Abstract
The first CCA secure public key encryption (PKE) on the learning parity with noise (LPN) assumption was invented by Döttling et al. (ASIACRYPT 2012). At PKC 2014, Kiltz et al. gave a simpler and more efficient construction, where a double-trapdoor technique was introduced to handle the decryption queries in game simulation. Different from the technique, we build in the standard model the CCA secure PKE on a variant of Extended Knapsack LPN problem (which is provably equivalent to the standard LPN problem). We abstract out an ephemeral key from the LPN assumption, which can then be used to encrypt the underlying plaintext when equipped with several typical classes of cryptographic primitives. Thanks to these techniques, the decryption queries can be correctly answered (yet without relying on a double-trapdoor mechanism) during security reduction from LPN. The resulting simple proposal appears more modular and efficient.
1 Introduction
In cryptography and learning theory, the Learning Parity with Noise (LPN) problem has become a well-known problem. The two versions of LPN have been shown to be polynomially equivalent [10]. The decisional one with parameters \( 0<\mu <1/2\) (noise rate), \(m=\mathsf {poly}(n)\), \(n\in {\mathbb {N}} \) postulates that \( ({\mathbf {A}},\langle \mathbf {A,s}\rangle +{\mathbf {e}}) \) is pseudorandom given \( {\mathbf {A}} \) (i.e., computationally indistinguishable from uniform randomness), where \( {\mathbf {A}}\in \{0,1\}^{m\times n}\), \({\mathbf {s}}\in \{0,1\}^{n} \) are chosen uniformly at random, \( {\mathbf {e}}\in \{0,1\}^{m} \) is distributed according to \( {\mathcal {B}}_{\mu }^{m} \) (i.e., the concatenation of m independent copies of the Bernoulli distribution \( {\mathcal {B}}_{\mu } \) with \( \mathrm {Pr}[{\mathcal {B}}_{\mu }=1]=\mu \)), \( \langle \cdot ,\cdot \rangle \) denotes the inner product of two vectors and ‘\( +\)’ denotes the XOR operation. The computational version assumes that it is computationally infeasible to recover the random secret binary vector \( {\mathbf {s}}\in \{0,1\}^{n} \) from those noisy linear samples.
LPN Hardness. The computational LPN problem corresponds to the well-known NP-complete problem of decoding random linear codes [2], which makes LPN a promising candidate for post-quantum cryptography. Furthermore, the simplicity of LPN makes it more suitable for weak-power devices (e.g., RFID tags) than other post-quantum candidates such as LWE [17]. The best known algorithms for solving the constant-noise (noise parameter \( 0<\mu <1/2 \)) LPN problem require \( 2^{O(n/\log n)} \) time and samples [4, 12]. When given only polynomially many \( \mathsf {poly}(n) \) samples, the time complexity goes up to \( 2^{O(n/\log \log n)} \) [13], and even \( 2^{O(n)} \) when given only linearly many O(n) samples [14, 19]. Under a low noise rate, i.e., \( \mu =O(n^{-c}) \) (typically \( c=1/2 \)), the best LPN solvers need only \( 2^{O(n^{1-c})} \) time when given O(n) samples [3, 19].
1.1 Related Work
PKE with CPA security. Retrospectively, Alekhnovich [1] constructed the first CPA-secure public-key encryption scheme from low-noise LPN (i.e., noise rate \( \mu =1/\sqrt{n} \)). Inspired by the schemes of Regev [17] and Gentry et al. [9], Döttling et al. proposed an alternative one [8]. The work of Yu and Zhang [20] in 2016 made a breakthrough in solving the open problem of constructing public-key primitives based on constant-noise LPN problem. In their IND-CPA scheme, they used a variant assumption called LPN on Squared-Log Entropy and gave a tight requirement of secret key’s distribution.
PKE with CCA security. IND-CCA security [16] is one of the strongest known notions of security for public-key encryption schemes. Döttling et al. [8] constructed the first CCA-secure PKE scheme from low-noise LPN by using the correlated products approach of [18]. But the complexity of that scheme was hundreds of times worse than Alekhnovich’s scheme. Kiltz et al. [11] gave a more efficient CCA-secure construction by means of the techniques from LWE-based encryption in [15] with some technical changes. Specifically, they used a double-trapdoor mechanism, together with a trapdoor switching lemma so that there is always an available trapdoor to answer the decryption queries in game simulation. In [20], Yu and Zhang constructed the first constant-noise LPN problem based CCA-secure scheme which uses a tag-based encryption technique.
1.2 Our Contributions
In this work, we propose a simple and efficient PKE scheme which is IND-CCA secure from low-noise LPN. We build a neat construction with noise rate \( \mu \approx O(\sqrt{1/n}) \).
With an IND-CPA secure private-key scheme and a collision resistant hash function \( {\mathsf {H}} \) we plug the \( {\mathsf {H}}({\mathbf {c}}_{1},{\mathbf {c}}_{2},{\mathbf {s}},\mathbf {H_{t}}) \) into \( \mathsf {Enc}'_{{\mathbf {k}}}({\mathbf {m}}) \) where \( {\mathbf {k}}={\mathsf {H}}({\mathbf {c}}_{1},{\mathbf {c}}_{2},{\mathbf {s}},\mathbf {H_{t}}) \) becomes a secret key of the \( \mathsf {Enc}' \) algorithm of an IND-CPA-secure private-key scheme \( \mathrm {\Pi }' \). Intuitively, based on the indistinguishability of LPN samples, it holds that the scheme is IND-sTag-CCA secure (see Definition 4) and can be efficiently transformed into a CCA-secure encryption scheme [5, 11, 20].
2 Preliminaries
2.1 Notations and Definitions
We use capital letters (e.g., X, Y) for random variables and distributions, standard letters (e.g., x, y) for values. Vectors are written in column form and denoted by bold lower-case letters (e.g., \( {\mathbf {a}} \)). We treat matrices as the sets of their column vectors and denote them by bold capital letters (e.g., \( {\mathbf {A}} \)). For a binary string x, |x| refers to the Hamming weight of x. We use \( {\mathcal {B}}_{\mu } \) to denote the Bernoulli distribution with parameter \( \mu \), i.e., \( \mathrm {Pr}[{\mathcal {B}}_{\mu }=1]=\mu \), \(\mathrm {Pr}[{\mathcal {B}}_{\mu }=0]=1-\mu \), while \( {\mathcal {B}}_{\mu }^{n} \) denotes the concatenation of n independent copies of \( {\mathcal {B}}_{\mu } \). For n, \( \ell \in {\mathbb {N}}\), \( U_{n} \) (resp., \( U_{\ell \times n} \)) denotes the uniform distribution over \( \{0,1\}^{n} \) (resp., \( \{0,1\}^{\ell \times n} \)), independent of any other random variables in consideration. \( X\sim D \) denotes that random variable X follows distribution D. We use \( s\leftarrow S \) to denote sampling an element s according to distribution S. For random variables X and Y, the statistical distance between them is defined by \( \varDelta (X, Y)=\frac{1}{2}\cdot \sum _{x}\left| \mathrm {Pr}[X=x]-\mathrm {Pr}[Y=x]\right| \). If for probability ensembles \( X=\{X_{n}\} _{n\in {\mathbb {N}}}\) and \( Y=\{Y_{n}\}_{n\in {\mathbb {N}}} \), \( \varDelta (X_{n}, Y_{n})\le \mathsf {negl}(n) \) holds, then X and Y are called statistically indistinguishable, denoted by \( X\overset{s}{\sim }Y \). If for any PPT distinguisher \( {\mathcal {D}} \), \( \left| \mathrm {Pr}[{\mathcal {D}}(X_{n})=1]-\mathrm {Pr}[{\mathcal {D}}(Y_{n})=1]\right| \le \mathsf {negl}(n) \) holds, then X and Y are called computationally indistinguishable, denoted by \( X\overset{c}{\sim }Y \).
Collision Resistant Hash Function. A hash function family \( {\mathcal {H}}=\{{\mathsf {H}}:{\mathcal {X}}\rightarrow {\mathcal {Y}}\} \) is collision resistant if for any PPT adversary \( {\mathcal {A}} \), it satisfies that \( \mathrm {Adv}_{\mathcal {H,A}}^{cr}(n)=\mathrm {Pr}[{\mathsf {H}}\overset{\$}{\leftarrow }{\mathcal {H}},(x,x')\overset{\$}{\leftarrow }{\mathcal {A}}({\mathsf {H}}):{\mathsf {H}}(x)={\mathsf {H}}(x')\wedge x\ne x']\le \mathsf {negl}(n) \).
2.2 Learning Parity with Noise
Definition 1
(Learning Parity with Noise). The decisional \( \mathbf {\mathsf {LPN}}_{n,m,\mu } \) problem is hard if for every \( m=\mathsf {poly}(n) \) we have \( ({\mathbf {A}}, {\mathbf {A}}\cdot \mathbf {s+e})\overset{c}{\sim }({\mathbf {A}},{\mathbf {b}}) \) where \({\mathbf {A}}\sim U_{m\times n} \), \( {\mathbf {s}}\sim U_{n}, {\mathbf {e}}\sim {\mathcal {B}}^{m}_{\mu } \) and \( {\mathbf {b}}\sim U_{m} \) while the secret length is n and the noise rate is \( 0<\mu <1/2 \). The computational \( \mathbf {\mathsf {LPN}}_{n,m,\mu } \) problem is hard if for every \( m=\mathsf {poly}(n) \) and every PPT algorithm \( {\mathcal {D}} \) we have \( \mathrm {Pr}[ {\mathcal {D}}({\mathbf {A}}, {\mathbf {A}}\cdot \mathbf {s+e})={\mathbf {s}} ]=\mathsf {negl}(n) \) where \( {\mathbf {A}}\sim U_{m\times n} \), \( {\mathbf {s}}\sim U_{n} \) and \( {\mathbf {e}}\sim {\mathcal {B}}^{m}_{\mu } \).
Definition 2
(Knapsack LPN-KLPN). The knapsack LPN problem is hard if for \( m>n \) samples we have \( ({\mathbf {A}}, \mathbf {A^{\intercal }t})\overset{c}{\sim }({\mathbf {A}}, {\mathbf {b}}) \) where \( {\mathbf {A}}\sim U_{m\times n} \), \( {\mathbf {t}}\sim {\mathcal {B}}_{\mu }^{m} \), \( {\mathbf {b}}\sim U_{n} \).
With a standard hybrid argument technique, we have results on the \( \ell \)-fold LPN and \( \ell \)-fold KLPN that \( (\mathbf {A,AS+E})\overset{c}{\sim }(\mathbf {A,B_{1}}) \) where \( {\mathbf {A}}\sim U_{m\times n},{\mathbf {S}}\sim U_{n\times \ell },{\mathbf {E}}\sim {\mathcal {B}}_{\mu }^{m\times \ell } \) and \( {\mathbf {B}}_{1}\sim U_{m\times \ell } \); \( (\mathbf {A,T^{\intercal }A})\overset{c}{\sim }(\mathbf {A,B_{2}}) \) where \( {\mathbf {A}}\sim U_{m\times n},{\mathbf {T}}\sim {\mathcal {B}}_{\mu }^{m\times \ell }\) and \({\mathbf {B}}_{2}\sim U_{\ell \times n} \).
Definition 3
(Extended Knapsack LPN-EKLPN). The Extended Knapsack LPN problem is hard if for \( m>n \) samples we have \( ({\mathbf {A}},\mathbf {A^{\intercal }t},{\mathbf {e}},\mathbf {t^{\intercal }e})\overset{c}{\sim }({\mathbf {A}},\mathbf {b,e,t^{\intercal }e}) \) where \( {\mathbf {A}}\sim U_{m\times n},{\mathbf {b}}\sim U_{n} \), \( \mathbf {t,e}\sim {\mathcal {B}}_{\mu }^{m} \).
Lemma 1
Assume that the Extended Knapsack LPN problem is hard then we have \( ({\mathbf {A}},\mathbf {A^{\intercal }t},{\mathbf {e}},\mathbf {t^{\intercal }e})\overset{c}{\sim }({\mathbf {A}},\mathbf {A^{\intercal }t'},\mathbf {e,t^{\intercal }e}) \).
Proof
From Definition 3 we have \( ({\mathbf {A}},\mathbf {A^{\intercal }t},{\mathbf {e}},\mathbf {t^{\intercal }e})\overset{c}{\sim }({\mathbf {A}},\mathbf {b,e,t^{\intercal }e}) \). From Definition 2 we have \( ({\mathbf {A}}, \mathbf {A^{\intercal }t'})\overset{c}{\sim }({\mathbf {A}}, {\mathbf {b}}) \) where \( {\mathbf {A}}\sim U_{m\times n} \), \( \mathbf {t,t',e}\sim {\mathcal {B}}_{\mu }^{m} \). By combining these two equations, we immediately obtain \( ({\mathbf {A}},\mathbf {A^{\intercal }t},{\mathbf {e}},\mathbf {t^{\intercal }e})\overset{c}{\sim }({\mathbf {A}},\mathbf {A^{\intercal }t'},\mathbf {e,t^{\intercal }e}). \)
For the reduction from the Extended Knapsack LPN problem to the standard LPN problem, we refer to [7].
3 CCA Secure PKE from Low-Noise LPN
In this section, we construct a CCA-secure PKE from the low-noise LPN problem. Technically, we construct a tag-based PKE secure against selective-tag chosen-ciphertext attacks from LPN, which can be transformed into a standard CCA-secure PKE by using known techniques [5, 11, 20].
3.1 Tag-Based Encryption
A tag-based encryption (TBE) scheme with tag-space \( {\mathcal {T}} \) and message-space \( {\mathcal {M}} \) consists of three PPT algorithms \( \mathcal {TBE}=(\mathsf {KeyGen,Enc,Dec}) \). The randomized key generation algorithm \( \mathsf {KeyGen} \) takes the security parameter n as input and outputs a public key pk and a secret key sk, denoted as \( (pk,sk)\leftarrow \mathsf {KeyGen}(1^{n}) \). The randomized encryption algorithm \( \mathsf {Enc} \) takes pk, a tag \( {\mathbf {t}}\in {\mathcal {T}} \), and a plaintext \( {\mathbf {m}}\in {\mathcal {M}} \) as input and outputs a ciphertext C, denoted as \( C\leftarrow \mathsf {Enc}(pk,\mathbf {t,m}) \). The deterministic algorithm \( \mathsf {Dec} \) takes sk, a tag \( {\mathbf {t}} \) and C as inputs and outputs a plaintext \( {\mathbf {m}} \) or a special symbol \( \perp \), which is denoted as \( {\mathbf {m}}\leftarrow \mathsf {Dec}(sk,{\mathbf {t}},C) \). For correctness, we require that for all \( (pk,sk)\leftarrow \mathsf {KeyGen}(1^{n}) \), any tag \( {\mathbf {t}} \), any plaintext \( {\mathbf {m}} \) and any \( C\leftarrow \mathsf {Enc}(pk,{\mathbf {t}},{\mathbf {m}}) \), the equation \( \mathsf {Dec}(sk,{\mathbf {t}},C) ={\mathbf {m}}\) holds with overwhelming probability.
We consider the following game between a challenger \( {\mathcal {C}} \) and an adversary \( {\mathcal {A}} \).
- Init. The adversary \( {\mathcal {A}} \) takes the security parameter n as input, and outputs a target tag \( {\mathbf {t}}^{*} \) to the challenger \( {\mathcal {C}} \).
- KeyGen. The challenger \( {\mathcal {C}} \) computes \( (pk,sk)\leftarrow \mathsf {KeyGen}(1^{n}) \), gives the public key pk to the adversary \( {\mathcal {A}} \), and keeps the secret key sk.
- Phase 1. The adversary \( {\mathcal {A}} \) can make polynomially many decryption queries for any pair \( ({\mathbf {t}},C) \), with the restriction that \( {\mathbf {t}}\ne {\mathbf {t}}^{*} \), and the challenger \( {\mathcal {C}} \) returns \( {\mathbf {m}}\leftarrow \mathsf {Dec}(sk,{\mathbf {t}},C) \) to \( {\mathcal {A}} \) accordingly.
- Challenge. The adversary \( {\mathcal {A}} \) outputs two equal-length plaintexts \( {\mathbf {m}}_{0},{\mathbf {m}}_{1}\in {\mathcal {M}} \). The challenger \( {\mathcal {C}} \) randomly chooses a bit \( b^{*}\overset{\$}{\leftarrow }\{0,1\} \), and returns the challenge ciphertext \( C^{*}\leftarrow \mathsf {Enc}(pk,{\mathbf {t}}^{*},{\mathbf {m}}_{b^{*}}) \) to the adversary \( {\mathcal {A}} \).
- Phase 2. The adversary can make more decryption queries as in Phase 1.
- Guess. Finally, \( {\mathcal {A}} \) outputs a guess \( b\in \{0,1\} \). If \( b=b^{*} \), the challenger \( {\mathcal {C}} \) outputs 1, else outputs 0.
- Advantage. \( {\mathcal {A}} \)’s advantage is defined as \(\mathrm {Adv}_{\mathcal {TBE,A}}^{\mathrm {ind-stag-cca}}(1^{n})\overset{\mathrm {def}}{=}|\mathrm {Pr}[b=b^{*}]-\frac{1}{2}| \).
Definition 4
(IND-sTag-CCA.) We say that a TBE scheme \( \mathcal {TBE} \) is IND-sTag-CCA secure if for any PPT adversary \( {\mathcal {A}} \), its advantage is negligible in n.
3.2 The Construction
Our TBE scheme \( \mathcal {TBE} \) is constructed by using the following parameters and building blocks. Let k be the security parameter, \( n=\varTheta (k^{2}) \), and \( m\in {\mathbb {Z}} \) such that \( m\ge 2n \). A constant \( 0<c<\frac{1}{6} \) (recall that we set \( 6c<\alpha <1 \)) defines the Bernoulli parameter \( \mu =\sqrt{c/m} \) and the bounding parameter \( \beta =2\sqrt{cm} \) used to check consistency during decryption. Let \( {\mathbf {G}}\in {\mathbb {Z}}_{2}^{m\times n} \) be the generator matrix of a binary linear error-correcting code \( {\mathcal {C}}={\mathcal {C}}({\mathbf {G}}) \) that has an efficient decoding algorithm \( \mathsf {Decode}_{{\mathbf {G}}} \) correcting up to \( \alpha m \) errors (we refer to [11] for details about the error-correcting code). Let the tag-space be \( {\mathcal {T}}={\mathbb {F}}_{2^{n}} \). We use a matrix representation \( {\mathbf {H}}_{{\mathbf {t}}}\in \{0,1\}^{n\times n} \) for finite field elements \( {\mathbf {t}}\in {\mathbb {F}}_{2^{n}} \) [5, 6, 11] such that \( \mathbf {H_{0}}={\mathbf {0}} \), \( \mathbf {H_{t}} \) is invertible for any \( {\mathbf {t}}\ne {\mathbf {0}} \), and \( \mathbf {H_{t_{1}}}+\mathbf {H_{t_{2}}}=\mathbf {H_{t_{1}+t_{2}}} \). Let \( {\mathcal {H}}:=\{{\mathsf {H}}:{\mathbb {Z}}_{2}^{m}\times {\mathbb {Z}}_{2}^{m}\times {\mathbb {Z}}_{2}^{n}\times {\mathbb {Z}}_{2}^{n\times n}\rightarrow {\mathbb {Z}}_{2}^{\ell }\} \) be a family of collision resistant hash functions. Let \( \mathrm {\Pi }' =(\mathsf {Enc}',\mathsf {Dec}')\) be a private-key encryption scheme for messages \( {\mathbf {m}}\in \{0,1\}^{\ell '} \) (\( \ell '\ll n \), say \( \ell '=128 \) typically). We present the construction of \( \mathcal {TBE}=(\mathsf {KeyGen, Enc, Dec}) \) with message space \( \{0,1\}^{\ell '} \) in Fig. 1.
3.3 Correctness
Lemma 2
(Chernoff Bound [11, 20]). For any \( 0<\mu <1 \) and any \( \delta >0 \), we have \( \mathrm {Pr}[|{\mathcal {B}}_{\mu }^{m}|>(1+\delta )\mu m]<e^{\frac{-\mathsf {min}(\delta ,\delta ^{2})}{3}\mu m}; \) in particular, for \( \delta =1 \), \( \mathrm {Pr}[|{\mathcal {B}}_{\mu }^{m}|>2\mu m]<e^{-\mu m/3}. \)
Obviously, for the chosen \( {\mathbf {e}}_{1}\overset{\$}{\leftarrow }{\mathcal {B}}_{\mu }^{m} \), the Chernoff Bound yields: \( \mathrm {Pr}[|{\mathbf {e}}_{1}|>\underbrace{\beta }_{{=2\mu m}}]<e^{-\mu m/3}=2^{-\varTheta (\sqrt{m})}. \)
Theorem 1
(Correctness). Let the parameters be chosen as in our construction. Then, with overwhelming probability over the choice of the public and secret keys, for all \( {\mathbf {m}}\in \{0,1\}^{\ell '} \) and \( c\leftarrow \mathsf {Enc}(pk,{\mathbf {m}}) \), \(\mathsf {Dec}(sk,c) \) outputs \( {\mathbf {m}} \) correctly.
Proof
The scheme’s correctness requires the following:
1. \( |(\mathbf {T'-T}){\mathbf {e}}_{1}|\le \alpha m \) (to let \( \mathsf {Decode}_{{\mathbf {G}}} \) reconstruct \( {\mathbf {s}} \) from \( {\mathbf {y}}={\mathbf {c}}_{2}-\mathbf {Tc}_{1} \)).
2. \( |{\mathbf {c}}_{1}-\mathbf {As}|\le \beta \wedge |{\mathbf {c}}_{2}-(\mathbf {GH_{t}+B}){\mathbf {s}}|\le \frac{\alpha m}{3} \).
For the decryption algorithm we require that the Hamming weight of the product of a matrix \( {\mathbf {T}}\overset{\$}{\leftarrow }{\mathcal {B}}_{\mu }^{m\times m} \) and a vector \( {\mathbf {e}}_{1}\overset{\$}{\leftarrow }{\mathcal {B}}_{\mu }^{m} \) is upper bounded by \( \frac{1}{3}\alpha m \) with overwhelming probability. We first analyze the inner product of a vector \( {\mathbf {t}}\overset{\$}{\leftarrow }{\mathcal {B}}_{\mu }^{m} \) (a row of \( {\mathbf {T}} \)) and the vector \( {\mathbf {e}}_{1}\overset{\$}{\leftarrow }{\mathcal {B}}_{\mu }^{m} \), whose Hamming weight is at most \( \beta \) as shown above. Since \( |{\mathbf {e}}_{1}|\le \beta \), a necessary condition for \( {\mathbf {t}}^{\intercal }{\mathbf {e}}_{1}=1 \) is that \( {\mathbf {t}}[i]=1 \) for at least one of the i’s where \( {\mathbf {e}}_{1}[i]=1 \). By a simple XOR-Lemma, it holds that \( \mu '=\mathrm {Pr}[{\mathbf {t}}^{\intercal }{\mathbf {e}}_{1}=1]\le \beta \mu =2c. \)
By the Chernoff Bound (Lemma 2) with \( \delta =\alpha /(3\mu ')-1 \) (where \( \mu '\le 2c<\alpha /3 \)), \( \mathrm {Pr}\left[ |\mathbf {Te}_{1}|>\frac{1}{3}\alpha m\right] = \mathrm {Pr}\left[ |\mathbf {Te}_{1}|>(1+\delta )\mu ' m\right] < e^{\frac{-\mathsf {min}(\delta ,\delta ^{2})}{3}\mu ' m}. \)
Since \( \delta \mu '=\alpha /3-\mu '\ge \alpha /3-2c>0 \) and \( \delta =\alpha /(3\mu ')-1\ge \alpha /(6c)-1>0 \) are lower bounded by positive constants, we obtain \( \mathrm {Pr}\left[ |\mathbf {Te}_{1}|>\frac{1}{3}\alpha m\right] <e^{\frac{-\mathsf {min}(\delta ,\delta ^{2})}{3}\mu ' m}=2^{-\varTheta (m)}. \)
Finally, in the ciphertext of our construction, \( |{\mathbf {c}}_{1}-\mathbf {As}|=|{\mathbf {e}}_{1}|\le \beta \wedge |{\mathbf {c}}_{2}-(\mathbf {GH_{t}+B}){\mathbf {s}}|=|\mathbf {T'e}_{1}|\le \frac{1}{3}\alpha m \) holds with overwhelming probability \( 1-2^{-\varTheta (\sqrt{m})} \). In the decryption operation we compute \( {\mathbf {y}} ={\mathbf {c}}_{2}-{\mathbf {T}}\cdot {\mathbf {c}}_{1} =(\mathbf {GH_{t}+B})\cdot {\mathbf {s}}+\mathbf {T'e}_{1}-{\mathbf {T}}(\mathbf {A\cdot {\mathbf {s}}+{\mathbf {e}}_{1}}) =\mathbf {GH_{t}}\cdot {\mathbf {s}}+(\mathbf {T'-T})\cdot {\mathbf {e}}_{1}, \) so it is sufficient to bound the error term \( |(\mathbf {T'-T}){\mathbf {e}}_{1}| \). It holds that \( |(\mathbf {T'-T}){\mathbf {e}}_{1}|\le |\mathbf {T'e}_{1}|+|\mathbf {Te}_{1}|\le \frac{2}{3}\alpha m<\alpha m. \) Therefore, the decoding procedure \( \mathsf {Decode}_{{\mathbf {G}}} \) will successfully recover \( {\mathbf {s}} \).
In all, the message \( {\mathbf {m}} \) can be decrypted with overwhelming probability. \(\square \)
3.4 Security
Theorem 2
Assume that the LPN problem is hard, \( {\mathsf {H}} \) is a collision resistant hash function and \( \mathrm {\Pi }'\) is an IND-CPA-secure private-key encryption scheme. Then our TBE scheme \( \mathcal {TBE} \) in Fig. 1 is IND-sTag-CCA secure.
Proof
Let \( {\mathcal {A}} \) be any PPT adversary that can attack our scheme \( \mathcal {TBE} \) with advantage \( \varepsilon \). We show that \( \varepsilon \) must be negligible in n. We continue the proof by using a sequence of games, where the first game is the real game, while the last is a random game in which the challenge ciphertext contains one component from an IND-CPA secure private-key encryption. Thus if \( {\mathcal {A}} \) can win in the last game, it breaks the IND-CPA secure private-key encryption as well, which violates the assumption. The security of \( \mathcal {TBE} \) can be established by showing that \( {\mathcal {A}} \)’s advantages in any two consecutive games are negligibly close.
Game 1. This is the IND-sTag-CCA experiment. The challenger \( {\mathcal {C}} \) honestly runs the adversary \( {\mathcal {A}} \) with the security parameter k and obtains a target tag \( {\mathbf {t}}^{*} \) from \( {\mathcal {A}} \). Then, it simulates the IND-sTag-CCA security game for \( {\mathcal {A}} \) as follows:
- KeyGen. First uniformly choose a collision resistant hash function \( {\mathsf {H}}\overset{\$}{\leftarrow }{\mathcal {H}} \) and matrices \( {\mathbf {A}}\overset{\$}{\leftarrow }U_{m\times n} \), \( {\mathbf {T}}\overset{\$}{\leftarrow }{\mathcal {B}}_{\mu }^{m\times m} \). Then, compute \( {\mathbf {B}}=\mathbf {TA}\in \{0,1\}^{m\times n} \). Finally, \( {\mathcal {C}} \) sends \( pk=({\mathbf {A}},{\mathbf {B}}) \) to the adversary \( {\mathcal {A}} \), and keeps \( sk={\mathbf {T}} \) to itself.
- Phase 1. On receiving a decryption query \( c=({\mathbf {t}},({\mathbf {c}}_{1},{\mathbf {c}}_{2},{\mathbf {c}}_{3})) \) from the adversary \( {\mathcal {A}} \), the challenger \( {\mathcal {C}} \) directly returns \( \perp \) if \( {\mathbf {t}}=\mathbf {t^{*}} \). Otherwise it first computes \( {\mathbf {y}} ={\mathbf {c}}_{2}-{\mathbf {T}}\cdot {\mathbf {c}}_{1} =(\mathbf {GH_{t}+B})\cdot {\mathbf {s}}+\mathbf {T'e}_{1}-{\mathbf {T}}(\mathbf {A\cdot {\mathbf {s}}+{\mathbf {e}}_{1}}) =\mathbf {GH_{t}}\cdot {\mathbf {s}}+(\mathbf {T'-T}){\mathbf {e}}_{1} \). Then the challenger reconstructs \( \mathbf {b=H_{t}s} \) from \( {\mathbf {y}} \), removing the error \( (\mathbf {T'-T}){\mathbf {e}}_{1} \) by using the error-correcting property of \( {\mathbf {G}} \), and computes \( \mathbf {s=H_{t}^{-1}b} \). Then the challenger \( {\mathcal {C}} \) checks whether \(|{\mathbf {c}}_{1}-\mathbf {As}|\le \beta \wedge |{\mathbf {c}}_{2}-(\mathbf {GH_{t}+B}){\mathbf {s}}|\le \frac{1}{3}\alpha m \) holds. If yes, it computes \( {\mathbf {k}}={\mathsf {H}}({\mathbf {c}}_{1},{\mathbf {c}}_{2},{\mathbf {s}},\mathbf {H_{t}}), {\mathbf {m}}=\mathsf {Dec}_{{\mathbf {k}}}'({\mathbf {c}}_{3}) \); otherwise it sets \( {\mathbf {m}}=\perp \). Finally it returns \( {\mathbf {m}} \) to \( {\mathcal {A}} \).
- Challenge. After receiving two equal-length plaintexts \( {\mathbf {m}}_{0} \), \( {\mathbf {m}}_{1}\in \{0,1\}^{\ell '} \) from the adversary \( {\mathcal {A}} \), the challenger \( {\mathcal {C}} \) first randomly chooses a bit \( b^{*} \overset{\$}{\leftarrow }\{0,1\} \), and \( {\mathbf {s}}\overset{\$}{\leftarrow }U_{n}, {\mathbf {e}}_{1}\overset{\$}{\leftarrow }{\mathcal {B}}_{\mu }^{m} ,\mathbf {T'}\overset{\$}{\leftarrow }{\mathcal {B}}_{\mu }^{m\times m}. \) Then, it calculates \( {\mathbf {c}}_{1}^{*}:=\mathbf {As}+{\mathbf {e}}_{1}\in \{0,1\}^{m}, {\mathbf {c}}_{2}^{*}:=(\mathbf {GH_{{\mathbf {t}}^{*}}+B}){\mathbf {s}}+\mathbf {T'}{\mathbf {e}}_{1}\in \{0,1\}^{m}, {\mathbf {k}}={\mathsf {H}}({\mathbf {c}}_{1}^{*},{\mathbf {c}}_{2}^{*},{\mathbf {s}},\mathbf {H_{t^{*}}}) \in \{0,1\}^{\ell }, {\mathbf {c}}_{3}^{*}:=\mathsf {Enc}'_{{\mathbf {k}}}({\mathbf {m}}_{b^{*}})\in \{0,1\}^{\ell '} \), and returns the challenge ciphertext \( ({\mathbf {c}}_{1}^{*},{\mathbf {c}}_{2}^{*},{\mathbf {c}}_{3}^{*}) \) to the adversary \( {\mathcal {A}} \).
- Phase 2. The adversary can make more decryption queries and the challenger \( {\mathcal {C}} \) responds to \( {\mathcal {A}} \) as in Phase 1.
- Guess. Finally, \( {\mathcal {A}} \) outputs a guess \( b\in \{0,1\} \). If \( b=b^{*} \), the challenger \( {\mathcal {C}} \) outputs 1, else outputs 0.
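Game 1 above is the real scheme. The following toy implementation, added here and not the paper's code, instantiates KeyGen, Enc and the Phase 1 decryption (including the consistency check that returns ⊥) at toy parameters. Its stand-ins are assumptions of this example: the tag space is GF(2^8) (so n = 8 and tags are nonzero bytes), an R-fold repetition code with majority-vote decoding plays the role of G and Decode_G, and SHA-256 plays the role of both H and the IND-CPA private-key scheme Π'.

```python
"""Toy model of the LPN-based TBE scheme (pk = (A, B = TA), sk = T).
Vectors over GF(2) are Python ints (bit i = coordinate i); matrices are
lists of row ints. All constants below are toy choices, not the paper's."""
import hashlib
import math
import random

N = 8                        # secret length n (toy; the paper uses n = Theta(k^2))
R = 128                      # repetition factor of the toy code G
M = R * N                    # number of LPN samples m (m >= 2n)
C = 0.1                      # constant c with 0 < c < 1/6
ALPHA = 0.7                  # decoding-radius fraction alpha, 6c < alpha < 1
MU = math.sqrt(C / M)        # Bernoulli noise rate mu = sqrt(c/m)
BETA = 2 * math.sqrt(C * M)  # consistency bound beta = 2*sqrt(cm) = 2*mu*m
POLY = 0x11B                 # x^8 + x^4 + x^3 + x + 1, defines GF(2^8)
G = [1 << (i % N) for i in range(M)]   # G = [I_n; I_n; ...], an m x n matrix

def weight(x):                # Hamming weight |x|
    return bin(x).count("1")

def matvec(rows, v):          # GF(2) matrix-vector product
    return sum((weight(row & v) & 1) << i for i, row in enumerate(rows))

def matmul(a, b):             # GF(2) product: row i of a*b is the XOR of b[k] over set bits k of a[i]
    out = []
    for row in a:
        acc = 0
        for k, brow in enumerate(b):
            if (row >> k) & 1:
                acc ^= brow
        out.append(acc)
    return out

def matadd(a, b):             # entrywise XOR of two matrices
    return [x ^ y for x, y in zip(a, b)]

def gf_mul(a, b):             # multiplication in GF(2^8)
    r = 0
    while b:
        if b & 1:
            r ^= a
        b >>= 1
        a <<= 1
        if a & 0x100:
            a ^= POLY
    return r

def gf_inv(a):                # a^(2^8 - 2) = a^(-1) for a != 0
    r = 1
    for _ in range(254):
        r = gf_mul(r, a)
    return r

def h_matrix(t):              # n x n matrix H_t with H_t s = t*s in GF(2^8); H_0 = 0
    cols = [gf_mul(t, 1 << j) for j in range(N)]
    return [sum(((cols[j] >> i) & 1) << j for j in range(N)) for i in range(N)]

def bern_vec(rng, length):    # one sample from B_mu^length
    return sum(1 << i for i in range(length) if rng.random() < MU)

def decode_g(y):              # Decode_G: majority vote over the R copies of each bit
    out = 0
    for j in range(N):
        if 2 * sum((y >> i) & 1 for i in range(j, M, N)) > R:
            out |= 1 << j
    return out

def kdf(c1, c2, s, ht):       # H(c1, c2, s, H_t): the ephemeral key k
    h = hashlib.sha256()
    h.update(c1.to_bytes(M // 8, "little"))
    h.update(c2.to_bytes(M // 8, "little"))
    h.update(s.to_bytes((N + 7) // 8, "little"))
    for row in ht:
        h.update(row.to_bytes((N + 7) // 8, "little"))
    return h.digest()

def enc_prime(k, msg, rng):   # toy IND-CPA private-key Enc'_k: random nonce + SHA-256 keystream
    nonce = rng.getrandbits(128).to_bytes(16, "little")
    pad = hashlib.sha256(k + nonce).digest()[:len(msg)]
    return nonce, bytes(x ^ y for x, y in zip(msg, pad))

def dec_prime(k, c3):         # Dec'_k
    nonce, body = c3
    pad = hashlib.sha256(k + nonce).digest()[:len(body)]
    return bytes(x ^ y for x, y in zip(body, pad))

def keygen(rng):              # pk = (A, B = TA), sk = T
    A = [rng.getrandbits(N) for _ in range(M)]        # A ~ U_{m x n}
    T = [bern_vec(rng, M) for _ in range(M)]          # T ~ B_mu^{m x m}
    return (A, matmul(T, A)), T

def encrypt(pk, t, msg, rng):
    A, B = pk
    s, e1 = rng.getrandbits(N), bern_vec(rng, M)      # s ~ U_n, e1 ~ B_mu^m
    Tp = [bern_vec(rng, M) for _ in range(M)]         # fresh T' ~ B_mu^{m x m}
    c1 = matvec(A, s) ^ e1                            # c1 = As + e1
    c2 = matvec(matadd(matmul(G, h_matrix(t)), B), s) ^ matvec(Tp, e1)  # (G H_t + B)s + T'e1
    return c1, c2, enc_prime(kdf(c1, c2, s, h_matrix(t)), msg, rng)

def decrypt(pk, sk, t, ct):   # returns the plaintext, or None for the symbol ⊥
    A, B = pk
    c1, c2, c3 = ct
    ht = h_matrix(t)
    y = c2 ^ matvec(sk, c1)                           # y = G H_t s + (T' - T) e1
    s = gf_mul(gf_inv(t), decode_g(y))                # s = H_t^{-1} Decode_G(y)
    # consistency check: |c1 - As| <= beta and |c2 - (G H_t + B)s| <= alpha*m/3
    if weight(c1 ^ matvec(A, s)) > BETA or \
       weight(c2 ^ matvec(matadd(matmul(G, ht), B), s)) > ALPHA * M / 3:
        return None
    return dec_prime(kdf(c1, c2, s, ht), c3)

if __name__ == "__main__":
    rng = random.Random(7)    # seeded only to make the demo reproducible
    pk, sk = keygen(rng)
    ct = encrypt(pk, 0x57, b"sixteen byte msg", rng)
    print(decrypt(pk, sk, 0x57, ct), decrypt(pk, sk, 0x83, ct))
```

Decrypting under a different tag yields a wrong \( {\mathbf {s}} \) and fails the \( |{\mathbf {c}}_{1}-\mathbf {As}|\le \beta \) check, which is the tag binding the proof relies on.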
Let \( W_{i} \) be the event that \( {\mathcal {C}} \) outputs 1 in Game i for i in \( \{1,2,3\} \).
Game 2. This Game is identical to Game 1 except that the challenge phase is changed as follows:
- Challenge. After receiving two equal-length plaintexts \( {\mathbf {m}}_{0} \), \( {\mathbf {m}}_{1}\in \{0,1\}^{\ell '} \) from the adversary \( {\mathcal {A}} \), the challenger \( {\mathcal {C}} \) first randomly chooses a bit \( b^{*} \overset{\$}{\leftarrow }\{0,1\} \), and \( {\mathbf {s}}\overset{\$}{\leftarrow }U_{n}, {\mathbf {e}}_{1}\overset{\$}{\leftarrow }{\mathcal {B}}_{\mu }^{m} \). Then, it calculates \( {\mathbf {c}}_{1}^{*}:=\mathbf {As}+{\mathbf {e}}_{1}\in \{0,1\}^{m}, {\mathbf {c}}_{2}^{*}:=(\mathbf {GH_{{\mathbf {t}}^{*}}+B}){\mathbf {s}}+{\mathbf {T}}{\mathbf {e}}_{1}\in \{0,1\}^{m}, {\mathbf {k}}={\mathsf {H}}({\mathbf {c}}_{1}^{*},{\mathbf {c}}_{2}^{*},{\mathbf {s}},\mathbf {H_{t^{*}}}) \in \{0,1\}^{\ell }, {\mathbf {c}}_{3}^{*}:=\mathsf {Enc}'_{{\mathbf {k}}}({\mathbf {m}}_{b^{*}}) \in \{0,1\}^{\ell '} \), and returns the challenge ciphertext \( ({\mathbf {c}}_{1}^{*},{\mathbf {c}}_{2}^{*},{\mathbf {c}}_{3}^{*}) \) to the adversary \( {\mathcal {A}} \).
Lemma 3
\(|\mathrm {Pr}[W_{1}]-\mathrm {Pr}[W_{2}]|\le \mathsf {negl}(n) \)
Proof
The only difference between Game 1 and Game 2 is that \( {\mathcal {C}} \) replaces \( {\mathbf {c}}_{2}^{*}:=(\mathbf {GH_{{\mathbf {t}}^{*}}+B}){\mathbf {s}}+\mathbf {T'}{\mathbf {e}}_{1} \) in Game 1 with \( {\mathbf {c}}_{2}^{*}:=(\mathbf {GH_{{\mathbf {t}}^{*}}+B}){\mathbf {s}}+{\mathbf {T}}{\mathbf {e}}_{1} \) in Game 2. Next, we introduce a sequence of games {\(\hbox {Game}_{1,i} \)}\( _{i\in [0,m]} \) between Game 1 and Game 2 to replace \( \mathbf {T'} \) in the \( {\mathbf {c}}_{2}^{*} \) row by row. Firstly, we define \( {\mathbf {T}}=({\mathbf {t}}_{1},\cdots ,{\mathbf {t}}_{m})^{\intercal }, \mathbf {T'} = ({\mathbf {t}}_{1}',\cdots ,{\mathbf {t}}_{m}')^{\intercal }\).
- \(\hbox {Game}_{1,i} \), \( i\in [m] \). This game is a hybrid of Game 1 and Game 2: the challenger \( {\mathcal {C}} \) replaces \( {\mathbf {t}}_{i}'^{\intercal } \) with \( {\mathbf {t}}_{i}^{\intercal } \) in \( {\mathbf {c}}_{2}^{*} \) during the challenge phase and keeps the remaining rows as in Game\( _{1,i-1} \). Let Game\( _{1,0} \) be Game 1. Obviously, Game\( _{1,m} \) is identical to Game 2.
It suffices to show that \( |\mathrm {Pr}[W_{1,i}]-\mathrm {Pr}[W_{1,i-1}]|\le \mathsf {negl}(n) \) for any \( i\in [m] \). The hardness of the EKLPN problem ensures that the probability for adversary \( {\mathcal {A}} \) to distinguish Game\( _{1,i} \) from Game\( _{1,i-1} \) is negligible. Otherwise we can construct an algorithm \( {\mathcal {B}} \) to solve EKLPN problem. Precisely, \( {\mathcal {B}} \) is constructed by simulating Game\( _{1,i} \) or Game \( _{1,i-1} \) for \( {\mathcal {A}} \). \( {\mathcal {B}} \) is given a quadruple \(({\mathbf {A}},(\bar{{\mathbf {t}}}_{i}^{\intercal }{\mathbf {A}})^{\intercal },{\mathbf {e}}_{1},{\bar{z}}_{i})\), where \( {\bar{z}}_{i} \) is either \( \bar{{\mathbf {t}}}_{i}^{\intercal }{\mathbf {e}}_{1} \) or \( \bar{{\mathbf {t}}}_{i}'^{\intercal }{\mathbf {e}}_{1} \). \( {\mathcal {B}} \)’s behavior is as follows.
- KeyGen. \( {\mathcal {B}} \) picks \( {\mathsf {H}}\overset{\$}{\leftarrow }{\mathcal {H}} \), \( {\mathbf {T}}_{i} = \left( {\mathbf {t}}_{1},\cdots ,{\mathbf {r}}_{i},\cdots ,{\mathbf {t}}_{m} \right) ^{\intercal } \) and then \( {\mathcal {B}} \) sets \( {\mathbf {B}}=\left( {\mathbf {A}}^{\intercal }{\mathbf {t}}_{1},\cdots , \boxed {{\mathbf {A}}^{\intercal }\bar{{\mathbf {t}}}_{i}},\cdots ,{\mathbf {A}}^{\intercal }{\mathbf {t}}_{m} \right) ^{\intercal } \). Finally, \( {\mathcal {B}} \) sends \( pk=({\mathbf {A}},{\mathbf {B}}) \) to the adversary \( {\mathcal {A}} \), and keeps \( sk={\mathbf {T}}_{i} \) to itself. Note that the \( i^{th} \) row in \( {\mathbf {T}}_{i} \) is chosen randomly and the \( i^{th} \) row in \( {\mathbf {B}} \) is independent of it.
- Phase 1. On receiving a decryption query \( c=({\mathbf {t}},({\mathbf {c}}_{1},{\mathbf {c}}_{2},{\mathbf {c}}_{3})) \) from the adversary \( {\mathcal {A}} \), \( {\mathcal {B}} \) directly returns \( \perp \) if \( {\mathbf {t}}=\mathbf {t^{*}} \). Otherwise it first computes \( {\mathbf {y}} ={\mathbf {c}}_{2}-{\mathbf {T}}_{i}\cdot {\mathbf {c}}_{1} =(\mathbf {GH_{t}+B})\cdot {\mathbf {s}}+\mathbf {T'e}_{1}-{\mathbf {T}}_{i}({\mathbf {A}}\cdot {\mathbf {s}}+{\mathbf {e}}_{1}) =\mathbf {GH_{t}}\cdot {\mathbf {s}}+ \underbrace{ \left( \begin{array}{c} 0 \\ \vdots \\ (\bar{{\mathbf {t}}}_{i}^{\intercal }-{\mathbf {r}}_{i}^{\intercal })\mathbf {As}\\ \vdots \\ 0 \end{array} \right) +\left( \begin{array}{c} ({{\mathbf {t}}}_{1}'^{\intercal }-{\mathbf {t}}_{1}^{\intercal }){\mathbf {e}}_{1} \\ \vdots \\ ({{\mathbf {t}}}_{i}'^{\intercal }-{\mathbf {r}}_{i}^{\intercal }){\mathbf {e}}_{1}\\ \vdots \\ ({{\mathbf {t}}}_{m}'^{\intercal }-{\mathbf {t}}_{m}^{\intercal }){\mathbf {e}}_{1} \end{array} \right) }_{\mathrm {\varDelta }_{i}} \), \( \mathbf {H_{t}s}=\mathsf {Decode}({\mathbf {y}}) \). Writing \( {\mathbf {y}}=\mathbf {GH_{t}}{\mathbf {s}}+\mathrm {\varDelta }_{i} \), where \( |\mathrm {\varDelta }_{i}|\le \frac{2}{3}\alpha m+1 < \alpha m \), \( \mathsf {Decode}_{{\mathbf {G}}} \) can still correctly recover \( {\mathbf {s}} \) from \( {\mathbf {y}} \). Then \( {\mathcal {B}} \) checks whether \(|{\mathbf {c}}_{1}-\mathbf {As}|\le \beta \wedge |{\mathbf {c}}_{2}-(\mathbf {GH_{t}+B}){\mathbf {s}}|\le \frac{1}{3}\alpha m \) holds. If yes, it computes \( {\mathbf {k}}={\mathsf {H}}({\mathbf {c}}_{1},{\mathbf {c}}_{2},{\mathbf {s}},\mathbf {H_{t}}), {\mathbf {m}}=\mathsf {Dec}_{{\mathbf {k}}}'({\mathbf {c}}_{3}) \); otherwise it sets \( {\mathbf {m}}=\perp \). Finally it returns \( {\mathbf {m}} \) to \( {\mathcal {A}} \). Therefore, the decryption oracle behaves correctly.
- Challenge. After receiving two equal-length plaintexts \( {\mathbf {m}}_{0} \), \( {\mathbf {m}}_{1}\in \{0,1\}^{\ell '} \) from the adversary \( {\mathcal {A}} \), \( {\mathcal {B}} \) first randomly chooses a bit \( b^{*} \overset{\$}{\leftarrow }\{0,1\} \), and \( {\mathbf {s}}\overset{\$}{\leftarrow }U_{n}, {\mathbf {e}}_{1}\overset{\$}{\leftarrow }{\mathcal {B}}_{\mu }^{m} \). Then, it calculates \( {\mathbf {c}}_{1}^{*}:=\mathbf {As}+{\mathbf {e}}_{1}\in \{0,1\}^{m}, \mathbf {c_{2}^{*}}= \mathbf {(GH_{t^{*}}+B)s}+ \left( {\mathbf {e}}_{1}^{\intercal }{\mathbf {t}}_{1},\cdots ,{\mathbf {e}}_{1}^{\intercal }{\mathbf {t}}_{i-1}, \boxed {\bar{{z}}_{i}},{\mathbf {e}}_{1}^{\intercal }{\mathbf {t}}^{'}_{i+1},\cdots ,{\mathbf {e}}_{1}^{\intercal }{\mathbf {t}}^{'}_{m} \right) ^{\intercal } \in \{0,1\}^{m}, {\mathbf {k}}={\mathsf {H}}({\mathbf {c}}_{1}^{*},{\mathbf {c}}_{2}^{*},{\mathbf {s}},\mathbf {H_{t^{*}}}) \in \{0,1\}^{\ell },{\mathbf {c}}_{3}^{*}:=\mathsf {Enc}'_{{\mathbf {k}}}({\mathbf {m}}_{b^{*}})\in \{0,1\}^{\ell '} \), and returns the challenge ciphertext \( ({\mathbf {c}}_{1}^{*},{\mathbf {c}}_{2}^{*},{\mathbf {c}}_{3}^{*}) \) to the adversary \( {\mathcal {A}} \).
- Phase 2. The adversary can make more decryption queries and \( {\mathcal {B}} \) responds to \( {\mathcal {A}} \) as in Phase 1.
- Guess. Finally, \( {\mathcal {A}} \) outputs a guess \( b\in \{0,1\} \). If \( b=b^{*} \), \( {\mathcal {B}} \) outputs 1, else outputs 0.
If \( {\bar{z}}_{i}=\bar{{\mathbf {t}}}_{i}'^{\intercal }{\mathbf {e}}_{1} \), then \( {\mathcal {B}} \) simulates the behavior of the challenger in Game\( _{1,i-1} \) exactly. Hence, \( \mathrm {Pr}[W_{1,i-1}] = \mathrm {Pr}\left[ {\mathcal {B}}({\mathbf {A}},(\bar{{\mathbf {t}}}_{i}^{\intercal }{\mathbf {A}})^{\intercal },{\mathbf {e}}_{1},\bar{{\mathbf {t}}}_{i}'^{\intercal }{\mathbf {e}}_{1})=1\right] \).
If \( {\bar{z}}_{i}=\bar{{\mathbf {t}}}_{i}^{\intercal }{\mathbf {e}}_{1} \), then \( {\mathcal {B}} \) simulates the behavior of the challenger in Game\( _{1,i}\) exactly. Hence, \( \mathrm {Pr}[W_{1,i}] = \mathrm {Pr}\left[ {\mathcal {B}}({\mathbf {A}},(\bar{{\mathbf {t}}}_{i}^{\intercal }{\mathbf {A}})^{\intercal },{\mathbf {e}}_{1},\bar{{\mathbf {t}}}_{i}^{\intercal }{\mathbf {e}}_{1})=1\right] \).
Since the two input distributions of \( {\mathcal {B}} \) are computationally indistinguishable under the underlying assumption, we therefore have, for every \( i\in [m] \), \( |\mathrm {Pr}[W_{1,i-1}]-\mathrm {Pr}[W_{1,i}]| \le \mathsf {negl}(n) \).
Game 3. This game is identical to Game 2 except that the challenger \( {\mathcal {C}} \) replaces \( \mathbf {B=TA} \) with \( \mathbf {B'=B-GH_{t^{*}}}\in \{0,1\}^{m\times n} \) in the key generation phase.
Lemma 4
\( \mathrm {Pr}[W_{3}]=\mathrm {Pr}[W_{2}] \).
Proof
The only difference between Game 2 and Game 3 is that \( {\mathcal {C}} \) replaces \( \mathbf {B=TA} \) of Game 2 with \( \mathbf {B'=B-GH_{t^{*}}} \) in Game 3. The public key in Game 3 therefore has the same distribution as in Game 2, and \( {\mathcal {A}} \)'s view is unchanged. Thus \( \mathrm {Pr}[W_{3}]=\mathrm {Pr}[W_{2}] \).
Game 4. This game is identical to Game 3 except that the challenger \( {\mathcal {C}} \) replaces \( {\mathbf {c}}_{1}^{*}=\mathbf {As}+{\mathbf {e}}_{1}\in \{0,1\}^{m}\) with a uniformly random \( {\mathbf {c}}_{1}^{*}={\mathbf {u}}\in \{0,1\}^{m} \) in the challenge phase. Note that in Game 2, \( {\mathbf {c}}_{2}^{*}=(\mathbf {GH_{t^{*}}+B}){\mathbf {s}}+{\mathbf {T}}{\mathbf {e}}_{1}=\mathbf {GH_{t^{*}}s}+{\mathbf {T}}(\mathbf {As}+{\mathbf {e}}_{1})=\mathbf {GH_{t^{*}}s}+{\mathbf {T}}{\mathbf {c}}_{1}^{*} \). Therefore, in Game 3 we have \( {\mathbf {c}}_{2}^{*}=(\mathbf {GH_{t^{*}}+B'}){\mathbf {s}}+{\mathbf {T}}{\mathbf {e}}_{1}=\mathbf {Bs}+{\mathbf {T}}{\mathbf {e}}_{1}={\mathbf {T}}{\mathbf {c}}_{1}^{*} \), so \( {\mathbf {c}}_{2}^{*} \) can be formed from \( {\mathbf {c}}_{1}^{*} \) and \( {\mathbf {T}} \) alone.
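The three algebraic identities the simulation relies on (the Phase 1 residual \( {\mathbf {c}}_{2}-{\mathbf {T}}{\mathbf {c}}_{1}=\mathbf {GH_{t}s}+\mathrm {\varDelta } \), the Game 2 form \( {\mathbf {c}}_{2}^{*}=\mathbf {GH_{t^{*}}s}+{\mathbf {T}}{\mathbf {c}}_{1}^{*} \), and the Game 3 form \( {\mathbf {c}}_{2}^{*}={\mathbf {T}}{\mathbf {c}}_{1}^{*} \)) can be checked mechanically on a toy instance. The following Python is an added example, not code from the paper: it uses a random binary matrix as a stand-in for \( \mathbf {GH_{t^{*}}} \) (an assumption, since the code \( {\mathbf {G}} \) and the encoding \( \mathbf {H_{t}} \) are not instantiated here), a seeded PRNG so the run is reproducible, and performs no decoding.

```python
import random


def gf2_matvec(M, v):
    """M * v over GF(2); M is a list of 0/1 rows, v a 0/1 list."""
    return [sum(a & b for a, b in zip(row, v)) & 1 for row in M]


def gf2_matmul(M, N):
    """M * N over GF(2), both given as lists of rows."""
    cols = list(zip(*N))
    return [[sum(a & b for a, b in zip(row, col)) & 1 for col in cols] for row in M]


def gf2_add(*vecs):
    """Coordinate-wise XOR; over GF(2) this is both '+' and '-' of the paper."""
    return [sum(bits) & 1 for bits in zip(*vecs)]


def gf2_mat_add(M, N):
    return [gf2_add(r1, r2) for r1, r2 in zip(M, N)]


def weight(v):
    """Hamming weight |v|."""
    return sum(v)


def rand_bits(rng, length):
    return [rng.randrange(2) for _ in range(length)]


def bernoulli(rng, length, mu):
    """One sample from B_mu^length: each bit is 1 with probability mu."""
    return [1 if rng.random() < mu else 0 for _ in range(length)]


def toy_instance(n=32, m=128, mu=0.03, seed=7):
    """Constructed toy key material (assumption: GH is just a random matrix).
    A seeded PRNG keeps the run reproducible; a real implementation must draw
    everything from a CSPRNG such as the secrets module."""
    rng = random.Random(seed)
    A = [rand_bits(rng, n) for _ in range(m)]       # public LPN matrix, m x n
    s = rand_bits(rng, n)                            # ephemeral secret of one encryption
    e1 = bernoulli(rng, m, mu)                       # LPN noise
    T = [bernoulli(rng, m, mu) for _ in range(m)]    # low-weight trapdoor, m x m
    GH = [rand_bits(rng, n) for _ in range(m)]       # stand-in for G * H_{t*}
    B = gf2_matmul(T, A)                             # public key component B = T A
    return A, s, e1, T, GH, B


def game2_identity(**kw):
    """(GH + B) s + T e1 == GH s + T c1 with c1 = A s + e1:
    the simulator builds c2* from c1* without handling e1 on its own."""
    A, s, e1, T, GH, B = toy_instance(**kw)
    c1 = gf2_add(gf2_matvec(A, s), e1)
    honest = gf2_add(gf2_matvec(gf2_mat_add(GH, B), s), gf2_matvec(T, e1))
    simulated = gf2_add(gf2_matvec(GH, s), gf2_matvec(T, c1))
    return honest == simulated


def game3_identity(**kw):
    """With B' = B - GH, (GH + B') s + T e1 == T c1: after the key switch
    c2* depends on s only through c1*."""
    A, s, e1, T, GH, B = toy_instance(**kw)
    c1 = gf2_add(gf2_matvec(A, s), e1)
    B_prime = gf2_mat_add(B, GH)                     # subtraction is XOR over GF(2)
    honest = gf2_add(gf2_matvec(gf2_mat_add(GH, B_prime), s), gf2_matvec(T, e1))
    return honest == gf2_matvec(T, c1)


def phase1_residual(**kw):
    """Decryption residual y = c2 - T c1 when the encryptor used its own
    low-weight T' instead of T: y = GH s + (T' - T) e1. Returns whether the
    identity holds and the weight of Delta = (T' - T) e1 that Decode must absorb."""
    A, s, e1, T, GH, B = toy_instance(**kw)
    rng = random.Random(kw.get("seed", 7) + 1)
    m, mu = len(e1), kw.get("mu", 0.03)
    T_prime = [bernoulli(rng, m, mu) for _ in range(m)]
    c1 = gf2_add(gf2_matvec(A, s), e1)
    c2 = gf2_add(gf2_matvec(gf2_mat_add(GH, B), s), gf2_matvec(T_prime, e1))
    y = gf2_add(c2, gf2_matvec(T, c1))
    delta = gf2_matvec(gf2_mat_add(T_prime, T), e1)
    return y == gf2_add(gf2_matvec(GH, s), delta), weight(delta)


if __name__ == "__main__":
    print(game2_identity(), game3_identity(), phase1_residual())
```

The weight returned by phase1_residual is what the paper's bound \( |\mathrm {\varDelta }_{i}| < \alpha m \) must control; whether the toy parameters above keep it inside the decoding radius of a concrete \( {\mathbf {G}} \) is not something this example checks.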
Lemma 5
\( | \mathrm {Pr}[W_{4}]-\mathrm {Pr}[W_{3}] |\le \mathsf {negl}(n) \).
Proof
The only difference between Game 3 and Game 4 is that \( {\mathcal {C}} \) replaces \( {\mathbf {c}}_{1}^{*}=\mathbf {As}+{\mathbf {e}}_{1}\in \{0,1\}^{m}\) of Game 3 with \( {\mathbf {c}}_{1}^{*}={\mathbf {u}}\in \{0,1\}^{m} \) in Game 4. Suppose \( {\mathcal {A}} \) distinguishes Game 3 from Game 4 with non-negligible advantage \( \mathsf {adv}(n) \). Then we can construct a distinguisher \( {\mathcal {D}} \) that, on input \( ({\mathbf {A}},{\mathbf {y}}) \), sets \( {\mathbf {c}}_{1}^{*}:={\mathbf {y}} \), runs the remaining steps of the Game 3 challenger with \( {\mathcal {A}} \), and outputs 1 iff \( {\mathcal {A}} \) wins. When \( {\mathbf {y}}=\mathbf {A\cdot s}+{\mathbf {e}} \) this is exactly Game 3, and when \( {\mathbf {y}}={\mathbf {u}}\overset{\$}{\leftarrow } U_{m} \) it is exactly Game 4, so \( \left| \mathrm {Pr}[{\mathcal {D}}({\mathbf {A}},\mathbf {A\cdot s}+{\mathbf {e}})=1] - \mathrm {Pr}[{\mathcal {D}}({\mathbf {A}},{\mathbf {u}})=1] \right| =\left| \mathrm {Pr}[W_{3}] -\mathrm {Pr}[W_{4}] \right| =\mathsf {adv}(n) \), i.e., \( {\mathcal {D}} \) distinguishes \( ({\mathbf {A}},\mathbf {A\cdot s}+{\mathbf {e}}) \) from \( ({\mathbf {A}},{\mathbf {u}}) \), contradicting the decisional LPN assumption. Hence \( \left| \mathrm {Pr}[W_{3}]-\mathrm {Pr}[W_{4}] \right| \le \mathsf {negl}(n) \).
Lemma 6
\( \mathrm {Pr}[W_{4}]=\frac{1}{2}+\mathsf {negl}(n) \).
Proof
This lemma follows from the fact that the challenge ciphertext \( ({\mathbf {c}}_{1}^{*},{\mathbf {c}}_{2}^{*}) \) in Game 4 is uniformly distributed. From \( {\mathcal {A}} \)'s view, \( {\mathbf {s}} \) is perfectly hidden, since \( {\mathbf {c}}_{1}^{*} \) is uniform and \( {\mathbf {c}}_{2}^{*}={\mathbf {T}}{\mathbf {c}}_{1}^{*} \) does not involve \( {\mathbf {s}} \). Since \( {\mathsf {H}} \) is collision resistant, \( {\mathcal {A}} \) can guess \( {\mathbf {k}} \) only with negligible probability, and the IND-CPA security of the private-key encryption scheme then bounds the advantage of \( {\mathcal {A}} \) by a negligible amount.
Note that the private-key encryption scheme \( \mathrm {\Pi }' \) only needs to be IND-CPA secure (a one-time pad suffices): once the pseudorandom value has been replaced by a truly random one, the challenge ciphertext is perfectly random, so no adversary can guess \( b^{*} \) with probability noticeably above \( 1/2 \), while the decryption queries are still answered correctly. Altogether we have \( \mathrm {Pr}[W_{1}]=\frac{1}{2}+\mathsf {negl}(n) \), so \( \varepsilon =\mathsf {negl}(n) \). This completes the proof.
Acknowledgement
The work was supported by the National Cryptography Development Fund (Grant No. MMJJ20180106).
Copyright information
© 2018 Springer Nature Switzerland AG
Cite this paper
Cheng, H., Li, X., Qian, H., Yan, D. (2018). Simpler CCA Secure PKE from LPN Problem Without Double-Trapdoor. In: Naccache, D., et al. Information and Communications Security. ICICS 2018. Lecture Notes in Computer Science(), vol 11149. Springer, Cham. https://doi.org/10.1007/978-3-030-01950-1_46
DOI: https://doi.org/10.1007/978-3-030-01950-1_46
Publisher Name: Springer, Cham
Print ISBN: 978-3-030-01949-5
Online ISBN: 978-3-030-01950-1