lec13-F24.tex

\section{Post-Quantum Public Key Encryption}
The public-key encryption schemes discussed so far, rely on the difficulty of problems like factorization or discrete logarithms. In 1994, Peter Shor showed that these problems can be solved efficiently on a quantum computer~\cite{FOCS:Shor94}. Even though we do not have large-scale quantum computers capable of breaking current encryption schemes, there are two reasons to begin the transition of public-key encryption to quantum-resistant schemes:
\begin{itemize}
    \item Encrypted messages captured today can be stored and decrypted in the future when a large scale quantum computer is available. This is commonly referred to as the "harvest now, decrypt later" risk.
    \item Transition to new encryption schemes is a slow process and it is important to start the transition well before large scale quantum computers are available.
\end{itemize}

The national institute of standards and technology (NIST) opened a call for post-quantum public-key encryption and signature schemes in 2016. In Nov 2019, it received 59 submissions for public-key encryption and 23 submissions for digital signatures. In July 2022, NIST announced the first batch of winners for public-key encryption and digital signatures. In Aug 2024, the final standard for these schemes was published and they are now making their way into existing infrastructure. There was one winner (CRYSTALS-Kyber) for public-key encryption (based on lattices) and three winners for digital signatures (two based on lattices and one based on hash functions).

\begin{figure}[!htbp]
    \begin{tikzpicture}[node distance=1.5cm and 2cm,
            every node/.style={align=center}, % Adjust width as needed
            >=stealth] % Nicer arrow tips
        \node[align=center](lwe) {LWE \\ \citep{STOC:Regev05}};
        \node[right=of lwe] (lweske) {LWE-SKE};
        \node[right=of lweske, align=center] (lwepke) {LWE-PKE \\ \citep{STOC:Regev05} \\ LWE + LHL };
        \node[right=of lwepke, align=center] (comlwepke) {Compact LWE-PKE \\ \citep{RSA:LinPei11} \\ LWE + LWE};
        \node[below=of lweske, align=center] (rlwe) {RLWE \\ \citep{EC:LyuPeiReg10}};
        \node[right=of rlwe, align=center] (rlwepke) {RLWE-PKE \\ \citep{EC:LyuPeiReg13} \\ RLWE + RLWE};
        \node[below=of rlwe, align=center] (mlwe) {MLWE \\ \citep{ITCS:BraGenVai12,DCC:LanSte15}};
        \node[below=of comlwepke, align=center] (kyber) {CRYSTALS-Kyber \\ MLWE + MLWE};

        \draw[->] (lwe) -- (lweske);
        \draw[->] (lweske) -- (lwepke);
        \draw[->] (lwepke) -- (comlwepke);
        \draw[->] (lwe) -- (rlwe);
        \draw[->] (lwe) -- (mlwe);
        \draw[->] (rlwe) -- (rlwepke);
        \draw[->] (comlwepke) -- (rlwepke);
        \draw[->] (mlwe) -- (kyber);
        \draw[->] (comlwepke) -- (kyber);
        \draw[->] (rlwepke) -- (kyber);
        % Bounding box
        % \draw[dashed, thick] ($(lwe.north west)+(-0.5,0.5)$) rectangle ($(kyber.south east)+(0.5,-3)$);
    \end{tikzpicture}
    \caption{A roadmap of lattice-based public-key encryption schemes ending in the standardized CRYSTALS-Kyber scheme.}
\end{figure}


\begin{definition}[Learning With Errors Assumption (Search)]
    Let $m,n,q \in \mathbb{N}$ and $\chi$ be a distribution over $\mathbb{Z}_q$. The Learning With Errors (LWE) $\LWE_{n,m,q,\chi}$ problem is defined as follows:
    \[\Pr[\adv(A,b) \to s \mid s \sample \mathbb{Z}_q^n, A \sample \mathbb{Z}_q^{m \times n}, b = A \cdot s + e ] \leq \negl\]
\end{definition}

\begin{definition}[Learning With Errors (Decision)]
    Let $m,n,q \in \mathbb{N}$ and $\chi$ be a distribution over $\mathbb{Z}_q$. The Learning With Errors (LWE) $\LWE_{n,m,q,\chi}$ problem is defined as follows:
    \begin{multline*}
        |\Pr[\adv(A,b) \to 1 \mid s \sample \mathbb{Z}_q^n, A \sample \mathbb{Z}_q^{m \times n}, b = A \cdot s + e ] \\
        - \Pr[\adv(A,b) \to 1 \mid s \sample \mathbb{Z}_q^n, A \sample \mathbb{Z}_q^{m \times n}, b \sample \mathbb{Z}_q^m ]|\leq \negl
    \end{multline*}
\end{definition}
The Learning With Errors assumption is commonly referred to as a Lattice based assumption because there is a reduction from Search/Decision LWE to a ``worst-case'' lattice problem.

