Efficient collision-resistant hashing from worst-case assumptions on cyclic lattices (2006)

by C Peikert, A Rosen
Venue: In TCC

Results 1 - 10 of 62

Fully homomorphic encryption using ideal lattices

by Craig Gentry - In Proc. STOC, 2009
Abstract - Cited by 663 (17 self)
We propose a fully homomorphic encryption scheme – i.e., a scheme that allows one to evaluate circuits over encrypted data without being able to decrypt. Our solution comes in three steps. First, we provide a general result – that, to construct an encryption scheme that permits evaluation of arbitrary circuits, it suffices to construct an encryption scheme that can evaluate (slightly augmented versions of) its own decryption circuit; we call a scheme that can evaluate its (augmented) decryption circuit bootstrappable. Next, we describe a public key encryption scheme using ideal lattices that is almost bootstrappable. Lattice-based cryptosystems typically have decryption algorithms with low circuit complexity, often dominated by an inner product computation that is in NC1. Also, ideal lattices provide both additive and multiplicative homomorphisms (modulo a public-key ideal in a polynomial ring that is represented as a lattice), as needed to evaluate general circuits. Unfortunately, our initial scheme is not quite bootstrappable – i.e., the depth that the scheme can correctly evaluate can be logarithmic in the lattice dimension, just like the depth of the decryption circuit, but the latter is greater than the former. In the final step, we show how to modify the scheme to reduce the depth of the decryption circuit, and thereby obtain a bootstrappable encryption scheme, without reducing the depth that the scheme can evaluate. Abstractly, we accomplish this by enabling the encrypter to start the decryption process, leaving less work for the decrypter, much like the server leaves less work for the decrypter in a server-aided cryptosystem.

Citation Context

...ounds the coefficients of a vector to the nearest integer. We define the length ‖BI‖ of a basis to be max{‖bi‖ : bi ∈ BI}. Cryptographic work on ideal lattices includes NTRU [25] and more recent work [41, 32, 33, 48, 49]. 3.4 The Initial Construction, Concretely. When we implement the abstract construction using a polynomial ring and ideal lattices as described in Section 3.3, the sets XEnc and XDec become subsets of ...

A fully homomorphic encryption scheme

by Craig Gentry, 2009
Abstract - Cited by 208 (9 self)
Abstract not found

Trapdoors for Hard Lattices and New Cryptographic Constructions

by Craig Gentry, Chris Peikert, Vinod Vaikuntanathan, 2007
Abstract - Cited by 191 (26 self)
We show how to construct a variety of “trapdoor” cryptographic tools assuming the worst-case hardness of standard lattice problems (such as approximating the shortest nonzero vector to within small factors). The applications include trapdoor functions with preimage sampling, simple and efficient “hash-and-sign” digital signature schemes, universally composable oblivious transfer, and identity-based encryption. A core technical component of our constructions is an efficient algorithm that, given a basis of an arbitrary lattice, samples lattice points from a Gaussian-like probability distribution whose standard deviation is essentially the length of the longest vector in the basis. In particular, the crucial security property is that the output distribution of the algorithm is oblivious to the particular geometry of the given basis.
∗ Supported by the Herbert Kunzel Stanford Graduate Fellowship. † This material is based upon work supported by the National Science Foundation under Grants CNS-0716786 and CNS-0749931. Any opinions, findings, and conclusions or recommendations expressed in this material are those of the author(s) and do not necessarily reflect the views of the National Science Foundation. ‡ The majority of this work was performed while at SRI International.

On ideal lattices and learning with errors over rings

by Vadim Lyubashevsky, Chris Peikert, Oded Regev - In Proc. of EUROCRYPT, volume 6110 of LNCS, 2010
Abstract - Cited by 125 (18 self)
The “learning with errors” (LWE) problem is to distinguish random linear equations, which have been perturbed by a small amount of noise, from truly uniform ones. The problem has been shown to be as hard as worst-case lattice problems, and in recent years it has served as the foundation for a plethora of cryptographic applications. Unfortunately, these applications are rather inefficient due to an inherent quadratic overhead in the use of LWE. A main open question was whether LWE and its applications could be made truly efficient by exploiting extra algebraic structure, as was done for lattice-based hash functions (and related primitives). We resolve this question in the affirmative by introducing an algebraic variant of LWE called ring-LWE, and proving that it too enjoys very strong hardness guarantees. Specifically, we show that the ring-LWE distribution is pseudorandom, assuming that worst-case problems on ideal lattices are hard for polynomial-time quantum algorithms. Applications include the first truly practical lattice-based public-key cryptosystem with an efficient security reduction; moreover, many of the other applications of LWE can be made much more efficient through the use of ring-LWE.

Bonsai Trees, or How to Delegate a Lattice Basis

by David Cash, Dennis Hofheinz, Eike Kiltz, Chris Peikert, 2010
Abstract - Cited by 123 (7 self)
We introduce a new lattice-based cryptographic structure called a bonsai tree, and use it to resolve some important open problems in the area. Applications of bonsai trees include: • An efficient, stateless ‘hash-and-sign’ signature scheme in the standard model (i.e., no random oracles), and • The first hierarchical identity-based encryption (HIBE) scheme (also in the standard model) that does not rely on bilinear pairings. Interestingly, the abstract properties of bonsai trees seem to have no known realization in conventional number-theoretic cryptography.

Citation Context

...ast quadratic in the security parameter. Fortunately, the principles of bonsai trees may be applied equally well using analogous hard problems and tools for cyclic/ideal lattices (developed in, e.g., [39, 47, 36, 48, 55, 38]). This approach can ‘miniaturize’ the bonsai trees and most of their associated operations by about a linear factor in the security parameter. The resulting schemes are still not suitable for practic...

Efficient lattice (H)IBE in the standard model

by Shweta Agrawal, Dan Boneh, Xavier Boyen - In EUROCRYPT 2010, LNCS, 2010
Abstract - Cited by 98 (15 self)
We construct an efficient identity based encryption system based on the standard learning with errors (LWE) problem. Our security proof holds in the standard model. The key step in the construction is a family of lattices for which there are two distinct trapdoors for finding short vectors. One trapdoor enables the real system to generate short vectors in all lattices in the family. The other trapdoor enables the simulator to generate short vectors for all lattices in the family except for one. We extend this basic technique to an adaptively-secure IBE and a Hierarchical IBE.

Citation Context

...iplication by a constant in the number field K = F[X]/(f) and is therefore invertible when the matrix is non-zero. We note that similar matrix encodings of ring multiplication were previously used in [26, 21]. Theorem 5. Let F be a field and f a polynomial in F[X]. If f is irreducible in F[X] then the function H defined in (3) is an encoding with full-rank differences (or FRD encoding). An example....
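The full-rank-differences property stated in Theorem 5 above, as an added worked illustration written for this page (it is not code from the Agrawal-Boneh-Boyen paper, and the paper's own encoding (3) is not reproduced here). A ring element a of F[X]/(f) is encoded as the matrix of multiplication by a, so that H(a) − H(b) = H(a − b); when f is irreducible the quotient is a field, every nonzero difference is invertible, and the difference of two distinct encodings has full rank. The field F = F_2, the irreducible modulus X^8 + X^4 + X^3 + X + 1 and the reducible contrast X^8 + 1 = (X + 1)^8 are constructed choices for the example. One caveat the contrast makes visible: irreducibility is over the coefficient field, not over the rationals. X^n + 1 (n a power of 2) is irreducible over Q, but it splits over F_q whenever q ≡ 1 (mod 2n).

```python
# Added example: matrix encoding of ring multiplication in F_P[X]/(f) and an
# exhaustive check of the full-rank-differences (FRD) property. Not code from
# the cited paper; P and the moduli below are constructed for the illustration.
import itertools

P = 2                                   # coefficient field F = F_P
# Coefficient lists are low degree first; both moduli are monic of degree 8.
F_IRRED = [1, 1, 0, 1, 1, 0, 0, 0, 1]   # X^8 + X^4 + X^3 + X + 1, irreducible over F_2
F_REDUC = [1, 0, 0, 0, 0, 0, 0, 0, 1]   # X^8 + 1 = (X + 1)^8 over F_2, reducible


def mul_x_mod(v, f):
    """Return X * v(X) mod f(X) over F_P, with v of length deg f and f monic."""
    n = len(f) - 1
    lead = v[-1]                         # coefficient that lands on X^n
    shifted = [0] + v[:-1]               # multiply by X, drop the X^n term
    return [(shifted[i] - lead * f[i]) % P for i in range(n)]   # X^n = -(f - X^n)


def encode(a, f):
    """H(a): the n x n matrix whose column j is a(X) * X^j mod f(X).

    Multiplying H(a) by the coefficient vector of b gives a * b mod f, so the
    map a -> H(a) is linear and H(a) - H(b) = H(a - b)."""
    n = len(f) - 1
    cols, v = [], [c % P for c in a]
    for _ in range(n):
        cols.append(v)
        v = mul_x_mod(v, f)
    return [[cols[j][i] for j in range(n)] for i in range(n)]   # transpose


def rank_mod_p(m):
    """Rank of a matrix over F_P by Gaussian elimination."""
    m = [row[:] for row in m]
    rows, cols, rank = len(m), len(m[0]), 0
    for c in range(cols):
        piv = next((r for r in range(rank, rows) if m[r][c] % P), None)
        if piv is None:
            continue
        m[rank], m[piv] = m[piv], m[rank]
        inv = pow(m[rank][c], -1, P)
        m[rank] = [(x * inv) % P for x in m[rank]]
        for r in range(rows):
            if r != rank and m[r][c]:
                factor = m[r][c]
                m[r] = [(x - factor * y) % P for x, y in zip(m[r], m[rank])]
        rank += 1
    return rank


def difference_is_full_rank(a, b, f):
    """True iff H(a) - H(b) is invertible over F_P."""
    n = len(f) - 1
    diff = [[(x - y) % P for x, y in zip(ra, rb)]
            for ra, rb in zip(encode(a, f), encode(b, f))]
    return rank_mod_p(diff) == n


def frd_holds(f):
    """Exhaustively check FRD: H(a) - H(0) has full rank for every nonzero a.
    By linearity this is the same as full rank of H(a) - H(b) for all a != b."""
    n = len(f) - 1
    zero = [0] * n
    return all(difference_is_full_rank(list(a), zero, f)
               for a in itertools.product(range(P), repeat=n) if any(a))


if __name__ == "__main__":
    print("FRD over irreducible modulus:", frd_holds(F_IRRED))   # True
    print("FRD over reducible modulus:  ", frd_holds(F_REDUC))   # False
    # Over (X + 1)^8 the element 1 + X is a zero divisor, so H(1 + X) is singular.
    print("rank of H(1 + X) mod X^8 + 1:",
          rank_mod_p(encode([1, 1, 0, 0, 0, 0, 0, 0], F_REDUC)))
```

The exhaustive check is only feasible because the field is tiny; for a real instantiation the guarantee comes from the theorem (nonzero elements of a field are invertible), and the practical job is to verify that the chosen f really is irreducible over the chosen F_q.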

Lattice-based Cryptography

by Daniele Micciancio, Oded Regev, 2008
Abstract - Cited by 66 (5 self)
In this chapter we describe some of the recent progress in lattice-based cryptography. Lattice-based cryptographic constructions hold a great promise for post-quantum cryptography, as they enjoy very strong security proofs based on worst-case hardness, relatively efficient implementations, as well as great simplicity. In addition, lattice-based cryptography is believed to be secure against quantum computers. Our focus here

Citation Context

...-trivial. In particular, Micciancio could only prove that the resulting function is one-way (i.e., hard to invert), as opposed to collision resistant. In fact, collisions can be efficiently found: in [43, 62] it was observed that if each block A (i) is multiplied by a constant vector ci · 1 = (ci, . . . , ci), then the output of fA is going to be a constant vector c · 1 too. Since c can take only q differ...

Generalized compact knapsacks are collision resistant

by Vadim Lyubashevsky, Daniele Micciancio - In ICALP (2), 2006
Abstract - Cited by 58 (15 self)
...A step in the direction of creating efficient cryptographic functions based on worst-case hardness was ...

Citation Context

...le, but essential, as we can show that the generalized compact knapsack instances considered in [14] are not collision resistant. Concurrently with, and independently from our work, Peikert and Rosen [18] have shown, using very similar techniques, that the one-way function in [14] is not collision resistant and showed how to construct collision-resistant hash functions based on the hardness of finding...
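The collision attack that the Micciancio-Regev context and the Lyubashevsky-Micciancio context above both refer to, as an added worked example written for this page (not code from Micciancio's original paper nor from Peikert and Rosen or Lyubashevsky and Micciancio). The generalized compact knapsack hashes m ring elements x_i with small coefficients to f_A(x) = Σ a_i · x_i in Z_q[X]/(X^n − 1). Over that ring the all-ones vector is an eigenvector of every circulant matrix, so an input whose blocks are constant vectors c_i · 1 maps to a constant vector c · 1; only q such outputs exist, so once the number of constant inputs exceeds q a collision is guaranteed by pigeonhole. The dimension n, modulus q, coefficient bound D and key A are constructed toy values; the negacyclic variant stands in for the later move to Z_q[X]/(X^n + 1), and the example goes slightly beyond the context by showing that the same inputs stop producing constant outputs there.

```python
# Added example: toy cyclic-lattice knapsack hash and the constant-vector
# collision attack. Parameters and the key A are constructed for illustration
# and are far too small to mean anything about real instantiations.
import itertools

N = 8        # ring dimension n
Q = 257      # coefficient modulus q
D = 8        # input coefficients lie in {0, ..., D-1}
# Constructed sample key: m = 4 ring elements a_i, low degree first.
A = [
    [17, 203, 5, 99, 140, 38, 221, 7],
    [250, 1, 66, 180, 9, 77, 123, 45],
    [3, 88, 201, 34, 150, 12, 97, 160],
    [119, 56, 8, 240, 73, 191, 22, 135],
]


def ring_mul(a, x, negacyclic):
    """a(X) * x(X) in Z_Q[X]/(X^N - 1) (cyclic, the attacked function) or in
    Z_Q[X]/(X^N + 1) (negacyclic, the ring used by the later constructions)."""
    res = [0] * N
    for i, ai in enumerate(a):
        for j, xj in enumerate(x):
            k = i + j
            if k < N:
                res[k] = (res[k] + ai * xj) % Q
            elif negacyclic:
                res[k - N] = (res[k - N] - ai * xj) % Q   # X^N = -1
            else:
                res[k - N] = (res[k - N] + ai * xj) % Q   # X^N = +1
    return res


def knapsack_hash(x_blocks, negacyclic=False):
    """f_A(x_1, ..., x_m) = sum_i a_i * x_i, each x_i with coefficients in [0, D)."""
    assert len(x_blocks) == len(A)
    out = [0] * N
    for a, x in zip(A, x_blocks):
        assert all(0 <= c < D for c in x), "input coefficients must be small"
        out = [(o + p) % Q for o, p in zip(out, ring_mul(a, x, negacyclic))]
    return out


def is_constant(v):
    return all(c == v[0] for c in v)


def constant_vector_collision():
    """Find two distinct inputs with the same cyclic hash.

    Restrict every block to a constant vector c_i * 1. Over X^N - 1 each block
    contributes c_i * sum(a_i) * 1, so the hash is a constant vector c * 1 and
    at most Q distinct outputs are reachable, while there are D**m such inputs.
    With D**m > Q a repeat must occur within the first Q + 1 inputs; a birthday
    search would find one sooner, plain enumeration is enough to show the point."""
    m = len(A)
    assert D ** m > Q, "pigeonhole argument needs more constant inputs than outputs"
    seen = {}
    for cs in itertools.product(range(D), repeat=m):
        x = [[c] * N for c in cs]
        h = tuple(knapsack_hash(x))
        assert is_constant(h)            # the structural weakness being exploited
        if h in seen:
            return seen[h], x
        seen[h] = x
    return None                          # unreachable when D**m > Q


if __name__ == "__main__":
    x1, x2 = constant_vector_collision()
    print("collision:", x1, "and", x2, "->", knapsack_hash(x1))
    # Over X^N + 1 the all-ones vector is no longer an eigenvector, so the same
    # constant input does not yield a constant output and the shortcut closes.
    x = [[1] * N] + [[0] * N] * (len(A) - 1)
    print("cyclic    :", knapsack_hash(x))
    print("negacyclic:", knapsack_hash(x, negacyclic=True))
```

The negacyclic output for a constant block is c · (2P_k − S) in coordinate k, with P_k the partial sum of the first k + 1 coefficients of a_i and S their total, so it is constant only when a_i has no terms above degree 0. That closes this particular shortcut; it does not by itself make the function collision resistant, which is what the worst-case reductions in the papers listed here establish for the ring Z_q[X]/(X^n + 1) with suitable parameters.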

SWIFFT: A Modest Proposal for FFT Hashing

by Vadim Lyubashevsky, Daniele Micciancio, Chris Peikert, Alon Rosen
Abstract - Cited by 51 (17 self)
We propose SWIFFT, a collection of compression functions that are highly parallelizable and admit very efficient implementations on modern microprocessors. The main technique underlying our functions is a novel use of the Fast Fourier Transform (FFT) to achieve “diffusion,” together with a linear combination to achieve compression and “confusion.” We provide a detailed security analysis of concrete instantiations, and give a high-performance software implementation that exploits the inherent parallelism of the FFT algorithm. The throughput of our implementation is competitive with that of SHA-256, with additional parallelism yet to be exploited. Our functions are set apart from prior proposals (having comparable efficiency) by a supporting asymptotic security proof: it can be formally proved that finding a collision in a randomly-chosen function from the family (with noticeable probability) is at least as hard as finding short vectors in cyclic/ideal lattices in the worst case.

Citation Context

...mathematical problem on certain kinds of point lattices in the worst case. This claim follows from the fact that the SWIFFT functions are a special case of the cyclic/ideal lattice-based functions of [13, 17, 12]. SWIFFT’s simple design has a number of other advantages. First, it also enables unconditional proofs of a variety of statistical properties that are desirable in many applications of hash functions,...

Making NTRU as secure as worst-case problems over ideal lattices

by Damien Stehlé, Ron Steinfeld - In Proc. of EUROCRYPT, volume 6632 of LNCS, 2011
Abstract - Cited by 46 (5 self)
NTRUEncrypt, proposed in 1996 by Hoffstein, Pipher and Silverman, is the fastest known lattice-based encryption scheme. Its moderate key-sizes, excellent asymptotic performance and conjectured resistance to quantum computers could make it a desirable alternative to factorisation and discrete-log based encryption schemes. However, since its introduction, doubts have regularly arisen on its security. In the present work, we show how to modify NTRUEncrypt to make it provably secure in the standard model, under the assumed quantum hardness of standard worst-case lattice problems, restricted to a family of lattices related to some cyclotomic fields. Our main contribution is to show that if the secret key polynomials are selected by rejection from discrete Gaussians, then the public key, which is their ratio, is statistically indistinguishable from uniform over its domain. The security then follows from the already proven hardness of the R-LWE problem.

Citation Context

...case lattices and q is a small prime. Micciancio's construction leads to a family of pre-image resistant hash functions, with complexity quasi-linear in n. Peikert, Rosen, Lyubashevsky and Micciancio [30, 19] later suggested to change the ring to Zq[x]/Φ with a Φ that is irreducible over the rationals, sparse, and with small coefficients (e.g., Φ = x^n + 1 for n a power of 2). The resulting hash function wa...
