Results 11  20
of
66
Circular and KDM security for identitybased encryption
 In Public Key Cryptography
, 2012
"... We initiate the study of security for keydependent messages (KDM), sometimes also known as “circular ” or “clique ” security, in the setting of identitybased encryption (IBE). Circular/KDM security requires that ciphertexts preserve secrecy even when they encrypt messages that may depend on the se ..."
Abstract

Cited by 12 (3 self)
 Add to MetaCart
We initiate the study of security for keydependent messages (KDM), sometimes also known as “circular ” or “clique ” security, in the setting of identitybased encryption (IBE). Circular/KDM security requires that ciphertexts preserve secrecy even when they encrypt messages that may depend on the secret keys, and arises in natural usage scenarios for IBE. We construct an IBE system that is circular secure for affine functions of users ’ secret keys, based on the learning with errors (LWE) problem (and hence on worstcase lattice problems). The scheme is secure in the standard model, under a natural extension of a selectiveidentity attack. Our three main technical contributions are (1) showing the circular/KDMsecurity of a “dual”style LWE publickey cryptosystem, (2) proving the hardness of a version of the “extended LWE ” problem due to O’Neill, Peikert and Waters (CRYPTO’11), and (3) building an IBE scheme around the dualstyle system using a novel latticebased “allbutd ” trapdoor function. 1
Improvement and Efficient Implementation of a Latticebased Signature Scheme
, 2013
"... Latticebased signature schemes constitute an interesting alternative to RSA and discrete logarithm based systems which may become insecure in the future, for example due to the possibility of quantum attacks. A particularly interesting scheme in this context is the GPV signature scheme [GPV08] comb ..."
Abstract

Cited by 12 (5 self)
 Add to MetaCart
(Show Context)
Latticebased signature schemes constitute an interesting alternative to RSA and discrete logarithm based systems which may become insecure in the future, for example due to the possibility of quantum attacks. A particularly interesting scheme in this context is the GPV signature scheme [GPV08] combined with the trapdoor construction from Micciancio and Peikert [MP12] as it admits strong security proofs and is believed to be very efficient in practice. This paper confirms this belief and shows how to improve the GPV scheme in terms of space and running time and presents an implementation of the optimized scheme. A ring variant of this scheme is also introduced which leads to a more efficient construction. Experimental results show that GPV with the new trapdoor construction is competitive to the signature schemes that are currently used in practice.
Faster bootstrapping with polynomial error
, 2014
"... Bootstrapping is a technique, originally due to Gentry (STOC 2009), for “refreshing” ciphertexts of a somewhat homomorphic encryption scheme so that they can support further homomorphic operations. To date, bootstrapping remains the only known way of obtaining fully homomorphic encryption for arbitr ..."
Abstract

Cited by 10 (2 self)
 Add to MetaCart
Bootstrapping is a technique, originally due to Gentry (STOC 2009), for “refreshing” ciphertexts of a somewhat homomorphic encryption scheme so that they can support further homomorphic operations. To date, bootstrapping remains the only known way of obtaining fully homomorphic encryption for arbitrary unbounded computations. Over the past few years, several works have dramatically improved the efficiency of bootstrapping and the hardness assumptions needed to implement it. Recently, Brakerski and Vaikuntanathan (ITCS 2014) reached the major milestone of a bootstrapping algorithm based on Learning With Errors for polynomial approximation factors. Their method uses the GentrySahaiWaters (GSW) cryptosystem (CRYPTO 2013) in conjunction with Barrington’s “circuit sequentialization” theorem (STOC 1986). This approach, however, results in very large polynomial runtimes and approximation factors. (The approximation factors can be improved, but at even greater costs in runtime and space.) In this work we give a new bootstrapping algorithm whose runtime and associated approximation factor are both small polynomials. Unlike most previous methods, ours implements an elementary and efficient arithmetic procedure, thereby avoiding the inefficiencies inherent to the use of boolean circuits
How to garble arithmetic circuits
 In Symposium on Foundations of Computer Science (FOCS ’11
, 2011
"... Yao’s garbled circuit construction transforms a boolean circuit C: {0, 1} n → {0, 1} m into a “garbled circuit ” Ĉ along with n pairs of kbit keys, one for each input bit, such that Ĉ together with the n keys corresponding to an input x reveal C(x) and no additional information about x. The garbled ..."
Abstract

