Efficient Lattice-Based Cryptosystems with Key Dependent Message Security

Abstract

Key-dependent message (KDM) security is of great research significance, to better analyse and solve the potential security problems in complex application scenarios. Most of the current KDM security schemes are based on traditional hard mathematical problems, where the public key and ciphertext are not compact enough, and make the ciphertext size grow linearly with the degree of the challenge functions. To solve the above problems and the inefficient ciphertext operation, the authors propose a compact lattice-based cryptosystem with a variant of the RLWE problem, which applies an invertible technique to obtain the ${\mathrm{RLWE}}^{*}$ problem. It remains hard after the modification from the RLWE problem. Compared with the ACPS scheme, our scheme further expands the set of challenge functions based on the affine function of the secret key, and the size of public key and ciphertext is $\tilde{O}\left(n\right)$, which is independent of the challenge functions. In addition, this scheme enjoys a high level of efficiency, the cost of encryption and decryption is only $\mathrm{ploylog}\left(n\right)$ bit operations per message symbol, and we also prove that our scheme is KDM-CPA secure under the ${\mathrm{RLWE}}^{*}$ assumption.

1. Introduction

With the rise of cloud computing and cloud storage technology, some application scenarios also need to encrypt the secret key and its related information. In 1984, Goldwasser and Michali [1] first introduced the concept of key-dependent message security, which ensures the security of message $f\left(sk\right)$ directly calculated from the secret key $sk$. The KDM (Key-dependent message)-secure public key encryption scheme was originally applied to the hard disk encryption process, and the secret key and user’s data were encrypted together. Later, it has also been widely used in formal proof [2,3], homomorphic encryption [4] and some advanced cryptographic protocols [5].

At Eurocrypt 2001, Camenisch and Lysyanskaya [5] presented a circular-secure encryption scheme of provable security under the random oracle model, and the KDM attack capability of the adversary is defined by the set of challenge functions that can be queried. In 2002, Black, Rogaway and Shrimp-ton [6] considered such a situation, that is, in the application process of hard disk encryption, an adversary was allowed to obtain a ciphertext, which was encrypted by the secret key $\left\{s{k}_1,\dots , s{k}_{\ell }\right\}$ related function $f$ of the user $j$ under the public key $p{k}_j$. Compared with semantic security, the KDM security model has stronger security and a higher research value, which mainly depends on its efficiency and the set of challenge functions that can be queried. However, various KDM-secure public key encryption schemes are different in construction. Until 2008, Boneh et al. [7] proposed a public key encryption scheme based on the DDH (decisional Diffie–Hellman) assumption, and proved the KDM-CPA (Chosen Plaintext Attack) security of the scheme under the standard model. After that, Applebaum et al. [8] proposed the first lattice-based public key encryption scheme of KDM-CPA security, which was named the ACPS scheme. The security follows from the LWE (Learning with Error) assumption, because of its good linear structure, and has compact ciphertexts and a high level of computational efficiency. Similarly, the ACPS scheme has post-quantum security and its challenge functions are affine functions.

At Crypto 2010, Brakerski and Goldwasser et al. [9] extended the technique in [7] and proposed further construction of KDM-secure schemes, so that the security of the scheme could be based on more mathematically hard problems, mainly the QR (Quadratic Residuosity) problem [10] and the DCR (Decisional Composite Residuosity) problem [11]. The KDM security of this scheme can be attributed to the indecipherable (IND) security. However, the encryption method in [9] is similar to the circular security assumption which encrypts the message in bit. Therefore, the KDM-secure scheme constructed according to the above method has the disadvantages of not being compact as well as inefficient encryption and decryption. At Eurocrypt 2010, under the standard model and standard assumption, Barakerski et al. [12] constructed a KDM-CPA secure scheme based on the DDH or LWE assumption. For arbitrary but fixed polynomials $L$ and $N$, given the size of the secret key $k$, the adversary can attack at most $N\left(k\right)$ public keys and a circuit of size $L\left(k\right)$, namely, the set of challenge functions contains a Boolean circuit with polynomial size. Therefore, it is also known as a bounded KDM-secure scheme, which is inefficient and the ciphertext includes a garbled circuit of the same size as its set of challenge functions. In 2011, Brakerski, Goldwasser et al. [13] proposed a KDM-secure public key encryption scheme with respect to polynomial functions with a degree less than $d$, where $d$ is a constant. The KDM-CPA security follows from the DDH or LWE assumption. Since the construction of the scheme still follows the construction of [7], the ciphertext is not compact enough and the ciphertext size is an exponential function related to $d$. In the same year, Malkin et al. [14] proposed a public key encryption scheme based on the DCR assumption with KDM-CPA security. The ciphertext size is a linear function related to $d$, which improves the efficiency of the above scheme.

With an increase of application scenarios, the KDM-secure encryption scheme also has a significant role in identity authentication. Under the LWE assumption, Peikert et al. [15] proposed the first identity-based encryption scheme with KDM security, where the challenger can answer encryption queries with respect to affine functions. In 2019, Chen et al. [16] focused on the KDM security of an identity-based encryption scheme, proposing a generic way to reach it from public key encryption, so that it remained KDM secure. Most of the discussed schemes directly encrypt the secret key, but in practice, the set of challenge functions may be composed of the secret key in more complex forms. At Asiacrypt 2020, Kitagawa et al. [17] proved an encryption scheme with circular security that can be transformed into a KDM-secure encryption scheme, in which circular security is the most basic form of KDM security, that is, it can securely encrypt a secret key in bit. Therefore, the question of how to face more complex encryption scenarios, as well as constructing compact ciphertext, is worth intensive study.

Motivation. Through the above comparison, we can observe three urgent problems in KDM-secure public key encryption schemes: (1) how to securely encrypt the complex functions of the secret key (not only itself); (2) how to construct the public-key encryption scheme with compact ciphertexts, and independent of the challenge functions, and (3) The existing compact cryptosystems are all based on lattice problems. A question is raised of how to modify the LWE problem to improve the efficiency of encryption and decryption.

