Results 1 - 8 of 8
Public-key cryptosystems from the worst-case shortest vector problem
2008
Cited by 153 (22 self)
We construct public-key cryptosystems that are secure assuming the worst-case hardness of approximating the length of a shortest nonzero vector in an n-dimensional lattice to within a small poly(n) factor. Prior cryptosystems with worst-case connections were based either on the shortest vector problem for a special class of lattices (Ajtai and Dwork, STOC 1997; Regev, J. ACM 2004), or on the conjectured hardness of lattice problems for quantum algorithms (Regev, STOC 2005). Our main technical innovation is a reduction from certain variants of the shortest vector problem to corresponding versions of the “learning with errors” (LWE) problem; previously, only a quantum reduction of this kind was known. In addition, we construct new cryptosystems based on the search version of LWE, including a very natural chosen ciphertext-secure system that has a much simpler description and tighter underlying worst-case approximation factor than prior constructions.
Lossy Trapdoor Functions and Their Applications
 ELECTRONIC COLLOQUIUM ON COMPUTATIONAL COMPLEXITY, REPORT NO. 80 (2007)
2007
Cited by 125 (21 self)
We propose a new general primitive called lossy trapdoor functions (lossy TDFs), and realize it under a variety of different number theoretic assumptions, including hardness of the decisional Diffie-Hellman (DDH) problem and the worst-case hardness of standard lattice problems. Using lossy TDFs, we develop a new approach for constructing many important cryptographic primitives, including standard trapdoor functions, CCA-secure cryptosystems, collision-resistant hash functions, and more. All of our constructions are simple, efficient, and black-box. Taken all together, these results resolve some longstanding open problems in cryptography. They give the first known (injective) trapdoor functions based on problems not directly related to integer factorization, and provide the first known CCA-secure cryptosystem based solely on worst-case lattice assumptions.
Bonsai Trees, or How to Delegate a Lattice Basis
2010
Cited by 124 (6 self)
We introduce a new lattice-based cryptographic structure called a bonsai tree, and use it to resolve some important open problems in the area. Applications of bonsai trees include:
• An efficient, stateless ‘hash-and-sign’ signature scheme in the standard model (i.e., no random oracles), and
• The first hierarchical identity-based encryption (HIBE) scheme (also in the standard model) that does not rely on bilinear pairings.
Interestingly, the abstract properties of bonsai trees seem to have no known realization in conventional number-theoretic cryptography.
GENERATING SHORTER BASES FOR HARD RANDOM LATTICES
2009
Cited by 69 (7 self)
We revisit the problem of generating a “hard” random lattice together with a basis of relatively short vectors. This problem has gained in importance lately due to new cryptographic schemes that use such a procedure for generating public/secret key pairs. In these applications, a shorter basis directly corresponds to milder underlying complexity assumptions and smaller key sizes. The contributions of this work are twofold. First, using the Hermite normal form as an organizing principle, we simplify and generalize an approach due to Ajtai (ICALP 1999). Second, we improve the construction and its analysis in several ways, most notably by tightening the length of the output basis essentially to the optimum value.
Bonsai trees (or, arboriculture in lattice-based cryptography)
2009
Cited by 12 (4 self)
We introduce bonsai trees, a lattice-based cryptographic primitive that we apply to resolve some important open problems in the area. Applications of bonsai trees include:
• An efficient, stateless ‘hash-and-sign’ signature scheme in the standard model (i.e., no random oracles), and
• The first hierarchical identity-based encryption (HIBE) scheme (also in the standard model) that does not rely on bilinear pairings.
Interestingly, the abstract properties of bonsai trees seem to have no known realization in conventional number-theoretic cryptography.
The First and Fourth Public-Key Cryptosystems with Worst-Case/Average-Case Equivalence
 ELECTRONIC COLLOQUIUM ON COMPUTATIONAL COMPLEXITY, REPORT NO. 97 (2007)
2007
Cited by 6 (0 self)
We describe a public-key cryptosystem with worst-case/average-case equivalence. The cryptosystem has an amortized plaintext to ciphertext expansion of O(n), relies on the hardness of the Õ(n²)-unique shortest vector problem for lattices, and requires a public key of size at most O(n⁴) bits. The new cryptosystem generalizes a conceptually simple modification of the “Ajtai-Dwork” cryptosystem. We provide a unified treatment of the two cryptosystems.
Research Statement
Most cryptographic tasks must inherently rely on assumptions about the difficulty of some computational problem. Over the past three decades, number theory has served as the primary source of seemingly hard problems for cryptography; for instance, a prototypical conjecture is that it is infeasible to factor the product of two large, random prime numbers. Many such number-theoretic problems have a common underlying structure, so the resulting cryptographic schemes frequently have similar characteristics and limitations. Moreover, this shared structure means that unforeseen developments could render many schemes less secure or useful than had been believed. A major theme of my research is to develop new mathematical foundations for cryptography, with a special focus on objects called lattices. (A lattice is essentially a periodic “grid” of points in R^n.) Compared to conventional number theory, lattices offer a host of intriguing properties and potential advantages:
• Lattice-based schemes can be quite efficient, especially when exploiting parallelism. Their core operations usually involve just adding small integers, whereas number-theoretic schemes typically require exponentiating very large integers.
• Lattice problems have so far resisted attacks by subexponential-time and quantum algorithms. In contrast, most number-theoretic problems used in cryptography can be solved in much better than