Practical $\mathsf{MP\text{-}LWE}$-based encryption balancing security-risk versus efficiency

Middle-product learning with errors ($\mathsf{MP\text{-}LWE}$) is a variant of the $\mathsf{LWE}$ problem introduced at CRYPTO 2017 by Rosca et al. (Advances in Cryptology, CRYPTO 2017, Springer, Berlin). Asymptotically, the theoretical results of Rosca et al. (2017) suggest that $\mathsf{MP\text{-}LWE}$ yields lattice-based public-key cryptosystems with a ‘security-risk vs. efficiency’ trade-off: higher performance than cryptosystems based on unstructured lattices (the $\mathsf{LWE}$ problem) and lower risk than cryptosystems based on structured lattices (the Polynomial/Ring $\mathsf{LWE}$ problem), because the hardness of $\mathsf{MP\text{-}LWE}$ rests on a whole family of polynomial rings rather than on one fixed ring. However, although promising in theory, Rosca et al. (2017) left the practical implications of $\mathsf{MP\text{-}LWE}$ for lattice-based cryptography unclear. In this paper, we show how to build practical public-key cryptosystems with strong security guarantees based on $\mathsf{MP\text{-}LWE}$. On the implementation side, we present optimised fast algorithms for computing the middle-product operation over the polynomial ring $\mathbb{Z}_q[x]$, the dominant computation in $\mathsf{MP\text{-}LWE}$-based cryptosystems. On the security side, we show how to obtain a nearly tight security proof for $\mathsf{MP\text{-}LWE}$ from the hardest Polynomial $\mathsf{LWE}$ problem over a large family of rings, improving on the loose reduction of Rosca et al. (2017). We also present and analyse an optimised cryptanalysis of $\mathsf{MP\text{-}LWE}$ that narrows the complexity gap between the best known attacks on $\mathsf{MP\text{-}LWE}$ and on Polynomial $\mathsf{LWE}$.
To evaluate the practicality of $\mathsf{MP\text{-}LWE}$, we apply our results to construct, implement and optimise parameters for a practical $\mathsf{MP\text{-}LWE}$-based public-key cryptosystem, $\mathsf{Titanium}$, and compare its benchmarks to those of other lattice-based systems. Our results show that $\mathsf{MP\text{-}LWE}$ offers a new ‘security-risk vs. efficiency’ trade-off in lattice-based cryptography in practice, not only asymptotically in theory.
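The middle product that the abstract identifies as the dominant computation, as an added worked example (editor's code, not code from the paper or from Titanium). It follows the definition of Rosca et al. (2017): for $a$ with fewer than $d_a$ coefficients and $b$ with fewer than $d_b$ coefficients, where $d_a + d_b - 1 = d + 2k$, $\mathrm{MP}_{d,k}(a,b) = \lfloor (a \cdot b \bmod x^{k+d}) / x^k \rfloor$, i.e. coefficients $k, \dots, k+d-1$ of the full product. The block computes it two ways, from the full product and from one cyclic convolution of length $d+k$ (the wrapped-around high coefficients land below the window, which is the standard observation behind NTT-based middle products; this is not a claim about the paper's own optimised algorithm), and then builds an $\mathsf{MP\text{-}LWE}_{q,n,d}$ sample $b = \mathrm{MP}_{d,n-1}(a,s) + e$. The error distribution (uniform in $[-1,1]$), the toy modulus $q=257$ and the parameters $n=8$, $d=5$ are assumptions for illustration only.

```python
import random


def poly_mul(a, b, q):
    """Schoolbook product in Z_q[x]; lists hold coefficients, index i <-> x^i."""
    c = [0] * (len(a) + len(b) - 1)
    for i, ai in enumerate(a):
        for j, bj in enumerate(b):
            c[i + j] = (c[i + j] + ai * bj) % q
    return c


def check_lengths(a, b, d, k):
    # MP_{d,k} is only defined when deg(a) + deg(b) + 1 == d + 2k
    if len(a) + len(b) - 1 != d + 2 * k:
        raise ValueError("middle product needs len(a) + len(b) - 1 == d + 2k")


def middle_product(a, b, d, k, q):
    """MP_{d,k}(a, b) = floor((a*b mod x^(k+d)) / x^k): coefficients k .. k+d-1
    of the full product, computed the obvious way from the full product."""
    check_lengths(a, b, d, k)
    return poly_mul(a, b, q)[k:k + d]


def middle_product_cyclic(a, b, d, k, q):
    """Same value from one cyclic convolution of length N = d + k (mod x^N - 1).
    Full-product indices >= N wrap onto 0 .. k-2, below the window [k, k+d),
    so the window is unchanged; with an NTT-friendly q this is one length-N
    NTT multiplication instead of a length d+2k-1 one."""
    check_lengths(a, b, d, k)
    n_cyc = d + k
    c = [0] * n_cyc
    for i, ai in enumerate(a):
        for j, bj in enumerate(b):
            idx = (i + j) % n_cyc
            c[idx] = (c[idx] + ai * bj) % q
    return c[k:k + d]


def centered(x, q):
    """Representative of x mod q in (-q/2, q/2]."""
    x %= q
    return x - q if x > q // 2 else x


def mp_lwe_sample(s, n, d, q, rng, bound=1):
    """One MP-LWE_{q,n,d} sample (a, b): a uniform in Z_q^{<n}[x],
    s in Z_q^{<n+d-1}[x], b = MP_{d,n-1}(a, s) + e mod q.
    Error e uniform in [-bound, bound] is an assumption for illustration;
    the real error distribution is a scheme parameter."""
    if len(s) != n + d - 1:
        raise ValueError("secret must have n + d - 1 coefficients")
    a = [rng.randrange(q) for _ in range(n)]
    e = [rng.randint(-bound, bound) for _ in range(d)]
    m = middle_product(a, s, d, n - 1, q)
    b = [(mi + ei) % q for mi, ei in zip(m, e)]
    return a, b, e


def recover_error(a, b, s, n, d, q):
    """With the secret in hand, strip the middle product and centre what is left."""
    m = middle_product(a, s, d, n - 1, q)
    return [centered(bi - mi, q) for bi, mi in zip(b, m)]


def sample_roundtrips(seed, q=257, n=8, d=5):
    """Seeded secret and sample (constructed data); True iff the error comes back."""
    rng = random.Random(seed)
    s = [rng.randrange(q) for _ in range(n + d - 1)]
    a, b, e = mp_lwe_sample(s, n, d, q, rng)
    return recover_error(a, b, s, n, d, q) == e


def cyclic_matches_naive(seed, q=257, len_a=13, len_b=8, d=6):
    """Random instance (constructed data): the two middle-product routines agree."""
    k = (len_a + len_b - 1 - d) // 2
    rng = random.Random(seed)
    a = [rng.randrange(q) for _ in range(len_a)]
    b = [rng.randrange(q) for _ in range(len_b)]
    return middle_product(a, b, d, k, q) == middle_product_cyclic(a, b, d, k, q)


if __name__ == "__main__":
    # a = 1 + 2x + 3x^2, b = 1 + x over Z_7: a*b = 1 + 3x + 5x^2 + 3x^3, MP_{2,1} = [3, 5]
    print(middle_product([1, 2, 3], [1, 1], 2, 1, 7))
    print(cyclic_matches_naive(1), sample_roundtrips(1))
```

The length check matters in practice: the middle product is only defined when the two operand lengths and $(d,k)$ satisfy $d_a + d_b - 1 = d + 2k$, and silently slicing a product of the wrong length would return a window of the wrong coefficients rather than an error.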

[1] Kristin E. Lauter et al., Provably Weak Instances of Ring-LWE, 2015, CRYPTO.

[2] David Harvey et al., Faster arithmetic for number-theoretic transforms, 2012, J. Symb. Comput.

[3] Ron Steinfeld et al., Efficient Public Key Encryption Based on Ideal Lattices, 2009, ASIACRYPT.

[4] Chris Peikert et al., On Ideal Lattices and Learning with Errors over Rings, 2010, EUROCRYPT.

[5] Rafail Ostrovsky et al., Fuzzy Extractors: How to Generate Strong Keys from Biometrics and Other Noisy Data, 2004, SIAM J. Comput.

[6] Vadim Lyubashevsky et al., Digital Signatures Based on the Hardness of Ideal Lattice Problems in All Rings, 2016, ASIACRYPT.

[7] Damien Stehlé et al., Worst-case to average-case reductions for module lattices, 2014, Designs, Codes and Cryptography.

[8] Chris Peikert et al., How (Not) to Instantiate Ring-LWE, 2016, SCN.

[9] Kristin E. Lauter et al., Weak Instances of PLWE, 2014, Selected Areas in Cryptography.

[10] Damien Stehlé et al., CRYSTALS-Kyber: A CCA-Secure Module-Lattice-Based KEM, 2017, 2018 IEEE European Symposium on Security and Privacy (EuroS&P).

[11] Martin R. Albrecht et al., On the Efficacy of Solving LWE by Reduction to Unique-SVP, 2013, ICISC.

[12] Tatsuaki Okamoto et al., Secure Integration of Asymmetric and Symmetric Encryption Schemes, 1999, CRYPTO.

[13] Chris Peikert et al., Lattice Cryptography for the Internet, 2014, PQCrypto.

[14] C. Sidney Burrus et al., Efficient computation of the DFT with only a subset of input or output points, 1993, IEEE Trans. Signal Process.

[15] Wouter Castryck et al., Provably Weak Instances of Ring-LWE Revisited, 2016, EUROCRYPT.

[16] Gábor Lugosi et al., Concentration Inequalities: A Nonasymptotic Theory of Independence, 2013.

[17] Guillaume Hanrot et al., The Middle Product Algorithm I, 2004, Applicable Algebra in Engineering, Communication and Computing.

[18] Ron Steinfeld et al., Middle-Product Learning with Errors, 2017, CRYPTO.

[19] Daniele Micciancio et al., Generalized Compact Knapsacks Are Collision Resistant, 2006, ICALP.

[20] Oded Regev et al., On lattices, learning with errors, random linear codes, and cryptography, 2009, J. ACM.

[21] Ravi Kannan et al., Minkowski's Convex Body Theorem and Integer Programming, 1987, Math. Oper. Res.

[22] Vinod Vaikuntanathan et al., Efficient Fully Homomorphic Encryption from (Standard) LWE, 2011, IEEE 52nd Annual Symposium on Foundations of Computer Science (FOCS).

[23] Gregor Seiler et al., Faster AVX2 optimized NTT multiplication for Ring-LWE lattice cryptography, 2018, IACR Cryptol. ePrint Arch.

[24] Ronald Cramer et al., Recovering Short Generators of Principal Ideals in Cyclotomic Rings, 2016, EUROCRYPT.

[25] Craig Costello et al., Frodo: Take off the Ring! Practical, Quantum-Secure Key Exchange from LWE, 2016, IACR Cryptol. ePrint Arch.

[26] Damien Stehlé et al., On the Ring-LWE and Polynomial-LWE problems, 2018, IACR Cryptol. ePrint Arch.

[27] Martin R. Albrecht et al., Large Modulus Ring-LWE ≥ Module-LWE, 2017, ASIACRYPT.

[28] Claus-Peter Schnorr et al., Lattice Reduction by Random Sampling and Birthday Methods, 2003, STACS.

[29] Michele Mosca et al., Finding shortest lattice vectors faster using quantum search, 2015, Designs, Codes and Cryptography.