### Citations

3528 | New directions in cryptography
- Diffie, Hellman
- 2003
Citation Context: ... Lattice cryptography has many attractive features, some of which we now describe. Conjectured security against quantum attacks. Most number-theoretic cryptography, such as the Diffie-Hellman protocol [DH76] and RSA cryptosystem [RSA78], relies on the conjectured hardness of the integer factorization or discrete logarithm problems (in some cases, on elliptic curves). However, Shor [Sho97] gave efficient ...

1742 | Identity-based encryption from the Weil pairing, in: Joe Kilian (Ed
- Boneh, Franklin
- 2001
Citation Context: ...s are the only known IBEs that are conjectured to be secure against quantum attacks; all others are based on the quadratic residuosity assumption (e.g., [Coc01, BGH07]) or on bilinear pairings (e.g., [BF01]). The main idea behind the GPV IBE is that instead of users generating their own Gaussian-distributed secret keys $\mathbf{x} \in \mathbb{Z}^m$ and corresponding public keys $\mathbf{u} = f_{\mathbf{A}}(\mathbf{x}) = \mathbf{A}\mathbf{x} \in \mathbb{Z}_q^n$, a public key is merely th...

1636 | Random oracles are practical: A paradigm for designing efficient protocols
- Bellare, Rogaway
- 1993
Citation Context: ...ficient methods [FO99a, FO99b] for converting any IND-CPA-secure public-key encryption scheme into an IND-CCA-secure one. However, their construction and analysis relies on the random-oracle heuristic [BR93], which is not sound in general (see, e.g., [CGH98]). Recently, an instantiation of the Fujisaki-Okamoto transformation for a particular compact ring-LWE-based cryptosystem was described in [Pei14]. I...

1379 | Probabilistic encryption
- Goldwasser, Micali
- 1984
Citation Context: ...c key, then decrypting the resulting ciphertext using the secret key yields the original message (perhaps with all but negligible probability). A standard notion of security, called semantic security [GM82]—or more formally, indistinguishability under chosen-plaintext attack (IND-CPA)—considers the following experiment, which is parameterized by a bit b ∈ {0, 1}: generate a public/secret key pair, and g...

1019 | How to prove yourself: Practical solutions to identification and signature problems
- Fiat, Shamir
- 1986
Citation Context: ...nature as inspiration, the remaining works adhere to the following template: first design an appropriate kind of public-coin, interactive identification protocol, then apply the Fiat-Shamir heuristic [FS86] to convert it to a noninteractive signature scheme in the random-oracle model. Recall that the Fiat-Shamir heuristic is a generic transformation that replaces the verifier’s random challenge(s) with ...

744 | How to construct random functions
- Goldreich, Goldwasser, et al.
- 1986
Citation Context: ...g and verification times are competitive with (or even better than) those of RSA-2048. 5.7 Pseudorandom Functions Pseudorandom functions (PRFs), introduced by Goldreich, Goldwasser, and Micali (GGM) [GGM84], are a cornerstone of symmetric-key cryptography. A PRF family is a set $\mathcal{F} = \{F_s : D \to R\}$ of functions indexed by an index s, usually called the secret key or seed, mapping a common finite domain to a...

658 | Fully homomorphic encryption using ideal lattices
- Gentry

520 | Attribute-based encryption for fine-grained access control of encrypted data
- Goyal, Pandey, et al.
- 2006
Citation Context: ...o the bits of an identity, and a predicate is an equality test with a particular identity.) Many ABE schemes have been devised based on cryptographic groups admitting bilinear pairings, starting from [GPSW06]. Soon after the identity-based lattice encryption schemes of [GPV08, CHKP10, ABB10], generalizations of these systems to the attribute-based setting emerged. 6.2.1 ABE for Inner-Product Predicates A ...

308 | On Lovász’ lattice reduction and the nearest lattice point problem
- Babai
- 1986
Citation Context: ...ard. Using a sufficiently short trapdoor basis S for L, one can efficiently invert the function using a standard lattice decoding algorithm, such as naïve rounding or Babai’s nearest-plane algorithm [Bab85]. For example, the rounding algorithm, given t = v + e, simply outputs $\lfloor \mathbf{t}^t \cdot \mathbf{S} \rceil \cdot \mathbf{S}^{-1} = \lfloor (\mathbf{v}^t + \mathbf{e}^t) \cdot \mathbf{S} \rceil \cdot \mathbf{S}^{-1} = \mathbf{v}^t + \lfloor \mathbf{e}^t \cdot \mathbf{S} \rceil \cdot \mathbf{S}^{-1}$, where the second equality holds because $\mathbf{v}^t \cdot \mathbf{S}$ is integral, since v...