Our Results. In this paper, we analyse the KDM security of the public-key encryption scheme, and choose to use the RLWE (Ring-Learning with error) problem to build the compact cryptosystems. First, we apply the invertible technique [18] to obtain the ${\mathrm{RLWE}}^{*}$ problem, then provide a new version by scaling the noise, and proving that it remains hard after the above modification. After that, we give a useful transformation to obtain the ${\mathrm{RLWE}}^{*}$ assumption-Hermite normal form (HNF), namely, the secret chooses form error distribution. As it happens, through noise scaling, the secret key just fits into the message space $R_t$, so our scheme can securely encrypt the linear functions of its secret key. Therefore, we easily construct a compact public-key scheme, analyze its correctness, and prove its key-dependent message security under the ${\mathrm{RLWE}}^{*}$ assumption.

In particular, through the proof of KDM-CPA security, we observe that the ciphertexts are pseudorandom with encrypting the secret key directly. If we do not expand the message space by scaling the noise, then it is possible to construct a symmetric-key scheme for KDM security by directly encrypting the secret key to its linear functions. Therefore, we further improve the ${\mathrm{RLWE}}^{*}$ problem, propose its variant $k$-${\mathrm{RLWE}}^{*}$ problem, and demonstrate its hardness. For the message space $R_2$, given a small enough Hamming weight $h$ and making $\left(\begin{array}{c}n\\ h\end{array}\right)$ large enough, we can obtain a binary secret symmetric-key scheme with less ciphertext noise. Finally, we prove that our scheme is KDM-CPA secure under the special $k$-${\mathrm{RLWE}}^{*}$ assumption and the cost of encryption and decryption is only $\mathrm{ploylog}\left(n\right)$ bit operations per message symbol.

Organization. In Section 2, we describe some important lemmas and give the formal definition of KDM-secure cryptosystems. In Section 3, we first introduce the ${\mathrm{RLWE}}^{*}$ problem and a HNF (Hermite normal form) transformation, then construct a compact public-key scheme with KDM-CPA security. In Section 4, similarly to the previous section, the variant $k$-${\mathrm{RLWE}}^{*}$ problem and symmetric-key scheme are presented. In Section 5, we provide a detailed performance comparison. Finally, the conclusion is given in Section 6.

2. Preliminaries

2.1. Basic Notation

In this paper, we use the following notation and lemmas. We will use a ring $R$. In our concrete instantiations, we prefer to use either $R=\mathbb{Z}$ (the integers) or the polynomial ring $R=\mathbb{Z}\left[x\right]/\left(x^d+1\right)$, where $d$ is a power of 2. For integer $q$, we use $R_q$ to denote $R/qR$. Sometimes we will use abuse notation and use $R_2$ to denote the set of $R$-elements with binary coefficients, when $R=\mathbb{Z}$, $R_2$ may denote $\left\{0,1\right\}$, and when $R$ is a polynomial ring, $R_2$ may denote those polynomials that have $0/1$ coefficients. For $a\in R$, we use the notation ${\left[a\right]}_q$ to refer to $a$ mod $q$, with coefficients reduced into the range $\left(-q/2, q/2\right]$.

For the security parameter $\lambda$, denote a negligible function $\mathrm{negl}\left(\lambda \right)$. For some distribution $\chi$, writing $e\leftarrow \chi$ means that $e$ is distributed according to $\chi$, the error distribution $\chi$ is the discrete gaussian distribution $D_{{\mathbb{Z}}^n,\sigma }$ for some $\sigma >0$. The usual norm ${\ell }_1\left(s\right)$ over the reals equals ${\displaystyle \sum }_{i=1}^n\left|s_i\right|$. The ${\ell }_{\infty }\left(s\right)$ norm is defined as $\max \left\{\left|s_1\right|,\left|s_2\right|,\dots ,\left|s_n\right|\right\}$.

Lemma 1.

(see [19]). Let $n\in \mathbb{N}$. For any real number $\sigma =\omega \left(\sqrt{\log n}\right)$, we have

$$\underset{x\leftarrow D_{{\mathbb{Z}}^n,\sigma }}{\mathrm{Pr}}[\Vert x\Vert >\sigma \sqrt{n}]\le 2^{-n+1}.$$

(1)

Lemma 2.

(see [20]). Let $n\in \mathbb{N}$. For any real number $\sigma =\omega \left(\sqrt{\log n}\right)$,and any $c\in {\mathbb{Z}}^n$, the statistical distance between the distributions $D_{{\mathbb{Z}}^n,\sigma }$ and $D_{{\mathbb{Z}}^n,\sigma ,c}$ is at most $\Vert c\Vert /\sigma$.

Lemma 3.

(see [21]). Let $n\in \mathbb{N}$. $m=2n$, and let $f\left(x\right)={\Phi }_m\left(x\right)=x^n+1$ and let $R=\mathbb{Z}\left[x\right]/\left({\Phi }_m\left(x\right)\right)$. For any $s,t\in R$, $\Vert s\cdot t\left(mod {\Phi }_m\left(x\right)\right)\Vert \le \sqrt{n}\cdot \Vert s\Vert \cdot \Vert t\Vert$ and $\Vert s\cdot t{\left(mod {\Phi }_m\left(x\right)\right)\Vert }_{\infty }\le n\cdot {\Vert s\Vert }_{\infty }\cdot {\Vert t\Vert }_{\infty }$.

2.2. The RLWE Problem

This simple version of the RLWE problem comes from [22], and the LWE problem can choose the secret from the noise distribution by the transformation $T$.

Definition 1.

(RLWE). For security parameter $\lambda$, let f(x) = x^d + 1 where $d=d\left(\lambda \right)$ is a power of $2$. Let $q=q\left(\lambda \right) \ge 2$ be an integer. Let $R=\mathbb{Z}\left[x\right]/\left(f\left(x\right)\right)$ and let $R_q=R/qR$. Let $\chi =\chi \left(\lambda \right)$ be a distribution over $R$. The $RLW{E}_{d,q,\chi }$ problem is to distinguish the following two distributions: In the first distribution, one samples $\left(a_i,b_i\right)$ uniformly from $R_q^2$. In the second distribution, one first draws $s\leftarrow R_q$ uniformly and then samples $\left(a_i,b_i\right)\in R_q^2$ by sampling $a_i\leftarrow {ℝ}_q$ uniformly, $e_i\leftarrow \chi$ and setting $b_i=a_i·s+e_i$, let this distribution be $A_{s,\chi }$. The $RLW{E}_{d,q,\chi }$assumption is that the $RLW{E}_{d,q,\chi }$problem is infeasible.

Lemma 4.

