Faster Gaussian lattice sampling using lazy floating-point arithmetic
Full version of the ASIACRYPT ’12 article, 2013
Cited by 17 (1 self)
Many lattice cryptographic primitives require an efficient algorithm to sample lattice points according to some Gaussian distribution. All algorithms known for this task require long-integer arithmetic at some point, which may be problematic in practice. We study how much lattice sampling can be sped up using floating-point arithmetic. First, we show that a direct floating-point implementation of these algorithms does not give any asymptotic speedup: the floating-point precision needs to be greater than the security parameter, leading to an overall complexity Õ(n^3) where n is the lattice dimension. However, we introduce a laziness technique that can significantly speed up these algorithms. Namely, in certain cases such as NTRUSign lattices, laziness can decrease the complexity to Õ(n^2) or even Õ(n). Furthermore, our analysis is practical: for typical parameters, most of the floating-point operations only require the double-precision IEEE standard.
Random Oracles in a Quantum World
Cited by 15 (3 self)
The interest in post-quantum cryptography — classical systems that remain secure in the presence of a quantum adversary — has generated elegant proposals for new cryptosystems. Some of these systems are set in the random oracle model and are proven secure relative to adversaries that have classical access to the random oracle. We argue that to prove post-quantum security one needs to prove security in the quantum-accessible random oracle model where the adversary can query the random oracle with quantum state. We begin by separating the classical and quantum-accessible random oracle models by presenting a scheme that is secure when the adversary is given classical access to the random oracle, but is insecure when the adversary can make quantum oracle queries. We then set out to develop generic conditions under which a classical random oracle proof implies security in the quantum-accessible random oracle model. We introduce the concept of a history-free reduction, which is a category of classical random oracle reductions that basically determine oracle answers independently of the history of previous queries, and we prove that such reductions imply security in the quantum model. We then show that certain post-quantum proposals, including ones based on lattices, can be proven secure using history-free reductions and are therefore post-quantum secure. We conclude with a rich set of open problems in this area.
Trapdoors for lattices: Simpler, tighter, faster, smaller
In EUROCRYPT, 2012
Cited by 12 (3 self)
We give new methods for generating and using “strong trapdoors” in cryptographic lattices, which are simultaneously simple, efficient, easy to implement (even in parallel), and asymptotically optimal with very small hidden constants. Our methods involve a new kind of trapdoor, and include specialized algorithms for inverting LWE, randomly sampling SIS preimages, and securely delegating trapdoors. These tasks were previously the main bottleneck for a wide range of cryptographic schemes, and our techniques substantially improve upon the prior ones, both in terms of practical performance and quality of the produced outputs. Moreover, the simple structure of the new trapdoor and associated algorithms can be exposed in applications, leading to further simplifications and efficiency improvements. We exemplify the applicability of our methods with new digital signature schemes and CCA-secure encryption schemes, which have better efficiency and security than the previously known lattice-based constructions.
Subspace LWE
Cited by 11 (1 self)
The (decisional) learning with errors problem (LWE) asks to distinguish “noisy” inner products of a secret vector with random vectors from uniform. In recent years, the LWE problem has found many applications in cryptography. In this paper we introduce (seemingly) much stronger adaptive assumptions, called “subspace LWE” (SLWE), where the adversary can learn the inner product of the secret and random vectors after they were projected into an adaptively and adversarially chosen subspace. We prove that SLWE mapping into subspaces of dimension d is almost as hard as LWE using secrets of length d. We discuss some applications of the new subspace LWE problem to related-key attacks and to cryptosystems using weak random sources. In subsequent work the main result from this paper was used to construct new cryptosystems like efficient MACs whose security can be reduced to the LPN problem (LPN is LWE over a field of size 2).
Identity-Based (Lossy) Trapdoor Functions and Applications
2011
Cited by 7 (2 self)
We provide the first constructions of identity-based (injective) trapdoor functions. Furthermore, they are lossy. Constructions are given both with pairings (DLIN) and lattices (LWE). Our lossy identity-based trapdoor functions provide an automatic way to realize, in the identity-based setting, many functionalities previously known only in the public-key setting. In particular we obtain the first deterministic and efficiently searchable IBE schemes and the first hedged IBE schemes, which achieve best possible security in the face of bad randomness. Underlying our constructs is a new definition, of partial lossiness, that may be of broader interest.
