Vandermonde meets Regev: public key encryption schemes based on partial Vandermonde problems

Designs, Codes and Cryptography

Abstract

\(\mathsf{PASS~Encrypt}\) is a lattice-based public key encryption scheme introduced by Hoffstein and Silverman (Des Codes Cryptogr 77(2–3):541–552, 2015). The efficiency and algebraic properties of \(\mathsf{PASS~Encrypt}\) and of the underlying partial Vandermonde knapsack problem (\(\mathrm{PV\text{-}Knap}\)) make them an attractive starting point for building efficient post-quantum cryptographic primitives. Recall that \(\mathrm{PV\text{-}Knap}\) asks to recover a polynomial of small norm from a partial list of its Vandermonde transform. Unfortunately, the security foundations of \(\mathrm{PV\text{-}Knap}\)-based encryption are not well understood, and in particular, no security proof for \(\mathsf{PASS~Encrypt}\) is known. In this work, we make progress in this direction. First, we present a modified version of \(\mathsf{PASS~Encrypt}\) with a security proof based on decision \(\mathrm{PV\text{-}Knap}\) and a leaky variant of it, named the \(\mathrm{PASS}\) problem. We next study an alternative approach to build encryption based on \(\mathrm{PV\text{-}Knap}\). To this end, we introduce the partial Vandermonde \(\mathrm{LWE}\) problem (\(\mathrm{PV\text{-}LWE}\)), which we show is computationally equivalent to \(\mathrm{PV\text{-}Knap}\). Following Regev's design for \(\mathrm{LWE}\)-based encryption, we use \(\mathrm{PV\text{-}LWE}\) to construct an efficient encryption scheme. Its security is based on \(\mathrm{PV\text{-}LWE}\) and a hybrid variant of \(\mathrm{PV\text{-}Knap}\) and Polynomial \(\mathrm{LWE}\). Finally, we give a refined analysis of the concrete security of both schemes against the best known lattice attacks.

Notes

  1. Note that \(\mathbf{V}_{\varOmega} \cdot \mathbf{f} \bmod q\) is the vector of evaluations \((\mathbf{f}(\omega_j))_{\omega_j \in \varOmega}\) mod q of the polynomial \(\mathbf{f}\) at the roots in \(\varOmega\); the full vector of evaluations \((\mathbf{f}(\omega_j))_{j \in [n]}\) is also known as the Number Theoretic Transform (\(\mathrm{NTT}\)) of \(\mathbf{f}\), and \(\mathbf{f}(\omega_j)\) is also referred to as the j-th \(\mathrm{NTT}\) slot of \(\mathbf{f}\).

  2. Fourier \(\mathrm{SIS}\) uses the Fourier matrix instead of the Vandermonde matrix: the Fourier matrix consists of the powers of all roots of unity, whereas the Vandermonde matrix contains only the powers of the primitive roots of unity.

  3. In other works, this term may also refer to the complex embeddings from K to \(\mathbb {C}\).

  4. Even though they originally called it the partial Fourier recovery problem.

  5. A deterministic \(\mathrm{PKE}\) scheme cannot be \(\textsf{IND-CPA}\) secure: an adversary can simply encrypt both candidate messages under the public key, compare the results with the challenge ciphertext, and thereby decide which one was encrypted.

  6. https://github.com/lducas/leaky-LWE-Estimator

  7. https://github.com/KatinkaBou/SecurityAnalysisPASSEncrypt

  8. In contrast to \(\mathsf{PASS~Encrypt}\), we do not need to bound the \(\ell_1\)-norm for the correctness of \(\mathsf{PV~Regev~Encrypt}\), and thus there is no motivation to use the uniform distribution over \(T_n(d)\) as before.

  9. https://github.com/KatinkaBou/SecurityAnalysisPVRegevEncrypt

  10. We could further save in storage and bandwidth by only transmitting an index vector in \(\{0,1\}^n\) (instead of the full vector \(\varOmega\)) indicating which rows of \(\mathbf{V}\) are used for the public key.
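
The following Python script is an added worked example, not code from the paper or its authors. It makes concrete what Notes 1 and 10 describe: building the Vandermonde matrix from the primitive roots of unity, releasing only the NTT slots indexed by \(\varOmega\) (the partial Vandermonde transform), and encoding \(\varOmega\) as an index vector in \(\{0,1\}^n\). It also shows why only the partial transform yields a hard problem: a second, non-small polynomial with the same partial transform is built from the polynomial vanishing on \(\varOmega\). The ring \(\mathbb{Z}_q[x]/(x^n+1)\) with \(q \equiv 1 \pmod{2n}\), the toy parameters \(n = 8, q = 17\), the ternary secret, the index set and all function names are assumptions of this example and are not fixed by the page.

```python
# Partial Vandermonde transform, PV-Knap instances and the index-vector encoding of
# Omega. Added illustration, not the paper's code. Assumed setting: n a power of two
# and q a prime with q = 1 (mod 2n), so x^n + 1 splits into n linear factors over Z_q
# and its roots w_j are exactly the primitive 2n-th roots of unity. The parameters,
# the secret f and the index set Omega below are constructed toy values.

N, Q = 8, 17                      # constructed: 17 = 1 (mod 16)


def primitive_roots(n, q):
    """All w in Z_q with w^n = -1, i.e. the roots of x^n + 1 (primitive 2n-th roots of unity)."""
    roots = [w for w in range(1, q) if pow(w, n, q) == q - 1]
    if len(roots) != n:
        raise ValueError("x^n + 1 does not split completely mod q; need q = 1 (mod 2n)")
    return roots


def vandermonde(roots, n, q):
    """V[j][i] = w_j^i mod q, so (V . f)[j] = f(w_j) is the j-th NTT slot of f (Note 1)."""
    return [[pow(w, i, q) for i in range(n)] for w in roots]


def horner(f, w, q):
    """Evaluate f (coefficient list, constant term first) at w mod q."""
    acc = 0
    for c in reversed(f):
        acc = (acc * w + c) % q
    return acc


def partial_transform(f, roots, omega, q):
    """V_Omega . f mod q: only the NTT slots whose indices lie in Omega are released."""
    V = vandermonde(roots, len(f), q)
    return [sum(V[j][i] * f[i] for i in range(len(f))) % q for j in omega]


def poly_mul(a, b, q):
    """Schoolbook product of two coefficient lists mod q (no reduction mod x^n + 1)."""
    out = [0] * (len(a) + len(b) - 1)
    for i, x in enumerate(a):
        for j, y in enumerate(b):
            out[i + j] = (out[i + j] + x * y) % q
    return out


def vanishing_poly(roots, omega, q):
    """prod_{j in Omega} (x - w_j); every multiple of it lies in the kernel of V_Omega."""
    k = [1]
    for j in omega:
        k = poly_mul(k, [(-roots[j]) % q, 1], q)      # multiply by (x - w_j)
    return k


def colliding_preimage(f, roots, omega, q, r=None):
    """Another polynomial with the same partial transform as f.

    V_Omega . f = y pins f down only modulo ker(V_Omega), which has q^(n-|Omega|)
    elements; PV-Knap asks for the short element of that coset. With |Omega| = n the
    kernel is trivial and f is simply recovered by the inverse NTT.
    """
    n, t = len(f), len(omega)
    if t >= n:
        raise ValueError("full transform: kernel is trivial, no collision exists")
    if r is None:
        r = [1] * (n - t)            # any nonzero multiplier of degree < n - |Omega|
    kr = poly_mul(vanishing_poly(roots, omega, q), r, q)   # degree < n, no wrap-around
    return [(fi + ki) % q for fi, ki in zip(f, kr)]


def omega_to_bits(omega, n):
    """Note 10: send Omega as an index vector in {0,1}^n marking which rows of V are used."""
    bits = [0] * n
    for j in omega:
        bits[j] = 1
    return bits


def bits_to_omega(bits):
    return [j for j, b in enumerate(bits) if b]


def centered(c, q):
    """Representative of c mod q in (-q/2, q/2], to judge whether a coefficient is small."""
    return c - q if c > q // 2 else c


def demo():
    roots = primitive_roots(N, Q)
    f = [1, -1, 0, 1, 0, 0, -1, 1]           # constructed ternary secret
    f_mod = [c % Q for c in f]
    omega = [0, 2, 5, 7]                     # constructed: release 4 of the 8 NTT slots
    y = partial_transform(f_mod, roots, omega, Q)
    g = colliding_preimage(f_mod, roots, omega, Q)
    return {
        "roots": roots,
        "y": y,
        "slots_match": y == [horner(f_mod, roots[j], Q) for j in omega],
        "collides": partial_transform(g, roots, omega, Q) == y,
        "g_centered": [centered(c, Q) for c in g],   # not ternary: the wrong coset element
        "omega_bits": omega_to_bits(omega, N),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

Running the script prints the eight roots of \(x^8+1\) modulo 17, the four released slots, a confirmation that they equal the direct evaluations \(f(\omega_j)\), and a second preimage with the same four slots whose coefficients are far from ternary; the public data alone cannot tell the two apart, which is exactly the gap PV-Knap exploits. Note that the toy size is for illustration only; at \(n = 8\) the coset can be enumerated by hand.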

References

  1. Albrecht M.R., Curtis B.R., Deo A., Davidson A., Player R., Postlethwaite E.W., Virdia F., Wunderer T.: Estimate all the LWE, NTRU schemes! In: SCN. Lecture Notes in Computer Science, vol. 11035, pp. 351–367. Springer, New York (2018).

  2. Ajtai M., Dwork C.: A public-key cryptosystem with worst-case/average-case equivalence. In: STOC, pp. 284–293. ACM, New York (1997).

  3. Alkim E., Ducas L., Pöppelmann T., Schwabe P.: Post-quantum key exchange: a new hope. In: USENIX Security Symposium, pp. 327–343. USENIX Association (2016).

  4. Ajtai M.: Generating hard instances of lattice problems (extended abstract). In: STOC, pp. 99–108. ACM, New York (1996).

  5. Cramer R., Ducas L., Peikert C., Regev O.: Recovering short generators of principal ideals in cyclotomic rings. In: EUROCRYPT (2). Lecture Notes in Computer Science, vol. 9666, pp. 559–585. Springer, New York (2016).

  6. Cramer R., Ducas L., Wesolowski B.: Short Stickelberger class relations and application to Ideal-SVP. In: EUROCRYPT (1). Lecture Notes in Computer Science, vol. 10210, pp. 324–348. Springer, New York (2017).

  7. Dachman-Soled D., Ducas L., Gong H., Rossi M.: LWE with side information: attacks and concrete security estimation. In: CRYPTO (2). Lecture Notes in Computer Science, vol. 12171, pp. 329–358. Springer, New York (2020).

  8. Doröz Y., Hoffstein J., Silverman J.H., Sunar B.: MMSAT: a scheme for multimessage multiuser signature aggregation. IACR Cryptol. (2020).

  9. Ducas L., van Woerden, W.P.J.: NTRU fatigue: how stretched is overstretched? In: ASIACRYPT (4) Lecture Notes in Computer Science, vol. 13093, pp. 3–32. Springer, New York (2021).

  10. Gachon E., Pellet-Mary A.: Private communication (2021).

  11. Gentry C., Peikert C., Vaikuntanathan V.: Trapdoors for hard lattices and new cryptographic constructions. In: STOC, pp. 197–206. ACM, New York (2008).

  12. Gentry C., Sahai A., Waters B.: Homomorphic encryption from learning with errors: conceptually-simpler, asymptotically-faster, attribute-based. In: CRYPTO (1). Lecture Notes in Computer Science, vol. 8042, pp. 75–92. Springer, New York (2013).

  13. Hurley T., Hurley D.: Coding theory: the unit-derived methodology. Int. J. Inf. Coding Theory 5(1), 55–80 (2018).


  14. Hoffstein J., Pipher J., Silverman J.H.: NTRU: a ring-based public key cryptosystem. In: ANTS. Lecture Notes in Computer Science, vol. 1423, pp. 267–288. Springer, New York (1998).

  15. Hoffstein J., Pipher J., Schanck J.M., Silverman J.H., Whyte W.: Practical signatures from the partial Fourier recovery problem. In: ACNS. Lecture Notes in Computer Science, vol. 8479, pp. 476–493. Springer, New York (2014).

  16. Hoffstein J., Silverman J.H.: PASS-Encrypt: a public key cryptosystem based on partial evaluation of polynomials. Des. Codes Cryptogr. 77(2–3), 541–552 (2015).


  17. Laarhoven T.: Search problems in cryptography. (2015). http://www.thijs.com/docs/phd-final.pdf. Accessed 08 Jul 2021.

  18. Lyubashevsky V., Micciancio D.: Generalized compact knapsacks are collision resistant. In: ICALP (2). Lecture Notes in Computer Science, vol. 4052, pp. 144–155. Springer, New York (2006).

  19. Lindner R., Peikert C.: Better key sizes (and attacks) for LWE-based encryption. In: CT-RSA. Lecture Notes in Computer Science, vol. 6558, pp. 319–339. Springer, New York (2011).

  20. Lyubashevsky V., Peikert C., Regev O.: On ideal lattices and learning with errors over rings. In: EUROCRYPT. Lecture Notes in Computer Science, vol. 6110, pp. 1–23. Springer, New York (2010).

  21. Lyubashevsky V., Peikert C., Regev O.: On ideal lattices and learning with errors over rings. J. ACM 60(6), 43:1–43:35 (2013).


  22. López-Alt A., Tromer E., Vaikuntanathan V.: On-the-fly multiparty computation on the cloud via multikey fully homomorphic encryption. In: STOC, pp. 1219–1234. ACM, New York (2012).

  23. Lu X., Zhang Z., Au M.H.: Practical signatures from the partial Fourier recovery problem revisited: a provably-secure and Gaussian-distributed construction. In: ACISP. Lecture Notes in Computer Science, vol. 10946, pp. 813–820. Springer, New York (2018).

  24. Micciancio D., Mol P.: Pseudorandom knapsacks and the sample complexity of LWE search-to-decision reductions. In: CRYPTO. Lecture Notes in Computer Science, vol. 6841, pp. 465–484. Springer, New York (2011).

  25. Micciancio D., Regev O.: Lattice-based cryptography. In: Post-Quantum Cryptography, pp. 147–191. Springer, New York (2010).

  26. Peikert C.: A decade of lattice cryptography. Found. Trends Theor. Comput. Sci. 10(4), 283–424 (2016).


  27. Pellet-Mary A., Hanrot G., Stehlé D.: Approx-SVP in ideal lattices with pre-processing. In: EUROCRYPT (2). Lecture Notes in Computer Science, vol. 11477, pp. 685–716. Springer, New York (2019).

  28. Peikert C., Rosen A.: Efficient collision-resistant hashing from worst-case assumptions on cyclic lattices. In: TCC. Lecture Notes in Computer Science, vol. 3876, pp. 145–166. Springer, New York (2006).

  29. Pan Y., Xu J., Wadleigh N., Cheng Q.: On the ideal shortest vector problem over random rational primes. In: EUROCRYPT (1). Lecture Notes in Computer Science, vol. 12696, pp. 559–583. Springer, New York (2021).

  30. Regev O.: On lattices, learning with errors, random linear codes, and cryptography. In: STOC, pp. 84–93. ACM, New York (2005).

  31. Roth R.M.: Introduction to Coding Theory. Cambridge University Press, Cambridge (2006).


  32. Stehlé D., Steinfeld R.: Making NTRU as secure as worst-case problems over ideal lattices. In: EUROCRYPT. Lecture Notes in Computer Science, vol. 6632, pp. 27–47. Springer, New York (2011).

  33. Stehlé D., Steinfeld R., Tanaka K., Xagawa K.: Efficient public key encryption based on ideal lattices. In: ASIACRYPT. Lecture Notes in Computer Science, vol. 5912, pp. 617–635. Springer, New York (2009).

  34. Steinfeld R.: NTRU cryptosystem: recent developments and emerging mathematical problems in finite polynomial rings. Algebr. Curv. Finite Fields 16, 179 (2014).


Acknowledgements

Katharina Boudgoust was funded by the Direction Générale de l'Armement (Pôle de Recherche CYBER). This work was supported in part by Australian Research Council Discovery Grant DP180102199. We thank our anonymous PKC'2021 and DCC referees for their helpful and constructive feedback, and we also thank Alice Pellet-Mary for making us aware that there are unsafe choices of the partial Vandermonde matrix.

Corresponding author

Correspondence to Katharina Boudgoust.

Additional information

Communicated by M. Albrecht.

Cite this article

Boudgoust, K., Sakzad, A. & Steinfeld, R. Vandermonde meets Regev: public key encryption schemes based on partial Vandermonde problems. Des. Codes Cryptogr. 90, 1899–1936 (2022). https://doi.org/10.1007/s10623-022-01083-7