The above assumptions have been stated with respect to some abstract distribution $\chi$ over $\mathbb{Z}_q$. But what do we actually choose this distribution to be? In the extreme case of $\chi = 0$, the LWE problem is trivial as one can simply use Gaussian Elimination. In the other extreme if $\chi$ is uniform over $\mathbb{Z}_q$, then the LWE problem is information theoretically hard (but not very useful for cryptography). We will be interested in the intermediate case where $\chi$ is a \emph{small} distribution over $\mathbb{Z}_q$, centered around 0. For eg: $\chi$ is a uniform distribution over $[-B, B]$ for some $B \ll q/2$. This will allow us to do build interesting cryptographic primitives like public key encryption and signature schemes. For provable reductions to lattice problems, we set $\mathsf{stddev}(\chi) = \Omega(\sqrt{n})$. However, there is a gap between the best known attacks on LWE and the best known reductions to lattice problems. As a result, much more aggressive parameters are used in practice, chosen based on the best known attacks. Typical parameters for LWE are $n = 512$, $q = 3329$, $\mathsf{supp}(\chi) = [-3,3]$, and $m = 768$. \cite{EPRINT:AlbPlaSco15} provides a lattice estimator \url{https://github.com/malb/lattice-estimator} that can be used to estimate the number of bits of security provided by a given set of LWE parameters.

\subsection{LWE $\to$ LWE-SKE}
As a first step, we will see how to build a symmetric key encryption scheme from LWE.

\begin{itemize}
    \item $\Gen$: Sample $s \sample \mathbb{Z}_q^n$ and output $\sk = s$.
    \item $\Enc(\sk,\mu)$: Sample $a \sample \mathbb{Z}_q^n$, $e \sample \chi$, and compute $b \gets \langle a, s \rangle + e$. Output $c = (c_0 = a, c_1 = b + \lfloor\frac{q}{2}\rfloor\mu)$.
    \item $\Dec(\sk,c)$: Parse $c = (c_0, c_1)$ and compute $m \gets \mathsf{Decode}(c_1 - \langle c_0, s \rangle)$, where $\mathsf{Decode}(\hat{\mu}) \to \{0,1\}$ takes a value from $\mathbb{Z}_q$ and outputs $0$ if $\hat{\mu} \in [\lfloor\frac{-q}{4}\rfloor, \lfloor\frac{q}{4}\rfloor]$ and $1$ otherwise.
\end{itemize}

\begin{theorem}
    If the decisional variant of $\LWE_{n,1,q,\chi}$ is hard, then the above scheme is an IND-CPA secure symmetric key encryption scheme.
\end{theorem}
\begin{proof}
    Let the ciphertext $c = (c_0, c_1)$. Then $\hat{\mu} = c_1 - \langle c_0,s\rangle = b + \lfloor\frac{q}{2}\rfloor - \langle a,s\rangle = \lfloor\frac{q}{2}\rfloor\mu + e$. Upon applying the $\mathsf{Decode}$ function, we recover the message $\mu$ if $|e| < \lfloor\frac{q}{4}\rfloor$.
    One can choose the noise distribution $\chi$ such that
    $\Pr[|e| \geq \lfloor\frac{q}{4}\rfloor] \leq \negl$, to obtain a symmetric key encryption scheme with a small correctness error. Alternatively, one can also set $\chi$ such that $\Pr[|e| \geq \lfloor\frac{q}{4}\rfloor] = 0$ to obtain a perfectly correct symmetric key encryption scheme.
    Security reduces to hardness of the decisional $\LWE_{n,1,q,\chi}$ problem.
\end{proof}

\subsection{How to build a public key encryption scheme from LWE?}
Our first observation is that LWE samples offer a limited amount of homomorphism. Given LWE samples $(a_1, b_1 = \langle a_1, s\rangle + e_1)$ and $(a_2, b_2 = \langle a_2, s\rangle + e_2)$, one can \emph{add} them up to get $(a_1 + a_2, b_1 + b_2 = \langle a_1 + a_2, s\rangle + (e_1+e_2))$. Observe that as long as $e_1 + e_2$ is small, we can still build useful cryptography as done in the symmetric key encryption scheme above.