Function private functional encryption and property preserving encryption: New de and positive results. Cryptology ePrint Archive, Report 2013/744
2013
Cited by 6 (1 self)
This work furthers the exploration of meaningful definitions for security of Functional Encryption. We propose new simulation based definitions for function privacy in addition to data privacy and study their achievability. In addition, we improve efficiency / underlying assumptions / security achieved by existing inner product Functional Encryption and Property Preserving Encryption schemes, in both the private and public key setting. Our results can be summarized as follows:
• We present a new simulation based definition, which we call RelaxADSIM, that lies between simulation based (SIM) and indistinguishability based (IND) definitions for data privacy, and implies the function privacy definition of [BRS13a]. Our definition relaxes the requirements on the simulator to bypass impossibility of SIM in the standard model. We show that the inner product FE scheme of [KSW08] enjoys RelaxADSIM security for function hiding and the inner product FE scheme of [LOS+10] enjoys RelaxADSIM security for data hiding.
• We study whether known impossibilities for achieving strong SIM based security imply actual real world attacks. For this, we present a new UC-style SIM based definition of security that captures both data and function hiding, both public key and symmetric key settings and represents the
The Geometry of Lattice Cryptography
2012
Cited by 5 (1 self)
Lattice cryptography is one of the hottest and fastest moving areas in mathematical cryptography today. Interest in lattice cryptography is due to several concurring factors. On the theoretical side, lattice cryptography is supported by strong worst-case/average-case security guarantees. On the practical side, lattice cryptography has been shown to be very versatile, leading to an unprecedented variety of applications, from simple (and efficient) hash functions, to complex and powerful public key cryptographic primitives, culminating with the celebrated recent development of fully homomorphic encryption. Still, one important feature of lattice cryptography is simplicity: most cryptographic operations can be implemented using basic arithmetic on small numbers, and many cryptographic constructions hide an intuitive and appealing geometric interpretation in terms of point lattices. So, unlike other areas of mathematical cryptology, even a novice can acquire, with modest effort, a good understanding of not only the potential applications, but also the underlying mathematics of lattice cryptography. In these notes, we give an introduction to the mathematical theory of lattices, describe the main tools and techniques used in lattice cryptography, and present an overview of the wide range of cryptographic applications. This material should be accessible to anybody with a minimal background in linear algebra and some familiarity with the computational framework of modern cryptography, but no prior knowledge about point lattices.
Fuzzy identity based encryption from lattices. IACR Cryptology ePrint Archive
2011
Cited by 5 (1 self)
Cryptosystems based on the hardness of lattice problems have recently acquired much importance due to their average-case to worst-case equivalence, their conjectured resistance to quantum cryptanalysis, their ease of implementation and increasing practicality, and, lately, their promising potential as a platform for constructing advanced functionalities. In this work, we construct “Fuzzy” Identity Based Encryption from the hardness of the standard Learning With Errors (LWE) problem. We give CPA and CCA secure variants of our construction, for small and large universes of attributes. All are secure against selective-identity attacks in the standard model. Our construction is made possible by observing certain special properties that secret sharing schemes need to satisfy in order to be useful for Fuzzy IBE. We discuss why further extensions are not as easy as they may seem. As such, ours is among the first examples of an advanced-functionality cryptosystem from lattices that goes “beyond IBE”.
Revocable identity-based encryption from lattices
Cited by 4 (1 self)
In this paper, we present an identity-based encryption (IBE) scheme from lattices with efficient key revocation. We adopt multiple trapdoors from the Agrawal-Boneh-Boyen and Gentry-Peikert-Vaikuntanathan lattice IBE schemes to realize key revocation, which in turn makes use of a binary-tree data structure. Using our scheme, key update requires logarithmic complexity in the maximal number of users and linear in the number of revoked users for the relevant key authority. We prove that our scheme is selectively secure in the standard model under the LWE assumption, which is as hard as the worst-case approximation of short vectors on arbitrary lattices. Moreover, our key revocation techniques from lattices can be applied to obtain revocable functional encryption schemes in a similar setting.