289 | The Random Oracle Methodology, Revisited
- Canetti, Goldreich, et al.
- 1998
Citation Context: ...IND-CPA-secure public-key encryption scheme into an IND-CCA-secure one. However, their construction and analysis relies on the random-oracle heuristic [BR93], which is not sound in general (see, e.g., [CGH98]). Recently, an instantiation of the Fujisaki-Okamoto transformation for a particular compact ring-LWE-based cryptosystem was described in [Pei14]. In the rest of this subsection we describe two relat...

282 | An identity based encryption scheme based on quadratic residues
- Cocks
- 2001

270 | Bounded-width polynomial-size branching programs recognize exactly those languages in NC
- Barrington
- 1989
Citation Context: ...multiplying a sequence of permutation matrices (or more generally, orthonormal integer matrices), where each matrix is encrypted entry-wise. The second main idea is that by using Barrington’s Theorem [Bar86], any depth-d circuit can be converted into a length-$4^d$ branching program of permutation matrices. In particular, the O(log λ)-depth decryption circuit can be computed homomorphically in polynomial ti...

246 | A public-key cryptosystem with worst case/average case equivalence
- Ajtai, Dwork
- 1997
Citation Context: ...he worst case. Both SIS and Ajtai’s function are still heavily used to this day in cryptographic applications; we recall them in detail in Section 4.1. In a subsequent work from 1997, Ajtai and Dwork [AD97] gave a lattice-based public-key encryption scheme. (See also [AD07].) Because all lattice-based encryption schemes inherit the basic template of this system, we describe it in some detail here. At th...

209 | A sieve algorithm for the shortest lattice vector problem
- Ajtai, Kumar, et al.
Citation Context: ...d appear to be intractable, except for very large approximation factors. Known polynomial-time algorithms like the one of Lenstra, Lenstra, and Lovász [LLL82] and its descendants (e.g., [Sch87] with [AKS01] as a subroutine) obtain only slightly subexponential approximation factors $\gamma = 2^{\Theta(n \log\log n / \log n)}$ for the above problems and others. Known algorithms that obtain polynomial poly(n) or better approx...

207 | A fully homomorphic encryption scheme
- Gentry
- 2009

206 | Secure integration of asymmetric and symmetric encryption schemes
- Fujisaki, Okamoto
- 1999

203 | NTRU: A Ring-Based Public Key Cryptosystem
- Hoffstein, Pipher, et al.
- 1998
Citation Context: ... consisting mainly of linear operations on vectors and matrices modulo relatively small integers. Moreover, constructions based on “algebraic” lattices over certain rings, e.g., the NTRU cryptosystem [HPS98], can be especially efficient, and in some cases even outperform more traditional systems by a significant margin. Strong security guarantees from worst-case hardness. Cryptography inherently requires...

192 | Generating hard instances of lattice problems.
- Ajtai
- 2004
Citation Context: ...n turn out to be easier on the average, especially for distributions that produce instances having some extra “structure,” e.g., the existence of a secret key for decryption. In a seminal work, Ajtai [Ajt96] gave a remarkable connection between the worst case and the average case for lattices: he proved that certain problems are hard on the average (for cryptographically useful distributions), as long as...

189 | Trapdoors for hard lattices and new cryptographic constructions
- Gentry, Peikert, et al.
- 2008
Citation Context: ...nd independent of A. Therefore, the procedure is a form of randomized self-reduction for both the search and decision forms of LWE. 5.2.2 Dual LWE Encryption Gentry, Peikert, and Vaikuntanathan (GPV) [GPV08] defined an LWE-based public-key encryption scheme which can be viewed as “dual” to the above-described ones of Regev [Reg05] and Peikert et al. [PVW08]. The systems are duals in the following sense: ...

