Lattice-Based Dual Receiver Encryption and More

Abstract

Dual receiver encryption (DRE), proposed by Diament et al. at ACM CCS 2004, is a special extension notion of public-key encryption, which enables two independent receivers to decrypt a ciphertext into a same plaintext. This primitive is quite useful in designing combined public key cryptosystems and denial of service attack-resilient protocols. Up till now, a series of DRE schemes are constructed with bilinear pairing groups. In this work, we introduce the first construction of lattice-based DRE. Our scheme is secure against chosen-ciphertext attacks from the standard Learning with Errors (LWE) assumption with a public key of bit-size about \(2nm\log q\), where m and q are small polynomials in n. Additionally, for the DRE notion in the identity-based setting, identity-based DRE (ID-DRE), we also give a lattice-based ID-DRE scheme that achieves chosen-plaintext and adaptively chosen identity security based on the LWE assumption with public parameter size about \((2\ell +1)nm\log q\), where \(\ell \) is the bit-size of the identity in the scheme.

Appendices

Appendix A: Lattice Background

For positive integers q, n, m, and a matrix \(\mathbf {A}\in \mathbb {Z}_{q}^{n\times m}\), the m-dimensional integer lattices are defined as: \(\varLambda _{q}(\mathbf {A})=\{\mathbf {y}:\mathbf {y}=\mathbf {A}^{\top }\mathbf {s}~\mathrm {for}~\mathrm {some}~\mathbf {s}\in \mathbb {Z}^{n}\}\) and \(\varLambda _{q}^{\perp }(\mathbf {A})=\{\mathbf {y}:\mathbf {A}\mathbf {y}=\mathbf {0}\mod q\}\).

Let \(\mathbf {S}\) be a set of vectors \(\mathbf {S}=\{\mathbf {s}_{1},\cdots ,\mathbf {s}_{n}\}\) in \(\mathbb {R}^{m}\). We use \(\widetilde{\mathbf {S}}=\{\widetilde{\mathbf {s}}_{1},\cdots ,\widetilde{\mathbf {s}}_{n}\}\) to denote the Gram-Schmidt orthogonalization of the vectors \(\mathbf {s}_{1},\cdots ,\mathbf {s}_{n}\) in that order, and \(\Vert \mathbf {S}\Vert \) to denote the length of the longest vector in \(\mathbf {S}\). For a real-valued matrix \(\mathbf {R}\), let \(s_{1}(\mathbf {R})=\max _{\Vert \mathbf {u}\Vert =1}\Vert \mathbf {Ru}\Vert \) (respectively, \(\Vert \mathbf {R}\Vert _{\infty }=\max \Vert \mathbf {r}_{i}\Vert _{\infty }\)) denote the operator norm (respectively, infinity norm) of \(\mathbf {R}\).

For \(\mathbf {x}\in \varLambda \), define the Gaussian function \(\rho _{s,\mathbf {c}}(\mathbf {x})\) over \(\varLambda \subseteq \mathbb {Z}^m\) centered at \(\mathbf {c}\in \mathbb {R}^{m}\) with parameter \(s>0\) as \(\rho _{s,\mathbf {c}}(\mathbf {x})=\exp (-\pi ||\mathbf {x-c}||/s^2)\). Let \(\rho _{s,\mathbf {c}}(\varLambda )=\sum _{\mathbf {x}\in \varLambda }\rho _{s,\mathbf {c}}(\mathbf {x})\), and define the discrete Gaussian distribution over \(\varLambda \) as \(\mathcal {D}_{\varLambda ,s,\mathbf {c}}(\mathbf {x})=\frac{\rho _{s,\mathbf {c}}(\mathbf {x})}{\rho _{s,\mathbf {c}}(\varLambda )}\), where \(\mathbf {x}\in \varLambda \). For simplicity, \(\rho _{s,\mathbf {0}}\) and \(\mathcal {D}_{\varLambda ,s,\mathbf {0}}\) are abbreviated as \(\rho _{s}\) and \(\mathcal {D}_{\varLambda ,s}\), respectively.