Now to build public key encryption, we \emph{delegate} the power to create LWE samples, without revealing the secret $s$. We achieve this by setting the public key to be many symmetric key encryptions of $0$. The scheme below was originally proposed by Regev in 2005~\cite{STOC:Regev05}.

\begin{itemize}
    \item $\Gen$: Sample $s \sample \mathbb{Z}_q^n$, $A \sample \mathbb{Z}_q^{m \times n}$, $e \sample \chi^m$, $b \gets As + e$ and output $(\pk = (A,b), \sk = s)$.
    \item $\Enc(\pk, \mu)$: Sample $u \sample \{0,1\}^m$. Output $c = (c_0 = A^\intercal u,c_1 =  b^\intercal u + \lfloor\frac{q}{2}\rfloor\mu)$.
    \item $\Dec(\sk, c)$: Output $\mathsf{Decode}(c_1 - \langle c_0, s\rangle)$.
\end{itemize}

Observe that $b$ is actually just $m$ encryptions of $0$. Moreover, $m$ influences the size of the public key and we would like to make this as small as possible. The exact parameter will be chosen based on what we can actually prove security for.

\begin{proof}
    For correctness observe that as before $c_1 - \langle c_0, s\rangle = b^\intercal u + \lfloor\frac{q}{2}\rfloor\mu - \langle A^\intercal u, s\rangle = u^\intercal e + \lfloor\frac{q}.{2}\rfloor\mu$. $\mathsf{Decode}$ will recover $\mu$ if $|u^\intercal e| < \lfloor\frac{q}{4}\rfloor$, and one can choose $\chi$ to ensure this with high probability.

    For security, we describe a sequence of hybrids starting from the public-key IND-CPA game, where the challenger receives $(\mu_0, \mu_1)$, and responds with an encryption of $\mu_0$. We then end in a hybrid where the challenger responds with an encryption of $\mu_1$, while showing that consecutive hybrids are indistinguishable.

    \begin{itemize}
        \item \textbf{Hybrid 0}: This is the original public-key IND-CPA game, where the challenger samples $(\pk, \sk)$ as described in the protocol and receives $(\mu_0, \mu_1)$ from $\adv$. The challenger responds with an encryption of $\mu_0$ and $\adv$ outputs a guess $b'$.
        \item \textbf{Hybrid 1}: This hybrid is identical to Hybrid 0, except that the challenger sets $\pk = (A \sample \mathbb{Z}_q^{m \times n}, b \sample \mathbb{Z}_q^m)$. From the hardness of the decisional $\LWE_{n,m,q,\chi}$ problem, these two hybrids are computationally indistinguishable.
        \item \textbf{Hybrid 2}: In this hybrid we replace the ciphertext with a uniformly random string $c\in \mathbb{Z}_p^{n} \times \mathbb{Z}_p$. We now argue that this hybrid is statistically indistinguishable from the previous hybrid. Let $u \sample \{0,1\}^m$, and $\gamma \sample \mathbb{Z}_p^n$. Then $\mathbb{E}_{C \in \mathbb{Z}_q^{n \times m}}[\mathsf{SD}(C u, \gamma)] \leq \frac{1}{2} \sqrt{\frac{q^n}{2^m}}$. If we set $m = n \log{q} + 2\lambda$, then the statistical distance is negligible in the security parameter.

