Candidate Multilinear Maps from Ideal Lattices and Applications
, 2012
Cited by 156 (15 self)
We describe plausible lattice-based constructions with properties that approximate the sought-after multilinear maps in hard-discrete-logarithm groups, and show that some applications of such multilinear maps can be realized using our approximations. The security of our constructions relies on seemingly hard problems in ideal lattices, which can be viewed as extensions of the assumed hardness of the NTRU function.
Sampling from discrete Gaussians for lattice-based cryptography on a constrained device
Appl. Algebra Eng. Commun. Comput.
Cited by 14 (0 self)
Modern lattice-based public-key cryptosystems require sampling from discrete Gaussian (normal) distributions. The paper surveys algorithms to implement such sampling efficiently, with particular focus on the case of constrained devices with small on-board storage and without access to large numbers of external random bits. We review lattice-based encryption schemes and signature schemes and their requirements for sampling from discrete Gaussians. Finally, we make some remarks on challenges and potential solutions for practical lattice-based cryptography.
Attribute-based functional encryption on lattices (Extended Abstract)
, 2012
Cited by 14 (0 self)
We introduce a broad lattice manipulation technique for expressive cryptography, and use it to realize functional encryption for access structures from post-quantum hardness assumptions. Specifically, we build an efficient key-policy attribute-based encryption scheme, and prove its security in the selective sense from learning-with-errors intractability in the standard model.
Learning a zonotope and more: Cryptanalysis of NTRUSign countermeasures
ASIACRYPT ’12
, 2012
Cited by 12 (2 self)
NTRUSign is the most practical lattice signature scheme. Its basic version was broken by Nguyen and Regev in 2006: one can efficiently recover the secret key from about 400 signatures. However, countermeasures have been proposed to repair the scheme, such as the perturbation used in NTRUSign standardization proposals, and the deformation proposed by Hu et al. at IEEE Trans. Inform. Theory in 2008. These two countermeasures were claimed to prevent the NR attack. Surprisingly, we show that these two claims are incorrect by revisiting the NR gradient-descent attack: the attack is more powerful than previously expected, and actually breaks both countermeasures in practice, e.g. 8,000 signatures suffice to break NTRUSign-251 with one perturbation as submitted to IEEE P1363 in 2003. More precisely, we explain why the Nguyen-Regev algorithm for learning a parallelepiped is heuristically able to learn more complex objects, such as zonotopes and deformed parallelepipeds.
Efficient Identity-Based Encryption over NTRU Lattices
Cited by 7 (3 self)
Efficient implementations of lattice-based cryptographic schemes have been limited to only the most basic primitives like encryption and digital signatures. The main reason for this limitation is that at the core of many advanced lattice primitives is a trapdoor sampling algorithm (Gentry, Peikert, Vaikuntanathan, STOC 2008) that produced outputs that were too long for practical applications. In this work, we show that using a particular distribution over NTRU lattices can make GPV-based schemes suitable for practice. More concretely, we present the first lattice-based IBE scheme with practical parameters – key and ciphertext sizes are between two and four kilobytes, and all encryption and decryption operations take approximately one millisecond on a moderately powered laptop. As a by-product, we also obtain digital signature schemes which are shorter than the previously most compact ones of Ducas, Durmus, Lepoint, and Lyubashevsky from Crypto 2013.
High Precision Discrete Gaussian Sampling on
Cited by 7 (3 self)
Lattice-based public key cryptography often requires sampling from discrete Gaussian distributions. In this paper we present an efficient hardware implementation of a discrete Gaussian sampler with high precision and large tail bound based on the Knuth-Yao algorithm. The Knuth-Yao algorithm is chosen since it requires a minimal number of random bits and is well suited for high precision sampling. We propose a novel implementation of this algorithm based on an efficient traversal of the discrete distribution generating (DDG) tree. Furthermore, we propose optimization techniques to store the probabilities of the sample points in near-optimal space. Our implementation targets the Gaussian distribution parameters typically used in LWE encryption schemes and has maximum statistical distance of 2^-90 to a true discrete Gaussian distribution. For these parameters, our implementation on the Xilinx Virtex V platform results in a sampler architecture that only consumes 47 slices and has a delay of 3ns.