(see [8]). Let $q=p^e$ be a prime power. There is a deterministic polynomial-time transformation $T$ that, for arbitrary $s\in {\mathbb{Z}}_q^n$ and error distribution $\chi$, maps $A_{s,\chi }$to $A_{\overline{x},\chi }$ where $\overline{x}\leftarrow {\chi }^n$, and maps $U\left({\mathbb{Z}}_q^n\times {\mathbb{Z}}_q\right)$ to itself. The transformation also produces an invertible square matrix $\overline{A} \in {\mathbb{Z}}_q^{n\times n}$ and $\overline{b} \in {\mathbb{Z}}_q^n$ that, when mapping $A_{s,\chi }$ to $A_{\overline{x},\chi }$ , satisfy $\overline{x}=-{\overline{A}}^{T}s+\overline{b}$.

Theorem 1.

(see [23]). Let $K$ be the $m$th cyclotomic number field having dimension $n=\phi \left(m\right)$ and $R={\mathcal{O}}_K$ be its ring of integers. Let $\alpha <\sqrt{\log n/n}$ , and let $q=q\left(n\right)\ge 2$, $q=1 mod m$ be a $poly\left(n\right)$ -bounded prime such that $\alpha q\ge \omega \left(\sqrt{\log n}\right)$. Then there is a polynomial-time quantum reduction from $\tilde{O}\left(\sqrt{n}/\alpha \right)$ -approximate SIVP (or SVP) on ideal lattices in $K$ to $R$ -${\mathrm{DLWE}}_{q,{{\rm Y}}_{\alpha }}$. Alternatively, for any $\ell >1$, we can replace the target problem by the problem of solving $R$-${\mathrm{DLWE}}_{q,D_{\xi }}$ given only $\ell$ samples, where $\xi =\alpha {\left(n\ell ∕\log \left(n\ell \right)\right)}^{1/4}$.

2.3. Key-Dependent Message Security

We now define key-dependent message security by a game played between the challenger and the adversary $\mathcal{A}$, and KDM security guarantees the direct encryption of the secret key $sk$ and its correlation function $f\left(sk\right)$. The KDM attack capability of the adversary $\mathcal{A}$ is mainly determined by the collection of secret key functions $ℱ$ that it can query, expressed as $ℱ\subset \left\{f|f:{\mathcal{K}}^{\ell }\to ℳ\right\}$, where $\mathcal{K}$ and $ℳ$ are the secret key space and message space of the encryption scheme. Given public keys $\left\{p{k}_1,\dots ,p{k}_{\ell }\right\}$ and encryption of the key-dependent message $f\left(s{k}_1,\dots ,s{k}_{\ell }\right)$, the adversary $\mathcal{A}$ cannot effectively distinguish it from the ciphertext that is encrypted by the message $\left\{0,1\right\}$, and so we can call the scheme KDM-CPA secure with respect to $ℱ$. $ℱ$ is a family of sets of functions parameterized by the security parameter $\lambda$ and the number of users $\ell$. The game proceeds as follows:

1. The challenger chooses a bit $\mu \leftarrow \left\{0,1\right\}$. Run the scheme’s key generation algorithm $\ell$ times. It gives $\left\{p{k}_1,\dots ,p{k}_{\ell }\right\}$ to the adversary $\mathcal{A}$.

2. Adversary $\mathcal{A}$ makes encryption queries of the form $\left(i,f\right)$, where $1<i<\ell$ and $f\in ℱ$. To process a query, the challenger computes $m\leftarrow f\left(s{k}_1,\dots ,s{k}_{\ell }\right)$, then computes the challenge ciphertexts and returns to the adversary $\mathcal{A}$.

$$c=\{\begin{array}{c}\hspace{1em}Enc\left(p{k}_i,m\right), \mu =0,\hfill \\ Enc\left(p{k}_i,0^{\left|m\right|}\right), otherwise.\end{array}$$

(2)

3. Adversary $\mathcal{A}$ attempts to guess $\mu$ and outputs ${\mu }^{\prime }\in \left\{0,1\right\}$.

The scheme is KDM-CPA secure if for every probabilistic polynomial-time adversary $\mathcal{A}$, the distinguishing advantage $Adv\left(\mathcal{A}\right)=\left|\mathrm{Pr}\left[\mu ={\mu }^{\prime }\right]-1/2\right|\le \mathrm{negl}\left(n\right)$. This shows that the scheme can securely encrypt any functions $ℱ$ of its own secret key, taking the place of a message.

The KDM-CPA security definition of the symmetric-key scheme is similar. In the first stage, the challenger generates the secret key without giving anything to the adversary $\mathcal{A}$. In the second stage, it uses the secret key for encryption (and uses it as the input of $f\left(sk\right)$). Everything else is just the same.

3. Compact Public-Key Cryptosystem with KDM Security

In this section, we will describe the construction of a public-key scheme based on the variant of the RLWE problem. At first, we introduce the ${\mathrm{RLWE}}^{*}$ problem by applying the invertible technique, and then give the new version by scaling the noise. After that, to ensure that the secret chooses form error distribution, a useful transformation is given to obtain the ${\mathrm{RLWE}}^{*}$ assumption-Hermite normal form. Finally, we construct a compact public-key scheme, analyze its correctness, and prove its key-dependent message security.

3.1. The Invertible Version of RLWE Problem

According to [18], authors presented a variant of RLWE problem, defined as the ${\mathrm{RLWE}}^{*}$ problem. It is similar to the RLWE problem except that $a$ chooses from $R_q^{*}$, in which $R_q^{*}$ is the ser of invertible elements of $R_q$. Therefore, we call ${\mathrm{RLWE}}^{*}$ the invertible variant.

${\mathrm{RLWE}}^{*}$ problem. For $s\in R_q$ and error distribution $\chi$, we define $A_{s,\chi }^{*}$ as the distribution obtained by sampling the pair $\left(a, as+e\right)\in R_q^{*}\times R_q$, where $R_q^{*}$ denote the set of invertible elements of $R_q$. The Decision ${\mathrm{RLWE}}^{*}$ problem is to distinguish between $A_{s,\chi }^{*}$ and $U\left(R_q^{*}\times R_q\right)$. Please note that for $R_q^{*}$, [23] claim that for any $q\ge 2$, the fraction of invertible elements in $R_q$ is at least $1/\mathrm{poly}\left(n,\log q\right)$. Moreover, ref. [18] further shows that as long as $q=\Omega \left(n\right)$, an element choosing from $U\left(R_q\right)$ is invertible with overwhelming probability. Hence, the RLWE problem remains hard even when applying the invertible technique.

