Efficient Lattice-Based Cryptosystems with Key Dependent Message Security

Key-dependent message (KDM) security is of great research significance for analysing and solving the security problems that arise in complex application scenarios, where a secret key may be encrypted under itself or under a function of itself. Most current KDM-secure schemes are based on traditional number-theoretic hardness assumptions; their public keys and ciphertexts are not compact, and the ciphertext size grows linearly with the degree of the challenge functions. To address these problems, and the inefficiency of the ciphertext operations, we propose a compact lattice-based cryptosystem built on a variant of the RLWE problem, the RLWE* problem, obtained by restricting the public ring element to the invertible elements of $R_q$; the problem remains hard after this modification. Compared with the ACPS scheme, our scheme further expands the set of challenge functions (affine functions of the secret key), and the size of the public key and of the ciphertext is $\tilde O(n)$, independent of the challenge functions. In addition, the scheme is efficient: encryption and decryption cost only polylog(n) bit operations per message symbol, and we prove that the scheme is KDM-CPA secure under the RLWE* assumption.


Introduction
With the rise of cloud computing and cloud storage, some application scenarios need to encrypt the secret key itself, or information derived from it. In 1984, Goldwasser and Micali [1] first introduced the concept of key-dependent message security, which guarantees the security of a message $f(sk)$ computed directly from the secret key $sk$. Key-dependent message (KDM) secure public-key encryption was originally applied to hard-disk encryption, where the secret key and the user's data are encrypted together. It has since been widely used in formal proofs [2,3], homomorphic encryption [4] and advanced cryptographic protocols [5].
At Eurocrypt 2001, Camenisch and Lysyanskaya [5] presented a provably circular-secure encryption scheme in the random oracle model, where the KDM attack capability of the adversary is defined by the set of challenge functions it may query. In 2002, Black, Rogaway and Shrimpton [6] considered the following situation arising in hard-disk encryption: the adversary is allowed to obtain, under the public key $pk_j$ of user $j$, an encryption of a function $f$ of the secret keys $sk_1, \dots, sk_\ell$ of all $\ell$ users. Compared with semantic security, the KDM security model is stronger and of higher research value; the value of a concrete scheme depends mainly on its efficiency and on the set of challenge functions that can be queried. The known KDM-secure public-key encryption schemes differ considerably in their constructions. In 2008, Boneh et al. [7] proposed a public-key encryption scheme based on the DDH (decisional Diffie-Hellman) assumption and proved it KDM-CPA (chosen-plaintext attack) secure in the standard model. After that, Applebaum et al. [8] proposed the first lattice-based KDM-CPA-secure public-key encryption scheme, the ACPS scheme. Its security follows from the LWE (learning with errors) assumption; thanks to the linear structure of LWE, it has compact ciphertexts and a high level of computational efficiency.
In particular, the proof of KDM-CPA security shows that ciphertexts remain pseudorandom when the secret key is encrypted directly. If the message space is not expanded by scaling the noise, it is still possible to construct a KDM-secure symmetric-key scheme that directly encrypts linear functions of the secret key. We therefore modify the RLWE* problem further, propose its variant, the k-RLWE* problem, and show that it remains hard. For the message space $R_2$, given a small enough Hamming weight $h$ with $\binom{n}{h}$ large enough, we obtain a symmetric-key scheme with a binary secret and less ciphertext noise. Finally, we prove that this scheme is KDM-CPA secure under the k-RLWE* assumption, and that encryption and decryption cost only polylog(n) bit operations per message symbol.

Organization. In Section 2, we recall some important lemmas and give the formal definition of KDM-secure cryptosystems. In Section 3, we first introduce the RLWE* problem and a Hermite normal form (HNF) transformation, then construct a compact public-key scheme with KDM-CPA security. In Section 4, similarly, the variant k-RLWE* problem and the symmetric-key scheme are presented. In Section 5, we provide a detailed performance comparison. Finally, Section 6 concludes.

Basic Notation
In this paper, we use the following notation and lemmas. We work over a ring $R$; in our concrete instantiations, $R = \mathbb{Z}$ (the integers) or the polynomial ring $R = \mathbb{Z}[x]/(x^d + 1)$, where $d$ is a power of 2. For an integer $q$, $R_q$ denotes $R/qR$. We sometimes abuse notation and write $R_2$ for the set of $R$-elements with binary coefficients: when $R = \mathbb{Z}$, $R_2$ is $\{0, 1\}$, and when $R$ is a polynomial ring, $R_2$ is the set of polynomials with 0/1 coefficients. For $a \in R$, $[a]_q$ denotes $a \bmod q$ with coefficients reduced into the range $(-q/2, q/2]$. For the security parameter $\lambda$, $\mathrm{negl}(\lambda)$ denotes a negligible function. For a distribution $\chi$, $e \leftarrow \chi$ means that $e$ is distributed according to $\chi$; the error distribution $\chi$ is the discrete Gaussian distribution $D_{\mathbb{Z}^n,\sigma}$ for some $\sigma > 0$. The $\ell_1$ norm of $s$ over the reals is $\ell_1(s) = \sum_{i=1}^{n} |s_i|$, and the $\ell_\infty$ norm is $\ell_\infty(s) = \max\{|s_1|, |s_2|, \dots, |s_n|\}$.

Lemma 1. (see [19]). Let $n \in \mathbb{N}$. For any real number $\sigma = \omega(\sqrt{\log n})$, we have

Lemma 2. (see [20]). Let $n \in \mathbb{N}$. For any real number $\sigma = \omega(\sqrt{\log n})$ and any $c \in \mathbb{Z}^n$, the statistical distance between the distributions $D_{\mathbb{Z}^n,\sigma}$ and $D_{\mathbb{Z}^n,\sigma,c}$ is at most $\|c\|/\sigma$.

The RLWE Problem
This simple version of the RLWE problem comes from [22]; for the LWE problem, the secret can be chosen from the noise distribution by means of the transformation $T$ of Lemma 4.

Definition 1. (RLWE).
For security parameter $\lambda$, let $f(x) = x^d + 1$ where $d = d(\lambda)$ is a power of 2. Let $q = q(\lambda) \ge 2$ be an integer. Let $R = \mathbb{Z}[x]/(f(x))$ and $R_q = R/qR$. Let $\chi = \chi(\lambda)$ be a distribution over $R$. The $\mathrm{RLWE}_{d,q,\chi}$ problem is to distinguish the following two distributions. In the first distribution, one samples $(a_i, b_i)$ uniformly from $R_q^2$. In the second distribution, one first draws $s \leftarrow R_q$ uniformly and then samples $(a_i, b_i) \in R_q^2$ by sampling $a_i \leftarrow R_q$ uniformly, $e_i \leftarrow \chi$ and setting $b_i = a_i \cdot s + e_i$; call this distribution $A_{s,\chi}$. The $\mathrm{RLWE}_{d,q,\chi}$ assumption is that the $\mathrm{RLWE}_{d,q,\chi}$ problem is infeasible.

Lemma 4.
(see [8]). Let $q = p^e$ be a prime power. There is a deterministic polynomial-time transformation $T$ that, for arbitrary $s \in \mathbb{Z}_q^n$ and error distribution $\chi$, maps $A_{s,\chi}$ to $A_{x,\chi}$ where $x \leftarrow \chi^n$, and maps $U(\mathbb{Z}_q^n \times \mathbb{Z}_q)$ to itself. The transformation also produces an invertible square matrix $A \in \mathbb{Z}_q^{n \times n}$ and $b \in \mathbb{Z}_q^n$ that, when mapping $A_{s,\chi}$ to $A_{x,\chi}$, satisfy $x = -A^T s + b$.
Theorem 1. (see [23]). Let $K$ be the $m$th cyclotomic number field of dimension $n = \varphi(m)$ and let $R = \mathcal{O}_K$ be its ring of integers. Let $\alpha < \sqrt{\log n / n}$, and let $q = q(n) \ge 2$, $q \equiv 1 \pmod m$, be a $\mathrm{poly}(n)$-bounded prime such that $\alpha q \ge \omega(\sqrt{\log n})$. Then there is a polynomial-time quantum reduction from $\tilde O(\sqrt{n}/\alpha)$-approximate SIVP (or SVP) on ideal lattices in $K$ to $\text{R-DLWE}_{q,\Psi_\alpha}$. Alternatively, for any $\ell > 1$, the target problem can be replaced by the problem of solving $\text{R-DLWE}_{q,D_\xi}$ given only $\ell$ samples, where $\xi = \alpha\,(n\ell/\log(n\ell))^{1/4}$.

Key-Dependent Message Security
We now define key-dependent message security through a game between a challenger and an adversary $A$; KDM security guarantees that the secret key $sk$ and functions $f(sk)$ of it can be encrypted directly. The KDM attack capability of the adversary $A$ is determined by the collection $\mathcal{F} \subseteq \{f \mid f : \mathcal{K} \to \mathcal{M}\}$ of secret-key functions that it may query, where $\mathcal{K}$ and $\mathcal{M}$ are the secret-key space and the message space of the encryption scheme. Write $\ell$ for the number of users. Given public keys $pk_1, \dots, pk_\ell$ and an encryption of the key-dependent message $f(sk_1, \dots, sk_\ell)$, the adversary $A$ cannot distinguish it from an encryption of the all-zero message; a scheme with this property is called KDM-CPA secure with respect to $\mathcal{F}$. Here $\mathcal{F}$ is a family of sets of functions parameterized by the security parameter $\lambda$ and the number of users $\ell$. The game proceeds as follows.
1. The challenger chooses a bit $\mu \leftarrow \{0, 1\}$, runs the scheme's key generation algorithm $\ell$ times and gives $pk_1, \dots, pk_\ell$ to the adversary $A$.
2. The adversary $A$ makes encryption queries of the form $(i, f)$, where $1 \le i \le \ell$ and $f \in \mathcal{F}$. To process a query, the challenger computes $m \leftarrow f(sk_1, \dots, sk_\ell)$, then computes the challenge ciphertext under $pk_i$ (an encryption of $m$ for one value of $\mu$ and of the all-zero message for the other) and returns it to $A$.
3. The adversary $A$ attempts to guess $\mu$ and outputs $\mu' \in \{0, 1\}$.
The scheme is KDM-CPA secure if for every probabilistic polynomial-time adversary $A$ the distinguishing advantage $\mathrm{Adv}(A) = |\Pr[\mu = \mu'] - 1/2| \le \mathrm{negl}(n)$. This means that the scheme can securely encrypt any function in $\mathcal{F}$ of its own secret key in place of a message.
The KDM-CPA security definition for a symmetric-key scheme is similar. In the first stage, the challenger generates the secret key and gives nothing to the adversary $A$. In the second stage, it uses the secret key both for encryption and as the input of $f(sk)$. Everything else is the same.

Compact Public-Key Cryptosystem with KDM Security
In this section, we describe the construction of a public-key scheme based on a variant of the RLWE problem. First, we introduce the RLWE* problem obtained by the invertibility restriction, and then give its version with scaled noise. After that, to ensure that the secret is chosen from the error distribution, a transformation is given that yields the RLWE* assumption in Hermite normal form. Finally, we construct a compact public-key scheme, analyse its correctness, and prove its key-dependent message security.

The Invertible Version of RLWE Problem
In [18], the authors presented a variant of the RLWE problem, the RLWE* problem. It is the same as the RLWE problem except that $a$ is chosen from $R_q^*$, the set of invertible elements of $R_q$; we therefore call RLWE* the invertible variant. RLWE* problem. For $s \in R_q$ and error distribution $\chi$, we define $A^*_{s,\chi}$ as the distribution obtained by sampling the pair $(a, a\cdot s + e) \in R_q^* \times R_q$, where $R_q^*$ denotes the set of invertible elements of $R_q$. The decision RLWE* problem is to distinguish between $A^*_{s,\chi}$ and $U(R_q^* \times R_q)$. Note that [23] shows that for any $q \ge 2$ the fraction of invertible elements in $R_q$ is at least $1/\mathrm{poly}(n, \log q)$, and [18] further shows that as long as $q = \Omega(n)$ an element chosen from $U(R_q)$ is invertible with overwhelming probability. Hence restricting $a$ to invertible elements changes the distribution of samples only negligibly, and the RLWE problem remains hard under this restriction.
Scaling the noise. This technique was first formally proposed in [24]; it generates RLWE* samples as $(a, a\cdot s + t\cdot e)$. Security is not affected as long as $t \in \mathbb{Z}_q^*$, i.e. $t$ and $q$ are relatively prime; the other parameters are as above.

Definition 2.
(Decision RLWE*). The average-case decision version of the RLWE* problem, denoted $\mathrm{RLWE}^*_{q,\chi}$, is to distinguish the following two distributions with non-negligible advantage. In the first distribution, one samples $(a_i, b_i)$ uniformly from $R_q^* \times R_q$ (equivalently from $R_q^2$, since the non-invertible elements have negligible density when $q = \Omega(n)$). In the second distribution, one first draws $s \leftarrow R_q$ uniformly and then samples $(a, b = a\cdot s + t\cdot e) \in R_q^* \times R_q$ by sampling $a \leftarrow R_q^*$ uniformly, where $R_q^*$ denotes the set of invertible elements of $R_q$, $e \leftarrow \chi$ and $t \in \mathbb{Z}_q^*$.

A Generic Transformation
In this section, we give a transformation that allows the secret to be sampled as $s \leftarrow \chi$. There is no loss of security, and it ensures that the secret lies in the message space. The transformation lemma follows.

Lemma 5.
For modulus $q$, arbitrary $s \in R_q$ and the error distribution $\chi$, there is a deterministic polynomial-time transformation $T$ which maps $A^*_{s,\chi}$ to $A^*_{\varphi,\chi}$ where $\varphi \leftarrow \chi$, and maps $U(R_q^* \times R_q)$ to itself.
Proof. The transformation $T$ has access to the distribution $D$ over $R_q^* \times R_q$, which is either $A^*_{s,\chi}$ or $U(R_q^* \times R_q)$. We prove the claim in two steps. First, $T$ generates a sample $(a, b) \in R_q^* \times R_q$ by drawing from the distribution $D$.
In particular, $a' \in R_q^*$ is uniform, since $a \leftarrow R_q^*$ is invertible modulo $q$ and $a$ is chosen uniformly, where $\varphi = t\cdot x$; therefore $(a', b')$ is distributed according to $A^*_{\varphi,\chi}$, as desired.
Definition 3. (The RLWE* assumption in Hermite normal form). As in the previous definition, for all security parameters $\lambda \in \mathbb{N}$, the RLWE* assumption in Hermite normal form states that the RLWE* problem is infeasible for any polynomial number $\ell = \mathrm{poly}(\lambda)$ of samples when $s$ is sampled from the noise distribution $\chi$, with the other parameters unchanged.

Basic RLWE * -Based Encryption Scheme
For security parameter $\lambda$, let $n = n(\lambda)$ be a power of 2, $f(x) = x^n + 1$, $R = \mathbb{Z}[x]/(f(x))$ and $R_q = R/qR$, where $q \equiv 1 \pmod{2n}$ is prime and $t \in \mathbb{Z}_q^* \subseteq \{1, \dots, q - 1\}$ is relatively prime to $q$. Let $\chi = D_{\mathbb{Z}^n,\sigma}$ be an error distribution with $\sigma \ge \omega(\sqrt{\log n})$ and $\sigma < t$; since the secret $s$ is sampled from the error distribution $\chi$, we have $s \in R_t$ with overwhelming probability.
• RPKE1.KeyGen($1^\lambda$): Sample $s \leftarrow \chi$ and output $sk = s$. Sample $a \leftarrow R_q^*$ uniformly and $e \leftarrow \chi$, and set $b = a\cdot s + t\cdot e$, where $t \in \mathbb{Z}_q^*$ and $R_q^*$ denotes the set of invertible elements of $R_q$. Output the public key $pk = (a, b) \in R_q^* \times R_q$.
• RPKE1.Enc($pk, m$): Note that $m \in R_t$, because of the noise scaling. Sample $r, e_1, e_2 \leftarrow \chi$. Compute $c_1 = a\cdot r + t\cdot e_1$ and $c_2 = b\cdot r + t\cdot e_2 + m$, and output the ciphertext $c = (c_1, c_2) \in R_q \times R_q$.
• RPKE1.Dec($sk, c$): On input the secret key and the ciphertext, output $m = ((c_2 - c_1\cdot s) \bmod q) \bmod t$.
Correctness: expanding the definitions, $c_2 - c_1\cdot s = (a\cdot s + t\cdot e)\cdot r + t\cdot e_2 + m - (a\cdot r + t\cdot e_1)\cdot s = m + t\,(e\cdot r + e_2 - e_1\cdot s)$. As long as $\|t\,(e\cdot r + e_2 - e_1\cdot s)\|_\infty < q/2$, the reduction modulo $q$ returns exactly $m + t\,(e\cdot r + e_2 - e_1\cdot s)$ over the integers, and reducing modulo $t$ then recovers $m$. By Lemma 3, this holds whenever $q > t\cdot\mathrm{poly}(n)\cdot\sigma^2$, where $t = \sigma\sqrt{n}$, so the ciphertext decrypts correctly. The KDM-CPA security follows from the RLWE* assumption, using the pseudorandomness of the distribution $A^*_{s,\chi}$. Observe that $f(sk) = k\cdot s + t\cdot w$, where $k$, $s$ and $w$ are all chosen from error distributions, and that the ciphertext remains indistinguishable from uniform even if $m$ is replaced by such a linear function of the scheme's own secret key.

Theorem 2. Let $k \leftarrow D_{\mathbb{Z}^n,\sigma}$ and $w \leftarrow D_{\mathbb{Z}^n,\sigma'}$, where $\sigma' \ge 2^{\omega(\log n)}\cdot\sigma^2$ and $\sigma = \omega(\sqrt{\log n})$. Under the RLWE* assumption, the cryptosystem RPKE1 is KDM-CPA secure with respect to the functions $f(sk) = k\cdot s + t\cdot w$.
Proof. For any probabilistic polynomial-time adversary A, we use a three-step hybrid game to prove that the ciphertext with key-dependent message f (sk) in the RPKE1 scheme is computationally indistinguishable from one that carries no information on the message. Therefore, the distinguishing advantage of the adversary A is negligible.
Game $H_0$: Let $pk = (a, b) \leftarrow \mathrm{RPKE1.KeyGen}(1^\lambda)$, with the remaining parameters as above; $H_0$ generates the challenge ciphertexts as in the real scheme.
Game $H_1$: Similar to $H_0$, but $H_1$ generates the challenge ciphertexts related to $f(sk)$ in a different way,
where $u_i$ ($i = 1, 2$) is chosen from $U(R_q)$. In $H_1$, $a' = a\cdot r + k$ is indistinguishable from uniform, and $(c_1^*, c_2^*) = (a', a'\cdot s + t\cdot w) \in R_q \times R_q$ is exactly an instance of the RLWE problem. Therefore $(c_1^*, c_2^*)$ is pseudorandom, and since the challenge ciphertext $(u_1, u_2)$ is distributed as $U(R_q \times R_q)$, the two games are indistinguishable. This proves the KDM-CPA security of the RPKE1 scheme.
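The rewriting behind the step from $H_0$ to $H_1$, carried through explicitly as an added illustration (it is not part of the original proof and only expands the definitions of RPKE1 and of $f(sk) = k\cdot s + t\cdot w$):

$$
\begin{aligned}
c_2 &= b\cdot r + t\cdot e_2 + f(sk) = (a\cdot s + t\cdot e)\cdot r + t\cdot e_2 + k\cdot s + t\cdot w \\
    &= (a\cdot r + k)\cdot s + t\,(e\cdot r + e_2 + w) = a'\cdot s + t\,(e\cdot r + e_2 + w), \qquad a' := a\cdot r + k .
\end{aligned}
$$

So $c_2$ has the shape of a scaled-noise RLWE sample under the public element $a'$ with error $e\cdot r + e_2 + w$. The flooding term $w \leftarrow D_{\mathbb{Z}^n,\sigma'}$ is what lets the proof treat $c_2^*$ as $a'\cdot s + t\cdot w$: by Lemma 2 the statistical distance between $w$ and $w + (e\cdot r + e_2)$ is at most $\|e\cdot r + e_2\|/\sigma'$, which is negligible for $\sigma' \ge 2^{\omega(\log n)}\cdot\sigma^2$ because $\|e\cdot r + e_2\| \le \mathrm{poly}(n)\cdot\sigma^2$ with overwhelming probability. This is exactly the parameter condition in Theorem 2.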

Efficient Symmetric-Key Encryption Scheme
The public-key scheme above expands the message space because of the noise scaling, which costs efficiency. In this section we introduce a KDM-secure symmetric-key scheme without noise scaling. For a symmetric-key scheme we can generate the ciphertext $(c_1 = a, c_2 = b + m)$ from an RLWE* sample $(a, b = a\cdot s + e)$. If the secret key $s$ replaces the message $m$, the ciphertext $(c_1 = a, c_2 = b + s)$ becomes $c = (a, (a + 1)\cdot s + e)$. Defining $a' = a + 1$, the pair $(a', a'\cdot s + e)$ is an RLWE instance, so the challenge ciphertext $(c_1 = a', c_2 = a'\cdot s + e)$ is pseudorandom and KDM security is easy to prove. The same argument extends to any linear function of $s$, say $f(sk) = k\cdot s + w$ with $k \in R_q$ and $w \leftarrow \chi$: the challenge ciphertext is then $(a', (a' + k)\cdot s + (e + w))$. For convenience, we therefore define the following problem.

The Variant of RLWE * Problem
Definition 4. (k-RLWE*). As in Definition 2, the k-RLWE* problem is to distinguish the following two distributions with non-negligible advantage. In the first distribution, one samples $(a, b)$ uniformly from $R_q \times R_q$. In the second distribution, one samples $(a, b) \in R_q^* \times R_q$ by sampling $a, k \leftarrow R_q^*$ uniformly, with $s \in R_q$ and $e \leftarrow \chi$, and setting $b = (a + k)\cdot s + e$; call this distribution $\bar{A}^*_{s,\chi}$.
Observe that for $k = 0$ the k-RLWE* problem is exactly the RLWE* problem. For $k \ne 0 \in R_q$, we give a probabilistic polynomial-time reduction showing that the k-RLWE* problem remains hard, i.e. that $A^*_{s,\chi}$ may be replaced by $\bar{A}^*_{s,\chi}$.
Lemma 6. For any $n \ge 1$, $q \ge 2$ and error distribution $\chi$, there is a probabilistic polynomial-time reduction from RLWE* to k-RLWE* that reduces the advantage by at most $2^{-n}$.
Proof. Given a sample $(a_0, b_0) \in R_q^* \times R_q$ and a sample $(k, b_1) \in R_q^* \times R_q$ from the RLWE* oracle, the reduction outputs the new instance $(a = a_0, b = b_0 + b_1) \in R_q^* \times R_q$. If both $(a_0, b_0)$ and $(k, b_1)$ are drawn from $U(R_q^* \times R_q)$, then $b_0$ and $b_1$ are uniform in $R_q$, so the reduction outputs a uniform sample $(a_0, b_0 + b_1)$, up to statistical distance $2^{-n}$. If $(a_0, b_0)$ is drawn from $U(R_q^* \times R_q)$ and $(k, b_1)$ from $A^*_{s,\chi}$, then $b_0$ is uniform in $R_q$ and $b_1 = k\cdot s + e_1$ is pseudorandom, so the output $(a_0, b_0 + b_1)$ is again uniform up to statistical distance $2^{-n}$; the case of $(a_0, b_0)$ from $A^*_{s,\chi}$ and $(k, b_1)$ from $U(R_q^* \times R_q)$ is symmetric. Finally, if both samples come from $A^*_{s,\chi}$, then $b = b_0 + b_1 = a_0\cdot s + e_0 + k\cdot s + e_1 = (a_0 + k)\cdot s + (e_0 + e_1)$. Writing $e' = e_0 + e_1$, the pair $(a_0, (a_0 + k)\cdot s + e')$ is exactly a k-RLWE* instance, so the reduction outputs a sample from $\bar{A}^*_{s,\chi}$, up to statistical distance $2^{-n}$ (note that $e'$ is the sum of two independent samples from $\chi$, so the k-RLWE* instance obtained has error distribution $\chi + \chi$, which is slightly wider than $\chi$). In summary, if the RLWE* problem is infeasible, then so is the k-RLWE* problem; that is, $\bar{A}^*_{s,\chi}$ is indistinguishable from uniform, as desired.
We also give the Hermite normal form of the k-RLWE* problem; this modification makes the secret short, which is used in the symmetric-key scheme below.

Lemma 7.
For modulus $q$, arbitrary $s \in R_q$ and the error distribution $\chi$, there is a deterministic polynomial-time transformation $T$ which maps $\bar{A}^*_{s,\chi}$ to $\bar{A}^*_{\varphi,\chi}$ where $\varphi \leftarrow \chi$, and maps $U(R_q^* \times R_q)$ to itself.
The proof is given in Appendix A.

Symmetric-Key Scheme with KDM Security
As in the previous section, given the security parameter $\lambda$, let $q = q(\lambda) \ge 2$, let $f(x) = x^n + 1$ with $n = n(\lambda)$ a power of 2, and let $\chi$ be an error distribution over $R = \mathbb{Z}[x]/(f(x))$. We describe a symmetric-key scheme based on the k-RLWE* problem. To reduce the norm of the ciphertext noise, [25] uses a binary secret $s \in R_2$ and shows that the scheme remains secure under this optimization as long as the Hamming weight $h$ is small enough and $\binom{n}{h}$ is large enough; in their final parameters they construct a somewhat homomorphic encryption scheme with $t = 2$, $h = 63$ and $f(x) = x^n + 1$, where $m \in R_t$. Since the results for the RLWE setting carry over to the k-RLWE* setting, using such a binary secret in our symmetric-key scheme does not affect its security.
The scheme encrypts $m \in R_2$ as $c = (c_1, c_2) = (a, a\cdot s + 2e + m)$ with $a \leftarrow R_q^*$ and $e \leftarrow \chi$ (the ciphertext form given at the start of this section, with the error doubled so that it vanishes modulo 2), and decrypts by computing $((c_2 - c_1\cdot s) \bmod q) \bmod 2$. Since $c_2 - c_1\cdot s = m + 2e$, the ciphertext noise is small compared with the public-key scheme: decryption is correct as soon as $\|2e\|_\infty < q/2$, i.e. when $q > 4\sigma\sqrt{n}$. The KDM-CPA security is shown as in Section 3.3, except that there is no public key. Although the message space is reduced to $R_2$, there is still a linear function $f(sk) = k\cdot s + 2w$ for which KDM security holds.

Theorem 3. Sample $k \leftarrow R_q$ uniformly and $w \leftarrow D_{\mathbb{Z}^n,\sigma}$ with $\sigma \ge \omega(\sqrt{\log n})$. The RSKE2 scheme is KDM-CPA secure with respect to the linear function $f(sk) = k\cdot s + 2w$, assuming that k-RLWE* is hard.
Proof. The proof is similar to that of Theorem 2 for RPKE1, so we only sketch it. Replacing $m$ by $f(sk)$, the challenge ciphertext is $c = (c_1, c_2) = (a + 1, (a + 1)\cdot s + 2e + k\cdot s + 2w)$, where $k \leftarrow R_q$ uniformly and $w \leftarrow D_{\mathbb{Z}^n,\sigma}$. Observe that $c_2 = (a + 1 + k)\cdot s + 2(e + w)$; defining $a' = a + 1$ and $e' = e + w$, the challenge ciphertext becomes $c = (a', (a' + k)\cdot s + 2e')$, which is exactly an instance of the k-RLWE* problem. Hence the challenge ciphertext $c$ is pseudorandom, i.e. the adversary $A$ cannot distinguish it from an encryption of the message 0. Therefore, RSKE2 is KDM-CPA secure under the k-RLWE* assumption.
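The following is an added worked example (not the authors' code) that instantiates the RPKE1 scheme of Section 3 and the RSKE2 symmetric-key scheme of this section over $R_q = \mathbb{Z}_q[x]/(x^n + 1)$ in Python, together with a CRT-based membership test for $R_q^*$ that relies on $q \equiv 1 \pmod{2n}$ (so that $x^n + 1$ splits into linear factors over $\mathbb{Z}_q$). The parameters $n = 64$, $q = 65537$, $t = 16$, $\sigma = 2$ and $h = 8$, the rounded-Gaussian sampler and all function names are choices made for this example, not parameters from the paper, and are far too small to be secure. Besides encryption and decryption, the example checks the two algebraic rewritings used in the security proofs: for RPKE1, that the ciphertext of $f(sk) = k\cdot s + t\cdot w$ satisfies $c_2 = a'\cdot s + t\cdot(\text{small})$ with $a' = a\cdot r + k$ (game $H_1$ of Theorem 2), and for RSKE2, that the ciphertext of $f(sk) = k\cdot s + 2w$ is exactly a k-RLWE* sample $(a, (a + k)\cdot s + 2(e + w))$ (proof of Theorem 3).

```python
"""Toy instantiation of RPKE1 (Section 3) and RSKE2 (Section 4) over
R_q = Z_q[x]/(x^n + 1).  Added example, not the authors' code; n, q, t,
sigma and h below are toy values chosen so that it runs instantly and
are not a secure parameter set."""
import random

N, Q, T, SIGMA, H = 64, 65537, 16, 2.0, 8   # q = 1 mod 2n, gcd(t, q) = 1

def add(f, g): return [(x + y) % Q for x, y in zip(f, g)]
def sub(f, g): return [(x - y) % Q for x, y in zip(f, g)]
def scale(c, f): return [(c * x) % Q for x in f]
def centered(f): return [x - Q if x > Q // 2 else x for x in f]   # [f]_q
def uniform(rng): return [rng.randrange(Q) for _ in range(N)]
def gauss(rng):   # rounded continuous Gaussian, standing in for D_{Z^n,sigma}
    return [round(rng.gauss(0, SIGMA)) % Q for _ in range(N)]

def mul(f, g):    # schoolbook product in Z_Q[x] reduced by x^N + 1 (x^N = -1)
    r = [0] * N
    for i, fi in enumerate(f):
        for j, gj in enumerate(g):
            if i + j < N:
                r[i + j] = (r[i + j] + fi * gj) % Q
            else:
                r[i + j - N] = (r[i + j - N] - fi * gj) % Q
    return r

def _roots():     # the N roots of x^N + 1 in Z_Q: odd powers of a primitive 2N-th root
    for g in range(2, Q):
        psi = pow(g, (Q - 1) // (2 * N), Q)
        if pow(psi, N, Q) == Q - 1:
            return [pow(psi, 2 * i + 1, Q) for i in range(N)]
    raise ValueError("need Q = 1 mod 2N")
ROOTS = _roots()

def is_invertible(f):   # f in R_Q^* iff f(psi) != 0 at every root psi (CRT over Z_Q)
    for psi in ROOTS:
        v = 0
        for c in reversed(f):              # Horner evaluation of f at psi
            v = (v * psi + c) % Q
        if v == 0:
            return False
    return True

def uniform_invertible(rng):              # a <- R_Q^* by rejection; rejection is rare
    a = uniform(rng)
    return a if is_invertible(a) else uniform_invertible(rng)

def rpke1_keygen(rng):                    # RPKE1: public-key scheme, message space R_t
    s, e, a = gauss(rng), gauss(rng), uniform_invertible(rng)
    return (a, add(mul(a, s), scale(T, e))), s          # pk = (a, a*s + t*e), sk = s
def rpke1_enc(pk, m, rng, coins=None):
    a, b = pk
    r, e1, e2 = coins or (gauss(rng), gauss(rng), gauss(rng))
    return add(mul(a, r), scale(T, e1)), add(add(mul(b, r), scale(T, e2)), m)
def rpke1_dec(s, c):
    return [x % T for x in centered(sub(c[1], mul(c[0], s)))]   # ([c2 - c1*s]_q) mod t

def rske2_keygen(rng):                    # RSKE2: binary secret of Hamming weight H
    idx = set(rng.sample(range(N), H))
    return [1 if i in idx else 0 for i in range(N)]
def rske2_enc(s, m, rng, coins=None):
    a, e = coins or (uniform_invertible(rng), gauss(rng))
    return a, add(add(mul(a, s), scale(2, e)), m)         # (a, a*s + 2e + m)
def rske2_dec(s, c):
    return [x % 2 for x in centered(sub(c[1], mul(c[0], s)))]

def roundtrips(seed):
    """Decrypt a random m in R_t under RPKE1 and a random m in R_2 under RSKE2."""
    rng = random.Random(seed)
    pk, s = rpke1_keygen(rng)
    m = [rng.randrange(T) for _ in range(N)]
    s2 = rske2_keygen(rng)
    m2 = [rng.randrange(2) for _ in range(N)]
    return (rpke1_dec(s, rpke1_enc(pk, m, rng)) == m,
            rske2_dec(s2, rske2_enc(s2, m2, rng)) == m2)

def rpke1_kdm_shape(seed):
    """Encrypt f(sk) = k*s + t*w under RPKE1 and check the rewriting of game H1:
    c2 - a'*s is t times a small element, where a' = a*r + k."""
    rng = random.Random(seed)
    pk, s = rpke1_keygen(rng)
    k, w = gauss(rng), gauss(rng)
    coins = (gauss(rng), gauss(rng), gauss(rng))
    _, c2 = rpke1_enc(pk, add(mul(k, s), scale(T, w)), rng, coins)
    d = centered(sub(c2, mul(add(mul(pk[0], coins[0]), k), s)))
    return all(x % T == 0 for x in d) and max(map(abs, d)) < Q // 4

def rske2_kdm_shape(seed):
    """Encrypt f(sk) = k*s + 2w under RSKE2 and check that the ciphertext is exactly
    the k-RLWE* sample (a, (a + k)*s + 2e') with e' = e + w (proof of Theorem 3)."""
    rng = random.Random(seed)
    s = rske2_keygen(rng)
    k, w = uniform(rng), gauss(rng)
    coins = (uniform_invertible(rng), gauss(rng))
    a, c2 = rske2_enc(s, add(mul(k, s), scale(2, w)), rng, coins)
    return sub(c2, mul(add(a, k), s)) == scale(2, add(coins[1], w))
```

Calling `roundtrips(1)`, `rpke1_kdm_shape(1)` and `rske2_kdm_shape(1)` runs the checks. Two points are worth noticing when running it. First, RSKE2 decryption returns $(m + 2e) \bmod 2$, so a key-dependent message is recovered intact only when it already lies in the message space $R_2$; for $m = k\cdot s + 2w$ with uniform $k$ the decryptor obtains $[k\cdot s + 2(w + e)]_q \bmod 2$, and the same holds for RPKE1 with $R_t$ in place of $R_2$, which is why the KDM proofs argue about the shape of the ciphertext rather than about decryption. Second, sampling $a$ from $R_q^*$ by rejection costs one evaluation of $a$ at all $n$ roots of $x^n + 1$ per attempt, and a uniform element fails the test with probability only about $n/q$, matching the density statement quoted in Section 3.1.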

Performance
In this section, we give a detailed performance comparison between our RPKE1 and RSKE2 schemes and the ACPS scheme [8]. For the same security parameter $\lambda$, analysing the ACPS scheme makes clear the difference between the lattice problems on which the schemes are based. First, our schemes replace LWE by RLWE, which improves efficiency in practice. Second, regarding the noise distribution, in order to obtain suitably distributed key-dependent ciphertexts the ACPS scheme introduces the noise-flooding technique (namely $e \leftarrow \Psi_{\sigma'}$), which increases the modulus $q$ and lowers efficiency. Because of the quantum reduction for the LWE problem, the standard deviation of the additional noise distribution is $\sigma' \approx n^{-1}\cdot\sigma^{-4}$ with $\sigma = \omega(\sqrt{\log n})$, and $m = O(n\log n) \le n\log n \approx n\cdot\sigma^2$, $p = O(\sqrt{mn}) \approx n\cdot\sigma^3$, $q = p^2 \approx n^2\cdot\sigma^6 = \mathrm{poly}(n)\cdot\sigma^6$. As shown in Table 1, we use the same standard deviation $\sigma = \omega(\sqrt{\log n})$ but no extra noise distribution $\Psi_{\sigma'}$ in ciphertext generation. The $w \leftarrow D_{\mathbb{Z}^n,\sigma'}$ of the hybrid game is irrelevant here, because it does not affect the efficiency of the scheme. In addition, we greatly reduce the message space to $R_t$ and the modulus to $q = t\cdot\mathrm{poly}(n)\cdot\sigma^2$ with $t = \sigma\sqrt{n}$. The last row adds the symmetric-key scheme; ACPS also gave a similar symmetric-key cryptosystem. Although the two are of different types, as a variant of RPKE1 our symmetric scheme shows the same advantages. Table 1. Parameter setting of ACPS and our schemes.
Finally, we estimate concrete parameters for our schemes. Compared with ACPS, the efficiency is greatly improved: encryption and decryption cost only polylog(n) bit operations per message symbol. From the parameters (modulus $q$, degree $n$ and error distribution $\chi = D_{\mathbb{Z}^n,\sigma}$) we obtain concrete secret-key, public-key and ciphertext sizes. For example, the public-key size of the ACPS scheme is $m\cdot n\cdot\log q \approx n^2\cdot\log^2 n = \tilde O(n^2)$, its ciphertext size is $n\cdot\log q = \tilde O(n)$, and the secret keys of ACPS and RPKE1 both have norm about $\sigma\cdot\sqrt{n}$ (both sample $s \leftarrow \chi$). The performance comparison of ACPS and our schemes is listed in Table 2. All sizes are in bits.
There are many KDM-secure encryption schemes besides ACPS, including many based on traditional number-theoretic problems. In terms of computational efficiency, however, lattice-based cryptosystems remain more efficient, and their security rests on worst-case lattice problems (Theorem 1). Moreover, the ciphertext operations consist mainly of encryption and decryption, whereas the other schemes do not have compact ciphertexts. Hence, from the usability perspective, our schemes improve on the previous ones.

Conclusions
In this paper, we introduced lattice-based cryptosystems with strong security properties that avoid the inefficiency of the ACPS scheme, which samples from a discrete Gaussian distribution with a sufficiently large standard deviation and generates extra "malformed" distributions. The public-key and symmetric-key cryptosystems provide security for key-dependent messages. Compared with the previous scheme, our schemes are compact and support a stable set of challenge functions. Both the public-key size and the ciphertext size are $\tilde O(n)$, and encryption and decryption cost only polylog(n) bit operations per message symbol. Our schemes satisfy KDM-CPA security under the RLWE* assumption (the k-RLWE* assumption for the symmetric-key scheme) and offer simple operations, parallelizability and improved asymptotic efficiency.
However, some aspects of the scheme remain to be explored and improved, such as the use of an additional noise distribution in the hybrid game, and future work is needed to construct a fully homomorphic encryption scheme with circular security.

Conflicts of Interest:
The authors declare no conflict of interest.

Appendix A. Proof of Lemma 7
Proof. The transformation $T$ has access to the distribution $D$ over $R_q^* \times R_q$, which is either $\bar{A}^*_{s,\chi}$ or $U(R_q^* \times R_q)$. We prove the claim in two steps. First, $T$ generates a sample $(a, b) \in R_q^* \times R_q$ by drawing from the distribution $D$; when $D = \bar{A}^*_{s,\chi}$, we have $b = (a + k)\cdot s + x$ with $x \leftarrow \chi$. Second, $T$ transforms samples from $D$ into samples from a different distribution: the sample $(a, b) \in R_q^* \times R_q$ from $D$ is mapped to $(a', b') \in R_q^* \times R_q$, where $a' = -a^{-1}\cdot a$, $b' = b - \phi + a'\cdot b$, and $\phi = (a + k)\cdot s + e_1$ with $e_1 \leftarrow \chi$.
In particular, $a' \in R_q^*$ is uniform, since $a \leftarrow R_q^*$ is invertible modulo $q$ and $a$ is chosen from $U(R_q^*)$. If $D = U(R_q^* \times R_q)$, then $(a', b')$ is also distributed according to $U(R_q^* \times R_q)$. If $D = \bar{A}^*_{s,\chi}$, then $b = (a + k)\cdot s + e$, so we have
$$b' = b - \phi + a'\cdot b = a' - a'\cdot s + (e - e_1) + a'\cdot(a + k)\cdot s + a'\cdot x = a' - a'\cdot s + (e - e_1) - a' + a'\cdot s + a'\cdot x = (k - 1)\cdot a'\cdot s + a'\cdot x + (e - e_1).$$
Since this does not give a distribution of the form $\bar{A}^*_{\varphi,\chi}$ for general $k$, we set $k = 1$ (the k-RLWE* problem remains hard in this case). Then
$$b' = a'\cdot x + (e - e_1) = (a' + 1)\cdot x + (e - e_1 - x) = (a' + 1)\cdot\varphi + e',$$
where $\varphi = x$ and $e' = e - e_1 - x$; therefore $(a', b')$ is distributed according to $\bar{A}^*_{\varphi,\chi}$, as desired.