We will divide the proofs of security for the protocols into several theorems to ease the proofs. First, we will prove the CPA security of Encryption Scheme 1 as a one-player scheme, and then we will prove that no information is leaked when distributing the protocols. Finally, we will add everything to prove the CPA security of both protocols used together.
5.1. Security of Encryption Scheme
We will split the proof of security of Encryption Scheme 1 in three distinct parts: reducing the security of the encryption scheme to the decisional R
-LWE problem, reducing the R
-LWE problem with the
distribution to the R
-LWE problem with truncated discrete Gaussian, and finally reducing the decisional R
-LWE problem to the Discrete Gaussian Sampling over K
-DGS) with K
the field such that R
is its ring of integers, a well-known lattice problem assumed to be hard to solve. We will make this splitting because the first reduction will be for any distribution
, while the second reduction will be specifically for the distribution
. The first reduction follows the ideas from the reduction of Regev’s encryption scheme to LWE given in [15
]. For the detailed proof see Appendix B
Given χ a distribution over , there exists a reduction to the semantic security of the Encryption Scheme 1 from the decisional problem with distribution χ.
Note that the reduction is to the semantic security of the scheme and not the CPA security. However, it is well-known that in public key encryption both notions are equivalent (see, for example, Theorem 11.1 in [12
Second, we want to be able to ensure that if we know how to solve an instance of the decision R-LWE problem with a truncated discrete Gaussian we can solve an instance of the decision R-LWE problem with the distribution. This is clearly so given an instance of the decision R-LWE problem with the distribution one can see it as an instance with the truncated discrete Gaussian distribution except for a negligible amount of times. Therefore, the advantage of the adversary solving both instances will differ at most a negligible amount, as we needed.
Finally, we need to see that our R
-LWE instance is as hard to solve as a lattice problem, in our case as hard to solve as K
-DGS, where K
is the field such that R
is its ring of integers, in other words,
(for more detail in the definition of K
-DGS refer to Definition 2.10 and Section 2.3.3 in [17
]). This job has already been done in [17
], though to do so properly we need to give some clarifications about different ways to define the R
Let K be a number field with R its ring of integers. Let be the fractional co-differential ideal of K (), and let . Let be an integer modulus. Let us unpack this. First, in our specific case of K being a cyclotomic field with for some k, we have , so in turn it can be seen that is isomorphic to R. Second, which is isomorphic to , so looking it component by component could be seen as isomorphic to with . With this out of the way we can see their definition.
(Definition 2.14, [17
]). For and an error distribution ψ over , the R-LWE distribution over is sampled by independently choosing and an error term , and outputting .
Now our postulate is that this definition taking as
-dimensional spherical continuous Gaussian with parameter
(which is a distribution used in [17
]) and then raising it to
again, is a more general definition to our Definition 8 using
, in the sense that if we can solve an instance of the R
-LWE problem defined with the distribution in Definition 8 we can solve an instance of the R
-LWE problem with the distribution in Definition 14. It can be seen as one, as a spherical Gaussian in
can be seen as the product of n
independent Gaussians over
with the same standard deviation. Then, in essence what we are doing in Definition 14 is multiply a
, then divide the result by q
(which we can as we are seeing the elements in
which is a field) and adding the error distribution. Then, we reduce it modulo
thus landing in
. Now, if we look it component by component we have in essence computed
and then added to each component a sample of
, so when raising it again to
(by multiplying by q
and rounding) we get that
and to every component we have added an independent sample taken from
. Therefore, if
is the spherical Gaussian with parameter
, given an adversary who solves
it is easy to give an adversary who solves
Therefore, we can apply the result from [17
], for which we need to give two quick lattice definitions.
]). The minimum distance of a lattice is the length of the shortest non-zero lattice vector
The dual lattice of a given lattice is defined as
(Definition 3.1, [18
]). For a lattice , and a positive real , we define its smoothing parameter to be the smallest s such that , where for a lattice , and for some element .
Finally, we can give the following result.
(Corollary 7.3, [17
]). There is a polynomial-time quantum reduction from with function γ to the (average-case, decision) problem of solving using l samples with , and
as long as , where is an ideal lattice.
