Results 1  10
of
176
Trapdoors for Hard Lattices and New Cryptographic Constructions
, 2007
"... We show how to construct a variety of “trapdoor ” cryptographic tools assuming the worstcase hardness of standard lattice problems (such as approximating the shortest nonzero vector to within small factors). The applications include trapdoor functions with preimage sampling, simple and efficient “ha ..."
Abstract

Cited by 104 (20 self)
 Add to MetaCart
We show how to construct a variety of “trapdoor ” cryptographic tools assuming the worstcase hardness of standard lattice problems (such as approximating the shortest nonzero vector to within small factors). The applications include trapdoor functions with preimage sampling, simple and efficient “hashandsign ” digital signature schemes, universally composable oblivious transfer, and identitybased encryption. A core technical component of our constructions is an efficient algorithm that, given a basis of an arbitrary lattice, samples lattice points from a Gaussianlike probability distribution whose standard deviation is essentially the length of the longest vector in the basis. In particular, the crucial security property is that the output distribution of the algorithm is oblivious to the particular geometry of the given basis. ∗ Supported by the Herbert Kunzel Stanford Graduate Fellowship. † This material is based upon work supported by the National Science Foundation under Grants CNS0716786 and CNS0749931. Any opinions, findings, and conclusions or recommedations expressed in this material are those of the author(s) and do not necessarily reflect the views of the National Science Foundation. ‡ The majority of this work was performed while at SRI International. 1 1
Lossy Trapdoor Functions and Their Applications
 ELECTRONIC COLLOQUIUM ON COMPUTATIONAL COMPLEXITY, REPORT NO. 80 (2007)
, 2007
"... We propose a new general primitive called lossy trapdoor functions (lossy TDFs), and realize it under a variety of different number theoretic assumptions, including hardness of the decisional DiffieHellman (DDH) problem and the worstcase hardness of standard lattice problems. Using lossy TDFs, we ..."
Abstract

Cited by 79 (17 self)
 Add to MetaCart
We propose a new general primitive called lossy trapdoor functions (lossy TDFs), and realize it under a variety of different number theoretic assumptions, including hardness of the decisional DiffieHellman (DDH) problem and the worstcase hardness of standard lattice problems. Using lossy TDFs, we develop a new approach for constructing many important cryptographic primitives, including standard trapdoor functions, CCAsecure cryptosystems, collisionresistant hash functions, and more. All of our constructions are simple, efficient, and blackbox. Taken all together, these results resolve some longstanding open problems in cryptography. They give the first known (injective) trapdoor functions based on problems not directly related to integer factorization, and provide the first known CCAsecure cryptosystem based solely on worstcase lattice assumptions.
Simultaneous hardcore bits and cryptography against memory attacks
 In TCC
, 2009
"... Abstract. This paper considers two questions in cryptography. Cryptography Secure Against Memory Attacks. A particularly devastating sidechannel attack against cryptosystems, termed the “memory attack”, was proposed recently. In this attack, a significant fraction of the bits of a secret key of a c ..."
Abstract

Cited by 74 (8 self)
 Add to MetaCart
Abstract. This paper considers two questions in cryptography. Cryptography Secure Against Memory Attacks. A particularly devastating sidechannel attack against cryptosystems, termed the “memory attack”, was proposed recently. In this attack, a significant fraction of the bits of a secret key of a cryptographic algorithm can be measured by an adversary if the secret key is ever stored in a part of memory which can be accessed even after power has been turned off for a short amount of time. Such an attack has been shown to completely compromise the security of various cryptosystems in use, including the RSA cryptosystem and AES. We show that the publickey encryption scheme of Regev (STOC 2005), and the identitybased encryption scheme of Gentry, Peikert and Vaikuntanathan (STOC 2008) are remarkably robust against memory attacks where the adversary can measure a large fraction of the bits of the secretkey, or more generally, can compute an arbitrary function of the secretkey of bounded output length. This is done without increasing the size of the secretkey, and without introducing any
Bonsai Trees, or How to Delegate a Lattice Basis
, 2010
"... We introduce a new latticebased cryptographic structure called a bonsai tree, and use it to resolve some important open problems in the area. Applications of bonsai trees include: • An efficient, stateless ‘hashandsign ’ signature scheme in the standard model (i.e., no random oracles), and • The ..."
Abstract

