Results 1 
9 of
9
A toolkit for ringLWE cryptography
 In EUROCRYPT
, 2013
"... Recent advances in lattice cryptography, mainly stemming from the development of ringbased primitives such as ringLWE, have made it possible to design cryptographic schemes whose efficiency is competitive with that of more traditional numbertheoretic ones, along with entirely new applications lik ..."
Abstract

Cited by 3 (2 self)
 Add to MetaCart
Recent advances in lattice cryptography, mainly stemming from the development of ringbased primitives such as ringLWE, have made it possible to design cryptographic schemes whose efficiency is competitive with that of more traditional numbertheoretic ones, along with entirely new applications like fully homomorphic encryption. Unfortunately, realizing the full potential of ringbased cryptography has so far been hindered by a lack of practical algorithms and analytical tools for working in this context. As a result, most previous works have focused on very special classes of rings such as poweroftwo cyclotomics, which significantly restricts the possible applications. We bridge this gap by introducing a toolkit of fast, modular algorithms and analytical techniques that can be used in a wide variety of ringbased cryptographic applications, particularly those built around ringLWE. Our techniques yield applications that work in arbitrary cyclotomic rings, with no loss in their underlying worstcase hardness guarantees, and very little loss in computational efficiency, relative to poweroftwo cyclotomics. To demonstrate the toolkit’s applicability, we develop a few illustrative applications: two variant publickey cryptosystems, and a “somewhat homomorphic ” symmetric encryption scheme. Both apply to arbitrary cyclotomics, have tight parameters, and very efficient implementations. 1
Message Authentication, Revisited
, 2012
"... Traditionally, symmetrickeymessage authentication codes (MACs) are easily built from pseudorandom functions (PRFs). In this work we propose a wide variety of other approaches to building efficient MACs, without going through a PRF first. In particular, unlike deterministic PRFbased MACs, where eac ..."
Abstract

Cited by 2 (0 self)
 Add to MetaCart
Traditionally, symmetrickeymessage authentication codes (MACs) are easily built from pseudorandom functions (PRFs). In this work we propose a wide variety of other approaches to building efficient MACs, without going through a PRF first. In particular, unlike deterministic PRFbased MACs, where each message has a unique valid tag, we give a number of probabilistic MAC constructions from various other primitives/assumptions. Our main results are summarized as follows: • We showseveralnew probabilisticMAC constructionsfromavarietyofgeneralassumptions, including CCAsecure encryption, Hash Proof Systems and keyhomomorphic weak PRFs. By instantiating these frameworks under concrete number theoretic assumptions, we get several schemes which are more efficient than just using a stateoftheart PRF instantiation under the corresponding assumption. For example, we obtain elegant DDHbased MACs with much shorter keys than the quadraticsized key of the NaorReingold PRF. We also show that several natural (probabilistic) digital signature schemes, such as those by BonehBoyen and Waters, can be significantly optimized when “downgraded ” into a MAC, both in
Practical Bootstrapping in Quasilinear Time
, 2013
"... Gentry’s “bootstrapping ” technique (STOC 2009) constructs a fully homomorphic encryption (FHE) scheme from a “somewhat homomorphic ” one that is powerful enough to evaluate its own decryption function. To date, it remains the only known way of obtaining unbounded FHE. Unfortunately, bootstrapping i ..."
Abstract

