Results 1–10 of 40
Lattice Signatures Without Trapdoors
Cited by 44 (9 self)
Abstract
We provide an alternative method for constructing lattice-based digital signatures which does not use the “hash-and-sign” methodology of Gentry, Peikert, and Vaikuntanathan (STOC 2008). Our resulting signature scheme is secure, in the random oracle model, based on the worst-case hardness of the Õ(n^1.5)-SIVP problem in general lattices. The secret key, public key, and the signature size of our scheme are smaller than in all previous instantiations of the hash-and-sign signature, and our signing algorithm is also quite simple, requiring just a few matrix-vector multiplications and rejection samplings. We then also show that by slightly changing the parameters, one can get even more efficient signatures that are based on the hardness of the Learning With Errors problem. Our construction naturally transfers to the ring setting, where the size of the public and secret keys can be significantly shrunk, which results in the most practical to-date provably secure signature scheme based on lattices.
Pseudorandom Functions and Lattices
2011
Cited by 35 (10 self)
Abstract
We give direct constructions of pseudorandom function (PRF) families based on conjectured hard lattice problems and learning problems. Our constructions are asymptotically efficient and highly parallelizable in a practical sense, i.e., they can be computed by simple, relatively small low-depth arithmetic or boolean circuits (e.g., in NC^1 or even TC^0). In addition, they are the first low-depth PRFs that have no known attack by efficient quantum algorithms. Central to our results is a new “derandomization” technique for the learning with errors (LWE) problem which, in effect, generates the error terms deterministically.

1 Introduction and Main Results

The past few years have seen significant progress in constructing public-key, identity-based, and homomorphic cryptographic schemes using lattices, e.g., [Reg05, PW08, GPV08, Gen09, CHKP10, ABB10a] and many more. Part of their appeal stems from provable worst-case hardness guarantees (starting with the seminal work of Ajtai [Ajt96]), good asymptotic efficiency and parallelism, and apparent resistance to quantum
Practical lattice-based cryptography: A signature scheme for embedded systems
CHES 2012, LNCS, 2012
Cited by 29 (6 self)
Abstract
Nearly all of the currently used and well-tested signature schemes (e.g. RSA or DSA) are based either on the factoring assumption or the presumed intractability of the discrete logarithm problem. Further algorithmic advances on these problems may lead to the unpleasant situation that a large number of schemes have to be replaced with alternatives. In this work we present such an alternative – a signature scheme whose security is derived from the hardness of lattice problems. It is based on recent theoretical advances in lattice-based cryptography and is highly optimized for practicability and use in embedded systems. The public and secret keys are roughly 12000 and 2000 bits long, while the signature size is approximately 9000 bits for a security level of around 100 bits. The implementation results on reconfigurable hardware (Spartan/Virtex 6) are very promising and show that the scheme is scalable, has low area consumption, and even outperforms some classical schemes.
Pseudorandom Knapsacks and the Sample Complexity of LWE ...
2011
Cited by 23 (2 self)
Abstract
We study under what conditions the conjectured one-wayness of the knapsack function (with polynomially bounded inputs) over an arbitrary finite abelian group implies that the output of the function is pseudorandom, i.e., computationally indistinguishable from a uniformly chosen group element. Previous work of Impagliazzo and Naor (J. Cryptology 9(4):199–216, 1996) considers only specific families of finite abelian groups and uniformly chosen random binary inputs. Our work substantially extends previous results and provides a much more general reduction that applies to arbitrary finite abelian groups and input distributions with polynomially bounded coefficients. As an application of the new result, we give sample preserving search-to-decision reductions for the Learning With Errors (LWE) problem, introduced
Hardness of SIS and LWE with Small Parameters
2013
Cited by 16 (4 self)
Abstract
The Short Integer Solution (SIS) and Learning With Errors (LWE) problems are the foundations for countless applications in lattice-based cryptography, and are provably as hard as approximate lattice problems in the worst case. An important question from both a practical and theoretical perspective is how small their parameters can be made, while preserving their hardness. We prove two main results on SIS and LWE with small parameters. For SIS, we show that the problem retains its hardness for moduli q ≥ β · n^δ for any constant δ > 0, where β is the bound on the Euclidean norm of the solution. This improves upon prior results which required q ≥ β · √(n log n), and is essentially optimal since the problem is trivially easy for q ≤ β. For LWE, we show that it remains hard even when the errors are small (e.g., uniformly random from {0, 1}), provided that the number of samples is small enough (e.g., linear in the dimension n of the LWE secret). Prior results required the errors to have magnitude at least √n and to come from a Gaussian-like distribution.
Sampling from discrete Gaussians for lattice-based cryptography on a constrained device
Appl. Algebra Eng. Commun. Comput.
