Lizard: Cut Off the Tail! A Practical Post-quantum Public-Key Encryption from LWE and LWR

Abstract

The LWE problem has been widely used in many constructions for post-quantum cryptography due to its reduction from the worst-case of lattice hard problems and the lightweight operations for generating its instances. The PKE schemes based on the LWE problem have a simple and fast decryption, but the encryption phase requires large parameter size for the leftover hash lemma or Gaussian samplings.

In this paper, we propose a novel PKE scheme, called Lizard, without relying on either of them. The encryption procedure of Lizard first combines several LWE samples as in the previous LWE-based PKEs, but the following step to re-randomize this combination before adding a plaintext is different: it removes several least significant bits of each component of the computed vector rather than adding an auxiliary error vector. To the best of our knowledge, Lizard is the first IND-CPA secure PKE under the hardness assumptions of the LWE and LWR problems, and its variant, namely CCALizard, achieves IND-CCA security in the (quantum) random oracle model.

Our approach accelerates the encryption speed to a large extent and also reduces the size of ciphertexts. We present an optimized C implementation of our schemes, which shows outstanding performances with concrete security: On an Intel single core processor, an encryption and decryption for CCALizard with 256-bit plaintext space under 128-bit quantum security take only 32,272 and 47,125 cycles, respectively. To achieve these results, we further take some advantages of sparse small secrets. Lizard is submitted to NIST’s post-quantum cryptography standardization process.

This work was supported by Institute for Information & communications Technology Promotion (IITP) grant funded by the Korea government (MSIT) (No. 2017-0-00616, Development of lattice-based post-quantum public-key cryptographic schemes) and Samsung Research Funding Center of Samsung Electronics under Project Number SRFC-TB1403-52, and Duhyeong Kim has been supported by NRF (National Research Foundation of Korea) Grant funded by Korean Government (NRF-2016H1A2A1906584-Global Ph.D. Fellowship Program).

A IND-CCA Variant of Lizard

In this section, we present CCA-secure encryption scheme, say CCALizard, achieved by applying a variant of Fujisaki-Okamoto (FO) transformation [19, 20, 23, 33] to our Lizard encryption scheme. More precisely, we first convert Lizard into IND-CCA Key Encapsulation Mechanism (KEM) applying the transformation in [23], and then combine it with a (one-time) CCA-secure symmetric encryption scheme.

\(\mathsf {G}:{\mathbb {Z}}_t^{\ell }\rightarrow B_{m,h_r}\), \(\mathsf {H}:{\mathbb {Z}}_t^{\ell }\rightarrow \{0,1\}^d \), \(\mathsf {H'}:{\mathbb {Z}}_t^{\ell }\rightarrow {\mathbb {Z}}_t^{\ell }\) are the hash functions, where \(\{0,1\}^d\) is the plaintext space for CCALizard. Here, \(\mathsf {Lizard.Enc}_\mathsf {pk}(\delta ; \mathbf {v})\) denotes the encryption of \(\delta \) with the random vector \(\mathbf {v}\), i.e., the output of \(\mathsf {Lizard.Enc}_\mathsf {pk}(\delta ; \mathbf {v})\) is (\(\left\lfloor {(p/q)\cdot A^T\mathbf {v}}\right\rceil \), \(\left\lfloor {(p/t)\cdot \mathbf {\delta }+(p/q)\cdot B^T\mathbf {v}}\right\rceil \)).

CCALizard consists of three algorithms (\(\mathsf {CCALizard.KeyGen}\), \(\mathsf {CCALizard.Enc}\), \(\mathsf {CCALizard.Dec}\)). \(\mathsf {CCALizard.KeyGen}\) is the same as \(\mathsf {Lizard.KeyGen}\), and \(\mathsf {CCALizard.Enc}\) and \(\mathsf {CCALizard.Dec}\) are as follows:

• \(\mathsf {CCALizard.Enc}_\mathsf {pk}(\mathbf {m} \in \{0,1\}^{d})\):

  • Choose \(\delta \leftarrow {\mathbb {Z}}_t^{\ell }\).

  • Compute a tuple of vectors \(\mathbf {c}_1 := \mathsf {H}(\delta )\oplus \mathbf {m}\), \(\mathbf {c}_2 :=\mathsf {Lizard.Enc}_\mathsf {pk}(\delta ; \mathsf {G}(\delta ))\), \(\mathbf {c}_3 := \mathsf {H}'(\delta )\).