Cited by 2 (0 self)
 Add to MetaCart
Gentry’s “bootstrapping ” technique (STOC 2009) constructs a fully homomorphic encryption (FHE) scheme from a “somewhat homomorphic ” one that is powerful enough to evaluate its own decryption function. To date, it remains the only known way of obtaining unbounded FHE. Unfortunately, bootstrapping is computationally very expensive, despite the great deal of effort that has been spent on improving its efficiency. The current state of the art, due to Gentry, Halevi, and Smart (PKC 2012), is able to bootstrap “packed ” ciphertexts (which encrypt up to a linear number of bits) in time only quasilinear Õ(λ) = λ · log O(1) λ in the security parameter. While this performance is asymptotically optimal up to logarithmic factors, the practical import is less clear: the procedure composes multiple layers of expensive and complex operations, to the point where it appears very difficult to implement, and its concrete runtime appears worse than those of prior methods (all of which have quadratic or larger asymptotic runtimes). In this work we give simple, practical, and entirely algebraic algorithms for bootstrapping in quasilinear time, for both “packed ” and “nonpacked ” ciphertexts. Our methods are easy to implement (especially in the nonpacked case), and we believe that they will be substantially more efficient in practice than all prior realizations of bootstrapping. One of our main techniques is a substantial enhancement of the
Hardness Preserving Constructions of Pseudorandom Functions
"... Abstract. We show a hardnesspreserving construction of a PRF from any length doubling PRG which improves upon known constructions whenever we can put a nontrivial upper bound q on the number of queries to the PRF. Our construction requires only O(logq) invocations to the underlying PRG with each q ..."
Abstract

Cited by 1 (0 self)
 Add to MetaCart
Abstract. We show a hardnesspreserving construction of a PRF from any length doubling PRG which improves upon known constructions whenever we can put a nontrivial upper bound q on the number of queries to the PRF. Our construction requires only O(logq) invocations to the underlying PRG with each query. In comparison, the number of invocations bythe best previoushardnesspreservingconstruction (GGM using Levin’s trick) is logarithmic in the hardness of the PRG. For example, starting from an exponentially secure PRG {0,1} n ↦→ {0,1} 2n, we get a PRF which is exponentially secure if queried at most q = exp ( √ n) times and where each invocation of the PRF requires Θ ( √ n) queries to the underlying PRG. This is much less than the Θ(n) required by known constructions. 1
Improvement and Efficient Implementation of a Latticebased Signature Scheme
, 2013
"... Latticebased signature schemes constitute an interesting alternative to RSA and discrete logarithm based systems which may become insecure in the future, for example due to the possibility of quantum attacks. A particularly interesting scheme in this context is the GPV signature scheme [GPV08] comb ..."
Abstract