Cited by 65 (5 self)
 Add to MetaCart
We introduce a new latticebased cryptographic structure called a bonsai tree, and use it to resolve some important open problems in the area. Applications of bonsai trees include: • An efficient, stateless ‘hashandsign ’ signature scheme in the standard model (i.e., no random oracles), and • The first hierarchical identitybased encryption (HIBE) scheme (also in the standard model) that does not rely on bilinear pairings. Interestingly, the abstract properties of bonsai trees seem to have no known realization in conventional numbertheoretic cryptography. 1
What Can We Learn Privately?
 49TH ANNUAL IEEE SYMPOSIUM ON FOUNDATIONS OF COMPUTER SCIENCE
, 2008
"... Learning problems form an important category of computational tasks that generalizes many of the computations researchers apply to large reallife data sets. We ask: what concept classes can be learned privately, namely, by an algorithm whose output does not depend too heavily on any one input or sp ..."
Abstract

Cited by 57 (9 self)
 Add to MetaCart
Learning problems form an important category of computational tasks that generalizes many of the computations researchers apply to large reallife data sets. We ask: what concept classes can be learned privately, namely, by an algorithm whose output does not depend too heavily on any one input or specific training example? More precisely, we investigate learning algorithms that satisfy differential privacy, a notion that provides strong confidentiality guarantees in the contexts where aggregate information is released about a database containing sensitive information about individuals. We present several basic results that demonstrate general feasibility of private learning and relate several models previously studied separately in the contexts of privacy and standard learning.
Efficient lattice (H)IBE in the standard model
 In EUROCRYPT 2010, LNCS
, 2010
"... Abstract. We construct an efficient identity based encryption system based on the standard learning with errors (LWE) problem. Our security proof holds in the standard model. The key step in the construction is a family of lattices for which there are two distinct trapdoors for finding short vectors ..."
Abstract

Cited by 52 (10 self)
 Add to MetaCart
Abstract. We construct an efficient identity based encryption system based on the standard learning with errors (LWE) problem. Our security proof holds in the standard model. The key step in the construction is a family of lattices for which there are two distinct trapdoors for finding short vectors. One trapdoor enables the real system to generate short vectors in all lattices in the family. The other trapdoor enables the simulator to generate short vectors for all lattices in the family except for one. We extend this basic technique to an adaptivelysecure IBE and a Hierarchical IBE. 1
PublicKey Cryptosystems Resilient to Key Leakage
"... Most of the work in the analysis of cryptographic schemes is concentrated in abstract adversarial models that do not capture sidechannel attacks. Such attacks exploit various forms of unintended information leakage, which is inherent to almost all physical implementations. Inspired by recent sidec ..."
Abstract

Cited by 51 (6 self)
 Add to MetaCart
Most of the work in the analysis of cryptographic schemes is concentrated in abstract adversarial models that do not capture sidechannel attacks. Such attacks exploit various forms of unintended information leakage, which is inherent to almost all physical implementations. Inspired by recent sidechannel attacks, especially the “cold boot attacks ” of Halderman et al. (USENIX Security ’08), Akavia, Goldwasser and Vaikuntanathan (TCC ’09) formalized a realistic framework for modeling the security of encryption schemes against a wide class of sidechannel attacks in which adversarially chosen functions of the secret key are leaked. In the setting of publickey encryption, Akavia et al. showed that Regev’s latticebased scheme (STOC ’05) is resilient to any leakage of
Efficient collisionresistant hashing from worstcase assumptions on cyclic lattices
 In TCC
, 2006
"... Abstract The generalized knapsack function is defined as fa(x) = Pi ai * xi, where a = (a1,..., am)consists of m elements from some ring R, and x = (x1,..., xm) consists of m coefficients froma specified subset S ` R. Micciancio (FOCS 2002) proposed a specific choice of the ring R andsubset S for w ..."
Abstract