In conclusion, we have seen that breaking the security of Encryption Scheme 1 is at least as hard as solving the decision R-LWE problem with a truncated discrete Gaussian, which is at least as hard as solving the decision R-LWE problem with the distribution, which in turn is at least as hard as solving the K-DGS problem.
5.2. Non-Leakage of Information
In this section, we need to see that the adversary does not gain any extra information by interacting with the distributed protocol. We will start first with the Protocol 1, seeing that an adversary cannot distinguish between interacting with the protocol or with random inputs. Furthermore, we will also give the adversary the ability to choose its shares of the secret key and the PRSS keys, as it makes the game easier and it only serves to see that the protocol’s security is even stronger than what is usually required.
To appropriately do so we will need the following auxiliary lemmas about statistical distance, the proofs of which will be in Appendix B
Let Y be a probability distribution over such that is bounded by κ and X be a discrete uniform distribution in the integer interval with . Then, , where .
Let be two probability distributions over a countable support such that , and with for some . Then .
With these auxiliary lemmas we can go ahead and prove the adversary cannot distinguish between interacting with the protocol and random values.
Assume that is a secure pseudo-random function modeled as a random oracle, that the keys have been securely generated and distributed, that the secret key s has been securely generated and shared and that the parameters follow the conditions of Theorem 1. Then, the Decryption Protocol (Protocol 1) is secure against a passive and static adversary, corrupting up to players.
We want to construct an Attack Game in which the adversary cannot distinguish between the protocol executed correctly or with random values to show that the distribution does not leak anything about the secret key nor the error .
Let C denote the set of corrupted players and B the set of honest players. The Attack Game works as follows. Assume that the challenger knows the secret key and the such that (the keys that the adversary does not know) which have been securely generated. Assume that the challenger sends to the adversary the ciphertext and then submits as the challenge, where are the shares on the secret key of the corrupted players, are the keys such that (the keys knows) chosen by , and are the shares on the decryption of the corrupted players. Then, the challenger generates consistent shares on for the players not in C.
Once all these preliminaries are done, the challenger chooses and proceeds as following:
If : The challenger uses the decryption protocol to compute the shares of the decryption for the honest players. It computes the decrypted message and outputs .
If : The challenger computes for every H such that some element uniformly at random and we denote as the polynomial in with vector of coefficients . Then the challenger generates consistent shares of (the challenger knows as it can be computed using the protocol, given that everything needed is known) and outputs .
Finally outputs , meaning whether it thinks it has interacted with the protocol or with a simulation, and the Game concludes.
It is clear that
will be correct in both cases given the proof of Theorem 1, and furthermore,
will be an effective “decryption” of
in the sense that every coefficient will be closer to 0 if
and closer to
Therefore we only need to see that
are indistinguishable whether they are computed with
. Let us see it. First of all,
are computationally indistinguishable to the adversary given the properties of pseudo-randomness of
. We now want to see that the way
are distributed are at a negligible statistical distance. It is clear that
is distributed in the interval
values distributed uniformly in
) and as we have seen in the proof of Theorem 1
is in the interval
. Therefore, as the distribution of every coefficient is identical and independent we have that by Lemma 2
and by Lemma 3
so the distribution of
are at a negligible statistical distance. Therefore, we get that
are computationally indistinguishable.
Finally, adding it all together we get that the output
is computationally indistinguishable whether it has been computed with
as we wanted to see. □
After Theorem 3, we have only seen that Protocol 1 is secure when the keys are securely generated and against a passive adversary corrupting players, but it is standard to see that the same protocol is secure against an active adversary corrupting players if instead of the client reconstructs using the shares of all subsets of players, as that will give a majority of correct outputs.
The reason behind this is that we have already seen that no information is leaked, so we only need to see that the adversary cannot abort the protocol or cause an incorrect output. In case of an active adversary (who can cause players to deviate arbitrarily from the protocol), what is needed is that if all combinations of players are decrypting the message, there needs to be a majority of combinations of players with no corrupt players. This gives us that is enough.
Now, we need to see that Protocol 2 leaks no information against an adversary corrupting up to players. To do so we will once again see that the adversary cannot distinguish between interacting with the protocol or a simulation where the challenger sets before-hand the values of the keys.