Scaling the noise. This technique was first formally proposed in [24] and generated the ${\mathrm{RLWE}}^{*}$ samples as $\left(a, a\cdot s+t\cdot e\right)$; security is not affected when $t\in {\mathbb{Z}}_q^{*}$ and $q$ are relatively prime, and other parameters are as above.

Definition 2. (Decision ${\mathrm{RLWE}}^{*}$). The average-case decision version of the ${\mathrm{RLWE}}^{*}$ problem, denoted ${\mathrm{RLWE}}_{q,\chi }^{*}$, is to distinguish the following two distributions with non-negligible advantage: In the first distribution, one samples $\left(a_i,b_i\right)$ uniformly from $R_q^2$. In the second distribution, one first draws $s\leftarrow R_q$ uniformly and then samples $\left(a,b=a\cdot s+t\cdot e\right)\in R_q^2$ by sampling $a\leftarrow R_q^{*}$ uniformly, where $R_q^{*}$ denote the set of invertible elements of $R_q$, $e\leftarrow \chi$ and $t\in {\mathbb{Z}}_q^{*}$.

3.2. A Generic Transformation

In this section, we make a useful transformation to sampling $s\leftarrow \chi$. There is no loss of security, and it is ensured that the secret can be placed in the message space. The transformation lemma follows.

Lemma 5.

For modulus$q$, arbitrary$s\in R_q$and the error distribution$\chi$, there is a deterministic polynomial-time transformation$T$, which maps$A_{s,\chi }^{*}$to$A_{\varphi ,\chi }^{*}$where$\varphi \leftarrow \chi$, and maps$U\left(R_q^{*}\times R_q\right)$to itself.

Proof. 

The transformation $T$ to access the distribution $D$ over $R_q^{*}\times R_q$, possibly $A_{s,\chi }^{*}$ or $U\left(R_q^{*}\times R_q\right)$. Then, we prove it in two steps.

The first step. Transformation $T$ generates the sample $\left(\overline{a},\overline{b}\right)\in R_q^{*}\times R_q$ by drawing from the distribution $D$. When $D=A_{s,\chi }^{*}$, we have $\overline{b}=\overline{a}\cdot s+t\cdot \overline{x}$, where $\overline{x}\leftarrow \chi$.

The second step. To transform samples from $D$ into samples from a different distribution, the sample $\left(a,b\right)\in R_q^{*}\times R_q$ from $D$ will be transformed into $\left(a^{\prime },b^{\prime }\right)\in R_q^{*}\times R_q$, where $a^{\prime }=-{\overline{a}}^{-1}\cdot a$, $b^{\prime }=b+a^{\prime }\cdot \overline{b}$.

Especially $a^{\prime }\in R_q^{*}$ is uniform due to $\overline{a}\leftarrow R_q^{*}$ being invertible modulo $q$ and $a$ chooses from $U\left(R_q^{*}\right)$. If $D=U\left(R_q^{*}\times R_q\right)$, then $\left(a^{\prime },b^{\prime }\right)$ is also subject to $U\left(R_q^{*}\times R_q\right)$. If D $=b{A}_{s,\chi }^{*}$, then $b=a\cdot s+t\cdot e$, so we have

$$b^{\prime }=b+a^{\prime }\cdot \overline{b}=a\cdot s+t\cdot e+a^{\prime }\cdot \left(\overline{a}\cdot s+t\cdot \overline{x}\right)=a^{\prime }\cdot \left(t\cdot \overline{x}\right)+t\cdot e,$$

(3)

where $\varphi =t\cdot \overline{x}$, therefore, $\left(a^{\prime },b^{\prime }\right)$ is subject to $b{A}_{\varphi ,\chi }^{*}$, as desired. □

Definition 3.

(The ${\mathrm{RLWE}}^{*}$ assumption-Hermite normal form). As in the previous definition, for all security parameters $\lambda \in \mathbb{N}$, the ${\mathrm{RLWE}}^{*}$ assumption suggests that, for any $\ell =\mathrm{poly}\left(\lambda \right)$, we have

$${\left\{\left(a_i,a_i\cdot s+t\cdot e_i\right)\right\}}_{i\in [\ell ]}\approx {\left\{\left(a_i,u_i\right)\right\}}_{i\in [\ell ]},$$

(4)

in which $s$ is sampled from the noise distribution $\chi$, and other parameters remain unchanged.

3.3. Basic $RLW{E}^{*}$-Based Encryption Scheme

For security parameter $\lambda$, let $q=1 \mathrm{mod} 2n$ and $t\in {\mathbb{Z}}_q^{*}$ relatively prime, in which $\left\{1,\dots ,q-1\right\}\supseteq {\mathbb{Z}}_q^{*}$. Let $\chi =D_{{\mathbb{Z}}^n,\sigma }$ be an error distribution with $\sigma \ge \omega \left(\sqrt{\log n}\right)$ and $\sigma \ll t$; we sampled $s$ from error distribution $\chi$, so all $s\in R_t$ with overwhelming probability when the secret chooses from error distribution. Let $R=\mathbb{Z}\left[x\right]/\left(f\left(x\right)\right)$, $R_q={\mathbb{Z}}_q\left[x\right]/\left(f\left(x\right)\right)$ where $f\left(x\right)=x^n+1$ and $n=n\left(\lambda \right)$ is a power of 2.

• $RPKE1.KeyGen\left(1^{\lambda }\right)$: Sample $s\leftarrow \chi$. Output $sk=s$. Sample $a\leftarrow R_q^{*}$ uniformly, $e\leftarrow \chi$ and set $b=a\cdot s+t\cdot e$, where $t\in {\mathbb{Z}}_q^{*}$ and $R_q^{*}$ denote the set of invertible elements of $R_q$. Output the public key $pk=\left(a,b\right)\in R_q^{*}\times R_q$.
• $RPKE1.Enc\left(pk,m\right)$: Notice that $m\in R_t$, due to the lemma by the noise scaling. Sample $r,e_1,e_2\leftarrow \chi$. Compute $c_1=a\cdot r+t\cdot e_1$, $c_2=b\cdot r+t\cdot e_2+m$, output the ciphertext $c=\left(c_1,c_2\right)\in R_q\times R_q$.
• $RPKE1.Dec\left(sk,c\right)$: Input the corresponding secret key and ciphertext, then output $m=(c_2-c_1·s) \mathrm{mod} q \mathrm{mod} t$.

