Improved lattice-based CCA2-secure PKE in the standard model

Jiang Zhang, Yu Yu, Shuqin Fan, Zhenfeng Zhang
2020 Science China Information Sciences  
Based on the identity-based encryption (IBE) from lattices by Agrawal et al. (Eurocrypt'10), Micciancio and Peikert (Eurocrypt'12) presented a CCA1-secure public-key encryption (PKE), which has the best known efficiency in the standard model and can be used to obtain a CCA2-secure PKE from lattices by using the generic BCHK transform (SIAM J Comput, 2006) with a cost of introducing extra overheads to both computation and storage for the use of other primitives such as signatures and
more » ... In this paper, we propose a more efficient standard model CCA2-secure PKE from lattices by carefully combining a different message encoding (which encodes the message into the most significant bits of the LWE's "secret term") with several nice algebraic properties of the tag-based lattice trapdoor and the LWE problem (such as unique witness and additive homomorphism). Compared to the best known lattice-based CCA1-secure PKE in the standard model due to Micciancio and Peikert (Eurocrypt'12), we not only directly achieve the CCA2security without using any generic transform (and thus do not use signatures or commitments), but also reduce the noise parameter roughly by a factor of 3. This improvement makes our CCA2-secure PKE more efficient in terms of both computation and storage. In particular, when encrypting a 256-bit (respectively, 512-bit) message at 128-bit (respectively, 256-bit) security, the ciphertext size of our CCA2-secure PKE is even 33%-44% (respectively, 36%-46%) smaller than that of their CCA1-secure PKE.
doi:10.1007/s11432-019-9861-3 fatcat:gis5on5e3bdsjfcthex2rwgi6e