2.1. Notation
In this work, a Probabilistic PKE (PPKE) is a set, $\pi $, composed of three algorithms, key generation, ${\mathcal{G}}^{\prime}$, encryption, $\mathcal{E}$, and decryption, $\mathcal{D}$, together with two sets, M and C, where M is the set of possible messages and C is an optional set from which the encryption randomness is drawn. In short, $\pi =\{{\mathcal{G}}^{\prime},\mathcal{E},\mathcal{D},M,C\}$. When the PKE is deterministic (DPKE), C is omitted. M can also be omitted when it is not necessary to specify it.
A KEM is a set made of three algorithms: key generation, $\mathcal{G}$, encapsulation, $\mathcal{E}c$, and decapsulation, $\mathcal{D}c$. We will denote this set by $\kappa =\{\mathcal{G},\mathcal{E}c,\mathcal{D}c\}$.
The correctness of a PKE is measured by the probability of generating invalid ciphertexts, that is, ciphertexts output by the encryption algorithm on which the decryption algorithm fails and returns an error (denoted ⊥). We say that a given PKE, $\pi =\{{\mathcal{G}}^{\prime},\mathcal{E},\mathcal{D},M\}$, is perfectly correct if, for any pair of public and secret keys, $(pk,sk)$, generated by ${\mathcal{G}}^{\prime}$, any message $m\in M$, and $c:=\mathcal{E}(pk,m)$, then
A PKE $\pi $ is said to be $\gamma $-spread if, for every key pair $(pk,sk)\leftarrow {\mathcal{G}}^{\prime}$ and every message $m\in M$, the ciphertext $\mathcal{E}(pk,m)$ is sufficiently random over the encryption randomness, namely no single ciphertext value is output with probability higher than $2^{-\gamma}$, that is,
2.2. Some Security Aspects
The main reason to apply the FO transformation is to obtain schemes that provide a strong notion of security, starting from a weaker one.
One-Way Encryption:
The One-Wayness (OW) notion is usually regarded as a weak security definition for asymmetric encryption. Consider the PKE $\pi =\{{\mathcal{G}}^{\prime},\mathcal{E},\mathcal{D},M,C\}$ and let A be an adversary against $\pi $. The adversary receives the encryption $c=\mathcal{E}(pk,m)$ of a random message and must output the plaintext m; to do so, it may consult an oracle. Depending on the oracle ${O}^{A}$, a different attack is obtained, but the advantage is defined in the same way regardless of the oracle and is denoted $OW-*$. For $k\in \mathbb{N}$, the advantage of A is defined as
Depending on the oracle given to A, the following attacks are obtained:
If A has no oracle, the attack is a One-Way Chosen-Plaintext Attack (OW-CPA).
If ${O}^{A}$ is a plaintext-checking oracle (Pco), then A mounts a One-Way Plaintext-Checking Attack (OW-PCA). The oracle works as follows: $\mathrm{Pco}({m}^{\prime},{c}^{\prime})=1$ if $\mathcal{D}(sk,{c}^{\prime})={m}^{\prime}$, and $\mathrm{Pco}({m}^{\prime},{c}^{\prime})=0$ otherwise.
If ${O}^{A}$ is a ciphertext-validation oracle (Cvo), then A mounts a One-Way Validation Attack (OW-VA). The oracle takes a ciphertext ${c}^{\prime}$ as input, computes ${m}^{*}\leftarrow \mathcal{D}(sk,{c}^{\prime})$, and returns 1 if ${m}^{*}\in M$ (i.e., decryption did not fail) and 0 otherwise.
If ${O}^{A}$ encompasses both a plaintext-checking oracle and a validation oracle, then A mounts a One-Way Plaintext-Checking-Validation Attack (OW-PCVA).
The adversary A is not allowed to query the oracles on the challenge ciphertext c itself (so it cannot simply ask $\mathrm{Pco}(m,c)$ or $\mathrm{Cvo}(c)$).
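As an added illustration (not code from the paper), the following Python sketch runs the Pco and Cvo oracles against a toy Regev-style LWE encryption of single bits. The parameters Q, N, M, the ternary error, and SHA-256 standing in for the random oracle G are assumptions chosen only to make the games concrete; the scheme is far too small to be secure. It shows the fact the FO transformation relies on: once encryption is derandomised as $\mathcal{E}(pk,m;G(m))$ and decryption re-encrypts and rejects mismatches, the plaintext-checking oracle can be answered from the public key alone by re-encrypting, whereas for the original randomised scheme re-encryption with fresh randomness does not reproduce a ciphertext.

```python
import hashlib
import random

# Toy Regev-style LWE encryption of single bits. The parameters are assumed
# and far too small for any security; they only make the oracle games concrete.
Q, N, M = 3329, 8, 24        # modulus, secret dimension, number of LWE samples
BOT = None                    # the rejection symbol ⊥

def dot(u, v):
    return sum(a * b for a, b in zip(u, v)) % Q

def keygen(rng):
    """G': pk = (A, b = A s + e), sk = s, with e a small ternary error vector."""
    A = [[rng.randrange(Q) for _ in range(N)] for _ in range(M)]
    s = [rng.randrange(Q) for _ in range(N)]
    e = [rng.choice((-1, 0, 1)) for _ in range(M)]
    b = [(dot(row, s) + ei) % Q for row, ei in zip(A, e)]
    return (A, b), s

def encrypt(pk, m, r):
    """E(pk, m; r): m in {0,1}, r a 0/1 selection vector of length M (the set C)."""
    A, b = pk
    u = [sum(r[i] * A[i][j] for i in range(M)) % Q for j in range(N)]
    v = (dot(b, r) + m * (Q // 2)) % Q
    return (tuple(u), v)

def decrypt(sk, c):
    """D(sk, c) of the randomised scheme: never rejects, always outputs a bit."""
    u, v = c
    d = (v - dot(u, sk)) % Q              # = m*(Q//2) + <e, r>, with |<e, r>| <= M < Q/4
    return 1 if Q // 4 < d < 3 * Q // 4 else 0

def G(m):
    """Random oracle G modelled by SHA-256 (assumption); its output fixes r."""
    h = hashlib.sha256(bytes([m])).digest()
    return [(h[i // 8] >> (i % 8)) & 1 for i in range(M)]

def encrypt_det(pk, m):
    """Derandomised encryption E(pk, m; G(m)) as used by the FO transformation."""
    return encrypt(pk, m, G(m))

def decrypt_det(sk, pk, c):
    """Derandomised decryption: decrypt, re-encrypt, reject (⊥) on mismatch."""
    m = decrypt(sk, c)
    return m if encrypt_det(pk, m) == c else BOT

def pco_secret(sk, pk, m, c):
    """Plaintext-checking oracle Pco(m', c') as defined above, using sk."""
    return 1 if decrypt_det(sk, pk, c) == m else 0

def pco_public(pk, m, c):
    """The same oracle without sk: deterministic encryption makes it public."""
    return 1 if encrypt_det(pk, m) == c else 0

def cvo_public(pk, c):
    """Cvo for this toy: the message space {0,1} is small enough to enumerate."""
    return 1 if any(encrypt_det(pk, m) == c for m in (0, 1)) else 0

def pco_experiment(trials=200, seed=1):
    rng = random.Random(seed)
    pk, sk = keygen(rng)
    agree = rand_match = 0
    for _ in range(trials):
        m = rng.randrange(2)
        if rng.randrange(2):                      # a valid derandomised ciphertext
            c = encrypt_det(pk, m)
        else:                                     # a malformed ciphertext
            c = (tuple(rng.randrange(Q) for _ in range(N)), rng.randrange(Q))
        m_query = rng.randrange(2)
        agree += pco_secret(sk, pk, m_query, c) == pco_public(pk, m_query, c)
        # Randomised scheme: re-encrypting m with fresh r does not reproduce c.
        c_rand = encrypt(pk, m, [rng.randrange(2) for _ in range(M)])
        rand_match += encrypt(pk, m, [rng.randrange(2) for _ in range(M)]) == c_rand
    return {"trials": trials, "pco_agree": agree,
            "randomised_reencrypt_matches": rand_match,
            "cvo_valid": cvo_public(pk, encrypt_det(pk, 1)),
            "cvo_malformed": cvo_public(pk, (tuple([0] * N), 0))}
```

pco_experiment() reports how often the secret-key oracle and the public re-encryption oracle agree (always, for the derandomised scheme, on valid and malformed ciphertexts alike) and how often fresh re-encryption reproduces a randomised ciphertext (essentially never). The public Cvo here only works because the toy message space has two elements; for a realistic message space the validation oracle cannot be obtained by enumeration.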
Definition 1. Let $ATK\in \{CPA,PCA,VA,PCVA\}$. A PKE, denoted by π, is said to be $(\epsilon,t,q)$-secure in the OW-ATK sense if every OW-ATK adversary A that runs in time at most t and makes at most q queries to its oracle ${O}^{A}$ has advantage at most $\epsilon$.
INDistinguishability under Chosen Ciphertext Attacks (IND-CCA) was established by NIST as the target notion of semantic security. Here, we introduce the formal definitions of IND-CCA and of INDistinguishability under Chosen Plaintext Attacks (IND-CPA) in the Random Oracle Model (ROM).
Let $A=({A}_{1},{A}_{2})$ be an adversary against a PKE, $\pi $, that behaves as follows. First, a key pair $(pk,sk)\leftarrow {\mathcal{G}}^{\prime}$ is generated and a random bit $b{\leftarrow}_{R}\{0,1\}$ is drawn (the secret key and b are unknown to A). ${A}_{1}$ (A finds the way) takes the public key as input and outputs two valid plaintexts, ${m}_{0},{m}_{1}$, together with a state value s. To generate these outputs, ${A}_{1}$ can query two random oracles, H and G. Then $c=\mathcal{E}(pk,{m}_{b})$ is computed (b is still unknown to the attacker). ${A}_{2}$ (A guesses the way) takes s and c as input, queries the random oracles until it is able to make a guess, and outputs ${b}^{\prime}\in \{0,1\}$. The adversary is successful if ${b}^{\prime}=b$. The advantage of A as an IND-CPA adversary is defined as follows:
Definition 2. An adversary A $(t,{q}_{g},{q}_{h},\epsilon)$-breaks π in the IND-CPA sense in the ROM if A runs in time at most t, asks at most ${q}_{g}$ queries to G and at most ${q}_{h}$ queries to H, and achieves $Ad{v}_{\pi}^{IND-CPA}\left(A\right)\ge \epsilon$. An encryption scheme π is $(t,{q}_{g},{q}_{h},\epsilon)$-secure in the IND-CPA sense if no adversary breaks it in that sense.
A stronger notion than IND-CPA is INDistinguishability under Chosen Ciphertext Attacks (IND-CCA). It can be defined for a general public-key encryption scheme; however, since in this work it is only applied to KEMs, we present the KEM version, which differs slightly from the PKE one: the challenge handed to the adversary is a ciphertext together with either the key it encapsulates or a uniformly random key, and the adversary must decide which. In addition to the random oracles of the IND-CPA game, the adversary is given a decapsulation oracle, which returns the key encapsulated by any ciphertext of its choice except the challenge ciphertext. The advantage for IND-CCA security is defined as follows.
The final security notion considered is Disjoint Simulatability (DS). Let ${D}_{M}$ be a distribution over the message space M of a deterministic PKE. The DPKE scheme is ${D}_{M}$-disjoint simulatable if the ciphertext of a message distributed according to ${D}_{M}$ can be simulated by a simulator that does not know the message, and the simulated ciphertext is invalid (i.e., it does not belong to the image of the encryption algorithm) with overwhelming probability [6].
Generally speaking, to prove the security of a primitive P under the hardness of a problem S, a reduction algorithm R is constructed that uses an adversary A against the security of P as a subroutine in order to solve S [6]. If $(t,r)$ and $({t}^{\prime},{r}^{\prime})$ denote the running time and success probability of A and R, respectively, the reduction is said to be tight [8] if $t\approx {t}^{\prime}$ and $r\approx {r}^{\prime}$. A tight reduction guarantees that breaking the primitive P is essentially as hard as solving the problem S. If the reduction is non-tight, P is not guaranteed to be hard to break even when S is [7], and the parameters of P usually have to be adjusted (typically enlarged) to compensate for the loss in the reduction and retain the claimed security level.
2.3. Lattice-Based Problems
Lattice-based cryptography has proven to be one of the most promising mathematical foundations for post-quantum algorithms. The two classical problems used in lattice-based cryptography are the Shortest Vector Problem (SVP) and the Closest Vector Problem (CVP); however, most of the candidates in the NIST call base their security on the Learning With Errors (LWE) problem.
Given a lattice L, the LWE problem can be stated as follows: given pairs $({\mathbf{a}}_{i},{b}_{i})$ such that ${\mathbf{a}}_{i}{\leftarrow}_{R}L$ and ${b}_{i}=\langle \mathbf{s},{\mathbf{a}}_{i}\rangle +{e}_{i}$, where ${e}_{i}{\leftarrow}_{R}\chi $ is an error sampled from an error distribution $\chi $ (Gaussian, binomial, etc.), the goal is to find the secret vector $\mathbf{s}\in L$. The notation ${\leftarrow}_{R}$ denotes that the elements are chosen uniformly at random. If no algebraic structure is imposed on the lattice, then $L={\mathbb{Z}}_{q}^{n}$ and all operations are taken modulo q. The objective is to determine the vector $\mathbf{s}$ from several samples such as the following ones:
If the error ${e}_{i}$ were not added to the inner product of $\mathbf{s}$ and ${\mathbf{a}}_{i}$, then $\mathbf{s}$ could be recovered efficiently by Gaussian elimination from the linear system $\mathbf{b}=\mathbf{A}\mathbf{s}$, where $\mathbf{A}$ is the matrix whose rows are the vectors ${\mathbf{a}}_{i}$; the error terms are what make the problem hard.
Given a ring, $\mathcal{R}$, the Ring LWE problem (RLWE) is the same problem as above, but now $(a,b)\in \mathcal{R}\times \mathcal{R}$. The ring usually considered is $\mathcal{R}={\mathcal{R}}_{q}={\mathbb{Z}}_{q}\left[x\right]/({x}^{n}\pm 1)$. The ring structure allows faster computation and smaller keys; however, the same structure could potentially be exploited by attacks that are not available against plain LWE. The Module LWE (MLWE) problem is analogous to RLWE but over a module (vectors of ring elements) instead of a single ring. Finally, the Module Learning With Rounding (MLWR) problem is a variant of MLWE in which the small error terms are not sampled; instead, the error is introduced deterministically by rounding each coefficient from the modulus q down to a smaller modulus p.
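The following Python example is added here to make the LWE and rounding paragraphs above concrete; it is not code from the paper, and the parameters Q = 3329, N = 16, P = 64 and the ternary error distribution are assumptions for illustration only (far too small to be secure). It generates LWE samples, shows that Gaussian elimination over $\mathbb{Z}_q$ recovers $\mathbf{s}$ exactly when no error is added, that the same elimination returns a wrong $\mathbf{s}$ (or finds the system inconsistent) once small errors are present, and, for the rounding variant, that the implicit error introduced by rounding from q to p is bounded by q/(2p) and is fixed by the sample itself rather than sampled.

```python
import random

# Parameters assumed for this illustration: Q prime so that Z_Q is a field,
# N the dimension of s, P < Q the rounding modulus of the LWR variant.
Q, N, P = 3329, 16, 64

def ternary(rng):
    """Small error drawn from {-1, 0, 1} (a stand-in for the distribution chi)."""
    return rng.choice((-1, 0, 1))

def sample_lwe(n, m, q, rng, noise):
    """Return (A, b, s, e) with b_i = <a_i, s> + e_i (mod q), a_i uniform in Z_q^n."""
    s = [rng.randrange(q) for _ in range(n)]
    A = [[rng.randrange(q) for _ in range(n)] for _ in range(m)]
    e = [noise(rng) for _ in range(m)]
    b = [(sum(a * x for a, x in zip(row, s)) + ei) % q for row, ei in zip(A, e)]
    return A, b, s, e

def solve_mod_q(A, b, q):
    """Gaussian elimination over Z_q (q prime) for A s = b, with len(A) >= len(A[0]).
    Returns s, or None when the system is rank-deficient or inconsistent."""
    n = len(A[0])
    rows = [row[:] + [bi] for row, bi in zip(A, b)]      # augmented matrix [A | b]
    for col in range(n):
        piv = next((i for i in range(col, len(rows)) if rows[i][col]), None)
        if piv is None:
            return None                                   # no pivot: rank < n
        rows[col], rows[piv] = rows[piv], rows[col]
        inv = pow(rows[col][col], -1, q)                  # modular inverse (Python 3.8+)
        rows[col] = [(x * inv) % q for x in rows[col]]
        for i in range(len(rows)):
            if i != col and rows[i][col]:
                f = rows[i][col]
                rows[i] = [(x - f * y) % q for x, y in zip(rows[i], rows[col])]
    if any(any(row) for row in rows[n:]):                 # leftover rows must vanish
        return None                                       # inconsistent: e not in colspace(A)
    return [rows[i][n] for i in range(n)]

def lwr_samples(n, m, q, p, rng):
    """Plain (module-free) LWR toy: b_i = round(p/q * <a_i, s>) mod p. Returns the
    samples and the implicit rounding errors e_i = <a_i, s> - (q/p) * round(p/q * <a_i, s>)."""
    s = [rng.randrange(q) for _ in range(n)]
    A = [[rng.randrange(q) for _ in range(n)] for _ in range(m)]
    samples, errors = [], []
    for row in A:
        x = sum(a * t for a, t in zip(row, s)) % q
        r = (2 * p * x + q) // (2 * q)             # exact round(p*x/q), halves round up
        samples.append((row, r % p))
        errors.append(x - r * q / p)               # |e_i| <= q/(2p); determined by x alone
    return samples, errors

def lwe_experiment(seed=7):
    rng = random.Random(seed)
    # Noiseless system b = A s with a few more equations than unknowns: s is unique.
    A, b, s, _ = sample_lwe(N, N + 2, Q, rng, lambda r: 0)
    noiseless = solve_mod_q(A, b, Q)
    # Same A with a small error e added: the square system yields a wrong s,
    # the overdetermined system becomes inconsistent.
    e = [ternary(rng) for _ in range(N + 2)]
    b_noisy = [(bi + ei) % Q for bi, ei in zip(b, e)]
    noisy_square = solve_mod_q(A[:N], b_noisy[:N], Q)
    noisy_over = solve_mod_q(A, b_noisy, Q)
    _, errors = lwr_samples(N, 32, Q, P, rng)
    return {
        "s": s,
        "noiseless": noiseless,
        "noisy_square": noisy_square,
        "noisy_over": noisy_over,
        "lwr_max_abs_error": max(abs(x) for x in errors),
    }
```

lwe_experiment() returns the true secret together with the three elimination results and the largest implicit LWR error; the noiseless solve matches s coordinate by coordinate, the noisy square solve does not, the noisy overdetermined solve reports inconsistency, and every rounding error stays below Q/(2P) = 26.0078.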