Over the past few years, there have been many attractive developments in lattice-based cryptographic protocols, whose security is based on worst-case hardness assumptions, and which are conjectured to be secure against quantum attacks. Thus, lattice-based primitives are a promising candidate to replace constructions based on number theoretic assumptions like RSA  or Diffie-Hellman  that are currently in use.
One of the most versatile primitives for the design of provably secure cryptographic protocols is the learning with errors (LWE) problem introduced by Regev . For instance it can serve for IND-CPA (Indistinguishability under chosen-plaintext attack)  and IND-CCA (Indistinguishability under chosen-ciphertext attack) public key encryption . A structured variant of LWE, the decision ring learning with errors (-LWE) was proposed in  by Lyubashevsky et al. to allow more compact representations. Cryptographic applications of -LWE include fast encryption  and fast homomorphic encryption . Solving -LWE is at least as hard as solving approximate SIVP on ideal lattices.
In , Peikert introduced an efficient lattice-based key encapsulation mechanism (KEM) that allows two parties to share an ephemeral key that is useful for secret communications, featuring a low bandwidth reconciliation technique that aims to reach exact agreement on the shared key. A practical implementation of Peikert’s protocol called NewHope was proposed in  as a candidate to the NIST challenge on post-quantum cryptography. In  and , although key generation is performed using -dimensional lattices, the reconciliation step uses 1-dimensional and 4-dimensional lattices respectively (in fact, the latest implementation of the NewHope algorithm does not use reconciliation).
In this paper, we consider a more general framework for KEM based on ring-LWE, that does not require a dither, and where reconciliation is done directly on the -dimensional lattice using Wyner-Ziv coding.
More precisely, we consider Barnes-Wall lattices  and use Micciancio and Nicolosi’s BDD decoder with polynomial complexity  for the reconciliation step. In particular, we prove that this decoder is linear. This result is required for our security proof and may also be of independent interest. In the asymptotic regime for large , we show that this technique can generate bits of key per dimension. This improves upon  and  where the key rates are bit and bits per dimension respectively. Moreover, our scheme achieves exponentially small error probability , in particular when . Although current recommendations are to keep the error probability smaller than , this may be too conservative when transforming an IND-CPA secure encryption scheme into an IND-CCA secure one using the Fujisaki-Okamoto transform . A smaller error probability is desirable to prevent leakage of information from decryption failure attacks .
This paper is organized as follows. In Section II we provide basic definitions about cyclotomic fields, lattices, etc. In Section III we present the Barnes-Wall lattice with some of its properties. In Section IV, we introduce our key generation algorithm. In Section V and VI, we provide a proof that the error probability is small, and that our scheme is IND-CPA secure respectively.
In this section, we introduce the mathematical tools we use to describe and analyze our proposed scheme.
We write if , and if and . Finally, we use a variant of the notation that “ignores” logarithmic factors: , equivalent to for some integer .
II-A Lattices and algebraic number theory
First of all, we define the space H as follows: when and with Euler’s totient function, let
Note that is a proper -subspace of and is isomorphic to as an inner product space.
For our purposes, a lattice is a real full-rank discrete additive subgroup . Any lattice is generated as the set of all integer linear combinations of linearly independent basis vectors in as A fundamental cell of is a bounded set which, when shifted by the lattice points, generates a partition of . For a fundamental cell , any point can be uniquely expressed as a sum
We write and .
We will use implicitly in our proofs the fact that , and , as well as .
Given a lattice with basis and a vector such that dist, the bounded distance decoding problem is to find the lattice vector closest to .
Let and ; then defined as is a permutation of .
Cyclotomic fields and the canonical embedding
For an integer , the cyclotomic number field is the extension with degree , where is any primitive root of unity. We denote the ring of integers of by , its co-different by , and define for any integer . In the same manner we can define . Note that is isomorphic to by an isomorphism [5, Lemma 2.15].
Now we describe the embedding of a cyclotomic number field, which induces a “canonical” geometry on it. has exactly injective ring homomorphisms , and we can define the canonical embedding as
This is a ring homomorphism from to , where multiplication and addition in the latter are both component-wise. We define norms and other geometric quantities on simply by identifying field elements with their canonical embeddings , e.g., the norm is .
II-B Error distribution
A random vector in is subgaussian with parameter , if for any unit vector and for any ,
As a consequence of Theorem 1 in , the following tail inequality holds.
Let be a subgaussian vector in with parameter . Then :
The following two propositions describe the sum and point-wise product behavior of subgaussians:
Proposition 1 (, Corollary 2.3).
Let be independent subgaussian vectors over with parameters . Then is subgaussian with parameter .
