Efficient Identity-Based Encryption from LWR

Abstract

The Learning with Rounding (LWR) problem is a deterministic variant of the classical Learning with Errors (LWE) problem, for which sampling an instance does not involve discrete Gaussian sampling. We propose the first probabilistic Identity-Based Encryption (IBE) from the LWR problem which is secure in the standard model. The encryption of our IBE scheme does not require discrete Gaussian sampling as it is based on the LWR problem, and hence it is simpler and faster than that of LWE-based IBEs such as ABB scheme. We also present an efficient instantiation employing algebraic ring structure and MP12 trapdoor sampling algorithms with an implementation result. With our proposed parameter sets, the ciphertext sizes can be reduced in a large extent compared to the ABB scheme with the same security level.

This work was supported by the LG Electronics (LGE) grant.

A Cryptanalytic Hardness of the LWR Problem

In this section, we analyze the attack complexity for an LWR instance using lattice basis reduction algorithms, e.g., the BKZ algorithm [CN11, SE94]. We remark that the attack strategy to analyze the LWR problem shares the essence of the LWE attacks which has been studied in the recent papers [Alb17, CHK+16, AGVW17]. Actually, we surveyed all the LWE attacks and concluded that the primal and dual attack strategies are the most powerful in our usage. We focus on how to apply the primal attack strategy to analyze LWR, and for dual attack strategy applied to LWR, we recommend to see the analysis in [CKKS17].

The conclusion of this section is as follows.

Remark 2

the attack complexity of the LWR problem of dimension n, modulus q, and the rounding modulus p is equal to that of the LWE problem of the same dimension n, the same modulus q, and an error rate \(\alpha = p^{-1}\cdot \sqrt{\pi /6}\).

This agrees with the view that an LWR sample \((\mathbf {a},b=\left\lfloor {(p/q)\cdot \langle \mathbf {a},\mathbf {r}\rangle }\right\rceil )\in {\mathbb Z}_q^n\times {\mathbb Z}_p\) can be naturally seen as a kind of an LWE sample by sending back the value b to an element of \({\mathbb Z}_q\), i.e., \(b'=(q/p)\cdot b\in {\mathbb Z}_q\) satisfies \(b'=\langle \mathbf {a},\mathbf {r}\rangle +f \pmod q\) for a small error \(f=-\langle \mathbf {a},\mathbf {r}\rangle \pmod {q/p}\). Note that, in this view, the inserted error is deterministically chosen by random part \(\mathbf {a}\) and secret \(\mathbf {r}\), but it does not affect on the attack complexity.

1.1 A.1 Primal Attack for LWR

The key idea of the primal attack is the reduction from LWR to unique-SVP over a special lattice generated by an LWR instance. As described in [ADPS16] and [AGVW17], we use geometric series assumption (GSA) on the BKZ-reduced basis, and detect the shortest vector in the projected lattice.

Let \(\varLambda \) be a d-dimensional lattice. GSA asserts that the norms of Gram-Schmidt vectors of the lattice basis after lattice reduction forms a geometric series as follows.

Definition 6

(Geometric Series Assumption [Sch03]). For a lattice \(\varLambda = {\mathbb Z}\cdot \mathbf {b}_1 + \cdots {\mathbb Z}\cdot \mathbf {b}_d\) of dimension d, the norm of the Gram-Schmidt vectors after lattice reduction satisfy

$$ \Vert {\mathbf {b}_i^*}\Vert = \alpha ^{i-1}\cdot \Vert {\mathbf {b}_1}\Vert , $$

for some \(0<\alpha <1\).

Since \(\Vert {\mathbf {b}_1}\Vert = \delta ^d \cdot Vol(\varLambda )\) where \(\delta \) is a root Hermite factor and \(Vol(\varLambda ) = \prod _{i=1}^d\Vert {\mathbf {b}_i^*}\Vert \) by definition, \(\alpha \approx \delta ^{-2}\).

Suppose there exists a vector \(\mathbf {v}\in \varLambda \) of small norm such that

$$\begin{aligned} \sqrt{b/d}\cdot \Vert {\mathbf {v}}\Vert \le \delta ^{2b-d} Vol(\varLambda )^{1/d}. \end{aligned}$$

(1)

Then, running the BKZ algorithm, when the SVP oracle is called on the last full projected block of size b, the projection \(\pi _{d-b+1}(\mathbf {v})\) of \(\mathbf {v}\) is contained in the lattice

$$ \varLambda _{d-b+1} := {\mathbb Z}\cdot \pi _{d-b+1}(\mathbf {b}_{d-b+1}) + \cdots + {\mathbb Z}\cdot \pi _{d-b+1}(\mathbf {b}_d). $$

Note that, based on the following analysis, \(\pi _{d-b+1}(\mathbf {v})\) is unusually short so that SVP oracle finds \(\pi _{d-b+1}(\mathbf {v})\) in \(\varLambda _{d-b+1}\).