170 | Candidate indistinguishability obfuscation and functional encryption for all circuits.
- Garg, Gentry, et al.
- 2013

156 | Candidate multilinear maps from ideal lattices
- Garg, Gentry, et al.
- 2013

147 | Public-key cryptosystems from lattice reduction problems
- Goldreich, Goldwasser, et al.
- 1997
Citation Context: ....4. 3.3 Goldreich-Goldwasser-Halevi Encryption and Signatures Inspired by Ajtai’s seminal work [Ajt96] along with the McEliece code-based cryptosystem [McE78], Goldreich, Goldwasser, and Halevi (GGH) [GGH97] proposed a public-key encryption scheme and digital signature scheme based on lattice problems. Unlike the works of Ajtai and Ajtai-Dwork [AD97], the GGH proposals did not come with any worst-case se...

142 | The shortest vector problem in L2 is NP-hard for randomized reductions
- Ajtai

131 | Implementing Gentry’s fully-homomorphic encryption scheme
- Gentry, Halevi
- 2011
Citation Context: ...(log λ) depth, so it suffices for cs to have some $\lambda^{-O(\log \lambda)}$ error rate. Because bootstrapping involves the homomorphic evaluation of a somewhat complex function, it is not very efficient (see, e.g., [GH11b]). However, bootstrapping has been intensively studied and improved in various ways [GH11a, BGV12], culminating in ring-LWE-based methods that run in only polylogarithmic Õ(1) time per encrypted bit ...

123 | Bonsai trees, or how to delegate a lattice basis
- Cash, Hofheinz, et al.
- 2010
Citation Context: ...ely sample from the discrete Gaussian $D_{\mathcal{L}^{\perp}_{\mathbf{y}}(\mathbf{A}), s}$ using the algorithm from Theorem 5.4.2 (or any other suitable algorithm). Extending and randomizing short bases. Cash, Hofheinz, Kiltz, and Peikert [CHKP10] demonstrated additional useful features of lattice trapdoors, namely, that they can be extended and re-randomized. These properties were used to construct digital signature and IBE schemes without ra...

117 | Efficient fully homomorphic encryption from (standard) LWE
- Brakerski, Vaikuntanathan
Citation Context: ...here is a secret s such that every $a_i \cdot s + b_i = e_i \pmod q$ for some short $e_i \in R$. This interpretation often makes it possible to adapt cryptographic constructions from one problem to the other (e.g., [BV11b] and [LTV12]). Ring-LWE is at least as hard as NTRU. Here we sketch a proof that ring-LWE is at least as hard as the NTRU learning problem, for appropriate parameters. (Although the proof strategy is ...

110 | New bounds in some transference theorems in the geometry of numbers.
- Banaszczyk
- 1993

105 | Cryptographic primitives based on hard learning problems
- Blum, Furst, et al.
- 1993
Citation Context: ... some polynomial blowup in the number m of samples). Originally, this search-decision equivalence applied only to polynomially bounded prime moduli q = poly(n), generalizing an earlier proof for q = 2 [BFKL93]. Subsequently, however, it has been improved to hold for essentially any modulus [Pei09, ACPS09, MM11, MP12, BLP+13], i.e., even exponentially large composite ones. 4.2.3 Cryptosystem In [Reg05], Reg...

99 | On the limits of nonapproximability of lattice problems.
- Goldreich, Goldwasser
- 2000

98 | Efficient lattice (H)IBE in the standard model
- Agrawal, Boneh, et al.
- 2010
Citation Context: ... one of [Pei09] based on injective TDFs, but with more compact, algebraic “tagged” functions, similar to those originally used in [PW08]. Here the tagged functions are obtained using a technique from [ABB10], which was originally developed in the context of identity-based encryption. See Sections 5.4.3 and 5.5 below for more details. 5.4 Lattice Trapdoors Informally, a trapdoor function is a function tha...

97 | Lattice Reduction
- Nguyen, Stern

92 | How to enhance the security of public key encryption at minimum cost
- Fujisaki, Okamoto
- 1999

84 | Computing arbitrary functions of encrypted data
- Gentry
Citation Context: ...analysis; • the 2010 survey by Regev [Reg10] on the learning with errors (LWE) problem, its worst-case hardness, and some early applications; • the overviews of fully homomorphic encryption by Gentry [Gen10a] and Vaikuntanathan [Vai11]; • videos from the 2012 Bar-Ilan Winter School on Lattice Cryptography and Applications [Bar12]; • other surveys, books, and course notes [NS01, MG02, Reg04, Mic14] on comp...

