Three’s compromised too: Circular insecurity for any cycle length from (Ring-)LWE

Abstract

A public-key encryption scheme is k-circular secure if a cycle of k encrypted secret keys, (Enc_{pk_1}(sk_2), Enc_{pk_2}(sk_3), ..., Enc_{pk_k}(sk_1)), is indistinguishable from encryptions of zeros under the same keys. Circular security has applications in a wide variety of settings, ranging from the security of symbolic protocols to fully homomorphic encryption. A fundamental question is whether standard security notions like IND-CPA/CCA imply k-circular security. For the case k = 2, several works over the past years have constructed counterexamples—i.e., schemes that are CPA or even CCA secure but not 2-circular secure—under a variety of well-studied assumptions (SXDH, decision linear, and LWE). However, for k > 2 the only known counterexamples are based on strong general-purpose obfuscation assumptions. In this work we construct k-circular security counterexamples for any k ≥ 2 based on (ring-)LWE. Specifically:
- for any constant k = O(1), we construct a counterexample based on n-dimensional (plain) LWE for poly(n) approximation factors;
- for any k = poly(λ), we construct one based on degree-n ring-LWE for at most subexponential exp(n^ε) approximation factors.
Moreover, both schemes are k′-circular insecure for every 2 ≤ k′ ≤ k. Notably, our ring-LWE construction does not immediately translate to an LWE-based one, because matrix multiplication is not commutative. To overcome this, we introduce a new “tensored” variant of LWE which provides the desired commutativity, and which we prove is actually equivalent to plain LWE.

Citation (APA)

Alamati, N., & Peikert, C. (2016). Three’s compromised too: Circular insecurity for any cycle length from (Ring-)LWE. In Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics) (Vol. 9815, pp. 659–680). Springer Verlag. https://doi.org/10.1007/978-3-662-53008-5_23
