Improved lattice-based CCA2-secure PKE in the standard model

Based on the identity-based encryption(IBE) from lattices by Agrawal et al.(Eurocrypt’10),Micciancio and Peikert(Eurocrypt’12) presented a CCA1-secure public-key encryption(PKE), which has the best known efficiency in the standard model and can be used to obtain a CCA2-secure PKE from lattices by using the generic BCHK transform(SIAM J Comput, 2006) with a cost of introducing extra overheads to both computation and storage for the use of other primitives such as signatures and commitments. In this paper, we propose a more efficient standard model CCA2-secure PKE from lattices by carefully combining a different message encoding(which encodes the message into the most significant bits of the LWE’s "secret term") with several nice algebraic properties of the tag-based lattice trapdoor and the LWE problem(such as unique witness and additive homomorphism). Compared to the best known lattice-based CCA1-secure PKE in the standard model due to Micciancio and Peikert(Eurocrypt’12), we not only directly achieve the CCA2-security without using any generic transform(and thus do not use signatures or commitments), but also reduce the noise parameter roughly by a factor of 3. This improvement makes our CCA2-secure PKE more efficient in terms of both computation and storage. In particular, when encrypting a 256-bit(respectively,512-bit) message at 128-bit(respectively, 256-bit) security, the ciphertext size of our CCA2-secure PKE is even 33%–44%(respectively, 36%–46%) smaller than that of their CCA1-secure PKE.