Three's Compromised Too: Circular Insecurity for Any Cycle Length from (Ring-)LWE

Informally, a public-key encryption scheme is k-circular secure if a cycle of k encrypted secret keys (Encpk1(sk2),Encpk2(sk3), . . . ,Encpkk(sk1)) is indistinguishable from encryptions of zeros. Circular security has applications in a wide variety of settings, ranging from security of symbolic protocols to fully homomorphic encryption. A fundamental question is whether standard security notions like IND-CPA/CCA imply k-circular security. For the case k = 2, several works over the past years have constructed counterexamples—i.e., schemes that are CPA or even CCA secure but not 2-circular secure—under a variety of well-studied assumptions (SXDH, decision linear, and LWE). However, for k > 2 the only known counterexamples are based on strong general-purpose obfuscation assumptions. In this work we construct k-circular security counterexamples for any k ≥ 2 based on (ring-)LWE. Specifically: • for any constant k = O(1), we construct a counterexample based on n-dimensional (plain) LWE for poly(n) approximation factors; • for any k = poly(λ), we construct one based on degree-n ring-LWE for at most subexponential exp(n) factors. Moreover, both schemes are k′-circular insecure for 2 ≤ k′ ≤ k. Notably, our ring-LWE construction does not immediately translate to an LWE-based one, because matrix multiplication is not commutative. To overcome this, we introduce a new “tensored” variant of LWE which provides the desired commutativity, and which we prove is actually equivalent to plain LWE. ∗Computer Science and Engineering, University of Michigan. Email: [email protected] †Computer Science and Engineering, University of Michigan. Email: [email protected]. This material is based upon work supported by the National Science Foundation under CAREER Award CCF-1054495 and CNS-1606362, and by the Alfred P. Sloan Foundation. The views expressed are those of the authors and do not necessarily reflect the official policy or position of the National Science Foundation or the Sloan Foundation.