Abstract
\(\mathsf {PASS~Encrypt}\) is a lattice-based public key encryption scheme introduced by Hoffstein and Silverman (Des Codes Cryptogr 77(2–3):541–552, 2015). The efficiency and algebraic properties of \(\mathsf {PASS~Encrypt}\) and of the underlying partial Vandermonde knapsack problem (\(\mathrm {PV}\text {-}\mathrm {Knap}\)) make them an attractive starting point for building efficient post-quantum cryptographic primitives. Recall that \(\mathrm {PV}\text {-}\mathrm {Knap}\) asks to recover a polynomial of small norm from a partial list of its Vandermonde transform. Unfortunately, the security foundations of \(\mathrm {PV}\text {-}\mathrm {Knap}\)-based encryption are not well understood, and in particular, no security proof for \(\mathsf {PASS~Encrypt}\) is known. In this work, we make progress in this direction. First, we present a modified version of \(\mathsf {PASS~Encrypt}\) with a security proof based on decision \(\mathrm {PV}\text {-}\mathrm {Knap}\) and a leaky variant of it, named the \(\mathrm {PASS}\) problem. We next study an alternative approach to build encryption based on \(\mathrm {PV}\text {-}\mathrm {Knap}\). To this end, we introduce the partial Vandermonde \(\mathrm {LWE}\) problem (\(\mathrm {PV}\text {-}\mathrm {LWE}\)), which we show is computationally equivalent to \(\mathrm {PV}\text {-}\mathrm {Knap}\). Following Regev’s design for \(\mathrm {LWE}\)-based encryption, we use \(\mathrm {PV}\text {-}\mathrm {LWE}\) to construct an efficient encryption scheme. Its security is based on \(\mathrm {PV}\text {-}\mathrm {LWE}\) and a hybrid variant of \(\mathrm {PV}\text {-}\mathrm {Knap}\) and Polynomial \(\mathrm {LWE}\). Finally, we give a refined analysis of the concrete security of both schemes against best known lattice attacks.
Notes
Note that \(\mathbf {V}_{\varOmega } \cdot \mathbf {f}\bmod q\) is the vector of evaluations \((\mathbf {f}(\omega _j))_{\omega _j \in \varOmega }\) mod q of the polynomial \(\mathbf {f}\) at the roots in \(\varOmega \); the full vector of evaluations \((\mathbf {f}(\omega _j))_{j \in [n]}\) is also known as the Number Theoretic Transform (\(\mathrm {NTT}\)) of \(\mathbf {f}\) and \(\mathbf {f}(\omega _j)\) is also referred to as the j-th \(\mathrm {NTT}\) slot of \(\mathbf {f}\).
In Fourier \(\mathrm {SIS}\), the Fourier matrix, instead of the Vandermonde matrix, is used. The Fourier matrix consists of the powers of all roots of unity, whereas the Vandermonde matrix only contains the powers of all primitive roots of unity.
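Added example (not from the paper) illustrating notes 5 and 6 over the toy ring \(\mathbb {Z}_q[x]/(x^n+1)\) with constructed parameters n = 8, q = 97 (so q ≡ 1 mod 2n): the rows of \(\mathbf {V}\) are the primitive 2n-th roots of unity, the Fourier matrix would use all 2n-th roots, and \(\mathbf {V}_{\varOmega } \cdot \mathbf {f}\bmod q\) equals the evaluations of \(\mathbf {f}\) on \(\varOmega \). The polynomial h vanishing on \(\varOmega \) shows why the smallness of \(\mathbf {f}\) matters in \(\mathrm {PV}\text {-}\mathrm {Knap}\): \(\mathbf {f}+\mathbf {h}\) has the same partial transform but large coefficients.

```python
# Added example (not from the paper): the partial Vandermonde transform of note 5,
# instantiated over R_q = Z_q[x]/(x^n + 1) with n a power of two and q = 1 (mod 2n),
# so the primitive 2n-th roots of unity mod q are exactly the roots of x^n + 1.
N, Q = 8, 97          # constructed toy parameters: 97 = 1 (mod 16)

def primitive_roots(n=N, q=Q):
    """Primitive 2n-th roots of unity mod q (the roots of x^n + 1): rows of V."""
    return [w for w in range(1, q) if pow(w, n, q) == q - 1]

def all_roots_of_unity(n=N, q=Q):
    """All 2n-th roots of unity mod q: rows of the Fourier matrix of note 6."""
    return [w for w in range(1, q) if pow(w, 2 * n, q) == 1]

def evaluate(f, w, q=Q):
    """Horner evaluation f(w) mod q; f is the coefficient vector (low degree first)."""
    acc = 0
    for c in reversed(f):
        acc = (acc * w + c) % q
    return acc

def partial_vandermonde_transform(f, omega, q=Q):
    """V_Omega . f mod q, row j of V_Omega being (1, w_j, ..., w_j^{n-1})."""
    n = len(f)
    return [sum(pow(w, i, q) * f[i] for i in range(n)) % q for w in omega]

def vanishing_poly(omega, n=N, q=Q):
    """Coefficients of h(x) = prod_{w in omega} (x - w) mod q, padded to length n.
    h has degree |omega| < n, so it is a nonzero element of R_q with V_Omega . h = 0."""
    assert len(omega) < n
    h = [1]
    for w in omega:
        nxt = [0] * (len(h) + 1)
        for i, c in enumerate(h):          # multiply h by (x - w)
            nxt[i] = (nxt[i] - c * w) % q
            nxt[i + 1] = (nxt[i + 1] + c) % q
        h = nxt
    return h + [0] * (n - len(h))

def demo(t=4):
    """Constructed small-norm f and Omega = first t primitive roots; returns the pieces."""
    f = [1, -1, 0, 1, 0, 0, -1, 1]                 # ternary coefficients, small norm
    omega = primitive_roots()[:t]
    h = vanishing_poly(omega)
    g = [(a + b) % Q for a, b in zip(f, h)]        # same partial transform as f, but large
    return f, omega, partial_vandermonde_transform(f, omega), g, partial_vandermonde_transform(g, omega)
```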
In other works, this term may also refer to the complex embeddings from K to \(\mathbb {C}\).
Even though they originally called it the partial Fourier recovery problem.
A deterministic \(\mathrm {PKE}\) scheme cannot be \(\textsf {IND-CPA}\) secure as an adversary can simply encrypt both messages using the public key and decide which one is used in the challenge ciphertext.
In contrast to \(\mathsf {PASS~Encrypt}\), we do not need to bound the \(\ell _1\)-norm for the correctness of \(\mathsf {PV}\text { }\mathsf {Regev}\text { }\mathsf {Encrypt}\), and thus there is no motivation to use the uniform distribution over \(T_n(d)\) as before.
We could further save in storage and bandwidth by only transmitting an index vector in \(\{0,1\}^n\) (instead of the full vector \(\varOmega \)) indicating which row of \(\mathbf {V}\) is used for the public key.
References
Albrecht M.R., Curtis B.R., Deo A., Davidson A., Player R., Postlethwaite E.W., Virdia F., Wunderer T.: Estimate all the LWE, NTRU schemes! In: SCN. Lecture Notes in Computer Science, vol. 11035, pp. 351–367. Springer, New York (2018).
Ajtai M., Dwork C.: A public-key cryptosystem with worst-case/average-case equivalence. In: STOC, pp. 284–293. ACM, New York (1997).
Alkim E., Ducas L., Pöppelmann T., Schwabe P.: Post-quantum key exchange: a new hope. In: USENIX Security Symposium, pp. 327–343. USENIX Association (2016).
Ajtai M.: Generating hard instances of lattice problems (extended abstract). In: STOC, pp. 99–108. ACM, New York (1996).
Cramer R., Ducas L., Peikert C., Regev O.: Recovering short generators of principal ideals in cyclotomic rings. In: EUROCRYPT (2). Lecture Notes in Computer Science, vol. 9666, pp. 559–585. Springer, New York (2016).
Cramer R., Ducas L., Wesolowski B.: Short Stickelberger class relations and application to Ideal-SVP. In: EUROCRYPT (1). Lecture Notes in Computer Science, vol. 10210, pp. 324–348 (2017).
Dachman-Soled D., Ducas L., Gong H., Rossi M.: LWE with side information: attacks and concrete security estimation. In: CRYPTO (2). Lecture Notes in Computer Science, vol. 12171, pp. 329–358. Springer, New York (2020).
Doröz Y., Hoffstein J., Silverman J.H., Sunar B.: MMSAT: a scheme for multimessage multiuser signature aggregation. IACR Cryptol. (2020).
Ducas L., van Woerden W.P.J.: NTRU fatigue: how stretched is overstretched? In: ASIACRYPT (4). Lecture Notes in Computer Science, vol. 13093, pp. 3–32. Springer, New York (2021).
Gachon E., Pellet-Mary A.: Private communication (2021).
Gentry C., Peikert C., Vaikuntanathan V.: Trapdoors for hard lattices and new cryptographic constructions. In: STOC, pp. 197–206. ACM, New York (2008).
Gentry C., Sahai A., Waters B.: Homomorphic encryption from learning with errors: conceptually-simpler, asymptotically-faster, attribute-based. In: CRYPTO (1). Lecture Notes in Computer Science, vol. 8042, pp. 75–92. Springer, New York (2013).
Hurley T., Hurley D.: Coding theory: the unit-derived methodology. Int. J. Inf. Coding Theory 5(1), 55–80 (2018).
Hoffstein J., Pipher J., Silverman J.H.: NTRU: a ring-based public key cryptosystem. In: ANTS. Lecture Notes in Computer Science, vol. 1423, pp. 267–288. Springer, New York (1998).
Hoffstein J., Pipher J., Schanck J.M., Silverman J.H., Whyte W.: Practical signatures from the partial Fourier recovery problem. In: ACNS. Lecture Notes in Computer Science, vol. 8479, pp. 476–493. Springer, New York (2014).
Hoffstein J., Silverman J.H.: PASS-Encrypt: a public key cryptosystem based on partial evaluation of polynomials. Des. Codes Cryptogr. 77(2–3), 541–552 (2015).
Laarhoven T.: Search problems in cryptography. (2015). http://www.thijs.com/docs/phd-final.pdf. Accessed 08 Jul 2021.
Lyubashevsky V., Micciancio D.: Generalized compact knapsacks are collision resistant. In: ICALP (2). Lecture Notes in Computer Science, vol. 4052, pp. 144–155. Springer, New York (2006).
Lindner R., Peikert C.: Better key sizes (and attacks) for LWE-based encryption. In: CT-RSA. Lecture Notes in Computer Science, vol. 6558, pp. 319–339. Springer, New York (2011).
Lyubashevsky V., Peikert C., Regev O.: On ideal lattices and learning with errors over rings. In: EUROCRYPT. Lecture Notes in Computer Science, vol. 6110, pp. 1–23. Springer, New York (2010).
Lyubashevsky V., Peikert C., Regev O.: On ideal lattices and learning with errors over rings. J. ACM 60(6), 43:1-43:35 (2013).
López-Alt A., Tromer E., Vaikuntanathan V.: On-the-fly multiparty computation on the cloud via multikey fully homomorphic encryption. In: STOC, pp. 1219–1234. ACM, New York (2012).
Lu X., Zhang Z., Au M.H.: Practical signatures from the partial Fourier recovery problem revisited: a provably-secure and Gaussian-distributed construction. In: ACISP. Lecture Notes in Computer Science, vol. 10946, pp. 813–820. Springer, New York (2018).
Micciancio D., Mol P.: Pseudorandom knapsacks and the sample complexity of LWE search-to-decision reductions. In: CRYPTO. Lecture Notes in Computer Science, vol. 6841, pp. 465–484. Springer, New York (2011).
Micciancio D., Regev O.: Lattice-based cryptography. In: Post-Quantum Cryptography, pp. 147–191. Springer, New York (2010).
Peikert C.: A decade of lattice cryptography. Found. Trends Theor. Comput. Sci. 10(4), 283–424 (2016).
Pellet-Mary A., Hanrot G., Stehlé D.: Approx-SVP in ideal lattices with pre-processing. In: EUROCRYPT (2). Lecture Notes in Computer Science, vol. 11477, pp. 685–716. Springer, New York (2019).
Peikert C., Rosen A.: Efficient collision-resistant hashing from worst-case assumptions on cyclic lattices. In: TCC. Lecture Notes in Computer Science, vol. 3876, pp. 145–166. Springer, New York (2006).
Pan Y., Xu J., Wadleigh N., Cheng Q.: On the ideal shortest vector problem over random rational primes. In: EUROCRYPT (1). Lecture Notes in Computer Science, vol. 12696, pp. 559–583. Springer, New York (2021).
Regev O.: On lattices, learning with errors, random linear codes, and cryptography. In: STOC, pp. 84–93. ACM (2005).
Roth R.M.: Introduction to Coding Theory. Cambridge University Press, Cambridge (2006).
Stehlé D., Steinfeld R.: Making NTRU as secure as worst-case problems over ideal lattices. In: EUROCRYPT. Lecture Notes in Computer Science, vol. 6632, pp. 27–47. Springer, New York (2011).
Stehlé D., Steinfeld R., Tanaka K., Xagawa K.: Efficient public key encryption based on ideal lattices. In: ASIACRYPT. Lecture Notes in Computer Science, vol. 5912, pp. 617–635. Springer, New York (2009).
Steinfeld R.: NTRU cryptosystem: recent developments and emerging mathematical problems in finite polynomial rings. Algebr. Curv. Finite Fields 16, 179 (2014).
Acknowledgements
Katharina Boudgoust was funded by the Direction Générale de l’Armement (Pôle de Recherche CYBER). This work was supported in part by Australian Research Council Discovery Grant DP180102199. We thank our anonymous PKC’2021 and DCC referees for their helpful and constructive feedback, and we also thank Alice Pellet-Mary for making us aware that there are unsafe choices of the partial Vandermonde matrix.
Communicated by M. Albrecht.
Cite this article
Boudgoust, K., Sakzad, A. & Steinfeld, R. Vandermonde meets Regev: public key encryption schemes based on partial Vandermonde problems. Des. Codes Cryptogr. 90, 1899–1936 (2022). https://doi.org/10.1007/s10623-022-01083-7
DOI: https://doi.org/10.1007/s10623-022-01083-7