              To prove the above we will use the leftover hash lemma. Let $p_c(w) = \Pr_{u \sample \{0,1\}^m} [C u = w]$. Then,
              \[\sum_{w \in \mathbb{Z}_q^n} p_c(w)^2 = \Pr_{u_0, u_1 \sample \{0,1\}^m} [Cu_0 = Cu_1] = \frac{1}{2^m} + \mathbb{E}_C[\Pr_{u_0 \neq u_1}[C(u_0 - u_1) = 0]] = \frac{1}{2^m} + \frac{1}{q^n} \]

              Thus, $\mathbb{E}_{C \in \mathbb{Z}_q^{n \times m}}[\mathsf{SD}(C u, \gamma)] = \frac{1}{2}\mathbb{E}_{C}[\sum_w |p_c(w) - \frac{1}{q^n}|]\leq \frac{1}{2}\sqrt{q^n}\mathbb{E}_{C}\left[ \sqrt{\sum_w (p_c(w) - \frac{1}{q^n})^2} \right]$,
              where the inequality follows from Cauchy-Schwarz. Next, using Jensen's inequality we have
              \[ \frac{1}{2}\sqrt{q^n}\mathbb{E}_C\left[ \sqrt{\sum_w (p_c(w) - \frac{1}{q^n})^2}\right] \leq \frac{1}{2}\sqrt{q^n}\sqrt{\mathbb{E}_C \left[\sum_w (p_c(w)^2 - \frac{1}{q^n})\right] } = \frac{1}{2}\sqrt{\frac{q^n}{2^m}}\]
    \end{itemize}
    The remaining hybrids are symmetric to end in the IND-CPA game with challenge response set to an encryption of $\mu_1$.
\end{proof}
\subsection{Improving Efficiency}
It is worthwhile asking whether the parameter $m$ can be made smaller. Recall that when using the leftover hash lemma we needed to set $m = n\log{q} + 2\lambda$ but we got a statistical guarantee of indistinguishability. This \emph{overkill} in some sense because we still rely on the LWE assumption in a different hybrid. We can then ask the question of whether it's possible to improve efficiency and obtain \emph{compact} LWE public-key encryption if we relied on computational hardness instead of a statistical guarantee.

This was the approach taken in~\cite{RSA:LinPei11}, where they used the hardness of LWE instead of the leftover hash lemma to switch ciphertexts to uniformly random strings in the proof of IND-CPA security. The scheme is essentially identical to the previous construction except, the secret key is also sampled from the error distribution instead of uniformly over the entire field. This is necessary for correctness. But we are no longer working with LWE samples as the secret key is no longer uniform. These new type of instance are referred to as Hermite normal form LWE instances. We will later show that distinguishing HNF-LWE samples from a uniform distribution is just as hard distinguishing LWE samples from the uniform distribution.

\begin{definition}[HNF-LWE]
    Let $m,n,q \in \mathbb{N}$ and $\chi$ be a distribution over $\mathbb{Z}_q$. The Learning With Errors (LWE) $\LWE_{n,m,q,\chi}$ problem is defined as follows:
    \begin{multline*}
        |\Pr[\adv(A,b) \to 1 \mid s \sample \chi_q^n, A \sample \mathbb{Z}_q^{m \times n}, b = A \cdot s + e ] \\
        - \Pr[\adv(A,b) \to 1 \mid A \sample \mathbb{Z}_q^{m \times n}, b \sample \mathbb{Z}_q^m ]|\leq \negl
    \end{multline*}
\end{definition}

\begin{lemma}[$\LWE_{n,q,\chi,m} \leq \mathsf{HNF-LWE}_{n,q,\chi,m-n}$]
\end{lemma}
\begin{proof}
    Parse $A$ and $b$ as:
    \[A:\begin{bmatrix} A_1 \\ A_2 \end{bmatrix} \quad b:\begin{bmatrix} b_1 \\ b_2 \end{bmatrix} = \begin{bmatrix} A_1 s + e_1 \\ A_2 s + e_2 \end{bmatrix}\]
    and bbort if $A_1$ is not invertible. This happens with probability $\le 0.91$. Next, provide
    \[\begin{pmatrix} \tilde{A} := A_2 \cdot A_1^{-1} \\ \tilde{b} := -A_2 \cdot A_1^{-1} \cdot b_1 + b_2 \end{pmatrix}\] to the HNF-LWE solver. Note that $\tilde{b}$ simplifies to
    \begin{equation*}
        \begin{aligned}
            \tilde{b} & = A_2 A_1^{-1} (A_1 s + e_1) + A_2 s + e_2 \\
                      & = A_2 s - A_2 A_1^{-1} e_1 + A_2 s + e_2   \\
                      & = A_2 e_1 + e_2                            \\
        \end{aligned}
    \end{equation*}
    which is actually an HNF-LWE sample. Hence, if the HNF-LWE solver succeeds with non-negligible probability, then the LWE solver also succeeds with non-negligible probability.
\end{proof}