• \(\Vert {\pi _{d-b+1}(\mathbf {v})}\Vert \approx \sqrt{b/d}\Vert {\mathbf {v}}\Vert \le \delta ^{2b-d} Vol(\varLambda )^{1/d}\).

• We remark that \(\mathbf {b}_{d-b+1}^*\le \lambda _1(\varLambda _{d-b+1})\). By GSA, \(\mathbf {b}_{d-b+1}^* = (\delta ^{-2})^{d-b}\cdot \lambda _1(\varLambda ) = \delta ^{-2(d-b)+d} \cdot Vol(\varLambda )^{1/d}\).

Hence, we can conclude that if there exists \(\mathbf {v}\) of norm \(\delta ^{2b-d} Vol(\varLambda )^{1/d}\), then an attacker can detect it running BKZ algorithm. Now we describe the lattices induced from an LWR instance in which an unusually short vector exists using the two embedding strategies in [Kan87, BG14].

Kannan’s Embedding for LWR. Let \(\left( A, ~\mathbf {b} = \left\lfloor \frac{p}{q}\cdot A\mathbf {r}\right\rceil \right) \in {\mathbb Z}_q^{m\times n}\times {\mathbb Z}_p^{m}\) be a given \(\mathsf {LWR}_{n,m,q,p}(\mathcal {D}_r)\) instance. For a reduced row echelon form \([I_n|A']\) for A, consider the \((m+1)\) dimensional lattice

$$ \varLambda = {\mathbb Z}^{m+1}\cdot \begin{pmatrix} I_n&{}A'&{}0\\ \mathbf {0}&{}q I_{m-n}&{}0\\ (q/p)\cdot \mathbf {b}^T&{}&{}1 \end{pmatrix}, $$

which is an LWR version of the Kannan’s embedding [Kan87] when the embedding factor is 1. The lattice contains a vector of norm \(\Vert {(\mathbf {f} ^T|1)}\Vert \), where \(\mathbf {f} = (q/p)\left\lfloor {(p/q)\cdot A\mathbf {r}}\right\rceil - A\mathbf {r}\). The lattice \(\Lambda \) has dimension \((m+1)\) and volume \(q^{m-n}\).

Hence, the attack is successful if

$$ \sqrt{b}\cdot (q/p\cdot \sqrt{\pi /6})\le \delta ^{2b-m-1}q^{(m-n)/m+1}, $$

by (1).

Bai-Galbraith’s Embedding for LWR. For a given \(\mathsf {LWR}_{n,m,q,p}(\mathcal {D}_r)\) instance \(\left( A, ~\mathbf {b} = \left\lfloor \frac{p}{q}\cdot A\mathbf {r}\right\rceil \right) \in {\mathbb Z}_q^{m\times n}\times {\mathbb Z}_p^{m}\), construct the lattice

$$\varLambda =\{\mathbf {v}\in {\mathbb Z}^{n+m+1}: \left( A\Vert I_{m}\Vert -(q/p)\cdot \mathbf {b}\right) \mathbf {v} = 0 \pmod q\}.$$

with the unique shortest vector \((\mathbf {r}, \mathbf {f}, 1)\). Similarly to the case of dual attack, we consider the weighted lattice

$$\varLambda '=\{(\mathbf {x}, \mathbf {y}, z)\in {\mathbb Z}^n\times (w^{-1}{\mathbb Z})^m\times {\mathbb Z}:(\mathbf {x}, w\cdot \mathbf {y}, z)\in \varLambda \}.$$

for the constant \(w=(q/\sqrt{12}p)\cdot \sigma _r^{-1}\) where \(\sigma _r^2\) is the variance of component of secret vector \(\mathbf {r}\). which contains the short vector \(\mathbf {v}=(\mathbf {r}, w^{-1}\cdot \mathbf {f}, 1)\). Let \(\hat{q}=q/w = \sqrt{12}p/\sigma _r\), then the dimension and the volume of \(\varLambda '\) are \((n+m+1)\) and \(\hat{q}^{m}\) respectively.

Therefore, the attack is successful if

$$ \sqrt{b/(m+n+1)}\Vert {(\mathbf {r}, w^{-1}\cdot \mathbf {f}, 1)}\Vert \approx \sqrt{b}\cdot \sigma _r \le \delta ^{2b-m-n-1}\hat{q}^{m/(m+n+1)}, $$

by (1). In other words,

$$ \sqrt{b}\cdot \sigma _r^{(n+1)/(m+n+1)} \le \delta ^{2b-m-n-1}(\sqrt{12}p)^{m/(m+n+1)}. $$