Proposition 2 (, Claim 2.4).
Let be a subgaussian vector in of parameter , and another random vector. Then the point-wise multiplication vector is subgaussian of parameter .
When dealing with ring-LWE defined below, we work with a Gaussian-like error distribution over the number field . We first define the -dimensional i.i.d. Gaussian distribution with zero mean and covariance . Then we define the Gaussian distribution over to output an element for which has Gaussian distribution with parameter . In our application, we discretize to using coordinate-wise randomized rounding  and denote the resulting distribution by .
Proposition 3 (, Lemma 8.2).
If is a continuous Gaussian with parameter , and we use coordinate-wise randomized rounding, then is subgaussian with parameter , where is the product of all distinct primes dividing .
A function is negligible if for any constant .
Two ensembles and are computationally indistinguishable if for all efficient distinguisher algorithms , is negligible in .
We define the notion of key encapsulation mechanism (KEM). Following , a KEM with ciphertext space and (finite) key space is given by efficient algorithms Setup, Gen, Encaps and Decaps, having the following structure:
Setup() outputs a public parameter .
Gen() outputs a public encapsulation key and secret decapsulation key .
Encaps(; ) outputs a ciphertext and a key .
Decaps(; ) outputs some .
A KEM satisfies IND-CPA security, if the outputs of the following “real” and “ideal” games are computationally indistinguishable:
|Real Game||Ideal Game|
We state the ring-LWE problem in its discretized form. First of all, let us define the ring-LWE distribution:
For a distribution on and , a sample from the ring-LWE distribution over is generated by choosing uniformly at random, choosing , and outputting .
Definition 2 (Ring-LWE, Decision).
The decision version of the ring-LWE problem, denoted , is to distinguish with non-negligible advantage between independent samples from , where is chosen once and for all, and the same number of uniformly random and independent samples from .
Theorem 2 (, Theorem 2.22).
Let be the th cyclotomic ring, having dimension . Let , and let be a poly-bounded prime such that . There is a poly-time quantum reduction from -approximate SIVP (or SVP) on ideal lattices in to solving -DLWE given only samples, where is the Gaussian distribution for .
The following result extends the hardness guarantees to the case of discrete error. We make use of what is called a valid discretization from Section 2.4.2 in :
Theorem 3 (, Lemma 2.24).
Let be a coordinate-wise randomized rounding to . If -DLWE is hard given samples, then so is the variant of -DLWE in which the secret is sampled from given samples.
To apply Theorem 3 with two samples, we let . Hence is a continuous Gaussian with parameter .
III Barnes-Wall lattices and the Micciancio-Nicolosi BDD decoder
Micciancio and Nicolosi  give a polynomial time algorithm to solve the bounded distance decoding (BDD) problem for Barnes-Wall lattices: given a vector within distance from some lattice point in , find . This algorithm, called ParBW, has complexity , and we can prove that it is linear in the following sense:
Let . For a fixed , we have
This means that the operation ParBW induces a partition of into fundamental cells. The proof of Theorem 4 can be found in the Appendix.
We can also scale the Barnes-Wall lattice by an matrix to obtain . For an invertible matrix and we define the operation as:
and . It is not hard to prove that for and , , and .
For any , we have that , where .
IV Key generation algorithm
We give below the key generation algorithm between Alice and Bob.
|Parameters are ; and error distribution on|
|Alice (Server)||Bob (Client)|
We start by considering the lattice , a scaled rotation of where with a power of . After that, , hence is identified with . Note that induces an isomorphism between the additive quotient groups and . With slight abuse of notation, in the rest of the paper we identify the two quotient groups. For the remaining two lattices, we choose (quantization lattice) and (coding lattice) with partitions into fundamental sets such that the operation can be done in polynomial time for and such that performs BDD, i.e. given within distance from , . We will use the notation when there is no ambiguity about the chosen partition. Moreover, we impose that and .
The reconciliation rate of the protocol is , and the key rate .
We suppose that the error terms , and the secret terms , are taken independently from the distribution on , which is subgaussian with parameter (see Proposition 3). We define the modulus-to-noise ratio as the quotient between the modulus and the parameter of the error distribution . A smaller modulus-to-noise ratio provides stronger concrete security against known attacks. Moreover, since all the exchanged messages are modulo , the size of affects the overhead of the protocol.
Referring to Table I, the KEM algorithm consists of the following steps:
Setup() : Alice chooses a random element from and outputs .
Gen() : She then chooses in , computes , and outputs a public key and a secret key .
Encaps() : Bob chooses independent . He then computes and . He outputs with
and in such that
Decaps() : Alice computes and outputs .
