An Efficient Post-Quantum PKE from RLWR with Simple Security Proof

Abstract

In this paper, we propose a public-key encryption scheme based on the Ring Learning With Rounding (RLWR) problem. Our scheme is seen as RLWR based variant of Saber (NIST PQC standardization round 3 candidate scheme). The design motivation is to overcome the very involved security proofs of LWR based public-key encryption schemes. To simplify the previous very involved security proofs, we introduce an intermediate problem which is at least as hard as RLWE problem. In contradiction to the previous LWR based schemes, our construction shares simple and intuitive security proof. We first present an IND-CPA public-key encryption scheme, and then apply a variant of the Fujisaki–Okamoto transforms to create a CCA- secure KEM. Our parameterization of the final KEM and the reference implementation shows that the performance of our scheme is comparable with the NIST PQC standardization round 3 candidates.

A Appendix

1.1 A.1 Proof of Lemma 3.4

Proof

We show the lemma by contradiction. Namely, we show that if there is an algorithm \(\mathcal {A}\) that can solve the problem \( R\text{- }\mathsf {LWR}\text{- }\mathsf {AE}_{n,p,q,\chi }\), then we can construct a simulator \(\mathsf {Sim}\) which solves the RLWR challenge with the same advantage. Our construction of \(\mathsf {Sim}\) is as follows:

• \(\mathsf {Sim}(a,b)\)

  On input the pair \((a,b) \in R_q \times R_p\) of RLWR challenge, it gives the pair \((\lceil a\rfloor _{q\rightarrow p}, b)\) to the algorithm \(\mathcal {A}\). If \(\mathcal {A}\) outputs 1 (mean that the input pair \((\lceil a\rfloor _{q\rightarrow p}, b)\) is from the \( R\text{- }\mathsf {LWR}\text{- }\mathsf {AE}_{n,p,q,\chi }\) distribution), then \(\mathsf {Sim}\) also outputs 1 to mean that (a, b) is from the \(R\text{- }\mathsf {LWR}_{n,p,q,\chi }\) distribution. Otherwise, if the \(\mathcal {A}\) outputs 0 (mean that the input pair is from a uniform distribution over \(R_p\times R_p\)), then \(\mathsf {Sim}\) also outputs 0 to mean that the pair (a, b) is from uniform distribution over \(R_q\times R_p\).

Note that showing the following two statements suffices for the lemma: (1) if the input pair (a, b) is from uniform distribution over \(R_q\times R_p\), then from \(\mathcal {A}\)’s view the pair \((\lceil a\rfloor _{q\rightarrow p}, b)\) is from the uniform distribution over \(R_p\times R_p\), (2) if the input pair (a, b) is from \(R\text{- }\mathsf {LWR}_{n,p,q,\chi }\) distribution, then from \(\mathcal {A}\)’s view the pair \((\lceil a\rfloor _{q\rightarrow p}, b)\) is a sample from the distribution \( R\text{- }\mathsf {LWR}\text{- }\mathsf {AE}_{n,p,q,\chi }\).

The statement (1) is straight from the fact the 2p|q and the definition of the rounding function \(\lceil *\rfloor _{q\rightarrow p}\), namely the rounding procedure maps a uniform element in \(R_q\) to a uniform element in \(R_p\).

Next we show (2), if \(b = \lceil a \cdot s\rfloor _{q\rightarrow p}\) for the \(a\xleftarrow {\$} R_q\) and an element \(s \in R_q\), then we prove that \(b = \lceil (\frac{q}{p} a'+ u) \cdot s\rfloor _{q\rightarrow p}\) for a uniform \(a' := \lceil a\rfloor _{q\rightarrow p}\), and a uniform ring element \(u = a - \frac{q}{p}a'\) whose coefficients are in \([\frac{q}{2p}, \frac{q}{2p})\), where the uniformity is taken over the uniformity of \(a\in R_q\). Note that the uniformity of \(a'\) is by a same argument as the argument of the statement (1), and it’s easy to see that the coefficients of u in \([\frac{q}{2p}, \frac{q}{2p})\). Therefore, we now show uniformity of u. In other words, for any \(u_0 \in [\frac{q}{2p}, \frac{q}{2p})\), we show that \(\mathsf {Pr}_a[u = u_0] = \left( \frac{p}{q}\right) ^n\), that is

$$\begin{aligned} \mathsf {Pr}_a[u = u_0]&= \mathsf {Pr}_a[ a = \frac{q}{p}a' + u_0] \\&= \sum _{a_p \in R_p} \mathsf {Pr}_a[ a = \frac{q}{p}a' + u_0 \wedge a' = a_p] \\&= \sum _{a_p \in R_p} \frac{1}{q^n} = \left( \frac{p}{q}\right) ^n, \end{aligned}$$

where the second equality is by the union bound; the third equality is by the uniformity of a over \(R_q\). This completes the proof.    \(\square \)