73 | (Leveled) fully homomorphic encryption without bootstrapping
- Brakerski, Gentry, et al.
- 2012
Citation Context: ...lus q, namely, that cyclotomics are Galois over the rationals, and that q splits into the product of distinct small-norm prime ideals in R. 4.4.3 Generalizations Brakerski, Gentry, and Vaikuntanathan [BGV12] introduced a generalized ring-LWE problem (R-GLWE), which essentially interpolates between LWE and ring-LWE: the secret is a vector $\vec{s} \in R_q^k$ of ring elements, and GLWE samples are of the form $(\vec{a}, b)$...

71 | Fully homomorphic encryption from ring-LWE and security for key dependent messages
- Brakerski, Vaikuntanathan

70 | Fully homomorphic encryption without modulus switching from classical GapSVP.
- Brakerski
- 2012
Citation Context: ...′Z. In the FHE context, the above rounding also preserves the encrypted message, when the ciphertext is in most-significant bit form (i.e., $\langle \mathbf{s}, \mathbf{c} \rangle \approx \mu \cdot \lfloor q/2 \rceil \pmod q$). We also mention that Brakerski [Bra12] gave an alternative “scale invariant” method of homomorphic multiplication that increases the error rate by only a fixed poly(n) factor, regardless of the absolute error of the input ciphertexts. Usi...

69 | Functional signatures and pseudorandom functions.
- Boyle, Goldwasser, et al.
- 2014

69 | Constrained pseudorandom functions and their applications.
- Boneh, Waters
- 2013

68 | Generating shorter bases for hard random lattices
- Alwen, Peikert
- 2009

65 | Lattice attacks on NTRU
- Coppersmith, Shamir
- 1997
Citation Context: ...hstood significant cryptanalytic efforts when appropriately parameterized. (Note that early parameterizations were a bit too compact, and were shown to have insufficient concrete security; see, e.g., [CS97].) Unlike Ajtai-Dwork and its ilk, however, there is relatively little theoretical understanding of the NTRU cryptosystem and its associated average-case computational problems. In particular, there i...

64 | Fast Cryptographic Primitives and Circular-Secure Encryption Based on Hard Learning Problems.
- Applebaum, Cash, et al.
- 2009

64 | Generating Hard Instances of the Short Basis Problem
- Ajtai
- 1999
Citation Context: ...enerate lattices from Ajtai’s worst-case-hard family of q-ary SIS lattices (Equation (4.1.2)), so we lack evidence that these methods yield hard-on-average problems, which we need for security. Ajtai [Ajt99] addressed this gap by showing how to generate a random lattice from the SIS family along with a relatively short basis. Later works [AP09, MP12] simplified and improved this method to obtain nearly o...

64 | Fully homomorphic encryption with polylog overhead.
- Gentry, Halevi, et al.
- 2012

61 | Fully homomorphic encryption over the integers with shorter public keys
- Coron, Mandal, et al.
- 2011

59 | BKZ 2.0: Better lattice security estimates.
- Chen, Nguyen
- 2011

56 | More on average case vs approximation complexity
- Alekhnovich
- 2003
Citation Context: ...ller than those in the above LWE-based schemes by a factor of about log q, which is around ten or more for typical choices of parameters. This system adapts the code-based cryptosystem of Alekhnovich [Ale03] and the subset-sum-based cryptosystem of Lyubashevsky, Palacio, and Segev [LPS10], and their security proof strategies, to LWE. In particular, and in contrast to the systems described above, both the...

56 | Practical multilinear maps over the integers
- Coron, Lepoint, et al.

55 | Homomorphic encryption from learning with errors: conceptually-simpler, asymptotically-faster, attribute-based
- Gentry, Sahai, et al.
- 2013
Citation Context: ...ks known. So to date, all unbounded FHE schemes require an additional assumption of circular security for the secret key. 6.1.3 Third-Generation FHE In 2013, Gentry, Sahai, and Waters (hereafter GSW) [GSW13] proposed an interesting LWE-based FHE scheme that has some unique and advantageous properties. For example, homomorphic multiplication does not require any key-switching step, and the scheme can be m...