Cited by 43 (12 self)
 Add to MetaCart
Abstract The generalized knapsack function is defined as fa(x) = Pi ai * xi, where a = (a1,..., am)consists of m elements from some ring R, and x = (x1,..., xm) consists of m coefficients froma specified subset S ` R. Micciancio (FOCS 2002) proposed a specific choice of the ring R andsubset S for which inverting this function (for random a, x) is at least as hard as solving certainworstcase problems on cyclic lattices. We show that for a different choice of S ae R, the generalized knapsack function is in factcollisionresistant, assuming it is infeasible to approximate the shortest vector in ndimensionalcyclic lattices up to factors ~ O(n). For slightly larger factors, we even get collisionresistancefor any m> = 2. This yields very efficient collisionresistant hash functions having key size andtime complexity almost linear in the security parameter n. We also show that altering S isnecessary, in the sense that Micciancio's original function is not collisionresistant (nor even universal oneway).Our results exploit an intimate connection between the linear algebra of ndimensional cycliclattices and the ring Z [ ff]/(ffn 1), and crucially depend on the factorization of ffn 1 intoirreducible cyclotomic polynomials. We also establish a new bound on the discrete Gaussian distribution over general lattices, employing techniques introduced by Micciancio and Regev(FOCS 2004) and also used by Micciancio in his study of compact knapsacks. 1 Introduction A function family {fa}a2A is said to be collisionresistant if given a uniformly chosen a 2 A, it is infeasible to find elements x1 6 = x2 so that fa(x1) = fa(x2). Collisionresistant hash functions are one of the most widelyemployed cryptographic primitives. Their applications include integrity checking, user and message authentication, commitment protocols, and more. Many of the applications of collisionresistant hashing tend to invoke the hash function only a small number of times. Thus, the efficiency of the function has a direct effect on the efficiency of the application that uses it. This is in contrast to primitives such as oneway functions, which typically must be invoked many times in their applications (at least when used in a blackbox way) [9].
Efficient Fully Homomorphic Encryption from (Standard
 LWE, FOCS 2011, IEEE 52nd Annual Symposium on Foundations of Computer Science, IEEE
, 2011
"... We present a fully homomorphic encryption scheme that is based solely on the (standard) learning with errors (LWE) assumption. Applying known results on LWE, the security of our scheme is based on the worstcase hardness of “short vector problems ” on arbitrary lattices. Our construction improves on ..."
Abstract

Cited by 43 (3 self)
 Add to MetaCart
We present a fully homomorphic encryption scheme that is based solely on the (standard) learning with errors (LWE) assumption. Applying known results on LWE, the security of our scheme is based on the worstcase hardness of “short vector problems ” on arbitrary lattices. Our construction improves on previous works in two aspects: 1. We show that “somewhat homomorphic ” encryption can be based on LWE, using a new relinearization technique. In contrast, all previous schemes relied on complexity assumptions related to ideals in various rings. 2. We deviate from the “squashing paradigm ” used in all previous works. We introduce a new dimensionmodulus reduction technique, which shortens the ciphertexts and reduces the decryption complexity of our scheme, without introducing additional assumptions. Our scheme has very short ciphertexts and we therefore use it to construct an asymptotically efficient LWEbased singleserver private information retrieval (PIR) protocol. The communication complexity of our protocol (in the publickey model) is k · polylog(k) + log DB  bits per singlebit query (here, k is a security parameter). ∗ nd
Quantum computing, postselection, and probabilistic polynomialtime
, 2004
"... I study the class of problems efficiently solvable by a quantum computer, given the ability to “postselect” on the outcomes of measurements. I prove that this class coincides with a classical complexity class called PP, or Probabilistic PolynomialTime. Using this result, I show that several simple ..."
Abstract

Cited by 39 (12 self)
 Add to MetaCart
I study the class of problems efficiently solvable by a quantum computer, given the ability to “postselect” on the outcomes of measurements. I prove that this class coincides with a classical complexity class called PP, or Probabilistic PolynomialTime. Using this result, I show that several simple changes to the axioms of quantum mechanics would let us solve PPcomplete problems efficiently. The result also implies, as an easy corollary, a celebrated theorem of Beigel, Reingold, and Spielman that PP is closed under intersection, as well as a generalization of that theorem due to Fortnow and Reingold. This illustrates that quantum computing can yield new and simpler proofs of major results about classical computation.