Chosen-Ciphertext Security from Subset Sum (PKC 2016, 07.03.2016)

SLIDE 1

Chosen-Ciphertext Security from Subset Sum

PKC 2016, 07.03.2016

Sebastian Faust (1), Daniel Masny (1), Daniele Venturi (2)

(1) Ruhr Universität Bochum, (2) Sapienza University of Rome

SLIDE 2

Outline

1. Our Contribution
2. Subset Sum
3. CCA secure PKE
4. Tag-Based Encryption

SLIDES 3–7

Our Contribution

State of the Art

▶ CPA-secure Public Key Encryption (PKE) from Subset Sum [LPS10].
▶ Its security degrades with the message length.
▶ Workaround: split the message into short blocks and encrypt each block separately (this workaround is not available for CCA security).

Our Results

▶ We construct a CCA-secure PKE from Subset Sum (using the lattice trapdoor techniques of [MP12]).
▶ The security of our PKE does not degrade with the message length.


SLIDES 9–13

Subset Sum

Subset Sum $(n, \mu)$: find the secret $s \in \{0,1\}^n$, given
$$(A := (a_1, \ldots, a_n),\; t := s_1 a_1 + \cdots + s_n a_n) \in \mathbb{Z}_\mu^n \times \mathbb{Z}_\mu .$$

Hardness of Subset Sum

The hardness depends on the density $\delta := \frac{n}{\log \mu}$. The axis on the slide marks the regimes $\delta = \Theta(\frac{1}{n})$, $\Theta(\frac{1}{\log n})$, $\Theta(1)$ and $\Theta(\frac{n}{\log^2 n})$; the two extremes are the easy regimes and the hard instances lie in between.

▶ We focus on $\delta = \Theta(\frac{1}{\log n})$.

Decisional Subset Sum [IN96]: $(A, t)$ is hard to distinguish from uniform over $\mathbb{Z}_\mu^n \times \mathbb{Z}_\mu$.

SLIDES 14–19

"LWE" form of Subset Sum [LPS10]

Goal: map $(A, t) \in \mathbb{Z}_\mu^n \times \mathbb{Z}_\mu$ to $\mathbb{Z}_q^{m \times n} \times \mathbb{Z}_q^m$.

Let $\mu = q^m$. Then every $a \in \mathbb{Z}_\mu$ can be represented by its base-$q$ digits as a vector in $\mathbb{Z}_q^m$:
$$a = a^{m} \cdot q^{m-1} + \cdots + a^{1} \cdot q^{0} = (a^{m}, \ldots, a^{1})^T \in \mathbb{Z}_q^m .$$

Therefore
$$A = (a_1, \ldots, a_n) = \begin{pmatrix} a_1^{m} & \cdots & a_n^{m} \\ \vdots & \ddots & \vdots \\ a_1^{1} & \cdots & a_n^{1} \end{pmatrix} \in \mathbb{Z}_q^{m \times n},$$
i.e. column $i$ holds the digits of $a_i$, most significant digit on top.

SLIDES 20–25

"LWE" form of Subset Sum [LPS10]

The target $t = s_1 a_1 + \cdots + s_n a_n \in \mathbb{Z}_{q^m}$ is not the digit-wise sum of the columns over $\mathbb{Z}_q$, because adding the $a_i$ in $\mathbb{Z}_{q^m}$ produces carries between digits. Written in $\mathbb{Z}_q^m$:
$$t = s_1 \begin{pmatrix} a_1^{m} \\ \vdots \\ a_1^{2} \\ a_1^{1} \end{pmatrix} + \cdots + s_n \begin{pmatrix} a_n^{m} \\ \vdots \\ a_n^{2} \\ a_n^{1} \end{pmatrix} + \begin{pmatrix} e_m(A, s) \\ \vdots \\ e_2(A, s) \\ e_1(A, s) \end{pmatrix} \in \mathbb{Z}_q^m ,$$
where $e(A, s)$ is the vector of carries: $e_j(A, s)$ is the carry entering digit $j$ (so $e_1(A, s) = 0$, and the carry out of the top digit is lost to the reduction modulo $q^m$).

From now on, $(A,\; t = As + e(A, s)) \in \mathbb{Z}_q^{m \times n} \times \mathbb{Z}_q^m$ ($m$ samples).

SLIDES 26–33

Many Samples from Subset Sum

$\mu = q^m \Rightarrow m$ samples $\Rightarrow \delta = \frac{n}{\log \mu} = \frac{n}{m \cdot \log q}$ (easy for e.g. $m = n^2$, where the density drops far below the hard regime).

From $m$ to $\ell$ samples:

▶ given $(A, t) \in \mathbb{Z}_q^{m \times n} \times \mathbb{Z}_q^m$
▶ sample $R \leftarrow D^{\ell \times m}$, where $D$ is a distribution over $\mathbb{Z}_q$ with sufficient min-entropy
▶ output $(RA,\; Rt = RAs + Re(A, s)) \in \mathbb{Z}_q^{\ell \times n} \times \mathbb{Z}_q^\ell$
▶ Leftover hash lemma [HILL99]: if $(A, t)$ is uniform, then $(A, t, RA, Rt)$ is uniform.
▶ Caveat: $(RA, Rt)$ is not Subset Sum distributed, since in general $Re(A, s) \neq e(RA, s)$; the new samples carry the amplified error $Re(A, s)$ rather than the carries of $RA$.
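A worked example of the LWE form and of the $m \to \ell$ amplification above (added here; not code from the slides or the authors). It builds a Subset Sum instance with $\mu = q^m$, writes it as $(A, t) \in \mathbb{Z}_q^{m \times n} \times \mathbb{Z}_q^m$, recovers the carry vector $e(A, s)$ by simulating the addition digit by digit, checks $t = As + e(A, s) \bmod q$ with $0 \le e_j \le n$, and then amplifies with $R \leftarrow \{0,1\}^{\ell \times m}$, reporting both the linear relation $Rt = RAs + Re(A, s)$ (always true) and whether $Re(A, s)$ happens to coincide with $e(RA, s)$ (in general it does not). The choice of $D$ as uniform bits, the least-significant-digit-first ordering and all parameters are this example's own assumptions.

```python
import random


def to_digits(x, q, m):
    """Base-q digits of x in Z_{q^m}, least significant first: x = sum_j d[j] * q^j."""
    d = []
    for _ in range(m):
        d.append(x % q)
        x //= q
    return d


def lwe_form(a, q, m):
    """(a_1, ..., a_n) in Z_{q^m}^n -> A in Z_q^{m x n}: column i holds the digits of a_i."""
    cols = [to_digits(ai, q, m) for ai in a]
    return [[col[j] for col in cols] for j in range(m)]


def matvec(X, v, q):
    return [sum(x * y for x, y in zip(row, v)) % q for row in X]


def matmul(X, Y, q):
    return [[sum(X[k][j] * Y[j][i] for j in range(len(Y))) % q
             for i in range(len(Y[0]))] for k in range(len(X))]


def carries(A, s, q):
    """e(A, s): the carry entering each digit when sum_i s_i a_i is added up in Z_{q^m}.
    Digit 0 receives no carry, every carry is at most n = len(s), and the carry out of
    the top digit is discarded by the reduction mod q^m."""
    e, carry = [], 0
    for row in A:
        e.append(carry)
        carry = (sum(x * y for x, y in zip(row, s)) + carry) // q
    return e


def subset_sum_instance(n, q, m, rng):
    """Subset Sum (n, mu) with mu = q^m: random a, secret s, target t = sum_i s_i a_i mod mu."""
    mu = q ** m
    a = [rng.randrange(mu) for _ in range(n)]
    s = [rng.randrange(2) for _ in range(n)]
    return a, s, sum(si * ai for si, ai in zip(s, a)) % mu


def check_lwe_form(n, q, m, seed=0):
    """True iff the digits of t equal A s + e(A, s) mod q and the carries lie in [0, n]."""
    rng = random.Random(seed)
    a, s, t = subset_sum_instance(n, q, m, rng)
    A = lwe_form(a, q, m)
    e = carries(A, s, q)
    rhs = [(x + y) % q for x, y in zip(matvec(A, s, q), e)]
    return to_digits(t, q, m) == rhs and e[0] == 0 and all(0 <= ej <= n for ej in e)


def amplify(n, q, m, ell, seed=0):
    """m -> ell samples with R <- {0,1}^{ell x m} (constructed choice of D).
    Returns (linear_ok, still_subset_sum):
      linear_ok        : Rt == RA s + R e(A, s) mod q, which always holds;
      still_subset_sum : R e(A, s) == e(RA, s), i.e. whether (RA, Rt) happens to be a
                         genuine Subset Sum instance for the matrix RA (in general it is not)."""
    rng = random.Random(seed)
    a, s, t = subset_sum_instance(n, q, m, rng)
    A = lwe_form(a, q, m)
    t_vec = to_digits(t, q, m)
    R = [[rng.randrange(2) for _ in range(m)] for _ in range(ell)]
    RA, Rt = matmul(R, A, q), matvec(R, t_vec, q)
    Re = matvec(R, carries(A, s, q), q)
    linear_ok = Rt == [(x + y) % q for x, y in zip(matvec(RA, s, q), Re)]
    return linear_ok, Re == carries(RA, s, q)
```

The density of the generated instance is $\delta = n / (m \log q)$, so `check_lwe_form(16, 64, 6)` has $\delta = 16/36$ while `check_lwe_form(32, 1024, 10)` has $\delta = 32/100$; both are toy sizes chosen only to exercise the digit arithmetic.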


SLIDES 35–44

CCA secure PKE

Given a One-Time Signature (OTS), [CHK04]: TBE + OTS → CCA-secure PKE.

Tag-Based Encryption (TBE): TBE = (Gen, Enc, Dec).

Correctness: for $(sk, pk) \leftarrow \mathrm{Gen}(1^n)$: $\mathrm{Dec}(sk, \tau, \mathrm{Enc}(pk, \tau, M)) = M$.

Security (selective-tag, chosen-ciphertext): for all ppt adversaries, $\Pr[b' = b] \le 1/2 + \mathrm{negl}(n)$ in the following game, in which the adversary commits to the target tag before seeing the public key:

1. Adversary → Challenger: target tag $\tau^*$.
2. Challenger: $(sk, pk) \leftarrow \mathrm{Gen}(1^n)$; sends $pk$.
3. Decryption queries $(\tau \neq \tau^*, c)$, answered with $M = \mathrm{Dec}(sk, \tau, c)$ (repeated).
4. Adversary → Challenger: $M_0, M_1$.
5. Challenger: $b \leftarrow \{0,1\}$, $c^* \leftarrow \mathrm{Enc}(pk, \tau^*, M_b)$; sends $c^*$.
6. Further decryption queries $(\tau \neq \tau^*, c)$, answered as in step 3.
7. Adversary outputs a guess $b'$.


SLIDES 46–48

Tag-Based Encryption, Gen

Let $2 \mid q$ (so that $q/2$ is an integer). Let $H_\tau \in \mathbb{Z}_2^{n \times n}$ represent the tag $\tau$, encoded as in [ABB10] so that for $\tau \neq \tau'$ the difference $H_\tau - H_{\tau'}$ is invertible.

For messages $M \in \{0,1\}^\ell$:

$\mathrm{Gen}(1^n)$: $A \leftarrow \mathbb{Z}_q^{m \times n}$, $C \leftarrow \mathbb{Z}_q^{\ell \times n}$, $R \leftarrow D^{n \times m}$. Output $sk = R$, $pk = (A,\; B := RA,\; C)$ with $B \in \mathbb{Z}_q^{n \times n}$.

SLIDES 49–53

Tag-Based Encryption, Enc

For $M \in \{0,1\}^\ell$, with $sk = R$, $pk = (A, B := RA, C)$ from $\mathrm{Gen}(1^n)$:

$\mathrm{Enc}(pk, H_\tau, M)$: sample $R' \leftarrow D^{n \times m}$, $R'' \leftarrow D^{\ell \times m}$, $s \leftarrow \{0,1\}^n$ and output
$$c_0 := As + e(A, s);\qquad c_1 := (B + q/2 \cdot H_\tau)\, s + R' e(A, s);\qquad c_2 := Cs + R'' e(A, s) + q/2 \cdot M .$$

▶ $(A, c_0)$ is a Subset Sum instance for secret $s$: $c_0$ is exactly the digit vector of $t = \sum_i s_i a_i \in \mathbb{Z}_{q^m}$.
▶ $s$ can be recovered from $(c_0, c_1)$ by the holder of $R$.
▶ $c_2$ encrypts $M$ under the secret $s$.

SLIDES 54–63

Tag-Based Encryption, Dec

For $M \in \{0,1\}^\ell$: $\mathrm{Gen}(1^n)$: $sk = R$, $pk = (A, B := RA, C)$. $\mathrm{Enc}(pk, H_\tau, M)$: $c_0 := As + e(A, s)$, $c_1 := (B + q/2 \cdot H_\tau)\, s + R' e(A, s)$, $c_2 := Cs + R'' e(A, s) + q/2 \cdot M$.

$\mathrm{Dec}(sk, H_\tau, c_0, c_1, c_2)$: compute $s = H_\tau^{-1} \lfloor c_1 - R c_0 \rceil_2$ and output $M = \lfloor c_2 - Cs \rceil_2$, where $\lfloor \cdot \rceil_2 : \mathbb{Z}_q \to \{0,1\}$ is applied coordinate-wise and maps a value to $1$ if it is closer to $q/2$ than to $0$, and to $0$ otherwise.

Correctness: since $RAs = Bs$,
$$H_\tau^{-1} \lfloor c_1 - R c_0 \rceil_2 = H_\tau^{-1} \lfloor q/2 \cdot H_\tau s + (R' - R)\, e(A, s) \rceil_2 = H_\tau^{-1} H_\tau s = s,$$
$$\lfloor c_2 - Cs \rceil_2 = \lfloor R'' e(A, s) + q/2 \cdot M \rceil_2 = M.$$
Both roundings are correct as long as every coordinate of $(R' - R)\, e(A, s)$ and of $R'' e(A, s)$ has absolute value below $q/4$. Each carry in $e(A, s)$ is at most $n$ and $D$ samples small entries, so this is a condition on $q$ relative to $n$ and $m$.
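An added worked example (not the authors' code) of Gen/Enc/Dec above and of the punctured key generation $B := RA - q/2 \cdot H_{\tau^*}$, $C := R_C A$ used in the proof sketch that follows. It uses toy parameters $n = m = 8$, $\ell = 16$, $q = 1024$ that are far too small to be secure ($q > 4mn$ is what keeps the roundings correct). Two things are this example's own choices because the slides do not fix them: $D$ is uniform on $\{0,1\}$, and $H_\tau$ is the binary "multiply by $\tau$" matrix of $\mathrm{GF}(2^8)$ with modulus $x^8 + x^4 + x^3 + x + 1$, so that $H_\tau - H_{\tau'} = H_{\tau \oplus \tau'}$ is invertible exactly when $\tau \neq \tau'$ (a full-rank-difference encoding in the sense of [ABB10]; tags must be nonzero for $H_\tau$ itself to be invertible, and $H_\tau^{-1} = H_{\tau^{-1}}$). Decrypting with the difference tag $H_\tau - H_{\tau^*}$, i.e. with $\tau \oplus \tau^*$, is exactly how the reduction answers queries for $\tau \neq \tau^*$.

```python
import random

# Toy parameters for this added example (far too small to be secure): secret s in {0,1}^N,
# mu = Q^M, messages of L bits, Q even; Q > 4*M*N keeps the rounding in dec() correct.
N, M, L, Q = 8, 8, 16, 1024
GF_POLY = 0x11B  # x^8+x^4+x^3+x+1, irreducible over GF(2); tags are nonzero elements of GF(2^8)

def gf_mul(x, y):
    """Multiplication in GF(2^8) = GF(2)[x]/(GF_POLY)."""
    r = 0
    while y:
        if y & 1:
            r ^= x
        y >>= 1
        x <<= 1
        if x & 0x100:
            x ^= GF_POLY
    return r

def gf_inv(x):
    """x^(2^8-2) = x^-1 for nonzero x, by square-and-multiply."""
    r, k = 1, 254
    while k:
        if k & 1:
            r = gf_mul(r, x)
        x, k = gf_mul(x, x), k >> 1
    return r

def H(tau):
    """Multiply-by-tau matrix over GF(2): H(a) xor H(b) = H(a ^ b), invertible iff a != b (this example's [ABB10]-style encoding)."""
    return [[(gf_mul(tau, 1 << i) >> j) & 1 for i in range(N)] for j in range(N)]

def matvec(X, v):
    return [sum(x * y for x, y in zip(row, v)) % Q for row in X]

def matmul(X, Y):
    return [[sum(X[k][j] * Y[j][i] for j in range(len(Y))) % Q
             for i in range(len(Y[0]))] for k in range(len(X))]

def bin_matrix(rows, cols, rng):
    """A sample from D^{rows x cols}, D uniform on {0,1}: small entries, enough min-entropy."""
    return [[rng.randrange(2) for _ in range(cols)] for _ in range(rows)]

def carries(A, s):
    """e(A, s): carry entering each base-Q digit when sum_i s_i a_i is added up in Z_{Q^M}
    (digit 0 least significant); t = A s + e(A, s) mod Q and every carry is at most N."""
    e, carry = [], 0
    for row in A:
        e.append(carry)
        carry = (sum(x * y for x, y in zip(row, s)) + carry) // Q
    return e

def round2(v):
    """Coordinate-wise rounding Z_Q -> {0,1}: 1 iff the value is closer to Q/2 than to 0."""
    return [1 if Q // 4 <= x < 3 * Q // 4 else 0 for x in v]

def gen(rng, tau_star=None):
    """sk = R, pk = (A, B, C): B = RA, C uniform; with tau_star (proof sketch) B = RA - Q/2 H(tau*), C = R_C A."""
    A = [[rng.randrange(Q) for _ in range(N)] for _ in range(M)]     # column i = base-Q digits of a_i
    R = bin_matrix(N, M, rng)
    B = matmul(R, A)
    if tau_star is None:
        C = [[rng.randrange(Q) for _ in range(N)] for _ in range(L)]
    else:                                                            # -Q/2 = Q/2 mod Q, so the shift is added
        B = [[(x + (Q // 2) * h) % Q for x, h in zip(row, hrow)] for row, hrow in zip(B, H(tau_star))]
        C = matmul(bin_matrix(L, M, rng), A)
    return R, (A, B, C)

def enc(pk, tau, msg, rng):
    A, B, C = pk
    s = [rng.randrange(2) for _ in range(N)]
    e = carries(A, s)
    R1, R2 = bin_matrix(N, M, rng), bin_matrix(L, M, rng)            # R', R''
    c0 = [(x + y) % Q for x, y in zip(matvec(A, s), e)]              # A s + e(A, s): a Subset Sum instance
    c1 = [(b + (Q // 2) * h + r) % Q
          for b, h, r in zip(matvec(B, s), matvec(H(tau), s), matvec(R1, e))]
    c2 = [(c + r + (Q // 2) * mb) % Q
          for c, r, mb in zip(matvec(C, s), matvec(R2, e), msg)]
    return c0, c1, c2

def dec(sk, pk, tau, ct):
    """tau is the tag the decryptor inverts: tau in the real scheme, tau ^ tau* (the matrix H(tau) - H(tau*)) under a punctured key."""
    R, C = sk, pk[2]
    c0, c1, c2 = ct
    u = round2([(x - y) % Q for x, y in zip(c1, matvec(R, c0))])    # = H(tau) s, since |(R'-R)e| < Q/4
    s_int = gf_mul(gf_inv(tau), sum(b << i for i, b in enumerate(u)))  # H(tau)^-1 u
    s = [(s_int >> i) & 1 for i in range(N)]
    return round2([(x - y) % Q for x, y in zip(c2, matvec(C, s))])

def check_scheme(seed=7, tau=0x53, tau_star=0x1F):
    """(real key decrypts correctly, punctured key decrypts a tag != tau* correctly)."""
    rng = random.Random(seed)
    msg = [rng.randrange(2) for _ in range(L)]
    sk, pk = gen(rng)
    ok_real = dec(sk, pk, tau, enc(pk, tau, msg, rng)) == msg
    sk2, pk2 = gen(rng, tau_star)
    ok_reduction = dec(sk2, pk2, tau ^ tau_star, enc(pk2, tau, msg, rng)) == msg
    return ok_real, ok_reduction
```

With the punctured key, a ciphertext under the target tag $\tau^*$ has its tag term cancelled ($q/2 \cdot (H_{\tau^*} + H_{\tau^*}) \equiv 0 \bmod q$), so `dec` has nothing to invert for it; that is the property the reduction relies on, and the reason the game forbids decryption queries with $\tau = \tau^*$.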

SLIDES 64–78

Proof Sketch

The reduction receives a (decisional) Subset Sum challenge $(A, t)$ in LWE form together with the adversary's target tag $\tau^*$ and simulates the game as follows.

Gen: $R \leftarrow D^{n \times m}$, $R_C \leftarrow D^{\ell \times m}$; $pk := (A,\; B := RA - q/2 \cdot H_{\tau^*},\; C := R_C A)$. This differs from the real $(A, B := RA, C)$, but since $A$ is uniform the leftover hash lemma makes both public keys look alike.

Dec (for $\tau \neq \tau^*$): a ciphertext under tag $\tau$ parses as $c_1 = (RA + q/2 \cdot (H_\tau - H_{\tau^*}))\, s + R' e(A, s)$, so the reduction answers $M = \mathrm{Dec}(R, H_\tau - H_{\tau^*}, c)$. This needs $H_\tau - H_{\tau^*}$ to be invertible, which [ABB10] guarantees for $\tau \neq \tau^*$; it is exactly why queries on every tag other than $\tau^*$ can be answered without a trapdoor for $A$.

Enc (challenge): $b \leftarrow \{0,1\}$. For $\tau^*$ the tag term cancels, so $c_1 = RAs + R' e(A, s)$; taking $R' = R$, the reduction sets $c^* := (t,\; Rt,\; R_C t + q/2 \cdot M_b)$. If $(A, t)$ is a Subset Sum instance with secret $s$, this has the form of a ciphertext of $M_b$ under $\tau^*$; if $(A, t)$ is uniform, $c^*$ is uniform and independent of $b$.

Message flow:

1. Adversary → Reduction: $\tau^*$. Reduction obtains $(A, t)$ from its challenger.
2. Reduction → Adversary: $pk$.
3. Adversary → Reduction: $(\tau \neq \tau^*, c)$; Reduction → Adversary: $M$ (repeated).
4. Adversary → Reduction: $M_0, M_1$; Reduction → Adversary: $c^*$.
5. Adversary → Reduction: $(\tau \neq \tau^*, c)$; Reduction → Adversary: $M$ (repeated).
6. Adversary → Reduction: $b'$. The reduction outputs "Subset Sum" iff $b' = b$.

SLIDE 79

Conclusion

Our Results

▶ "LWE" form of Subset Sum [LPS10] + LWE trapdoor techniques [MP12] ⇒ IND-CCA-secure PKE from Subset Sum.
▶ Unlike the CPA-secure PKE of [LPS10], the security of our scheme does not decrease with the message length $\ell$.

SLIDE 80

References

[ABB10] Shweta Agrawal, Dan Boneh, and Xavier Boyen. Efficient lattice (H)IBE in the standard model. In EUROCRYPT, pages 553–572, 2010.

[CHK04] Ran Canetti, Shai Halevi, and Jonathan Katz. Chosen-ciphertext security from identity-based encryption. In EUROCRYPT, pages 207–222, 2004.

[HILL99] Johan Håstad, Russell Impagliazzo, Leonid A. Levin, and Michael Luby. A pseudorandom generator from any one-way function. SIAM J. Comput., 28(4):1364–1396, 1999.

[IN96] Russell Impagliazzo and Moni Naor. Efficient cryptographic schemes provably as secure as subset sum. J. Cryptology, 9(4):199–216, 1996.

[LPS10] Vadim Lyubashevsky, Adriana Palacio, and Gil Segev. Public-key cryptographic primitives provably as secure as subset sum. In TCC, pages 382–400, 2010.

[MP12] Daniele Micciancio and Chris Peikert. Trapdoors for lattices: Simpler, tighter, faster, smaller. In EUROCRYPT, pages 700–718, 2012.