1 Introduction

In cryptography and learning theory, the Learning Parity with Noise (LPN) problem is by now a well-studied problem. Its two versions have been shown to be polynomially equivalent [10]. The decisional version with parameters \( n\in {\mathbb {N}} \), \( m=\mathsf {poly}(n) \) and noise rate \( 0<\mu <1/2 \) postulates that \( ({\mathbf {A}},\langle \mathbf {A,s}\rangle +{\mathbf {e}}) \) is pseudorandom given \( {\mathbf {A}} \) (i.e., computationally indistinguishable from uniform randomness), where \( {\mathbf {A}}\in \{0,1\}^{m\times n}\) and \({\mathbf {s}}\in \{0,1\}^{n} \) are chosen uniformly at random, \( {\mathbf {e}}\in \{0,1\}^{m} \) is distributed according to \( {\mathcal {B}}_{\mu }^{m} \) (i.e., the concatenation of m independent copies of the Bernoulli distribution \( {\mathcal {B}}_{\mu } \) with \( \mathrm {Pr}[{\mathcal {B}}_{\mu }=1]=\mu \)), \( \langle \cdot ,\cdot \rangle \) denotes the inner product of two vectors and ‘\( +\)’ denotes the XOR operation. The computational version assumes that it is computationally infeasible to recover the random secret \( {\mathbf {s}}\in \{0,1\}^{n} \) from these noisy linear samples.

LPN Hardness. The computational LPN problem can be seen as the average-case analogue of the NP-complete problem of decoding random linear codes [2], which makes LPN a promising candidate for post-quantum cryptography. Furthermore, the simplicity of LPN makes it more suitable for low-power devices (e.g., RFID tags) than other post-quantum candidates such as LWE [17]. The best known algorithms for solving the constant-noise LPN problem (noise rate \( 0<\mu <1/2 \) a constant) require \( 2^{O(n/\log n)} \) time and samples [4, 12]. When only polynomially many \( \mathsf {poly}(n) \) samples are given, the time complexity goes up to \( 2^{O(n/\log \log n)} \) [13], and even to \( 2^{O(n)} \) when only linearly many O(n) samples are given [14, 19]. In the low-noise regime, i.e., noise rate \( \mu =O(n^{-c}) \) (typically \( c=1/2 \)), the best LPN solvers need \( 2^{O(n^{1-c})} \) time when given O(n) samples [3, 19].

1.1 Related Work

PKE with CPA security. Historically, Alekhnovich [1] constructed the first CPA-secure public-key encryption scheme from low-noise LPN (i.e., noise rate \( \mu =1/\sqrt{n} \)). Inspired by the schemes of Regev [17] and Gentry et al. [9], Döttling et al. proposed an alternative construction [8]. The work of Yu and Zhang [20] in 2016 made a breakthrough on the open problem of constructing public-key primitives from constant-noise LPN. Their IND-CPA scheme relies on a variant assumption called LPN on Squared-Log Entropy and specifies a tight requirement on the distribution of the secret.

PKE with CCA security. IND-CCA security [16] is one of the strongest known security notions for public-key encryption schemes. Döttling et al. [8] constructed the first CCA-secure PKE scheme from low-noise LPN using the correlated-products approach of [18], but the complexity of that scheme was hundreds of times worse than Alekhnovich’s scheme. Kiltz et al. [11] gave a more efficient CCA-secure construction by adapting techniques from LWE-based encryption [15] with some technical changes. Specifically, they used a double-trapdoor mechanism together with a trapdoor switching lemma, so that in the simulation there is always a trapdoor available to answer decryption queries. In [20], Yu and Zhang constructed the first CCA-secure scheme based on constant-noise LPN, using a tag-based encryption technique.

1.2 Our Contributions

In this work, we propose a simple and efficient PKE scheme that is IND-CCA secure under low-noise LPN. We give a neat construction with noise rate \( \mu \approx O(\sqrt{1/n}) \).

The construction combines an IND-CPA-secure private-key scheme \( \mathrm {\Pi }'=(\mathsf {Enc}',\mathsf {Dec}') \) with a collision resistant hash function \( {\mathsf {H}} \): the key \( {\mathbf {k}}={\mathsf {H}}({\mathbf {c}}_{1},{\mathbf {c}}_{2},{\mathbf {s}},\mathbf {H_{t}}) \), derived from the LPN part \( ({\mathbf {c}}_{1},{\mathbf {c}}_{2}) \) of the ciphertext, the per-encryption secret \( {\mathbf {s}} \) and the tag matrix \( \mathbf {H_{t}} \), is used as the secret key of \( \mathsf {Enc}'_{{\mathbf {k}}}({\mathbf {m}}) \). Intuitively, the pseudorandomness of LPN samples hides \( {\mathbf {s}} \) and hence \( {\mathbf {k}} \), so the scheme is IND-sTag-CCA secure (see Definition 4) and can be efficiently transformed into a CCA-secure encryption scheme [5, 11, 20].

2 Preliminaries

2.1 Notations and Definitions

We use capital letters (e.g., X, Y) for random variables and distributions, and standard letters (e.g., x, y) for values. Vectors are column vectors and are denoted by bold lower-case letters (e.g., \( {\mathbf {a}} \)). We treat matrices as the sets of their column vectors and denote them by bold capital letters (e.g., \( {\mathbf {A}} \)). For a binary string x, |x| denotes the Hamming weight of x. We use \( {\mathcal {B}}_{\mu } \) to denote the Bernoulli distribution with parameter \( \mu \), i.e., \( \mathrm {Pr}[{\mathcal {B}}_{\mu }=1]=\mu \), \(\mathrm {Pr}[{\mathcal {B}}_{\mu }=0]=1-\mu \), while \( {\mathcal {B}}_{\mu }^{n} \) denotes the concatenation of n independent copies of \( {\mathcal {B}}_{\mu } \). For n, \( \ell \in {\mathbb {N}}\), \( U_{n} \) (resp., \( U_{\ell \times n} \)) denotes the uniform distribution over \( \{0,1\}^{n} \) (resp., \( \{0,1\}^{\ell \times n} \)), independent of any other random variables under consideration. \( X\sim D \) denotes that the random variable X follows distribution D. We use \( s\leftarrow S \) to denote sampling an element s according to distribution S. For random variables X and Y, the statistical distance between them is defined by \( \varDelta (X, Y)=\frac{1}{2}\cdot \sum _{x}\left| \mathrm {Pr}[X=x]-\mathrm {Pr}[Y=x]\right| \). If for probability ensembles \( X=\{X_{n}\} _{n\in {\mathbb {N}}}\) and \( Y=\{Y_{n}\}_{n\in {\mathbb {N}}} \), \( \varDelta (X_{n}, Y_{n})\le \mathsf {negl}(n) \) holds, then X and Y are called statistically indistinguishable, denoted by \( X\overset{s}{\sim }Y \). If for any PPT distinguisher \( {\mathcal {D}} \), \( \left| \mathrm {Pr}[{\mathcal {D}}(X_{n})=1]-\mathrm {Pr}[{\mathcal {D}}(Y_{n})=1]\right| \le \mathsf {negl}(n) \) holds, then X and Y are called computationally indistinguishable, denoted by \( X\overset{c}{\sim }Y \).

Collision Resistant Hash Function. A hash function family \( {\mathcal {H}}=\{{\mathsf {H}}:{\mathcal {X}}\rightarrow {\mathcal {Y}}\} \) is collision resistant if for any PPT adversary \( {\mathcal {A}} \), it satisfies that \( \mathrm {Adv}_{\mathcal {H,A}}^{cr}(n)=\mathrm {Pr}[{\mathsf {H}}\overset{\$}{\leftarrow }{\mathcal {H}},(x,x')\overset{\$}{\leftarrow }{\mathcal {A}}({\mathsf {H}}):{\mathsf {H}}(x)={\mathsf {H}}(x')\wedge x\ne x']\le \mathsf {negl}(n) \).

2.2 Learning Parity with Noise

Definition 1

(Learning Parity with Noise). The decisional \( \mathbf {\mathsf {LPN}}_{n,m,\mu } \) problem is hard if for every \( m=\mathsf {poly}(n) \) we have \( ({\mathbf {A}}, {\mathbf {A}}\cdot \mathbf {s+e})\overset{c}{\sim }({\mathbf {A}},{\mathbf {b}}) \) where \({\mathbf {A}}\sim U_{m\times n} \), \( {\mathbf {s}}\sim U_{n}, {\mathbf {e}}\sim {\mathcal {B}}^{m}_{\mu } \) and \( {\mathbf {b}}\sim U_{m} \) while the secret length is n and the noise rate is \( 0<\mu <1/2 \). The computational \( \mathbf {\mathsf {LPN}}_{n,m,\mu } \) problem is hard if for every \( m=\mathsf {poly}(n) \) and every PPT algorithm \( {\mathcal {D}} \) we have \( \mathrm {Pr}[ {\mathcal {D}}({\mathbf {A}}, {\mathbf {A}}\cdot \mathbf {s+e})={\mathbf {s}} ]=\mathsf {negl}(n) \) where \( {\mathbf {A}}\sim U_{m\times n} \), \( {\mathbf {s}}\sim U_{n} \) and \( {\mathbf {e}}\sim {\mathcal {B}}^{m}_{\mu } \).

Definition 2

(Knapsack LPN-KLPN). The knapsack LPN problem is hard if for \( m>n \) samples we have \( ({\mathbf {A}}, \mathbf {A^{\intercal }t})\overset{c}{\sim }({\mathbf {A}}, {\mathbf {b}}) \) where \( {\mathbf {A}}\sim U_{m\times n} \), \( {\mathbf {t}}\sim {\mathcal {B}}_{\mu }^{m} \), \( {\mathbf {b}}\sim U_{n} \).

By a standard hybrid argument, the \( \ell \)-fold versions of LPN and KLPN are also hard: \( (\mathbf {A,AS+E})\overset{c}{\sim }(\mathbf {A,B_{1}}) \) where \( {\mathbf {A}}\sim U_{m\times n},{\mathbf {S}}\sim U_{n\times \ell },{\mathbf {E}}\sim {\mathcal {B}}_{\mu }^{m\times \ell } \) and \( {\mathbf {B}}_{1}\sim U_{m\times \ell } \); and \( (\mathbf {A,T^{\intercal }A})\overset{c}{\sim }(\mathbf {A,B_{2}}) \) where \( {\mathbf {A}}\sim U_{m\times n},{\mathbf {T}}\sim {\mathcal {B}}_{\mu }^{m\times \ell }\) and \({\mathbf {B}}_{2}\sim U_{\ell \times n} \).

Definition 3

(Extended Knapsack LPN-EKLPN). The Extended Knapsack LPN problem is hard if for \( m>n \) samples we have \( ({\mathbf {A}},\mathbf {A^{\intercal }t},{\mathbf {e}},\mathbf {t^{\intercal }e})\overset{c}{\sim }({\mathbf {A}},\mathbf {b,e,t^{\intercal }e}) \) where \( {\mathbf {A}}\sim U_{m\times n},{\mathbf {b}}\sim U_{n} \), \( \mathbf {t,e}\sim {\mathcal {B}}_{\mu }^{m} \).

Lemma 1

Assume that the Extended Knapsack LPN problem is hard then we have \( ({\mathbf {A}},\mathbf {A^{\intercal }t},{\mathbf {e}},\mathbf {t^{\intercal }e})\overset{c}{\sim }({\mathbf {A}},\mathbf {A^{\intercal }t'},\mathbf {e,t^{\intercal }e}) \).

Proof

From Definition 3 we have \( ({\mathbf {A}},\mathbf {A^{\intercal }t},{\mathbf {e}},\mathbf {t^{\intercal }e})\overset{c}{\sim }({\mathbf {A}},\mathbf {b,e,t^{\intercal }e}) \). From Definition 2 we have \( ({\mathbf {A}}, \mathbf {A^{\intercal }t'})\overset{c}{\sim }({\mathbf {A}}, {\mathbf {b}}) \) where \( {\mathbf {A}}\sim U_{m\times n} \), \( \mathbf {t,t',e}\sim {\mathcal {B}}_{\mu }^{m} \). Combining the two (note that \( {\mathbf {t}}' \) is independent of \( ({\mathbf {e}},\mathbf {t^{\intercal }e}) \)), we immediately obtain \( ({\mathbf {A}},\mathbf {A^{\intercal }t},{\mathbf {e}},\mathbf {t^{\intercal }e})\overset{c}{\sim }({\mathbf {A}},\mathbf {A^{\intercal }t'},\mathbf {e,t^{\intercal }e}). \)

The reduction from Extended Knapsack LPN to the standard LPN problem can be found in [7].

3 CCA Secure PKE from Low-Noise LPN

In this section, we construct a CCA-secure PKE from the low-noise LPN problem. Technically, we construct a tag-based PKE secure against selective-tag chosen ciphertext attacks from LPN, which can be transformed into a standard CCA-secure PKE by known techniques [5, 11, 20].

3.1 Tag-Based Encryption

A tag-based encryption (TBE) scheme with tag-space \( {\mathcal {T}} \) and message-space \( {\mathcal {M}} \) consists of three PPT algorithms \( \mathcal {TBE}=(\mathsf {KeyGen,Enc,Dec}) \). The randomized key generation algorithm \( \mathsf {KeyGen} \) takes the security parameter n as input and outputs a public key pk and a secret key sk, denoted as \( (pk,sk)\leftarrow \mathsf {KeyGen}(1^{n}) \). The randomized encryption algorithm \( \mathsf {Enc} \) takes pk, a tag \( {\mathbf {t}}\in {\mathcal {T}} \), and a plaintext \( {\mathbf {m}}\in {\mathcal {M}} \) as input and outputs a ciphertext C, denoted as \( C\leftarrow \mathsf {Enc}(pk,\mathbf {t,m}) \). The deterministic algorithm \( \mathsf {Dec} \) takes sk, a tag \( {\mathbf {t}} \) and C as inputs and outputs a plaintext \( {\mathbf {m}} \) or a special symbol \( \perp \), denoted as \( {\mathbf {m}}\leftarrow \mathsf {Dec}(sk,{\mathbf {t}},C) \). For correctness, we require that for all \( (pk,sk)\leftarrow \mathsf {KeyGen}(1^{n}) \), any tag \( {\mathbf {t}} \), any plaintext \( {\mathbf {m}} \) and any \( C\leftarrow \mathsf {Enc}(pk,{\mathbf {t}},{\mathbf {m}}) \), the equation \( \mathsf {Dec}(sk,{\mathbf {t}},C) ={\mathbf {m}}\) holds with overwhelming probability.

We consider the following game between a challenger \( {\mathcal {C}} \) and an adversary \( {\mathcal {A}} \).

  • Init. The adversary \( {\mathcal {A}} \) takes the security parameter n as input, and outputs a target tag \( {\mathbf {t}}^{*} \) to the challenger \( {\mathcal {C}} \).

  • KeyGen. The challenger \( {\mathcal {C}} \) computes \( (pk,sk)\leftarrow \mathsf {KeyGen}(1^{n}) \), gives the public key pk to the adversary \( {\mathcal {A}} \), and keeps the secret key sk.

  • Phase 1. The adversary \( {\mathcal {A}} \) can make polynomially many decryption queries for pairs \( ({\mathbf {t}},C) \), with the restriction that \( {\mathbf {t}}\ne {\mathbf {t}}^{*} \), and the challenger \( {\mathcal {C}} \) returns \( {\mathbf {m}}\leftarrow \mathsf {Dec}(sk,{\mathbf {t}},C) \) to \( {\mathcal {A}} \) accordingly.

  • Challenge. The adversary \( {\mathcal {A}} \) outputs two equal length plaintexts \( {\mathbf {m}}_{0},{\mathbf {m}}_{1}\in {\mathcal {M}} \). The challenger \( {\mathcal {C}} \) randomly chooses a bit \( b^{*}\overset{\$}{\leftarrow }\{0,1\} \), and returns the challenge ciphertext \( C^{*}\leftarrow \mathsf {Enc}(pk,{\mathbf {t}}^{*},{\mathbf {m}}_{b^{*}}) \) to the adversary \( {\mathcal {A}} \).

  • Phase 2. The adversary can make more decryption queries as in Phase 1.

  • Guess. Finally, \( {\mathcal {A}} \) outputs a guess \( b\in \{0,1\} \). If \( b=b^{*} \), the challenger \( {\mathcal {C}} \) outputs 1, else outputs 0.

  • Advantage. \( {\mathcal {A}} \)’s advantage is defined as \(\mathrm {Adv}_{\mathcal {TBE,A}}^{\mathrm {ind-stag-cca}}(1^{n})\overset{\mathrm {def}}{=}|\mathrm {Pr}[b=b^{*}]-\frac{1}{2}| \).

Definition 4

(IND-sTag-CCA.) We say that a TBE scheme \( \mathcal {TBE} \) is IND-sTag-CCA secure if for any PPT adversary \( {\mathcal {A}} \), its advantage is negligible in n.

3.2 The Construction

Our TBE scheme \( \mathcal {TBE} \) uses the following parameters and building blocks. Let k be the security parameter, \( n=\varTheta (k^{2}) \), and \( m\in {\mathbb {Z}} \) with \( m\ge 2n \). Fix constants \( 0<c<\frac{1}{6} \) and \( \alpha \) with \( 6c<\alpha <1 \). They define the Bernoulli parameter \( \mu =\sqrt{c/m} \) and the bounding parameter \( \beta =2\sqrt{cm} \) (\( =2\mu m \)), which is used to check consistency during decryption. Let \( {\mathbf {G}}\in {\mathbb {Z}}_{2}^{m\times n} \) be the generator matrix of a binary linear error-correcting code \( {\mathcal {C}}={\mathcal {C}}({\mathbf {G}}) \) with an efficient decoding algorithm \( \mathsf {Decode}_{{\mathbf {G}}} \) correcting up to \( \alpha m \) errors (we refer to [11] for details about the error-correcting code). Let the tag-space be \( {\mathcal {T}}={\mathbb {F}}_{2^{n}} \). We use a matrix representation \( {\mathbf {H}}_{{\mathbf {t}}}\in \{0,1\}^{n\times n} \) for finite field elements \( {\mathbf {t}}\in {\mathbb {F}}_{2^{n}} \) [5, 6, 11] such that \( \mathbf {H_{0}}={\mathbf {0}} \), \( \mathbf {H_{t}} \) is invertible for any \( {\mathbf {t}}\ne {\mathbf {0}} \), and \( \mathbf {H_{t_{1}}}+\mathbf {H_{t_{2}}}=\mathbf {H_{t_{1}+t_{2}}} \). Let \( {\mathcal {H}}:=\{{\mathsf {H}}:{\mathbb {Z}}_{2}^{m}\times {\mathbb {Z}}_{2}^{m}\times {\mathbb {Z}}_{2}^{n}\times {\mathbb {Z}}_{2}^{n\times n}\rightarrow {\mathbb {Z}}_{2}^{\ell }\} \) be a family of collision resistant hash functions, and let \( \mathrm {\Pi }' =(\mathsf {Enc}',\mathsf {Dec}')\) be a private-key encryption scheme for messages \( {\mathbf {m}}\in \{0,1\}^{\ell '} \) (\( \ell '\ll n \), say \( \ell '=128 \) typically). We present the construction of \( \mathcal {TBE}=(\mathsf {KeyGen, Enc, Dec}) \) with message space \( \{0,1\}^{\ell '} \) in Fig. 1.

Fig. 1. IND-sTag-CCA secure \( \mathcal {TBE} \) from low-noise LPN

3.3 Correctness

Lemma 2

(Chernoff Bound [11, 20] ). For any \( 0<\mu <1 \) and any \( \delta >0 \), we have \( \mathrm {Pr}[|{\mathcal {B}}_{\mu }^{m}|>(1+\delta )\mu m]<e^{\frac{-\mathsf {min}(\delta ,\delta ^{2})}{3}\mu m}, \) in particular, for \( \delta =1 \) \( \mathrm {Pr}[|{\mathcal {B}}_{\mu }^{m}|>2\mu m]<e^{-\mu m/3}. \)

In particular, for \( {\mathbf {e}}_{1}\overset{\$}{\leftarrow }{\mathcal {B}}_{\mu }^{m} \) the Chernoff bound with \( \delta =1 \) yields (recall that \( \beta =2\sqrt{cm}=2\mu m \)): \( \mathrm {Pr}[|{\mathbf {e}}_{1}|>\underbrace{\beta }_{{=2\mu m}}]<e^{-\mu m/3}=e^{-\sqrt{cm}/3}=2^{-\varTheta (\sqrt{m})}. \)

Theorem 1

(Correctness). Let the parameters be chosen as in our construction. Then, with overwhelming probability over the choice of the public and secret keys, for every tag \( {\mathbf {t}}\ne {\mathbf {0}} \) (so that \( \mathbf {H_{t}} \) is invertible) and every \( {\mathbf {m}}\in \{0,1\}^{\ell '} \), \( \mathsf {Dec}(sk,{\mathbf {t}},C) \) outputs \( {\mathbf {m}} \) for \( C\leftarrow \mathsf {Enc}(pk,{\mathbf {t}},{\mathbf {m}}) \).

Proof

The scheme’s correctness requires the following:

  1. \( |(\mathbf {T'-T}){\mathbf {e}}_{1}|\le \alpha m \) (so that \( \mathsf {Decode}_{{\mathbf {G}}} \) reconstructs \( \mathbf {H_{t}s} \), and hence \( {\mathbf {s}} \), from \( {\mathbf {y}}={\mathbf {c}}_{2}-\mathbf {Tc}_{1} \));

  2. \( |{\mathbf {c}}_{1}-\mathbf {As}|\le \beta \wedge |{\mathbf {c}}_{2}-(\mathbf {GH_{t}+B}){\mathbf {s}}|\le \frac{\alpha m}{3} \) (the consistency checks performed by \( \mathsf {Dec} \)).

For the decryption algorithm we need that the Hamming weight of the product of a matrix \( {\mathbf {T}}\overset{\$}{\leftarrow }{\mathcal {B}}_{\mu }^{m\times m} \) and a vector \( {\mathbf {e}}_{1}\overset{\$}{\leftarrow }{\mathcal {B}}_{\mu }^{m} \) is upper bounded by \( \frac{1}{3}\alpha m \) with overwhelming probability. We first analyze the inner product of a single row \( {\mathbf {t}}\overset{\$}{\leftarrow }{\mathcal {B}}_{\mu }^{m} \) with the vector \( {\mathbf {e}}_{1} \), whose Hamming weight is at most \( \beta \) as shown above. Since \( |{\mathbf {e}}_{1}|\le \beta \), \( {\mathbf {t}}^{\intercal }{\mathbf {e}}_{1}=1 \) requires \( {\mathbf {t}}[i]=1 \) for at least one of the i’s where \( {\mathbf {e}}_{1}[i]=1 \). More precisely, \( {\mathbf {t}}^{\intercal }{\mathbf {e}}_{1} \) is the XOR of \( |{\mathbf {e}}_{1}| \) independent \( {\mathcal {B}}_{\mu } \) bits, so by the piling-up (XOR) lemma and a union bound \( \mu '=\mathrm {Pr}[{\mathbf {t}}^{\intercal }{\mathbf {e}}_{1}=1]=\frac{1-(1-2\mu )^{|{\mathbf {e}}_{1}|}}{2}\le |{\mathbf {e}}_{1}|\mu \le \beta \mu =2c. \)

By the Chernoff bound (Lemma 2) with \( \delta =\alpha /(3\mu ')-1 \) (so that \( (1+\delta )\mu 'm=\alpha m/3 \); note \( \mu '\le 2c<\alpha /3 \)) we get \( \mathrm {Pr}\left[ |\mathbf {Te}_{1}|>\frac{1}{3}\alpha m\right] = \mathrm {Pr}\left[ |\mathbf {Te}_{1}|>(1+\delta )\mu ' m\right] < e^{\frac{-\mathsf {min}(\delta ,\delta ^{2})}{3}\mu ' m}. \)

Since both \( \delta \mu '=\alpha /3-\mu '\ge \alpha /3-2c>0 \) and \( \delta =\alpha /(3\mu ')-1\ge \alpha /(6c)-1>0 \) are lower bounded by constants, the exponent \( \mathsf {min}(\delta ,\delta ^{2})\mu 'm/3 \) is \( \varTheta (m) \), and therefore \( \mathrm {Pr}\left[ |\mathbf {Te}_{1}|>\frac{1}{3}\alpha m\right] <e^{\frac{-\mathsf {min}(\delta ,\delta ^{2})}{3}\mu ' m}=2^{-\varTheta (m)}. \)

Finally, for the ciphertext of our construction we have \( |{\mathbf {c}}_{1}-\mathbf {As}|=|{\mathbf {e}}_{1}|\le \beta \wedge |{\mathbf {c}}_{2}-(\mathbf {GH_{t}+B}){\mathbf {s}}|=|\mathbf {T'e}_{1}|\le \frac{1}{3}\alpha m \) with overwhelming probability \( 1-2^{-\varTheta (\sqrt{m})} \). In the decryption operation, \( {\mathbf {y}} ={\mathbf {c}}_{2}-{\mathbf {T}}\cdot {\mathbf {c}}_{1} =(\mathbf {GH_{t}+B})\cdot {\mathbf {s}}+\mathbf {T'e}_{1}-{\mathbf {T}}(\mathbf {A\cdot {\mathbf {s}}+{\mathbf {e}}_{1}}) =\mathbf {GH_{t}}\cdot {\mathbf {s}}+(\mathbf {T'-T})\cdot {\mathbf {e}}_{1} \) (using \( \mathbf {B=TA} \)), so it suffices to bound the error term \( |(\mathbf {T'-T}){\mathbf {e}}_{1}| \). It holds that \( |(\mathbf {T'-T}){\mathbf {e}}_{1}|\le |\mathbf {T'e}_{1}|+|\mathbf {Te}_{1}|\le \frac{2}{3}\alpha m<\alpha m. \) Therefore, the decoding procedure \( \mathsf {Decode}_{{\mathbf {G}}} \) successfully recovers \( \mathbf {H_{t}s} \), and hence \( {\mathbf {s}}=\mathbf {H_{t}^{-1}}(\mathbf {H_{t}s}) \).

In all, the message \( {\mathbf {m}} \) can be decrypted with overwhelming probability. \(\square \)
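As an added, runnable illustration of the construction and of the correctness argument above (example code written for this page, not the authors' implementation), the block below instantiates \( \mathsf {KeyGen} \), \( \mathsf {Enc} \) and \( \mathsf {Dec} \) over GF(2) with toy parameters and performs both consistency checks of \( \mathsf {Dec} \). It makes the following assumptions, none of which is prescribed by the paper: the tag field is \( {\mathbb {F}}_{2^{8}} \) (so \( n=8 \)) with \( \mathbf {H_{t}} \) realised as multiplication by \( {\mathbf {t}} \), which satisfies the three required properties; the code \( {\mathbf {G}} \) is a repetition code with majority decoding, a stand-in that does not give the \( \alpha m \) worst-case correction guarantee; \( {\mathsf {H}} \) is SHA-256 truncated to 128 bits and \( \mathrm {\Pi }' \) is a one-time pad; tags are restricted to nonzero field elements so that \( \mathbf {H_{t}} \) is invertible; plaintexts are constructed random test data. The parameters are far too small to be secure and only exercise the algebra.

```python
import functools
import hashlib
import operator
import random

# Toy parameters: NOT a secure instantiation, just small enough to run in seconds.
N = 8                        # secret length n; tags are elements of GF(2^8)
REP = 30                     # repetition factor of the stand-in code G
M = N * REP                  # number of samples m (m >= 2n)
C = 0.02                     # constant 0 < c < 1/6
MU = (C / M) ** 0.5          # noise rate mu = sqrt(c/m)
BETA = 2 * (C * M) ** 0.5    # beta = 2*sqrt(c*m) = 2*mu*m
ALPHA = 0.5                  # 6c < alpha < 1
KEYLEN = 16                  # ell = ell' = 128 bits; Pi' is a one-time pad
POLY = 0x11B                 # x^8+x^4+x^3+x+1, irreducible over GF(2) (the AES polynomial)


def weight(v):                                   # Hamming weight |v| of a bitmask
    return bin(v).count("1")


def bernoulli_vec(rng, mu, length):              # sample B_mu^length as a bitmask
    return sum(1 << i for i in range(length) if rng.random() < mu)


def mat_vec(rows, v):                            # M v over GF(2); rows[j] = row j as a bitmask
    return sum(1 << j for j, row in enumerate(rows) if weight(row & v) & 1)


def gf_mul(a, b):                                # multiplication in GF(2^8)
    r = 0
    while b:
        if b & 1:
            r ^= a
        a <<= 1
        if a & 0x100:
            a ^= POLY
        b >>= 1
    return r


def gf_inv(a):                                   # inverse in GF(2^8), a != 0 (brute force)
    return next(x for x in range(1, 256) if gf_mul(a, x) == 1)


# H_t is the matrix of multiplication by t in GF(2^8): H_t s = t*s, H_t^{-1} b = t^{-1}*b,
# H_0 = 0 and H_{t1} + H_{t2} = H_{t1+t2}, as required of the tag representation.
# G is a stand-in: an n-block repetition code of length m = n*REP with majority decoding.
def encode(b):                                   # G b, b an n-bit value
    return sum(((1 << REP) - 1) << (i * REP) for i in range(N) if (b >> i) & 1)


def decode(y):                                   # Decode_G(y): majority vote in each block
    return sum(1 << i for i in range(N)
               if 2 * weight((y >> (i * REP)) & ((1 << REP) - 1)) > REP)


def derive_key(c1, c2, s, t):                    # k = H(c1, c2, s, H_t); H_t is fixed by t
    data = c1.to_bytes(M // 8, "little") + c2.to_bytes(M // 8, "little") + bytes([s, t])
    return hashlib.sha256(data).digest()[:KEYLEN]


def keygen(rng):
    A = [rng.getrandbits(N) for _ in range(M)]                    # A ~ U_{m x n}
    T = [bernoulli_vec(rng, MU, M) for _ in range(M)]             # T ~ B_mu^{m x m}
    B = [functools.reduce(operator.xor, (A[i] for i in range(M) if (T[j] >> i) & 1), 0)
         for j in range(M)]                                       # B = T A
    return (A, B), (T, A, B)                                      # pk, sk (sk keeps pk for the checks)


def encrypt(pk, t, msg, rng):
    A, B = pk
    assert 0 < t < 256 and len(msg) == KEYLEN                     # t != 0 keeps H_t invertible
    s = rng.getrandbits(N)                                        # s ~ U_n
    e1 = bernoulli_vec(rng, MU, M)                                # e1 ~ B_mu^m
    Tp = [bernoulli_vec(rng, MU, M) for _ in range(M)]            # T' ~ B_mu^{m x m}
    c1 = mat_vec(A, s) ^ e1                                       # c1 = A s + e1
    c2 = encode(gf_mul(t, s)) ^ mat_vec(B, s) ^ mat_vec(Tp, e1)   # c2 = (G H_t + B) s + T' e1
    k = derive_key(c1, c2, s, t)
    return c1, c2, bytes(x ^ y for x, y in zip(k, msg))           # c3 = Enc'_k(m), one-time pad


def decrypt(sk, t, ct):
    T, A, B = sk
    c1, c2, c3 = ct
    y = c2 ^ mat_vec(T, c1)                                       # y = G H_t s + (T' - T) e1
    s = gf_mul(gf_inv(t), decode(y))                              # s = H_t^{-1} Decode_G(y)
    if weight(c1 ^ mat_vec(A, s)) > BETA:                         # check |c1 - A s| <= beta
        return None
    if weight(c2 ^ encode(gf_mul(t, s)) ^ mat_vec(B, s)) > ALPHA * M / 3:
        return None                                               # check |c2 - (G H_t + B) s| <= alpha m/3
    return bytes(x ^ y for x, y in zip(derive_key(c1, c2, s, t), c3))


def run_trials(trials=30, seed=1):
    """(#honest decryptions that return m, #decryptions under a wrong tag that do not)."""
    rng = random.Random(seed)
    pk, sk = keygen(rng)
    honest_ok = wrong_tag_rejected = 0
    for _ in range(trials):
        t = 1 + rng.randrange(255)                                # nonzero tag
        msg = bytes(rng.getrandbits(8) for _ in range(KEYLEN))    # constructed random plaintext
        ct = encrypt(pk, t, msg, rng)
        honest_ok += decrypt(sk, t, ct) == msg
        wrong_tag_rejected += decrypt(sk, 1 + (t % 255), ct) != msg  # a different nonzero tag
    return honest_ok, wrong_tag_rejected
```

Calling `run_trials()` reports how many of 30 honest encryptions decrypt correctly and how many decryptions under a different tag fail (the wrong \( \mathbf {H_{t}^{-1}} \) yields a wrong \( {\mathbf {s}} \), so the \( \beta \) check rejects, or the derived key differs). With these parameters a few honest ciphertexts are rejected because \( |{\mathbf {e}}_{1}|>\beta \): the \( 2^{-\varTheta (\sqrt{m})} \) bound from the Chernoff step is asymptotic, and concrete parameter sets should be validated by measuring the decryption-failure rate rather than by the bound alone.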

3.4 Security

Theorem 2

Assume that the LPN problem is hard, \( {\mathsf {H}} \) is a collision resistant hash function and \( \mathrm {\Pi }'\) is an IND-CPA-secure private-key encryption scheme then our TBE scheme \( \mathcal {TBE} \) in Fig. 1. is IND-sTag-CCA secure.

Proof

Let \( {\mathcal {A}} \) be any PPT adversary attacking our scheme \( \mathcal {TBE} \) with advantage \( \varepsilon \). We show that \( \varepsilon \) must be negligible in n. We proceed by a sequence of games, where the first game is the real game and the last is a game in which the challenge ciphertext contains one component from an IND-CPA secure private-key encryption. Thus if \( {\mathcal {A}} \) wins in the last game, it breaks the IND-CPA security of the private-key scheme, contradicting the assumption. The security of \( \mathcal {TBE} \) then follows by showing that \( {\mathcal {A}} \)’s advantages in any two consecutive games are negligibly close.

Game 1. This is the IND-sTag-CCA experiment. The challenger \( {\mathcal {C}} \) honestly runs the adversary \( {\mathcal {A}} \) with the security parameter k and obtains a target tag \( {\mathbf {t}}^{*} \) from \( {\mathcal {A}} \). Then, it simulates the IND-sTag-CCA security game for \( {\mathcal {A}} \) as follows:

  • KeyGen. First uniformly choose a collision resistant hash function \( {\mathsf {H}}\overset{\$}{\leftarrow }{\mathcal {H}} \) and matrices \( {\mathbf {A}}\overset{\$}{\leftarrow }U_{m\times n} \), \( {\mathbf {T}}\overset{\$}{\leftarrow }{\mathcal {B}}_{\mu }^{m\times m} \). Then, compute \( {\mathbf {B}}=\mathbf {TA}\in \{0,1\}^{m\times n} \). Finally, \( {\mathcal {C}} \) sends \( pk=({\mathbf {A}},{\mathbf {B}}) \) to the adversary \( {\mathcal {A}} \), and keeps \( sk={\mathbf {T}} \) to itself.

  • Phase 1. On receiving a decryption query \( c=({\mathbf {t}},({\mathbf {c}}_{1},{\mathbf {c}}_{2},{\mathbf {c}}_{3})) \) from the adversary \( {\mathcal {A}} \), the challenger \( {\mathcal {C}} \) directly returns \( \perp \) if \( {\mathbf {t}}=\mathbf {t^{*}} \). Otherwise it first computes \( {\mathbf {y}} ={\mathbf {c}}_{2}-{\mathbf {T}}\cdot {\mathbf {c}}_{1} =(\mathbf {GH_{t}+B})\cdot {\mathbf {s}}+\mathbf {T'e}_{1}-{\mathbf {T}}(\mathbf {A\cdot {\mathbf {s}}+{\mathbf {e}}_{1}}) =\mathbf {GH_{t}}\cdot {\mathbf {s}}+(\mathbf {T'-T}){\mathbf {e}}_{1} \) (the expansion holds for an honestly generated ciphertext). Then the challenger recovers \( \mathbf {b=H_{t}s} \) from \( {\mathbf {y}} \) by the error-correcting property of \( {\mathbf {G}} \), which removes the error \( (\mathbf {T'-T}){\mathbf {e}}_{1} \), and computes \( \mathbf {s=H_{t}^{-1}b} \). Then the challenger \( {\mathcal {C}} \) checks whether \(|{\mathbf {c}}_{1}-\mathbf {As}|\le \beta \wedge |{\mathbf {c}}_{2}-(\mathbf {GH_{t}+B}){\mathbf {s}}|\le \frac{1}{3}\alpha m \). If so, it computes \( {\mathbf {k}}={\mathsf {H}}({\mathbf {c}}_{1},{\mathbf {c}}_{2},{\mathbf {s}},\mathbf {H_{t}}), {\mathbf {m}}=\mathsf {Dec}_{{\mathbf {k}}}'({\mathbf {c}}_{3}) \); otherwise it sets \( {\mathbf {m}}=\perp \). Finally it returns \( {\mathbf {m}} \) to \( {\mathcal {A}} \).

  • Challenge. After receiving two equal length plaintexts \( {\mathbf {m}}_{0} \), \( {\mathbf {m}}_{1}\in \{0,1\}^{\ell '} \) from the adversary \( {\mathcal {A}} \), the challenger \( {\mathcal {C}} \) first randomly chooses a bit \( b^{*} \overset{\$}{\leftarrow }\{0,1\} \), and \( {\mathbf {s}}\overset{\$}{\leftarrow }U_{n}, {\mathbf {e}}_{1}\overset{\$}{\leftarrow }{\mathcal {B}}_{\mu }^{m} ,\mathbf {T'}\overset{\$}{\leftarrow }{\mathcal {B}}_{\mu }^{m\times m}. \) Then, it calculates \( {\mathbf {c}}_{1}^{*}:=\mathbf {As}+{\mathbf {e}}_{1}\in \{0,1\}^{m}, {\mathbf {c}}_{2}^{*}:=(\mathbf {GH_{{\mathbf {t}}^{*}}+B}){\mathbf {s}}+\mathbf {T'}{\mathbf {e}}_{1}\in \{0,1\}^{m}, {\mathbf {k}}={\mathsf {H}}({\mathbf {c}}_{1}^{*},{\mathbf {c}}_{2}^{*},{\mathbf {s}},\mathbf {H_{t^{*}}}) \in \{0,1\}^{\ell }, {\mathbf {c}}_{3}^{*}:=\mathsf {Enc}'_{{\mathbf {k}}}({\mathbf {m}}_{b^{*}})\in \{0,1\}^{\ell '} \), and returns the challenge ciphertext \( ({\mathbf {c}}_{1}^{*},{\mathbf {c}}_{2}^{*},{\mathbf {c}}_{3}^{*}) \) to the adversary \( {\mathcal {A}} \).

  • Phase 2. The adversary can make more decryption queries and the challenger \( {\mathcal {C}} \) responds to \( {\mathcal {A}} \) as in Phase 1.

  • Guess. Finally, \( {\mathcal {A}} \) outputs a guess \( b\in \{0,1\} \). If \( b=b^{*} \), the challenger \( {\mathcal {C}} \) outputs 1, else outputs 0.

Let \( W_{i} \) be the event that \( {\mathcal {C}} \) outputs 1 in Game i, for \( i\in \{1,2,3,4\} \).

Game 2. This Game is identical to Game 1 except that the challenge phase is changed as follows:

  • Challenge. After receiving two equal length plaintexts \( {\mathbf {m}}_{0} \), \( {\mathbf {m}}_{1}\in \{0,1\}^{\ell '} \) from the adversary \( {\mathcal {A}} \), the challenger \( {\mathcal {C}} \) first randomly chooses a bit \( b^{*} \overset{\$}{\leftarrow }\{0,1\} \), and \( {\mathbf {s}}\overset{\$}{\leftarrow }U_{n}, {\mathbf {e}}_{1}\overset{\$}{\leftarrow }{\mathcal {B}}_{\mu }^{m} \). Then, it calculates \( {\mathbf {c}}_{1}^{*}:=\mathbf {As}+{\mathbf {e}}_{1}\in \{0,1\}^{m}, {\mathbf {c}}_{2}^{*}:=(\mathbf {GH_{{\mathbf {t}}^{*}}+B}){\mathbf {s}}+{\mathbf {T}}{\mathbf {e}}_{1}\in \{0,1\}^{m}, {\mathbf {k}}={\mathsf {H}}({\mathbf {c}}_{1}^{*},{\mathbf {c}}_{2}^{*},{\mathbf {s}},\mathbf {H_{t^{*}}}) \in \{0,1\}^{\ell }, {\mathbf {c}}_{3}^{*}:=\mathsf {Enc}'_{{\mathbf {k}}}({\mathbf {m}}_{b^{*}}) \in \{0,1\}^{\ell '} \), and returns the challenge ciphertext \( ({\mathbf {c}}_{1}^{*},{\mathbf {c}}_{2}^{*},{\mathbf {c}}_{3}^{*}) \) to the adversary \( {\mathcal {A}} \).

Lemma 3

\(|\mathrm {Pr}[W_{1}]-\mathrm {Pr}[W_{2}]|\le \mathsf {negl}(n) \)

Proof

The only difference between Game 1 and Game 2 is that \( {\mathcal {C}} \) replaces \( {\mathbf {c}}_{2}^{*}:=(\mathbf {GH_{{\mathbf {t}}^{*}}+B}){\mathbf {s}}+\mathbf {T'}{\mathbf {e}}_{1} \) in Game 1 with \( {\mathbf {c}}_{2}^{*}:=(\mathbf {GH_{{\mathbf {t}}^{*}}+B}){\mathbf {s}}+{\mathbf {T}}{\mathbf {e}}_{1} \) in Game 2. Next, we introduce a sequence of games {\(\hbox {Game}_{1,i} \)}\( _{i\in [0,m]} \) between Game 1 and Game 2 to replace \( \mathbf {T'} \) in the \( {\mathbf {c}}_{2}^{*} \) row by row. Firstly, we define \( {\mathbf {T}}=({\mathbf {t}}_{1},\cdots ,{\mathbf {t}}_{m})^{\intercal }, \mathbf {T'} = ({\mathbf {t}}_{1}',\cdots ,{\mathbf {t}}_{m}')^{\intercal }\).

  • \(\hbox {Game}_{1,i} \), \( i\in [m] \). This game is a hybrid of Game 1 and Game 2: the challenger \( {\mathcal {C}} \) replaces \( {\mathbf {t}}_{i}'^{\intercal } \) with \( {\mathbf {t}}_{i}^{\intercal } \) in \( {\mathbf {c}}_{2}^{*} \) during the challenge phase and keeps the remaining rows as in Game\( _{1,i-1} \). Let Game\( _{1,0} \) be Game 1. Obviously, Game\( _{1,m} \) is identical to Game 2.

It suffices to show that \( |\mathrm {Pr}[W_{1,i}]-\mathrm {Pr}[W_{1,i-1}]|\le \mathsf {negl}(n) \) for any \( i\in [m] \). The hardness of the EKLPN problem ensures that the probability for adversary \( {\mathcal {A}} \) to distinguish Game\( _{1,i} \) from Game\( _{1,i-1} \) is negligible. Otherwise we can construct an algorithm \( {\mathcal {B}} \) to solve EKLPN problem. Precisely, \( {\mathcal {B}} \) is constructed by simulating Game\( _{1,i} \) or Game \( _{1,i-1} \) for \( {\mathcal {A}} \). \( {\mathcal {B}} \) is given a quadruple \(({\mathbf {A}},(\bar{{\mathbf {t}}}_{i}^{\intercal }{\mathbf {A}})^{\intercal },{\mathbf {e}}_{1},{\bar{z}}_{i})\), where \( {\bar{z}}_{i} \) is either \( \bar{{\mathbf {t}}}_{i}^{\intercal }{\mathbf {e}}_{1} \) or \( \bar{{\mathbf {t}}}_{i}'^{\intercal }{\mathbf {e}}_{1} \). \( {\mathcal {B}} \)’s behavior is as follows.

  • KeyGen. \( {\mathcal {B}} \) picks \( {\mathsf {H}}\overset{\$}{\leftarrow }{\mathcal {H}} \), \( {\mathbf {T}}_{i} = \left( {\mathbf {t}}_{1},\cdots ,{\mathbf {r}}_{i},\cdots ,{\mathbf {t}}_{m} \right) ^{\intercal } \) and then \( {\mathcal {B}} \) sets \( {\mathbf {B}}=\left( {\mathbf {A}}^{\intercal }{\mathbf {t}}_{1},\cdots , \boxed {{\mathbf {A}}^{\intercal }\bar{{\mathbf {t}}}_{i}},\cdots ,{\mathbf {A}}^{\intercal }{\mathbf {t}}_{m} \right) ^{\intercal } \). Finally, \( {\mathcal {B}} \) sends \( pk=({\mathbf {A}},{\mathbf {B}}) \) to the adversary \( {\mathcal {A}} \), and keeps \( sk={\mathbf {T}}_{i} \) to itself. Note that the \( i^{th} \) row in \( {\mathbf {T}}_{i} \) is chosen randomly and the \( i^{th} \) row in \( {\mathbf {B}} \) is independent of it.

  • Phase 1. On receiving a decryption query \( c=({\mathbf {t}},({\mathbf {c}}_{1},{\mathbf {c}}_{2},{\mathbf {c}}_{3})) \) from the adversary \( {\mathcal {A}} \), \( {\mathcal {B}} \) directly returns \( \perp \) if \( {\mathbf {t}}=\mathbf {t^{*}} \). Otherwise it first computes \( {\mathbf {y}} ={\mathbf {c}}_{2}-{\mathbf {T}}_{i}\cdot {\mathbf {c}}_{1} =(\mathbf {GH_{t}+B})\cdot {\mathbf {s}}+\mathbf {T'e}_{1}-{\mathbf {T}}_{i}({\mathbf {A}}\cdot {\mathbf {s}}+{\mathbf {e}}_{1}) =\mathbf {GH_{t}}\cdot {\mathbf {s}}+ \underbrace{ \left( \begin{array}{c} 0 \\ \vdots \\ (\bar{{\mathbf {t}}}_{i}^{\intercal }-{\mathbf {r}}_{i}^{\intercal })\mathbf {As}\\ \vdots \\ 0 \end{array} \right) +\left( \begin{array}{c} ({{\mathbf {t}}}_{1}'^{\intercal }-{\mathbf {t}}_{1}^{\intercal }){\mathbf {e}}_{1} \\ \vdots \\ ({{\mathbf {t}}}_{i}'^{\intercal }-{\mathbf {r}}_{i}^{\intercal }){\mathbf {e}}_{1}\\ \vdots \\ ({{\mathbf {t}}}_{m}'^{\intercal }-{\mathbf {t}}_{m}^{\intercal }){\mathbf {e}}_{1} \end{array} \right) }_{\mathrm {\varDelta }_{i}} \) and \( \mathbf {H_{t}s}=\mathsf {Decode}_{{\mathbf {G}}}({\mathbf {y}}) \). Writing \( {\mathbf {y}}=\mathbf {GH_{t}}{\mathbf {s}}+\mathrm {\varDelta }_{i} \), the first vector contributes at most one additional error (in row i), so \( |\mathrm {\varDelta }_{i}|\le \frac{2}{3}\alpha m+1 < \alpha m \) and \( \mathsf {Decode}_{{\mathbf {G}}} \) still recovers \( \mathbf {H_{t}s} \), and hence \( {\mathbf {s}} \), from \( {\mathbf {y}} \). Then \( {\mathcal {B}} \) checks whether \(|{\mathbf {c}}_{1}-\mathbf {As}|\le \beta \wedge |{\mathbf {c}}_{2}-(\mathbf {GH_{t}+B}){\mathbf {s}}|\le \frac{1}{3}\alpha m \). If so, it computes \( {\mathbf {k}}={\mathsf {H}}({\mathbf {c}}_{1},{\mathbf {c}}_{2},{\mathbf {s}},\mathbf {H_{t}}), {\mathbf {m}}=\mathsf {Dec}_{{\mathbf {k}}}'({\mathbf {c}}_{3}) \); otherwise it sets \( {\mathbf {m}}=\perp \). Finally it returns \( {\mathbf {m}} \) to \( {\mathcal {A}} \). Therefore, the decryption oracle behaves correctly.

  • Challenge. After receiving two equal length plaintexts \( {\mathbf {m}}_{0} \), \( {\mathbf {m}}_{1}\in \{0,1\}^{\ell '} \) from the adversary \( {\mathcal {A}} \), \( {\mathcal {B}} \) first randomly chooses a bit \( b^{*} \overset{\$}{\leftarrow }\{0,1\} \), and \( {\mathbf {s}}\overset{\$}{\leftarrow }U_{n}, {\mathbf {e}}_{1}\overset{\$}{\leftarrow }{\mathcal {B}}_{\mu }^{m} \). Then, it calculates \( {\mathbf {c}}_{1}^{*}:=\mathbf {As}+{\mathbf {e}}_{1}\in \{0,1\}^{m}, \mathbf {c_{2}^{*}}= \mathbf {(GH_{t^{*}}+B)s}+ \left( {\mathbf {e}}_{1}^{\intercal }{\mathbf {t}}_{1},\cdots ,{\mathbf {e}}_{1}^{\intercal }{\mathbf {t}}_{i-1}, \boxed {\bar{{z}}_{i}},{\mathbf {e}}_{1}^{\intercal }{\mathbf {t}}^{'}_{i+1},\cdots ,{\mathbf {e}}_{1}^{\intercal }{\mathbf {t}}^{'}_{m} \right) ^{\intercal } \in \{0,1\}^{m}, {\mathbf {k}}={\mathsf {H}}({\mathbf {c}}_{1}^{*},{\mathbf {c}}_{2}^{*},{\mathbf {s}},\mathbf {H_{t^{*}}}) \in \{0,1\}^{\ell },{\mathbf {c}}_{3}^{*}:=\mathsf {Enc}'_{{\mathbf {k}}}({\mathbf {m}}_{b^{*}})\in \{0,1\}^{\ell '} \), and returns the challenge ciphertext \( ({\mathbf {c}}_{1}^{*},{\mathbf {c}}_{2}^{*},{\mathbf {c}}_{3}^{*}) \) to the adversary \( {\mathcal {A}} \).

  • Phase 2. The adversary can make more decryption queries and \( {\mathcal {B}} \) responds to \( {\mathcal {A}} \) as in Phase 1.

  • Guess. Finally, \( {\mathcal {A}} \) outputs a guess \( b\in \{0,1\} \). If \( b=b^{*} \), \( {\mathcal {B}} \) outputs 1, else outputs 0.

If \( {\bar{z}}_{i}=\bar{{\mathbf {t}}}_{i}'^{\intercal }{\mathbf {e}}_{1} \), then \( {\mathcal {B}} \) simulates the behavior of the challenger in Game\( _{1,i-1} \) exactly. Hence, \( \mathrm {Pr}[W_{1,i-1}] = \mathrm {Pr}\left[ {\mathcal {B}}({\mathbf {A}},(\bar{{\mathbf {t}}}_{i}^{\intercal }{\mathbf {A}})^{\intercal },{\mathbf {e}}_{1},\bar{{\mathbf {t}}}_{i}'^{\intercal }{\mathbf {e}}_{1})=1\right] \).

If \( {\bar{z}}_{i}=\bar{{\mathbf {t}}}_{i}^{\intercal }{\mathbf {e}}_{1} \), then \( {\mathcal {B}} \) simulates the behavior of the challenger in Game\( _{1,i}\) exactly. Hence, \( \mathrm {Pr}[W_{1,i}] = \mathrm {Pr}\left[ {\mathcal {B}}({\mathbf {A}},(\bar{{\mathbf {t}}}_{i}^{\intercal }{\mathbf {A}})^{\intercal },{\mathbf {e}}_{1},\bar{{\mathbf {t}}}_{i}^{\intercal }{\mathbf {e}}_{1})=1\right] \).

Therefore, for \( i\in [m] \), we have \( |\mathrm {Pr}[W_{1,i-1}]-\mathrm {Pr}[W_{1,i}]| \le \mathsf {negl}(n) \).

Game 3. This Game is identical to Game 2 except that the challenger \( {\mathcal {C}} \) replaces \( \mathbf {B=TA} \) with \( \mathbf {B'=B-GH_{t^{*}}}\in \{0,1\}^{m\times n} \) in the key generation phase.

Lemma 4

\( |\mathrm {Pr}[W_{3}]-\mathrm {Pr}[W_{2}]|\le \mathsf {negl}(n) \).

Proof

The only difference between Game 2 and Game 3 is the public key: \( {\mathcal {C}} \) replaces \( \mathbf {B=TA} \) in Game 2 with \( \mathbf {B'=B-GH_{t^{*}}} \) in Game 3. By the m-fold knapsack LPN assumption (Sect. 2.2 with \( \ell =m \)), \( ({\mathbf {A}},\mathbf {TA}) \) is computationally indistinguishable from \( ({\mathbf {A}},U_{m\times n}) \), and adding the fixed matrix \( \mathbf {GH_{t^{*}}} \) to a uniform matrix leaves it uniform, so the public keys of Game 2 and Game 3 are computationally indistinguishable. Note that the challenger still holds \( {\mathbf {T}} \) in Game 3: for a decryption query with tag \( {\mathbf {t}}\ne {\mathbf {t}}^{*} \) it obtains \( {\mathbf {y}}={\mathbf {c}}_{2}-\mathbf {Tc}_{1}=\mathbf {G}(\mathbf {H_{t}}-\mathbf {H_{t^{*}}}){\mathbf {s}}+(\mathbf {T'-T}){\mathbf {e}}_{1}=\mathbf {GH_{t-t^{*}}s}+(\mathbf {T'-T}){\mathbf {e}}_{1} \), from which \( \mathsf {Decode}_{{\mathbf {G}}} \) recovers \( \mathbf {H_{t-t^{*}}s} \), and \( \mathbf {H_{t-t^{*}}} \) is invertible since \( {\mathbf {t}}-{\mathbf {t}}^{*}\ne {\mathbf {0}} \), so decryption queries can still be answered. Thus we have \( |\mathrm {Pr}[W_{3}]-\mathrm {Pr}[W_{2}]|\le \mathsf {negl}(n) \).

Game 4. This Game is identical to Game 3 except that the challenger \( {\mathcal {C}} \) replaces \( {\mathbf {c}}_{1}^{*}=\mathbf {As}+{\mathbf {e}}_{1}\in \{0,1\}^{m}\) with \( {\mathbf {c}}_{1}^{*}={\mathbf {u}}\in \{0,1\}^{m} \) in the challenge phase. Note that in Game 2, \( {\mathbf {c}}_{2}^{*}=(\mathbf {GH_{t^{*}}+B}){\mathbf {s}}+{\mathbf {T}}{\mathbf {e}}_{1}=\mathbf {GH_{t^{*}}s}+{\mathbf {T}}{\mathbf {c}}_{1}^{*} \). Therefore, in Game 3 we have \( {\mathbf {c}}_{2}^{*}=(\mathbf {GH_{t^{*}}+B'}){\mathbf {s}}+{\mathbf {T}}{\mathbf {e}}_{1}={\mathbf {T}}{\mathbf {c}}_{1}^{*} \).

Lemma 5

\( | \mathrm {Pr}[W_{4}]-\mathrm {Pr}[W_{3}] |\le \mathsf {negl}(n) \).

Proof

The only difference between Game 3 and Game 4 is that \( {\mathcal {C}} \) replaces \( {\mathbf {c}}_{1}^{*}=\mathbf {As}+{\mathbf {e}}_{1}\in \{0,1\}^{m}\) in Game 3 with \( {\mathbf {c}}_{1}^{*}={\mathbf {u}}\in \{0,1\}^{m} \) in Game 4 (and, by the observation above, \( {\mathbf {c}}_{2}^{*}={\mathbf {T}}{\mathbf {c}}_{1}^{*} \) in both games). Suppose \( {\mathcal {A}} \) distinguishes Game 3 from Game 4 with non-negligible advantage \( \mathsf {adv}(n) \). Then we can construct a distinguisher \( {\mathcal {D}} \) between the distributions \( ({\mathbf {A}},\mathbf {A\cdot s}+{\mathbf {e}}) \) and \( ({\mathbf {A}},{\mathbf {u}}) \) (where \( {\mathbf {u}}\overset{\$}{\leftarrow } U_{m}\)) that embeds its input as \( ({\mathbf {A}},{\mathbf {c}}_{1}^{*}) \) and otherwise runs \( {\mathcal {A}} \) as in Game 3, so that \( \left| \mathrm {Pr}[{\mathcal {D}}({\mathbf {A}},\mathbf {A\cdot s}+{\mathbf {e}})=1]-\mathrm {Pr}[{\mathcal {D}}({\mathbf {A}},{\mathbf {u}})=1]\right| =\left| \mathrm {Pr}[W_{3}]-\mathrm {Pr}[W_{4}]\right| =\mathsf {adv}(n) \), contradicting the decisional LPN assumption. This means that \( \left| \mathrm {Pr}[W_{3}]-\mathrm {Pr}[W_{4}]\right| \le \mathsf {negl}(n) \).

Lemma 6

\( \mathrm {Pr}[W_{4}]=\frac{1}{2}+\mathsf {negl}(n) \).

Proof

This lemma follows from the fact that in Game 4 the challenge component \( {\mathbf {c}}_{1}^{*} \) is uniformly random and independent of \( {\mathbf {s}} \) (and \( {\mathbf {c}}_{2}^{*}={\mathbf {T}}{\mathbf {c}}_{1}^{*} \) is likewise independent of \( {\mathbf {s}} \)). From \( {\mathcal {A}} \)’s view, \( {\mathbf {s}} \) is therefore perfectly hidden, and the collision resistant hash function makes it infeasible for \( {\mathcal {A}} \) to guess \( {\mathbf {k}} \) correctly. Combined with the IND-CPA security of the private-key encryption scheme, this ensures that the advantage of the adversary \( {\mathcal {A}} \) is negligible.

Note that \( \mathrm {\Pi }' \) is only required to be IND-CPA secure; a one-time pad suffices, since once the pseudorandom component has been replaced by true randomness the challenge ciphertext is perfectly random, so the adversary cannot guess \( b^{*} \) with probability better than 1/2, while decryption queries are still answered correctly. In all, we have \( \mathrm {Pr}[W_{1}]=\frac{1}{2}+\mathsf {negl}(n) \), so that \( \varepsilon =\mathsf {negl}(n) \). This completes the proof.