The correctness of the scheme is obvious, compute $(c_2-c_1·s)=m+t{e}_2-t{e}_{1}s+ter$, according to the Lemma 3, we have

$$\begin{gathered} \Vert t{e}_2-t{e}_{1}s+ter\Vert { }_{\infty }=t\cdot \Vert e_2\Vert {}_{\infty }+t\cdot \Vert e_{1}s\Vert { }_{\infty }+t\cdot \Vert er\Vert { }_{\infty } \\ =t\cdot \sigma \sqrt{n}+2t\cdot n{\left(\sigma \sqrt{n}\right)}^2<q/2 \end{gathered}$$

(5)

if q $>t\cdot \mathrm{poly}\left(n\right)\cdot {\sigma }^2$, where $t=\sigma \sqrt{n}$, the ciphertext can be decrypted correctly.

The KDM-CPA security follows from the ${\mathrm{RLWE}}^{*}$ assumption by noting the pseudorandom distribution $A_{s,\chi }^{*}$. Observe that $f\left(sk\right)=k\cdot s+t\cdot w \in R_t$, where $k,s,w$ all choose from error distribution. The ciphertext is indistinguishable from uniform even if $m$ is replaced with any linear function of the scheme’s own secret key.

Theorem 2.

Let$k\leftarrow D_{{\mathbb{Z}}^n,\sigma }$and$w\leftarrow D_{{\mathbb{Z}}^n,{\sigma }^{\prime }}$, where${\sigma }^{\prime }\ge 2^{\omega \left(\log n\right)}\cdot {\sigma }^2$,$\sigma =\omega \left(\sqrt{\log n}\right)$. Under the${\mathrm{RLWE}}^{*}$assumption, the above cryptosystem RPKE1 about$f\left(sk\right)=k\cdot s+t\cdot w$satisfies KDM-CPA security.

Proof. 

For any probabilistic polynomial-time adversary $\mathcal{A}$, we use a three-step hybrid game to prove that the ciphertext with key-dependent message $f\left(sk\right)$ in the RPKE1 scheme is computationally indistinguishable from one that carries no information on the message. Therefore, the distinguishing advantage of the adversary $\mathcal{A}$ is negligible.

Game${\mathit{H}}_0$: Let $pk=\left(a,b\right)\leftarrow RPK1.KeyGen\left(1^{\lambda }\right)$, the remaining parameters are as above, and Hybrid game ${\mathit{H}}_0$ is mainly used to generate the challenge ciphertexts.

$$c=\{\begin{array}{c}\left(c_1=a\cdot r+t\cdot e_1, c_2=b\cdot r+t\cdot e_2+k\cdot s+t\cdot w\right), \mu =0\\ \left(c_1=a\cdot r+t\cdot e_1, c_2=b\cdot r+t\cdot e_2+0 \right), \mu =1\end{array}$$

(6)

Game${\mathit{H}}_1:$ Similar to the hybrid game ${\mathit{H}}_0$, hybrid game ${\mathit{H}}_1$ generates the challenge ciphertexts related to $f\left(sk\right)$ in different ways.

$$c=\{\begin{array}{c}\left(c_1^{*}=a^{\prime },c_2^{*}=a^{\prime }\cdot s+t\cdot w\right), \mu =0\\ \left(c_1=a\cdot r+t\cdot e_1, c_2=b\cdot r+t\cdot e_2\right), \mu =1\end{array}$$

(7)

where $a^{\prime }=a\cdot r+k$, $k\leftarrow \chi$ and $w\leftarrow D_{{\mathbb{Z}}^n,{\sigma }^{\prime }}.$ Observe that $c_1=a\cdot r+t\cdot e_1$, $r$ and $e_1$ choose from the error distribution $\chi$, just like the ciphertext $c_1^{*}=a\cdot r+k$ without scaling the noise, hence $c_1^{*}$ is indistinguishable from $c^{\prime }$. In addition, observe $c_2=b\cdot r+t\cdot e_2+k\cdot s+t\cdot w$, compute

$$c_2=\left(a\cdot s+t\cdot e\right)\cdot r+t\cdot e_2+k\cdot s+t\cdot w=\left(a\cdot r+k\right)\cdot s+t\cdot \left(w+e_2+er\right)$$

(8)

define $a^{\prime }=a\cdot r+k$, then $c_2=a^{\prime }\cdot s+t\cdot \left(w+e_2+er\right)$. By Lemma 1 and Lemma 2, we have

$$\Vert e_2+er\Vert \le \Vert e_2\Vert +\sqrt{n}\cdot \Vert e\Vert \cdot \Vert r\Vert \le \sigma \sqrt{n}+\sqrt{n}\cdot {\left(\sigma \sqrt{n}\right)}^2=n^{0.5}\cdot \sigma +n^{1.5}\cdot {\sigma }^2$$

(9)

Let $\mathsf{\Delta }=n^{0.5}\cdot \sigma +n^{1.5}\cdot {\sigma }^2$, ${\sigma }^{\prime }\ge 2^{\omega \left(\log n\right)}\cdot {\sigma }^2$, compute $\frac{\mathsf{\Delta }}{{\sigma }^{\prime }}\le \frac{n^{0.5}\cdot \sigma +n^{1.5}\cdot {\sigma }^2}{2^{\omega \left(\log n\right)}\cdot {\sigma }^2}=2^{-\omega \left(\log n\right)}.$ By Lemma 3, $D_{{\mathbb{Z}}^n,{\sigma }^{\prime }}$ is statistically indistinguishable from $D_{{\mathbb{Z}}^n,{\sigma }^{\prime },\mathsf{\Delta }}$, it holds that $c_2\approx a^{\prime }\cdot s+t\cdot w$, and therefore, the challenge ciphertext $c_2^{*}=a^{\prime }\cdot s+t\cdot w$ is indistinguishable from $c_2$. To sum up, the distinguishing advantage between the ${\mathit{H}}_1$ and ${\mathit{H}}_0$ is negligible, namely

$$\left|adv\left(\mathcal{A},{\mathit{H}}_0\right)-adv\left(\mathcal{A},{\mathit{H}}_1\right)\right|\le \mathrm{negl}\left(n\right).$$

(10)

