This section shows a cryptographic scheme that satisfies IND-CCA2 security. This scheme is constructed by applying Fujisaki–Okamoto conversion [20] to our cryptographic primitive (which satisfies IND-CPA security as described in Section 6).
9.1 Fujisaki–Okamoto conversion
Let Π := (K,E,D) be a public-key encryption scheme that satisfies IND-CPA security, whereKis the key-generation algorithm,Eis the encryption algorithm, andDis the decryption algorithm. Fujisaki–Okamoto conversion tells us that the public-key encryption scheme ¯Π := (¯K,E¯H,D¯H) satisfies IND-CCA2 security, such that
¯ EH
pk=Epk((x||s), H(x||s)), (71) where
– sis a random string chosen from an appropriate domain, – H is a hash function
H :{0,1}∗→ {0,1}κ0
– Epk(message, coins) indicates the encryption of the indicated message using the indicated coins as random bits.
More precisely, the basic scheme ¯Π := (¯K,E¯H,D¯H) can be described as follows.
– Let ¯K(1κ) :=K(1κ).
– E¯Hpk:{0,1}κ−κ0× {0,1}κ0→C is defined by
¯
EHpk(x, s) :=Epk((x||s), H(x||s)),
wherex∈ {0,1}κ−κ0, s∈ {0,1}κ0, andC is a cipher space whose elements
are valid ciphertexts. – D¯H
sk:C→ {0,1}κ−κ0∪ {⊥}is defined by ¯
DHsk(y) :=
{
[Dsk(y)]κ−κ0if the condition (72) holds
⊥(null) otherwise ,
where [Dsk(y)]κ−κ0 indicates the first (κ−κ
0) bits ofDsk(y). The condition for ciphertext verification is
y=Epk(Dsk(y), H(Dsk(y))). (72) Specifically, the following theorem holds.
Theorem 3. Suppose Π is γ-uniform and (t′,0,0, ϵ′)-secure in the sense of IND-CPA. Then, for anyqH andqD, the schemeΠ¯ is(t, qH, qD, ϵ)-secure in the
sense of IND-CCA2 in the random oracle model where t=t′−qH·(Tϵ(κ) +c·κ)
ϵ=ϵ′·(1−γ)−qD +q
H·2−(κ0−1).
(73)
In this, Tϵ(·) denotes the computational running time ofEpk(·) andc is a con- stant.
Definition 8. Let Π = (K,E,D) be a public-key encryption scheme. Let the parameters mlenandclendenote the length of a plaintext message and a coins tuple s, respectively. For a givenx∈ {0,1}mlen andy∈C, define
γ(x, y) =P r[s←R{0,1}clen:y=Epk(x, s)].
We say thatΠ isγ-uniform (for anyk∈N) if, for any x∈ {0,1}mlen and any
y∈C,γ(x, y)≤γ.
Now, we estimate the sizes of the parametersqD,qH, andγof our encryption scheme. First, we set the parameter qD to 264. We assume the parameter qH is 22k to consider an exhaustive search for a quantum computer with Grover’s algorithm. To calculate the parameter γ, we need to estimate the probability
γ(x, y) for any x ∈ {0,1}mlen and y ∈ C. Let x
0 be the fixed plaintext in {0,1}mlen and suppose the probability
P r{∀s1, s2∈ {0,1}clen|Epk(x0, s1) =Epk(x0, s2)}, s1̸=s2.} (74) If we write
Epk(x0, si) =m(t) +X(x, y)ri(x, y) +ℓ·ei(x, y) (i= 1,2), the condition (74) can be described as
ℓ−1·X(x, y)(r1(x, y)−r2(x, y)) =e2(x, y)−e1(x, y).
If e1(x, y) equals e2(x, y), then r1(x, y) = r2(x, y) since neither X(x, y) nor ℓ equals 0. So, we can assume e1(x, y) ̸= e2(x, y). By the definition of the en- cryption scheme, the coefficients ofe2(x, y)−e1(x, y) are inRq with coefficients restricted to the range {0,· · · , ℓ−1, q−ℓ+ 1,· · ·, q−1}. Further, the coeffi- cients ofℓ−1·X(x, y)(r1(x, y)−r2(x, y)) are inRq with coefficients in the range {0,· · ·, q−1}and the coinris in{0,1}κ0. Then, we can estimate the probability
(74) as
max({(2ℓ/q)#Γe·n,2−κ0}).
