
Hardness of k-LWE and Applications in Traitor Tracing

Abstract

We introduce the k-\(\mathrm {LWE}\) problem, a Learning With Errors variant of the k-SIS problem. The Boneh-Freeman reduction from SIS to k-SIS suffers from an exponential loss in k. We improve and extend it to an LWE to k-LWE reduction with a polynomial loss in k, by relying on a new technique involving trapdoors for random integer kernel lattices. Based on this hardness result, we present the first algebraic construction of a traitor tracing scheme whose security relies on the worst-case hardness of standard lattice problems. The proposed \(\mathrm {LWE}\) traitor tracing is almost as efficient as the \(\mathrm {LWE}\) encryption. Further, it achieves public traceability, i.e., it allows the authority to delegate the tracing capability to “untrusted” parties. To this aim, we introduce the notion of projective sampling family in which each sampling function is keyed and, with a projection of the key on a well chosen space, one can simulate the sampling function in a computationally indistinguishable way. The construction of a projective sampling family from k-\(\mathrm {LWE}\) allows us to achieve public traceability, by publishing the projected keys of the users. We believe that the new lattice tools and the projective sampling family are general enough that they may have applications in other areas.
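As an added illustration, not code from the paper, the following Python toy shows the algebraic relation between LWE samples and short vectors of the kernel lattice of A that the k-SIS/k-LWE setting above is built around: for b = A^T s + e and a short x with A x = 0 mod q, the inner product ⟨x, b⟩ ≡ ⟨x, e⟩ mod q is small, while for a uniform b it is uniform, so the holder of such a kernel vector can tell the two apart. The parameters, the planted-kernel-vector construction and the error bound are assumptions chosen for the demonstration (not the paper's trapdoor technique) and are far too small for any security.

```python
import random

# Toy parameters, constructed for this illustration; far too small for security.
N, M, Q = 8, 24, 8191   # A is n x m over Z_q, q prime
SIGMA = 3               # every error coordinate satisfies |e_j| <= SIGMA

def plant_kernel_vector(rng):
    """Return (A, x): A is uniform in Z_q^{n x m} except its last column, which
    is solved for so that the short x in {-1,0,1}^m with x_m = 1 satisfies
    A x = 0 mod q. This plants one short kernel-lattice vector (an assumption
    of this toy, not the paper's trapdoor technique)."""
    x = [rng.choice([-1, 0, 1]) for _ in range(M - 1)] + [1]
    A = [[rng.randrange(Q) for _ in range(M - 1)] for _ in range(N)]
    for row in A:
        row.append(-sum(xj * aj for xj, aj in zip(x, row)) % Q)
    return A, x

def in_kernel(A, x):
    return all(sum(a * v for a, v in zip(row, x)) % Q == 0 for row in A)

def lwe_sample(A, rng):
    """b = A^T s + e mod q with a uniform secret s and a small error e."""
    s = [rng.randrange(Q) for _ in range(N)]
    e = [rng.randint(-SIGMA, SIGMA) for _ in range(M)]
    return [(sum(A[i][j] * s[i] for i in range(N)) + e[j]) % Q for j in range(M)]

def kernel_test(x, b):
    """<x, b> mod q, centred in (-q/2, q/2]. For an LWE sample this is <x, e>,
    since x^T A^T s = (A x)^T s = 0 mod q; for uniform b it is uniform mod q."""
    v = sum(xj * bj for xj, bj in zip(x, b)) % Q
    return v - Q if v > Q // 2 else v

def looks_like_lwe(x, b):
    # |<x, e>| <= ||x||_1 * SIGMA <= M * SIGMA = 72, far below q/2 = 4095
    return abs(kernel_test(x, b)) <= M * SIGMA

def distinguish_counts(seed, trials):
    """Times the holder of x labels LWE samples, then uniform vectors, as LWE.
    LWE samples are always caught; a uniform b passes with probability
    (2*M*SIGMA + 1) / Q, about 1.8% here."""
    rng = random.Random(seed)
    A, x = plant_kernel_vector(rng)
    assert in_kernel(A, x)
    lwe_hits = sum(looks_like_lwe(x, lwe_sample(A, rng)) for _ in range(trials))
    uni_hits = sum(looks_like_lwe(x, [rng.randrange(Q) for _ in range(M)])
                   for _ in range(trials))
    return lwe_hits, uni_hits
```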


Notes

1. We recall that | and \( \Vert \) respectively denote the horizontal and vertical concatenations of matrices.

2. As usual, the encryption algorithm may be used to encapsulate session keys which are then fed into an efficient data encapsulation mechanism to encrypt the data.

3. Note that in our context, minimal access is equivalent to standard access: since the plaintext domain is small, plaintext messages can be tested exhaustively.

4. Another trivial situation occurs when \(\pi (k)=k\): the projected key leaks the full information about the original key and one cannot safely publish the projected key.


Acknowledgements

We thank M. Abdalla, D. Augot, R. Bhattacharrya, L. Ducas, V. Guleria, G. Hanrot, F. Laguillaumie, K. T. T. Nguyen, G. Quintin, O. Regev, H. Wang for helpful discussions. The authors were partly supported by the LaBaCry MERLION Grant, the Australian Research Council Discovery Grants DP110100628 and DP150100285, the ANR-09-VERSO-016 BEST and ANR-12-JS02-0004 ROMAnTIC Projects, the INRIA invited researcher scheme, the Singapore National Research Foundation Research Grant NRF-CRP2-2007-03, the Singapore MOE Tier 2 research Grant MOE2013-T2-1-041, the LIA Formath Vietnam and the ERC Starting Grant ERC-2013-StG-335086-LATTAC.

Author information

Correspondence to Ron Steinfeld.


About this article


Cite this article

Ling, S., Phan, D.H., Stehlé, D. et al. Hardness of k-LWE and Applications in Traitor Tracing. Algorithmica 79, 1318–1352 (2017). https://doi.org/10.1007/s00453-016-0251-7


Keywords

  • Lattice-based cryptography
  • Traitor tracing
  • LWE