Game${\mathit{H}}_2$: Hybrid game ${\mathit{H}}_2$ generates the challenge ciphertext from $U\left(R_q\times R_q\right)$ when $\mu =0$. Everything else is exactly the same.

$$c=\{\begin{array}{c}\left(c_1^{*}=u_1,c_2^{*}=u_2\right), \mu =0\\ \left(c_1=a\cdot r+t\cdot e_1, c_2=b\cdot r+t\cdot e_2\right), \mu =1\end{array}$$

(11)

where $u_i \left(i=1,2\right)$ chooses from $U\left(R_q\right)$. Observe the hybrid game ${\mathit{H}}_1$, $a^{\prime }=a\cdot r+k$ is indistinguishable from uniform, $\left(c_1^{*}=a^{\prime },c_2^{*}=a^{\prime }\cdot s+t\cdot w\right)\in R_q\times R_q$ just happens to be an instance of the RLWE problem. Therefore, $\left(c_1^{*},c_2^{*}\right)$ is pseudorandom, and then

$$\left|adv\left(\mathcal{A},{\mathit{H}}_1\right)-adv\left(\mathcal{A},{\mathit{H}}_2\right)\right|\le \mathrm{negl}\left(n\right).$$

(12)

Since the challenge ciphertext $\left(u_1,u_2\right)\in U\left(R_q\times R_q\right)$, thus we have

$$adv\left(\mathcal{A},{\mathit{H}}_2\right)=\mathrm{negl}\left(n\right).$$

(13)

Finally, we conclude that

$$\begin{gathered} adv\left(\mathcal{A},{\mathit{H}}_0\right)=\left(adv\left(\mathcal{A},{\mathit{H}}_0\right)-adv\left(\mathcal{A},{\mathit{H}}_1\right)\right)+adv\left(\mathcal{A},{\mathit{H}}_1\right) \\ \le \left|adv\left(\mathcal{A},{\mathit{H}}_0\right)-adv\left(\mathcal{A},{\mathit{H}}_1\right)\right|+adv\left(\mathcal{A},{\mathit{H}}_1\right) \\ \le \left|adv\left(\mathcal{A},{\mathit{H}}_0\right)-adv\left(\mathcal{A},{\mathit{H}}_1\right)\right|+\left|adv\left(\mathcal{A},{\mathit{H}}_1\right)-adv\left(\mathcal{A},{\mathit{H}}_2\right)\right| \\ +adv\left(\mathcal{A},{\mathit{H}}_2\right)=\mathrm{negl}\left(n\right). \end{gathered}$$

(14)

This proves the KDM-CPA security of the RPKE1 scheme. □

4. Efficient Symmetric-Key Encryption Scheme

The above public-key scheme expands the message space due to the noise scaling, resulting in low efficiency. In this section, we will introduce a KDM secure symmetric-key scheme without scaling the noise. For the symmetric-key scheme, we can generate the following ciphertext $\left(c_1=a, c_2=b+m\right)$ by the ${\mathrm{RLWE}}^{*}$ problem, where $b=a\cdot s+e$. If secret key $s$ replaces message $m$, consider the ciphertext $\left(c_1=a, c_2=b+s\right)$, we will have that $c=\left(a, \left(a+1\right)\cdot s+e\right)$. If we define $a^{\prime }=a+1$, then $\left(a^{\prime }, a^{\prime }\cdot s+e\right)$ is an instance of the RLWE problem, so the challenge ciphertext $\left(c_1=a^{\prime }, c_2=a^{\prime }\cdot s+e\right)$ is pseudorandom, and it is easy to prove the KDM security. By way of the above, we can easily extend to any linear function about $s$, just like $f\left(sk\right)=k\cdot s+w$, where $k\in R_q$ and $w\leftarrow \chi$. Then, we will obtain a challenge ciphertext $\left(a,\left(a+k\right)+w+e\right)$, therefore, for the sake of convenience, we might wish to define the following problem.

4.1. The Variant of $RLW{E}^{*}$ Problem

Definition 4.

($k$-${\mathrm{RLWE}}^{*}$). As in the previous Definition 2, the $k$-${\mathrm{RLWE}}^{*}$ problem is to distinguish the following two distributions with non-negligible advantage: In the first distribution, one samples $\left(a,b\right)$ uniformly from $R_q\times R_q$. In the second distribution, one samples $\left(a,b\right)\in R_q^{*}\times R_q$ by sampling $a,k\leftarrow R_q^{*}$ uniformly, where $s\in R_q$, $e\leftarrow \chi$ and setting $b=\left(a+k\right)\cdot s+e$, let this distribution be $b{A}_{s,\chi }^{*}$.

Observe that the $k$-${\mathrm{RLWE}}^{*}$ problem, when $k=0$, is a complete ${\mathrm{RLWE}}^{*}$ problem. If $k\ne 0\in R_q$,we give a probability polynomial-time reduction to prove that the $k$-${\mathrm{RLWE}}^{*}$ problem remains hard, even when $A_{s,\chi }^{*}$ is respectively replaced by $b{A}_{s,\chi }^{*}$.

Lemma 6.

For any$n\ge 1$,$q\ge 2$, and error distribution$\chi$, there is a probability polynomial-time reduction from${\mathrm{RLWE}}^{*}$to the$k$-${\mathrm{RLWE}}^{*}$that reduces the advantage by at most$2^{-n}$.

Proof. 

Given a sample $\left(a_0,b_0\right)\in R_q^{*}\times R_q$ and a sample $\left(k,b_1\right)\in R_q^{*}\times R_q$ from the given ${\mathrm{RLWE}}^{*}$ oracle, the reduction outputs a new instance $\left(a^{\prime }=a_0,b^{\prime }=b_0+b_1\right)\in R_q^{*}\times R_q$.

If samples $\left(a_0,b_0\right)$ and $\left(k,b_1\right)$ are chosen from $U\left(R_q^{*}\times R_q\right)$, then $b_0$ and $b_1$ are uniform in $R_q$, and $b_1$ is pseudorandom by RLWE problem, the reduction outputs a uniform sample $\left(a^{\prime }=a_0,b^{\prime }=b+b_1\right)\in R_q^{*}\times R_q$, up to statistical distance $2^{-n}$.

