At Asiacrypt’25, Lapiha and Prest proposed a lattice-based IND-CCA threshold key-encapsulation mechanism (TKEM  ) obtained from a threshold identity-based encryption (TIBE  ) and a signature scheme. Their construction relies on a variant of the Boneh-Canetti-Halevi-Katz (BCHK) transform, instantiated with a lattice-based TIBE  . However it suffers from large ciphertexts at 540 KiB for \(\mathsf{\kappa }= 128\) bits of security. We present substantial improvements to their TIBE  , resulting in the first concretely efficient lattice-based IND-CCA TKEM  , with ciphertexts just under 30 KiB for a threshold \(T = 32\) , \(Q= 2^{45}\) queries, and the same \(\mathsf{\kappa }\) . Our design simplifies the original framework by leveraging the power of random oracles already present in their construction. We further enhance efficiency by adopting approximate computations where appropriate and by replacing module-NTRU trapdoors with NTRU trapdoors, achieving a remarkable eighteenfold reduction in ciphertext size. Finally, leveraging recent developments in secret sharing, we ensure the verifiability of key-extraction shares even in the presence of malicious parties.

错误:搜索内容不能为空,请输入英文关键词
错误:关键词超出字数限制,请精简
高级检索

IND-CCA Lattice Threshold KEM Under 30 KiB

  • Katharina Boudgoust,
  • Rafaël del Pino,
  • Oleksandra Lapiha,
  • Thomas Prest

摘要

At Asiacrypt’25, Lapiha and Prest proposed a lattice-based IND-CCA threshold key-encapsulation mechanism (TKEM  ) obtained from a threshold identity-based encryption (TIBE  ) and a signature scheme. Their construction relies on a variant of the Boneh-Canetti-Halevi-Katz (BCHK) transform, instantiated with a lattice-based TIBE  . However it suffers from large ciphertexts at 540 KiB for \(\mathsf{\kappa }= 128\) bits of security. We present substantial improvements to their TIBE  , resulting in the first concretely efficient lattice-based IND-CCA TKEM  , with ciphertexts just under 30 KiB for a threshold \(T = 32\) , \(Q= 2^{45}\) queries, and the same \(\mathsf{\kappa }\) . Our design simplifies the original framework by leveraging the power of random oracles already present in their construction. We further enhance efficiency by adopting approximate computations where appropriate and by replacing module-NTRU trapdoors with NTRU trapdoors, achieving a remarkable eighteenfold reduction in ciphertext size. Finally, leveraging recent developments in secret sharing, we ensure the verifiability of key-extraction shares even in the presence of malicious parties.