Results 1-10 of 28

A toolkit for ring-LWE cryptography
In EUROCRYPT, 2013
Cited by 21 (7 self)
Abstract
Recent advances in lattice cryptography, mainly stemming from the development of ring-based primitives such as ring-LWE, have made it possible to design cryptographic schemes whose efficiency is competitive with that of more traditional number-theoretic ones, along with entirely new applications like fully homomorphic encryption. Unfortunately, realizing the full potential of ring-based cryptography has so far been hindered by a lack of practical algorithms and analytical tools for working in this context. As a result, most previous works have focused on very special classes of rings such as power-of-two cyclotomics, which significantly restricts the possible applications. We bridge this gap by introducing a toolkit of fast, modular algorithms and analytical techniques that can be used in a wide variety of ring-based cryptographic applications, particularly those built around ring-LWE. Our techniques yield applications that work in arbitrary cyclotomic rings, with no loss in their underlying worst-case hardness guarantees, and very little loss in computational efficiency, relative to power-of-two cyclotomics. To demonstrate the toolkit's applicability, we develop a few illustrative applications: two variant public-key cryptosystems, and a "somewhat homomorphic" symmetric encryption scheme. Both apply to arbitrary cyclotomics, have tight parameters, and very efficient implementations.
Sampling from discrete Gaussians for lattice-based cryptography on a constrained device
Appl. Algebra Eng. Commun. Comput.
Cited by 15 (0 self)
Abstract
Modern lattice-based public-key cryptosystems require sampling from discrete Gaussian (normal) distributions. The paper surveys algorithms to implement such sampling efficiently, with particular focus on the case of constrained devices with small on-board storage and without access to large numbers of external random bits. We review lattice-based encryption schemes and signature schemes and their requirements for sampling from discrete Gaussians. Finally, we make some remarks on challenges and potential solutions for practical lattice-based cryptography.
Improvement and Efficient Implementation of a Lattice-based Signature Scheme
2013
Cited by 12 (5 self)
Abstract
Lattice-based signature schemes constitute an interesting alternative to RSA and discrete logarithm based systems, which may become insecure in the future, for example due to the possibility of quantum attacks. A particularly interesting scheme in this context is the GPV signature scheme [GPV08] combined with the trapdoor construction from Micciancio and Peikert [MP12], as it admits strong security proofs and is believed to be very efficient in practice. This paper confirms this belief, shows how to improve the GPV scheme in terms of space and running time, and presents an implementation of the optimized scheme. A ring variant of this scheme is also introduced which leads to a more efficient construction. Experimental results show that GPV with the new trapdoor construction is competitive with the signature schemes that are currently used in practice.
Beyond ECDSA and RSA: Lattice-based digital signatures on constrained devices
In DAC '14: Proceedings of the 51st Annual Design Automation Conference
Cited by 5 (2 self)
Abstract
All currently deployed asymmetric cryptography is broken with the advent of powerful quantum computers. We thus have to consider alternative solutions for systems with long-term security requirements (e.g., for long-lasting vehicular and avionic communication infrastructures). In this work we present an efficient implementation of BLISS, a recently proposed, post-quantum secure, and formally analyzed novel lattice-based signature scheme. We show that we can achieve a significant performance of 35.3 and 6 ms for signing and verification, respectively, at a 128-bit security level on an ARM Cortex-M4F microcontroller. This shows that lattice-based cryptography can be efficiently deployed on today's hardware and provides security solutions for many use cases that can even withstand future threats.
On Constrained Implementation of Lattice-based Cryptographic Primitives and Schemes on Smart Cards
2014
Cited by 5 (0 self)
Abstract
Most lattice-based cryptographic schemes with a security proof suffer from large key sizes and heavy computations. This is also true for the simpler case of authentication protocols which are used on smart cards, a very constrained computing environment. Recent progress on ideal lattices has significantly improved the efficiency, and made it possible to implement practical lattice-based cryptography on constrained devices. However, to the best of our knowledge, no previous attempts were made to implement lattice-based schemes on smart cards. In this paper, we provide the results of our implementation of several state-of-the-art lattice-based authentication protocols on smart cards and a microcontroller widely used in smart cards. Our results show that only a few of the proposed lattice-based authentication protocols can be implemented using the limited resources of such constrained devices; however, cutting-edge ones are suitably efficient to be used practically on smart cards. Moreover, we have implemented fast Fourier transform (FFT) and discrete Gaussian sampling with different typical parameter sets, as well as versatile lattice-based public-key encryptions. These results have noticeable points which help to design or optimize lattice-based schemes for constrained devices.