Learning with Errors Assumption. The learning with errors problem, denoted by \(\mathrm {LWE}_{q,n,m,\alpha }\), was first proposed by Regev [16]. For integer \(n, m=m(n)\), a prime integer \(q>2\), an error rate \(\alpha \in (0,1)\), the LWE problem \(\mathrm {LWE}_{q,n,m,\alpha }\) is to distinguish the following pairs of distributions: \(\{\mathbf {A},\mathbf {A}^{\top }\mathbf {s+e}\}\) and \(\{\mathbf {A},\mathbf {u}\}\), where \(\mathbf {A}\overset{\$}{\leftarrow }\mathbb {Z}_{q}^{n\times m},\mathbf {s}\overset{\$}{\leftarrow }\mathbb {Z}_{q}^{n},\mathbf {u}\overset{\$}{\leftarrow }\mathbb {Z}_{q}^{m}\) and \(\mathbf {e}\overset{\$}{\leftarrow }\mathcal {D}_{\mathbb {Z}^{m},\alpha q}\). Regev [16] showed that solving decisional \(\mathrm {LWE}_{q,n,m,\alpha }\) (denoted by \(\mathrm {DLWE}_{q,n,m,\alpha }\)) for \(\alpha q>2\sqrt{2n}\) is (quantumly) as hard as approximating the SIVP and GapSVP problems to within \(\widetilde{\mathcal {O}}(n/\alpha )\) factors in the worst case.

Lemma 12

Let p, q, n, m be positive integers with \(q\ge p\ge 2\) and q prime. There exists PPT algorithms such that

• ([2, 3]): \(\mathsf {TrapGen}(1^n,1^{m},q)\) a randomized algorithm that, when \(m\ge 6n\lceil \log q\rceil \), outputs a pair \((\mathbf {A,T_{A}})\in \mathbb {Z}_{q}^{n\times m}\times \mathbb {Z}^{m\times m}\) such that \(\mathbf {A}\) is statistically close to uniform in \(\mathbb {Z}_{q}^{n\times m}\) and \(\mathbf {T_{A}}\) is a basis of \(\varLambda ^{\perp }_{q}(\mathbf {A})\), satisfying \(\Vert \widetilde{\mathbf {T_{A}}}\Vert \le \mathcal {O}(\sqrt{n\log q})\) with overwhelming probability.

• ([5]): \(\mathsf {SampleLeft}(\mathbf {A},\mathbf {B},\mathbf {u},\mathbf {T_{A}},\sigma )\) a randomized algorithm that, given a full rank matrix \(\mathbf {A}\in \mathbb {Z}_{q}^{n\times m}\), a matrix \(\mathbf {B}\in \mathbb {Z}_{q}^{n\times m}\), a basis \(\mathbf {T_{A}}\) of \(\varLambda ^{\perp }_{q}(\mathbf {A})\), a vector \(\mathbf {u}\in \mathbb {Z}_{q}^{n}\) and \(\sigma \ge \Vert \widetilde{\mathbf {T_{A}}}\Vert \cdot \omega (\sqrt{\log m})\), then outputs a vector \(\mathbf {r}\in \mathbb {Z}_{q}^{ 2m}\) distributed statistically close to \(\mathcal {D}_{\varLambda _{q}^{\mathbf {u}}(\mathbf {F}),\sigma }\) where \(\mathbf {F}=[\mathbf {A|B}]\).

• ([1]): \(\mathsf {SampleRight}(\mathbf {A},\mathbf {G},\mathbf {R},\mathbf {S},\mathbf {u},\mathbf {T_{G}},\sigma )\) a randomized algorithm that, given a full rank matrix \(\mathbf {A}\in \mathbb {Z}_{q}^{n\times m}\), a matrix \(\mathbf {R}\in \mathbb {Z}_{q}^{m\times m}\), an invertible matrix \(\mathbf {S}\in \mathbb {Z}_{q}^{n\times n}\), a vector \(\mathbf {u}\in \mathbb {Z}_{q}^{n}\) and \(\sigma \ge \Vert \widetilde{\mathbf {T_{G}}}\Vert \cdot s_{1}(\mathbf {R})\cdot \omega (\sqrt{\log m})\), then it outputs a vector \(\mathbf {r}\in \mathbb {Z}_{q}^{2m}\) statistically close to \(\mathcal {D}_{\varLambda _{q}^{\mathbf {u}}(\mathbf {F}),\sigma }\) where \(\mathbf {F}=[\mathbf {A|AR+SG}]\).

