Results 1  10
of
47
On ideal lattices and learning with errors over rings
 In Proc. of EUROCRYPT, volume 6110 of LNCS
, 2010
"... The “learning with errors ” (LWE) problem is to distinguish random linear equations, which have been perturbed by a small amount of noise, from truly uniform ones. The problem has been shown to be as hard as worstcase lattice problems, and in recent years it has served as the foundation for a pleth ..."
Abstract

Cited by 125 (18 self)
 Add to MetaCart
The “learning with errors ” (LWE) problem is to distinguish random linear equations, which have been perturbed by a small amount of noise, from truly uniform ones. The problem has been shown to be as hard as worstcase lattice problems, and in recent years it has served as the foundation for a plethora of cryptographic applications. Unfortunately, these applications are rather inefficient due to an inherent quadratic overhead in the use of LWE. A main open question was whether LWE and its applications could be made truly efficient by exploiting extra algebraic structure, as was done for latticebased hash functions (and related primitives). We resolve this question in the affirmative by introducing an algebraic variant of LWE called ringLWE, and proving that it too enjoys very strong hardness guarantees. Specifically, we show that the ringLWE distribution is pseudorandom, assuming that worstcase problems on ideal lattices are hard for polynomialtime quantum algorithms. Applications include the first truly practical latticebased publickey cryptosystem with an efficient security reduction; moreover, many of the other applications of LWE can be made much more efficient through the use of ringLWE. 1
Practical latticebased cryptography: A signature scheme for embedded systems
 CHES 2012, LNCS
, 2012
"... Nearly all of the currently used and welltested signature schemes (e.g. RSA or DSA) are based either on the factoring assumption or the presumed intractability of the discrete logarithm problem. Further algorithmic advances on these problems may lead to the unpleasant situation that a large number ..."
Abstract

Cited by 28 (6 self)
 Add to MetaCart
(Show Context)
Nearly all of the currently used and welltested signature schemes (e.g. RSA or DSA) are based either on the factoring assumption or the presumed intractability of the discrete logarithm problem. Further algorithmic advances on these problems may lead to the unpleasant situation that a large number of schemes have to be replaced with alternatives. In this work we present such an alternative – a signature scheme whose security is derived from the hardness of lattice problems. It is based on recent theoretical advances in latticebased cryptography and is highly optimized for practicability and use in embedded systems. The public and secret keys are roughly 12000 and 2000 bits long, while the signature size is approximately 9000 bits for a security level of around 100 bits. The implementation results on reconfigurable hardware (Spartan/Virtex 6) are very promising and show that the scheme is scalable, has low area consumption, and even outperforms some classical schemes.
Asymptotically efficient latticebased digital signatures
 IN FIFTH THEORY OF CRYPTOGRAPHY CONFERENCE (TCC
, 2008
"... We give a direct construction of digital signatures based on the complexity of approximating the shortest vector in ideal (e.g., cyclic) lattices. The construction is provably secure based on the worstcase hardness of approximating the shortest vector in such lattices within a polynomial factor, an ..."
Abstract

Cited by 28 (9 self)
 Add to MetaCart
We give a direct construction of digital signatures based on the complexity of approximating the shortest vector in ideal (e.g., cyclic) lattices. The construction is provably secure based on the worstcase hardness of approximating the shortest vector in such lattices within a polynomial factor, and it is also asymptotically efficient: the time complexity of the signing and verification algorithms, as well as key and signature size is almost linear (up to polylogarithmic factors) in the dimension n of the underlying lattice. Since no subexponential (in n) time algorithm is known to solve lattice problems in the worst case, even when restricted to cyclic lattices, our construction gives a digital signature scheme with an essentially optimal performance/security tradeoff.
A toolkit for ringLWE cryptography
 In EUROCRYPT
, 2013
"... Recent advances in lattice cryptography, mainly stemming from the development of ringbased primitives such as ringLWE, have made it possible to design cryptographic schemes whose efficiency is competitive with that of more traditional numbertheoretic ones, along with entirely new applications lik ..."
Abstract

