Abstract
The Learning with Rounding (LWR) problem is a deterministic variant of the classical Learning with Errors (LWE) problem, for which sampling an instance does not involve discrete Gaussian sampling. We propose the first probabilistic Identity-Based Encryption (IBE) from the LWR problem which is secure in the standard model. The encryption of our IBE scheme does not require discrete Gaussian sampling as it is based on the LWR problem, and hence it is simpler and faster than that of LWE-based IBEs such as the ABB scheme. We also present an efficient instantiation employing an algebraic ring structure and the MP12 trapdoor sampling algorithms, together with an implementation result. With our proposed parameter sets, the ciphertext sizes can be reduced to a large extent compared to the ABB scheme at the same security level.
This work was supported by the LG Electronics (LGE) grant.
References
Agrawal, S., Boneh, D., Boyen, X.: Efficient lattice (H)IBE in the standard model. In: Gilbert, H. (ed.) EUROCRYPT 2010. LNCS, vol. 6110, pp. 553–572. Springer, Heidelberg (2010). https://doi.org/10.1007/978-3-642-13190-5_28
Alkim, E., Ducas, L., Pöppelmann, T., Schwabe, P.: Post-quantum key exchange—a new hope. In: 25th USENIX Security Symposium (USENIX Security 16), pp. 327–343. USENIX Association, Austin, August 2016
Apon, D., Fan, X., Liu, F.: Compact identity based encryption from LWE. Cryptology ePrint Archive 2016 (2016)
Albrecht, M.R., Göpfert, F., Virdia, F., Wunderer, T.: Revisiting the expected cost of solving uSVP and applications to LWE. In: Takagi, T., Peyrin, T. (eds.) ASIACRYPT 2017. LNCS, vol. 10624, pp. 297–322. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-70694-8_11
Ajtai, M.: Generating hard instances of lattice problems. In: Proceedings of the Twenty-eighth Annual ACM Symposium on Theory of Computing, pp. 99–108. ACM (1996)
Ajtai, M.: Generating hard instances of the short basis problem. In: Wiedermann, J., van Emde Boas, P., Nielsen, M. (eds.) ICALP 1999. LNCS, vol. 1644, pp. 1–9. Springer, Heidelberg (1999). https://doi.org/10.1007/3-540-48523-6_1
Alwen, J., Krenn, S., Pietrzak, K., Wichs, D.: Learning with rounding, revisited. In: Canetti, R., Garay, J.A. (eds.) CRYPTO 2013. LNCS, vol. 8042, pp. 57–74. Springer, Heidelberg (2013). https://doi.org/10.1007/978-3-642-40041-4_4
Albrecht, M.R.: On dual lattice attacks against small-secret LWE and parameter choices in HElib and SEAL. IACR Cryptology ePrint Archive 2017:047 (2017)
Alwen, J., Peikert, C.: Generating shorter bases for hard random lattices. Theory Comput. Syst. 48(3), 535–553 (2011)
Albrecht, M.R., Player, R., Scott, S.: On the concrete hardness of learning with errors. J. Math. Cryptol. 9(3), 169–203 (2015)
Baan, H., et al.: Round5: KEM and PKE based on (ring) learning with rounding (2019). https://csrc.nist.gov/projects/post-quantum-cryptography/round-2-submissions
Boneh, D., Franklin, M.: Identity-based encryption from the Weil pairing. In: Kilian, J. (ed.) CRYPTO 2001. LNCS, vol. 2139, pp. 213–229. Springer, Heidelberg (2001). https://doi.org/10.1007/3-540-44647-8_13
Bert, P., Fouque, P.-A., Roux-Langlois, A., Sabt, M.: Practical implementation of ring-SIS/LWE based signature and IBE. In: Lange, T., Steinwandt, R. (eds.) PQCrypto 2018. LNCS, vol. 10786, pp. 271–291. Springer, Cham (2018). https://doi.org/10.1007/978-3-319-79063-3_13
Bai, S., Galbraith, S.D.: Lattice decoding attacks on binary LWE. In: Susilo, W., Mu, Y. (eds.) ACISP 2014. LNCS, vol. 8544, pp. 322–337. Springer, Cham (2014). https://doi.org/10.1007/978-3-319-08344-5_21
Bogdanov, A., Guo, S., Masny, D., Richelson, S., Rosen, A.: On the hardness of learning with rounding over small modulus. In: Kushilevitz, E., Malkin, T. (eds.) TCC 2016. LNCS, vol. 9562, pp. 209–224. Springer, Heidelberg (2016). https://doi.org/10.1007/978-3-662-49096-9_9
Banerjee, A., Peikert, C., Rosen, A.: Pseudorandom functions and lattices. In: Pointcheval, D., Johansson, T. (eds.) EUROCRYPT 2012. LNCS, vol. 7237, pp. 719–737. Springer, Heidelberg (2012). https://doi.org/10.1007/978-3-642-29011-4_42
Cheon, J.H., Han, K., Kim, J., Lee, C., Son, Y.: A practical post-quantum public-key cryptosystem based on spLWE. In: Hong, S., Park, J.H. (eds.) ICISC 2016. LNCS, vol. 10157, pp. 51–74. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-53177-9_3. https://eprint.iacr.org
Cheon, J.H., Kim, A., Kim, M., Song, Y.: Homomorphic encryption for arithmetic of approximate numbers. In: Takagi, T., Peyrin, T. (eds.) ASIACRYPT 2017. LNCS, vol. 10624, pp. 409–437. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-70694-8_15
Cheon, J.H., Kim, D., Lee, J., Song, Y.: Lizard: cut off the tail! a practical post-quantum public-key encryption from LWE and LWR. In: Catalano, D., De Prisco, R. (eds.) SCN 2018. LNCS, vol. 11035, pp. 160–177. Springer, Cham (2018). https://doi.org/10.1007/978-3-319-98113-0_9
Chen, Y., Nguyen, P.Q.: BKZ 2.0: better lattice security estimates. In: Lee, D.H., Wang, X. (eds.) ASIACRYPT 2011. LNCS, vol. 7073, pp. 1–20. Springer, Heidelberg (2011). https://doi.org/10.1007/978-3-642-25385-0_1
Costache, A., Smart, N.P.: Homomorphic encryption without Gaussian noise. IACR Cryptology ePrint Archive 2017:163 (2017)
El Bansarkhani, R., Buchmann, J.: Improvement and efficient implementation of a lattice-based signature scheme. In: Lange, T., Lauter, K., Lisoněk, P. (eds.) SAC 2013. LNCS, vol. 8282, pp. 48–67. Springer, Heidelberg (2014). https://doi.org/10.1007/978-3-662-43414-7_3
Fang, F., Li, B., Lu, X., Liu, Y., Jia, D., Xue, H.: (Deterministic) hierarchical identity-based encryption from learning with rounding over small modulus. In: Proceedings of the 11th ACM on Asia Conference on Computer and Communications Security, pp. 907–912. ACM (2016)
Genise, N., Micciancio, D.: Faster Gaussian sampling for trapdoor lattices with arbitrary modulus. In: Nielsen, J.B., Rijmen, V. (eds.) EUROCRYPT 2018. LNCS, vol. 10820, pp. 174–203. Springer, Cham (2018). https://doi.org/10.1007/978-3-319-78381-9_7
Gür, K.D., Polyakov, Y., Rohloff, K., Ryan, G.W., Savas, E.: Implementation and evaluation of improved Gaussian sampling for lattice trapdoors. In: Proceedings of the 6th Workshop on Encrypted Computing & Applied Homomorphic Cryptography, pp. 61–71. ACM (2018)
Gentry, C., Peikert, C., Vaikuntanathan, V.: Trapdoors for hard lattices and new cryptographic constructions. In: Proceedings of the Fortieth Annual ACM Symposium on Theory of Computing, pp. 197–206. ACM (2008)
Kannan, R.: Minkowski’s convex body theorem and integer programming. Math. Oper. Res. 12(3), 415–440 (1987)
Lee, J., Kim, D., Lee, H., Lee, Y., Cheon, J.H.: Rlizard: post-quantum key encapsulation mechanism for IoT devices. IEEE Access 7, 2080–2091 (2018)
Lyubashevsky, V., Peikert, C., Regev, O.: On ideal lattices and learning with errors over rings. In: Gilbert, H. (ed.) EUROCRYPT 2010. LNCS, vol. 6110, pp. 1–23. Springer, Heidelberg (2010). https://doi.org/10.1007/978-3-642-13190-5_1
Micciancio, D., Peikert, C.: Trapdoors for lattices: simpler, tighter, faster, smaller. In: Pointcheval, D., Johansson, T. (eds.) EUROCRYPT 2012. LNCS, vol. 7237. Springer, Berlin (2012). https://doi.org/10.1007/978-3-642-29011-4_41
Polyakov, Y., Rohloff, K., Ryan, G.: Palisade lattice cryptography library. https://palisade-crypto.org/. Accessed 2019 Sept 04
Regev, O.: On lattices, learning with errors, random linear codes, and cryptography. In: Proceedings of the Thirty-Seventh Annual ACM Symposium on Theory of Computing, STOC 2005, pp. 84–93. ACM, New York (2005)
Regev, O.: On lattices, learning with errors, random linear codes, and cryptography. J. ACM (JACM) 56(6), 34 (2009)
Schnorr, C.P.: Lattice reduction by random sampling and birthday methods. In: Alt, H., Habib, M. (eds.) STACS 2003. LNCS, vol. 2607, pp. 145–156. Springer, Heidelberg (2003). https://doi.org/10.1007/3-540-36494-3_14
Schnorr, C.-P., Euchner, M.: Lattice basis reduction: improved practical algorithms and solving subset sum problems. Math. Program. 66(1–3), 181–199 (1994)
Shamir, A.: Identity-based cryptosystems and signature schemes. In: Blakley, G.R., Chaum, D. (eds.) CRYPTO 1984. LNCS, vol. 196, pp. 47–53. Springer, Heidelberg (1985). https://doi.org/10.1007/3-540-39568-7_5
A Cryptanalytic Hardness of the LWR Problem
In this section, we analyze the attack complexity for an LWR instance using lattice basis reduction algorithms, e.g., the BKZ algorithm [CN11, SE94]. We remark that the attack strategy for the LWR problem shares the essence of the LWE attacks which have been studied in recent papers [Alb17, CHK+16, AGVW17]. We surveyed the known LWE attacks and concluded that the primal and dual attack strategies are the most powerful for our purposes. We focus on how to apply the primal attack strategy to LWR; for the dual attack strategy applied to LWR, we refer to the analysis in [CKKS17].
The conclusion of this section is as follows.
Remark 2
The attack complexity of the LWR problem of dimension n, modulus q, and rounding modulus p is equal to that of the LWE problem of the same dimension n, the same modulus q, and error rate \(\alpha = p^{-1}\cdot \sqrt{\pi /6}\).
This agrees with the view that an LWR sample \((\mathbf {a},b=\left\lfloor {(p/q)\cdot \langle \mathbf {a},\mathbf {r}\rangle }\right\rceil )\in {\mathbb Z}_q^n\times {\mathbb Z}_p\) can be naturally seen as a kind of LWE sample by sending the value b back to an element of \({\mathbb Z}_q\): \(b'=(q/p)\cdot b\in {\mathbb Z}_q\) satisfies \(b'=\langle \mathbf {a},\mathbf {r}\rangle +f \pmod q\) for the small error \(f=-\langle \mathbf {a},\mathbf {r}\rangle \pmod {q/p}\). Note that, in this view, the inserted error is determined by the random part \(\mathbf {a}\) and the secret \(\mathbf {r}\) rather than sampled independently, but this does not affect the attack complexity.
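The following is an added illustration (not code from the paper) of the LWE view of an LWR sample and of the error rate in Remark 2: it builds an LWR sample, lifts b back to \({\mathbb Z}_q\), checks that the induced error f is small and congruent to \(-\langle \mathbf {a},\mathbf {r}\rangle\) modulo q/p, and compares the empirical standard deviation of f with \((q/p)/\sqrt{12}\). The ternary secret distribution, the parameters q = 4096, p = 256 and the divisibility p | q are assumptions made for the demonstration.

```python
import math
import random

def lwr_sample(a, r, q, p):
    # LWR sample b = round((p/q) * <a, r>) in Z_p, in exact integer arithmetic
    # (floor(x + 1/2) is computed as (2*p*inner + q) // (2*q)).
    inner = sum(ai * ri for ai, ri in zip(a, r)) % q
    return ((2 * p * inner + q) // (2 * q)) % p

def lwr_to_lwe(a, b, r, q, p):
    # View the LWR sample as an LWE sample: lift b to b' = (q/p)*b in Z_q, so that
    # b' = <a, r> + f (mod q) with f = -<a, r> (mod q/p), centred in (-q/2p, q/2p].
    # Assumes p divides q (true for the power-of-two parameters used below).
    assert q % p == 0
    s = q // p
    inner = sum(ai * ri for ai, ri in zip(a, r)) % q
    b_lift = (s * b) % q
    f = (b_lift - inner) % q
    if f > q // 2:
        f -= q
    assert (f + inner) % s == 0        # f is congruent to -<a, r> modulo q/p
    assert -s // 2 < f <= s // 2       # |f| <= q/(2p): the induced error is small
    return b_lift, f

def lwe_error_rate(p):
    # Remark 2: f is (nearly) uniform on an interval of width q/p, so its standard
    # deviation is (q/p)/sqrt(12) and the LWE error rate alpha = sigma*sqrt(2*pi)/q
    # equals sqrt(pi/6)/p; the modulus q cancels out.
    return math.sqrt(math.pi / 6) / p

def empirical_error_std(n, q, p, num_samples, seed=1):
    # Constructed experiment (assumed distributions): ternary secret r, uniform a;
    # returns the sample standard deviation of the induced error f.
    rng = random.Random(seed)
    r = [rng.choice((-1, 0, 1)) for _ in range(n)]
    fs = []
    for _ in range(num_samples):
        a = [rng.randrange(q) for _ in range(n)]
        fs.append(lwr_to_lwe(a, lwr_sample(a, r, q, p), r, q, p)[1])
    mean = sum(fs) / len(fs)
    return math.sqrt(sum((f - mean) ** 2 for f in fs) / len(fs))

if __name__ == "__main__":
    q, p, n = 4096, 256, 64
    print("predicted std of f:", (q / p) / math.sqrt(12))
    print("empirical std of f:", empirical_error_std(n, q, p, 2000))
    print("equivalent LWE error rate alpha:", lwe_error_rate(p))
```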
A.1 Primal Attack for LWR
The key idea of the primal attack is the reduction from LWR to unique-SVP over a special lattice generated by an LWR instance. As described in [ADPS16] and [AGVW17], we use the geometric series assumption (GSA) on the BKZ-reduced basis, and detect the shortest vector in the projected lattice.
Let \(\varLambda \) be a d-dimensional lattice. GSA asserts that the norms of the Gram-Schmidt vectors of the lattice basis after lattice reduction form a geometric series, as follows.
Definition 6
(Geometric Series Assumption [Sch03]). For a lattice \(\varLambda = {\mathbb Z}\cdot \mathbf {b}_1 + \cdots + {\mathbb Z}\cdot \mathbf {b}_d\) of dimension d, the norms of the Gram-Schmidt vectors after lattice reduction satisfy
for some \(0<\alpha <1\).
Since \(\Vert {\mathbf {b}_1}\Vert = \delta ^d \cdot Vol(\varLambda )^{1/d}\), where \(\delta \) is the root Hermite factor, and \(Vol(\varLambda ) = \prod _{i=1}^d\Vert {\mathbf {b}_i^*}\Vert \) by definition, we get \(\alpha \approx \delta ^{-2}\).
Suppose there exists a vector \(\mathbf {v}\in \varLambda \) of small norm such that
Then, running the BKZ algorithm, when the SVP oracle is called on the last full projected block of size b, the projection \(\pi _{d-b+1}(\mathbf {v})\) of \(\mathbf {v}\) is contained in the lattice
Note that, by the following analysis, \(\pi _{d-b+1}(\mathbf {v})\) is unusually short, so that the SVP oracle finds \(\pi _{d-b+1}(\mathbf {v})\) in \(\varLambda _{d-b+1}\).
- \(\Vert {\pi _{d-b+1}(\mathbf {v})}\Vert \approx \sqrt{b/d}\,\Vert {\mathbf {v}}\Vert \le \delta ^{2b-d} Vol(\varLambda )^{1/d}\).
- We remark that \(\Vert {\mathbf {b}_{d-b+1}^*}\Vert \le \lambda _1(\varLambda _{d-b+1})\). By GSA, \(\Vert {\mathbf {b}_{d-b+1}^*}\Vert = (\delta ^{-2})^{d-b}\cdot \Vert {\mathbf {b}_1}\Vert = \delta ^{-2(d-b)+d} \cdot Vol(\varLambda )^{1/d}\).
Hence, we can conclude that if there exists \(\mathbf {v}\) of norm at most \(\delta ^{2b-d} Vol(\varLambda )^{1/d}\), then an attacker can detect it by running the BKZ algorithm. We now describe the lattices induced from an LWR instance in which an unusually short vector exists, using the two embedding strategies in [Kan87, BG14].
Kannan’s Embedding for LWR. Let \(\left( A, ~\mathbf {b} = \left\lfloor \frac{p}{q}\cdot A\mathbf {r}\right\rceil \right) \in {\mathbb Z}_q^{m\times n}\times {\mathbb Z}_p^{m}\) be a given \(\mathsf {LWR}_{n,m,q,p}(\mathcal {D}_r)\) instance. For a reduced row echelon form \([I_n|A']\) for A, consider the \((m+1)\) dimensional lattice
which is an LWR version of Kannan's embedding [Kan87] with embedding factor 1. The lattice contains a vector of norm \(\Vert {(\mathbf {f} ^T|1)}\Vert \), where \(\mathbf {f} = (q/p)\left\lfloor {(p/q)\cdot A\mathbf {r}}\right\rceil - A\mathbf {r}\). The lattice \(\varLambda \) has dimension \((m+1)\) and volume \(q^{m-n}\).
Hence, the attack is successful if
by (1).
Bai-Galbraith’s Embedding for LWR. For a given \(\mathsf {LWR}_{n,m,q,p}(\mathcal {D}_r)\) instance \(\left( A, ~\mathbf {b} = \left\lfloor \frac{p}{q}\cdot A\mathbf {r}\right\rceil \right) \in {\mathbb Z}_q^{m\times n}\times {\mathbb Z}_p^{m}\), construct the lattice
with the unique shortest vector \((\mathbf {r}, \mathbf {f}, 1)\). Similarly to the case of the dual attack, we consider the weighted lattice
for the constant \(w=(q/\sqrt{12}p)\cdot \sigma _r^{-1}\), where \(\sigma _r^2\) is the variance of a component of the secret vector \(\mathbf {r}\), which contains the short vector \(\mathbf {v}=(\mathbf {r}, w^{-1}\cdot \mathbf {f}, 1)\). Let \(\hat{q}=q/w = \sqrt{12}p/\sigma _r\); then the dimension and the volume of \(\varLambda '\) are \((n+m+1)\) and \(\hat{q}^{m}\) respectively.
Therefore, the attack is successful if
by (1). In other words,
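The following added example (not the authors' code) evaluates the primal attack criterion derived above, \(\sqrt{b/d}\,\Vert \mathbf {v}\Vert \le \delta ^{2b-d} Vol(\varLambda )^{1/d}\), for both embeddings: it returns the dimension, log-volume and expected \(\Vert \mathbf {v}\Vert \) of the Kannan and Bai-Galbraith lattices and searches for the smallest BKZ block size b satisfying the criterion. The relation between \(\delta \) and b is the standard estimate from Chen's thesis as used in [ADPS16], which this appendix does not state, and the expected norms use \(E[f_i^2]=(q/p)^2/12\); both are assumptions of the example.

```python
import math

def delta_from_block_size(b):
    # Root Hermite factor reached by BKZ with block size b (standard estimate from
    # Chen's thesis, as used in [ADPS16]; this relation is not stated on the page).
    return ((math.pi * b) ** (1.0 / b) * b / (2 * math.pi * math.e)) ** (1.0 / (2 * (b - 1)))

def primal_succeeds(norm_v, d, log_vol, b, delta):
    # The criterion of the appendix, sqrt(b/d)*||v|| <= delta^(2b-d) * Vol^(1/d),
    # evaluated in logarithms to avoid overflow for large volumes.
    lhs = 0.5 * math.log(b / d) + math.log(norm_v)
    rhs = (2 * b - d) * math.log(delta) + log_vol / d
    return lhs <= rhs

def kannan_embedding(n, m, q, p):
    # Kannan's embedding: dimension m+1, volume q^(m-n); short vector (f^T | 1)
    # with each f_i roughly uniform on [-q/2p, q/2p], so E||v||^2 = m*(q/p)^2/12 + 1.
    s = q / p
    norm_v = math.sqrt(m * s * s / 12 + 1)
    return m + 1, (m - n) * math.log(q), norm_v

def bai_galbraith_embedding(n, m, q, p, sigma_r):
    # Weighted Bai-Galbraith lattice: dimension n+m+1, volume qhat^m with
    # qhat = sqrt(12)*p/sigma_r. v = (r, f/w, 1) with w = q/(sqrt(12)*p*sigma_r),
    # so each f_i/w has standard deviation sigma_r and E||v||^2 = (n+m)*sigma_r^2 + 1.
    qhat = math.sqrt(12) * p / sigma_r
    norm_v = math.sqrt((n + m) * sigma_r ** 2 + 1)
    return n + m + 1, m * math.log(qhat), norm_v

def min_block_size(d, log_vol, norm_v, b_min=50):
    # Smallest block size b in [b_min, d] for which the criterion predicts success,
    # or None if even b = d does not suffice under this model.
    for b in range(b_min, d + 1):
        if primal_succeeds(norm_v, d, log_vol, b, delta_from_block_size(b)):
            return b
    return None

if __name__ == "__main__":
    # Constructed parameters for illustration only; sigma_r = 0.5 is an assumption.
    n, m, q, p, sigma_r = 256, 256, 4096, 256, 0.5
    print("Kannan:        b =", min_block_size(*kannan_embedding(n, m, q, p)))
    print("Bai-Galbraith: b =", min_block_size(*bai_galbraith_embedding(n, m, q, p, sigma_r)))
```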
© 2020 Springer Nature Switzerland AG
Cheon, J.H., Cho, H., Jung, J., Lee, J., Lee, K. (2020). Efficient Identity-Based Encryption from LWR. In: Seo, J. (eds) Information Security and Cryptology – ICISC 2019. ICISC 2019. Lecture Notes in Computer Science(), vol 11975. Springer, Cham. https://doi.org/10.1007/978-3-030-40921-0_14
DOI: https://doi.org/10.1007/978-3-030-40921-0_14
Publisher Name: Springer, Cham
Print ISBN: 978-3-030-40920-3
Online ISBN: 978-3-030-40921-0