Cited by 1 (1 self)
 Add to MetaCart
Latticebased signature schemes constitute an interesting alternative to RSA and discrete logarithm based systems which may become insecure in the future, for example due to the possibility of quantum attacks. A particularly interesting scheme in this context is the GPV signature scheme [GPV08] combined with the trapdoor construction from Micciancio and Peikert [MP12] as it admits strong security proofs and is believed to be very efficient in practice. This paper confirms this belief and shows how to improve the GPV scheme in terms of space and running time and presents an implementation of the optimized scheme. A ring variant of this scheme is also introduced which leads to a more efficient construction. Experimental results show that GPV with the new trapdoor construction is competitive to the signature schemes that are currently used in practice.
Deterministic Public Key Encryption and IdentityBased Encryption from Lattices in the AuxiliaryInput Setting ⋆
"... Abstract. Deterministic public key encryption (DPKE) provides an alternative to randomized public key encryption in various scenarios (e.g. search on encrypted data) where the latter exhibits inherent drawbacks. In CRYPTO’11, Brakerski and Segev formalized a framework for studying the security of d ..."
Abstract
 Add to MetaCart
Abstract. Deterministic public key encryption (DPKE) provides an alternative to randomized public key encryption in various scenarios (e.g. search on encrypted data) where the latter exhibits inherent drawbacks. In CRYPTO’11, Brakerski and Segev formalized a framework for studying the security of deterministic public key encryption schemes with respect to auxiliary inputs. A trivial requirement is that the plaintext should not be efficiently recoverable from the auxiliary inputs. In this paper, we present an efficient deterministic public key encryption scheme in the auxiliaryinput setting from lattices. The public key size, ciphertext size and ciphertext expansion factor are improved compared with the scheme proposed by Brakerski and Segev. Our scheme is also secure even in the multiuser setting where related messages may be encrypted under multiple public keys. In addition, the security of our scheme is based on the hardness of the learning with errors (LWE) problem which remains hard even for quantum algorithms. Furthermore, we consider deterministic identitybased public key encryption (DIBE) in the auxiliaryinput setting. The only known DIBE scheme (without considering auxiliary inputs) in the standard model was proposed by Bellare et al. in EUROCRYPT’12. However, this scheme is only secure in the selective security setting, and Bellare et al. identified it as an open problem to construct adaptively secure DIBE schemes. The second contribution of this work is to propose a DIBE scheme from lattices that is adaptively secure.
Hardness of SIS and LWE with Small Parameters
, 2013
"... The Short Integer Solution (SIS) and Learning With Errors (LWE) problems are the foundations for countless applications in latticebased cryptography, and are provably as hard as approximate lattice problems in the worst case. A important question from both a practical and theoretical perspective is ..."
Abstract
 Add to MetaCart
The Short Integer Solution (SIS) and Learning With Errors (LWE) problems are the foundations for countless applications in latticebased cryptography, and are provably as hard as approximate lattice problems in the worst case. A important question from both a practical and theoretical perspective is how small their parameters can be made, while preserving their hardness. We prove two main results on SIS and LWE with small parameters. For SIS, we show that the problem retains its hardness for moduli q ≥ β · n δ for any constant δ> 0, where β is the bound on the Euclidean norm of the solution. This improves upon prior results which required q ≥ β · √ n log n, and is essentially optimal since the problem is trivially easy for q ≤ β. For LWE, we show that it remains hard even when the errors are small (e.g., uniformly random from {0, 1}), provided that the number of samples is small enough (e.g., linear in the dimension n of the LWE secret). Prior results required the errors to have magnitude at least √ n and to come from a Gaussianlike distribution. 1
Sampling Discrete Gaussians Efficiently and Obliviously
"... In this work we construct an algorithm for sampling Discrete Gaussians efficiently and obliviously. Previously discrete Gaussian samplers have been constructed in [GPV08, Pei10], where the algorithms take as input a “high quality ” basis and produce an output whose quality depends on the input basis ..."
Abstract
 Add to MetaCart
In this work we construct an algorithm for sampling Discrete Gaussians efficiently and obliviously. Previously discrete Gaussian samplers have been constructed in [GPV08, Pei10], where the algorithms take as input a “high quality ” basis and produce an output whose quality depends on the input basis quality. Our algorithm produces a discrete Gaussian of somewhat worse quality than [GPV08, Pei10] but with the advantage that it does not require access to an explicit description of the underlying lattice, for example it suffices for our purposes to have encryptions of lattice vectors under an additively homomorphic encryption scheme. At the heart of our work is the fundamental question how do sums of discrete Gaussians behave? Unlike their continuous counterparts, discrete Gaussians are not that well understood. We believe that our work fills in some important gaps of this understanding. Our results are already important in enabling the exciting new work on multilinear maps [GGH12], and since the questions we resolve arise naturally, we believe that our work will find application in other areas as well. The second and third authors were supported by the Intelligence Advanced Research Projects Activity
Bootstrapping Obfuscators via Fast Pseudorandom Functions
, 2013
"... We show that it is possible to upgrade an obfuscator for a weak complexity class WEAK into an obfuscator for arbitrary polynomial size circuits, assuming that the class WEAK can compute pseudorandom functions. Specifically, under standard intractability assumptions (e.g., hardness of factoring, Deci ..."
Abstract
 Add to MetaCart
We show that it is possible to upgrade an obfuscator for a weak complexity class WEAK into an obfuscator for arbitrary polynomial size circuits, assuming that the class WEAK can compute pseudorandom functions. Specifically, under standard intractability assumptions (e.g., hardness of factoring, Decisional DiffieHellman, or Learning with Errors), the existence of obfuscators for NC 1 or even TC 0 implies the existence of generalpurpose obfuscators for P. Previously, such a bootstrapping procedure was known to exist under the assumption that there exists a fullyhomomorphic encryption whose decryption algorithm can be computed in WEAK. Our reduction works with respect to virtual blackbox obfuscators and relativizes to ideal models. 1