Cited by 21 (7 self)
 Add to MetaCart
Recent advances in lattice cryptography, mainly stemming from the development of ringbased primitives such as ringLWE, have made it possible to design cryptographic schemes whose efficiency is competitive with that of more traditional numbertheoretic ones, along with entirely new applications like fully homomorphic encryption. Unfortunately, realizing the full potential of ringbased cryptography has so far been hindered by a lack of practical algorithms and analytical tools for working in this context. As a result, most previous works have focused on very special classes of rings such as poweroftwo cyclotomics, which significantly restricts the possible applications. We bridge this gap by introducing a toolkit of fast, modular algorithms and analytical techniques that can be used in a wide variety of ringbased cryptographic applications, particularly those built around ringLWE. Our techniques yield applications that work in arbitrary cyclotomic rings, with no loss in their underlying worstcase hardness guarantees, and very little loss in computational efficiency, relative to poweroftwo cyclotomics. To demonstrate the toolkit’s applicability, we develop a few illustrative applications: two variant publickey cryptosystems, and a “somewhat homomorphic ” symmetric encryption scheme. Both apply to arbitrary cyclotomics, have tight parameters, and very efficient implementations. 1
Sampling from discrete Gaussians for latticebased cryptography on a constrained device
 Appl. Algebra Eng. Commun. Comput
"... ABSTRACT. Modern latticebased publickey cryptosystems require sampling from discrete Gaussian (normal) distributions. The paper surveys algorithms to implement such sampling efficiently, with particular focus on the case of constrained devices with small onboard storage and without access to larg ..."
Abstract

Cited by 14 (0 self)
 Add to MetaCart
(Show Context)
ABSTRACT. Modern latticebased publickey cryptosystems require sampling from discrete Gaussian (normal) distributions. The paper surveys algorithms to implement such sampling efficiently, with particular focus on the case of constrained devices with small onboard storage and without access to large numbers of external random bits. We review latticebased encryption schemes and signature schemes and their requirements for sampling from discrete Gaussians. Finally, we make some remarks on challenges and potential solutions for practical latticebased cryptography.
Improvement and Efficient Implementation of a Latticebased Signature Scheme
, 2013
"... Latticebased signature schemes constitute an interesting alternative to RSA and discrete logarithm based systems which may become insecure in the future, for example due to the possibility of quantum attacks. A particularly interesting scheme in this context is the GPV signature scheme [GPV08] comb ..."
Abstract

Cited by 12 (5 self)
 Add to MetaCart
(Show Context)
Latticebased signature schemes constitute an interesting alternative to RSA and discrete logarithm based systems which may become insecure in the future, for example due to the possibility of quantum attacks. A particularly interesting scheme in this context is the GPV signature scheme [GPV08] combined with the trapdoor construction from Micciancio and Peikert [MP12] as it admits strong security proofs and is believed to be very efficient in practice. This paper confirms this belief and shows how to improve the GPV scheme in terms of space and running time and presents an implementation of the optimized scheme. A ring variant of this scheme is also introduced which leads to a more efficient construction. Experimental results show that GPV with the new trapdoor construction is competitive to the signature schemes that are currently used in practice.
Decoding by Embedding: Correct Decoding Radius and DMT Optimality
, 2013
"... Abstract—The closest vector problem (CVP) and shortest (nonzero) vector problem (SVP) are the core algorithmic problems on Euclidean lattices. They are central to the applications of lattices in many problems of communications and cryptography. Kannan’s embedding technique is a powerful technique fo ..."
Abstract