52 | Space-efficient identity based encryption without pairings
- Boneh, Gentry, et al.
- 2007

49 | NTRUSign: Digital signatures using the NTRU lattice. Preliminary draft 2, http://www.ntru.com/NTRUFTPDocsFolder/NTRUSign_v2.pdf
- Hoffstein, Howgrave-Graham, Whyte, et al.

43 | Classical hardness of learning with errors
- Brakerski, Langlois, et al.
- 2013

42 | Attribute-based encryption for circuits.
- Gorbunov, Vaikuntanathan, et al.
- 2013
Citation Context: ...6.2.2 ABE for Arbitrary Circuits In prior works on ABE from bilinear pairings, the class of supported predicates was somewhat limited, to boolean formulas. A work of Gorbunov, Vaikuntanathan, and Wee [GVW13] constructed from LWE an ABE for arbitrary predicates expressed as circuits of any a priori bounded depth, which is set at system setup. In this system, the secret key for a predicate grows proportion...

39 | Functional encryption for inner product predicates from learning with errors. Cryptology
- Agrawal, Freeman, et al.
- 2011
Citation Context: ...emerged. 6.2.1 ABE for Inner-Product Predicates A first example of ABE from lattices is a system for inner-product predicates over (large) finite fields $\mathbb{F}$, due to Agrawal, Freeman, and Vaikuntanathan [AFV11], with improvements by Xagawa [Xag13]. The construction inherits from the HIBE of [ABB10] described in Section 5.5.3, but key generation and decryption for a predicate involve linearly homomorphic ope...

39 | New algorithms for learning in presence of errors.
- Arora, Ge
- 2011
Citation Context: ...val. Such distributions are algorithmically much easier to sample than Gaussians, and so may be more suitable in practical implementations. Another motivation is an algorithmic attack of Arora and Ge [AG11], which shows that for errors that come from a domain of size d, it is possible to solve LWE in time and space roughly $2^{d^2}$, provided that the attacker is given sufficiently many LWE samples. Althoug...

39 | Linearly homomorphic signatures over binary fields and new tools for lattice-based signatures, in Public Key Cryptography–PKC
- Boneh, Freeman
- 2011

38 | Lattice mixing and vanishing trapdoors: A framework for fully secure short signatures and
- Boyen
- 2010
Citation Context: ...end of Section 5.2.1. Signatures. The above puncturing technique yields a rather compact (H)IBE, but by itself it does not work for signatures due to the “all but one” nature of the puncturing. Boyen [Boy10] adapted the technique to signatures, improving upon [CHKP10] in the bit length of the signatures themselves, though still with a public key that contains a linear number of parity-check matrices. Rec...

35 | Pseudorandom functions and lattices
- Banerjee, Peikert, et al.
Citation Context: ...ates the good parallelism inherent to LWE. This motivates the search for alternative constructions of lattice-based PRGs and PRFs. Learning With Rounding. Banerjee, Peikert, and Rosen (hereafter BPR) [BPR12] constructed more efficient PRGs and the first non-generic PRFs from lattice problems, namely, LWE. Their first contribution is a problem called learning with rounding (LWR), which is essentially a “d...

34 | Toward basing fully homomorphic encryption on worst-case hardness.
- Gentry
- 2010

33 | Inequalities for convex bodies and polar reciprocal lattices
- Banaszczyk
- 1996

32 | Public key compression and modulus switching for fully homomorphic encryption over the integers
- Coron, Naccache, et al.
- 2012

31 | Cryptanalysis of the multilinear map over the integers. Cryptology ePrint Archive, Report 2014/906, 2014. http://eprint.iacr.org
- Cheon, Han, et al.

31 | Fully homomorphic encryption without squashing using depth-3 arithmetic circuits
- Gentry, Halevi
- 2011

28 | Practical lattice-based cryptography: A signature scheme for embedded systems
- Güneysu, Lyubashevsky, et al.
Citation Context: ...tance ε. Practical implementations. Using several additional optimizations and engineering tricks, a programmable hardware (FPGA) implementation of the scheme with unimodal Gaussians was presented in [GLP12]. For an estimated security level of about 80 bits, its public and secret keys are respectively about 12 and 2 kilobits, and signatures are about 9 kilobits. A software implementation of the ring-base...

