## Public-key cryptosystems from the worst-case shortest vector problem (2008)

Citations: 92 (18 self)

### BibTeX

```bibtex
@MISC{Peikert08public-keycryptosystems,
  author = {Chris Peikert},
  title  = {Public-key cryptosystems from the worst-case shortest vector problem},
  year   = {2008}
}
```

### Abstract

We construct public-key cryptosystems that are secure assuming the worst-case hardness of approximating the length of a shortest nonzero vector in an n-dimensional lattice to within a small poly(n) factor. Prior cryptosystems with worst-case connections were based either on the shortest vector problem for a special class of lattices (Ajtai and Dwork, STOC 1997; Regev, J. ACM 2004), or on the conjectured hardness of lattice problems for quantum algorithms (Regev, STOC 2005). Our main technical innovation is a reduction from certain variants of the shortest vector problem to corresponding versions of the “learning with errors” (LWE) problem; previously, only a quantum reduction of this kind was known. In addition, we construct new cryptosystems based on the search version of LWE, including a very natural chosen ciphertext-secure system that has a much simpler description and tighter underlying worst-case approximation factor than prior constructions.

### Citations

1241 | Probabilistic encryption - Goldwasser, Micali - 1984 |

756 | Construction of Pseudorandom Generator from any One-Way Function - Impagliazzo, Yung - 1993 |

750 | Factoring polynomials with rational coefficients - Lenstra, Jr, et al. - 1982 |
Citation Context: ...ze of q. The degree of concentration is dictated by the tightness of the reduction’s main sampling algorithm, which in turn is governed by the “quality” of the input basis. Using an LLL-reduced basis [LLL82] (which may be computed in polynomial time), the value q = 2^n suffices. However, if the reduction is given a basis of better quality, then a smaller q may be used; this is where the new variant of Gap...

386 | A hard-core predicate for all one-way functions - Goldreich, Levin - 1989 |
Citation Context: ...ving search-LWE given m noisy inner products (note that x is easily computed once s is known, and vice versa). Moreover, if g_A is one-way, then there is a generic hard-core predicate h(s) for g_A(s, x) [GL89]. As shown in [GPV08], the function g_A has a trapdoor that enables efficient recovery of the input s from b, so long as the error distribution χ is sufficiently concentrated. Concretely, the trapdoor ...

360 | Non-interactive zero-knowledge proof of knowledge and chosen ciphertext attack - Rackoff, Simon - 1991 |

245 | On Lovász’ lattice reduction and the nearest lattice point problem - Babai - 1986 |
Citation Context: ... We remark that the inversion algorithm presented above works in parallel by rounding each entry of T^t · b′ independently. An iterative rounding scheme akin to the “nearest-plane” algorithm of Babai [Bab86] can also be used, and succeeds (with overwhelming probability) whenever α(n) ≤ 1/(L̃ · ω(√log n)), where L̃ = max_i ‖t̃_i‖ is the norm of the longest vector in the Gram-Schmidt orthogonalization of T. (T...

215 | On lattices, learning with errors, random linear codes, and cryptography - Regev - 2005 |
Citation Context: ...be as hard as problems on general lattices, due to the extra geometric structure. A different class of cryptosystems (and the only others known to enjoy worst-case hardness) stem from a work of Regev [Reg05], who defined a natural intermediate problem called learning with errors (LWE). The LWE problem is a generalization of the well-known “learning parity with noise” problem to larger moduli. It is param...

168 | Generating hard instances of lattice problems - Ajtai - 1996 |
Citation Context: ...gstuhl.de/opus/volltexte/2009/1892 1 Introduction The seminal work of Ajtai in 1996 revealed the intriguing possibility of basing cryptography on worst-case complexity assumptions related to lattices [Ajt04]. (An n-dimensional lattice is a discrete additive subgroup of R^n.) Since then, basic cryptographic primitives such as one-way functions and collision-resistant hash functions (along with other notion...

