Lizard: Cut Off the Tail! A Practical Post-quantum Public-Key Encryption from LWE and LWR

The LWE problem has been widely used in many constructions for post-quantum cryptography due to its reduction from the worst-case of lattice hard problems and the lightweight operations for generating its instances. The PKE schemes based on the LWE problem have a simple and fast decryption, but the encryption phase requires large parameter size for the leftover hash lemma or Gaussian samplings.

In this paper, we propose a novel PKE scheme, called Lizard, without relying on either of them. The encryption procedure of Lizard first combines several LWE samples as in the previous LWE-based PKEs, but the following step to re-randomize this combination before adding a plaintext is different: it removes several least significant bits of each component of the computed vector rather than adding an auxiliary error vector. To the best of our knowledge, Lizard is the first IND-CPA secure PKE under the hardness assumptions of the LWE and LWR problems, and its variant, namely CCALizard, achieves IND-CCA security in the (quantum) random oracle model.

Our approach accelerates the encryption speed to a large extent and also reduces the size of ciphertexts. We present an optimized C implementation of our schemes, which shows outstanding performances with concrete security: On an Intel single core processor, an encryption and decryption for CCALizard with 256-bit plaintext space under 128-bit quantum security take only 32,272 and 47,125 cycles, respectively. To achieve these results, we further take some advantages of sparse small secrets. Lizard is submitted to NIST’s post-quantum cryptography standardization process.

1. 1.

   A provably secure variant of NTRU [32] is secure under the hardness assumption of ring-\(\mathsf {LWE}\), but the ring-\(\mathsf {LWE}\) problem only has a reduction from a lattice problem with ring structure, not from the standard lattice problems.

2. 2.

   Hence, the parameter choices of [25] are irrelevant of this comparison. Note that the chosen parameter sets in [25] do not achieve the claimed security anymore, due to many recent attacks in the literatures [3,4,5].

3. 3.

   After approving it, Albrecht’s combinatorial strategy for sparse secrets in [3] can be exploited naturally: As far as we know, the adjusted dual attack in [3] is the best attack for \(\mathsf {LWR}\) using sparse signed binary secrets.

4. 4.

   We used the lwe-estimator [2] reported on July 6th, 2017. We remark that one can find a guideline for attacking the \(\mathsf {LWE}\) problem in [5].

5. 5.

   Since the data type of each component of public key is \(\texttt {uint16\_t}\) and the modulus q is \(2^{11}\), our public key can be compressed by a factor 16/11.

We would like to thank Martin Albrecht and Fernando Virdia for valuable discussions on parameter selection. We would also like to thank Leo Ducas, Peter Schwabe, Tsuyoshi Takagi, Yuntao Wang and anonymous SCN 2018 reviewers for their useful comments.

Authors and Affiliations

1. Seoul National University, Seoul, Republic of Korea

   Jung Hee Cheon, Duhyeong Kim & Joohee Lee

2. University of California, San Diego, USA

   Yongsoo Song

Corresponding author

Correspondence to Joohee Lee .

Editors and Affiliations

1. University of Catania, Catania, Italy

   Dario Catalano

2. University of Salerno, Fisciano, Italy

   Roberto De Prisco

A IND-CCA Variant of Lizard

In this section, we present CCA-secure encryption scheme, say CCALizard, achieved by applying a variant of Fujisaki-Okamoto (FO) transformation [19, 20, 23, 33] to our Lizard encryption scheme. More precisely, we first convert Lizard into IND-CCA Key Encapsulation Mechanism (KEM) applying the transformation in [23], and then combine it with a (one-time) CCA-secure symmetric encryption scheme.

\(\mathsf {G}:{\mathbb {Z}}_t^{\ell }\rightarrow B_{m,h_r}\), \(\mathsf {H}:{\mathbb {Z}}_t^{\ell }\rightarrow \{0,1\}^d \), \(\mathsf {H'}:{\mathbb {Z}}_t^{\ell }\rightarrow {\mathbb {Z}}_t^{\ell }\) are the hash functions, where \(\{0,1\}^d\) is the plaintext space for CCALizard. Here, \(\mathsf {Lizard.Enc}_\mathsf {pk}(\delta ; \mathbf {v})\) denotes the encryption of \(\delta \) with the random vector \(\mathbf {v}\), i.e., the output of \(\mathsf {Lizard.Enc}_\mathsf {pk}(\delta ; \mathbf {v})\) is (\(\left\lfloor {(p/q)\cdot A^T\mathbf {v}}\right\rceil \), \(\left\lfloor {(p/t)\cdot \mathbf {\delta }+(p/q)\cdot B^T\mathbf {v}}\right\rceil \)).