Cited by 10 (3 self)
 Add to MetaCart
Yao’s garbled circuit construction transforms a boolean circuit C: {0, 1} n → {0, 1} m into a “garbled circuit ” Ĉ along with n pairs of kbit keys, one for each input bit, such that Ĉ together with the n keys corresponding to an input x reveal C(x) and no additional information about x. The garbled circuit construction is a central tool for constantround secure computation and has several other applications. Motivated by these applications, we suggest an efficient arithmetic variant of Yao’s original construction. Our construction transforms an arithmetic circuit C: Zn → Zm over integers from a bounded (but possibly exponential) range into a garbled circuit Ĉ along with n affine functions Li: Z → Zk such that Ĉ together with the n integer vectors Li(xi) reveal C(x) and no additional information about x. The security of our construction relies on the intractability of the learning with errors (LWE) problem. 1
New and improved keyhomomorphic pseudorandom functions. Cryptology ePrint Archive, Report 2014/074
, 2014
"... A keyhomomorphic pseudorandom function (PRF) family {Fs: D → R} allows one to efficiently compute the value Fs+t(x) given Fs(x) and Ft(x). Such functions have many applications, such as distributing the operation of a keydistribution center and updatable symmetric encryption. The only known const ..."
Abstract

Cited by 8 (3 self)
 Add to MetaCart
A keyhomomorphic pseudorandom function (PRF) family {Fs: D → R} allows one to efficiently compute the value Fs+t(x) given Fs(x) and Ft(x). Such functions have many applications, such as distributing the operation of a keydistribution center and updatable symmetric encryption. The only known construction of keyhomomorphic PRFs without random oracles, due to Boneh et al. (CRYPTO 2013), is based on the learning with errors (LWE) problem and hence on worstcase lattice problems. However, the security proof relies on a very strong LWE assumption (i.e., very large approximation factors), and hence has quite inefficient parameter sizes and runtimes. In this work we give new constructions of keyhomomorphic PRFs that are based on much weaker LWE assumptions, are much more efficient in time and space, and are still highly parallel. More specifically, we improve the LWE approximation factor from exponential in the input length to exponential in its logarithm (or less). For input length λ and 2λ security against known lattice algorithms, we improve the key size from λ3 to λ bits, the public parameters from λ6 to λ2 bits, and the runtime from λ7 to λω+1 bit operations (ignoring polylogarithmic factors in λ), where ω ∈ [2, 2.373] is the exponent of matrix multiplication. In addition, we give even more efficient ringLWEbased constructions whose key sizes, public parameters, and incremental runtimes on consecutive inputs are all quasilinear Õ(λ), which is optimal up to polylogarithmic factors. To our knowledge, these are the first lowdepth PRFs (whether key homomorphic or not) enjoying any of these efficiency measures together with nontrivial proofs of 2λ security under any conventional assumption. 1
Tightlysecure signatures from lossy identification schemes
"... In this paper we present three digital signature schemes with tight security reductions. Our first signature scheme is a particularly efficient version of the short exponent discrete log based scheme of Girault et al. (J. of Cryptology 2006). Our scheme has a tight reduction to the decisional Short ..."
Abstract

Cited by 7 (0 self)
 Add to MetaCart
(Show Context)
In this paper we present three digital signature schemes with tight security reductions. Our first signature scheme is a particularly efficient version of the short exponent discrete log based scheme of Girault et al. (J. of Cryptology 2006). Our scheme has a tight reduction to the decisional Short Discrete Logarithm problem, while still maintaining the nontight reduction to the computational version of the problem upon which the original scheme of Girault et al. is based. The second signature scheme we construct is a modification of the scheme of Lyubashevsky (Asiacrypt 2009) that is based on the worstcase hardness of the shortest vector problem in ideal lattices. And the third scheme is a very simple signature scheme that is based directly on the hardness of the Subset Sum problem. We also present a general transformation that converts, what we term lossy identification schemes, into signature schemes with tight security reductions. We believe that this greatly simplifies the task of constructing and proving the security of such signature schemes.
WorstCase to AverageCase Reductions for Module Lattices
"... Abstract. Most latticebased cryptographic schemes are built upon the assumed hardness of the Short Integer Solution (SIS) and Learning With Errors (LWE) problems. Their efficiencies can be drastically improved by switching the hardness assumptions to the more compact RingSIS and RingLWE problems. ..."
Abstract