Since the probability does not depend on the fixedx0, we can estimate
γ≤max({(2ℓ/q)#Γe·n,2−κ0)}. (75)
By the condition (15), we can estimateqas follows.
q≥ℓ−1 +ℓ∑idX=0+dr(i+ 1)ni(ℓ−1)i+1
> ℓ∑dXi=dX+dr+dr(i+ 1)ni(ℓ−1)i+1 =ℓ(dX+dr+ 1)ndX+dr(ℓ−1)dX+dr+1
>2ℓ·n2(ℓ−1)3 ≥2ℓ·22(ℓ−1)3
The last inequality is satisfied sincedX anddrare each larger than or equal to 1. Then
If we setℓequals to 4, then 1/22n = 1/2κ<1/2κ0is satisfied since 2n=|ℓ|n=κ.
We concludeγ <1/2κ0 in the case ofℓ= 4.
Then,ϵcan be calculated as follows.
ϵ=ϵ′·(1−2−κ0)−qD +q
H·2−(κ0−1) ∼ϵ′·(1 + (qD+qH)·2−κ0) Sincekis larger than or equal to 128,
ϵ < ϵ′·(1 + 2qH·2−κ0) =ϵ′·(1 + 2·22k·2−κ0)
=ϵ′·(1 + 22k+1−κ0) .
According to the relation, we set κ0 ≥ 2k+ 1 since ϵ is negligible (such as
ϵ <2ϵ′).
9.2 Key Generation Same as the section 5.2. 9.3 Encryption
Recall the domain parameters as follows (See 5.1). – ℓ: A small integer which is larger than 1.
– q: A prime which is cardinality of prime fieldFq and is much larger than
ℓ.
– n: Degree of the modulus polynomial of the quotient ringRq(=Fq[t]/(tn− 1)). Thenshould be prime for the security reason.
– dX: Total degree of the irreducible bivariate polynomialX(x, y) – dr: Total degree of the random bivariate polynomialr(x, y) – mlen Length of the messageM
1. Set the length of the payloadplen=⌈n· |ℓ|/8⌉
2. Create a plaintextM whose payload isplenbytes in size
M =m||randombytes(plen−mlen) ,
where functionrandombytes(len) returns random data whose length islen. 3. Set the lower 8− |ℓ| ·(nmod (8/|ℓ|)) bits ofM to 0.
4. Initialize the seed expander with coins equal toH(M).
5. Embed a plaintextM into the coefficients of the plaintext polynomialm(t)(∈
Rℓ) whose degree isn−1.
6. Generate a support set Γr of degreedrwith graded lexicographic order 7. Create a random polynomialr(x, y) as follows:
(a) Set r= 0
(b) For each (i, j) inΓr
ii. Setr(x, y) =r(x, y) +rij(t)xiyj
8. Generate a support setΓeof degreedX+drwith graded lexicographic order 9. Create a noise polynomial e(x, y) as follows:
(a) Set e(x, y) = 0 (b) For each (i, j) inΓe
i. Choose a coefficienteij(t) uniformly at random from the set Rℓ ii. Sete(x, y) =e(x, y) +eij(t)xiyj
10. Construct the cipher polynomialc(x, y) as
c(x, y) =m(t) +X(x, y)r(x, y) +ℓ·e(x, y) (76) 9.4 Decryption
1. Substitute the secret key that is a small solution (ux(t), uy(t)) over Rq of
X(x, y) = 0 intoc(x, y):
c(ux(t), uy(t)) =m(t) +ℓ·e(ux(t), uy(t)) (77) When the parametersℓandqsatisfy the relation described above (15), each coefficient ofm(t) +ℓ·e(ux(t), uy(t))∈Z/(tn−1) is within the range from 0 toq−1. Theorem 1 gives a proof of this fact.
2. Extractm(t) fromc(ux(t), uy(t)) as
c(ux(t), uy(t)) (mod ℓ) =m(t) where we considerc(ux(t), uy(t)) as an element ofZ[t] 3. Recover the plaintext M from the coefficients ofm(t) 4. Initialize the seed expander with coins equal toH(M). 5. Encrypt the plaintext polynomial m(t)
c′(x, y) =m(t) +X(x, y)r(x, y) +ℓ·e(x, y)
6. If c′(x, y) equals c(x, y) then m = [M]mlen and f lag = valid; otherwise,
m=nullandf lag=invalid
Here, [x]len denotes extraction of the most significantlenbits ofx.