27 | Lattice problems in NP ∩ coNP.
- Aharonov, Regev
- 2005

24 | Foundations of Cryptography, volume
- Goldreich
- 2004

23 | Lattice signatures and bimodal Gaussians.
- Ducas, Durmus, et al.
- 2013
Citation Context: ...ameter proportional to (an upper bound on) $\|\mathbf{X}\mathbf{c}\|$. This ensures that the discrete Gaussians centered at zero and at $\mathbf{X}\mathbf{c}$ have sufficient overlap. A further refinement of this idea uses “bimodal” Gaussians [DDLL13], essentially by letting the prover randomly choose between $\pm \mathbf{X}\mathbf{c}$. This yields slightly more overlap, and allows the Gaussian parameter of y to be reduced by roughly a $\sqrt{\log(1/\varepsilon)}$ factor, for statistical...

23 | Lattice enumeration using extreme pruning.
- Gama, Nguyen, et al.
- 2010

22 | Public-key encryption schemes with auxiliary inputs
- Dodis, Goldwasser, et al.
- 2009

19 | Fully key-homomorphic encryption, arithmetic circuit ABE and compact garbled circuits.
- Boneh, Gentry, et al.
- 2014

19 | Better bootstrapping in fully homomorphic encryption, in Public Key Cryptography—PKC
- Gentry, Halevi, et al.
- 2012

17 | Faster Gaussian Lattice Sampling Using Lazy Floating-Point Arithmetic
- Ducas, Nguyen
- 2012
Citation Context: ...e largest singular value (or spectral norm) of S. Therefore, the final Gaussian parameter of the sampler is proportional to $s_1(\mathbf{S})$, rather than $\|\tilde{\mathbf{S}}\|$ as in Theorem 5.4.2. Subsequently, Ducas and Nguyen [DN12a] gave a technique that optimizes (up to logarithmic factors) the asymptotic average-case runtime of the randomized nearest-plane algorithm, and the offline phase of Peikert’s convolutional sampler, us...

14 | Lattice-based FHE as secure as PKE.
- Brakerski, Vaikuntanathan
- 2014
Citation Context: ... example, the binary NAND operation, which is sufficient for expressing arbitrary computations, can be written as $(x_1 \text{ NAND } x_2) = 1 - x_1 x_2$. Bootstrapping. As first shown by Brakerski and Vaikuntanathan [BV14], the asymmetric and quasiadditive growth of the trapdoor matrices under homomorphic multiplication allows certain computations—in particular, decryption for the purpose of bootstrapping—to be perform...

14 | Graph-induced multilinear maps from lattices
- Gentry, Gorbunov, et al.

13 | Representing hard lattices with O(n log n) bits
- Ajtai
- 2005
Citation Context: ...er “close to” or “far from” the subspace orthogonal to (−s, 1). Using the secret s, one can decrypt by distinguishing between the two cases. Semantic security follows by considering a thought exper... (Footnote 5: It is not clear how to implement such sharing for [AD97, Reg03], and while Ajtai [Ajt05] later gave a different style of cryptosystem that does permit sharing, no worst-case security proof is known for it.)

13 | Robustness of the Learning with Errors Assumption
- Goldwasser, Kalai, et al.
Citation Context: ...ll error terms. Robustness. LWE is a very “robust” problem, in the sense that it remains hard even if the attacker learns extra information about the secret and errors. For example, Goldwasser et al. [GKPV10] showed that LWE with “weak” secrets—i.e., where the adversary learns some bounded information about, or a hard-to-invert function of, the secret—remains as hard as LWE with “perfect” secrets, althoug...

12 | Circular and KDM security for identity-based encryption
- Alperin-Sheriff, Peikert

12 | Learning a zonotope and more: Cryptanalysis of NTRUSign countermeasures
- Ducas, Nguyen
- 2012
Citation Context: ... substantially less linear, because it involves two unrelated lattice bases. However, the ideas of [NR06] were extended to also break this variant, both asymptotically [MPSW09, Wan10] and in practice [DN12b]. 3.4 Micciancio’s Compact One-Way Function Inspired by the design ideas and efficiency of NTRU, in work published in 2002, Micciancio [Mic02] modified Ajtai’s one-way/collision-resistant function fro...