Cited by 9 (1 self)
 Add to MetaCart
(Show Context)
Abstract—The closest vector problem (CVP) and shortest (nonzero) vector problem (SVP) are the core algorithmic problems on Euclidean lattices. They are central to the applications of lattices in many problems of communications and cryptography. Kannan’s embedding technique is a powerful technique for solving the approximate CVP, yet its remarkable practical performance is not well understood. In this paper, the embedding technique is analyzed from a bounded distance decoding (BDD) viewpoint. We present two complementary analyses of the embedding technique: We establish a reduction from BDD to Hermite SVP (via unique SVP), which can be used along with any Hermite SVP solver (including, among others, the Lenstra, Lenstra and Lovász (LLL) algorithm), and show that, in the special case of LLL, it performs at least as well as Babai’s nearest plane algorithm (LLLaided SIC). The former analysis helps to explain the folklore practical observation that unique SVP is easier than standard approximate SVP. It is proven that when the LLL algorithm is employed, the embedding technique can solve the CVP provided that the noise norm is smaller than a decoding radius λ1/(2γ), where λ1 is the minimum distance of the lattice, and γ ≈ O(2 n/4). This substantially improves the previously best known correct decoding bound γ ≈ O(2 n). Focusing on the applications of BDD to decoding of multipleinput multipleoutput (MIMO) systems, we also prove that BDD of the regularized lattice is optimal in terms of the diversitymultiplexing gain tradeoff (DMT), and propose practical variants of embedding decoding which require no knowledge of the minimum distance of the lattice and/or further improve the error performance. Index Terms—closest vector problem, lattice decoding, lattice reduction, MIMO systems, shortest vector problem I.
LatticeBased Group Signatures with Logarithmic Signature Size
, 2013
"... Group signatures are cryptographic primitives where users can anonymously sign messages in the name of a population they belong to. Gordon et al. (Asiacrypt 2010) suggested the first realization of group signatures based on lattice assumptions in the random oracle model. A significant drawback of th ..."
Abstract

Cited by 7 (1 self)
 Add to MetaCart
(Show Context)
Group signatures are cryptographic primitives where users can anonymously sign messages in the name of a population they belong to. Gordon et al. (Asiacrypt 2010) suggested the first realization of group signatures based on lattice assumptions in the random oracle model. A significant drawback of their scheme is its linear signature size in the cardinality N of the group. A recent extension proposed by Camenisch et al. (SCN 2012) suffers from the same overhead. In this paper, we describe the first latticebased group signature schemes where the signature and public key sizes are essentially logarithmic in N (for any fixed security level). Our basic construction only satisfies a relaxed definition of anonymity (just like the Gordon et al. system) but readily extends into a fully anonymous group signature (i.e., that resists adversaries equipped with a signature opening oracle). We prove the security of our schemes in the random oracle model under the SIS and LWE assumptions.
Tightlysecure signatures from lossy identification schemes
"... In this paper we present three digital signature schemes with tight security reductions. Our first signature scheme is a particularly efficient version of the short exponent discrete log based scheme of Girault et al. (J. of Cryptology 2006). Our scheme has a tight reduction to the decisional Short ..."
Abstract

Cited by 7 (0 self)
 Add to MetaCart
(Show Context)
In this paper we present three digital signature schemes with tight security reductions. Our first signature scheme is a particularly efficient version of the short exponent discrete log based scheme of Girault et al. (J. of Cryptology 2006). Our scheme has a tight reduction to the decisional Short Discrete Logarithm problem, while still maintaining the nontight reduction to the computational version of the problem upon which the original scheme of Girault et al. is based. The second signature scheme we construct is a modification of the scheme of Lyubashevsky (Asiacrypt 2009) that is based on the worstcase hardness of the shortest vector problem in ideal lattices. And the third scheme is a very simple signature scheme that is based directly on the hardness of the Subset Sum problem. We also present a general transformation that converts, what we term lossy identification schemes, into signature schemes with tight security reductions. We believe that this greatly simplifies the task of constructing and proving the security of such signature schemes.
High Precision Discrete Gaussian Sampling on
"... Abstract. Latticebased public key cryptography often requires sampling from discrete Gaussian distributions. In this paper we present an efficient hardware implementation of a discrete Gaussian sampler with high precision and large tailbound based on the KnuthYao algorithm. The KnuthYao algorit ..."
Abstract

Cited by 7 (3 self)
 Add to MetaCart
(Show Context)
Abstract. Latticebased public key cryptography often requires sampling from discrete Gaussian distributions. In this paper we present an efficient hardware implementation of a discrete Gaussian sampler with high precision and large tailbound based on the KnuthYao algorithm. The KnuthYao algorithm is chosen since it requires a minimal number of random bits and is well suited for high precision sampling. We propose a novel implementation of this algorithm based on an efficient traversal of the discrete distribution generating (DDG) tree. Furthermore, we propose optimization techniques to store the probabilities of the sample points in nearoptimal space. Our implementation targets the Gaussian distribution parameters typically used in LWE encryption schemes and has maximum statistical distance of 2−90 to a true discrete Gaussian distribution. For these parameters, our implementation on the Xilinx Virtex V platform results in a sampler architecture that only consumes 47 slices and has a delay of 3ns.