Three's Compromised Too: Circular Insecurity for Any Cycle Length from (Ring-)LWE [chapter]

Navid Alamati, Chris Peikert
2016 Lecture Notes in Computer Science  
Informally, a public-key encryption scheme is k-circular secure if a cycle of k encrypted secret keys (Enc_{pk_1}(sk_2), Enc_{pk_2}(sk_3), ..., Enc_{pk_k}(sk_1)) is indistinguishable from encryptions of zeros. Circular security has applications in a wide variety of settings, ranging from security of symbolic protocols to fully homomorphic encryption. A fundamental question is whether standard security notions like IND-CPA/CCA imply k-circular security. For the case k = 2, several works over the past years have constructed counterexamples, i.e., schemes that are CPA or even CCA secure but not 2-circular secure, under a variety of well-studied assumptions (SXDH, decision linear, and LWE). However, for k > 2 the only known counterexamples are based on strong general-purpose obfuscation assumptions. In this work we construct k-circular security counterexamples for any k ≥ 2 based on (ring-)LWE. Specifically:
• for any constant k = O(1), we construct a counterexample based on n-dimensional (plain) LWE for poly(n) approximation factors;
• for any k = poly(λ), we construct one based on degree-n ring-LWE for at most subexponential exp(n^ε) factors.
Moreover, both schemes are k'-circular insecure for every 2 ≤ k' ≤ k. Notably, our ring-LWE construction does not immediately translate to an LWE-based one, because matrix multiplication is not commutative. To overcome this, we introduce a new "tensored" variant of LWE which provides the desired commutativity, and which we prove is actually equivalent to plain LWE.
doi:10.1007/978-3-662-53008-5_23 fatcat:xlv7wvkb6nfttefkbqcjbmufry
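As an added illustration (not code from the paper, and not the paper's LWE or ring-LWE constructions): a small Python harness for the k-circular security experiment defined in the abstract, built on a toy Regev-style LWE bit-encryption with deliberately tiny, insecure parameters, plus the folklore "self-referential" modification in which the public key carries a hash of the secret key and encrypting the secret key itself leaks it in the clear. That modification is the standard way to show that IND-CPA does not imply 1-circular security, and running the harness shows why the same trick gives a distinguisher no advantage on a cycle of length k ≥ 2: Enc_{pk_i} only ever sees sk_{i+1}, which it cannot recognise without sk_{i+1}'s own tag. Closing that gap for k ≥ 2 with structure that sits inside (ring-)LWE is what the paper does; nothing of that is reproduced here. All parameters, function names and the SHA-256 tag are assumptions of this example.

```python
import hashlib
import secrets

# Toy Regev-style LWE encryption of single bits.  Parameters are far too small
# to be secure (chosen so the example runs instantly); what matters for the
# illustration is correctness, which holds because |r^T e| <= M < Q/4.
N, M, Q = 8, 16, 257          # secret dimension, number of LWE samples, modulus
BITS = 9                      # bits per secret-key coordinate, since Q < 2**9

def keygen():
    s = [secrets.randbelow(Q) for _ in range(N)]                    # secret key
    A = [[secrets.randbelow(Q) for _ in range(N)] for _ in range(M)]
    e = [secrets.randbelow(3) - 1 for _ in range(M)]               # errors in {-1,0,1}
    b = [(sum(a * x for a, x in zip(row, s)) + err) % Q for row, err in zip(A, e)]
    return (A, b), s

def enc_bit(pk, bit):
    A, b = pk
    r = [secrets.randbelow(2) for _ in range(M)]                   # random subset of samples
    c1 = [sum(r[i] * A[i][j] for i in range(M)) % Q for j in range(N)]
    c2 = (sum(r[i] * b[i] for i in range(M)) + bit * (Q // 2)) % Q
    return c1, c2

def dec_bit(sk, ct):
    c1, c2 = ct
    v = (c2 - sum(x * y for x, y in zip(c1, sk))) % Q              # = r^T e + bit*Q/2
    return 1 if Q // 4 < v < 3 * Q // 4 else 0

def sk_to_bits(sk):
    return [(x >> i) & 1 for x in sk for i in range(BITS)]

def bits_to_sk(bits):
    return [sum(bits[c * BITS + i] << i for i in range(BITS)) for c in range(N)]

def tag(bits):
    return hashlib.sha256(bytes(bits)).digest()

# Folklore self-referential modification (assumed here for illustration; it is
# NOT the paper's construction): pk carries a hash of sk, and encrypting a
# message equal to sk outputs it in the clear.  An IND-CPA adversary cannot
# produce such a message, so CPA security is preserved, but Enc_pk(sk) leaks.
def keygen_mod():
    pk, sk = keygen()
    return (pk, tag(sk_to_bits(sk))), sk

def enc_mod(pk_mod, msg_bits):
    pk, t = pk_mod
    if tag(msg_bits) == t:
        return ("LEAK", list(msg_bits))
    return [enc_bit(pk, bit) for bit in msg_bits]

def dec_mod(sk, ct):
    if ct[0] == "LEAK":
        return ct[1]
    return [dec_bit(sk, c) for c in ct]

def key_cycle(k, keygen_fn=keygen_mod, enc_fn=enc_mod):
    """Return (pks, sks, real cycle, zero cycle) for the k-circular experiment:
    real[i] = Enc_{pk_i}(sk_{i+1 mod k}), zeros[i] = Enc_{pk_i}(0...0)."""
    keys = [keygen_fn() for _ in range(k)]
    real = [enc_fn(keys[i][0], sk_to_bits(keys[(i + 1) % k][1])) for i in range(k)]
    zeros = [enc_fn(keys[i][0], [0] * (N * BITS)) for i in range(k)]
    return [pk for pk, _ in keys], [sk for _, sk in keys], real, zeros

def leak_distinguisher(cycle):
    """Guess 'real cycle' (1) iff some ciphertext in the cycle is a LEAK marker."""
    return int(any(ct[0] == "LEAK" for ct in cycle))

def attack_advantage(k, trials=8):
    """Fraction of trials in which the distinguisher separates real from zero cycles."""
    wins = 0
    for _ in range(trials):
        _, _, real, zeros = key_cycle(k)
        wins += leak_distinguisher(real) == 1 and leak_distinguisher(zeros) == 0
    return wins / trials

if __name__ == "__main__":
    print("k=1 advantage:", attack_advantage(1))   # 1.0: the 1-cycle leaks sk outright
    print("k=2 advantage:", attack_advantage(2))   # 0.0: Enc_{pk_1} never recognises sk_2
```

The zero advantage at k = 2 only says that this particular distinguisher fails, not that the modified scheme is 2-circular secure; the point is that a counterexample for longer cycles needs the encryption under pk_i to react to a key it has no direct handle on, which is exactly where the abstract's LWE-specific (and, for the plain-LWE case, "tensored") structure comes in. The results are deterministic up to the negligible chance that two independently sampled secret keys coincide.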