Results 1-10 of 21
Pseudorandom Functions and Lattices
2011
Cited by 35 (10 self)
We give direct constructions of pseudorandom function (PRF) families based on conjectured hard lattice problems and learning problems. Our constructions are asymptotically efficient and highly parallelizable in a practical sense, i.e., they can be computed by simple, relatively small low-depth arithmetic or boolean circuits (e.g., in NC^1 or even TC^0). In addition, they are the first low-depth PRFs that have no known attack by efficient quantum algorithms. Central to our results is a new “derandomization” technique for the learning with errors (LWE) problem which, in effect, generates the error terms deterministically.

1 Introduction and Main Results
The past few years have seen significant progress in constructing public-key, identity-based, and homomorphic cryptographic schemes using lattices, e.g., [Reg05, PW08, GPV08, Gen09, CHKP10, ABB10a] and many more. Part of their appeal stems from provable worst-case hardness guarantees (starting with the seminal work of Ajtai [Ajt96]), good asymptotic efficiency and parallelism, and apparent resistance to quantum
Subspace LWE
Cited by 10 (1 self)
The (decisional) learning with errors problem (LWE) asks to distinguish “noisy” inner products of a secret vector with random vectors from uniform. In recent years, the LWE problem has found many applications in cryptography. In this paper we introduce (seemingly) much stronger adaptive assumptions, called “subspace LWE” (SLWE), where the adversary can learn the inner product of the secret and random vectors after they were projected into an adaptively and adversarially chosen subspace. We prove that SLWE mapping into subspaces of dimension d is almost as hard as LWE using secrets of length d. We discuss some applications of the new subspace LWE problem to related-key attacks and to cryptosystems using weak random sources. In subsequent work the main result from this paper was used to construct new cryptosystems like efficient MACs whose security can be reduced to the LPN problem (LPN is LWE over a field of size 2.)
Decoding by Embedding: Correct Decoding Radius and DMT Optimality
2013
Cited by 9 (1 self)
The closest vector problem (CVP) and shortest (nonzero) vector problem (SVP) are the core algorithmic problems on Euclidean lattices. They are central to the applications of lattices in many problems of communications and cryptography. Kannan’s embedding technique is a powerful technique for solving the approximate CVP, yet its remarkable practical performance is not well understood. In this paper, the embedding technique is analyzed from a bounded distance decoding (BDD) viewpoint. We present two complementary analyses of the embedding technique: We establish a reduction from BDD to Hermite SVP (via unique SVP), which can be used along with any Hermite SVP solver (including, among others, the Lenstra, Lenstra and Lovász (LLL) algorithm), and show that, in the special case of LLL, it performs at least as well as Babai’s nearest plane algorithm (LLL-aided SIC). The former analysis helps to explain the folklore practical observation that unique SVP is easier than standard approximate SVP. It is proven that when the LLL algorithm is employed, the embedding technique can solve the CVP provided that the noise norm is smaller than a decoding radius λ_1/(2γ), where λ_1 is the minimum distance of the lattice, and γ ≈ O(2^{n/4}). This substantially improves the previously best known correct decoding bound γ ≈ O(2^n). Focusing on the applications of BDD to decoding of multiple-input multiple-output (MIMO) systems, we also prove that BDD of the regularized lattice is optimal in terms of the diversity-multiplexing gain tradeoff (DMT), and propose practical variants of embedding decoding which require no knowledge of the minimum distance of the lattice and/or further improve the error performance.
Index Terms: closest vector problem, lattice decoding, lattice reduction, MIMO systems, shortest vector problem
Lapin: An Efficient Authentication Protocol Based on Ring-LPN
Cited by 8 (1 self)
We propose a new authentication protocol that is provably secure based on a ring variant of the learning parity with noise (LPN) problem. The protocol follows the design principle of the LPN-based protocol from Eurocrypt’11 (Kiltz et al.), and like it, is a two-round protocol secure against active attacks. Moreover, our protocol has small communication complexity and a very small footprint which makes it applicable in scenarios that involve low-cost, resource-constrained devices. Performance-wise, our protocol is more efficient than previous LPN-based schemes, such as the many variants of the Hopper-Blum (HB) protocol and the aforementioned protocol from Eurocrypt’11. Our implementation results show that it is even comparable to the standard challenge-and-response protocols based on the AES block cipher. Our basic protocol is roughly 20 times slower than AES, but with the advantage of having 10 times smaller code size. Furthermore, if a few hundred bytes of non-volatile memory are available to allow the storage of some offline precomputations, then the online phase of our protocols is only twice as slow as AES.