• (Generalized Leftover Hash Lemma [1, 9]): For \(m>(n+1)\log q+\omega (\log n)\) and prime \(q>2\), let \(\mathbf {R}\overset{\$}{\leftarrow }\{-1,1\}^{m\times k}\) and \(\mathbf {A}\overset{\$}{\leftarrow }\mathbb {Z}_{q}^{n\times m},\mathbf {B}\overset{\$}{\leftarrow }\mathbb {Z}_{q}^{n\times k}\) be uniformly random matrices. Then the distribution \((\mathbf {A,AR},\mathbf {R}^{\top }\mathbf {w})\) is \(\mathsf {negl}(n)\)-close to the distribution \((\mathbf {A,B},\mathbf {R}^{\top }\mathbf {w})\) for all vector \(\mathbf {w}\in \mathbb {Z}_{q}^{m}\). When \(\mathbf {w}\) is always \(\mathbf {0}\), this lemma is called Leftover Hash Lemma.

In [12], Katsuamta and Yamada introduced the “Noise Rerandomization” lemma which plays an important role in the security proof because of creating a well distributed challenge ciphertext.

Lemma 13

(Noise Rerandomization [12]). Let q, w, m be positive integers and r a positive real number with \(r>\max \{\omega (\sqrt{\log m}),\omega (\sqrt{\log w})\}\). For arbitrary column vector \(\mathbf {b}\in \mathbb {Z}_{q}^m\), vector \(\mathbf {e}\) chosen from \(\mathcal {D}_{\mathbb {Z}^{m},r}\), any matrix \(\mathbf {V}\in \mathbb {Z}^{w\times m}\) and positive real number \(\sigma >s_{1}(\mathbf {V})\), there exists a PPT algorithm \(\mathsf {ReRand}(\mathbf {V},\mathbf {b}+\mathbf {e},r,\sigma )\) that outputs \(\mathbf {b}^{\prime }=\mathbf {Vb}+\mathbf {e}^{\prime }\in \mathbb {Z}^{w}\) where \(\mathbf {e}^{\prime }\) is distributed statistically close to \(\mathcal {D}_{\mathbb {Z}^{w},2r\sigma }\).

Appendix B: Signature

Definition 1

(Signature Scheme). A signature scheme is a triple of probabilistic polynomial-time algorithms as follows:

• \(\mathsf {Gen}(1^\lambda )\) outputs a verification key vk and a signing key sk.

• \( \mathsf {Sign}(sk,\mu )\), given sk and a message \(\mu \in \{0,1\}^{\star }\), outputs a signature \(\sigma \in \{0,1\}^{\star }\).

• \(\mathsf {Ver}(vk,\mu ,\sigma )\) either accepts or rejects the signature \(\sigma \) for message \(\mu \).

The correctness requirement is: for any message \(\mu \in \mathcal {M}\), and for \((vk,sk)\overset{\$}{\leftarrow }\mathsf {Gen}(1^\lambda )\), \(\sigma \overset{\$}{\leftarrow }\mathsf {Sign}(sk; \mu )\), \(\mathsf {Ver}(vk,\mu ,\sigma )\) should accept with overwhelming probability (over all the randomness of the experiment).

The notion of security that we require for our IND-CCA DRE construction is strong existential unforgeability under a one-time chosen-message attack. The attack is defined as follows: generate \((vk,sk)\overset{\$}{\leftarrow }\mathsf {Gen}(1^\lambda )\) and give vk to the adversary \(\mathcal {A}\), then \(\mathcal {A}\) outputs a message \(\mu \). Generate \(\sigma \overset{\$}{\leftarrow }\mathsf {Sign}(sk, \mu )\) and give \(\sigma \) to \(\mathcal {A}\). The advantage of \(\mathcal {A}\) in the attack is the probability that it outputs some \((\mu ^\star ,\sigma ^\star )\ne (\mu ,\sigma )\) such that \(\mathsf {Ver}(vk,\mu ^\star ,\sigma ^\star )\) accepts. We say that the signature scheme is secure if for every PPT adversary \(\mathcal {A}\), its advantage in the attack is \(\mathsf {negl}(\lambda )\).