secure key-encapsulation mechanism in the quantum random oracle model. In: Annual International Conference on the Theory and Applications of Cryptographic Techniques, pp. 520–551. Springer (2018)

  54. 54.

    Shor, P.W.: Algorithms for quantum computation: Discrete logarithms and factoring. In: 1994 Proceedings 35th Annual Symposium on Foundations of Computer Science, pp. 124–134. IEEE (1994)

  55. 55.

    Steinfeld, R., Sakzad, A., Zhao, R.K.: Titanium: Proposal for a nist post-quantum public-key encryption and kem standard (2017)

  56. 56.

    Targhi, E.E., Unruh, D.: Post-quantum security of the fujisaki-okamoto and oaep transforms. In: Theory of Cryptography Conference, pp. 192–216. Springer (2016)

Download references

Acknowledgements

This work was supported as part of Military Crypto Research Center (UD170109ED) funded by Defense Acquisition Program Administration (DAPA) and Agency for Defense Development (ADD).

Funding

This study was funded by Defense Acquisition Program Administration (DAPA) and Agency for Defense Development (ADD) (UD170109ED).

Author information

Affiliations

Authors

Corresponding author

Correspondence to Jong Hwan Park.

Ethics declarations

Conflict of interest

The authors declare that they have no conflict of interest.

Ethical approval

This article does not contain any studies with human participants or animals performed by any of the authors.

Additional information

Publisher's Note

Springer Nature remains neutral with regard to jurisdictional claims in published maps and institutional affiliations.

Rights and permissions

Reprints and Permissions

About this article

Verify currency and authenticity via CrossMark

Cite this article

Seo, M., Kim, S., Lee, D.H. et al. EMBLEM: (R)LWE-based key encapsulation with a new multi-bit encoding method. Int. J. Inf. Secur. 19, 383–399 (2020). https://doi.org/10.1007/s10207-019-00456-9

Download citation

Keywords

  • Lattice-based cryptography
  • Chosen-ciphertext security
  • Key encapsulation mechanism
  • Small secret LWE