Results 1 to 10 of 35
GGHLite: More Efficient Multilinear Maps from Ideal Lattices
Cited by 26 (5 self)
The GGH Graded Encoding Scheme [10], based on ideal lattices, is the first plausible approximation to a cryptographic multilinear map. Unfortunately, using the security analysis in [10], the scheme requires very large parameters to provide security for its underlying “encoding rerandomization” process. Our main contributions are to formalize, simplify and improve the efficiency and the security analysis of the rerandomization process in the GGH construction. This results in a new construction that we call GGHLite. In particular, we first lower the size of a standard deviation parameter of the rerandomization process of [10] from exponential to polynomial in the security parameter. This first improvement is obtained via a finer security analysis of the “drowning” step of rerandomization, in which we apply the Rényi divergence instead of the conventional statistical distance as a measure of distance between distributions. Our second improvement is to reduce the number of randomizers needed from Ω(n log n) to 2, where n is the dimension of the underlying ideal lattices. These two contributions allow us to decrease the bit size of the public parameters from O(λ^5 log λ) for the GGH scheme to O(λ log^2 λ) in GGHLite, with respect to the security parameter λ (for a constant multilinearity parameter κ).
A toolkit for ring-LWE cryptography
In EUROCRYPT, 2013
Cited by 21 (7 self)
Recent advances in lattice cryptography, mainly stemming from the development of ring-based primitives such as ring-LWE, have made it possible to design cryptographic schemes whose efficiency is competitive with that of more traditional number-theoretic ones, along with entirely new applications like fully homomorphic encryption. Unfortunately, realizing the full potential of ring-based cryptography has so far been hindered by a lack of practical algorithms and analytical tools for working in this context. As a result, most previous works have focused on very special classes of rings such as power-of-two cyclotomics, which significantly restricts the possible applications. We bridge this gap by introducing a toolkit of fast, modular algorithms and analytical techniques that can be used in a wide variety of ring-based cryptographic applications, particularly those built around ring-LWE. Our techniques yield applications that work in arbitrary cyclotomic rings, with no loss in their underlying worst-case hardness guarantees, and very little loss in computational efficiency, relative to power-of-two cyclotomics. To demonstrate the toolkit’s applicability, we develop a few illustrative applications: two variant public-key cryptosystems, and a “somewhat homomorphic” symmetric encryption scheme. Both apply to arbitrary cyclotomics, have tight parameters, and very efficient implementations.
Hardness of SIS and LWE with Small Parameters
2013
Cited by 16 (4 self)
The Short Integer Solution (SIS) and Learning With Errors (LWE) problems are the foundations for countless applications in lattice-based cryptography, and are provably as hard as approximate lattice problems in the worst case. An important question from both a practical and theoretical perspective is how small their parameters can be made, while preserving their hardness. We prove two main results on SIS and LWE with small parameters. For SIS, we show that the problem retains its hardness for moduli q ≥ β · n^δ for any constant δ > 0, where β is the bound on the Euclidean norm of the solution. This improves upon prior results which required q ≥ β · √(n log n), and is essentially optimal since the problem is trivially easy for q ≤ β. For LWE, we show that it remains hard even when the errors are small (e.g., uniformly random from {0, 1}), provided that the number of samples is small enough (e.g., linear in the dimension n of the LWE secret). Prior results required the errors to have magnitude at least √n and to come from a Gaussian-like distribution.
Improvement and Efficient Implementation of a Lattice-based Signature Scheme
2013
Cited by 13 (5 self)
Lattice-based signature schemes constitute an interesting alternative to RSA and discrete logarithm based systems which may become insecure in the future, for example due to the possibility of quantum attacks. A particularly interesting scheme in this context is the GPV signature scheme [GPV08] combined with the trapdoor construction from Micciancio and Peikert [MP12] as it admits strong security proofs and is believed to be very efficient in practice. This paper confirms this belief and shows how to improve the GPV scheme in terms of space and running time and presents an implementation of the optimized scheme. A ring variant of this scheme is also introduced which leads to a more efficient construction. Experimental results show that GPV with the new trapdoor construction is competitive to the signature schemes that are currently used in practice.
Practical Bootstrapping in Quasilinear Time
2013
Cited by 10 (3 self)
Gentry’s “bootstrapping” technique (STOC 2009) constructs a fully homomorphic encryption (FHE) scheme from a “somewhat homomorphic” one that is powerful enough to evaluate its own decryption function. To date, it remains the only known way of obtaining unbounded FHE. Unfortunately, bootstrapping is computationally very expensive, despite the great deal of effort that has been spent on improving its efficiency. The current state of the art, due to Gentry, Halevi, and Smart (PKC 2012), is able to bootstrap “packed” ciphertexts (which encrypt up to a linear number of bits) in time only quasilinear Õ(λ) = λ · log^O(1) λ in the security parameter. While this performance is asymptotically optimal up to logarithmic factors, the practical import is less clear: the procedure composes multiple layers of expensive and complex operations, to the point where it appears very difficult to implement, and its concrete runtime appears worse than those of prior methods (all of which have quadratic or larger asymptotic runtimes). In this work we give simple, practical, and entirely algebraic algorithms for bootstrapping in quasilinear time, for both “packed” and “non-packed” ciphertexts. Our methods are easy to implement (especially in the non-packed case), and we believe that they will be substantially more efficient in practice than all prior realizations of bootstrapping. One of our main techniques is a substantial enhancement of the
Key Homomorphic PRFs and Their Applications
2014
Cited by 10 (1 self)
A pseudorandom function F: K × X → Y is said to be key homomorphic if given F(k1, x) and F(k2, x) there is an efficient algorithm to compute F(k1 ⊕ k2, x), where ⊕ denotes a group operation on k1 and k2 such as xor. Key homomorphic PRFs are natural objects to study and have a number of interesting applications: they can simplify the process of rotating encryption keys for encrypted data stored in the cloud, they give one-round distributed PRFs, and they can be the basis of a symmetric-key proxy re-encryption scheme. Until now all known constructions for key homomorphic PRFs were only proven secure in the random oracle model. We construct the first provably secure key homomorphic PRFs in the standard model. Our main construction is based on the learning with errors (LWE) problem. In the proof of security we need a variant of LWE where query points are non-uniform and we show that this variant is as hard as the standard LWE. We also construct key homomorphic PRFs based on the decision linear assumption in groups with an ℓ-linear map. We leave as an open problem the question of constructing standard model key homomorphic PRFs from more general assumptions.