Worst-Case to Average-Case Reductions for Module Lattices
Cited by 6 (1 self)
Most lattice-based cryptographic schemes are built upon the assumed hardness of the Short Integer Solution (SIS) and Learning With Errors (LWE) problems. Their efficiencies can be drastically improved by switching the hardness assumptions to the more compact Ring-SIS and Ring-LWE problems. However, this change of hardness assumptions comes along with a possible security weakening: SIS and LWE are known to be at least as hard as standard (worst-case) problems on Euclidean lattices, whereas Ring-SIS and Ring-LWE are only known to be as hard as their restrictions to special classes of ideal lattices, corresponding to ideals of some polynomial rings. In this work, we define the Module-SIS and Module-LWE problems, which bridge SIS with Ring-SIS, and LWE with Ring-LWE, respectively. We prove that these average-case problems are at least as hard as standard lattice problems restricted to module lattices (which themselves generalize arbitrary and ideal lattices). As these new problems enlarge the toolbox of the lattice-based cryptographer, they could prove useful for designing new schemes. Importantly, the worst-case to average-case reductions for the module problems are (qualitatively) sharp, in the sense that there exist converse reductions. This property is not known to hold in the context of Ring-SIS/Ring-LWE: Ideal lattice problems could prove easy without impacting the hardness of Ring-SIS/Ring-LWE.
Never trust a bunny
Cited by 6 (0 self)
“Lapin” is a new RFID authentication protocol proposed at FSE 2012. “Ring-LPN” (Ring-Learning-Parity-with-Noise) is a new computational problem proposed in the same paper; there is a proof relating the security of Lapin to the difficulty of Ring-LPN. This paper presents an attack against Ring-LPN-512 and Lapin-512. The attack is not practical but nevertheless violates specific security claims in the FSE 2012 paper.
Man-in-the-Middle Secure Authentication Schemes from LPN and Weak PRFs
Cited by 5 (0 self)
We show how to construct, from any weak pseudorandom function, a 3-round symmetric-key authentication protocol that is secure against man-in-the-middle attacks. The construction is very efficient, requiring both the secret key and communication size to be only 3n bits long. Our techniques also extend to certain classes of randomized weak-PRFs, chiefly among which are those based on the classical LPN problem and its more efficient variants such as Toeplitz-LPN and Ring-LPN. Building a man-in-the-middle secure authentication scheme from any weak-PRF resolves a problem left open by Dodis et al. (Eurocrypt 2012), while building a man-in-the-middle secure scheme based on any variant of the LPN problem solves the main open question in a long line of research aimed at constructing a practical lightweight authentication scheme based on learning problems, which began with the work of Hopper and Blum (Asiacrypt 2001).
Embedding hard learning problems into gaussian space
In RANDOM, 2014
Cited by 3 (0 self)
We give the first representation-independent hardness result for agnostically learning halfspaces with respect to the Gaussian distribution. We reduce from the problem of learning sparse parities with noise with respect to the uniform distribution on the hypercube (sparse LPN), a notoriously hard problem in computer science, and show that any algorithm for agnostically learning halfspaces requires nΩ(log (1/)) time, ruling out a polynomial time algorithm for the problem. As far as we are aware, this is the first representation-independent hardness result for supervised learning when the underlying distribution is restricted to be a Gaussian. We also show that the problem of agnostically learning sparse polynomials with respect to the Gaussian distribution in polynomial time is as hard as PAC learning DNFs on the uniform distribution in polynomial time. This complements the surprising result of [APVZ14] who show that sparse polynomials are learnable under random Gaussian noise in polynomial time. Taken together, these results show the inherent difficulty of designing supervised learning algorithms in Euclidean space even in the presence of strong distributional assumptions. Our results use a novel embedding of random labeled examples from the uniform distribution on the Boolean hypercube into random labeled examples from the Gaussian distribution that allows us to relate the hardness of learning problems on two different domains and distributions.
Hardness of decision (R)LWE for any modulus
2012
Cited by 2 (0 self)
The decision Learning With Errors problem has proven an extremely flexible foundation for devising provably secure cryptographic primitives. LWE can be expressed in terms of linear algebra over Z/qZ. This modulus q is the subject of study of the present work. When q is prime and small, or when it is exponential and composite with small factors, LWE is known to be at least as hard as standard worst-case problems over Euclidean lattices (sometimes using quantum reductions). The Ring Learning With Errors problem is a structured variant of LWE allowing for more compact keys and more efficient primitives. It is known to be at least as hard as standard worst-case problems restricted to so-called ideal lattices, but under even more restrictive arithmetic conditions on q. In this work, we prove that the arithmetic form of the modulus q is irrelevant to the computational hardness of LWE and R-LWE. More precisely, we show that these problems are at least as hard as standard worst-case problems on lattices, under the unique condition that q is of polynomial bit-size. This result is most useful for adapting LWE-based cryptographic constructions to the R-LWE setting. Among others, this allows us to derive the first Identity-Based Encryption scheme of quasi-optimal performance proven secure under standard worst-case lattice assumptions, in the standard model. Other applications include authentication, functional encryption and traitor tracing.