Cited by 7 (1 self)
 Add to MetaCart
Abstract. Most latticebased cryptographic schemes are built upon the assumed hardness of the Short Integer Solution (SIS) and Learning With Errors (LWE) problems. Their efficiencies can be drastically improved by switching the hardness assumptions to the more compact RingSIS and RingLWE problems. However, this change of hardness assumptions comes along with a possible security weakening: SIS and LWE are known to be at least as hard as standard (worstcase) problems on euclidean lattices, whereas RingSIS and RingLWE are only known to be as hard as their restrictions to special classes of ideal lattices, corresponding to ideals of some polynomial rings. In this work, we define the ModuleSIS and ModuleLWE problems, which bridge SIS with RingSIS, and LWE with RingLWE, respectively. We prove that these averagecase problems are at least as hard as standard lattice problems restricted to module lattices (which themselves generalize arbitrary and ideal lattices). As these new problems enlarge the toolbox of the latticebased cryptographer, they could prove useful for designing new schemes. Importantly, the worstcase to averagecase reductions for the module problems are (qualitatively) sharp, in the sense that there exist converse reductions. This property is not known to hold in the context of RingSIS/RingLWE: Ideal lattice problems could reveal easy without impacting the hardness of RingSIS/RingLWE. 1
IdentityBased (Lossy) Trapdoor Functions and Applications
, 2011
"... We provide the first constructions of identitybased (injective) trapdoor functions. Furthermore, they are lossy. Constructions are given both with pairings (DLIN) and lattices (LWE). Our lossy identitybased trapdoor functions provide an automatic way to realize, in the identitybased setting, many ..."
Abstract

Cited by 7 (2 self)
 Add to MetaCart
(Show Context)
We provide the first constructions of identitybased (injective) trapdoor functions. Furthermore, they are lossy. Constructions are given both with pairings (DLIN) and lattices (LWE). Our lossy identitybased trapdoor functions provide an automatic way to realize, in the identitybased setting, many functionalities previously known only in the publickey setting. In particular we obtain the first deterministic and efficiently searchable IBE schemes and the first hedged IBE schemes, which achieve best possible security in the face of bad randomness. Underlying our constructs is a new definition, of partial lossiness, that may be of broader interest.
Lattice Cryptography for the Internet
, 2014
"... In recent years, latticebased cryptography has been recognized for its many attractive properties, such as strong provable security guarantees and apparent resistance to quantum attacks, flexibility for realizing powerful tools like fully homomorphic encryption, and high asymptotic efficiency. Inde ..."
Abstract

Cited by 6 (1 self)
 Add to MetaCart
(Show Context)
In recent years, latticebased cryptography has been recognized for its many attractive properties, such as strong provable security guarantees and apparent resistance to quantum attacks, flexibility for realizing powerful tools like fully homomorphic encryption, and high asymptotic efficiency. Indeed, several works have demonstrated that for basic tasks like encryption and authentication, latticebased primitives can have performance competitive with (or even surpassing) those based on classical mechanisms like RSA or DiffieHellman. However, there still has been relatively little work on developing lattice cryptography for deployment in realworld cryptosystems and protocols. In this work we take a step toward that goal, by giving efficient and practical latticebased protocols for key transport, encryption, and authenticated key exchange that are suitable as “dropin ” components for proposed Internet standards and other open protocols. The security of all our proposals is provably based (sometimes in the randomoracle model) on the wellstudied “learning with errors over rings” problem, and hence on the conjectured worstcase hardness of problems on ideal lattices (against quantum algorithms). One of our main technical innovations (which may be of independent interest) is a simple, lowbandwidth reconciliation technique that allows two parties who “approximately agree ” on a secret value to reach exact agreement, a setting common to essentially all latticebased encryption schemes. Our technique reduces the ciphertext length of prior (already compact) encryption schemes nearly twofold, at essentially no cost. 1
The Geometry of Lattice Cryptography
, 2012
"... Lattice cryptography is one of the hottest and fastest moving areas in mathematical cryptography today. Interest in lattice cryptographyis due toseveral concurring factors. On thetheoretical side, lattice cryptography is supported by strong worstcase/averagecase security guarantees. On the practic ..."
Abstract

Cited by 5 (1 self)
 Add to MetaCart
(Show Context)
Lattice cryptography is one of the hottest and fastest moving areas in mathematical cryptography today. Interest in lattice cryptographyis due toseveral concurring factors. On thetheoretical side, lattice cryptography is supported by strong worstcase/averagecase security guarantees. On the practical side, lattice cryptography has been shown to be very versatile, leading to an unprecedented variety of applications, from simple (and efficient) hash functions, to complex and powerful public key cryptographic primitives, culminating with the celebrated recent development of fully homomorphic encryption. Still, one important feature of lattice cryptography is simplicity: most cryptographic operations can be implemented using basic arithmetic on small numbers, and many cryptographic constructions hide an intuitive and appealing geometric interpretation in terms of point lattices. So, unlike other areas of mathematical cryptology even a novice can acquire, with modest effort, a good understanding of not only the potential applications, but also the underlying mathematics of lattice cryptography. In these notes, we give an introduction to the mathematical theory of lattices, describe the main tools and techniques used in lattice cryptography, and present an overview of the wide range of cryptographic applications. This material should be accessible to anybody with a minimal background in linear algebra and some familiarity with the computational framework of modern cryptography, but no prior knowledge about point lattices. 1