1.2 A.2 Proof of Lemma 3.7

Proof

We show the lemma by two steps: (1) we show that the advantage of \(\mathcal {A}\) in \(\mathsf {Game}_2\) is no larger than that of an intermediate game \(\mathsf {Game}_3'\) we introduced, and (2) from the view of \(\mathcal {A}\) the two games \(\mathsf {Game}_3'\) and \(\mathsf {Game}_3\) is indistinguishable if the \(R\text{- }\mathsf {LWR}_{2n,p,q,\mathsf {Bin}_{\beta }}\) problem is hard. The difference between the \(\mathsf {Game}_2\) and the intermediate game \(\mathsf {Game}_3'\) is the way they generate b and \(c_1\) as follow

$$ b\xleftarrow {\$} R_p, c_1 = \lceil ( \frac{q}{p}b+ u)\cdot r\rfloor _{q\rightarrow p} \text{, } \text{ and } b\xleftarrow {\$} R_q, c_1 = \lceil b\cdot r\rfloor _{q\rightarrow p} $$

Note that (1) is follows from the Lemma 3.4 that the advantage of \(\mathcal {A}\) in \(\mathsf {Game}_2\) is no larger than that of \(\mathsf {Game}_3'\). Furthermore, an analogue reduction as in the proof of Lemma 3.6 shows (2). This completes the proof.

   \(\square \)

1.3 A.3 Proof of Lemma 3.6

Proof

The \(\mathsf {Game}_2\) is different from the \(\mathsf {Game}_1\) by the way the \(\mathsf {pk}\) generated, that b is generated by computing the rounding function \(\lceil a\cdot s\rfloor _{q\rightarrow p}\) for some secret \(s\in R_q\), but it is sampled uniformly over the ring \(R_p\) in the \(\mathsf {Game}_2\). The lemma follows if from the view of \(\mathcal {A}\) the two games are indifferent. We show this by contradiction. Assume that \(\mathcal {A}\) can distinguish these two games, then we construct an algorithm \(\mathsf {Sim}\) as follows that can solve the \(R\text{- }\mathsf {LWR}_{n,p,q,\mathsf {Bin}_{\beta }}\).

• \(\mathsf {Sim}(a,b)\)

  On input the pair \((a,b) \in R_q \times R_p\) of \(R\text{- }\mathsf {LWR}_{n,p,q,\mathsf {Bin}_{\beta }}\) challenge, it simulate every step in \(\mathsf {Game}_1\)( or \(\mathsf {Game}_2\)) for \(\mathcal {A}\) except the step2 and step 4 that it uses (a, b) instead of sampling or computing them.

Note that if the pair (a, b) is from \(R\text{- }\mathsf {LWR}_{n,p,q,\mathsf {Bin}_{\beta }}\), then \(\mathsf {Sim}\) exactly simulated the \(\mathsf {Game}_1\) for \(\mathcal {A}\), if the pair (a, b) is from uniform distribution over \(R_q\times R_p\), then \(\mathsf {Sim}\) exactly simulated the \(\mathsf {Game}_2\) for \(\mathcal {A}\). Therefore, if \(\mathcal {A}\) can distinguishes the two games with noticeable probability, then \(\mathsf {Sim}\) can solve \(R\text{- }\mathsf {LWR}_{n,p,q,\mathsf {Bin}_{\beta }}\) problem with same probability. This is contradicts the lemma assumption that \(R\text{- }\mathsf {LWR}_{n,p,q,\mathsf {Bin}_{\beta }}\) problem is hard. Thus from the view of \(\mathcal {A}\) the two games are indifferent, and the lemma follows.    \(\square \)