\begin{construction}[Compact LWE-PKE \citep{RSA:LinPei11}]
    \hfill
    \begin{itemize}
        \item $\Gen$: Sample $s \sample \chi_q^n$, $A \sample \mathbb{Z}_q^{n \times n}$, $e \sample \chi^n$, $b \gets As + e$ and output $(\pk = (A,b), \sk = s)$.
        \item $\Enc(\pk, \mu)$: Sample $u \sample \mathbb{Z}_q^n$, $e_0 \sample \chi^n$ and $e_1 \sample \chi$. Output $c = (c_0 = A^\intercal u + e_0,c_1 =  b^\intercal u + e_1 + \lfloor\frac{q}{2}\rfloor\mu)$.
        \item $\Dec(\sk, c)$: Output $\mathsf{Decode}(c_1 - \langle c_0, s\rangle)$.
    \end{itemize}
\end{construction}

The proof of security follows a similar strategy as earlier, except when replacing the ciphertext with a uniformly random string, we use the hardness of HNF-LWE.

% Stuff from Lec 16 
\subsection{Ring-LWE}
From the same motivation as above, we would like to improve the efficiency of our scheme by decreasing the number of random elements we sample (to get the matrix $A$). Note that the methods we used above require sampling $O(n^2)$ random elements to form the random matrix. 
\begin{itemize}
    \item Instead, we could replace $A$ with a structured (cyclic) matrix where each row is a cyclic shift of the previous row. This only requires $O(n)$ random elements to be sampled. However, this turns out to not be secure. \\
    Assuming that $q = 1 \mod n$, we can write this in polynomial form as $a(x) \cdot s(x) + e(x) = b(x) \mod (x^n - 1)$. The assumption on $q$ is made so that number theoretic transforms can be used to efficiently multiply polynomials. Since $x^n - 1$ is divisible by $x-1$, we have the additional relation $a(1) \cdot s(1) + e(1) = b(1)$ where both $s(1)$ and $e(1)$ are small. This allows us to construct a distinguisher.

    \item To prevent this, we would like to choose a irreducible polynomial instead, say, $x^n + 1$. Using negacyclic matrices instead (and $q = 1 \mod 2n$), we get a similar relation $a(x) \cdot s(x) + e(x) = b(x) \mod (x^n + 1)$. However, this does not have the same issue as before. This forms the basis of the Ring-LWE assumption. Other cyclotomic polynomials can also be used and we work in the ring $\mathbb{Z}_q[x]/<x^n + 1>$. \\
    This construction was shown to be secure in \cite{EC:LyuPeiReg10}.
\end{itemize}

\begin{definition}[HNF-RLWE]
    Let $n$ be the ring dimension, $q$ be the modulus, and $\chi$ be a distribution over $R_q$ where $R_q = \mathbb{Z}_q[x]/<x^n + 1>$. The HNF-RLWE problem is defined as follows:  
    \begin{align*}
        a(x) &\getsr R_q \\
        s(x) &\getsr \chi \\
        e(x) &\getsr \chi \\
        b(x) &\gets a(x) \cdot s(x) + e(x) \\
        \text{Distinguish } (a(x), b(x)) &\text{ from } (a(x), b'(x)) \text{ where } b'(x) \getsr R_q 
    \end{align*}
\end{definition}
\begin{itemize}
    \item RLWE has similar worst-case to average-case reductions to hard lattice problems as LWE. However, these hard problems are on "ideal lattices" which are structured lattices. 
    $$\text{Worst-case ``ideal lattice'' problems} \leq \text{Search RLWE} \leq \text{Decision RLWE}$$

    \item $\text{RLWE} \leq \text{HNF-RLWE}$
    \item On the plus side, state of the art attacks on RLWE do not exploit the ring structure and instead treat it as a LWE instance.
\end{itemize}