Discrete Ziggurat: A Time-Memory Trade-off for Sampling from a Gaussian Distribution over the Integers
Cited by 6 (0 self)
Several lattice-based cryptosystems require to sample from a discrete Gaussian distribution over the integers. Existing methods to sample from such a distribution either need large amounts of memory or they are very slow. In this paper we explore a different method that allows for a flexible time-memory trade-off, offering developers freedom in choosing how much space they can spare to store precomputed values. We prove that the generated distribution is close enough to a discrete Gaussian to be used in lattice-based cryptography. Moreover, we report on an implementation of the method and compare its performance to existing methods from the literature. We show that for large standard deviations, the Ziggurat algorithm outperforms all existing methods.
A hybrid Gaussian sampler for lattices over rings. Cryptology ePrint Archive, Report 2015/660
, 2015
Cited by 3 (1 self)
Gaussian sampling over lattices is a cornerstone of lattice-based cryptography as it allows to build numerous cryptographic primitives. There are two main algorithms performing this task. The first one is due to Klein (SODA 2000) and Gentry, Peikert and Vaikuntanathan (STOC 2008), and outputs vectors of good quality but runs rather slowly, in quadratic time. The second one is due to Peikert (CRYPTO 2010) and outputs vectors of slightly worse quality, but can be made to run in quasi-linear time in the ring setting. We present a Gaussian sampler optimized for lattices over the ring of integers of a cyclotomic number field. At a high level it works as Klein's sampler but uses an efficient variant of Peikert's sampler as a subroutine. The result is a new sampler that samples vectors with a quality close to Klein's sampler and achieves the same quasi-linear complexity as Peikert's sampler. In practice, we get close to the best of both worlds.
Compact and Side Channel Secure Discrete Gaussian Sampling
Cited by 1 (1 self)
Discrete Gaussian sampling is an integral part of many lattice-based cryptosystems such as public-key encryption, digital signature schemes and homomorphic encryption schemes. In this paper we propose a compact and fast Knuth-Yao sampler for sampling from a narrow discrete Gaussian distribution with very high precision. The designed samplers have a maximum statistical distance of 2^-90 to a true discrete Gaussian distribution. In this paper we investigate various optimization techniques to achieve minimum area and cycle requirement. For the standard deviation 3.33, the most area-optimal implementation of the bit-scan operation based Knuth-Yao sampler consumes 30 slices on the Xilinx Virtex 5 FPGAs, and requires on average 17 cycles to generate a sample. We improve the speed of the sampler by using a precomputed table that directly maps the initial random bits into samples with very high probability. The fast sampler consumes 35 slices and spends on average 2.5 cycles to generate a sample. However, the sampler architectures are not secure against timing and power analysis based attacks. In this paper we propose a random shuffle method to protect the Gaussian distributed polynomial against such attacks. The side-channel attack resistant sampler architecture consumes 52 slices and spends on average 420 cycles to generate a polynomial of 256 coefficients.
A Decade of Lattice Cryptography
, 2016
Cited by 1 (0 self)
Lattice-based cryptography is the use of conjectured hard problems on point lattices in R^n as the foundation for secure cryptographic constructions. Attractive features of lattice cryptography include: apparent resistance to quantum attacks (in contrast with most number-theoretic cryptography), high asymptotic efficiency and parallelism, security under worst-case intractability assumptions, and solutions to long-standing open problems in cryptography. This work surveys most of the major developments in lattice cryptography over the past ten years. The main focus is on the foundational short integer solution (SIS) and learning with errors (LWE) problems (and their more efficient ring-based variants), their provable hardness assuming the worst-case intractability of