Cited by 15 (0 self)
Abstract
Modern lattice-based public-key cryptosystems require sampling from discrete Gaussian (normal) distributions. The paper surveys algorithms to implement such sampling efficiently, with particular focus on the case of constrained devices with small on-board storage and without access to large numbers of external random bits. We review lattice-based encryption schemes and signature schemes and their requirements for sampling from discrete Gaussians. Finally, we make some remarks on challenges and potential solutions for practical lattice-based cryptography.
Software Speed Records for Lattice-Based Signatures
Cited by 11 (5 self)
Abstract
Novel public-key cryptosystems beyond RSA and ECC are urgently required to ensure long-term security in the era of quantum computing. The most critical issue in the construction of such cryptosystems is to achieve security and practicability at the same time. Recently, lattice-based constructions were proposed that combine both properties, such as the lattice-based digital signature scheme presented at CHES 2012. In this work, we present a first highly-optimized SIMD-based software implementation of that signature scheme targeting Intel’s Sandy Bridge and Ivy Bridge microarchitectures. This software computes a signature in only 634988 cycles on average on an Intel Core i5-3210M (Ivy Bridge) processor. Signature verification takes only 45036 cycles. This performance is achieved with full protection against timing attacks.
A dichotomy for local small-bias generators
Electronic Colloquium on Computational Complexity, 2011
Cited by 7 (2 self)
Abstract
We consider pseudorandom generators in which each output bit depends on a constant number of input bits. Such generators have appealingly simple structure: they can be described by a sparse input-output dependency graph G and a small predicate P that is applied at each output. Following the works of Cryan and Miltersen (MFCS’01) and by Mossel et al. (STOC’03), we ask: which graphs and predicates yield “small-bias” generators (that fool linear distinguishers)? We identify an explicit class of degenerate predicates and prove the following. For most graphs, all non-degenerate predicates yield small-bias generators, f: {0,1}^n → {0,1}^m, with output length m = n^{1+ɛ} for some constant ɛ > 0. Conversely, we show that for most graphs, degenerate predicates are not secure against linear distinguishers, even when the output length is linear, m = n + Ω(n). Taken together, these results expose a dichotomy: every predicate is either very hard or very easy, in the sense that it either yields a small-bias generator for almost all graphs or fails to do so for almost all graphs. As a secondary contribution, we attempt to support the view that small-bias is a good measure of pseudorandomness for local functions with large stretch. We do so by demonstrating that resilience to linear distinguishers implies resilience to a larger class of attacks.
Lattice Cryptography for the Internet
2014
Cited by 6 (1 self)
Abstract
In recent years, lattice-based cryptography has been recognized for its many attractive properties, such as strong provable security guarantees and apparent resistance to quantum attacks, flexibility for realizing powerful tools like fully homomorphic encryption, and high asymptotic efficiency. Indeed, several works have demonstrated that for basic tasks like encryption and authentication, lattice-based primitives can have performance competitive with (or even surpassing) those based on classical mechanisms like RSA or Diffie-Hellman. However, there still has been relatively little work on developing lattice cryptography for deployment in real-world cryptosystems and protocols. In this work we take a step toward that goal, by giving efficient and practical lattice-based protocols for key transport, encryption, and authenticated key exchange that are suitable as “drop-in” components for proposed Internet standards and other open protocols. The security of all our proposals is provably based (sometimes in the random-oracle model) on the well-studied “learning with errors over rings” problem, and hence on the conjectured worst-case hardness of problems on ideal lattices (against quantum algorithms). One of our main technical innovations (which may be of independent interest) is a simple, low-bandwidth reconciliation technique that allows two parties who “approximately agree” on a secret value to reach exact agreement, a setting common to essentially all lattice-based encryption schemes. Our technique reduces the ciphertext length of prior (already compact) encryption schemes nearly twofold, at essentially no cost.
Efficient Identity-Based Encryption over NTRU Lattices
Cited by 6 (3 self)
Abstract
Efficient implementations of lattice-based cryptographic schemes have been limited to only the most basic primitives like encryption and digital signatures. The main reason for this limitation is that at the core of many advanced lattice primitives is a trapdoor sampling algorithm (Gentry, Peikert, Vaikuntanathan, STOC 2008) that produced outputs that were too long for practical applications. In this work, we show that using a particular distribution over NTRU lattices can make GPV-based schemes suitable for practice. More concretely, we present the first lattice-based IBE scheme with practical parameters – key and ciphertext sizes are between two and four kilobytes, and all encryption and decryption operations take approximately one millisecond on a moderately-powered laptop. As a byproduct, we also obtain digital signature schemes which are shorter than the previously most-compact ones of Ducas, Durmus, Lepoint, and Lyubashevsky from Crypto 2013.