We can also build a public-key encryption scheme from RLWE, similar to the compact LWE-PKE scheme. The security proof is also similar.
\begin{construction}[RLWE-PKE]
    \hfill
    \begin{itemize}
        \item $\Gen$: Sample $s(x) \sample \chi_q$, $a(x) \sample R_q$, $e(x) \sample \chi$, $b(x) \gets a(x) \cdot s(x) + e(x)$ and output $(\pk = (a(x),b(x)), \sk = s(x))$.
        \item $\Enc(\pk, \mu)$: Sample $u(x) \sample R_q$, $e_0(x) \sample \chi$ and $e_1(x) \sample \chi$. Output $c = (c_0 = a(x) \cdot u(x) + e_0(x),c_1 =  b(x) \cdot u(x) + e_1(x) + \lfloor\frac{q}{2}\rfloor\mu)$.
        \item $\Dec(\sk, (c_0,c_1))$: Output $\mathsf{Decode}(c_1(x) - c_0(x) \cdot s(x))$.
    \end{itemize}
\end{construction}

\begin{table}[!htbp]
    \centering
    \begin{tabular}{|c|c|c|}
        \hline
        & LWE & RLWE \\
        \hline
        Public Key Size & $(n^2 + n) \log q$ & $2n \log q$ \\
        \hline
        Ciphertext Size & $(n+1) \log q$ & $2n \log q$ \\
        \hline
        Message Length & $1$ & $n$ \\
        \hline
        Computation Cost & $O(n^2)$ & $\tilde{O}(n)$ \\
        \hline
    \end{tabular}
    \caption{Comparison of LWE and RLWE}
\end{table}

\subsection{Module LWE}
\cite{ITCS:BraGenVai12}, along with the first implementable FHE scheme, introduced the Module-LWE assumption. This is a generalization of LWE and RLWE, and was initially created for notational purposes to avoid having to write two different definitions. Setting parameters to certain values returns LWE or RLWE. However, there are middle cases that are not covered by LWE or RLWE. 

The Module-LWE assumption is defined as follows:
\begin{definition}[Module-LWE]
    Let $n$ be the degree, $q$ be the modulus, and $\chi$ be a distribution over $R_q$. Additionally, let $m$ be the number of samples and $k$ be the dimension.
    The Module-LWE problem is defined as follows: 
    \begin{align*}
        A &\getsr R_q^{m \times k} \\
        s &\getsr \chi^k \\
        e &\getsr \chi^m \\
        b &\gets A \cdot s + e \\
        \text{Distinguish } (A,b) &\text{ from } (A,b') \text{ where } b' \getsr R_q^m
    \end{align*}
\end{definition}

Note that this is the same as LWE when $k = 1$ and RLWE when $n = 1$. 

\begin{itemize}
    \item $\text{Worst-case ``rank-k" lattice problems} \leq \text{Search Module-LWE} \leq \text{Decision Module-LWE}$
    \item $\text{Module-LWE} \leq \text{HNF-Module-LWE}$ ~\cite{DCC:LanSte15}
    \item Why use MLWE? - Efficiency and Flexibility.
    \begin{itemize}
        \item Powers of two are sparse, we would need to jump from $n=512$ to $n=1024$ for instance.
        \item New Hope is another NIST candidate based on RLWE. It has parameters $n=1024$, $q=12289$ while Kyber has $n=256$, $q=3329$. The ring LWE condition requires $q = 1 \mod 2n$, and hence the larger $q$. 
    \end{itemize}
    \item Other engineering considerations for Kyber:
    \begin{itemize}
        \item The Fujisaki-Okamoto transform is used to obtain CCA security.
        \item Note that Kyber's prime does not satisfy $q = 1 \mod 2n$, and they only get incomplete NTT speedups.
        \item The matrix $A$ can be compressed using a random oracle or hash.
        \item The error distribution is restricted to $[-3,3]$. In addition, for easier sampling, instead of using a uniform distribution, they use a centered binomial distribution (sampling from this only requires sampling some bits and adding them).
        \item Another optimization for proof size is to drop the last bit of the ciphertext.
    \end{itemize}
    \item Finally, Kyber gets a public key size of $800$ bytes, a ciphertext size of $768$ bytes, and decryption failure probability of $2^{-139}$.
\end{itemize}