1 Introduction

In 1994, Shor proposed quantum algorithms that can solve the factorization problem and the discrete logarithm problem in polynomial time [30]. This implies that elliptic curve cryptosystems and the RSA cryptosystem will no longer be secure once a quantum computer is built. Due to this, the importance of “post-quantum cryptosystems” (PQCs) that will still be secure after the development of quantum computers has been recognized. With the recent active studies to develop quantum computers, NIST announced that the process of PQC standardization will begin at the end of 2017 [25]. Possible candidates for a PQC include lattice-based, code-based, and multivariate encryption schemes.

The first lattice-based encryption scheme was proposed in 1997 by Ajtai and Dwork [1]. Its security depends on the unique shortest vector problem in lattices. Goldreich et al. proposed the GGH cryptosystem, whose security is based on the closest vector problem for an integer lattice [14]. However, according to Nguyen and Stern, these schemes are not practical since they require large parameters for security reasons [23, 24]. Hoffstein et al. proposed the NTRU cryptosystem, whose security depends on the shortest vector problem for polynomial ring lattices [15]. In 2009, Regev proposed an LWE cryptosystem, whose security depends on the “learning with errors” (LWE) problem [28]. Currently, NTRU, LWE, and their variants are relatively efficient among lattice-based encryption schemes.

However, there are several efficient approximation algorithms for finding the (nearly) shortest/closest vectors, such as the LLL [19], BKZ [29], and BKZ2.0 [8] algorithms. Recently, several improved attacks for these underlying problems using these methods, such as lattice decoding attacks [6] and subfield lattice attacks [18] have been developed. In order to avoid these attacks, the public-key sizes of lattice-based cryptosystems must be enlarged. Encryption schemes with large key sizes require a large amount of memory in applications.

Code-based encryption was first proposed in 1978 by McEliece [22]. Its security depends on the decoding problem for random linear codes, for which only exponential algorithms are known. However, it requires a large public-key size, of more than 1M bits. The multivariate public-key cryptosystem (MPKC) was first introduced in 1989 by Matsumoto and Imai [16] and was improved by Patarin [26]. Its security depends on the problem of solving non-linear equations (called multivariate equations) over finite fields. While the problem is NP-hard in general, almost all proposed schemes have been broken due to the special structure of the equations that are used as public keys. Several schemes with resistance against known attacks on MPKC have been proposed, but they still have large public keys [27, 32, 33].

These candidates require large public-key sizes of more than 24 K bits (under 128-bit security) to avoid improved attacks that take advantage of the special structure of the schemes. Even though many PQC candidates have been proposed, none of them are efficient enough for practical use. This might be due to their large public-key sizes and the large amount of memory that is therefore required in applications. In an effort to find a more practical PQC, Akiyama et al. proposed the algebraic surface cryptosystem (ASC) [3], whose security depends on the section-finding problem (the problem of solving some kind of indeterminate equation). Although they claimed that their proposed scheme necessitates much shorter public keys than the other candidates for PQC, the scheme was broken by Faugére et al. [11]. In this paper, we intend to improve ASC by modifying the underlying problem to make the scheme secure while keeping the public-key size small relative to that of other PQC candidates.

Our Contribution. This paper proposes a post-quantum public-key encryption scheme whose security is based on the smallest solution problem for non-linear solution spaces of indeterminate equations, to which attack algorithms based on approximation (e.g., LLL and BKZ) cannot be applied. Our scheme was developed from ASC, which is designed such that its security depends on the intractability of solving some non-linear indeterminate equation [3]. ASC was broken by the ideal decomposition attack proposed in PKC 2010 [11]. We revise the scheme to be secure against this attack by adding a noise term to the cipher polynomial. Our scheme is provably secure with regard to IND-CPA under the indeterminate equation LWE (IE-LWE) assumption, which is a new computational assumption formed by analogy to the LWE assumption. An IND-CCA2 secure scheme is obtained by using a well-known conversion technique [10].

The linear algebraic attack, one of the known attacks on ASC, can be applied to the IE-LWE problem. Through this attack, the IE-LWE problem can be reduced to a lattice problem, but the rank of the lattice is larger than that of present lattice-based cryptosystems due to the properties of multivariate polynomials. This suggests that the keys (both public and secret) can be expected to be much shorter than those of lattice-based cryptosystems. Our scheme is, in this sense, a light PQC constructed by combining the beneficial properties of multivariate cryptography and lattice-based cryptography. According to our computational experiments on attacks, our scheme requires a public key that is 3/4 the length of the public keys in LWE and 1/3 the length of the public keys in NTRU. Moreover, our scheme supports multi-bit homomorphism, as NTRU does.

This paper is organized as follows. Section 2 gives our notation and a short overview of algebraic surface encryptions, which our scheme was developed from. In Sect. 3, we define the smallest solution problem and propose our new encryption scheme. Section 4 defines the computational assumption that makes our scheme provably secure and discusses the complexity of this assumption against some considered attacks. In Sect. 5, we give a set of appropriate parameters that make our scheme secure. We summarize the results and discuss directions for future work in Sect. 6.

2 Preliminaries

2.1 Notation

We express a polynomial with two variables x, y as \(\xi (x,y)=\sum _{(i,j)\in \varGamma _{\xi }}\tau _{i,j} x^iy^j\), where \(\varGamma _{\xi }\) denotes the set of pairs (i, j) of the exponents of non-zero monomials \(x^iy^j\) in a polynomial \(\xi (x,y)\). We refer to \(\varGamma _{\xi }\) as the term set of \(\xi (x,y)\). Note that the cardinality \(\#\varGamma _{\xi }\) is equal to the number of monomials in \(\xi (x,y)\). Hereinafter, we write \(\xi \) instead of \(\xi (x,y)\) when \(\xi \) is clearly a polynomial in the two variables x, y.

The set of polynomials with two variables having the term set \(\varGamma \) over a ring R is denoted by \(\mathfrak {F}_\varGamma /R\). This is defined as

$$ \mathfrak {F}_\varGamma /R= \left\{ f\in R[x,y]\,\,| \,\,f=\sum _{(i,j)\in \varGamma }a_{ij}x^iy^j \right\} . $$

For simplicity, we write \(\mathfrak {F}_\varGamma \) instead of \(\mathfrak {F}_\varGamma /R\) when it is clearly over R.

In this paper, we take the representative sets of \(\mathbb {Z}_p\) and \(\mathbb {Z}_q\) to be \(\mathbb {Z}_p^{+}=\{0,1,\cdots ,p-1\}\) and \(\mathbb {Z}_q^{+}=\{0,1,\cdots ,q-1\}\), respectively. We refer to \(\mathbb {Z}_q[t]/(t^n-1)\) as \(R_q\) and denote by \(R_p\) the subset of \(R_q\) whose elements have coefficients restricted to the range \(\mathbb {Z}_p^{+}\). Then, we can define the maximum coefficient of the polynomial \(\xi \), which is denoted by \(MC(\xi )\), as follows:

$$\begin{aligned} MC(\xi )=\max \left\{ \tau _{i,j} | \xi (x,y) =\sum _{(i,j)\in \varGamma _{\xi }}\tau _{i,j} x^iy^j \right\} , \end{aligned}$$
(1)

where \(\tau _{i,j}\) is regarded as an integer instead of a representative element in \(\mathbb {Z}_p\) or \(\mathbb {Z}_q\) to measure the size of the coefficients. Some properties of the maximum coefficient are described in Appendix B.

These concepts can be defined in the same manner for polynomials with one or three variables.

2.2 Algebraic Surface Cryptosystem

ASC was first introduced in 2006 by Akiyama and Goto [2]. The security of ASC depends on the section-finding problem, defined as follows.

Definition 1

(Section-finding Problem). If \(X(x,y,t)=0\) is an algebraic surface over field K, then the problem of finding a parameterized curve \((x,y,t)=(u_x(t),u_y(t),t)\) on X is called the section-finding problem on X.

A section can be considered as a solution of \(X(x,y)=0\), which is an indeterminate equation over the ring K[t]. In this paper, we write an algebraic surface \(X(x,y)=0\) over \(F_p[t]\) instead of \(X(x,y,t)=0\) over \(F_p\).

The problem of solving indeterminate equations over some rings or fields is known to be difficult. For example, the case of indeterminate equations over the integer ring \(\mathbb {Z}\), a class of problems called Diophantine equations, is undecidable (Hilbert’s 10th problem). “Undecidable” in this context means that there is no general algorithm to solve such indeterminate equations. The section-finding problem has also been proven to be undecidable [9].

To illustrate the concept behind the scheme we propose in this paper, we give an explanation of algebraic surface encryption. First, the simplest ASC can be described as

$$\begin{aligned} c(x,y)=m(x,y)+X(x,y)r(x,y)\,, \end{aligned}$$
(2)

where X(x, y) is the public key, which defines an algebraic surface with a section. The polynomials c(x, y) and r(x, y) are a ciphertext polynomial and a random polynomial, respectively. The polynomial m(x, y) is a plaintext polynomial in which the plaintext is embedded. In the decryption phase, we substitute the secret key (a section of X(x, y)) into c(x, y). Using the relation \(X(u_x(t),u_y(t))=0\), we obtain \(c(u_x(t),u_y(t))=m(u_x(t),u_y(t))\). The plaintext can be recovered from the polynomial \(m(u_x(t),u_y(t))\) as follows. First, we write m(x, y) as \(m(x,y)=\sum _{(i,j,k)\in \varGamma _m}m_{ijk}x^iy^jt^k\), where the \(m_{ijk}\) are unknowns, and substitute the section into m(x, y). Then, we obtain \(m(u_x(t),u_y(t))=\sum _{(i,j,k)\in \varGamma _m}m_{ijk}u_x(t)^iu_y(t)^jt^k\). Simultaneous linear equations in the \(m_{ijk}\) are constructed by comparing the coefficients of t. When the number of variables is less than or equal to the rank of the coefficient matrix, we can recover the correct plaintext by solving the equations.

However, an attack that can break the scheme exists. We can expand the cipher polynomial c(x, y) as

$$\begin{aligned} c(x,y)=\sum _{(i,j,k)\in \varGamma _m} m_{ijk}x^iy^jt^k+ \left( \sum _{(i,j,k)\in \varGamma _X} a_{ijk}x^iy^jt^k \right) \left( \sum _{(i,j,k)\in \varGamma _r} r_{ijk}x^iy^jt^k \right) , \end{aligned}$$
(3)

where \(\varGamma _m,\varGamma _X\), and \(\varGamma _r\) are given as parameters, \(a_{ijk}\) are the given coefficients of the public key X, and \(m_{ijk}\) and \(r_{ijk}\) are variables. By comparing the coefficients of the monomials, we obtain simultaneous linear equations in the variables \(m_{ijk}\) and \(r_{ijk}\). The relation \(\#\varGamma _m+\#\varGamma _r < \#\varGamma _{Xr}\) is required for decoding. However, in this case, the equations have a unique solution with high probability. We refer to attacks of this type as linear algebraic attacks.

To avoid this attack, Akiyama, Goto, and Miyake constructed the latest ASC scheme in 2009 [3]. From the cryptographic point of view, the ciphertext is equivalent to

$$\begin{aligned} c(x,y)=m(x,y)s(x,y)+X(x,y)r(x,y). \end{aligned}$$
(4)

Here, s(x, y) is employed as another random polynomial, and the term set of m(x, y)s(x, y) is equal to that of X(x, y)r(x, y) (\(\varGamma _{ms}=\varGamma _{Xr}\)). In order to decrypt the ciphertext, we have to decompose \(m(u_x(t),u_y(t))s(u_x(t),u_y(t))\) into \(m(u_x(t),u_y(t))\) and \(s(u_x(t),u_y(t))\). Since polynomial factorization (over \(F_p\)) is easy to compute using the Berlekamp method, we can obtain \(m(u_x(t),u_y(t))\) as a factor, and recover the plaintext from \(m(u_x(t),u_y(t))\) in the same way as in the previous scheme.

When applying the linear algebra attack to this scheme, m(x, y)s(x, y) must be considered as a single polynomial g(x, y), because otherwise quadratic equations in the variables \(m_{ijk}\) and \(s_{ijk}\) are derived. (It is difficult to solve systems of quadratic equations in general.) Therefore, if the number of variables \(\#\varGamma _r+\#\varGamma _{Xr}\) is greater than the number of equations \(\#\varGamma _{Xr}\), then the linear algebra attack does not work.

Unfortunately, this scheme was also broken by the ideal decomposition attack, which was introduced by Faugere et al. [11]. They found that the ideal (c, X) can be decomposed into (m, X) and (s, X) by calculating the resultant \(Res_x(c,X)\) or \(Res_y(c,X)\). Ultimately, they were able to recover the plaintext m by using this method to solve the linear equations.

3 Our Proposed Encryption Scheme

In this section, we propose a new ASC scheme that is resistant to the ideal decomposition attack. We accomplish this by changing the underlying ring of ASC to \(\mathbb {Z}_q[t]/(t^n-1)\) and adding a p-divisible polynomial \(p\cdot e(x,y)\) to the simplest ASC cipher polynomial (2) as noise. Our cipher polynomial is

$$\begin{aligned} c(x,y)=m(t)+X(x,y)r(x,y)+p\cdot e(x,y) , \end{aligned}$$

where e(x, y) is a random polynomial with small coefficients, and p and m are a small prime and an element of \(\mathbb {Z}_q[t]/(t^n-1)\), respectively. The polynomial e(x, y) works as a noise term in the cipher, and the condition \(\#\varGamma _e = \#\varGamma _{Xr}\) is required for resistance against the linear algebra attack. Also, a small solution of X(x, y) = 0 is necessary in order to decrypt.

3.1 Algorithms

Parameters. In this section, we introduce our scheme’s parameters. Appropriate parameters are discussed in Sect. 5. The parameters are as follows.

  1. p, q: The cardinalities of \(\mathbb {Z}_p,\mathbb {Z}_q\), where p, q are primes and \(p \ll q\)

  2. n: The degree of the modulus polynomial of \(R_q(=\mathbb {Z}_q[t]/(t^n-1))\)

  3. \(\varGamma _X\): The term set of the indeterminate equation \(X(x,y)(=0)\)

  4. \(\varGamma _r\): The term set of the random polynomial r(x, y)

The total degrees of X and r are denoted by \(w_X\) and \(w_r\), respectively. The relation between p and q is important to the decryption. The following condition must be fulfilled:

$$\begin{aligned} q>\#\varGamma _{Xr}\cdot p(p-1)\cdot (n(p-1))^{w_X+w_r}, \end{aligned}$$
(5)

the reason for which is explained in Appendix B. It is evident that q is much greater than p.

Keys. The secret key is a small (not necessarily the smallest) solution of the indeterminate equation \(X(x,y)=0\), which is denoted by u:

$$\begin{aligned} u:(x,y)=(u_x(t),u_y(t)),\,\,u_x(t),u_y(t)\in R_p, \end{aligned}$$
(6)

where \(\deg u_x(t)=\deg u_y(t)=n-1\). Note that p is much smaller than q. Therefore, we call u a small solution. The public key is the indeterminate equation \(X(x,y)=0\) that has the smallest solution u:

$$\begin{aligned} X(x,y)=\sum _{(i,j)\in \varGamma _X} a_{ij}x^iy^j, \end{aligned}$$
(7)

where \(a_{ij}\in R_q\).

Key Generation. The key-generation algorithm, which accepts the parameters \(p,q,n,\varGamma _X\), and \(\varGamma _r\) as input, can be described as follows. The secret key is generated as the random polynomials \(u_x(t),u_y(t)(\in R_p)\), whose degrees are \(n-1\). The indeterminate equation \(X(x,y) = 0\) is constructed according to the following procedure.

  1. Choose a coefficient for each non-constant monomial as follows.

     (a) Set \(X=0\).

     (b) For each (i, j) in \(\varGamma _X\):

         i. Choose a coefficient \(a_{ij}(t)\) of degree \(n-1\) uniformly at random from the set \(R_q\).

         ii. Set \(X=X+a_{ij}(t)x^iy^j\).

  2. Calculate the constant term \(a_{00}(t)\) as \(a_{00}(t)=-\sum _{(i,j)\in \varGamma _X-(0,0)}a_{ij}(t)u_x(t)^iu_y(t)^j\,\,(\in R_q)\).

Encryption

  1. Embed a plaintext M into the coefficients of the plaintext polynomial \(m(t) (\in R_p)\), whose degree is \(n-1\).

  2. Choose a random polynomial r(x, y) in \(\mathfrak {F}_{\varGamma _r}/R_q\) as follows.

     (a) Set \(r=0\).

     (b) For each (i, j) in \(\varGamma _r\):

         i. Choose a coefficient \(r_{ij}(t)\) of degree \(n-1\) uniformly at random from the set \(R_q\).

         ii. Set \(r=r+r_{ij}(t)x^iy^j\).

  3. Choose a noise polynomial e(x, y) in \(\mathfrak {F}_{\varGamma _{Xr}}/R_p\) as follows.

     (a) Set \(e=0\).

     (b) For each (i, j) in \(\varGamma _{Xr}\):

         i. Choose a coefficient \(e_{ij}(t)\) of degree \(n-1\) uniformly at random from the set \(R_p\).

         ii. Set \(e=e+e_{ij}(t)x^iy^j\).

  4. Construct the cipher polynomial c(x, y) as

     $$\begin{aligned} c(x,y)=m(t)+X(x,y)r(x,y)+p\cdot e(x,y). \end{aligned}$$
     (8)

Decryption

  1. Substitute the smallest solution u into c(x, y) as a solution of X over \(F_q[t]\):

     $$\begin{aligned} c(u)=m(t)+p\cdot e(u), \end{aligned}$$
     (9)

     where c(u) denotes \(c(u_x(t),u_y(t))\). When the parameters p and q satisfy the relation (5) described above, each coefficient of \(m(t)+p\cdot e(u) \in \mathbb {Z}[t]/(t^n-1)\) lies within the range \(\mathbb {Z}^{+}_q\). The proof is given in Appendix B.

  2. Extract m(t) from c(u) as \(c(u)\,\,(mod\,\,p) =m(t)\), where we regard c(u) as an element of \(\mathbb {Z}[t]\).

  3. Recover the plaintext M from the coefficients of m(t).

From now on, we will refer to the public-key encryption scheme as the indeterminate equation cryptosystem (IEC) encryption scheme.
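As an added illustration of the key-generation, encryption and decryption algorithms above (example code written for this edit, not the authors' implementation): a toy IEC instance over \(R_q=\mathbb {Z}_q[t]/(t^n-1)\) with \(\deg X=\deg r=1\). The parameters p = 3, q = 4001, n = 5 are constructed so that condition (5) holds (the bound evaluates to 3600) and are far too small for any security; the function names and the dict-based representation of bivariate polynomials are ours.

```python
import random

# Toy IEC parameters, constructed for this example only; far too small for security.
# p = 3, q = 4001, n = 5 satisfy condition (5) for deg X = deg r = 1 (bound 3600 < 4001).
P, Q, N = 3, 4001, 5
GAMMA_X = [(1, 0), (0, 1), (0, 0)]  # term set of X(x, y), total degree w_X = 1
GAMMA_R = [(1, 0), (0, 1), (0, 0)]  # term set of r(x, y), total degree w_r = 1


# Elements of R_q = Z_q[t]/(t^n - 1) are lists of n coefficients, ascending in t.
def rq_add(a, b, q):
    return [(x + y) % q for x, y in zip(a, b)]

def rq_mul(a, b, q):
    # Multiplication modulo t^n - 1 is a cyclic convolution of the coefficient lists.
    n = len(a)
    out = [0] * n
    for i, ai in enumerate(a):
        for j, bj in enumerate(b):
            out[(i + j) % n] = (out[(i + j) % n] + ai * bj) % q
    return out

def rq_random(n, bound):
    # Uniform element whose coefficients lie in {0, ..., bound - 1} (R_p when bound = p).
    return [random.randrange(bound) for _ in range(n)]


# Bivariate polynomials over R_q are dicts {(i, j): coefficient in R_q}.
def bi_add(f, g, q):
    h = dict(f)
    for k, v in g.items():
        h[k] = rq_add(h[k], v, q) if k in h else v
    return h

def bi_mul(f, g, q):
    h = {}
    for (i1, j1), a in f.items():
        for (i2, j2), b in g.items():
            k = (i1 + i2, j1 + j2)
            prod = rq_mul(a, b, q)
            h[k] = rq_add(h[k], prod, q) if k in h else prod
    return h

def bi_eval(f, ux, uy, q):
    # Substitute (x, y) = (u_x(t), u_y(t)); the result is an element of R_q.
    acc = [0] * len(ux)
    for (i, j), a in f.items():
        term = a
        for _ in range(i):
            term = rq_mul(term, ux, q)
        for _ in range(j):
            term = rq_mul(term, uy, q)
        acc = rq_add(acc, term, q)
    return acc

def term_set_product(gx, gr):
    # Gamma_{Xr}: the exponent pairs that can appear in X(x, y) r(x, y).
    return sorted({(i1 + i2, j1 + j2) for (i1, j1) in gx for (i2, j2) in gr})


def decryption_condition_holds(p, q, n, gx, gr):
    # Condition (5): q > #Gamma_{Xr} * p(p-1) * (n(p-1))^(w_X + w_r).
    w_x = max(i + j for i, j in gx)
    w_r = max(i + j for i, j in gr)
    return q > len(term_set_product(gx, gr)) * p * (p - 1) * (n * (p - 1)) ** (w_x + w_r)

def keygen(p, q, n, gx):
    # Secret key: a small solution u = (u_x, u_y) with coefficients in Z_p^+.
    ux, uy = rq_random(n, p), rq_random(n, p)
    X = {(i, j): rq_random(n, q) for (i, j) in gx if (i, j) != (0, 0)}
    # a_00 = -sum a_ij u_x^i u_y^j makes X(u_x, u_y) = 0 in R_q.
    X[(0, 0)] = [(-v) % q for v in bi_eval(X, ux, uy, q)]
    return (ux, uy), X

def encrypt(X, m, p, q, n, gx, gr):
    # c(x, y) = m(t) + X(x, y) r(x, y) + p * e(x, y), with r over R_q and e over R_p.
    r = {k: rq_random(n, q) for k in gr}
    e = {k: rq_random(n, p) for k in term_set_product(gx, gr)}
    c = bi_add(bi_mul(X, r, q), {(0, 0): m}, q)
    p_e = {k: [(p * v) % q for v in coeffs] for k, coeffs in e.items()}
    return bi_add(c, p_e, q)

def decrypt(sk, c, p, q):
    # c(u) = m(t) + p * e(u) with every coefficient below q (by (5)), so reducing mod p gives m(t).
    ux, uy = sk
    return [v % p for v in bi_eval(c, ux, uy, q)]

def roundtrip(seed=1):
    # Returns (m, Dec(Enc(m)), X(u)) for a fresh key pair; X(u) must be the zero element.
    random.seed(seed)
    sk, pk = keygen(P, Q, N, GAMMA_X)
    m = rq_random(N, P)  # plaintext polynomial m(t) in R_p
    c = encrypt(pk, m, P, Q, N, GAMMA_X, GAMMA_R)
    return m, decrypt(sk, c, P, Q), bi_eval(pk, sk[0], sk[1], Q)

if __name__ == "__main__":
    m, recovered, x_at_u = roundtrip()
    print("X(u) =", x_at_u)
    print("m(t) =", m, " Dec(c) =", recovered)
```

The decryption step relies on condition (5) only through the fact that \(m(t)+p\cdot e(u)\), viewed over the integers, has coefficients below q; `decryption_condition_holds` checks (5) for a parameter set before any key is generated, and changing q to 3001 makes it fail for these term sets.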

3.2 The Smallest-Solution Problem

Let us express the solution \(u=(u_x(t),u_y(t))\,\,(\in (\mathbb {Z}_q[t]/(t^n-1))^2)\) of an indeterminate equation as

$$\begin{aligned} u_x(t)=\sum _{i=0}^{n-1} \alpha _i t^i,\,\,u_y(t)=\sum _{i=0}^{n-1} \beta _i t^i. \end{aligned}$$

Then, the norm of the solution is defined as follows.

$$\begin{aligned} Norm(u)=\max \{\alpha _i,\beta _i\in \mathbb {Z}_q^{+}\,\,|\,\,0\le i\le n-1 \} \end{aligned}$$

The security of our system depends on the smallest-solution problem, defined as follows.

Definition 2

(Smallest-solution Problem). If \(X(x,y)=0\) is an indeterminate equation over the ring \(\mathbb {Z}_q[t]/(t^n-1)\), then the problem of finding the solution \((x,y)=(u_x(t),u_y(t))\) on \(\mathbb {Z}_q[t]/(t^n-1)\) with the smallest norm is called the smallest-solution problem on X.

We are not able to apply the approximate lattice reduction algorithms directly to solving the problem because the solution space is non-linear.

4 Security

In this section, we introduce a computational assumption and discuss some possible attacks on the assumption, based on the attacks on ASCs.

4.1 Security Assumption

The polynomials over \(\mathbb {Z}_q\) whose coefficients are in the range 0 to \(p-1\) are called size-p polynomials. If a polynomial is of size p, this means that its coefficients are much smaller than those of an ordinary polynomial, since p is much smaller than q. We define the set of polynomials that have a zero of size p as follows:

$$ \mathfrak {X}(\varGamma _X,p)/R_q=\{X\in \mathfrak {F}_{\varGamma _X}/R_q\,\,|\,\,\exists u_x(t),u_y(t) \in R_p \,\,X(u_x(t),u_y(t))=0 \}. $$

When the sets of polynomials, such as \(\mathfrak {X}(\varGamma _X,p)/R_q\), \(\mathfrak {F}_{\varGamma _r}/R_q\), and \(\mathfrak {F}_{\varGamma _{Xr}}/R_p\), that satisfy the condition

$$\begin{aligned} (0,0)\in \varGamma _X,(0,0)\in \varGamma _r \end{aligned}$$

are given, we define the decisional problem as follows.

Definition 3

(IE-LWE problem). When we write the set \(U_{X},T_{X}\) as

$$\begin{aligned} U_{X}= & {} \mathfrak {X}(\varGamma _X,p)/R_q \times \mathfrak {F}_{\varGamma _{Xr}}/R_q, \end{aligned}$$
(10)
$$\begin{aligned} T_{X}= & {} \{(X,Xr+e)|X \in \mathfrak {X}(\varGamma _X,p)/R_q, r \in \mathfrak {F}_{\varGamma _r}/R_q, e \in \mathfrak {F}_{\varGamma _{Xr}}/R_p \}, \end{aligned}$$
(11)

respectively, the IE-LWE problem is to distinguish whether a pair of multivariate polynomials was chosen from the 'noisy' set \(T_{X}\) or from \(U_X-T_X\), where \(T_X\) is a subset of \(U_X\).

We define the IE-LWE assumption.

Definition 4

(IE-LWE assumption). The IE-LWE assumption is the assumption that the advantage

$$\begin{aligned} \begin{array}{l} Adv_{\mathfrak {B}}^{{{IE\text {-}LWE}}}(k) := \\ \\ \left| \begin{array}{l} Pr \left[ \mathfrak {B}(p,q,n,\varGamma _r,\varGamma _X,X,Y)\rightarrow 1 \left| \begin{array}{l} (p,q,n,\varGamma _X,\varGamma _r,X){\mathop {\leftarrow }\limits ^{R}} GenG(1^k); \\ r {\mathop {\leftarrow }\limits ^{U}} \mathfrak {F}_{\varGamma _r}/R_q; e {\mathop {\leftarrow }\limits ^{U}} \mathfrak {F}_{\varGamma _{Xr}}/R_p;\\ Y:=Xr+e \end{array} \right. \right] \\ - Pr \left[ \mathfrak {B}(p,q,n,\varGamma _r,\varGamma _X,X,Y)\rightarrow 1 \left| \begin{array}{l} (p,q,n,\varGamma _X,\varGamma _r,X){\mathop {\leftarrow }\limits ^{R}} GenG(1^k); \\ \\ Y {\mathop {\leftarrow }\limits ^{U}} \mathfrak {F}_{\varGamma _{Xr}}/R_q \end{array} \right. \right] \end{array} \right| \end{array} \end{aligned}$$
(12)

is negligible. In other words,

where \(\epsilon (k)\) is a negligible function in the security parameter k.

IE-LWE is an extended variation of \(\text{ R-LWE }_{\text{ HNF }}^{\times }\), which is one of the variants of R-LWE defined by the polynomial ring \(R_q\). This is claimed by a provably secure NTRU modification [31] and can be reduced to the shortest vector problem of the lattice derived from \(R_q\). In this paper, we extend \(\text{ R-LWE }_{\text{ HNF }}^{\times }\) to the multivariate polynomial ring \(R_q[x,y]\) so that the dimension of the lattice is larger than that of the lattice derived from \(R_q\).

Theorem 1

Under the IE-LWE assumption, the IEC encryption scheme \(\Sigma =(Gen,Enc,Dec)\) is secure in the sense of IND-CPA. Specifically, if there is an adversary that runs in polynomial time and breaks the IEC encryption scheme \(\Sigma \) in the sense of IND-CPA, then there exists an algorithm \(\mathfrak {B}\) that solves the IE-LWE problem in probabilistic polynomial time. Moreover, the following relation holds:

$$\begin{aligned} Adv_{\Sigma ,\mathfrak {A}}^{{{IND\text {-}CPA}}}(k)=2\cdot Adv_{\mathfrak {B}}^{{{IE\text {-}LWE}}}(k). \end{aligned}$$

Proof

Due to space constraints, we omit the proof. We carried out the proof by using the same technique as in the proof of Lemma 13 in [31].

In addition, one can make the IEC encryption scheme IND-CCA2 secure by using well-known conversions such as those in [10]. However, the converted scheme is no longer a homomorphic one.

4.2 Possible Attacks

In this subsection, we introduce two possible attacks on the IE-LWE assumption. Other attacks against ASC, from which this scheme was developed, cannot be applied to this problem. For example, the ideal decomposition attack described in Sect. 2.2 does not work on our scheme because our scheme does not have a multiplicative structure such as m(x, y)s(x, y) in (4).

The Linear Algebra Attack. Given a pair of polynomials (X, Y), we can determine that (X, Y) is sampled from \(T_X\) if we find \(r\in \mathfrak {F}_{\varGamma _r}/R_q\) and \(e\in \mathfrak {F}_{\varGamma _{Xr}}/R_p\) such that \(Y=Xr+e\). The problem of finding such polynomials r and e can be approached with the linear algebra attack introduced in Sect. 2.2 as follows. We construct a system of linear equations by comparing the coefficients of \(x^iy^j\) in the relation

$$\begin{aligned} \sum _{(i,j)\in \varGamma _{Xr}}d_{ij}x^iy^j= \left( \sum _{(i,j)\in \varGamma _{X}}a_{ij}x^iy^j \right) \left( \sum _{(i,j)\in \varGamma _{r}}r_{ij}x^iy^j \right) + \left( \sum _{(i,j)\in \varGamma _{Xr}}e_{ij}x^iy^j \right) , \end{aligned}$$
(13)

where \(r_{ij}\) and \(e_{ij}\) are \(R_q\)-valued and \(R_p\)-valued variables, respectively.

In the case of \(\deg X=\deg r=1\), we can set X, r, e, and Y in the following manner.

\( \begin{array}{ll} X(x,y)= &{} a_{10}x+a_{01}y+a_{00} \\ r(x,y)= &{} r_{10}x+r_{01}y+r_{00} \\ e(x,y)= &{} e_{20}x^2+e_{11}xy+e_{02}y^2+e_{10}x+e_{01}y+e_{00} \\ Y(x,y)= &{} d_{20}x^2+d_{11}xy+d_{02}y^2+d_{10}x+d_{01}y+d_{00} \end{array} \)

From the relation \(Y=Xr+e\), we obtain a system of linear equations as follows:

$$\begin{aligned} \begin{array}{ll} a_{10}r_{10}+e_{20}=d_{20} \\ a_{10}r_{01}+a_{01}r_{10}+e_{11}=d_{11} \\ a_{01}r_{01}+e_{02}=d_{02} \\ a_{10}r_{00}+a_{00}r_{10}+e_{10}=d_{10} \\ a_{01}r_{00}+a_{00}r_{01}+e_{01}=d_{01} \\ a_{00}r_{00}+e_{00}=d_{00}. \end{array} \end{aligned}$$
(14)

The system has a solution space with dimension at least three since the number of variables is more than the number of equations by three. In general, a linear system obtained with this attack has a solution space with a dimension at least \(\#\varGamma _r\) since the system has \(\#\varGamma _{Xr}+\#\varGamma _{r}\) variables and \(\#\varGamma _{Xr}\) equations.

When we can find a solution such that the \(e_{ij}\) take values in \(R_p\), we conclude that (X, Y) is in \(T_X\). We may find it exactly with a brute-force attack on the polynomial e, but this attack can be avoided by increasing \(\#\varGamma _{Xr}\) so that

$$\begin{aligned} ((p-1)p^{n-1})^{\#\varGamma _{Xr}}>2^k\,, \end{aligned}$$

where k is a security parameter.

We employ a lattice-reduction attack to find such a small \(e_{ij}\). Let us represent \(a\in R_q\) as a vector \((a_0,a_1,\cdots ,a_{n-2},a_{n-1})\) for

$$\begin{aligned} a=a_0+a_1t+\cdots +a_{n-2}t^{n-2}+a_{n-1}t^{n-1}\,. \end{aligned}$$

When the elements \(b,c\in R_q\) are represented in the same manner as a, we can express \(ab+c\) as

$$\begin{aligned} \begin{array}{llll} \left( \begin{array}{ccccc} a_{n-1} &{} a_{n-2} &{} \cdots &{} a_1 &{} a_0 \\ a_{n-2} &{} a_{n-3} &{} \cdots &{} a_0 &{} a_{n-1} \\ a_{n-3} &{} a_{n-4} &{} \cdots &{} a_{n-1} &{} a_{n-2} \\ \vdots &{} \vdots &{} \vdots &{} \vdots &{} \vdots \\ a_0 &{} a_{n-1} &{} \cdots &{} a_2 &{} a_1 \end{array} \right) &{} \left( \begin{array}{c} b_0\\ b_1\\ \vdots \\ b_{n-2} \\ b_{n-1} \end{array} \right) &{} + &{} \left( \begin{array}{c} c_{n-1} \\ c_{n-2} \\ \vdots \\ c_1\\ c_0 \end{array} \right) \end{array}. \end{aligned}$$
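The matrix form of \(ab+c\) above is easy to get wrong in code because the matrix rows and the c and output vectors are listed in descending order of t while b is ascending. As an added check (example code written for this edit, not from the paper), the following builds the circulant matrix exactly as displayed, applies it to \((b_0,\ldots ,b_{n-1})^T\) plus \((c_{n-1},\ldots ,c_0)^T\), and compares the result with a direct product in \(R_q\); the values q = 17, n = 4 are constructed, and the function names are ours.

```python
import random


def circulant(a):
    # Row k of the displayed matrix lists a_{n-1-k}, a_{n-2-k}, ..., indices taken mod n:
    # the first row is (a_{n-1}, ..., a_0) and the last row is (a_0, a_{n-1}, ..., a_1).
    n = len(a)
    return [[a[(n - 1 - k - col) % n] for col in range(n)] for k in range(n)]


def matvec_mod(matrix, v, q):
    return [sum(x * y for x, y in zip(row, v)) % q for row in matrix]


def ring_mul(a, b, q):
    # Reference product a*b in Z_q[t]/(t^n - 1), coefficients in ascending order of t.
    n = len(a)
    return [sum(a[i] * b[(k - i) % n] for i in range(n)) % q for k in range(n)]


def ab_plus_c_matrix(a, b, c, q):
    # The displayed form: A (b_0, ..., b_{n-1})^T + (c_{n-1}, ..., c_0)^T.
    # The output is in descending order of t, like the c vector.
    return [(x + y) % q for x, y in zip(matvec_mod(circulant(a), b, q), c[::-1])]


def ab_plus_c_ring(a, b, c, q):
    # The same element of R_q computed directly, in ascending order.
    return [(x + y) % q for x, y in zip(ring_mul(a, b, q), c)]


def representation_agrees(a, b, c, q):
    # The matrix form equals the ring computation once the coefficient order is reversed.
    return ab_plus_c_matrix(a, b, c, q) == ab_plus_c_ring(a, b, c, q)[::-1]


def random_agreement(trials=50, n=7, q=101, seed=3):
    # Randomised version of the same check (constructed inputs, fixed seed).
    rng = random.Random(seed)
    return all(
        representation_agrees([rng.randrange(q) for _ in range(n)],
                              [rng.randrange(q) for _ in range(n)],
                              [rng.randrange(q) for _ in range(n)], q)
        for _ in range(trials)
    )


if __name__ == "__main__":
    a, b, c, q = [1, 2, 3, 4], [5, 6, 7, 8], [1, 0, 0, 2], 17
    print("A =", circulant(a))
    print("A b + c (descending) =", ab_plus_c_matrix(a, b, c, q))
    print("a b + c (ascending)  =", ab_plus_c_ring(a, b, c, q))
```

Keeping track of this ordering matters when the per-coefficient vectors \(\varvec{r_{10}},\varvec{e_{20}},\varvec{d_{20}}\) below are assembled into the lattices (15) and (17): r vectors are ascending while e and d vectors are descending.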

The first equation of (14) is described as

$$\begin{aligned} A_{10}\varvec{r_{10}}+\varvec{e_{20}}=\varvec{d_{20}} \end{aligned}$$

when \(a_{10}\) is expressed as

$$ A_{10}= \left( \begin{array}{ccccc} a_{n-1} &{} a_{n-2} &{} \cdots &{} a_1 &{} a_0 \\ a_{n-2} &{} a_{n-3} &{} \cdots &{} a_0 &{} a_{n-1} \\ a_{n-3} &{} a_{n-4} &{} \cdots &{} a_{n-1} &{} a_{n-2} \\ \vdots &{} \vdots &{} \vdots &{} \vdots &{} \vdots \\ a_0 &{} a_{n-1} &{} \cdots &{} a_2 &{} a_1 \end{array} \right) $$

and \(\varvec{r_{10}},\varvec{e_{20}},\varvec{d_{20}}\) are denoted by

$$ \begin{array}{l} \varvec{r_{10}}= \left( \begin{array}{ccccc} r_{0} &{} r_{1} &{} \cdots &{} r_{n-2} &{} r_{n-1} \end{array} \right) ^T, \\ \varvec{e_{20}}= \left( \begin{array}{ccccc} e_{n-1} &{} e_{n-2} &{} \cdots &{} e_{1} &{} e_{0} \end{array} \right) ^T, \\ \varvec{d_{20}}= \left( \begin{array}{ccccc} d_{n-1} &{} d_{n-2} &{} \cdots &{} d_{1} &{} d_{0} \end{array} \right) ^T , \end{array} $$

respectively. By adding the integer vector \(\varvec{u_{20}}=(u_{n-1},\cdots ,u_0)^T\), we obtain the equation over the integers, as follows.

$$\begin{aligned} A_{10}\varvec{r_{10}}+q\varvec{u_{20}}+\varvec{e_{20}}=\varvec{d_{20}} \end{aligned}$$

Now, we can consider an integer lattice \(\mathcal{L}= \left( \begin{array}{ll} A_{10}&qI_n \end{array} \right) , \) where \(I_n\) denotes the \(n \times n\) unit matrix. If we can find a point v closest to \(\varvec{d_{20}}\) in the lattice \(\mathcal{L}\), then we can detect \(\pm \varvec{e_{20}}\) from \(\varvec{v}-\varvec{d_{20}}\) with high probability. In the same way, \(\pm \varvec{e_{11}}\) can be detected from a point w closest to \(\varvec{d_{11}}\) in the lattice \( \left( \begin{array}{lll} A_{10}&A_{01}&qI_n \end{array} \right) . \) However, we cannot distinguish whether the sample (X, Y) is sampled from \(T_X\) if the \(a_{ij}\) are invertible in \(R_q\). For the equation \(a_{10}r_{10}+e_{20}=d_{20}\), we can calculate \(r_{10}\in R_q\) from any short vector \(e_{20}\) as \(r_{10}=a_{10}^{-1}(d_{20}-e_{20})\). This implies that any sample \((X,Y)\in U_X\) satisfies the relation. The same is true for every equation in (14).

Therefore, we need to simultaneously consider all equations in (14). Then, we see that the linear algebraic attack can be reduced to the closest vector problem (CVP) on the lattice

$$\begin{aligned} \left( \begin{array}{ccccccccc} A_{10} &{} &{} &{} qI_n &{} &{} &{} &{} &{} \\ A_{01} &{} A_{10} &{} &{} &{} qI_n &{} &{} &{} &{} \\ &{} A_{01} &{} &{} &{} &{} qI_n &{} &{} &{} \\ A_{00} &{} &{} A_{10} &{} &{} &{} &{} qI_n &{} &{} \\ &{} A_{00} &{} A_{01} &{} &{} &{} &{} &{} qI_n &{} \\ &{} &{} A_{00} &{} &{} &{} &{} &{} &{} qI_n \end{array} \right) \end{aligned}$$
(15)

and the vector \( \left( \varvec{d_{20}} \, \varvec{d_{11}} \, \varvec{d_{02}} \, \varvec{d_{10}} \, \varvec{d_{01}} \, \varvec{d_{00}}\right) ^T. \) Here, blank entries are zero matrices.

Key-Recovery Attack. If a solution \(\tilde{u} := \left( \tilde{u}_x(t), \tilde{u}_y(t) \right) \in R_q^2\) to \(X(x, y)=0\) (not necessarily the secret key) in which all coefficients are less than p is found, then the IE-LWE problem can be solved with high probability, as follows. For an IE-LWE instance (X, Y), if all coefficients of \(p \cdot Y(\tilde{u})\) are multiples of p, then it can be concluded that (X, Y) is sampled from \(T_X\). In fact, sampling (X, Y) from \(T_X\) implies that

$$\begin{aligned} p\cdot Y(\tilde{u})= p(X(\tilde{u})r(\tilde{u})+e(\tilde{u}))=p\cdot e(\tilde{u}), \end{aligned}$$

and \(MC(e(\tilde{u}))<q\) implies that all coefficients of \(p\cdot e(\tilde{u})\) are multiples of p. On the other hand, if (X, Y) is sampled from \(U_X\), then the probability that all coefficients of \(p \cdot Y(\tilde{u})\) are multiples of p is about \(1/p^n\). Therefore, if a small solution, such as \(\tilde{u}\), can be found, then the IE-LWE problem can be solved with probability higher than \(1 - 1/p^n\) by checking whether all coefficients of \(p \cdot Y(\tilde{u})\) are multiples of p. Since \(n, p \ge 2\), the probability \(1 - 1/p^n\) is at least 3/4, which is non-negligible.

In the following, we consider the key-recovery attack on our encryption scheme (i.e., finding the smallest solution to \(X(x,y)=0\) over \(R_q\) by using lattice-reduction techniques). First, we consider the case of \(\deg X = 1\). In this case, we need to find \((u_x(t),u_y(t))\in R_p^2\) satisfying

$$\begin{aligned} a_{10}u_x(t)+a_{01}u_y(t)+a_{00}=0. \end{aligned}$$
(16)

We write this equation with a matrix and vectors in the same manner as the algebraic attack described above, as follows:

(17)

where \(\varvec{u}\) is the vector corresponding to \(u \in \mathbb {Z}[t]/(t^n-1)\) and satisfying \(a_{10}u_x(t)+a_{01}u_y(t)+qu+a_{00}=0\) in \(\mathbb {Z}[t]/(t^n-1)\) and \( A= \left( \begin{array}{ccc} A_{10}&A_{01}&qI_n \end{array} \right) . \) We consider the lattice \(\mathcal{L}_A=\{\varvec{x}|A\varvec{x}=\varvec{0}\}\) and let \(\varvec{v}\) be a solution to the system (17). Then, any solution of (17) can be written as \(\varvec{v}+\varvec{w}\) \((\varvec{w}\in \mathcal{L}_A)\). Observe that our target solution \((\varvec{u_x},\varvec{u_y},\varvec{u})\) of (17) is expected to be relatively short among the solutions of (17), because all of the coefficients of \(u_x(t)\) and \(u_y(t)\) are much smaller than q. This observation leads us to an approach to the key-recovery attack, as follows. First, we solve the system and find its solution space \(\mathcal{L}_A\) and a solution \(\varvec{v}\). Second, we solve CVP to find the vector \(\varvec{w}\) closest to \(\varvec{v}\), and then \(\varvec{v} - \varvec{w}\) is the smallest solution of (17) and is expected to be our target solution \((\varvec{u_x},\varvec{u_y},\varvec{u})^T\).

In the case of \(\deg X=2\), our approach to the key-recovery attack is similar to the approach in the case of \(\deg X = 1\). Now, our goal is to find \(u_x(t),u_y(t)\in R_{p}\) satisfying

(18)

where \( A= \left( \begin{array}{cccccc} A_{20}&A_{11}&A_{02}&A_{10}&A_{01}&qI_n \end{array} \right) . \) Note that each entry of the vector \((\varvec{u_x^2},\varvec{u_xu_y},\varvec{u_y^2})^T\) is in \(\mathbb {Z}_{np^2}\). We observe that the key-recovery attack for \(\deg X=2\) is much more difficult than that for \(\deg X = 1\) because the solution has the non-linear parts \(\varvec{u_x^2}\), \(\varvec{u_xu_y}\), and \(\varvec{u_y^2}\), which are hard to handle with lattice-reduction techniques. In fact, the key-recovery attack for \(\deg X=2\) did not succeed at all in our experiments, while the attack for \(\deg X = 1\) succeeded for some n. Moreover, Babai's nearest-plane algorithm could not find vectors closer than the correct vector for \(n \ge 20\). (See Table 2 in Sect. 4.3 for these results.)

We also considered the latest lattice attacks, such as the lattice-decoding attack and the subfield-lattice attack. As discussed in Appendix A, these are not applicable to our scheme.

4.3 Computational Experiment

In this subsection, we show our experimental results for the two attacks above in order to estimate the parameters that make the IE-LWE problem intractable. In our experiments, we used Babai's nearest-plane algorithm [5], a standard algorithm for solving CVP approximately. It takes a reduced lattice basis as input, obtained with a lattice basis-reduction algorithm such as the LLL algorithm [19] or the BKZ algorithm [29].

We use the root Hermite factor (RHF) as an index of the quality of the reduced basis used in Babai's nearest-plane algorithm. In general, RHF is at least 1, and the smaller the RHF, the better the reduction.

The LLL algorithm is expected to achieve RHF \(=1.0219\). In the case of the BKZ algorithm, RHF depends on the block sizes \(\beta \). For example, \(\beta = 20\) and \(\beta = 28\) suggest RHF \(=1.0128\) and RHF \(=1.0109\), respectively. (See [12] for these values of RHF).

Our computing environment is as follows.

  • CPU: AMD Opteron (TM) Processor 848

  • Memory: 64 GB

  • OS: Linux version 2.6.18-406.el5.centos.plus

  • Software: Magma Ver2.21-5

Experimental Results for the Linear Algebra Attack. After choosing X, r, and e uniformly at random as in the encryption process in Sect. 3.1, we set \((Y,Z) = (X, Xr + e)\) and conducted experiments to determine whether the target e or a polynomial with small coefficients \(< p\) could be found. Our experiments were conducted for the cases of \(\deg X=\deg r=1\) and \(\deg X=\deg r=2\), and we set \(p=3\) and increased n in each case. We generated three IE-LWE instances for each parameter set and applied the linear algebra attack described in Sect. 4.2 against each instance.

In Table 1, we show our experimental results for the linear algebra attack, where “Time” is the average time that it took to conduct the linear algebra attack and q is the smallest prime number satisfying (5).

Table 1. Experimental results for the linear algebra attack

The experimental results show that the linear algebra attack for \(\deg X = 1\) failed for \(n\ge 50\) and the attack for \(\deg X = 2\) succeeded for \(n \le 40\). In the case of \(\deg X = 2\), it took too much time to complete the attack when n was more than 40, since the rank of the lattice (15) increases in proportion to the square of \(\deg Xr\) (\(3n \times 9n\) for \(\deg X = 1\), \(6n \times 21n\) for \(\deg X = 2\)). The linear algebra attack appears to fail for values of n large enough that RHF \(>1\).

Experimental Results for the Key-Recovery Attack. We conducted the key-recovery attack described in Sect. 4.2 for the same instances as the linear algebra attack. We consider the key-recovery attack as having succeeded even if we find two polynomials with small coefficients \(< p\) that differ from the correct secret key \(\left( u_x(t), u_y(t) \right) \).

Table 2. Experimental results for the key-recovery attack

The experimental results described in Table 2 show that the key-recovery attack for \(\deg X = 1\) failed for \(n \ge 50\) and that the key-recovery attack for \(\deg X = 2\) did not succeed at all.

Moreover, in the case of \(\deg X = 2\), Babai’s nearest-plane algorithm could not find closer vectors than the correct vector when \(n \ge 20\). This implies that the algorithm is not able to find the correct vector when \(n \ge 20\).

5 Appropriate Parameter Values

In this section, we design appropriate parameter values using the experimental results in Sect. 4.3. Both the linear algebra attack and the key-recovery attack for \(\deg X = 1\) failed when \(n \ge 50\). However, a key-recovery attack could also be carried out by brute force, as follows. Choose \(\tilde{u}_x(t)\) randomly until the correct \(u_y(t)\) (or a polynomial with sufficiently small coefficients) is found by solving the one-variable equation \(X(\tilde{u}_x(t),y)=0\) over \(R_{q}\). In order to resist this brute-force attack, the parameter n must be set such that the number of candidates for \(u_x(t)\) is at least \(2^k\), where k is the security parameter. Therefore, we need to set \(n \ge 80\) to keep 128-bit security. Note that \(n \ge 80\) is also required in the case of \(\deg X = 2\), because the brute-force attack is independent of the degree of X. In addition, n should preferably be prime, since our scheme employs the same algebra as NTRU [13]. Using the above argument, we designed appropriate parameter values for our encryption scheme, shown in Table 3.

Table 3. Appropriate parameter values for our scheme

Using [7], we compare our encryption scheme in Table 4 with other lattice-based encryption schemes known as efficient ring-homomorphic encryption schemes. Table 4 shows that the ciphertext in our scheme is larger than that in LWE, but the public and secret keys in our scheme are the smallest among the schemes in Table 4.

Table 4. Comparison of our scheme with NTRU and LWE

From the point of view of solving indeterminate equations, the difference between the key-recovery attacks on our encryption scheme and on the NTRU encryption scheme is the following. Our scheme for \(\deg X = 2\) is based on the difficulty of finding a solution (a pair of univariate polynomials with small coefficients) satisfying the non-linear indeterminate equation \(X(x,y)=0\). In contrast, NTRU is based on the difficulty of finding polynomials f and g with small coefficients that satisfy the linear indeterminate equation \(hx \equiv g \mod q\). Based on this difference, we conclude that lattice basis reduction against NTRU is easier than against our scheme. Moreover, this leads to the difference in the sizes of public and secret keys between our scheme and NTRU (and LWE).

6 Conclusion

In this study, we constructed a post-quantum encryption scheme whose security is based on the IE-LWE problem, which is related to the smallest-solution problem in non-linear spaces. We gave the key-generation, encryption and decryption algorithms and a security proof in the IND-CPA sense. Then, we discussed two attacks that can be applied to the IE-LWE problem and estimated the key size of our scheme from the results of our computational experiments on these attacks. The key sizes are estimated to be much smaller than those of lattice-based cryptosystems such as LWE and NTRU, since no efficient approximation algorithms are known for non-linear spaces. Finally, we described our computational experiments on solving the problem with Babai's nearest-plane algorithm and LLL. In the future, we plan to conduct experiments using the lattice decoding attack and the subfield lattice attack to solve the problem.