10 | Learning with rounding, revisited: new reduction, properties and applications
- Alwen, Krenn, et al.
Citation Context: ..., it seems likely that LWR is hard for much smaller ratios q/p (where p divides q to avoid rounding bias), though no proof based on worst-case lattice problems is yet known. We note that Alwen et al. [AKPW13] obtained partial results in this direction for a bounded number m of LWR samples, where the ratio q/p and the underlying LWE error rate depend on m. These results suffice for the security of certain ...

10 | Practical bootstrapping in quasilinear time
- Alperin-Sheriff, Peikert
- 2013

10 | Faster bootstrapping with polynomial error
- Alperin-Sheriff, Peikert
- 2014
Citation Context: ...)-depth decryption circuit can be computed homomorphically in polynomial time and with polynomial error growth, albeit for rather large polynomials. The subsequent work of Alperin-Sheriff and Peikert [AP14] significantly improved the runtime and growth to small polynomials, by avoiding Barrington’s Theorem and instead expressing decryption as an arithmetic function that can be embedded directly into per...

10 | Key homomorphic PRFs and their applications
- Boneh, Lewi, et al.
- 2013
Citation Context: ... practical instantiation and software implementation of the above construction’s ring-based analogue was given in [BBL+14]. 5.7.2 Key-Homomorphic PRFs Following [BPR12], Boneh et al. (hereafter BLMR) [BLMR13] gave the first standard-model constructions of key homomorphic PRFs (KH-PRFs), using lattices/LWE. (Previously, the only constructions of KH-PRFs were in the random-oracle model [NPR99].) A KH-PRF fa...

8 | New and improved key-homomorphic pseudorandom functions
- Banerjee, Peikert
- 2014
Citation Context: ...es with secret s into those of the form described above. (The same idea has been used in many other works and contexts, such as [BV11b, MP12, BLP+13, GSW13].) Following [BLMR13], Banerjee and Peikert [BP14] gave key-homomorphic PRFs from substantially weaker LWE assumptions, e.g., error rates of only $\alpha = n^{-\Omega(\log \ell)}$ or even $\alpha = n^{-\omega(1)}$, which yields better key sizes and runtimes. For example, the key size...

8 | Cryptanalysis of GGH map. Cryptology ePrint Archive, Report 2015/301
- Hu, Jia
- 2015

7 | Identity-based (lossy) trapdoor functions and applications
- Bellare, Kiltz, et al.
- 2012

7 | Leveled fully homomorphic signatures from standard lattices
- Gorbunov, Vaikuntanathan, et al.
- 2015
Citation Context: ...ional ideas, yielding a system that evaluates a complete “bootstrapped NAND gate” in less than a second on standard desktop hardware. Fully homomorphic signatures. Gorbunov, Vaikuntanathan, and Wichs [GVW15b] showed how homomorphic trapdoors can also be used to obtain fully homomorphic signatures (FHS). The precise model and security goals for FHS are beyond the scope of this survey, but the basic idea is...

6 | The first and fourth public-key cryptosystems with worst-case/average-case equivalence
- Ajtai, Dwork
Citation Context: ...to this day in cryptographic applications; we recall them in detail in Section 4.1. In a subsequent work from 1997, Ajtai and Dwork [AD97] gave a lattice-based public-key encryption scheme. (See also [AD07].) Because all lattice-based encryption schemes inherit the basic template of this system, we describe it in some detail here. At the highest level, Ajtai and Dwork give two main results: first, they ...

6 | Ring-LWE in polynomial rings
- Ducas, Durmus
- 2012
Citation Context: ... terms of computation, applications, analysis, etc., because the tweak is reversible; see, e.g., [LPR13, AP13] for details. (We mention that an alternative way of replacing $R^{\vee}$ with R was described in [DD12], but it incurs some computational and analytical losses, because it is not reversible.) The decision version of the R-LWE problem is to distinguish between ring-LWE samples and uniformly random ones....