If sample $\left(a_0,b_0\right)$ is chosen from $U\left(R_q^{*}\times R_q\right)$ and the distribution of $\left(k,b_1\right)$ is $A_{s,\chi }^{*}$, then $b_0$ is uniform in $R_q$, and $b_1=k\cdot s+e_1$ is pseudorandom, the reduction outputs a uniform sample $\left(a^{\prime }=a_0,b^{\prime }=b+b_1\right)\in R_q^{*}\times R_q$, up to statistical distance $2^{-n}$. In addition, a sample $\left(a_0,b_0\right)$ from $A_{s,\chi }^{*}$ and a sample $\left(k,b_1\right)$ from $U\left(R_q^{*}\times R_q\right)$ are the same as above.

On the other hand, if given samples $\left(a_0,b_0\right)$ and $\left(k,b_1\right)$ from the distribution $A_{s,\chi }^{*}$, the equation $b^{\prime }=b_0+b_1=a_0\cdot s+e_0+k\cdot s+e_1=\left(a_0+k\right)\cdot s+\left(e_0+e_1\right)$. Let $e^{\prime }=e_0+e_1$, we notice that $\left(a^{\prime },b^{\prime }\right)\in R_q^{*}\times R_q$ is exactly a k-${\mathrm{RLWE}}^{*}$ instance, the reduction outputs a sample $\left(a^{\prime }=a_0,b^{\prime }=\left(a+k\right)\cdot s+e^{\prime }\right)\in R_q^{*}\times R_q$ from $b{A}_{s,\chi }^{*}$, up to statistical distance $2^{-n}$.

To sum up, if the ${\mathrm{RLWE}}^{*}$ problem is infeasible, then the $k$-${\mathrm{RLWE}}^{*}$ problem is also infeasible—namely, $b{A}_{s,\chi }^{*}$ is indistinguishable from uniform, as desired. □

After that, we also give the Hermite normal form of the $k$-${\mathrm{RLWE}}^{*}$ problem, this modification makes the secret short and useful in the following symmetric-key scheme.

Lemma 7.

For modulus$q$, arbitrary$s\in R_q$and the error distribution$\chi$, there is a deterministic polynomial-time transformation$T$, which maps$b{A}_{s,\chi }^{*}$to$b{A}_{\varphi ,\chi }^{*}$where$\varphi \leftarrow \chi$, and maps$U\left(R_q^{*}\times R_q\right)$to itself.

The proof will be showed in Appendix A.

Definition 5.

(The $k$-${\mathrm{RLWE}}^{*}$ assumption-Hermite normal form). As in the previous definition 4, for any $\ell =\mathrm{poly}\left(\lambda \right)$, the $k$-${\mathrm{RLWE}}^{*}$ assumptionholds that,

$${\left\{\left(a_i,\left(a_i+1\right)\cdot s+e_i\right)\right\}}_{i\in [\ell ]}\approx {\left\{\left(a_i,u_i\right)\right\}}_{i\in [\ell ]},$$

(15)

where sampling $s\leftarrow \chi$, other parameters remain unchanged.

4.2. Symmetric-Key Scheme with KDM Security

As in the previous section, given the security parameter $\lambda$, let $q=q\left(\lambda \right) \ge 2$, and an error distribution $\chi =\chi \left(\lambda \right)$. Let $R=\mathbb{Z}\left[x\right]/\left(f\left(x\right)\right)$, $R_q={\mathbb{Z}}_q\left[x\right]/\left(f\left(x\right)\right)$ where $f\left(x\right)=x^n+1$ and $n=n\left(\lambda \right)$ is a power of 2. We demonstrate a symmetric-key scheme based on the $k$-${\mathrm{RLWE}}^{*}$ problem. In order to reduce the norm of ciphertext noise, [25] uses a binary secret $s\in R_2$, which shows that the scheme is secure under this optimization, as long as the Hamming weight $h$ is small enough and $\left(\begin{array}{c}n\\ h\end{array}\right)$ is large enough. In the final results, they construct a somewhat homomorphic encryption scheme by setting $t=2$, $h=63$ and $f\left(x\right)=x^n+1$, where $m\in R_t$. Therefore, as a symmetric-key scheme, the security is not affected when the results for the RLWE setting continue to the $k$-${\mathrm{RLWE}}^{*}$ setting.

• $RSKE2.KeyGen\left(1^{\lambda }\right)$: Sample $s\leftarrow R_2$. Output $sk=s$ as the secret key.
• $RSKE2.Enc\left(sk,m\right)$: To encrypt a message $m\in R_2$, sample uniformly, $e\leftarrow \chi$ and set $b=\left(a+1\right)\cdot s+2e$. Output the ciphertext $c=\left(c_1=a+1,c_2=b+m\right)\in R_q\times R_q$.
• $RSKE2.Dec\left(sk,c\right)$: Compute $c_2-c_1·s$, then output $m=\left(c_2-c_1·s\right)\mathrm{mod} q \mathrm{mod} 2$.

According to the encryption algorithm, $c_2-c_1·s=m+2e$, compared with the previous public-key encryption scheme, the ciphertext noise is small, that is $\Vert 2e_{\infty }\Vert <q/2$, namely $q>4\sigma \sqrt{n}$, then the ciphertext can be decrypted correctly.

The KDM-CPA security is similar to that of Section 3.3, except that there is no public key. Although the message space is reduced to $R_2$, there still exists a linear function $f\left(sk\right)=k\cdot s+2w\in R_2$ to realize KDM security.

Theorem 3.

Sample$k\leftarrow R_q$uniformly and$w\leftarrow D_{{\mathbb{Z}}^n,\sigma }$, where$\sigma \ge \omega \left(\sqrt{\log n}\right)$. There exists a linear function$f\left(sk\right)=k\cdot s+2w\in R_2$that makes the RSKE2 scheme satisfy KDM-CPA security, assuming that$k$-${\mathrm{RLWE}}^{*}$is hard.

Proof. 

