
1 Introduction

Classical security definitions for encryption, like semantic security [19], only consider messages that the attacker itself can generate. In certain contexts, however, a system must encrypt secret keys, which are unknown to the attacker, under corresponding public keys. Prominent examples of this include the anonymous credential scheme of Camenisch and Lysyanskaya [13], methods for proving the computational soundness of symbolic protocols [2], password managers and disk encryption utilities, and Gentry’s “bootstrapping” technique for obtaining (unbounded) fully homomorphic encryption [16, 17].

For these reasons, the notions of circular and, more generally, key-dependent message (KDM) security have attracted much attention in recent years. Informally, a public-key cryptosystem is k-circular secure if an encryption cycle \((\mathsf {Enc} _{pk_1}(sk_2), \mathsf {Enc} _{pk_2}(sk_3), \ldots , \mathsf {Enc} _{pk_k}(sk_1))\) is indistinguishable from encryptions of “junk” messages. KDM security considers a broader setting in which (adversarially specified) functions of the secret keys may be encrypted under any of the public keys.

Early positive results on circular/KDM security go back to Black et al. [8, 13], who proposed KDM-secure schemes in the random oracle model. Several years later, Boneh et al. [9] were the first to give a cryptosystem in the standard model with a proof of KDM-security (for affine functions) under a well-studied assumption, namely, Decision Diffie-Hellman (DDH). This was soon followed by constructions based on the learning with errors (LWE) [5] and quadratic residuosity [10] assumptions; constructions for richer notions like identity-based encryption [3]; and “KDM amplification” transforms that extended the class of functions far beyond affine ones [4, 6, 11, 24].

Despite all this progress, a very basic yet still unresolved question about circular/KDM security—especially in light of the fact that almost all the systems cited above are specially designed to obtain it—is:

Do classical security notions like IND-CPA or IND-CCA imply k-circular security?

For \(k=1\) there are trivial counterexamples, but for \(k \ge 2\) the question is much more interesting, and has been studied extensively in recent years. To date there is a significant gap between what is known for the cases \(k=2\) and \(k > 2\).

The case \(k = 2\). In this setting there are several negative results based on well-studied assumptions. The first counterexamples were presented by Acar et al. [1] and Cash et al. [14], who respectively gave schemes that are CPA secure but not 2-circular secure, and schemes that are CPA/CCA secure but not even weakly two-circular secure. (Weak circular security refers to the secrecy of other encrypted messages in the presence of an encryption cycle.) In both works, CPA/CCA security was under the SXDH assumption for groups with asymmetric bilinear pairings.

Most recently, Bishop et al. [7] gave additional counterexamples for \(k=2\), based on the decision linear and LWE assumptions. In addition, they introduced the useful notion of a cycle tester, which simplifies and modularizes the construction of counterexamples. For example, they showed how to combine a k-cycle tester with any CPA/CCA-secure cryptosystem to obtain CPA/CCA-secure schemes that are not k-circular secure. (However, all their concrete cycle testers were for \(k=2\).)

The case \(k > 2\). For larger values of k, the relationship between CPA/CCA and circular security remained open for many years. Intuitively, constructing a counterexample for this case is more difficult because encryption must set up a relation among k ciphertexts that can be efficiently detected; bilinear maps make this possible for \(k=2\), but seem less useful for \(k > 2\). Indeed, the only negative results are two recent concurrent and independent works of Koppula et al. [20] and Marcedone and Orlandi [25], which used strong obfuscation assumptions to construct, for any k, encryption schemes that are CPA secure but k-circular insecure. More specifically, the counterexample in [20] is based on indistinguishability obfuscation (iO) for arbitrary circuits (e.g., the candidate construction proposed in [15]), whereas [25] used the even stronger assumption of virtual black box (VBB) obfuscation for a certain large enough class of functions. (Later, following [20], the authors of [25] refined their scheme to rely only on iO.) Separately, Koppula et al. also showed that any k-circular security counterexample can be generically transformed into one that is not even weakly circular secure, because an encryption cycle implicitly reveals all the secret keys.

In summary, for \(k=2\) we have circular-security counterexamples under a reasonably wide variety of well-studied assumptions, whereas for \(k > 2\) the available evidence is weaker, since it is based on the more speculative assumption that secure iO exists. In particular, up to this point we do not have a candidate iO scheme with a proof of security under simple, plausible, and concrete assumptions. This stands in contrast to well-studied problems like those relating to bilinear pairings or (ring-)LWE, the latter of which are provably hard assuming the worst-case hardness of certain lattice problems [12, 22, 27, 28].

1.1 Contributions

Our main contributions are k-circular security counterexamples, for any \(k \ge 2\), based on the LWE [28] and ring-LWE [22] assumptions. We stress that these are the first circular security counterexamples for \(k > 2\) that do not rely on general-purpose obfuscation assumptions. More specifically, we prove the following two main theorems (in what follows, \(\lambda \) denotes the security parameter):

Informal Theorem 1

For any \(\mathrm{poly}(\lambda )\)-bounded \(k \ge 2\), there exists (in the common random string model) a k-cycle tester based on ring-LWE in degree-n rings for \(\tilde{O}(nk)^{O(k)}\) approximation factors. Moreover, it is also a \(k'\)-cycle tester for \(2 \le k' \le k\).

As example parameterizations, for any constant \(k=O(1)\) we obtain a k-cycle tester based on \(\mathrm{poly}(n)\) approximation factors, which are conjectured to offer \(2^{\tilde{\varOmega }(n)}\) hardness. For arbitrary \(k=\mathrm{poly}(\lambda )\), we can obtain a k-cycle tester based on subexponential \(2^{n^{\varepsilon }}\) factors for any desired constant \(\varepsilon > 0\), by letting \(n = \tilde{\varOmega }(\lambda ^{c/\varepsilon })\) be a sufficiently large polynomial in \(\lambda \). For such factors, ring-LWE is conjectured to offer \(2^{\tilde{\varOmega }(n^{1-\varepsilon })} \ge 2^{\varOmega (\lambda )}\) hardness.

Informal Theorem 2

For any constant \(k \ge 2\), there exists (in the common random string model) a k-cycle tester based on plain LWE in n dimensions for \(n^{O(k^{2})}\) approximation factors. Moreover, it is also a \(k'\)-cycle tester for \(2 \le k' \le k\).

We emphasize that unlike many lattice-based cryptographic schemes, the ring-LWE-based cycle tester from our first theorem does not appear to “mechanically” translate to plain LWE, so additional ideas are needed to prove our second theorem. In brief, this is because the ring-LWE problem is usually defined over a commutative ring, whereas in the plain LWE setting, the corresponding ring of n-by-n matrices is not commutative (see Sect. 1.2 below for further details). To overcome this obstacle, we introduce a new variant of LWE that we call tensored LWE, and prove that it is equivalent to plain LWE for corresponding parameters. We note, however, that this technique limits the solution to constant (but arbitrary) \(k = O(1)\), because it induces key sizes that are exponential in k.

Finally, by combining our cycle testers with appropriate (ring-)LWE-based CPA/CCA-secure encryption schemes [18, 26, 28] using the generic transformations given in [7, 20], we immediately obtain CPA/CCA-secure cryptosystems that are k-circular insecure, and (in the CPA-secure case) for which an encryption cycle even reveals all the encrypted secret keys.

Recent Related Work. In a concurrent and independent work, Koppula and Waters [21] also constructed a k-cycle tester for arbitrary (a priori bounded) k based on plain LWE; it can be easily adapted to ring-LWE using standard transformations. Like ours, their construction uses “telescoping products,” but the exact way in which these are used to detect cycles differs significantly—in particular, their construction does not need secret keys to commute under multiplication (see Sect. 1.2 below for further details). This yields different simplicity and efficiency profiles for the schemes. Specifically, our ring-LWE scheme has public keys, secret keys, and ciphertexts that are all an \(\varOmega (n)\) factor smaller than in the ring-LWE version of their scheme, and is arguably technically simpler and more direct. However, their plain-LWE construction can handle any polynomial cycle length \(k=\mathrm{poly}(\lambda )\), whereas our plain-LWE construction is restricted to any constant \(k=O(1)\) due to an \(n^{k}\) factor in our key and ciphertext lengths, which arises from our “tensored” form of plain LWE that yields commuting secrets. In addition, their scheme does not use a common random string, whereas ours does.

1.2 Techniques

Here we give an overview of our constructions and proof techniques. To start, we give a brief exposition of the LWE-based two-cycle tester from [7]. We recall that a k-cycle tester is a relaxed form of encryption scheme that does not require a decryption algorithm; it only requires an efficient algorithm that reliably detects when a k-tuple of ciphertexts forms an encryption cycle.

In the two-cycle tester from [7], a secret key is the randomness used to generate a uniformly random matrix \(\mathbf {S}\in \mathbb {Z}_q^{n \times m}\) along with a “trapdoor” \(T_{\mathbf {S}}\), using the \(\mathsf {GenTrap} \) algorithm from, e.g., [26]. The matrix \(\mathbf {S}\) is interpreted as a matrix of LWE secrets, and the public key is the LWE instance \((\mathbf {A}, \mathbf {B}\approx \mathbf {S}^{t} \mathbf {A})\) for a uniformly random \(\mathbf {A}\in \mathbb {Z}_q^{n \times m}\).

To encrypt under a public key \((\mathbf {A},\mathbf {B})\), we interpret the message as randomness for \(\mathsf {GenTrap} \), thereby generating some \(\hat{\mathbf {S}}\) with trapdoor \(T_{\hat{\mathbf {S}}}\). We then choose a random short integer vector \(\mathbf {r}\), let \(\mathbf {v}= \mathbf {A}\mathbf {r}\), and output the two-component ciphertext

$$ \big ( \mathbf {x}\leftarrow \hat{\mathbf {S}}^{-1}[ \mathbf {v}] \, , \, \mathbf {u}= \mathbf {B}\mathbf {r}\approx \mathbf {S}^{t} \mathbf {A}\mathbf {r}= \mathbf {S}^{t} \mathbf {v}\big ) \in \mathbb {Z}^{m} \times \mathbb {Z}_q^{m}. $$

Here \(\mathbf {x}\leftarrow \hat{\mathbf {S}}^{-1}[\mathbf {v}]\) denotes using the trapdoor \(T_{\hat{\mathbf {S}}}\) to randomly sample a short solution to \(\hat{\mathbf {S}} \mathbf {x}= \mathbf {v}\) without revealing any information about \(T_{\hat{\mathbf {S}}}\), e.g., using a discrete Gaussian distribution [18]. (This is used in the proof of IND-CPA security.) Notice that \(\mathbf {x}\) is a short integer vector, whereas \(\mathbf {u}\) is “large.”

Now consider an encryption cycle for two keys, which consists of ciphertexts

$$ (\, \mathbf {x}_{i} = \mathbf {S}_{1-i}^{-1}[\mathbf {v}_{i}] \, ,\, \mathbf {u}_{i} \approx \mathbf {S}_{i}^{t} \mathbf {v}_{i} \,) $$

for \(i \in \{0,1\}\), where \(\mathbf {S}_{i}\) is the (secret) matrix produced by \(\mathsf {GenTrap} \) using the ith secret key as randomness. Because the \(\mathbf {x}_{i}\) are short, we have

$$\begin{aligned} \langle {\mathbf {u}_{0}, \mathbf {x}_{1}}\rangle = \mathbf {u}_{0}^{t} \cdot \mathbf {x}_{1}&\approx \mathbf {v}_{0}^{t} \mathbf {S}_{0} \cdot \mathbf {S}_{0}^{-1}[\mathbf {v}_{1}] = \mathbf {v}_{0}^{t} \cdot \mathbf {v}_{1} = \langle {\mathbf {v}_{0}, \mathbf {v}_{1}}\rangle \\ \langle {\mathbf {u}_{1}, \mathbf {x}_{0}}\rangle = \mathbf {u}_{1}^{t} \cdot \mathbf {x}_{0}&\approx \mathbf {v}_{1}^{t} \mathbf {S}_{1} \cdot \mathbf {S}_{1}^{-1}[\mathbf {v}_{0}] = \mathbf {v}_{1}^{t} \cdot \mathbf {v}_{0} = \langle {\mathbf {v}_{1}, \mathbf {v}_{0}}\rangle . \end{aligned}$$

Because the inner product is commutative, testing whether \(\langle {\mathbf {u}_{0}, \mathbf {x}_{1}}\rangle \approx \langle {\mathbf {u}_{1}, \mathbf {x}_{0}}\rangle \pmod {q}\) will therefore detect a two-cycle. (For ordinary ciphertexts, the approximation is unlikely to hold, because the inner products are essentially uniform and independent.)

Challenges Beyond Two-Cycles. Generalizing the above construction to work for cycle lengths larger than two comes with several technical challenges. One is that there does not appear to be an appropriate generalization of the inner product \(\langle {\cdot ,\cdot }\rangle \) to three or more vectors. However, a promising idea is to replace \(\mathbf {v}\) with a matrix \(\mathbf {V}\) of many columns, and likewise replace \(\mathbf {x}\) with \(\mathbf {X}\leftarrow \hat{\mathbf {S}}^{-1}[\mathbf {V}]\), so that \(\hat{\mathbf {S}} \cdot \mathbf {X}= \mathbf {V}\). Then for, say, a 3-cycle, if we could somehow arrange for \(\mathbf {V}_{i} = \mathbf {Z}_{i} \cdot \mathbf {S}_{i}\) for some \(\mathbf {Z}_{i}\), we would have the “telescoping product”

$$\begin{aligned} \mathbf {U}_{0}^{t} \cdot \mathbf {X}_{1} \cdot \mathbf {X}_{2}&= \mathbf {V}_{0}^{t} \cdot \mathbf {S}_{0} \cdot \mathbf {S}_{0}^{-1}[\mathbf {V}_{1}] \cdot \mathbf {X}_{2} \\&= \mathbf {S}_{0}^{t} \cdot \mathbf {Z}_{0}^{t} \cdot \mathbf {Z}_{1} \cdot \mathbf {S}_{1} \cdot \mathbf {S}_{1}^{-1}[\mathbf {V}_{2}] \\&= \mathbf {S}_{0}^{t} \cdot \mathbf {Z}_{0}^{t} \cdot \mathbf {Z}_{1} \cdot \mathbf {Z}_{2} \cdot \mathbf {S}_{2}, \end{aligned}$$

and similarly for \(\mathbf {U}_{1} \cdot \mathbf {X}_{2} \cdot \mathbf {X}_{0}\). Unfortunately, we do not see any way to generate \(\mathbf {V}_{i} = \mathbf {Z}_{i} \cdot \mathbf {S}_{i}\) in the encryption algorithm, because \(\mathbf {S}_{i}\) is secret (it can only be obtained from the ith secret key). Alternatively, we might try to obtain a more “LWE-like” approximation \(\mathbf {V}_{i} \approx \mathbf {Z}_{i} \cdot \mathbf {S}_{i}\) using the public key, but then the above equations do not even hold approximately, because \(\mathbf {V}_{0}\) is “large” and hence amplifies the errors too much.

Our Solution. With the above attempt in mind, we take a different and arguably simpler approach to LWE-based cycle testers, which resolves both of the difficulties identified above. Our approach is easiest to understand in the ring setting first. For concreteness, define \(R=\mathbb {Z}[X]/(X^{n}+1)\) for n a power of two, and define \(R_{q}=R/qR=\mathbb {Z}_q[X]/(X^{n}+1)\) for a suitably large modulus q.

As in [7], a secret key in our system is the randomness used by (a ring variant of) \(\mathsf {GenTrap} \) to produce a row vector \(\mathbf {a}\in R_{q}^{m}\) with a trapdoor \(T_{\mathbf {a}}\). However, here we simply take \(\mathbf {a}\) to be the public key, rather than using it as a vector of ring-LWE secrets.

To encrypt under public key \(\mathbf {a}\), as in [7] we interpret the message as randomness for \(\mathsf {GenTrap} \) to obtain an \(\hat{\mathbf {a}} \in R_{q}^{m}\) and trapdoor \(T_{\hat{\mathbf {a}}}\). We then choose an \(s \in R\) from the ring-LWE error distribution, let \(\mathbf {b}\approx s \cdot \mathbf {a}\in R_{q}^{m}\) (where the approximation hides ring-LWE errors), and output the ciphertext

$$\begin{aligned} \mathbf {C}\leftarrow \hat{\mathbf {a}}^{-1}[\mathbf {b}] \in R^{m \times m}, \end{aligned}$$

where \(\hat{\mathbf {a}}^{-1}[\mathbf {b}]\) uses \(T_{\hat{\mathbf {a}}}\) to randomly sample a short matrix \(\mathbf {C}\) over R such that \(\hat{\mathbf {a}} \cdot \mathbf {C}= \mathbf {b}\). Notice that in contrast with [7], the ciphertext is just one short matrix—it does not contain any “large” components, which will be important for cycle testing.

Consider now an encryption cycle of, say, three secret keys, which consists of ciphertexts

$$ \mathbf {C}_{i} \leftarrow \mathbf {a}_{i-1}^{-1}[\mathbf {b}_{i}], \quad \mathbf {b}_{i} \approx s_{i} \cdot \mathbf {a}_{i} $$

for each \(i \in \mathbb {Z}_{3}\) (where the subscript arithmetic is modulo three). We then have the telescoping product

$$\begin{aligned} \mathbf {a}_{2} \cdot \mathbf {C}_{0} \cdot \mathbf {C}_{1} \cdot \mathbf {C}_{2}&= \mathbf {a}_{2} \cdot \mathbf {a}_{2}^{-1}[\mathbf {b}_{0}] \cdot \mathbf {C}_{1} \cdot \mathbf {C}_{2} \\&\approx s_{0} \cdot \mathbf {a}_{0} \cdot \mathbf {a}_{0}^{-1}[\mathbf {b}_{1}] \cdot \mathbf {C}_{2} \\&\approx s_{0} \cdot s_{1} \cdot \mathbf {a}_{1} \cdot \mathbf {a}_{1}^{-1}[\mathbf {b}_{2}] \\&\approx s_{0} \cdot s_{1} \cdot s_{2} \cdot \mathbf {a}_{2}, \end{aligned}$$

where the approximations hold because all the \(s_{i}\) and \(\mathbf {C}_{i}\) are short. Similarly,

$$ \mathbf {a}_{0} \cdot \mathbf {C}_{1} \cdot \mathbf {C}_{2} \cdot \mathbf {C}_{0} \approx s_{1} \cdot s_{2} \cdot s_{0} \cdot \mathbf {a}_{0}. $$

Now because the ring R is commutative, the above right-hand sides are almost identical, except for the different public keys \(\mathbf {a}_{0}, \mathbf {a}_{2}\). But this issue is easily addressed: the \(\mathsf {GenTrap} \) algorithm comes in a version that takes a vector over \(R_{q}\) as a public parameter, and outputs an \(\mathbf {a}\) having that vector as its prefix. Therefore, our cycle tester just checks whether the first entries of the above products (corresponding to the common prefix of \(\mathbf {a}_{0}, \mathbf {a}_{2}\)) are approximately equal. More precisely, the difference should be smaller than some bound that depends on the maximum cycle length k we want to be able to detect; this induces our choice of the modulus q. Finally, notice that the tester also works equally well for cycles of length \(k'\) for \(2 \le k' \le k\).

Adapting to Plain LWE. There is a standard mechanical translation of cryptosystems from ring-LWE to plain LWE, which replaces every uniformly random \(a \in R_{q}\) with a uniformly random matrix \(\mathbf {A}\in \mathbb {Z}_q^{n \times n}\), and every error term \(s \in R\) with a matrix \(\mathbf {S}\in \mathbb {Z}^{n \times n}\) whose entries are drawn independently from the LWE error distribution. However, when this translation is applied to the above scheme, it is easy to see that the cycle tester does not work, because the error matrices \(\mathbf {S}_{i}\) are unlikely to commute with each other under multiplication.

We resolve this difficulty by introducing a new tensoring technique that guarantees commutativity. (We believe that the technique will find additional applications.) The central fact we use is that the tensor product of square n-dimensional matrices obeys the following special case of the mixed-product property:

$$ \mathbf {S}_{1} \otimes \mathbf {S}_{2} = (\mathbf {S}_{1} \otimes \mathbf{I }_{n}) \cdot (\mathbf{I }_{n} \otimes \mathbf {S}_{2}) = (\mathbf{I }_{n} \otimes \mathbf {S}_{2}) \cdot (\mathbf {S}_{1} \otimes \mathbf{I }_{n}) \in \mathbb {Z}^{n^{2} \times n^{2}}. $$

In particular, the matrices \(\mathbf {S}_{1} \otimes \mathbf{I }_{n}\) and \(\mathbf{I }_{n} \otimes \mathbf {S}_{2}\) commute under multiplication. (Naturally, the above equations generalize to the tensor product of any \(k > 2\) matrices.)

We apply the above facts in our plain-LWE cycle tester as follows. When encrypting to the ith public key, we use an LWE secret matrix

$$\begin{aligned} \mathbf {S}'_{i} = \underbrace{\mathbf{I }_{n} \otimes \cdots \otimes \mathbf{I }_{n}}_{i \text { terms}} {} \otimes \mathbf {S}_{i} \otimes \underbrace{\mathbf{I }_{n} \otimes \cdots \otimes \mathbf{I }_{n}}_{k-i-1 \text { terms}} \in \mathbb {Z}^{n^{k} \times n^{k}}, \end{aligned}$$

where \(\mathbf {S}_{i} \in \mathbb {Z}^{n \times n}\) has entries drawn from the error distribution. By the above, these \(\mathbf {S}_{i}\) all commute with each other under multiplication, allowing us to conclude that (certain entries of) the telescoping products are approximately equal. Also notice that it is not necessary for all the \(\mathbf {S}_{i}\) to appear in the final product, so the same cycle tester also detects \(k'\)-cycles for \(2 \le k' \le k\).

In order for all this to work, the public key matrices \(\mathbf {A}_{i}\) must have \(n^{k}\) rows, which is why our construction is limited to constant \(k=O(1)\). Of course, it is not immediately obvious whether LWE is actually hard for such highly structured secret matrices \(\mathbf {S}'_{i}\). Fortunately, we prove that this form of the problem is equivalent to n-dimensional LWE with the same error distribution, up to a polynomial factor in the number of samples given to the attacker. Known worst-case hardness theorems for LWE are essentially agnostic to the number of samples, so the reduction’s lossiness in this respect is of little concern.

2 Preliminaries

For a positive integer t we let \([t] = \{0,\ldots , t-1\}\). The primary security parameter is denoted \(\lambda \).

Tensor Products. The tensor (or Kronecker) product \(\mathbf {A}\otimes \mathbf {B}\) of an \(m_{1}\)-by-\(n_{1}\) matrix \(\mathbf {A}\) with an \(m_{2}\)-by-\(n_{2}\) matrix \(\mathbf {B}\), both over a common ring \(\mathcal {R}\), is the \(m_{1} m_{2}\)-by-\(n_{1} n_{2}\) block matrix consisting of \(m_{2}\)-by-\(n_{2}\) blocks, whose \((i,j)\)th block is \(a_{i,j} \cdot \mathbf {B}\), where \(a_{i,j}\) denotes the \((i,j)\)th entry of \(\mathbf {A}\). Equivalently, we can view \(\mathbf {A}\otimes \mathbf {B}\) as having rows indexed by \([m_{1}] \times [m_{2}]\) and columns indexed by \([n_{1}] \times [n_{2}]\), where the \(((i_{1},i_{2}), (j_{1}, j_{2}))\)th entry is \(a_{i_{1},j_{1}} \cdot b_{i_{2},j_{2}}\). This corresponds to the previous definition by “flattening” the row and column index sets using the bijection that maps \((k_{1}, k_{2}) \in [\ell _{1}] \times [\ell _{2}]\) to \(k_{1} \cdot \ell _{2} + k_{2} \in [\ell _{1} \ell _{2}]\).

We extensively use the mixed-product property of tensor products, which says that

$$\begin{aligned} (\mathbf {A}\otimes \mathbf {B}) \cdot (\mathbf {C}\otimes \mathbf {D}) = (\mathbf {A}\mathbf {C}) \otimes (\mathbf {B}\mathbf {D}) \end{aligned}$$

for any matrices \(\mathbf {A}, \mathbf {B}, \mathbf {C}, \mathbf {D}\) of compatible dimensions. In particular,

$$\begin{aligned} (\mathbf {A}\otimes \mathbf {B}) = (\mathbf {A}\otimes \mathbf{I }_{\text {height}(\mathbf {B})}) \cdot (\mathbf{I }_{\text {width}(\mathbf {A})} \otimes \mathbf {B}) = (\mathbf{I }_{\text {height}(\mathbf {A})} \otimes \mathbf {B}) \cdot (\mathbf {A}\otimes \mathbf{I }_{\text {width}(\mathbf {B})}). \end{aligned}$$

Subgaussians. For analyzing error growth in our schemes it will be convenient to use the notion of subgaussian random variables and matrices. We say that a real random variable X (or its distribution) is subgaussian with parameter s if for all \(t \in \mathbb {R}\), the (scaled) moment-generating function satisfies

$$\begin{aligned} {\mathbb {E}}[\exp (2 \pi t X)] \le (1+\mathrm{negl}(\lambda )) \cdot \exp (\pi s^{2} t^{2}). \end{aligned}$$

More generally, we say that a random matrix (or vector) \(\mathbf {X}\) is subgaussian with parameter s if \(\mathbf {u}^{t} \mathbf {X}\mathbf {v}\) is subgaussian with parameter s for all unit vectors \(\mathbf {u}, \mathbf {v}\). It follows immediately from the definitions that a \(\mathrm{poly}(\lambda )\)-dimensional matrix made up of independent subgaussian entries, or of independent subgaussian rows or columns, with common parameter s is itself subgaussian with parameter s.

The largest singular value, also known as spectral norm, of a matrix \(\mathbf {X}\) is defined as \(s_{1}(\mathbf {X}) := \max _{\mathbf {u}\ne \mathbf {0}} \|\mathbf {X}\mathbf {u}\| / \|\mathbf {u}\|\). It is clear that the spectral norm is sub-additive and sub-multiplicative: \(s_{1}(\mathbf {X}+ \mathbf {Y}) \le s_{1}(\mathbf {X}) + s_{1}(\mathbf {Y})\) and \(s_{1}(\mathbf {X}\mathbf {Y}) \le s_{1}(\mathbf {X}) \cdot s_{1}(\mathbf {Y})\). We use the following standard fact about subgaussian matrices; see [29] for a proof.

Proposition 1

For a subgaussian matrix \(\mathbf {X}\in \mathbb {R}^{m \times n}\) with parameter s, we have \(s_{1}(\mathbf {X}) \le s \cdot O(\sqrt{m} + \sqrt{n})\) except with probability at most \(2^{-\varOmega (m+n)}\).

2.1 Cryptographic Definitions

Here we present some cryptographic definitions. The definition of k-cycle tester is from [7].

Definition 1

Let \(\varPi = (\mathsf {Setup}, \mathsf {Gen}, \mathsf {Enc})\) be a public-key encryption scheme (omitting the decryption algorithm) for message space \(\mathcal {M}= \mathcal {M}_{\lambda }\). We say that \(\varPi \) is IND-CPA secure if every efficient adversary \(\mathcal {A}\) has negligible (in \(\lambda \)) advantage in distinguishing the following two games for \(b \in \{0,1\}\):

  1. Generate \(pp\leftarrow \mathsf {Setup} (1^{\lambda })\) and \((pk, sk) \leftarrow \mathsf {Gen} (pp)\).

  2. Given \((pp,pk)\) to \(\mathcal {A}\), which outputs a pair of messages \((m_{0},m_{1}) \in \mathcal {M}^{2}\).

  3. Generate \(c \leftarrow \mathsf {Enc} (pk, m_b)\) and give c to the adversary.

Definition 2

Let \(\varPi = (\mathsf {Setup}, \mathsf {Gen}, \mathsf {Enc})\) be a public-key encryption scheme (omitting the decryption algorithm) for message space \(\mathcal {M}= \mathcal {M}_{\lambda } \supseteq \mathcal {S}_{\lambda }\), where \(\mathcal {S}_{\lambda }\) denotes the secret-key space for security parameter \(\lambda \). We say that \(\varPi \) is IND-CIRC-CPA \(^k\) secure if the following two games are computationally indistinguishable.

  1. Generate \(pp\leftarrow \mathsf {Setup} (1^{\lambda })\) and \((pk_i, sk_i) \leftarrow \mathsf {Gen} (pp)\) for every \(i \in \mathbb {Z}_k\).

  2. In Game 0, let \(c_{i} \leftarrow \mathsf {Enc} (pk_i, sk_{i - 1})\) for \(i \in \mathbb {Z}_k\) (where arithmetic in the subscripts is modulo k). In Game 1, let \(c_{i} \leftarrow \mathsf {Enc} (pk_i, 0)\) for \(i \in \mathbb {Z}_k\) (where \(0 \in \mathcal {M}\) denotes some arbitrary fixed message).

  3. Output \((pp, (pk_{i})_{i \in \mathbb {Z}_{k}}, (c_{i})_{i \in \mathbb {Z}_{k}})\).

Definition 3

(Cycle Tester [7]). Let \(\varGamma = (\mathsf {Setup}, \mathsf {Gen}, \mathsf {Enc}, \mathsf {Test})\) be a tuple of randomized algorithms for which:

  • \(\varPi =(\mathsf {Setup}, \mathsf {Gen}, \mathsf {Enc})\) is a public-key encryption scheme for message space \(\mathcal {M}= \mathcal {M}_{\lambda } \supseteq \mathcal {S}_{\lambda }\);

  • \(\mathsf {Test}((pk_{i}, c_{i})_{i \in \mathbb {Z}_{k}})\), given a tuple of public keys \(pk_{i}\) and corresponding ciphertexts \(c_{i}\), outputs a bit \(b \in \{0,1\}\).

We say that \(\varGamma \) is a k-cycle tester if \(\varPi \) is IND-CPA secure, and if \(\mathsf {Test} \) has non-negligible advantage in the IND-CIRC-CPA \(^{k}\) game against \(\varPi \).

2.2 Learning with Errors

Definition 4

For positive integer dimensions n, m, modulus q, and error distribution \(\chi \) over \(\mathbb {Z}\), the decision-LWE\(_{n,q,\chi ,m}\) problem is to distinguish, with non-negligible advantage, between \((\mathbf {A}; \mathbf {b}^{t} = \mathbf {s}^{t} \mathbf {A}+ \mathbf {e}^{t})\) where \(\mathbf {A}\leftarrow \mathbb {Z}_q^{n \times m}\), \(\mathbf {s}\leftarrow \chi ^{n}\), \(\mathbf {e}\leftarrow \chi ^{m}\), and uniformly random \((\mathbf {A}; \mathbf {b}^{t})\) of the same dimensions.

A standard instantiation of LWE is to let \(\chi \) be a discrete Gaussian distribution (over \(\mathbb {Z}\)) with parameter \(r = 2\sqrt{n}\), which is known to be subgaussian with parameter r (see [26]). For this parameterization, and for any polynomially bounded m, it is known that LWE is at least as hard as quantumly approximating certain “short vector” problems on n-dimensional lattices, in the worst case, to within \(\tilde{O}(q\sqrt{n})\) factors [28]. Classical reductions are also known for different parameterizations [12, 27].

A standard hybrid argument shows that the multi-secret form of LWE—which is to distinguish

$$\begin{aligned} \begin{pmatrix} \mathbf {A}\\ \mathbf {B}= \mathbf {S}\mathbf {A}+ \mathbf {E}\end{pmatrix} \in \mathbb {Z}_q^{(n+t) \times m} \end{aligned}$$

from uniform, where \(\mathbf {A}\leftarrow \mathbb {Z}_q^{n \times m}\), \(\mathbf {S}\leftarrow \chi ^{t \times n}\), and \(\mathbf {E}\leftarrow \chi ^{t \times m}\) for some desired \(t,m = \mathrm{poly}(n)\)—is equivalent to the above single-secret version, up to a t factor loss in the distinguishing advantage.

Tensored Form. In this work we rely on another equivalent form of LWE, which we call the tensored form. Let \(m,t = \mathrm{poly}(n)\) be as above, and additionally let \(l, r = \mathrm{poly}(n)\) be arbitrary. The problem is to distinguish

$$\begin{aligned} \begin{pmatrix} \mathbf {A}\\ \mathbf {B}= (\mathbf{I }_{l} \otimes \mathbf {S}\otimes \mathbf{I }_{r}) \cdot \mathbf {A}+ \mathbf {E}\end{pmatrix} \in \mathbb {Z}_q^{l (n + t) r \times m} \end{aligned}$$

from uniform, where \(\mathbf {A}\leftarrow \mathbb {Z}_q^{l n r \times m}\), \(\mathbf {S}\leftarrow \chi ^{t \times n}\), and \(\mathbf {E}\leftarrow \chi ^{l t r \times m}\).

Lemma 1

The tensored form of LWE for parameters n, t, m, l, r is equivalent to the multi-secret form for the same n, t and \(M = m l r\) samples.

Proof

The equivalence follows simply by an appropriate (efficient and reversible) reindexing. Specifically, given a multi-secret instance \((\mathbf {A}; \mathbf {B}) \in \mathbb {Z}_q^{(n+t) \times M}\), we transform it to a tensored instance \((\mathbf {A}'; \mathbf {B}') \in \mathbb {Z}_q^{l(n+t)r \times m}\) as follows. For convenience, we construct \(\mathbf {A}'\) by indexing its rows by \([l] \times [n] \times [r]\) in the standard way, and similarly for \(\mathbf {B}'\). We partition \(\mathbf {A}\) into m blocks, each consisting of lr columns of dimension n. We arbitrarily index these columns by \([l] \times [r]\), and arrange them into a single column indexed by \([l] \times [n] \times [r]\) in the obvious way; the matrix \(\mathbf {A}'\) is made up of these m columns. Similarly, we construct \(\mathbf {B}'\) from \(\mathbf {B}\) by grouping each block of lr columns of dimension t into a single column vector indexed \([l] \times [t] \times [r]\). It is easy to see that if \((\mathbf {A}; \mathbf {B})\) is uniformly random, then so is \((\mathbf {A}'; \mathbf {B}')\). Furthermore, by construction and by definition of matrix multiplication it can be verified that if \(\mathbf {B}= \mathbf {S}\mathbf {A}+ \mathbf {E}\) for some \(\mathbf {S},\mathbf {E}\), then \(\mathbf {B}' = (\mathbf{I }_{l} \otimes \mathbf {S}\otimes \mathbf{I }_{r}) \cdot \mathbf {A}' + \mathbf {E}'\), where \(\mathbf {E}'\) is obtained from \(\mathbf {E}\) in exactly the same way that \(\mathbf {B}'\) is obtained from \(\mathbf {B}\). Therefore, the transformation is a tight reduction from the multi-secret to the tensored form. Moreover, the transformation is efficiently reversible, which gives a reduction in the opposite direction.
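The following added example (not code from the paper) checks two of the facts above on toy matrices: that the tensored secrets \(\mathbf {S}'_{i}\) of Sect. 1.2 commute even when the underlying \(\mathbf {S}_{i}\) do not, and that the reindexing in the proof of Lemma 1 turns a multi-secret instance \((\mathbf {A}; \mathbf {B}= \mathbf {S}\mathbf {A}+ \mathbf {E})\) into a tensored instance with the same \(\mathbf {S}\) and \(\mathbf {E}\). It assumes tiny constructed parameters, small-integer stand-ins for the error distribution, and the flattening bijection \((k_{1},k_{2}) \mapsto k_{1} \ell _{2} + k_{2}\) from Sect. 2; matrices are plain Python lists of rows.

```python
import random

# Toy integer matrices as lists of rows; sizes are tiny, so plain Python suffices.

def eye(n):
    return [[int(i == j) for j in range(n)] for i in range(n)]

def matmul(X, Y, q=None):
    Z = [[sum(X[i][k] * Y[k][j] for k in range(len(Y))) for j in range(len(Y[0]))]
         for i in range(len(X))]
    return [[z % q for z in row] for row in Z] if q else Z

def madd(X, Y, q=None):
    Z = [[x + y for x, y in zip(rx, ry)] for rx, ry in zip(X, Y)]
    return [[z % q for z in row] for row in Z] if q else Z

def kron(X, Y):
    """Kronecker product: block (i, j) of the result is X[i][j] * Y."""
    hy, wy = len(Y), len(Y[0])
    return [[X[i // hy][j // wy] * Y[i % hy][j % wy]
             for j in range(len(X[0]) * wy)] for i in range(len(X) * hy)]

# ---- (1) commuting secrets via tensoring (Sect. 1.2) ----

def tensored_secret(S, i, k, n):
    """S'_i = I_n ⊗ ... ⊗ I_n ⊗ S ⊗ I_n ⊗ ... ⊗ I_n (S in slot i of k), n^k-by-n^k."""
    M = eye(1)
    for j in range(k):
        M = kron(M, S if j == i else eye(n))
    return M

def all_commute(mats):
    return all(matmul(X, Y) == matmul(Y, X) for X in mats for Y in mats)

# Constructed 2-by-2 "error" matrices; S[0] and S[1] do not commute.
SMALL_SECRETS = [[[1, 1], [0, 1]], [[1, 0], [1, 1]], [[0, 1], [1, 0]]]

def demo_commutation(S=SMALL_SECRETS):
    """Returns (plain S_i commute?, tensored S'_i commute?, product == S_0 ⊗ ... ⊗ S_{k-1}?)."""
    n, k = len(S[0]), len(S)
    Sp = [tensored_secret(S[i], i, k, n) for i in range(k)]
    full = eye(1)                      # S_0 ⊗ S_1 ⊗ ... ⊗ S_{k-1}
    for Si in S:
        full = kron(full, Si)
    prod = eye(n ** k)                 # multiply the S'_i in reverse order on purpose
    for i in reversed(range(k)):
        prod = matmul(prod, Sp[i])
    return all_commute(S), all_commute(Sp), prod == full

# ---- (2) the reindexing in the proof of Lemma 1 ----

def to_tensored(X, l, r, m):
    """h-by-(m*l*r) matrix -> (l*h*r)-by-m matrix with rows indexed by [l]x[h]x[r].
    Column (j*l + i1)*r + i3 of X becomes column j, rows (i1*h + i2)*r + i3."""
    h = len(X)
    out = [[0] * m for _ in range(l * h * r)]
    for i1 in range(l):
        for i2 in range(h):
            for i3 in range(r):
                for j in range(m):
                    out[(i1 * h + i2) * r + i3][j] = X[i2][(j * l + i1) * r + i3]
    return out

def from_tensored(Xp, l, r, m):
    """Inverse of to_tensored (the map is a bijection on entries)."""
    h = len(Xp) // (l * r)
    out = [[0] * (m * l * r) for _ in range(h)]
    for i1 in range(l):
        for i2 in range(h):
            for i3 in range(r):
                for j in range(m):
                    out[i2][(j * l + i1) * r + i3] = Xp[(i1 * h + i2) * r + i3][j]
    return out

def demo_lemma1(n=3, t=2, m=2, l=2, r=2, q=257, seed=2):
    """Build a multi-secret instance (A; B = SA + E), reindex it, and check that
    B' = (I_l ⊗ S ⊗ I_r) A' + E' with E' obtained from E exactly as B' from B."""
    rng = random.Random(seed)
    M = m * l * r
    rnd = lambda rows, cols, lo, hi: [[rng.randint(lo, hi) for _ in range(cols)] for _ in range(rows)]
    A = rnd(n, M, 0, q - 1)            # uniform A in Z_q^{n x M}
    S = rnd(t, n, -2, 2)               # small secret, stands in for chi^{t x n}
    E = rnd(t, M, -2, 2)               # small error, stands in for chi^{t x M}
    B = madd(matmul(S, A), E, q)
    Ap, Bp, Ep = (to_tensored(X, l, r, m) for X in (A, B, E))
    T = kron(kron(eye(l), S), eye(r))  # I_l ⊗ S ⊗ I_r, rows [l]x[t]x[r], cols [l]x[n]x[r]
    tensored_ok = Bp == madd(matmul(T, Ap), Ep, q)
    reversible = from_tensored(Ap, l, r, m) == A and from_tensored(Bp, l, r, m) == B
    return tensored_ok, reversible
```

Changing the multiplication order in `demo_commutation` or the block layout in `to_tensored` is an easy way to see which steps the proof actually relies on.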

2.3 Lattice Trapdoors

We recall some standard facts about trapdoors and preimage sampling for cryptographic lattices; for full details, see [18, 26]. There exist efficient randomized algorithms \(\mathsf {GenTrap} \), \(\mathsf {SampleDom} \), and \(\mathsf {SamplePre} \) having the following properties. For any positive integers n, q, there exist suitable \(\bar{m} < m = O(n \log q)\) for which the following hold (the parameters \(n,q,\bar{m},m\) are implicit inputs to all the algorithms):

  • \(\mathsf {GenTrap} (\bar{\mathbf {A}}; \mathbf {R})\) takes some \(\bar{\mathbf {A}} \in \mathbb {Z}_q^{n \times \bar{m}}\) and random coins \(\mathbf {R}\in \mathcal {R}\) from a certain space \(\mathcal {R}\), and outputs a matrix \(\mathbf {A}\in \mathbb {Z}_q^{n \times m}\) whose first \(\bar{m}\) columns are \(\bar{\mathbf {A}}\), and for which \(\mathbf {R}\) serves as a “trapdoor.”

  • \(\mathsf {SampleDom} ()\) outputs a random \(\mathbf {x}\in \mathbb {Z}^{m}\), drawn from a certain distribution D. For brevity we usually write \(\mathbf {x}\leftarrow D\).

  • For any \(\bar{\mathbf {A}} \in \mathbb {Z}_q^{n \times \bar{m}}\) and \(\mathbf {R}\in \mathcal {R}\) defining \(\mathbf {A}\) as above, and any \(\mathbf {u}\in \mathbb {Z}_q^{n}\), \(\mathsf {SamplePre} (\bar{\mathbf {A}}, \mathbf {R}, \mathbf {u})\) outputs a random \(\mathbf {x}\in \mathbb {Z}^{m}\) (drawn from a certain distribution) such that \(\mathbf {A}\mathbf {x}= \mathbf {u}\). When \(\mathbf {A}\) and \(\mathbf {R}\) are clear from context, we usually write \(\mathbf {A}^{-1}[\mathbf {u}]\) for the sake of brevity, and because it satisfies the identity \(\mathbf {A}\cdot \mathbf {A}^{-1}[\mathbf {u}] = \mathbf {u}\). (We stress that \(\mathbf {A}^{-1}[\cdot ]\) denotes a randomized algorithm, not a formal matrix inverse.)

We extend the above notation column-wise to matrices, i.e., \(D^{\ell }\) is the distribution over \(\mathbb {Z}^{m \times \ell }\) in which the columns are drawn independently from D, and \(\mathbf {A}^{-1}[\mathbf {B}] \in \mathbb {Z}^{m \times \ell }\) for \(\mathbf {B}\in \mathbb {Z}_q^{n \times \ell }\) applies \(\mathbf {A}^{-1}\) independently to each column of \(\mathbf {B}\).

Proposition 2

The above algorithms satisfy the following statistical properties:

  1. For uniformly random \(\mathbf {A}\leftarrow \mathbb {Z}_q^{n \times m}\) and \(\mathbf {x}\leftarrow D\), the distribution of \((\mathbf {A}, \mathbf {A}\mathbf {x})\) is within negligible statistical distance of uniform.

  2. For uniformly random \(\bar{\mathbf {A}}\) and \(\mathbf {R}\leftarrow \mathcal {R}\), the distribution of \(\mathbf {A}= \mathsf {GenTrap} (\bar{\mathbf {A}}; \mathbf {R})\) is within negligible statistical distance of uniform.

  3. For any \(\bar{\mathbf {A}}\) and any \(\mathbf {R}\in \mathcal {R}\) defining \(\mathbf {A}= \mathsf {GenTrap} (\bar{\mathbf {A}}; \mathbf {R})\), the following experiments are within negligible statistical distance:

    (a) choose \(\mathbf {x}\leftarrow D\) and output \((\mathbf {x}, \mathbf {u}= \mathbf {A}\mathbf {x})\);

    (b) choose uniformly random \(\mathbf {u}\leftarrow \mathbb {Z}_q^{n}\), let \(\mathbf {x}\leftarrow \mathbf {A}^{-1}[\mathbf {u}]\), and output \((\mathbf {x}, \mathbf {u})\).

  4. For any \(\mathbf {A}\) output by \(\mathsf {GenTrap} \) (on randomness \(\mathbf {R}\)), and any \(\mathbf {u}\in \mathbb {Z}_q^{n}\), the distribution \(\mathbf {A}^{-1}[\mathbf {u}]\) is subgaussian with parameter \(\tilde{O}(m) = \tilde{O}(n \log q)\).

Remark 1

We emphasize that Item 3 of Proposition 2 applies for any (possibly adversarial) choice of the trapdoor \(\mathbf {R}\), which is needed in our application because the trapdoor will indeed be provided by the adversary. Fortunately, the \(\mathsf {GenTrap} \) and \(\mathsf {SamplePre} \) algorithms described in [26] can easily be instantiated to satisfy this property. In brief, this is because \(\mathsf {GenTrap} \) produces a short random matrix \(\mathbf {R}\in \mathcal {R}\) as the trapdoor, and \(\mathsf {SamplePre} \) works for any Gaussian parameter exceeding a certain \(\tilde{\varTheta }(s_{1}(\mathbf {R}))\) bound. By defining \(\mathcal {R}\) to be, say, the set of all binary matrices of appropriate dimensions, we ensure that \(s_{1}(\mathbf {R}) \le m\) for every \(\mathbf {R}\in \mathcal {R}\), while also satisfying Item 2 via the leftover hash lemma.

2.4 The Ring Setting

Here we provide some background on rings, their geometry, and ring-LWE; then we recall analogous facts about trapdoors in the ring setting. For more details see [22, 26]. (This material is only used for our ring-LWE construction in Sect. 4, and may be safely skipped.)

For simplicity, we work in the 2n-th cyclotomic ring \(R := \mathbb {Z}[X] / (X^n + 1)\) for n a power of two. (However, all of our results can be adapted to arbitrary cyclotomics using the techniques from [23].) The canonical embedding \(\sigma :R \rightarrow \mathbb {C}^n\) maps \(r \in R\) to \((\sigma _{i}(r))_{i \in \mathbb {Z}_{2n}^{*}}\), where \(\sigma _{i}(r) = r(\omega ^{i})\) and \(\omega =\exp (\pi \sqrt{-1}/n) \in \mathbb {C}\) is the principal complex 2n-th root of unity. (Notice that this definition is agnostic to the choice of \(\mathbb {Z}[X]\)-representative of \(r \in \mathbb {Z}[X]/(X^{n}+1)\), which makes it “canonical.”)

We use the canonical embedding to endow R with a geometry. Specifically, for a ring element \(r \in R\) we define \(||{r}||:= ||{\sigma (r)}||\) and \(||{r}||_{\infty } := ||{\sigma (r)}||_{\infty }\). We extend the norm notation to vectors and matrices by defining \(||{\mathbf {x}}||= ({\sum _{i} ||{x_i}||^2})^{1/2}\) for any vector \(\mathbf {x}\) over R, and \(||{\mathbf {X}}||_{\infty } = \max ||{x_{i, j}}||_{\infty }\) for any vector or matrix \(\mathbf {X}\) over R. Finally, we define the spectral norm of \(\mathbf {X}\) as

$$ s_1(\mathbf {X}) := \sup _{\mathbf {u}\ne \mathbf {0}} ||{\mathbf {X}\mathbf {u}}||/||{\mathbf {u}}||, $$

where the supremum is taken over all nonzero vectors (of appropriate dimension) over R. Clearly, the spectral norm is sub-additive and sub-multiplicative: \(s_{1}(\mathbf {X}+\mathbf {Y}) \le s_{1}(\mathbf {X}) + s_{1}(\mathbf {Y})\) and \(s_{1}(\mathbf {X}\mathbf {Y}) \le s_{1}(\mathbf {X}) \cdot s_{1}(\mathbf {Y})\). The following standard fact relates the spectral and \(\ell _{\infty }\) norms.

Proposition 3

For any matrix \(\mathbf {E}\in R^{l\times k}\) we have \(s_1(\mathbf {E}) \le \sqrt{lk}\cdot ||{\mathbf {E}}||_{\infty }\).

The following standard fact bounds the coefficients of a ring element \(r \in R\) by its \(\ell _\infty \) norm.

Proposition 4

For a ring element \(r \in R\), let \(r = \sum _{j=0}^{n-1} r_{j} \cdot X^{j} \in \mathbb {Z}[X]\) for \(r_{j} \in \mathbb {Z}\) denote its canonical representative (with respect to the standard power basis of R). Then \(|r_{j}| \le ||{r}||_{\infty }\) for every j.

Ring-LWE. For an integer q, define \(R_q := R / qR = \mathbb {Z}_q[X]/(X^{n}+1)\).

Definition 5

Let \(\chi \) be an error distribution over R. The decision-RLWE\(_{R, q, \chi , m}\) problem is to distinguish, with non-negligible advantage, between \((\mathbf {a}; \mathbf {b}= s\cdot \mathbf {a}+ \mathbf {e}) \in R_q^{m} \times R_q^{m}\) where \(\mathbf {a}\leftarrow R_q^m\), \(s \leftarrow \chi \), \(\mathbf {e}\leftarrow \chi ^m\), and uniformly random (\(\mathbf {a}\); \(\mathbf {b}\)) of the same dimensions.

For appropriate parameters, the decision-RLWE problem is (quantumly) at least as hard as the \((q \cdot \mathrm{poly}(n,m))\)-approximate shortest vector problem on any ideal lattice in R, i.e., in the worst case [22]. The standard error distribution for which this theorem applies is a sufficiently wide discrete Gaussian distribution \(\chi \) over R, for which

$$\begin{aligned} \mathop {\hbox {Pr}}\limits _{e \leftarrow \chi } [{||{e}||_{\infty } > n^c}] = \mathrm{negl}(n) \end{aligned}$$
(1)

for some universal constant \(c > 1\).

Trapdoors. Similarly to the plain setting, there are efficient randomized algorithms \(\mathsf {GenTrap} \), \(\mathsf {SampleDom} \), and \(\mathsf {SamplePre} \) having the following properties. For any modulus q, there exist suitable \(\bar{m} < m = \tilde{O}(\log q)\) for which the following hold (the parameters \(R,q,\bar{m},m\) are implicit inputs to all the algorithms):

  • \(\mathsf {GenTrap} (\bar{\mathbf {a}}; \mathbf {R})\) takes some \(\bar{\mathbf {a}} \in R_q^{\bar{m}}\) and random \(\mathbf {R}\in \mathcal {R}\) from a certain space \(\mathcal {R}\), and outputs a vector \(\mathbf {a}\in R_q^{m}\) whose first \(\bar{m}\) components are \(\bar{\mathbf {a}}\), and for which \(\mathbf {R}\) serves as a “trapdoor.”

  • \(\mathsf {SampleDom} ()\) outputs a random column vector \(\mathbf {x}^{t} \in R^{m}\), drawn from a certain distribution D. For brevity we usually write \(\mathbf {x}^{t} \leftarrow D\).

  • For any \(\bar{\mathbf {a}} \in R_q^{\bar{m}}\) and \(\mathbf {R}\in \mathcal {R}\) defining \(\mathbf {a}\) as above, and any \(u \in R_q\), \(\mathsf {SamplePre} (\bar{\mathbf {a}}, \mathbf {R}, u)\) outputs a random column vector \(\mathbf {x}^{t} \in R^{m}\) (drawn from a certain distribution) such that \(\mathbf {a}\cdot \mathbf {x}^{t} = u\). We usually write \(\mathbf {a}^{-1}[u]\) for the sake of brevity, and because it satisfies the identity \(\mathbf {a}\cdot \mathbf {a}^{-1}[u] = u\). Moreover, \(D^l\) is the distribution over \(R^{m \times l}\) in which the columns are drawn independently from D. The notation \(\mathbf {a}^{-1}[\mathbf {v}] \in R^{m \times l}\), where \(\mathbf {v}\in R_q^l\), applies \(\mathbf {a}^{-1}\) to each component of \(\mathbf {v}\) independently.

The following proposition follows by a standard adaptation of “plain” trapdoor constructions (e.g., [26]) to the ring setting, and by the regularity lemma for rings given in [23].

Proposition 5

The above algorithms satisfy the following statistical properties:

  1. For uniformly random \(\mathbf {a}\leftarrow R_q^m\) and \(\mathbf {x}^{t} \leftarrow D\), the distribution of \((\mathbf {a}, \mathbf {a}\cdot \mathbf {x}^{t}) \in R_q^{m + 1}\) is within negligible statistical distance of uniform.

  2. For uniformly random \(\bar{\mathbf {a}}\) and \(\mathbf {R}\leftarrow \mathcal {R}\), the distribution of \(\mathbf {a}= \mathsf {GenTrap} (\bar{\mathbf {a}}; \mathbf {R})\) is within negligible statistical distance of uniform.

  3. For any \(\bar{\mathbf {a}}\) and any \(\mathbf {R}\in \mathcal {R}\) defining \(\mathbf {a}= \mathsf {GenTrap} (\bar{\mathbf {a}}; \mathbf {R})\), the following experiments are within negligible statistical distance:

    (a) choose \(\mathbf {x}^{t} \leftarrow D\) and output \((\mathbf {x}^{t}, u = \mathbf {a}\cdot \mathbf {x}^{t})\);

    (b) choose uniformly random \(u \leftarrow R_q\), let \(\mathbf {x}^{t} \leftarrow \mathbf {a}^{-1}[u]\), and output \((\mathbf {x}^{t}, u)\).

  4. There exists a universal constant \(c > 1\) such that, for any \(\mathbf {a}\) output by \(\mathsf {GenTrap} \) (on randomness \(\mathbf {R}\)), and for any \(u \in R_{q}\),

    $$\begin{aligned} \mathrm{{Pr}} [{||{\mathbf {a}^{-1}[u]}||_{\infty } > n^{c}}] = \mathrm{negl}(n). \end{aligned}$$

3 LWE-Based Construction

In this section we construct, for any constant \(k \ge 2\), a k-cycle tester that is IND-CPA secure based on the conjectured hardness of (plain) LWE, appropriately parameterized. The scheme involves the following parameters:

  • \(N := n^{k}\) for a positive integer n, an integer modulus q, and an error distribution \(\chi \) over \(\mathbb {Z}\), where \(n,q,\chi \) are the parameters of the underlying LWE problem. For concreteness, we use the standard LWE error distribution \(\chi \), which is subgaussian with parameter \(O(\sqrt{n})\).

  • \(\bar{M} < M = O(N \log q)\), where \(\bar{M}, M\) are the dimensions associated with \(\mathsf {GenTrap} \) for the parameters N, q.

  • The secret-key and message spaces are both the randomness/trapdoor space \(\mathcal {R}\) of \(\mathsf {GenTrap} \) when given an N-by-\(\bar{M}\) input.

Finally, each key is uniquely and arbitrarily identified with some \(i \in \mathbb {Z}_{k} = \{0, \ldots , k-1\}\), which is provided to the key-generation algorithm. The tester is defined as follows.

  • \(\mathsf {Setup} ()\): output a uniformly random \(\bar{\mathbf {A}} \leftarrow \mathbb {Z}_q^{N \times \bar{M}}\).

  • \(\mathsf {Gen} (i, \bar{\mathbf {A}})\): let \(\mathbf {A}_{i} = \mathsf {GenTrap} (\bar{\mathbf {A}}; \mathbf {R}_{i})\) for \(\mathbf {R}_{i} \leftarrow \mathcal {R}\), and output \((i, \mathbf {A}_{i})\) as the public key and the trapdoor \(\mathbf {R}_{i}\) as the secret key. Recall from Proposition 2 that the first \(\bar{M}\) columns of \(\mathbf {A}_{i}\) are \(\bar{\mathbf {A}}\), and that \(\mathbf {A}_{i}\) is negligibly far from uniform over the random choice of \(\bar{\mathbf {A}}\) and \(\mathbf {R}_{i}\).

  • \(\mathsf {Enc} ((i, \mathbf {A}_{i}), \mathbf {R}\in \mathcal {R})\): let \(\mathbf {A}= \mathsf {GenTrap} (\bar{\mathbf {A}}; \mathbf {R})\), so that \(\mathbf {R}\) is a trapdoor for \(\mathbf {A}\). Choose an LWE secret matrix \(\mathbf {S}_{i} \leftarrow \chi ^{n \times n}\) and an error matrix \(\mathbf {E}_{i} \leftarrow \chi ^{N \times M}\), and output the ciphertext matrix

    $$\begin{aligned} \mathbf {C}&\leftarrow \mathbf {A}^{-1}[\mathbf {S}'_{i} \cdot \mathbf {A}_{i} + \mathbf {E}_{i}] \in \mathbb {Z}^{M \times M}, \\ \text {where } \mathbf {S}'_{i}&= (\mathbf{I }_{n^{i}} \otimes \mathbf {S}_{i} \otimes \mathbf{I }_{n^{k-i-1}}) \in \mathbb {Z}^{N \times N}. \end{aligned}$$

    (The \(\mathbf {A}^{-1}\) operation is performed using trapdoor \(\mathbf {R}\).)

  • \(\mathsf {Test} ((\mathbf {A}_{i}, \mathbf {C}_{i})_{i \in \mathbb {Z}_{k}})\): given public key matrices \(\mathbf {A}_{i}\) and ciphertexts \(\mathbf {C}_{i}\), check whether

    $$\begin{aligned} (\mathbf {A}_{k-1} \cdot \mathbf {C}_{0} \cdot \mathbf {C}_{1} \cdots \mathbf {C}_{k-1} - \mathbf {A}_{0} \cdot \mathbf {C}_{1} \cdots \mathbf {C}_{k-1} \cdot \mathbf {C}_{0}) \cdot \bar{\mathbf{I }} \in (-q/4,q/4)^{N \times \bar{M}} \pmod {q}, \end{aligned}$$
    (2)

    where \(\bar{\mathbf{I }} \in \mathbb {Z}^{M \times \bar{M}}\) is the matrix that selects the first \(\bar{M}\) columns. (Notice that \(\mathbf {A}_{i} \cdot \bar{\mathbf{I }} = \bar{\mathbf {A}}\) for every i, because every public key has \(\bar{\mathbf {A}}\) as its first \(\bar{M}\) columns; we use this fact in the analysis below.)

Remark 2

In Eq. (2), the choice of products appearing in the difference is not special; the difference between any two products \(\mathbf {A}_{i} \cdot \mathbf {C}_{i+1} \cdot \mathbf {C}_{i+2} \cdots \mathbf {C}_{i}\) for distinct values of \(i \in \mathbb {Z}_{k}\) would work equally well.

Remark 3

The number and order of ciphertexts in an encryption cycle is also not too important. The \(\mathsf {Test}\) algorithm naturally generalizes to work on any \(k'\) public keys and ciphertexts indexed by an ordered set \(S \subseteq \mathbb {Z}_{k}\), for \(2 \le k' \le k\). We simply take the difference of two products \(\mathbf {A}_{i} \cdot \prod _{j \in S} \mathbf {C}_{j}\) for two distinct i, where the order of indices j cyclically follows the order of S and ends with \(j=i\).
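To make the role of the tensored secrets \(\mathbf{S}'_i\) concrete, here is an added toy model of the tester (example code written for this page, not the paper's construction). It replaces \(\mathsf{GenTrap}\), \(\mathsf{SamplePre}\) and the error terms by the exact inverse of a square public key over \(\mathbb{Z}_q\) for a small prime q, so it exercises only the algebraic identity behind Eq. (2): with zero error, \((\mathbf{L} - \mathbf{R}) \cdot \bar{\mathbf{I}}\) must vanish exactly on a cycle. The dimensions (\(N = n^k\), \(M = N\), \(\bar{M} = N/2\)), the prime q and the ranges of the secrets are arbitrary choices for the demonstration and give no security whatsoever. Besides a genuine cycle, `demo()` also runs the test on ciphertexts formed with unrelated matrices (the stand-in for encrypting zero) and on a cycle whose secrets are unstructured \(N \times N\) matrices instead of tensored ones; the last case shows that commutativity of the \(\mathbf{S}'_i\) is what makes the two products telescope to the same thing.

```python
import random


def identity(n):
    return [[1 if i == j else 0 for j in range(n)] for i in range(n)]


def kron(X, Y):
    rx, cx, ry, cy = len(X), len(X[0]), len(Y), len(Y[0])
    return [[X[i // ry][j // cy] * Y[i % ry][j % cy] for j in range(cx * cy)]
            for i in range(rx * ry)]


def matmul_mod(X, Y, q):
    return [[sum(X[i][h] * Y[h][j] for h in range(len(Y))) % q for j in range(len(Y[0]))]
            for i in range(len(X))]


def matsub_mod(X, Y, q):
    return [[(x - y) % q for x, y in zip(rx, ry)] for rx, ry in zip(X, Y)]


def inverse_mod(A, q):
    """Inverse of a square matrix over Z_q (q prime) by Gauss-Jordan elimination, or
    None if A is singular.  Stands in for the trapdoor here; its output is NOT short."""
    n = len(A)
    M = [[x % q for x in row] + identity(n)[i] for i, row in enumerate(A)]
    for col in range(n):
        piv = next((r for r in range(col, n) if M[r][col]), None)
        if piv is None:
            return None
        M[col], M[piv] = M[piv], M[col]
        inv = pow(M[col][col], -1, q)
        M[col] = [(x * inv) % q for x in M[col]]
        for r in range(n):
            if r != col and M[r][col]:
                f = M[r][col]
                M[r] = [(x - f * y) % q for x, y in zip(M[r], M[col])]
    return [row[n:] for row in M]


def commute(X, Y, q):
    return matmul_mod(X, Y, q) == matmul_mod(Y, X, q)


def tensored_secret(S, i, k, n):
    """S'_i = I_{n^i} (x) S (x) I_{n^{k-i-1}}: S placed in slot i of a k-fold tensor product."""
    return kron(kron(identity(n ** i), S), identity(n ** (k - i - 1)))


def small_matrix(rows, cols, rng, bound=2):
    """Matrix with entries in [-bound, bound], resampled if it happens to be all zero."""
    while True:
        X = [[rng.randrange(-bound, bound + 1) for _ in range(cols)] for _ in range(rows)]
        if any(x for row in X for x in row):
            return X


def random_invertible(N, q, rng, prefix=None):
    """Uniform invertible N x N matrix over Z_q; `prefix` fixes its first columns
    (the Abar shared by all public keys)."""
    while True:
        A = [[rng.randrange(q) for _ in range(N)] for _ in range(N)]
        if prefix is not None:
            for row, p in zip(A, prefix):
                row[:len(p)] = p
        if inverse_mod(A, q) is not None:
            return A


def encrypt_exact(A_trap, S_prime, A_i, q):
    """Toy Enc: C = A^{-1}[S'_i * A_i] with an exact inverse (no error, no Gaussian
    preimage); A_trap is the public key whose 'trapdoor' is being encrypted."""
    return matmul_mod(inverse_mod(A_trap, q), matmul_mod(S_prime, A_i, q), q)


def cycle_test(A, C, Mbar, q):
    """Eq. (2) without noise: (A_{k-1} C_0 ... C_{k-1} - A_0 C_1 ... C_{k-1} C_0) * Ibar == 0 ?
    Multiplying by Ibar keeps the first Mbar columns, on which every A_i equals Abar."""
    k = len(A)
    L = A[k - 1]
    for j in range(k):
        L = matmul_mod(L, C[j], q)
    R = A[0]
    for j in list(range(1, k)) + [0]:
        R = matmul_mod(R, C[j], q)
    D = matsub_mod(L, R, q)
    return all(D[i][j] == 0 for i in range(len(D)) for j in range(Mbar))


def demo(k=3, n=2, q=101, seed=7):
    """Run the toy tester on a genuine cycle, on 'junk' ciphertexts, and on a cycle whose
    secrets are unstructured (non-commuting).  All parameters are constructed demo values."""
    rng = random.Random(seed)
    N = n ** k
    Mbar = N // 2
    Abar = [[rng.randrange(q) for _ in range(Mbar)] for _ in range(N)]
    A = [random_invertible(N, q, rng, prefix=Abar) for _ in range(k)]
    Sp = [tensored_secret(small_matrix(n, n, rng), i, k, n) for i in range(k)]
    # Cycle: C_i encrypts the trapdoor of A_{i-1}, so the A^{-1} step uses A_{i-1}.
    C_cycle = [encrypt_exact(A[(i - 1) % k], Sp[i], A[i], q) for i in range(k)]
    # Non-cycle: C_i is formed with an unrelated matrix V_i (stand-in for encrypting zero).
    C_junk = [encrypt_exact(random_invertible(N, q, rng), Sp[i], A[i], q) for i in range(k)]
    # Cycle with generic N x N secrets: no tensor structure, so the S'_i no longer commute.
    Sbig = [small_matrix(N, N, rng) for _ in range(k)]
    C_untensored = [encrypt_exact(A[(i - 1) % k], Sbig[i], A[i], q) for i in range(k)]
    return {"cycle": cycle_test(A, C_cycle, Mbar, q),
            "non_cycle": cycle_test(A, C_junk, Mbar, q),
            "untensored": cycle_test(A, C_untensored, Mbar, q)}
```

In the real scheme the ciphertexts are short preimages and the \(\mathbf{E}_i\) are nonzero, so the exact zero here becomes the \((-q/4, q/4)\) window of Eq. (2) and the spectral-norm bookkeeping of Sect. 3.2; the telescoping itself, and its dependence on \(\mathbf{S}'_i \mathbf{S}'_j = \mathbf{S}'_j \mathbf{S}'_i\), is the same.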

In the remainder of this section we prove the following theorem:

Theorem 1

For any constant \(k \ge 2\) and a sufficiently large \(q = \tilde{O}(n^{3(k^{2}-1)/2})\), the above scheme is a \(k'\)-cycle tester for \(2 \le k' \le k\), assuming the hardness of decision-LWE\(_{n,q,\chi ,M \cdot n^{k-1}}\).

Recall that the LWE instantiation from Theorem 1 is at least as hard as (quantumly) approximating certain lattice problems on n-dimensional lattices, in the worst case, to within \(\tilde{O}(n^{3k^{2}/2 - 1}) = \mathrm{poly}(n)\) factors, which is conjectured to be exponentially hard in n.

In Sect. 3.1 below we prove IND-CPA security, in Sect. 3.2 we show that \(\mathsf {Test} \) almost always accepts on an encryption cycle, and in Sect. 3.3 we show that \(\mathsf {Test} \) almost never accepts on a non-cycle. Together these prove Theorem 1.

3.1 Security

Lemma 2

The tuple \((\mathsf {Setup}, \mathsf {Gen}, \mathsf {Enc})\) is IND-CPA secure under the LWE assumption from Theorem 1.

Proof

We consider the following sequence of hybrid experiments, showing that adjacent hybrids are indistinguishable (either computationally or statistically), and that the last one does not depend on the adversary’s choice of challenge message, which proves the claim. For simplicity, assume that the adversary names some target identity \(i \in \mathbb {Z}_{k}\) at the start of the IND-CPA game. (The proof easily adapts to the case where the adversary adaptively chooses i after seeing all the public keys.)

  • Hybrid 1: Here the matrix \(\mathbf {A}_{i} \in \mathbb {Z}_q^{N \times M}\) in the public key is generated uniformly at random, instead of by \(\mathsf {GenTrap} \). By Item 2 of Proposition 2, this experiment is statistically indistinguishable from the real IND-CPA game.

  • Hybrid 2: Here the matrix \(\mathbf {B}_{i} \in \mathbb {Z}_q^{N \times M}\) given as input to the \(\mathbf {A}^{-1}\) operation is chosen uniformly at random, rather than as \(\mathbf {B}_{i} = \mathbf {S}'_{i} \cdot \mathbf {A}_{i} + \mathbf {E}_{i}\) (as in the previous hybrid).

    Using the tensored form of LWE, which by Lemma 1 is equivalent to the one appearing in the theorem statement, a straightforward reduction shows that this experiment is computationally indistinguishable from the previous one. Specifically, given an instance \((\mathbf {A}'; \mathbf {B}')\) of the tensored form of LWE, the reduction sets \(\mathbf {A}_{i} = \mathbf {A}'\), \(\mathbf {B}_{i} = \mathbf {B}'\), and finally lets \(\mathbf {C}_{i} \leftarrow \mathbf {A}^{-1}[\mathbf {B}_{i}]\), using the adversary’s challenge message to define \(\mathbf {A}\) and compute the \(\mathbf {A}^{-1}[\cdot ]\) operation (using the \(\mathsf {SamplePre} \) algorithm) in the usual way.

  • Hybrid 3: Here the matrix \(\mathbf {C}_{i}\) is drawn from \(D^{M}\), i.e., each column is independently drawn from D, instead of by invoking \(\mathbf {A}^{-1}[\mathbf {B}_{i}]\) for a matrix \(\mathbf {A}\) defined by the adversary’s challenge message.

    We claim that for any choice of \(\bar{\mathbf {A}}\) and challenge message, this experiment is within negligible statistical distance of the previous one. This follows immediately by Item 3 of Proposition 2, applied across each pair of corresponding columns of the uniformly random \(\mathbf {B}_{i}\) and of \(\mathbf {C}_{i}\).

Clearly, the final hybrid experiment does not depend on the adversary’s choice of challenge message, so the proof is complete.

3.2 Testing an Encryption Cycle

Lemma 3

For a sufficiently large \(q = \tilde{O}(n^{3(k^{2}-1)/2})\), the \(\mathsf {Test}\) algorithm accepts with all but negligible probability when given an encryption k-cycle, i.e., in Game 0 of Definition 2.

Remark 4

The lemma and its proof easily adapt to the case where \(\mathsf {Test}\) is given a \(k'\)-cycle for \(2 \le k' \le k\), as described in Remark 3. This is because the matrices \(\mathbf {S}'_{i}\) commute with each other under multiplication, and the error terms are no larger in size and number.

Proof

We have \(((i, \mathbf {A}_{i}), \mathbf {R}_{i}) \leftarrow \mathsf {Gen} (i, \bar{\mathbf {A}})\) and \(\mathbf {C}_{i} \leftarrow \mathsf {Enc} ((i, \mathbf {A}_{i}), \mathbf {R}_{i-1})\) for each \(i \in \mathbb {Z}_{k}\), where all arithmetic in the subscripts is modulo k. Notice that when encrypting secret key \(\mathbf {R}_{i-1}\) to produce \(\mathbf {C}_{i}\), the encryption algorithm performs the \(\mathbf {A}^{-1}\) operation for \(\mathbf {A}= \mathbf {A}_{i-1}\). We therefore have

$$\begin{aligned} \mathbf {C}_{i}&\leftarrow \mathbf {A}_{i-1}^{-1} [ {\mathbf {S}'_{i} \cdot \mathbf {A}_{i} + \mathbf {E}_{i}}] \in \mathbb {Z}^{M \times M} \\ \text {where} \quad \mathbf {S}'_{i}&= (\mathbf{I }_{n^{i}} \otimes \mathbf {S}_{i} \otimes \mathbf{I }_{n^{k-i-1}}) \\&= (\underbrace{\mathbf{I }_{n} \otimes \cdots \otimes \mathbf{I }_{n}}_{i \text { terms}} {} \otimes \mathbf {S}_{i} \otimes \underbrace{\mathbf{I }_{n} \otimes \cdots \otimes \mathbf{I }_{n}}_{k-i-1 \text { terms}}) \in \mathbb {Z}^{N \times N} \end{aligned}$$

for some secret matrices \(\mathbf {S}_{i}\) and error matrices \(\mathbf {E}_{i}\). Notice that because each \(\mathbf {S}_{i}\) appears in a different position in its tensor product, the mixed-product property implies that the matrices \(\mathbf {S}'_{i}\) commute with each other under multiplication, i.e.,

$$\begin{aligned} \mathbf {S}'_{i} \cdot \mathbf {S}'_{j} = \mathbf {S}'_{j} \cdot \mathbf {S}'_{i}. \end{aligned}$$

Now observe that in Eq. (2), the minuend (left-hand term) of the difference expands as

$$\begin{aligned} \mathbf {L}&:= \mathbf {A}_{k-1} \cdot \mathbf {A}_{k-1}^{-1} [\mathbf {S}'_{0} \cdot \mathbf {A}_{0} + \mathbf {E}_{0}] \cdot \mathbf {C}_{1} \cdots \mathbf {C}_{k-1} \\&\approx \mathbf {S}'_{0} \cdot \mathbf {A}_{0} \cdot \mathbf {A}_{0}^{-1} [\mathbf {S}'_{1} \cdot \mathbf {A}_{1} + \mathbf {E}_{1}] \cdot \mathbf {C}_{2} \cdots \mathbf {C}_{k-1}&\text {(error }\mathbf {E}_{0} \cdot \mathbf {C}_{1} \cdots \mathbf {C}_{k-1}\text {)} \\&\approx \mathbf {S}'_{0} \cdot \mathbf {S}'_{1} \cdot \mathbf {A}_{1} \cdot \mathbf {A}_{1}^{-1}[\mathbf {S}'_{2} \cdot \mathbf {A}_{2} + \mathbf {E}_{2}] \cdot \mathbf {C}_{3} \cdots \mathbf {C}_{k-1}&\text {(error }\mathbf {S}'_{0} \cdot \mathbf {E}_{1} \cdot \mathbf {C}_{2} \cdots \mathbf {C}_{k-1}\text {)} \\&\cdots \\&\approx \mathbf {S}'_{0} \cdots \mathbf {S}'_{k-1} \cdot \mathbf {A}_{k-1}.&\text {(error }\mathbf {S}'_{0} \cdots \mathbf {S}'_{k-2} \cdot \mathbf {E}_{k-1}\text {)} \end{aligned}$$

(We analyze the error terms below.) Similarly, the subtrahend (right-hand term) of the difference expands in the same way as

$$\begin{aligned} \mathbf {R}:= \mathbf {A}_{0} \cdot \mathbf {C}_{1} \cdots \mathbf {C}_{k-1} \cdot \mathbf {C}_{0}&\approx \mathbf {S}'_{1} \cdots \mathbf {S}'_{k-1} \cdot \mathbf {S}'_{0} \cdot \mathbf {A}_{0} \\&= \mathbf {S}'_{0} \cdot \mathbf {S}'_{1} \cdots \mathbf {S}'_{k-1} \cdot \mathbf {A}_{0}, \end{aligned}$$

with error terms as in the previous expansion, but with all the subscripts incremented (modulo k). Finally, observe that

$$\begin{aligned} (\mathbf {L}- \mathbf {R}) \cdot \bar{\mathbf{I }} \approx \mathbf {S}'_{0} \cdots \mathbf {S}'_{k-1} \cdot (\mathbf {A}_{k-1} - \mathbf {A}_{0}) \cdot \bar{\mathbf{I }} = \mathbf {0}, \end{aligned}$$

where the approximation includes the errors (times \(\bar{\mathbf{I }}\)) from both of the above expansions.

It remains to analyze the error terms from the above expansions. Recall that each \(\mathbf {E}_{i}\) and \(\mathbf {S}_{i}\) is made up of independent entries drawn from \(\chi \), which is subgaussian with parameter \(O(\sqrt{n})\). Similarly, by Item 4 of Proposition 2, every \(\mathbf {C}_{i}\) has independent subgaussian columns with parameter \(\tilde{O}(M)\). Therefore, by Proposition 1,

$$ s_{1}(\mathbf {E}_{i}) = O(\sqrt{nM}), \quad s_{1}(\mathbf {S}'_{i}) = s_{1}(\mathbf {S}_{i}) = O(n), \quad s_{1}(\mathbf {C}_{i}) = \tilde{O}(M^{3/2}) $$

except with negligible probability. It follows that in the analysis of \(\mathbf {L}, \mathbf {R}\) above, the spectral norm of each error matrix—and thereby the magnitude of every entry—is bounded by \(\tilde{O}(n^{1/2} \cdot M^{3k/2-1})\). Taking a sufficiently large \(q = \tilde{O}(n^{3(k^{2}-1)/2})\) ensures that every entry in the sum of the error matrices has magnitude less than q / 4, so the tester accepts.

3.3 Testing a Non-cycle

Lemma 4

Under the LWE assumption from Theorem 1, the \(\mathsf {Test}\) algorithm accepts with only negligible probability when given ciphertexts that all encrypt zero, i.e., in Game 1 of Definition 2.

Proof

We consider the following sequence of hybrid experiments for generating the tester’s input. We show that successive hybrids are indistinguishable (either computationally or statistically), which implies that the tester’s acceptance probability differs by only a negligible amount in successive hybrids. Moreover, we show that its acceptance probability in the final hybrid is exponentially small, which proves the claim. 

  • Hybrid 1: Here the public keys \(\mathbf {A}_{i}\) are uniformly random and independent (modulo their common prefix \(\bar{\mathbf {A}}\)), and each ciphertext \(\mathbf {C}_{i}\) is independently sampled from \(D^{M}\). Following the proof of Lemma 2, this experiment is computationally indistinguishable from the real one (under the LWE assumption), and hence the tester’s acceptance probability is only negligibly different in the two experiments.

  • Hybrids 2, 3, ..., \(k+1\) : In hybrid 2, in the cycle-test algorithm (Eq. (2)) we replace \(\mathbf {A}_{k-1} \cdot \mathbf {C}_{0}\) with a uniformly random \(\mathbf {A}'_{0}\), and similarly replace \(\mathbf {A}_{0} \cdot \mathbf {C}_{1}\) with a uniformly random \(\mathbf {A}'_{1}\) (both independent of everything else). Hybrids 3 through \(k+1\) are defined similarly, so that the final cycle-test algorithm simply tests whether \((\mathbf {A}'_{k-1} - \mathbf {A}'_{0}) \cdot \bar{\mathbf{I }} \in (-q/4,q/4) \pmod {q}\) for uniformly random and independent \(\mathbf {A}'_{k-1}, \mathbf {A}'_{0}\). Clearly, this test accepts with probability bounded by the negligible quantity \(2^{-N \cdot \bar{M}} \le 2^{-n}\). We claim that each of these hybrids is within negligible statistical distance of the previous one. For Hybrid 2 this follows by Item 1 of Proposition 2: because \(\mathbf {A}_{k-1}, \mathbf {A}_{0}\) are uniformly random, and \(\mathbf {C}_{0}, \mathbf {C}_{1}\) are independent, \(\mathbf {A}_{k-1} \cdot \mathbf {C}_{0}\) and \(\mathbf {A}_{0} \cdot \mathbf {C}_{1}\) are negligibly far from uniformly random and independent. (This is where we use the fact that \(k \ge 2\).) The same argument applies for subsequent hybrids. This completes the proof.

 

4 Ring-LWE Construction

In this section we present a k-cycle tester that is IND-CPA secure assuming the hardness of ring-LWE (RLWE), appropriately parameterized. The construction works very similarly to the plain LWE one from Sect. 3. However, it is not limited to constant \(k=O(1)\), but can be instantiated for any \(k=\mathrm{poly}(\lambda )\), because it does not use the tensoring technique. The scheme involves the following parameters:

  • the ring \(R = \mathbb {Z}[X]/(X^{n}+1)\) for power-of-two n, the standard ring-LWE error distribution \(\chi \) over R, and an integer modulus q (which we instantiate below);

  • \(\bar{m} < m = \tilde{O}(\log q)\), where \(\bar{m}, m\) are the dimensions associated with the ring-based \(\mathsf {GenTrap} \) for parameters Rq;

  • The secret-key and message spaces are both \(\mathcal {R}\), the randomness/trapdoor space of the ring-based \(\mathsf {GenTrap} \).

The construction is as follows.

  • \(\mathsf {Setup} ()\): output a uniformly random \(\bar{\mathbf {a}} \in R_q^{\bar{m}}\).

  • \(\mathsf {Gen} (\bar{\mathbf {a}})\): let \(\mathbf {a}\leftarrow \mathsf {GenTrap} (\bar{\mathbf {a}}; \mathbf {R})\) for \(\mathbf {R}\leftarrow \mathcal {R}\). Output \(\mathbf {a}\) as the public key and the trapdoor \(\mathbf {R}\) as the secret key.

  • \(\mathsf {Enc} (\mathbf {a}, \mathbf {R}\in \mathcal {R})\): let \(\mathbf {v}\leftarrow \mathsf {GenTrap} (\bar{\mathbf {a}}; \mathbf {R})\) where \(\mathbf {v}\in R_q^m\). Choose \(s \leftarrow \chi \) and \(\mathbf {e}\leftarrow \chi ^{m}\). Output the ciphertext

    $$\begin{aligned} \mathbf {C}&\leftarrow \mathbf {v}^{-1}[s \cdot \mathbf {a}+ \mathbf {e}] \in R^{m \times m}, \end{aligned}$$

    where the \(\mathbf {v}^{-1}\) operation is performed using the trapdoor \(\mathbf {R}\).

  • \(\mathsf {Test} ((\mathbf {a}_{i}, \mathbf {C}_{i})_{i \in \mathbb {Z}_{k}})\): Given public keys \(\mathbf {a}_{i}\) and ciphertexts \(\mathbf {C}_{i}\), check whether

    $$\begin{aligned} (\mathbf {a}_{k - 1} \cdot \mathbf {C}_{0} \cdot \mathbf {C}_{1} \cdots \mathbf {C}_{k-1} - \mathbf {a}_{0} \cdot \mathbf {C}_{1} \cdots \mathbf {C}_{k-1} \cdot \mathbf {C}_{0}) \cdot \bar{\mathbf{I }} \in \mathcal {Q}^{\bar{m}} \pmod {q}, \end{aligned}$$
    (3)

    where \(\bar{\mathbf{I }} \in R^{m \times \bar{m}}\) selects the first \(\bar{m}\) components (so that \(\mathbf {a}_{i} \cdot \bar{\mathbf{I }} = \bar{\mathbf {a}}\) for every i), and \(\mathcal {Q} \subseteq R\) is the set of ring elements whose coefficients (with respect to the standard power basis) all lie in \((-q/4, q/4)\).

In the remainder of this section we prove the following theorem:

Theorem 2

For any \(k = \mathrm{poly}(\lambda )\) and a sufficiently large \(q = \tilde{O}(nk)^{O(k)}\), the above scheme is a \(k'\)-cycle tester for \(2 \le k' \le k\), assuming the hardness of decision-RLWE\(_{R,q,\chi ,m}\).

Recall that the Ring-LWE instantiation from Theorem 2 is at least as hard as (quantumly) approximating certain lattice problems on ideal lattices in R, in the worst case, to within \(\tilde{O}(nk)^{O(k)}\) factors.

Lemma 5 below establishes IND-CPA security. In Sect. 4.1 we show that \(\mathsf {Test} \) almost always accepts on an encryption cycle, and in Sect. 4.2 we show that \(\mathsf {Test} \) almost never accepts on a non-cycle. Together these prove Theorem 2.

Lemma 5

The tuple \((\mathsf {Setup}, \mathsf {Gen}, \mathsf {Enc})\) is IND-CPA secure under the RLWE assumption from Theorem 2.

Due to space restrictions, we omit the proof, which proceeds very similarly to the proof of Lemma 2.

4.1 Testing an Encryption Cycle

Lemma 6

For a sufficiently large \(q = \tilde{O}(nk)^{O(k)}\), the \(\mathsf {Test}\) algorithm accepts with all but negligible probability when given an encryption k-cycle, i.e., in Game 0 of Definition 2.

Proof

For input \((\mathbf {a}_{i}, \mathbf {C}_{i})_{i \in \mathbb {Z}_{k}}\), we have

$$\begin{aligned} \mathbf {C}_{i}&\leftarrow \mathbf {a}_{i-1}^{-1} [{s_{i}\cdot \mathbf {a}_{i} + \mathbf {e}_{i}}] \end{aligned}$$

for some \(s_{i} \leftarrow \chi \) and \(\mathbf {e}_{i} \leftarrow \chi ^{m}\). Moreover, by commutativity of R we have \(s_is_j = s_js_i\) for any \(i, j \in \mathbb {Z}_{k}\). Now for the left-hand term of Eq. (3) we have

$$\begin{aligned} \mathbf {l}&:= \mathbf {a}_{k-1} \cdot \mathbf {a}_{k-1}^{-1} [s_{0}\cdot \mathbf {a}_{0}+ \mathbf {e}_{0}] \cdot \mathbf {C}_{1} \cdots \mathbf {C}_{k-1} \\&\approx s_{0} \cdot \mathbf {a}_{0} \cdot \mathbf {a}_{0}^{-1} [s_{1} \cdot \mathbf {a}_{1} + \mathbf {e}_{1}] \cdot \mathbf {C}_{2} \cdots \mathbf {C}_{k-1}&\text {(error }\mathbf {e}_{0} \cdot \mathbf {C}_{1} \cdots \mathbf {C}_{k-1}\text {)} \\&\approx s_{0} \cdot s_{1} \cdot \mathbf {a}_{1} \cdot \mathbf {a}_{1}^{-1}[s_{2} \cdot \mathbf {a}_{2} + \mathbf {e}_{2}] \cdot \mathbf {C}_{3} \cdots \mathbf {C}_{k-1}&\text {(error }s_{0} \cdot \mathbf {e}_{1} \cdot \mathbf {C}_{2} \cdots \mathbf {C}_{k-1}\text {)} \\&\cdots \\&\approx s_{0} \cdots s_{k-1} \cdot \mathbf {a}_{k-1}.&\text {(error }s_{0} \cdots s_{k-2} \cdot \mathbf {e}_{k-1}\text {)} \end{aligned}$$

(We analyze the error terms below.) Similarly, for the right-hand term of Eq. (3), we have

$$\begin{aligned} \mathbf {r}:= \mathbf {a}_{0} \cdot \mathbf {C}_{1} \cdots \mathbf {C}_{k-1} \cdot \mathbf {C}_{0}&\approx s_{1} \cdots s_{k-1} \cdot s_{0} \cdot \mathbf {a}_{0} \\&= s_{0} \cdots s_{k-1} \cdot \mathbf {a}_{0}, \end{aligned}$$

with error terms as in the previous expansion, but with all the subscripts incremented (modulo k). Therefore,

$$\begin{aligned} (\mathbf {l}- \mathbf {r}) \cdot \bar{\mathbf{I }} \approx s_{0} \cdots s_{k-1} \cdot (\mathbf {a}_{k-1} - \mathbf {a}_{0}) \cdot \bar{\mathbf{I }} = \mathbf {0}, \end{aligned}$$

where the approximation includes the errors from the expansions of both \(\mathbf {l}\) and \(\mathbf {r}\), and where we use the fact that \(\mathbf {a}_i \cdot \bar{\mathbf{I }} = \bar{\mathbf {a}}\) for every \(i \in \mathbb {Z}_k\).

It remains to analyze the error terms. Recall that each \(\mathbf {e}_i\) is made up of independent entries from \(\chi \), and each secret \(s_i\) is also drawn from \(\chi \). Lastly, each ciphertext \(\mathbf {C}_{i} \in R^{m \times m}\) is drawn as some \(\mathbf {a}^{-1}[\cdot ]\). Then by Eq. (1), Proposition 3, and Item 4 of Proposition 5, we have (except with negligible probability)

$$ s_1(s_i) \le n^c, \quad s_1(\mathbf {e}_i) \le \sqrt{m}\cdot n^c, \quad s_1(\mathbf {C}_i) \le m\cdot n^{c} $$

for some universal constant \(c > 1\). Let \(\mathbf {e}\) denote the sum of all the error terms in the above approximations for \(\mathbf {l}, \mathbf {r}\). We have

$$ ||{\mathbf {e}}||_{\infty } \le s_1(\mathbf {e}) \le 2k\cdot m^{k-1}\cdot n^{ck}. $$

Because \(m=\tilde{O}(\log q)\), for a sufficiently large \(q = \tilde{O}(nk)^{O(k)}\), Proposition 4 guarantees that every coefficient of every entry of \(\mathbf {e}\) has magnitude less than q / 4. Therefore \(\mathbf {e}\in \mathcal {Q}^{m}\), hence \(\mathbf {e}\cdot \bar{\mathbf{I }} \in \mathcal {Q}^{\bar{m}}\), and \(\mathsf {Test}\) accepts, as desired.

4.2 Testing a Non-cycle

Lemma 7

Under the same RLWE assumption from Theorem 2, for \(k \ge 2\) the \(\mathsf {Test}\) algorithm accepts with only negligible probability on ciphertexts that all encrypt zero, i.e., in Game 1 of Definition 2.

Proof

We consider the following sequence of hybrids. We show that adjacent hybrids are indistinguishable, either computationally or statistically. Hence, the tester’s acceptance probability differs by only a negligible amount in successive hybrids.

  • Hybrid 1: In this hybrid, the public keys are uniformly random and independent (modulo their common prefix \(\bar{\mathbf {a}}\)), and each ciphertext is sampled independently from \(D^m\). Following the proof of Lemma 5, this hybrid is computationally indistinguishable from the real game.

  • Hybrids 2, 3, ..., \(k+1\) : In the second hybrid, in Eq. (3) we replace \(\mathbf {a}_{k - 1} \cdot \mathbf {C}_{0}\) with a uniformly random \(\mathbf {a}'_{0}\) and replace \(\mathbf {a}_{0} \cdot \mathbf {C}_{1}\) with a uniformly random \(\mathbf {a}'_{1}\). We define hybrids 3 through \(k + 1\) similarly. Hence, the final algorithm tests whether \((\mathbf {a}'_{k - 1} - \mathbf {a}'_{0}) \cdot \bar{\mathbf{I }} \in \mathcal {Q}^{\bar{m}}\), where both terms in the difference are uniformly random and independent. The acceptance probability is therefore bounded by \(2^{-n}\). Statistical indistinguishability of each of these hybrids from the previous one follows by Item 1 of Proposition 5. Therefore, the algorithm rejects on non-cycles with high probability, and the proof is complete.