Practical Signatures from the Partial Fourier Recovery Problem
Cited by 4 (0 self)
Abstract
We present PASSSign, a variant of the prior PASS and PASS2 proposals, as a candidate for a practical post-quantum signature scheme. Its hardness is based on the problem of recovering a ring element with small norm from an incomplete description of its Chinese remainder representation. For our particular instantiation, this corresponds to the recovery of a signal with small infinity norm from a limited set of its Fourier coefficients. The key improvement over previous versions of PASS is the introduction of a rejection sampling technique from Lyubashevsky (2009) which assures that transcript distributions are completely decoupled from the keys that generate them. Although the scheme is not supported by a formal security reduction, we present extensive arguments for its security and derive concrete parameters based on the performance of state of the art lattice reduction and enumeration techniques.
Augmented Learning with Errors: The Untapped Potential of the Error Term
Cited by 2 (1 self)
Abstract
The Learning with Errors (LWE) problem has gained a lot of attention in recent years, leading to a series of new cryptographic applications. Specifically, it states that it is hard to distinguish random linear equations disguised by some small error from truly random ones. Interestingly, cryptographic primitives based on LWE often do not exploit the full potential of the error term besides its importance for security. To this end, we introduce a novel LWE-close assumption, namely Augmented Learning with Errors (A-LWE), which allows one to hide auxiliary data injected into the error term by a technique that we call message embedding. In particular, it enables existing cryptosystems to strongly increase the message throughput per ciphertext. We show that A-LWE is for certain instantiations at least as hard as the LWE problem. This inherently leads to new cryptographic constructions providing high data load encryption and customized security properties as required, for instance, in economic environments such as stock markets resp. for financial transactions. The security of those constructions basically stems from the hardness of solving the A-LWE problem. As an application we introduce (among others) the first lattice-based replayable chosen-ciphertext secure encryption scheme from A-LWE.
Simple Lattice Trapdoor Sampling from a Broad Class of Distributions
Cited by 2 (0 self)
Abstract
At the center of many lattice-based constructions is an algorithm that samples a short vector s, satisfying [AAR − HG]s = t mod q where A, AR, H, G are public matrices and R is a trapdoor. Although the algorithm crucially relies on the knowledge of the trapdoor R to perform this sampling efficiently, the distribution it outputs should be independent of R given the public values. We present a new, simple algorithm for performing this task. The main novelty of our sampler is that the distribution of s does not need to be Gaussian, whereas all previous works crucially used the properties of the Gaussian distribution to produce such an s. The advantage of using a non-Gaussian distribution is that we are able to avoid the high-precision arithmetic that is inherent in Gaussian sampling over arbitrary lattices. So while the norm of our output vector s is on the order of n to n times larger (the representation length, though, is only a constant factor larger) than in the samplers of Gentry, Peikert, Vaikuntanathan (STOC 2008) and Micciancio, Peikert (EUROCRYPT 2012), the sampling itself can be done very efficiently. This provides a useful time/output tradeoff for devices with constrained computing power. In addition, we believe that the conceptual simplicity and generality of our algorithm may lead to it finding other applications.
Tesla: Tightly-secure efficient signatures from standard lattices. Cryptology ePrint Archive, Report 2015/XXX
2015
Cited by 1 (0 self)
Abstract
Generally, lattice-based cryptographic primitives offer good performance and allow for strong security reductions. However, the most efficient current lattice-based signature schemes sacrifice (part of their) security to achieve good performance: first, security is based on ideal lattice problems, which might not be as hard as standard lattice problems. Secondly, the security reductions of the most efficient schemes are non-tight; hence, their choices of parameters offer security merely heuristically. Moreover, lattice-based signatures are instantiated for classical adversaries, although they are based on presumably quantum-hard problems. Yet, it is not known how such schemes perform in a post-quantum world. We bridge this gap by proving the lattice-based signature scheme TESLA to be tightly secure based on the learning with errors problem over standard lattices in the random oracle model. As such, we improve the security of the original proposal by Bai and Galbraith (CT-RSA '14) twofold: we tighten the security reduction and we minimize the underlying security assumptions. Remarkably, by enhancing the security we can improve TESLA's performance by a factor of two. Furthermore, we are the first to propose parameters providing a security of 128 bits against both classical and quantum adversaries for a lattice-based signature scheme. Our implementation of TESLA competes well with state-of-the-art lattice-based signatures and SPHINCS (EUROCRYPT '15), the only signature scheme instantiated with quantum-hard parameters thus far.