Practical \(\mathsf {MP} \text{- }\mathsf {LWE} \)-based encryption balancing security-risk versus efficiency

Published in Designs, Codes and Cryptography.

Abstract

Middle-product learning with errors (\(\mathsf {MP} \text{- }\mathsf {LWE} \)) is a variant of the \(\mathsf {LWE}\) problem introduced at CRYPTO 2017 by Rosca et al. (Advances in cryptology—CRYPTO, Springer, Berlin, 2017). Asymptotically, the theoretical results of Rosca et al. (2017) suggest that \(\mathsf {MP} \text{- }\mathsf {LWE} \) gives lattice-based public-key cryptosystems offering a ‘security-risk vs. efficiency’ trade-off: higher performance than cryptosystems based on unstructured lattices (\(\mathsf {LWE}\) problem) and lower risk than cryptosystems based on structured lattices (Polynomial/Ring \(\mathsf {LWE}\) problem). However, although promising in theory, Rosca et al. (2017) left the practical implications of \(\mathsf {MP} \text{- }\mathsf {LWE} \) for lattice-based cryptography unclear. In this paper, we show how to build practical public-key cryptosystems with strong security guarantees based on \(\mathsf {MP} \text{- }\mathsf {LWE} \). On the implementation side, we present optimised fast algorithms for computing the middle-product operation over polynomial rings \({\mathbb {Z}}_q[x]\), the dominant computation for \(\mathsf {MP} \text{- }\mathsf {LWE} \)-based cryptosystems. On the security side, we show how to obtain a nearly tight security proof for \(\mathsf {MP} \text{- }\mathsf {LWE} \) from the hardest Polynomial LWE problem over a large family of rings, improving on the loose reduction of Rosca et al. (2017). We also show and analyze an optimised cryptanalysis of \(\mathsf {MP} \text{- }\mathsf {LWE} \) that narrows the complexity gap between best known attacks on \(\mathsf {MP} \text{- }\mathsf {LWE} \) and Polynomial \(\mathsf {LWE}\). 
To evaluate the practicality of \(\mathsf {MP} \text{- }\mathsf {LWE} \), we apply our results to construct, implement and optimise parameters for a practical \(\mathsf {MP} \text{- }\mathsf {LWE} \)-based public-key cryptosystem, \(\mathsf {Titanium} \), and compare its benchmarks to other lattice-based systems. Our results show that \(\mathsf {MP} \text{- }\mathsf {LWE} \) offers a new ‘security-risk vs. efficiency’ trade-off in lattice-based cryptography in practice, not only asymptotically in theory.

Notes

  1. We remark that the risk for Module PLWE may be lower than for PLWE, since existing ‘direct’ attacks on the Module Polynomial LWE problem require a larger module rank to be solved than attacks on the \(\mathsf {PLWE} \) instance. But [1] shows, at least asymptotically, that at the cost of a polynomially larger error parameter, a poly-time PLWE attack over the ring translates into a poly-time Module PLWE attack over the same ring.

  2. Compared to [33], in this paper we present the research contributions of the original NIST-Titanium [40]. The implementation is further improved over that in [40], and the contributions listed here are all new compared to [33].

  3. For an attempt to employ Karatsuba for MP computation, the interested reader is referred to https://github.com/kzoacn/PolyMultiply.

  4. Available at https://github.com/raykzhao/Titanium.

  5. Available at https://github.com/pq-crystals/kyber.

References

  1. Albrecht M.R., Amit D.: Large modulus Ring-LWE \(\ge \) Module-LWE. In: Advances in Cryptology—ASIACRYPT 2017, pp. 267–296 (2017).

  2. Albrecht M.R., Fitzpatrick R., Göpfert F.: On the efficacy of solving LWE by reduction to unique-SVP. In: Information Security and Cryptology—ICISC 2013—16th International Conference, Seoul, Korea, 27–29 November 2013, Revised Selected Papers, pp. 293–310 (2013).

  3. Alkim E., Ducas L., Pöppelmann T., Schwabe P.: Post-quantum key exchange—a new hope. In: 25th USENIX Security Symposium, USENIX Security 16, Austin, TX, USA, 10–12 August 2016, pp. 327–343 (2016).

  4. Alkim E., Bos J.W., Ducas L., Longa P., Mironov I., Naehrig M., Nikolaenko V., Peikert C., Raghunathan A., Stebila D., Easterbrook K., LaMacchia B.: FrodoKEM: learning with errors key encapsulation. https://frodokem.org/files/FrodoKEM-specification-20171130.pdf (2017).

  5. Bernstein D.J., Chuengsatiansup C., Lange T., van Vredendaal C.: NTRU Prime. Cryptology ePrint Archive. http://eprint.iacr.org/2016/461 (2016).

  6. Bos J.W., Costello C., Ducas L., Mironov I., Naehrig M., Nikolaenko V., Raghunathan A., Stebila D.: Frodo: take off the ring! practical, quantum-secure key exchange from LWE. In: Proceedings of the 2016 ACM SIGSAC Conference on Computer and Communications Security, Vienna, Austria, 24–28 Oct 2016, pp. 1006–1018 (2016).

  7. Bos J.W., Ducas L., Kiltz E., Lepoint T., Lyubashevsky V., Schanck J.M., Schwabe P., Stehlé D.: CRYSTALS—Kyber: a CCA-secure module-lattice-based KEM. IACR Cryptology ePrint Archive 2017, 634 (2017).

  8. Boucheron S., Lugosi G., Massart P.: Concentration Inequalities: A Nonasymptotic Theory of Independence. Oxford University Press, Oxford (2013).

  9. Brakerski Z., Vaikuntanathan V.: Efficient fully homomorphic encryption from (standard) LWE. Proceedings of FOCS, pp. 97–106. IEEE Computer Society Press, Washington, DC (2011).

  10. Castryck W., Iliashenko I., Vercauteren F.: Provably weak instances of Ring-LWE revisited. Proceedings of EUROCRYPT, pp. 147–167. Springer, Berlin (2016).

  11. Cramer R., Ducas L., Wesolowski B.: Short Stickelberger class relations and application to Ideal-SVP. Cryptology ePrint Archive. https://eprint.iacr.org/2016/885 (2016).

  12. Cramer R., Ducas L., Peikert C., Regev O.: Recovering short generators of principal ideals in cyclotomic rings. Proceedings of EUROCRYPT. Springer, Berlin (2016).

  13. D’Anvers J-P., Karmakar A., Roy S.S., Vercauteren F.: SABER: Mod-LWR based KEM. https://csrc.nist.gov/CSRC/media/Projects/Post-Quantum-Cryptography/documents/round-1/submissions/SABER.zip (2017).

  14. Dodis Y., Ostrovsky R., Reyzin L., Smith A.D.: Fuzzy extractors: how to generate strong keys from biometrics and other noisy data. SIAM J. Comput. 38(1), 97–139 (2008).

  15. Eisenträger K., Hallgren S., Lauter K.: Weak instances of PLWE. Proceedings of SAC. Springer, Berlin (2014).

  16. Elias Y., Lauter K.E., Ozman E., Stange K.E.: Provably weak instances of Ring-LWE. Proceedings of CRYPTO. Springer, Berlin (2015).

  17. Fujisaki E., Okamoto T.: Secure integration of asymmetric and symmetric encryption schemes. In: Advances in Cryptology–CRYPTO’99, 19th Annual International Cryptology Conference, Santa Barbara, CA, USA, 15–19 August, 1999, pp. 537–554 (1999).

  18. Hanrot G., Quercia M., Zimmermann P.: The middle product algorithm I. Appl. Algebra Eng. Commun. Comput. 14(6), 415–438 (2004).

  19. Harvey D.: Faster arithmetic for number-theoretic transforms. J. Symb. Comput. 60, 113–119 (2014).

  20. Hofheinz D., Hövelmanns K., Kiltz E.: A modular analysis of the Fujisaki–Okamoto transformation. Cryptology ePrint Archive, Report 2017/604 (2017). http://eprint.iacr.org/2017/604.

  21. Kannan R.: Minkowski’s convex body theorem and integer programming. Math. Oper. Res. 12(3), 415–440 (1987).

  22. Laarhoven T., Mosca M., van de Pol J.: Finding shortest lattice vectors faster using quantum search. Des. Codes Cryptogr. 77(2), 375–400 (2015).

  23. Langlois A., Stehlé D.: Worst-case to average-case reductions for module lattices. Des. Codes Cryptogr. 75(3), 565–599 (2015).

  24. Lyubashevsky V.: Digital signatures based on the hardness of ideal lattice problems in all rings. Proceedings of ASIACRYPT, pp. 196–214. Springer, Berlin (2016).

  25. Lyubashevsky V., Micciancio D.: Generalized compact knapsacks are collision resistant. Proceedings of ICALP, pp. 144–155. Springer, Berlin (2006).

  26. Lyubashevsky V., Peikert C., Regev O.: On ideal lattices and learning with errors over rings. Proceedings of EUROCRYPT. LNCS, pp. 1–23. Springer, Berlin (2010).

  27. NIST. NIST post-quantum competition. http://csrc.nist.gov/groups/ST/post-quantum-crypto/documents/call-for-proposals-final-dec-2016.pdf. Accessed 13 June 2017.

  28. NIST. SHA-3 standard: Permutation-based hash and extendable-output functions. http://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.202.pdf. Accessed 29 Sept 2017.

  29. Peikert C.: Lattice cryptography for the internet. In: Post-Quantum Cryptography—6th International Workshop, PQCrypto 2014, Waterloo, ON, Canada, 1–3 October 2014, pp. 197–219 (2014).

  30. Peikert C.: How not to instantiate Ring-LWE. Proceedings of SCN. LNCS, vol. 9841, pp. 411–430. Springer, Berlin (2016).

  31. Regev O.: On lattices, learning with errors, random linear codes, and cryptography. In: Proceedings of STOC, pp. 84–93 (2005).

  32. Regev O.: On lattices, learning with errors, random linear codes, and cryptography. JACM 56, 34 (2009).

  33. Roşca M., Sakzad A., Stehlé D., Steinfeld R.: Middle-product learning with errors. Advances in Cryptology—CRYPTO 2017, pp. 283–297. Springer, Berlin (2017).

  34. Rosca M., Stehlé D., Wallet A.: On the Ring-LWE and Polynomial-LWE problems. Advances in Cryptology—EUROCRYPT 2018, pp. 146–173. Springer, Berlin (2018).

  35. Schnorr C.P.: Lattice Reduction by Random Sampling and Birthday Methods, pp. 145–156. Springer, Berlin (2003).

  36. Seiler G.: Faster AVX2 optimized NTT multiplication for Ring-LWE lattice cryptography. https://eprint.iacr.org/2018/039.pdf (2018).

  37. Sorensen H.V., Burrus C.S.: Efficient computation of the DFT with only a subset of input or output points. IEEE Trans. Signal Process. 41(3), 1184–1200 (1993).

  38. Stehlé D., Steinfeld R., Tanaka K., Xagawa K.: Efficient public key encryption based on ideal lattices. Proceedings of ASIACRYPT, pp. 617–635. Springer, Berlin (2009).

  39. Steinfeld R., Sakzad A., Zhao R.K.: Titanium: post-quantum public-key encryption and KEM algorithms. http://users.monash.edu.au/~rste/Titanium.html. Accessed 1 May 2018.

  40. Steinfeld R., Sakzad A., Zhao R.K.: Titanium: post-quantum public-key encryption and KEM algorithms. NIST PQC Standardisation Process submission. Accessed 1 May 2018.

Funding

Funding was provided by Australian Research Council (Grant No. DP150100285).

Author information

Correspondence to Ron Steinfeld.

Additional information

Communicated by M. Albrecht.

Appendices

Appendix A: Concrete correctness conditions of \(\mathsf {Titanium\text{- }CPA}\) and computation of \(p_e\)

This section contains the proof of correctness of our \(\mathsf {Titanium\text{- }CPA}\) algorithm and explains our method of computing a numerical, provable upper bound on the decryption error probability, which is also used in our \(\mathsf {IND} \text{- }\mathsf {CCA} \) security proof. We first define the notion of a \(\delta \)-correct \(\mathsf {Titanium\text{- }CPA}\).

Definition 6

Our \(\mathsf {Titanium\text{- }CPA}\) scheme is called \(\delta \)-correct if for any function f, we have

$$\begin{aligned} ~ \Pr \left[ \mathsf {Decrypt}(\mathsf {sk}, \mathsf {ct}) \ne m~:\left\{ \begin{array}{l}(\mathsf {pk}, \mathsf {sk})\leftarrow \mathsf {KeyGen};\\ m=f(\mathsf {pk},\mathsf {sk}); \\ \mathsf {ct}\leftarrow \mathsf {Encrypt}(\mathsf {pk},m) \end{array}\right. \right] \le \delta . \end{aligned}$$
(31)

We remark that the above definition of decryption error probability over the choice of both public key and encryption randomness (for any, even key-dependent, messages), matches the definition of \(\delta \)-correctness in [20], which allows us to apply the security analysis of [20] to the Fujisaki–Okamoto transform applied to \(\mathsf {Titanium\text{- }CPA}\), which yields our \(\mathsf {Titanium\text{- }CCA}\) scheme.

From now on, we let \(p_e\) denote the LHS of (31). We now analyse the correctness of \(\mathsf {Titanium\text{- }CPA}\). Let us first expand the main operation in the decryption of \(\mathsf {Titanium\text{- }CPA}\):

$$\begin{aligned} c'= & {} c_2' - \mathsf {Rev} (c_1') \odot _{_d} s \nonumber \\= & {} \sum ^t_{i=1} \mathsf {Rev} (r_i) \odot _{_d} b_i + \lfloor q/p \rfloor \cdot m - \mathsf {Rev} \left( \sum ^t_{i=1} r_i \cdot \bar{a_i}\right) \odot _{_d} s\nonumber \\= & {} \sum ^t_{i=1} \mathsf {Rev} (r_i) \odot _{_d} (\mathsf {Rev} (a_i) \odot _{_{d+k}} s + e_i) \nonumber \\+ & {} \lfloor q/p \rfloor \cdot m - \sum ^t_{i=1} \mathsf {Rev} (r_i) \cdot \mathsf {Rev} (a_i) \odot _{_d} s \end{aligned}$$
(32)
$$\begin{aligned}= & {} \sum ^t_{i=1} \mathsf {Rev} (r_i) \cdot \mathsf {Rev} (a_i) \odot _{_{d+k}} s + \sum ^t_{i=1} \mathsf {Rev} (r_i) \cdot e_i \nonumber \\+ & {} \lfloor q/p \rfloor \cdot m - \sum ^t_{i=1} \mathsf {Rev} (r_i) \cdot \mathsf {Rev} (a_i) \odot _{_d} s \nonumber \\= & {} \lfloor q/p \rfloor \cdot m + \sum ^t_{i=1} \mathsf {Rev} (r_i) \odot _{_d} e_i\in {\mathbb {Z}}_q^d[x], \end{aligned}$$
(33)

where (32) and (33) are obtained using (1) and Lemma 2, respectively. Therefore, in the decryption algorithm of \(\mathsf {Titanium\text{- }CPA}\) we have

$$\begin{aligned} m'= & {} \mathsf {Round} \left( \lfloor q/p \rfloor ,c'\right) \\= & {} \mathsf {Round} \left( \lfloor q/p \rfloor ,\lfloor q/p \rfloor \cdot m + \sum ^t_{i=1} \mathsf {Rev} (r_i) \odot _{_d} e_i\right) \\= & {} m, \end{aligned}$$

if \(\sum ^t_{i=1} \mathsf {Rev} (r_i) \odot _{_d} e_i\) computed over \({\mathbb {Z}}_q^d[x]\) (i.e., with reduction mod q) has coefficients smaller than \(\lfloor q/p \rfloor /2\), i.e., if

$$\begin{aligned} \left\| \sum ^t_{i=1}\mathsf {Rev} (r_i) \odot _{_d} e_i\right\| _{\infty } < \lfloor q/p \rfloor /2, \end{aligned}$$
(34)

with the computations performed over \({\mathbb {Z}}^d[x]\). We upper bound the probability \(p_e\) that (34) does not hold, over the choice of the encryption randomness \((r_1,\ldots ,r_t)\) from the distribution \(\chi _r\) and the choice of key generation errors \((e_1,\ldots ,e_t)\) from the distribution \(\chi _e\).
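The derivation (32) to (34) can be checked mechanically. The following Python toy implementation is an added example, not the paper's or the Titanium reference implementation's code: it implements \(\mathsf {Rev}\) and the middle product \(\odot_d\), runs a scaled-down KeyGen/Encrypt/Decrypt with the polynomial lengths used above, and verifies both the associativity of Lemma 2 and the identity (33). The parameter sizes, the sampling of the \(r_i\) and \(e_i\), and the form of \(\mathsf {ZeIntU}(B)\) (taken as uniform over the B non-zero integers in \([-B/2, B/2]\)) are assumptions made for the example.

```python
"""Toy Titanium-CPA-style scheme over Z_q[x] built on the middle product.
Added example, not the paper's or the Titanium reference implementation's code.
Assumptions: parameter sizes and the sampling of r_i, e_i are constructed;
ZeIntU(B) is taken as uniform over the B non-zero integers in [-B/2, B/2]."""
import random


def poly_mul(a, b):
    """Schoolbook product of integer coefficient lists (no modular reduction)."""
    out = [0] * (len(a) + len(b) - 1)
    for i, ai in enumerate(a):
        for j, bj in enumerate(b):
            out[i + j] += ai * bj
    return out


def mp(a, b, d):
    """Middle product a (.)_d b: coefficients k .. k+d-1 of a*b, with len(a)+len(b)-1 = d+2k."""
    k2 = len(a) + len(b) - 1 - d
    assert k2 >= 0 and k2 % 2 == 0, "operand lengths incompatible with (.)_d"
    return poly_mul(a, b)[k2 // 2:k2 // 2 + d]


def rev(a):
    """Rev: reverse the fixed-length coefficient vector, so Rev(f*g) = Rev(f)*Rev(g)."""
    return a[::-1]


def centered(a, q):
    """Reduce each coefficient to its representative in [-q/2, q/2]."""
    return [((x + q // 2) % q) - q // 2 for x in a]


def bin_diff(eta, rng):
    """BinDiff(eta): difference of two independent Binomial(eta, 1/2) samples."""
    return sum(rng.randint(0, 1) - rng.randint(0, 1) for _ in range(eta))


def ze_int_u(B, rng):
    """ZeIntU(B), assumed form: uniform on {-B/2, ..., -1, 1, ..., B/2}."""
    v = rng.randint(1, B // 2)
    return v if rng.random() < 0.5 else -v


class ToyTitaniumCPA:
    """Lengths as in the appendix: a_i: n, s: n+d+k-1, b_i: d+k, r_i: k+1, c1: n+k, c2 and m: d."""

    def __init__(self, n, d, k, t, q, p, eta, B, seed=0):
        self.n, self.d, self.k, self.t, self.q, self.p = n, d, k, t, q, p
        self.eta, self.B, self.rng = eta, B, random.Random(seed)

    def keygen(self):
        """Returns pk = [(a_bar_i, b_i)], secret s, and the e_i (kept only to check (33))."""
        n, d, k, q = self.n, self.d, self.k, self.q
        s = [self.rng.randrange(q) for _ in range(n + d + k - 1)]
        pk, errs = [], []
        for _ in range(self.t):
            a_bar = [self.rng.randrange(q) for _ in range(n)]
            e = [bin_diff(self.eta, self.rng) for _ in range(d + k)]
            b = mp(rev(a_bar), s, d + k)                  # b_i = Rev(a_bar_i) (.)_{d+k} s + e_i
            pk.append((a_bar, [(x + y) % q for x, y in zip(b, e)]))
            errs.append(e)
        return pk, s, errs

    def encrypt(self, pk, m):
        """m: d coefficients in Z_p. Returns ((c1, c2), [r_i]); the r_i are kept only to check (33)."""
        n, d, k, q = self.n, self.d, self.k, self.q
        c1, c2, rs = [0] * (n + k), [(q // self.p) * mi for mi in m], []
        for a_bar, b in pk:
            r = [ze_int_u(self.B, self.rng) for _ in range(k + 1)]
            rs.append(r)
            c1 = [x + y for x, y in zip(c1, poly_mul(r, a_bar))]  # c1 = sum_i r_i * a_bar_i
            c2 = [x + y for x, y in zip(c2, mp(rev(r), b, d))]    # c2 = sum_i Rev(r_i) (.)_d b_i + floor(q/p)*m
        return ([x % q for x in c1], [x % q for x in c2]), rs

    def decrypt(self, s, ct):
        """c' = c2 - Rev(c1) (.)_d s, then m' = Round(floor(q/p), c') coefficient-wise."""
        c1, c2 = ct
        c_prime = centered([x - y for x, y in zip(c2, mp(rev(c1), s, self.d))], self.q)
        return [round(c / (self.q // self.p)) % self.p for c in c_prime], c_prime


def noise_term(rs, errs, d):
    """sum_i Rev(r_i) (.)_d e_i over the integers: the only noise left in c' by (33)."""
    return [sum(col) for col in zip(*(mp(rev(r), e, d) for r, e in zip(rs, errs)))]


def run_check(seed, n=16, d=8, k=4, t=2, q=257, p=2, eta=2, B=4):
    """Returns (decryption correct, identity (33) holds, Lemma 2 associativity holds).
    Here |noise| <= (k+1)*t*(B/2)*eta = 40 < floor(q/p)/2 = 64, so (34) always holds."""
    sch = ToyTitaniumCPA(n, d, k, t, q, p, eta, B, seed)
    pk, s, errs = sch.keygen()
    m = [sch.rng.randrange(p) for _ in range(d)]
    ct, rs = sch.encrypt(pk, m)
    m2, c_prime = sch.decrypt(s, ct)
    expect = [((q // p) * mi + z) % q for mi, z in zip(m, noise_term(rs, errs, d))]
    identity = [c % q for c in c_prime] == expect
    r, a = rs[0], rev(pk[0][0])                           # a_1 = Rev(a_bar_1)
    assoc = mp(poly_mul(rev(r), a), s, d) == mp(rev(r), mp(a, s, d + k), d)
    return m2 == m, identity, assoc
```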

We recall that \(\chi _r\) has the form:

$$\begin{aligned} \chi _r = \mathsf {ZeIntU} (B_1)^{N_{\mathsf {dec} 1}} \times \mathsf {ZeIntU} (B_2)^{N_{\mathsf {dec} } - N_{\mathsf {dec} 1}}, \end{aligned}$$

i.e., the first \(N_{\mathsf {dec} 1}\) integer coefficients of the concatenated coefficient vectors of the \(r_i\)’s are sampled from \(\mathsf {ZeIntU} (B_1)\) and the remaining \(N_{\mathsf {dec} } - N_{\mathsf {dec} 1}\) coefficients are sampled from \(\mathsf {ZeIntU} (B_2)\). Also, \(\chi _e\) samples each integer coefficient of \((e_1,\ldots ,e_t)\) from the \(\mathsf {BinDiff} (\eta )\) distribution. For \(i=1,2\), let us define the distributions \(\chi _i\) over \({\mathbb {Z}}\) as the distribution of the product (over \({\mathbb {Z}}\)) of a sample from \(\mathsf {ZeIntU} (B_i)\) and an independent sample from \(\mathsf {BinDiff} (\eta )\). Let us define \(\bar{r_i}\) as \(\mathsf {Rev} (r_i)\). Then we observe that for each \(1\le i\le t\), each coefficient of \(\bar{r_i} \odot _{_d} e_i\) is an inner product between a row of \(\mathsf {Toep}^{d,k}(\bar{r_i})\) and the coefficient vector \(\mathbf{e}_i\) of \(e_i\). Therefore, by the independence of the \(r_i\) and \(e_i\) coefficients, the distribution of each coefficient of \(\sum ^t_{i=1} \bar{r_i} \odot _{_d} e_i\) is the distribution of a sum \(\sum _{i=1}^{N_{\mathsf {dec} }}x_i\) of independent random variables \(x_i\), where \(x_i\) is sampled from the distribution \(\chi _i\) with

$$\begin{aligned} ~ \chi _i:=\left\{ \begin{array}{ll} \chi _1 &{} 1\le i\le N_{\mathsf {dec} 1},\\ \chi _2 &{} N_{\mathsf {dec} 1}<i\le N_{\mathsf {dec} }. \end{array}\right. \end{aligned}$$
(35)

The probability of error \(\bar{p_e}\) for any fixed coordinate of the message can therefore be upper bounded as follows:

$$\begin{aligned} \bar{p_e} = \Pr \left[ \sum _{i=1}^{N_{\mathsf {dec} }}x_i\ge \lfloor q/p \rfloor /2\right] , \end{aligned}$$

with \(x_i\) distributed as in (35). Since the \(x_i\)’s are independent with \({\mathbb {E}}[x_i]=0\) for \(1\le i\le N_{\mathsf {dec} }\), we have

$$\begin{aligned} \bar{p_e}= & {} \Pr \left[ \sum _{i=1}^{N_{\mathsf {dec} }}x_i\ge \lfloor q/p \rfloor /2\right] \end{aligned}$$
(36)
$$\begin{aligned}= & {} \Pr \left[ \exp \left( s\cdot \sum _{i=1}^{N_{\mathsf {dec} }}x_i\right) \ge \exp \left( s\cdot \lfloor q/p \rfloor /2\right) \right] \end{aligned}$$
(37)
$$\begin{aligned}\le & {} \frac{{\mathbb {E}}\left[ \exp \left( s\cdot \sum _{i=1}^{N_{\mathsf {dec} }}x_i\right) \right] }{\exp \left( s\cdot \lfloor q/p \rfloor /2\right) } \end{aligned}$$
(38)
$$\begin{aligned}= & {} \frac{{\mathbb {E}}\left[ \prod _{i=1}^{N_{\mathsf {dec} }}\exp \left( s\cdot x_i\right) \right] }{\exp \left( s\cdot \lfloor q/p \rfloor /2\right) }\nonumber \\= & {} \frac{\prod _{i=1}^{N_{\mathsf {dec} }}{\mathbb {E}}\left[ \exp \left( s\cdot x_i\right) \right] }{\exp \left( s\cdot \lfloor q/p \rfloor /2\right) }, \end{aligned}$$
(39)

where (37) holds because the mapping \(x\mapsto \exp (s\cdot x)\) is monotonically increasing, (38) is obtained using Markov's inequality [8], and (39) is valid because the \(x_i\)’s are independent of each other. Let us further define

$$\begin{aligned} M_{\chi _j}(s) :={\mathbb {E}}_{x\hookleftarrow \chi _j}[\exp (s\cdot x)], \end{aligned}$$

for \(j\in \{1,2\}\). Therefore, (39) can be re-written as:

$$\begin{aligned} ~ \bar{p_e}\le \frac{\prod _{i=1}^{N_{\mathsf {dec} }}{\mathbb {E}}\left[ \exp \left( s\cdot x_i\right) \right] }{\exp \left( s\cdot \lfloor q/p \rfloor /2\right) }=\frac{M_{\chi _1}^{N_{\mathsf {dec} 1}}(s)M_{\chi _2}^{N_{\mathsf {dec} }-N_{\mathsf {dec} 1}}(s)}{\exp \left( s\cdot \lfloor q/p \rfloor /2\right) }. \end{aligned}$$
(40)

In order to minimize \(\bar{p_e}\), one needs to find the value of s that minimizes (40). Letting

$$\begin{aligned} f(s):=\frac{M_{\chi _1}^{N_{\mathsf {dec} 1}}(s)M_{\chi _2}^{N_{\mathsf {dec} }-N_{\mathsf {dec} 1}}(s)}{\exp \left( s\cdot \lfloor q/p \rfloor /2\right) }, \end{aligned}$$

one can differentiate f to find the critical point \(s^*\), i.e., the point with \(f'(s^*)=0\), that minimizes the right hand side of (40). The bisection method is then used to numerically evaluate \(s^*\) and hence \(\bar{p_e}^{\small {\mathsf {Hoeffding} }}\) such that \(\bar{p_e}\le \bar{p_e}^{\small {\mathsf {Hoeffding} }}\). The above analysis and a union bound over the d coordinates of \(\sum ^t_{i=1} \bar{r_i} \odot _{_d} e_i\) ensure that our \(\mathsf {Titanium\text{- }CPA}\) is \(p_e^{\small {\mathsf {Hoeffding} }} \le d \cdot \bar{p_e}^{\small {\mathsf {Hoeffding} }}\)-correct.

Instead of the above Hoeffding approach, one could use a CLT heuristic analysis to upper bound (36). In particular, by the independence of the \(x_i\)’s, we can approximate the distribution of \(\sum _{i=1}^{N_{\mathsf {dec} }}x_i\) by a Gaussian distribution with mean \(\mu \) and standard deviation \(\sigma \) that we can explicitly compute, and then use standard Gaussian tail bounds to bound \(p_e\). To be more precise, a straightforward computation using the independence of the \(x_i\) and the fact that the standard deviation of \(\chi _e\) is \(\sqrt{2\eta /4}=\sqrt{\eta /2}\) shows that the standard deviation of \(\sum _{i=1}^{N_{\mathsf {dec} }}x_i\) is given by

$$\begin{aligned} \sigma = \sqrt{(B_{\mathsf {eff} }^2/12+B_{\mathsf {eff} }/4+1/6)\cdot (\eta /2)\cdot N_{\mathsf {dec} }}, \end{aligned}$$
(41)

where

$$\begin{aligned} B_{\mathsf {eff} } = \sqrt{\rho B_1^2+(1-\rho )B_2^2}, \end{aligned}$$

and

$$\begin{aligned} \rho =N_{\mathsf {dec} 1}/N_{\mathsf {dec} }. \end{aligned}$$

Using a standard Gaussian tail bound along with a union bound over the d coordinates as above, one gets

$$\begin{aligned} ~ p_e^{{\mathsf {\small clt} }}\le (2d)\cdot \exp (-z_{\mathsf {\small clt} }^2/2), \end{aligned}$$
(42)

where

$$\begin{aligned} ~ z_{\small \mathsf {clt} }=\lfloor q/p \rfloor /(2\sigma ). \end{aligned}$$
(43)

Furthermore, using a union bound one can calculate \(z_{\small \mathsf {Hoeffding} }\) such that the calculated \(p_e^{\small {\mathsf {Hoeffding} }}\) satisfies the following inequality

$$\begin{aligned} ~ p_e^{\small {\mathsf {Hoeffding} }}\le (2d)\cdot \exp (-z_{\small \mathsf {Hoeffding} }^2/2). \end{aligned}$$
(44)

In Tables 9 and 10, we compare our derived \(z_{\small \mathsf {Hoeffding} }\) in (44) with \(z_{\small \mathsf {clt} }\) in (43) for our different parameter sets. The results suggest that our provable Hoeffding bounds on the decryption error probability are close to optimal, as they are not much higher than the bounds obtained from the CLT heuristic.

Table 9 The values of \(z_{\small \mathsf {Hoeffding} }\) in (44) and \(z_{\small \mathsf {clt} }\) defined in (43) for \(\mathsf {Titanium\text{- }CPA}\)
Table 10 The values of \(z_{\small \mathsf {Hoeffding} }\) in (44) and \(z_{\small \mathsf {clt} }\) defined in (43) for \(\mathsf {Titanium\text{- }CCA}\)
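As an added worked example (not the paper's own script or the Titanium reference code), the following Python carries the bound (40) through numerically: it builds the exact product laws \(\chi _1, \chi _2\), finds \(s^*\) by bisection on the derivative of \(\log f\), and compares the resulting \(z_{\mathsf {Hoeffding}}\) with \(z_{\mathsf {clt}}\) from (41) to (43). The parameter set TOY_PARAMS is constructed and is not a Titanium parameter set, and \(\mathsf {ZeIntU}(B)\) is assumed uniform over the B non-zero integers in \([-B/2, B/2]\), the form that reproduces the second moment used in (41).

```python
"""Decryption-failure bounds for a Titanium-CPA-style parameter set: the provable
Chernoff/Hoeffding bound (40) minimised over s, and the CLT heuristic (41)-(43).
Added example, not the paper's own script or the Titanium reference code.
Assumptions: TOY_PARAMS is a constructed parameter set, not a Titanium one;
ZeIntU(B) is taken as uniform over the B non-zero integers in [-B/2, B/2],
which reproduces the second moment used in (41)."""
import math
from typing import NamedTuple


class Params(NamedTuple):
    q: int        # ciphertext modulus
    p: int        # plaintext modulus
    d: int        # number of message coefficients
    N_dec: int    # (k+1)*t, the number of x_i terms in one coefficient of the noise
    N_dec1: int   # how many of them come from ZeIntU(B1) rather than ZeIntU(B2)
    B1: int
    B2: int
    eta: int      # BinDiff(eta) parameter of chi_e


TOY_PARAMS = Params(q=2281, p=2, d=256, N_dec=1024, N_dec1=256, B1=4, B2=2, eta=2)


def bin_diff_pmf(eta):
    """P[v = l] for v ~ BinDiff(eta), the difference of two Binomial(eta, 1/2)."""
    return {l: math.comb(2 * eta, eta + l) / 4 ** eta for l in range(-eta, eta + 1)}


def product_pmf(B, eta):
    """Law chi_j of x = u * v with u ~ ZeIntU(B) and v ~ BinDiff(eta) independent."""
    pmf = {}
    for u in list(range(-(B // 2), 0)) + list(range(1, B // 2 + 1)):
        for v, pv in bin_diff_pmf(eta).items():
            pmf[u * v] = pmf.get(u * v, 0.0) + pv / B
    return pmf


def log_mgf(pmf, s):
    """(log M(s), d/ds log M(s)) for M(s) = E[exp(s x)], x ~ pmf."""
    m0 = sum(pr * math.exp(s * x) for x, pr in pmf.items())
    m1 = sum(pr * x * math.exp(s * x) for x, pr in pmf.items())
    return math.log(m0), m1 / m0


def log_f(P, s):
    """log f(s) of (40): N_dec1*log M_chi1(s) + (N_dec-N_dec1)*log M_chi2(s) - s*floor(q/p)/2."""
    l1, _ = log_mgf(product_pmf(P.B1, P.eta), s)
    l2, _ = log_mgf(product_pmf(P.B2, P.eta), s)
    return P.N_dec1 * l1 + (P.N_dec - P.N_dec1) * l2 - s * (P.q // P.p) / 2.0


def log_f_slope(P, s):
    """d/ds log f(s); log f is convex, so the zero s* of its derivative is the minimiser."""
    _, g1 = log_mgf(product_pmf(P.B1, P.eta), s)
    _, g2 = log_mgf(product_pmf(P.B2, P.eta), s)
    return P.N_dec1 * g1 + (P.N_dec - P.N_dec1) * g2 - (P.q // P.p) / 2.0


def chernoff_bound(P, iters=200):
    """Bisection for s* with log_f_slope(P, s*) = 0. Returns (s*, log pbar_e^Hoeffding,
    z_Hoeffding), z being read off (44) after the two-sided union bound p_e <= 2d * pbar_e."""
    x_max = P.N_dec1 * max(product_pmf(P.B1, P.eta)) + (P.N_dec - P.N_dec1) * max(product_pmf(P.B2, P.eta))
    assert (P.q // P.p) / 2.0 < x_max, "threshold beyond the noise support: no failure possible"
    lo, hi = 0.0, 1.0                       # slope(0) = -floor(q/p)/2 < 0 because E[x_i] = 0
    while log_f_slope(P, hi) < 0:           # widen the bracket until the derivative changes sign
        hi *= 2.0
    for _ in range(iters):
        mid = (lo + hi) / 2.0
        if log_f_slope(P, mid) < 0:
            lo = mid
        else:
            hi = mid
    s_star = (lo + hi) / 2.0
    log_pbar = log_f(P, s_star)
    return s_star, log_pbar, math.sqrt(-2.0 * log_pbar)


def clt_bound(P):
    """(sigma, z_clt, log p_e^clt) from (41), (43) and (42)."""
    rho = P.N_dec1 / P.N_dec
    B_eff = math.sqrt(rho * P.B1 ** 2 + (1 - rho) * P.B2 ** 2)
    sigma = math.sqrt((B_eff ** 2 / 12 + B_eff / 4 + 1 / 6) * (P.eta / 2) * P.N_dec)
    z = (P.q // P.p) / (2 * sigma)
    return sigma, z, math.log(2 * P.d) - z ** 2 / 2


if __name__ == "__main__":
    s_star, log_pbar, z_h = chernoff_bound(TOY_PARAMS)
    sigma, z_c, log_p_clt = clt_bound(TOY_PARAMS)
    ln2 = math.log(2)
    print(f"Hoeffding: s*={s_star:.4f} z={z_h:.2f} log2(p_e) <= {(math.log(2 * TOY_PARAMS.d) + log_pbar) / ln2:.1f}")
    print(f"CLT:       sigma={sigma:.2f} z={z_c:.2f} log2(p_e) ~  {log_p_clt / ln2:.1f}")
```

For the toy set the two z values land close together, which is the comparison Tables 9 and 10 make for the real parameter sets; the Chernoff figure is the provable one, the CLT figure a heuristic.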

Appendix A.1: Concrete correctness condition of \(\mathsf {Titanium\text{- }CCA}\)

We similarly define the following notion of correctness for \(\mathsf {Titanium\text{- }CCA}\).

Definition 7

Our \(\mathsf {Titanium\text{- }CCA}\) scheme is called \(\delta \)-correct if

$$\begin{aligned} \Pr [\mathsf {Decrypt}(\mathsf {sk}, \mathsf {ct}) \ne k | (\mathsf {pk}, \mathsf {sk})\leftarrow \mathsf {KeyGen}; (k,\mathsf {ct})\leftarrow \mathsf {Encrypt}(\mathsf {pk})]\le \delta . \end{aligned}$$

As we follow the KEM construction given in [20], the following result is immediate.

Lemma 6

If \(\mathsf {Titanium\text{- }CPA}\) is \(\delta \)-correct and \(\mathsf {G} \) and \(\mathsf {H} \) are random oracles, then our \(\mathsf {Titanium\text{- }CCA}\) is \(\delta \)-correct.

Appendix B: \(\mathsf {Titanium\text{- }CCA}\) algorithms

We use hash functions in our \(\mathsf {Titanium\text{- }CCA}\). The cryptographic hash functions \(\mathsf {G} \) and \(\mathsf {H} \) are modelled as random oracles in the security analysis, and are instantiated using the \(\mathsf {SHAKE256} \) mode of [28].

[Figures l, m and n: the \(\mathsf {Titanium\text{- }CCA}\) algorithms; not reproduced on this page.]

Appendix C: Leftover hash lemma and Proof of Theorem 3

We use the following variant of the LHL [14].

Lemma 7

Let X, Y, Z denote finite sets. Let \({\mathcal {H}}\) be a universal family of hash functions \(h : X \rightarrow Y\). Let \(f: X \rightarrow Z\) be arbitrary. Then for any random variable T taking values in X, we have:

$$\begin{aligned} \varDelta \left( (h, h(T), f(T) ),(h, U(Y), f(T))\right) \ \le \ \frac{1}{2}\cdot \sqrt{ \gamma (T)\cdot |Y| \cdot |Z|}, \end{aligned}$$

where \(\gamma (T) = \max _{t \in X}\Pr [T=t]\).

We will apply the LHL to the following universal hash family that arises in our construction.

Lemma 8

(Adapted from [33]) Let \(q, k, d \ge 2\), q prime, and \(\mathsf {Supp} _r \subseteq {\mathbb {Z}}^{<k+1}_q[x]\). For \((b_i)_i \in ({\mathbb {Z}}_q^{<d+k}[x])^t\), we let \(h_{(b_i)_i}\) denote the map that sends \((r_i)_{i \le t} \in (\mathsf {Supp} _r)^t\) to \(\sum _{i \le t} r_i \odot _{_d} b_i \in {\mathbb {Z}}_q^{<d}[x]\). Then the hash function family \((h_{(b_i)_i})_{(b_i)_i}\) is universal.

Proof

Our aim is to show that for \(r_1,\ldots ,r_t\) not all 0 in \(\mathsf {Supp} _r\), we have

$$\begin{aligned} \Pr _{(b_i)_i, (b'_i)_i} \Big [ \sum _{i\le t} r_i \odot _{_d} b_i =\sum _{i\le t} r_i \odot _{_d} b'_i \Big ] = q^{-d}. \end{aligned}$$

W.l.o.g. we may assume that \(r_1 \ne 0\). By linearity, it suffices to prove that for all \(y \in {\mathbb {Z}}_q^{<d}[x]\),

$$\begin{aligned} \Pr _{b_1} \big [ r_1 \odot _{_d} b_1 = y\big ] = q^{-d}. \end{aligned}$$

Let j be minimal such that the coefficient in \(x^j\) of \(r_1\) is non-zero and hence co-prime to q. Then the equation \(r_1 \odot _{_d} b_1 = y\) restricted to entries \(j+1\) to \(j+d\) is a triangular linear system in the coefficients of \(b_1\) with diagonal coefficients invertible mod q. The map \(b_1 \mapsto r_1 \odot _{_d} b_1\) restricted to these coefficients of \(b_1\) is hence a bijection. This gives the equality above. \(\square \)

Appendix C.1: Proof of Theorem 3

Proof

We summarize the modifications of the argument in [33] and the concrete reduction cost. The proof consists of three games (let \(p_i\) be the attacker \(\mathsf {A} \)’s success probability in \(\mathsf {Game} _i\)).

  • \(\mathsf {Game} _0:\) The original \(\mathsf {IND} \text{- }\mathsf {CPA} \) game.

  • \(\mathsf {Game} _1:\) Instead of generating \(\mathsf {pk}=({\bar{a}}_i,b_i)_{i \le t}\) with \(b_i = a_i \ \odot _{_{d+k}} s + e_i \in {\mathbb {Z}}_q^{<d+k}[x]\) using \(\mathsf {Titanium\text{- }CPA}.\mathsf {KeyGen} \), where we define \(a_i = \mathsf {Rev} ({\bar{a}}_i)\) for \(i=1,\ldots ,t\), the challenger sets \(b_i \hookleftarrow U({\mathbb {Z}}_q^{<d+k}[x])\) independently of \(a_i\).

    We can construct a distinguishing attacker against \(\mathsf {MP} \text{- }\mathsf {LWE} _{q,n,d+k,D_{\alpha q}}\) given t samples, that has run-time \(T_{\mathsf {MP} \text{- }\mathsf {LWE} } = T+O(t \cdot (n+d+k) \cdot \log q)\) and distinguishing advantage \(\varepsilon _{\mathsf {MP} \text{- }\mathsf {LWE} } = |p_1 - p_0|\). Given t \(\mathsf {MP} \text{- }\mathsf {LWE} \) samples \((a'_i, b'_i)_{ i \le t}\), the \(\mathsf {MP} \text{- }\mathsf {LWE} \) attacker computes \({\bar{a}}_i = \mathsf {Rev} (a'_i)\) and \(b_i = b'_i\) for \(i=1,\ldots ,t\), and sets \(\mathsf {pk}=({\bar{a}}_i,b_i)_{i \le t}\) as the public key. If \((a'_i,b'_i)\) have the \(\mathsf {MP} \) distribution (resp. uniform distribution), then \(({\bar{a}}_i,b_i)_{i \le t}\) have the correct public key distribution as in \(\mathsf {Game} _0\) (resp. \(\mathsf {Game} _1\)), using the fact that \(\mathsf {Rev} \) is an injective mapping on \({\mathbb {Z}}_q^{<n}[x]\).

  • \(\mathsf {Game} _2:\) Instead of generating the second challenge ciphertext component \(c_2\) as \(c'_2 = \sum ^t_{i=1} \mathsf {Rev} (r_i) \odot _{_d} b_i + \lfloor q/p \rfloor \cdot m \in {\mathbb {Z}}_q^{<d}[x]\), the challenger sets \(c_2 \hookleftarrow U({\mathbb {Z}}_q^{<d}[x])\), but leaves \(c_1 = \sum _{i\le t} r_i \cdot a_i\) as before. By the LHL (Lemma 7) with \(\gamma (T) = B_1^{N_{\mathsf {dec1} }} \cdot B_2^{N_{\mathsf {dec} }-N_{\mathsf {dec1} }}\), the (exponential of the) inverse min-entropy of the input \((\mathsf {Rev} (r_1),\ldots ,\mathsf {Rev} (r_t))\) to the universal hash family of Lemma 8, \(|Y|=q^d\) the hash output space size, and \(|Z| = q^{n+k}\) the size of the leakage space due to \(c_1\), the statistical distance between the distributions of the challenge ciphertext in \(\mathsf {Game} _2\) and \(\mathsf {Game} _1\) is at most \(\varDelta _{\mathsf {LHL} }\) if the condition

    $$\begin{aligned} \frac{1}{2} \cdot \sqrt{B_1^{-N_{\mathsf {dec1} }} \cdot B_2^{-(N_{\mathsf {dec} }-N_{\mathsf {dec1} })} q^{n+d+k}} \le \varDelta _{\mathsf {LHL} } \end{aligned}$$
    (45)

    holds, which is equivalent to (26), using the definitions \(N_{\mathsf {dec} } {\mathop {=}\limits ^{\mathrm {def}}}(k+1) \cdot t\), \(B_1=2^{b_1+1}\) and \(B_2=2^{b_2+1}\).

In the last game, the attacker’s view is independent of the encrypted challenge message, so \(p_2=1/2\). It follows that \(|p_0-p_2| = |p_0-1/2| = \varepsilon /2 \le |p_1-p_0| + |p_2-p_1| \le \varepsilon _{\mathsf {MP} \text{- }\mathsf {LWE} } + \varDelta _{\mathsf {LHL} }\), which gives (30). \(\square \)

Cite this article

Steinfeld, R., Sakzad, A. & Zhao, R.K. Practical \(\mathsf {MP} \text{- }\mathsf {LWE} \)-based encryption balancing security-risk versus efficiency. Des. Codes Cryptogr. 87, 2847–2884 (2019). https://doi.org/10.1007/s10623-019-00654-5