CCALizard consists of three algorithms (\(\mathsf {CCALizard.KeyGen}\), \(\mathsf {CCALizard.Enc}\), \(\mathsf {CCALizard.Dec}\)). \(\mathsf {CCALizard.KeyGen}\) is the same as \(\mathsf {Lizard.KeyGen}\), and \(\mathsf {CCALizard.Enc}\) and \(\mathsf {CCALizard.Dec}\) are as follows:

• \(\mathsf {CCALizard.Enc}_\mathsf {pk}(\mathbf {m} \in \{0,1\}^{d})\):

  • Choose \(\delta \leftarrow {\mathbb {Z}}_t^{\ell }\).

  • Compute a tuple of vectors \(\mathbf {c}_1 := \mathsf {H}(\delta )\oplus \mathbf {m}\), \(\mathbf {c}_2 :=\mathsf {Lizard.Enc}_\mathsf {pk}(\delta ; \mathsf {G}(\delta ))\), \(\mathbf {c}_3 := \mathsf {H}'(\delta )\).

  • Output the ciphertext \(\mathbf {c} = (\mathbf {c}_1,\mathbf {c}_2,\mathbf {c}_3)\in \{0,1\}^{d}\times \mathbb {Z}_p^{n+\ell }\times {\mathbb {Z}}_t^{\ell }\).

• \(\mathsf {CCALizard.Dec}_\mathsf {sk}(\mathbf {c})\):

  • Parse \(\mathbf {c}\) into \(\mathbf {c} = (\mathbf {c}_1,\mathbf {c}_2,\mathbf {c}_3)\in \{0,1\}^{d}\times \mathbb {Z}_p^{n+\ell }\times {\mathbb {Z}}_t^{\ell }\).

  • Compute \(\delta ' \leftarrow \mathsf {Lizard.Dec}_\mathsf {sk}(\mathbf {c}_2)\) and \(\mathbf {v}'\leftarrow \mathsf {G}(\delta ')\).

  • If \((\mathbf {c}_2, \mathbf {c}_3) = (\mathsf {Lizard.Enc}_\mathsf {pk}(\delta '; \mathbf {v}'), \mathsf {H}'(\delta '))\), then compute and output \(\mathbf {m}'\leftarrow \mathsf {H}(\delta ')\oplus \mathbf {c}_1\).

  • Otherwise, output \(\perp \).

Correctness. If Lizard is correct with the probability \(1-\epsilon \), then CCALizard is correct except with the probability \(1-\epsilon \) in the (quantum) random oracle model [23].

Security. CCALizard achieves tight IND-CCA security in the random oracle model, and non-tight IND-CCA security in the quantum random oracle model. For IND-CCA security in ROM, the hash function \(H'\) and the hash value \(\mathbf {d}\) is not necessary.

Theorem 3

([23], Theorems 3.2 and 3.3). For any IND-CCA adversary \(\mathcal {B}\) on CCALizard issuing at most \(q_D\) queries to the decryption oracle, \(q_G\) queries to the random oracle \(\mathsf {G}\), and \(q_H\) queries to the random oracle \(\mathsf {H}\), there exists an IND-CPA adversary \(\mathcal {A}\) on Lizard such that

where \(\lambda \) is a security parameter and \(\epsilon \) is a decryption failure probability of Lizard and CCALizard.

Theorem 4

([23], Theorems 4.4 and 4.5). For any IND-CCA quantum adversary \(\mathcal {B}\) on CCALizard issuing at most \(q_D\) (classical) queries to the decryption oracle, \(q_G\) queries to the quantum random oracle \(\mathsf {G}\), \(q_H\) queries to the quantum random oracle \(\mathsf {H}\), and \(q_{H'}\) queries to the quantum random oracle \(\mathsf {H}'\), there exists an IND-CPA quantum adversary \(\mathcal {A}\) on Lizard such that

where \(\epsilon \) is a decryption failure probability of Lizard and CCALizard.

Parameters for CCALizard. We use the recommended parameters in Table 2 for CCALizard and set \(t=2\), \(\ell = d = 256\).

Reprints and permissions

© 2018 Springer Nature Switzerland AG

Policies and ethics