  • Output the ciphertext \(\mathbf {c} = (\mathbf {c}_1,\mathbf {c}_2,\mathbf {c}_3)\in \{0,1\}^{d}\times \mathbb {Z}_p^{n+\ell }\times {\mathbb {Z}}_t^{\ell }\).

• \(\mathsf {CCALizard.Dec}_\mathsf {sk}(\mathbf {c})\):

  • Parse \(\mathbf {c}\) into \(\mathbf {c} = (\mathbf {c}_1,\mathbf {c}_2,\mathbf {c}_3)\in \{0,1\}^{d}\times \mathbb {Z}_p^{n+\ell }\times {\mathbb {Z}}_t^{\ell }\).

  • Compute \(\delta ' \leftarrow \mathsf {Lizard.Dec}_\mathsf {sk}(\mathbf {c}_2)\) and \(\mathbf {v}'\leftarrow \mathsf {G}(\delta ')\).

  • If \((\mathbf {c}_2, \mathbf {c}_3) = (\mathsf {Lizard.Enc}_\mathsf {pk}(\delta '; \mathbf {v}'), \mathsf {H}'(\delta '))\), then compute and output \(\mathbf {m}'\leftarrow \mathsf {H}(\delta ')\oplus \mathbf {c}_1\).

  • Otherwise, output \(\perp \).

Correctness. If Lizard is correct with the probability \(1-\epsilon \), then CCALizard is correct except with the probability \(1-\epsilon \) in the (quantum) random oracle model [23].

Security. CCALizard achieves tight IND-CCA security in the random oracle model, and non-tight IND-CCA security in the quantum random oracle model. For IND-CCA security in ROM, the hash function \(H'\) and the hash value \(\mathbf {d}\) is not necessary.

Theorem 3

([23], Theorems 3.2 and 3.3). For any IND-CCA adversary \(\mathcal {B}\) on CCALizard issuing at most \(q_D\) queries to the decryption oracle, \(q_G\) queries to the random oracle \(\mathsf {G}\), and \(q_H\) queries to the random oracle \(\mathsf {H}\), there exists an IND-CPA adversary \(\mathcal {A}\) on Lizard such that

$$\begin{aligned}&{{\textsf {\textit{Adv}}}}_{\mathsf {CCALizard}}^{{{\textsf {\textit{CCA}}}}}(\mathcal {B})\le q_G\cdot \epsilon +\frac{q_H}{2^{\omega (\log \lambda )}} +\frac{2q_G + 1}{t^\ell } + 3 \cdot {{\textsf {\textit{Adv}}}}_{{{\textsf {\textit{Lizard}}}}}^{{{\textsf {\textit{CPA}}}}}(\mathcal {A}) \end{aligned}$$

where \(\lambda \) is a security parameter and \(\epsilon \) is a decryption failure probability of Lizard and CCALizard.

Theorem 4

([23], Theorems 4.4 and 4.5). For any IND-CCA quantum adversary \(\mathcal {B}\) on CCALizard issuing at most \(q_D\) (classical) queries to the decryption oracle, \(q_G\) queries to the quantum random oracle \(\mathsf {G}\), \(q_H\) queries to the quantum random oracle \(\mathsf {H}\), and \(q_{H'}\) queries to the quantum random oracle \(\mathsf {H}'\), there exists an IND-CPA quantum adversary \(\mathcal {A}\) on Lizard such that

$$\begin{aligned}&{{\textsf {\textit{Adv}}}}_{\mathsf {CCALizard}}^{{{\textsf {\textit{CCA}}}}}(\mathcal {B})\le \small {(q_H + 2q_{H'})\sqrt{8\epsilon (q_G+1)^2 + (1 + 2q_G)\sqrt{{{\textsf {\textit{Adv}}}}_{{{\textsf {\textit{Lizard}}}}}^{{{\textsf {\textit{CPA}}}}}(\mathcal {A})}}} \end{aligned}$$

where \(\epsilon \) is a decryption failure probability of Lizard and CCALizard.

Parameters for CCALizard. We use the recommended parameters in Table 2 for CCALizard and set \(t=2\), \(\ell = d = 256\).