TESLA: Tightly-secure efficient signatures from standard lattices. Cryptology ePrint Archive, Report 2015/XXX, 2015
Cited by 1 (0 self)
Abstract. Generally, lattice-based cryptographic primitives offer good performance and allow for strong security reductions. However, the most efficient current lattice-based signature schemes sacrifice (part of their) security to achieve good performance: first, security is based on ideal lattice problems, which might not be as hard as standard lattice problems. Secondly, the security reductions of the most efficient schemes are non-tight; hence, their choices of parameters offer security merely heuristically. Moreover, lattice-based signatures are instantiated for classical adversaries, although they are based on presumably quantum-hard problems. Yet, it is not known how such schemes perform in a post-quantum world. We bridge this gap by proving the lattice-based signature scheme TESLA to be tightly secure based on the learning with errors problem over standard lattices in the random oracle model. As such, we improve the security of the original proposal by Bai and Galbraith (CT-RSA'14) twofold: we tighten the security reduction and we minimize the underlying security assumptions. Remarkably, by enhancing the security we can improve TESLA's performance by a factor of two. Furthermore, we are the first to propose parameters providing a security of 128 bits against both classical and quantum adversaries for a lattice-based signature scheme. Our implementation of TESLA competes well with state-of-the-art lattice-based signatures and SPHINCS (EUROCRYPT'15), the only signature scheme instantiated with quantum-hard parameters thus far.
On the Asymptotic Complexity of Solving LWE
Abstract. We provide for the first time an asymptotic comparison of all known algorithms for the search version of the Learning with Errors (LWE) problem. This includes an analysis of several lattice-based approaches as well as the combinatorial BKW algorithm. Our analysis of the lattice-based approaches defines a general framework, in which the algorithms of Babai, Lindner-Peikert and several pruning strategies appear as special cases. We show that within this framework, all lattice algorithms achieve the same asymptotic complexity. For the BKW algorithm, we present a refined analysis for the case of only a polynomial number of samples via amplification, which allows for a fair comparison with lattice-based approaches. Somewhat surprisingly, such a small number of samples does not make the asymptotic complexity significantly inferior, but only affects the constant in the exponent. As the main result we obtain that both lattice-based techniques and BKW with a polynomial number of samples achieve running time 2^{O(n)} for n-dimensional LWE, where we make the constant hidden in the big-O notation explicit as a simple and easy-to-handle function of all LWE parameters. In the lattice case this function also depends on the time to compute a BKZ lattice basis with block size Θ(n). Thus, from a theoretical perspective our analysis reveals how LWE's complexity changes as a function of the LWE parameters, and from a practical perspective our analysis is a useful tool to choose LWE parameters resistant to all known attacks.
How to Use SNARKs in Universally Composable Protocols
The past several years have seen tremendous advances in practical, general-purpose, non-interactive proof systems called SNARKs. These building blocks are efficient and convenient, with multiple publicly available implementations, including tools to compile high-level code (e.g., written in C) to arithmetic circuits, the native representation used by SNARK constructions. However, while we would like to use these primitives in UC-secure protocols—which are provably secure even when composed with other arbitrary concurrently-executing protocols—the SNARK definition is not directly compatible with this framework, due to its use of non-black-box knowledge extraction. We show several constructions to transform SNARKs into UC-secure NIZKs, along with benchmarks and an end-to-end application example showing that the added overhead is tolerable. Our constructions rely on embedding cryptographic algorithms into the SNARK proof system. Ordinarily, cryptographic constructions are chosen and tuned for implementation on CPUs or in hardware, not as arithmetic circuits. We therefore also explore SNARK-friendly cryptography, describing several protocol parameterizations, implementations, and performance comparisons for encryption, commitments, and other tasks. This is also of independent interest for use in other SNARK-based applications.