Theorem 4. Assuming that the image interval of the pseudo-random function is where
that is a commitment scheme such that it has a trapdoor and the parameters follow the conditions on Theorem of correctness, then the Key Generation Protocol (Protocol 2) is secure against a passive and static adversary, corrupting up to players.
We want to construct an Attack Game in which the adversary cannot distinguish between the protocol executed correctly and a simulation where the challenger sets the values of and for all H before-hand.
denote the set of corrupt players and B
the set of honest players. The Attack Game works as follows. Assume that whenever a corrupt player needs to sample a uniform distribution it sends a query to the challenger for a random value from a random oracle. Let
the challenge output by
, the first step of the interaction in Protocol 2 as we can see in Table 3
. Then, the challenger chooses
and proceeds as follows:
If : The challenger and the adversary follow Protocol 2 to generate and the shares and outputs .
: The challenger samples
. Then he uses the trapdoor in the commitment scheme to recover
, and proceeds as follows. We will divide the explanation depending on what he is simulating to ease comprehension, but everything will be done simultaneously, following the flow of information seen in Table 3
For the “generation” of , the challenger will use the keys (of which he knows all of them given that they were generated through queries to the random oracle through the challenger) to recover , the contribution of the corrupt players to . With this information, the challenger can compute the contribution of the honest players to such that . With these values computed the challenger follows with the protocol.
For the “generation” of the challenger proceeds identically as with generating .
For the “generation” of , the challenger samples random values in for (the first step) and commits them. It then will receive from the adversary (the shares of pertaining to the corrupt players) and will compute consistent Shamir shares so that the players share . Then, as in the protocol, the challenger sends the shares to all players not in H.
For the “generation” of , the challenger samples random values in for (the first step) and commits them. It then will receive (the shares of pertaining to the corrupt players) and will compute consistent Shamir shares so that the players share . Then, as in the protocol, the challenger sends the shares to all players.
For the “generation” of the challenger outputs at the end of the protocol.
Then, the challenger outputs .
Finally, outputs , meaning whether it thinks it has interacted with the protocol or with the simulation, and the Game concludes.
It is clear that the flow of information is the same in both cases and that the values will be both correct and what the challenger sampled beforehand, so we just need to see that the adversary cannot distinguish between the values received when from the ones received when . For (and ) it is clear that they are indistinguishable, as we used the trapdoor in the commitment scheme to set the values necessary before any messages were sent from the adversary to the challenger. Furthermore, we know that no information was leaked in the NIVSS as because of Lemmas 2 and 3 we know that no information was leaked as in the proof of Theorem 3.
For (and in turn as they are analogous), we need to see that the adversary cannot distinguish from generated by the protocol or them being random in . To see this we will use the security of Shamir secret sharing, as the adversary can only control up to t players. Therefore, the value shared is completely undetermined by the shares of the corrupt players, so both cases ( and ) are indistinguishable to the adversary.
Finally, by adding everything up, we get that
are indistinguishable whether we have
as we wanted to see. □
As in Section 4
, we have also proven the equivalent to this last theorem for an active adversary, however we will not use the result for the implementation, for reasons we will state in Section 6.1
. The proof can be found in Appendix A.2
Having proved the security of each protocol individually, we only need to see that using both protocols together still gives us an encryption scheme which is semantically secure.
Assume the conditions in Theorems 1 and 4 are fulfilled. Then, if K-DGS is hard, then encryption under keys generated by Protocol 2 and decryption following Protocol 1 is semantically secure against a static and passive adversary corrupting up to players acting through the Key Generation phase and the same adversary being active corrupting up to players in the Decryption phase.
First, using the result in Theorem 4, we can see that the adversary cannot distinguish between executing both protocols, or replacing the key generation with keys generated by the challenger. Then, using Theorem 1, we can see that the adversary cannot distinguish between taking part in the decryption or having the challenger decrypt all by itself. Therefore, we get that the adversary cannot distinguish between the semantic security game when both distributed protocols are used from the basic semantic security game of Encryption Scheme 1. This means, using what we have seen in Section 5.1
that breaking semantic security when both protocols are being used is as hard as breaking semantic security of the encryption scheme, so using the reduction to K
and that we assume this problem to be hard, we have that our protocols are semantically secure, as we wanted to see. □