LARA: A Design Concept for Lattice-Based Encryption

Abstract

Lattice-based encryption schemes still suffer from a low message throughput per ciphertext and inefficient solutions towards realizing enhanced security properties such as CCA1- or CCA2-security. This is mainly due to the fact that the underlying schemes still follow a traditional design concept and do not tap the full potentials of LWE. Furthermore, the desired security features are also often achieved by costly approaches or less efficient generic transformations. Recently, a novel encryption scheme based on the A-LWE assumption (relying on the hardness of LWE) has been proposed, where data is embedded into the error term without changing its target distributions. By this novelty it is possible to encrypt much more data as compared to the classical approach. In this paper we revisit this approach and propose several techniques in order to improve the message throughput per ciphertext. Furthermore, we present a very efficient trapdoor construction of reduced storage size. More precisely, the secret and public key sizes are reduced to just 1 polynomial, as opposed to \(O( \log q)\) polynomials following previous constructions. Finally, we give an efficient implementation of the scheme instantiated with the new trapdoor construction. In particular, we attest high message throughputs and low ciphertext expansion factors at efficient running times. Our scheme even ensures CCA (or RCCA) security, while entailing a great deal of flexibility to encrypt arbitrary large messages or signatures by use of the same secret key.

A CCA-secure Encryption with Tags

Let \(q=3^k\) and \(\mathcal {T}\) define the tag space containing binary polynomials of degree less than \(n/2\,.\)

Fig. 3.

Description of the CCA-secure encryption scheme.

Remark 3

We note that in the encryption routine we have \((\mathbf {t}_u\cdot \mathbf {g}-\mathbf {a}_3) \cdot \mathbf {s}+ \mathbf {e}_3=\mathbf {t}_u\mathbf {s} \cdot \mathbf {g}-\mathbf {a}_3 \cdot \mathbf {s}+ \mathbf {e}_3\,.\) Furthermore,the trapdoor inversion algorithm \(\mathsf {LWEInv}^{\prime }\) computes the same quantities as \(\mathsf {LWEInv}\) with the difference that it also deduces \(\mathbf {t}_u\) from u via the coefficient embedding. Once \(\mathbf {t}_u\cdot \mathbf {s}\) is recovered, one can compute \(\mathbf {s}\) and thus \(\hat{\mathbf {e}}=\hat{\mathbf {b}}-\mathbf {A}_u\cdot \mathbf {s}\) (see Sect. 4).

1.1 A.1 Chosen Ciphertext Security and Variants

We recall the definitions of (replayable) chosen ciphertext security of encryption schemes. Let \(\mathcal {E}= (\mathsf {KGen},\mathsf {Enc},\mathsf {Dec})\) be a public key encryption scheme and consider the following experiments for \(\mathsf {atk}\in \{\mathsf {cca1,cca2,rcca}\}\):

The security of the scheme directly follows from the framework as described in [EDB15] (Fig. 3).