Message Authentication, Revisited
2012
Cited by 8 (2 self)
Traditionally, symmetric-key message authentication codes (MACs) are easily built from pseudorandom functions (PRFs). In this work we propose a wide variety of other approaches to building efficient MACs, without going through a PRF first. In particular, unlike deterministic PRF-based MACs, where each message has a unique valid tag, we give a number of probabilistic MAC constructions from various other primitives/assumptions. Our main results are summarized as follows:
• We show several new probabilistic MAC constructions from a variety of general assumptions, including CCA-secure encryption, Hash Proof Systems and key-homomorphic weak PRFs. By instantiating these frameworks under concrete number theoretic assumptions, we get several schemes which are more efficient than just using a state-of-the-art PRF instantiation under the corresponding assumption. For example, we obtain elegant DDH-based MACs with much shorter keys than the quadratic-sized key of the Naor-Reingold PRF. We also show that several natural (probabilistic) digital signature schemes, such as those by Boneh-Boyen and Waters, can be significantly optimized when “downgraded” into a MAC, both in
New and improved key-homomorphic pseudorandom functions. Cryptology ePrint Archive, Report 2014/074
2014
Cited by 8 (3 self)
A key-homomorphic pseudorandom function (PRF) family {F_s: D → R} allows one to efficiently compute the value F_{s+t}(x) given F_s(x) and F_t(x). Such functions have many applications, such as distributing the operation of a key-distribution center and updatable symmetric encryption. The only known construction of key-homomorphic PRFs without random oracles, due to Boneh et al. (CRYPTO 2013), is based on the learning with errors (LWE) problem and hence on worst-case lattice problems. However, the security proof relies on a very strong LWE assumption (i.e., very large approximation factors), and hence has quite inefficient parameter sizes and runtimes. In this work we give new constructions of key-homomorphic PRFs that are based on much weaker LWE assumptions, are much more efficient in time and space, and are still highly parallel. More specifically, we improve the LWE approximation factor from exponential in the input length to exponential in its logarithm (or less). For input length λ and 2^λ security against known lattice algorithms, we improve the key size from λ^3 to λ bits, the public parameters from λ^6 to λ^2 bits, and the runtime from λ^7 to λ^(ω+1) bit operations (ignoring polylogarithmic factors in λ), where ω ∈ [2, 2.373] is the exponent of matrix multiplication. In addition, we give even more efficient ring-LWE-based constructions whose key sizes, public parameters, and incremental runtimes on consecutive inputs are all quasilinear Õ(λ), which is optimal up to polylogarithmic factors. To our knowledge, these are the first low-depth PRFs (whether key homomorphic or not) enjoying any of these efficiency measures together with non-trivial proofs of 2^λ security under any conventional assumption.
Improved security proofs in lattice-based cryptography: using the Rényi divergence rather than the statistical distance
Cited by 6 (1 self)
The Rényi divergence is a means to measure the closeness of two distributions. We show that it can often be used as an alternative to the statistical distance in security proofs for lattice-based cryptography. Using the Rényi divergence is particularly suited for security proofs of primitives in which the attacker is required to solve a search problem (e.g., forging a signature). We show that it may also be used in the case of distinguishing problems (e.g., semantic security of encryption schemes), when they enjoy a public sampleability property. The techniques lead to security proofs for schemes with smaller parameters.
The Trojan Method in Functional Encryption: From Selective to Adaptive Security, Generically
Cited by 6 (3 self)
In a functional encryption (FE) scheme, the owner of the secret key can generate restricted decryption keys that allow users to learn specific functions of the encrypted messages and nothing else. In many known constructions of FE schemes, such a notion of security is guaranteed only for messages that are fixed ahead of time (i.e., before the adversary even interacts with the system). This is called selective security, which is too restrictive for many realistic applications. Achieving adaptive security (also called full security), where security is guaranteed even for messages that are adaptively chosen at any point in time, seems significantly more challenging. The handful of known fully-secure schemes are based on specifically tailored techniques that rely on strong assumptions (such as obfuscation assumptions or multilinear maps assumptions). In this paper we show that any sufficiently expressive selectively-secure FE scheme can be transformed into a fully secure one without introducing any additional assumptions. We present a direct black-box transformation, making novel use of hybrid encryption, a classical technique that was originally introduced for improving the efficiency of encryption schemes, combined with a new technique we call the Trojan Method. This method allows one to embed a secret execution thread in the functional keys of the underlying