This algorithm can essentially be seen as a generalization of the KEM in  and , where the reconciliation step is also lattice-based. For instance, in  the functions HelpRec and Rec can be written in the form (1) and (2) by taking , and the product lattices , . Note that unlike [7, 8], a dither is not required in our algorithm.
Construction using Barnes-Wall lattices
For an explicit construction we choose and , where and is a power of . By this choice, all the operations with in Table I can be deduced from Section III. The operation corresponds to a quantization operation induced by a partition of the Barnes-Wall lattice: (see Theorem 4). Since , we obtain that . For the inclusion , we must have , or . By Proposition 4, this is true when
Note that the key rate of the protocol is .
V Error probability
Here we give a general estimation for the error probability, and then specialize to the case when is a Barnes-Wall lattice. We start by observing that and , therefore with . Define the quantization error as . Hence, . In the expressions of the shared keys we obtain
Note that if and .
To simplify the analysis we suppose from now on that so that (more generally, to deal with the quantization error one could impose the condition that vanishes exponentially fast). Due to the BDD assumption for , we have that if . Now we want to estimate
For any constant , by the law of total probability the term (4) can be bounded by
Assuming that , and is subgaussian with parameter , then by Proposition 2, we can say that is subgaussian with parameter , and so . Following the same argument, given that , we get that . Since is subgaussian with parameter , then under the condition that and we obtain using Proposition 1:
Therefore, by Theorem 1 if we set , and , then
Choose . The above conditions become
When dealing with our explicit construction in Section IV-A, the condition on becomes, for large :
For example, we can choose
It is not hard to see that these are the only values of and , up to logarithmic factors, that satisfy the -LWE conditions and equation (9). With this choice, it follows from the bound (6) that the error probability can be as small as for . Note that the modulus to noise ratio of our scheme is of order , i.e. the same as in .
We will prove that the algorithm is IND-CPA secure, assuming the hardness of given two samples. This proof is generic and holds in the setting of the key generation protocol in Section IV independently of the choice of the lattices and as long as can be done efficiently. We follow the same argument as Section 4.2 in . We consider the adjacent games below:
|Game 1||Game 1 ’|
|Game 2||Game 3|
Notice that Game 1 is the “real” game defined in Section II, and Game 1’ is the “ideal” one. Our aim is to prove that Game 1 and Game 1’ are computationally indistinguishable. We’ll do so sequentially.
Clearly Game 1 and Game 2 are computationally indistinguishable under the assumption of hardness of .
To prove that Game 2 and Game 3 are computationally indistinguishable, we use the following Theorem which is essentially a consequence of the Crypto Lemma [17, Lemma 4.1.1]. It guarantees uniformity of the key without a dither.
If is uniformly random, then is uniformly random, given .
For fixed , we define ,
and we have .
Suppose that , then we have
and , there exist such that and
We conclude the proof of Theorem 5 by showing that is uniform and independent of when is uniform:
Returning to Game 2 and Game 3, we construct an efficient reduction as follows: it takes as input two pairs , and outputs
After that, we will take two indistinguishable inputs, and hence, by efficiency of , get two indistinguishable outputs.
First suppose that the inputs are drawn from ; i.e. and for independent ; and then are uniformly random and independent from and respectively (because is an isomorphism). Hence, the output of will be exactly as in Game 2. Now suppose that the inputs given to are uniformly random in and independent, then the outputs of are exactly as in Game 3. In fact, are uniform, and hence by Theorem 5, is uniformly random conditioned on .
To show that Game 3 and Game 1’ are indistinguishable, we modify Game 1 and Game 2 by choosing and outputting it instead of . In this case Game 1 becomes Game 1’. Let Game 2’ be the modified version of Game 2. By the same reasoning as above, we can prove that Game 1’ is computationally indistinguishable from Game 2’ and Game 3.
Following the steps in [7, Section 5], we can construct a passively secure encryption scheme based on our passively secure KEM, which yields an actively secure encryption scheme and an actively secure key transport protocol.
The work of C. Saliba and L. Luzzi is supported by the INEX Paris-Seine AAP 2017. The authors would like to thank J.-P. Tillich for helpful comments.
[Proof of Theorem 4]
In the following we refer to the functions ParBW, SeqBW and RMdec in Algorithms 1, 2 and 3 of Micciancio and Nicolosi’s paper .
We modify Algorithm 3 in  in the case as follows: if , then return .
It means that we choose the output vector based on the first bit of . Note that the decoder is still BDD with this modification.
-B Linearity of ParBW
In this subsection we will prove the following proposition:
Let and a target, where