Cryptology ePrint Archive: Report 2017/876

All-But-Many Lossy Trapdoor Functions and Selective Opening Chosen-Ciphertext Security from LWE

Benoit Libert and Amin Sakzad and Damien Stehle and Ron Steinfeld

Abstract: Selective opening (SO) security refers to adversaries that receive a number of ciphertexts and, after having corrupted a subset of the senders (thus obtaining the plaintexts and the senders' random coins), aim at breaking the security of remaining ciphertexts. So far, very few public-key encryption schemes are known to provide simulation-based selective opening (SIM-SO-CCA2) security under chosen-ciphertext attacks and most of them encrypt messages bit-wise. The only exceptions to date rely on all-but-many lossy trapdoor functions (as introduced by Hofheinz; Eurocrypt'12) and the Composite Residuosity assumption. In this paper, we describe the first all-but-many lossy trapdoor function with security relying on the presumed hardness of the Learning-With-Errors problem (LWE) with standard parameters. Our construction exploits homomorphic computations on lattice trapdoors for lossy LWE matrices. By carefully embedding a lattice trapdoor in lossy public keys, we are able to prove SIM-SO-CCA2 security under the LWE assumption. As a result of independent interest, we describe a variant of our scheme whose multi-challenge CCA2 security tightly relates to the hardness of LWE and the security of a pseudo-random function.

Category / Keywords: public-key cryptography / LWE, lossy trapdoor functions, chosen-ciphertext security, selective-opening security, tight security reductions

Original Publication (with major differences): IACR-CRYPTO-2017

Date: received 8 Sep 2017

Contact author: benoit libert at ens-lyon fr

Available format(s): PDF | BibTeX Citation

Version: 20170913:212849 (All versions of this report)

Short URL:

[ Cryptology ePrint archive ]