The proof of Theorem 2 is similar to RPK1. Therefore, this section gives a brief narrative. First, by $f\left(sk\right)$ replacing $m$, we generate the challenge ciphertext $c=\left(c_1=a+1,c_2=\left(a+1\right)\cdot s+2e+k\cdot s+2w\right)$, where $k\stackrel{U}{\leftarrow }{R}_q$ and $w\leftarrow D_{{\mathbb{Z}}^n,\sigma }$. Observe that $c_2=\left(a+1+k\right)\cdot s+2\left(e+w\right)$, defining $a^{\prime }=a+1$ and $e^{\prime }=w+e$, then we have the challenge ciphertext $c=\left(a^{\prime },(a^{’}+k\right)\cdot s+2e^{\prime },)$, which is exactly an instance of the $k$-${\mathrm{RLWE}}^{*}$ problem. It means that the challenge ciphertext $c$ is pseudorandom, namely the adversary $\mathcal{A}$ cannot distinguish it from the ciphertext that is encrypted by the message $0$. Therefore, the above RSK2 scheme is KDM-CPA under the $k$-${\mathrm{RLWE}}^{*}$ problem. □

5. Performance

In this section, we give a detailed performance comparison between our RPKE1 scheme, RSKE2 scheme and the ACPS scheme [8]. For the same security parameter $\lambda$, through the analysis of the ACPS scheme, it is easy to see the difference between the lattice problems on which these schemes are based. Firstly, our scheme has replaced LWE through RLWE, which improves its application efficiency. Secondly, about the noise distribution, in order to obtain the appropriate key-dependent ciphertexts, the ACPS scheme introduces the noise flooding technique (namely, $e\leftarrow {\Psi }_{{\sigma }^{\prime }}$), which leads to the growth of the modulo $q$ and the decline of efficiency. Due to the problem of quantum reduction of the LWE problem, the standard deviation of the additional noise distribution is ${\sigma }^{\prime }\approx n^{-1}\cdot {\sigma }^{-4}$, where $\sigma =\omega \left(\sqrt{\log n}\right)$, and $m=O\left(n\log n\right)\le n\log n\approx n\cdot {\sigma }^2$, $p=\tilde{O}\left(\sqrt{mn}\right)\approx n\cdot {\sigma }^3$, $q=p^2\approx n^2\cdot {\sigma }^6=\mathrm{ploy}\left(n\right)\cdot {\sigma }^6$. As shown in

Table 1. Parameter setting of ACPS and our schemes.

Schemes	$\mathbf{\sigma }$	${\mathbf{\sigma }}^{\mathbf{\prime }}$	Message Space	$\mathrm{Modulo}q$	$\mathrm{Challenge}ℱ$
ACPS	$\omega \left(\sqrt{\log n}\right)$	$n^{-1}\cdot {\sigma }^{-4}$	${\mathbb{Z}}_p, p=n\cdot {\sigma }^3$	$\mathrm{ploy}\left(n\right)\cdot {\sigma }^6$	affine functions
RPKE1	$\omega \left(\sqrt{\log n}\right)$	$/$	$R_t,t=\sqrt{n}\cdot \sigma$	$\mathrm{ploy}\left(n\right)\cdot {\sigma }^3$	linear functions
RSKE2	$\omega \left(\sqrt{\log n}\right)$	$/$	$R_2,t=2$	$\sqrt{n}\cdot \sigma$	linear functions

, we have the same standard deviation $\sigma =\omega \left(\sqrt{\log n}\right)$, but no extra noise distribution ${\Psi }_{{\sigma }^{\prime }}$ in the ciphertext generation. The $w\leftarrow D_{{\mathbb{Z}}^n,{\sigma }^{\prime }}$ in the hybrid game is irrelevant, because this does not affect the efficiency of the scheme at all. In addition, we also greatly reduce the message space $R_t$ and the modulo size $q=t\cdot \mathrm{ploy}\left(n\right)\cdot {\sigma }^2$, where $t=\sigma \sqrt{n}$. Note the last line, adding the symmetry scheme; ACPS also gave a symmetric-key cryptosystem similar to it. Although different in types, as a variant of RPKE1 it also highlights its advantages.

Finally, we estimate the concrete parameters for our scheme. Compared with ACPS, we have greatly improved its efficiency; the cost of encryption and decryption is only $\mathrm{polylog}\left(n\right)$ bit operations per message symbol. By these parameters including modulus $q$, degree $n$ and error distribution $\chi =D_{{\mathbb{Z}}^n,\sigma }$, we can obtain concrete secret key size, public key and ciphertext size. For example, the public key size of the ACPS scheme is $m\cdot n\cdot \log q\approx n^2\cdot {\log }^{2}n=\tilde{O}\left(n^2\right)$, the ciphertext size is $n\cdot \log q=\tilde{O}\left(n\right)$ and the secret key for ACPS and RPKE1 are $\sigma \cdot \sqrt{n}$ (both $s\leftarrow \chi$). Performance comparison of ACPS and our scheme are listed in

Table 2. Performance comparison of ACPS and our schemes.

Schemes	$pk$	$sk$	Ciphertext	$Enc/Dec$	KDM Security
ACPS	$\tilde{O}\left(n^2\right)$	$\sigma \cdot \sqrt{n}$	$\tilde{O}\left(n\right)$	$n\cdot \mathrm{polylog}\left(n\right)$	Yes
RPKE1	$\tilde{O}\left(n\right)$	$\sigma \cdot \sqrt{n}$	$\tilde{O}\left(n\right)$	$\mathrm{polylog}\left(n\right)$	Yes
RSKE2	$/$	$1$	$\tilde{O}\left(n\right)$	$\mathrm{polylog}\left(n\right)$	Yes

. All sizes are in bits.

There are many encryption schemes for KDM security, not only ACPS, but also many schemes based on traditional mathematical problems. However, in terms of computational efficiency, the lattice-based cryptosystems are still safer and more efficient. Additionally, the ciphertext operations mainly consist of encryption and decryption, but other schemes do not have compact ciphertexts. Hence, from the usability perspective, our schemes are superior to previous schemes.

6. Conclusions

In this paper, we introduce lattice-based cryptosystems with strong security properties to solve the problem that the ACPS scheme is inefficient when sampling from discrete gaussian distribution with sufficiently large standard deviation and generating extra “malformed” distributions. The public-key and symmetric-key cryptosystems provide security for key-dependent messages. Compared with the previous scheme, our scheme is compact and has a stable set of challenge functions. Both the size of public key and ciphertext are $\tilde{O}\left(n\right)$, and the cost of encryption and decryption is only $\mathrm{ploylog}\left(n\right)$ bit operations per message symbol. Therefore, our scheme satisfies KDM-CPA security under the ${\mathrm{RLWE}}^{*}$ assumption, and carries the advantages of having simple operation, parallelization and improved asymptotic efficiency.

However, there are still some problems to be explored and improved in this scheme, such as using an additional noise distribution in the hybrid game, and future work is still required to construct a fully homomorphic encryption scheme with circular security.