6 | Improved short lattice signatures in the standard model
- Ducas, Micciancio
- 2014
Citation Context: ...gnatures, improving upon [CHKP10] in the bit length of the signatures themselves, though still with a public key that contains a linear number of parity-check matrices. Recently, Ducas and Micciancio [DM14] gave a variant that reduced the number of matrices in the public key to only logarithmic. Shortly thereafter, Alperin-Sheriff [Alp15] reduced the number of matrices to only a constant, but at the cos...

5 | Solving the shortest vector problem in $2^n$ time via discrete Gaussian sampling
- Aggarwal, Dadush, et al.

5 | Cryptanalysis of the multilinear map on the ideal lattices. http://eprint.iacr.org/2015/461
- Cheon, Lee

5 | Lossy codes and a new variant of the learning-with-errors problem
- Döttling, Müller-Quade
- 2013
Citation Context: ...nd error rate, even if one reveals one or more linear relations (over the integers) on the secret and error. Alternative errors and small parameters. In independent works, Döttling and Müller-Quade [DM13] and Micciancio and Peikert [MP13] also considered LWE with non-Gaussian and potentially small errors, e.g., uniform over an interval. Such distributions are algorithmically much easier to sample than...

4 | Zeroizing Without Low-Level Zeroes: New MMAP Attacks and Their Limitations
- Coron, Gentry, et al.

4 | Field switching in BGV-style homomorphic encryption
- Gentry, Halevi, et al.

3 | Key-homomorphic constrained pseudorandom functions
- Banerjee, Fuchsbauer, et al.

3 | A hybrid Gaussian sampler for lattices over rings. Cryptology ePrint Archive, Report 2015/660, 2015. http://eprint.iacr.org/2015/660
- Ducas, Prest
Citation Context: ...at the vectors they produce are longer by a factor up to linear in the lattice dimension, which corresponds to worse security (and thus larger keys to compensate). Also very recently, Ducas and Prest [DP15] investigated a “hybrid” of the nearest-plane and convolutional discrete Gaussian samplers for lattices defined over rings (e.g., NTRU lattices). They showed that the hybrid approach can simultaneousl...

3 | Predicate encryption for circuits from LWE
- Gorbunov, Vaikuntanathan, et al.
Citation Context: ...pending on whether the challenge is LWE-distributed or uniform, respectively. Predicate encryption. We conclude this chapter by mentioning that a very recent work of Gorbunov, Vaikuntanathan, and Wee [GVW15a] constructs predicate encryption (PE) based on the LWE assumption. In brief, predicate encryption is a strengthening of attribute-based encryption in which the attributes associated with a ciphertext ...

2 | SPRING: Fast pseudorandom functions from rounded ring products
- Banerjee, Brenner, et al.
- 2014

2 | Constrained key-homomorphic PRFs from standard lattice assumptions, or: How to secretly embed a circuit in your PRF
- Brakerski, Vaikuntanathan
- 2015
Citation Context: ...hic and attribute-based encryption [BV14, BGG+14, AP14], as described next in Chapter 6. Finally, we mention that recent independent works of Banerjee et al. [BFP+15] and Brakerski and Vaikuntanathan [BV15] generalized the construction of [BP14] in different ways to give key-homomorphic constrained PRFs. Constrained PRFs, introduced in the concurrent and independent works [KPTZ13, BW13, BGI14], allow fo...

2 | FHEW: Bootstrapping homomorphic encryption in less than a second
- Ducas, Micciancio
- 2015
Citation Context: ...growth to small polynomials, by avoiding Barrington’s Theorem and instead expressing decryption as an arithmetic function that can be embedded directly into permutation matrices. Ducas and Micciancio [DM15] devised and implemented a version of this method incorporating additional ideas, yielding a system that evaluates a complete “bootstrapped NAND gate” in less than a second on standard desktop hardwar...

1 | Short signatures with short public keys from homomorphic trapdoor functions
- Alperin-Sheriff
- 2015
Citation Context: ...ar number of parity-check matrices. Recently, Ducas and Micciancio [DM14] gave a variant that reduced the number of matrices in the public key to only logarithmic. Shortly thereafter, Alperin-Sheriff [Alp15] reduced the number of matrices to only a constant, but at the cost of a substantially larger norm bound for the underlying SIS problem. 5.6 Signatures Without Trapdoors A separate line of research on...