161 | A sieve algorithm for the shortest lattice vector problem - Ajtai, Kumar, et al. - 2001 |
Citation Context: ...m on “higher quality” representations of the input lattice; hence, it is no harder than standard GapSVP, yet it still appears to be exponentially hard given the state of the art in lattice algorithms [AKS01]. By the above-mentioned equivalence between search- and decision-LWE for prime q = poly(n), our result provides a classical (but incomparable) foundation for the hardness of decision-LWE and the many...

131 | Public-key cryptosystems from lattice reduction problems - Goldreich, Goldwasser, et al. - 1997 |
Citation Context: ...o-one) trapdoor functions. This collection appeared in a recent work of Gentry, Peikert, and Vaikuntanathan [GPV08], and is closely related to an earlier proposal by Goldreich, Goldwasser, and Halevi [GGH97]. In this work, we prove that the collection is one-way under classical worst-case assumptions, and we establish additional properties that are useful in constructing cryptosystems. The description of...

121 | Non-malleable cryptography - Dolev, Dwork, Naor - 2000 |

114 | Trapdoors for hard lattices and new cryptographic constructions - Gentry, Peikert, et al. |

92 | Lossy trapdoor functions and their applications - Peikert, Waters - 2008 |
Citation Context: ...larger q). The LWE problem is amazingly versatile. In addition to its first application in a public-key cryptosystem [Reg05], it has provided the foundation for chosen ciphertext-secure cryptosystems [PW08], identity-based encryption [GPV08], and universally composable oblivious transfer [PVW08], as well as for strong hardness of learning results relating to halfspaces [KS06]. We emphasize that all of th...

88 | Cryptographic primitives based on hard learning problems - Blum, Furst, et al. - 1994 |

85 | On the limits of nonapproximability of lattice problems - Goldreich, Goldwasser |
Citation Context: ...ve the hardness of search-LWE, we need the following lemma about the statistical distance between the uniform distributions over two n-dimensional balls whose centers are relatively close. Lemma 2.1 ([GG00]). For any constants c, d > 0 and any z ∈ R^n with ‖z‖ ≤ d and d′ = d · √n/(c log n), we have ∆(U(d′ · B_n), U(z + d′ · B_n)) ≤ 1 − 1/poly(n). 2.1 Learning with Errors Let T = R/Z be the additive group on ...

82 | Efficient and composable oblivious transfer - Peikert, Vaikuntanathan, et al. |
Citation Context: ...in a public-key cryptosystem [Reg05], it has provided the foundation for chosen ciphertext-secure cryptosystems [PW08], identity-based encryption [GPV08], and universally composable oblivious transfer [PVW08], as well as for strong hardness of learning results relating to halfspaces [KS06]. We emphasize that all of the above cryptographic applications are based on the decision version of LWE, for prime q ...

82 | Simultaneous hardcore bits and cryptography against memory attacks - Akavia, Goldwasser, et al. - 2009 |

75 | A personal view of average-case complexity - Impagliazzo - 1995 |
Citation Context: ... lattice is a discrete additive subgroup of R^n.) Since then, basic cryptographic primitives such as one-way functions and collision-resistant hash functions (along with other notions from “Minicrypt” [Imp95]) have been based on the conjectured hardness of important and well-studied lattice problems. Perhaps the most well-known of these, the shortest vector problem GapSVP, is to approximate the length (ty...

63 | Trapdoors for hard lattices and new cryptographic constructions - Gentry, Peikert, Vaikuntanathan - 2008 |
Citation Context: ...zingly versatile. In addition to its first application in a public-key cryptosystem [Reg05], it has provided the foundation for chosen ciphertext-secure cryptosystems [PW08], identity-based encryption [GPV08], and universally composable oblivious transfer [PVW08], as well as for strong hardness of learning results relating to halfspaces [KS06]. We emphasize that all of the above cryptographic applications...

60 | Predicting lattice reduction - Gama, Nguyen - 2008 |

45 | Generating hard instances of the short basis problem - Ajtai - 1999 |
Citation Context: ...ting a (nearly) uniform matrix A ∈ Z_q^{n×m} that serves as the index of the public function g_A, together with a trapdoor T made up of vectors whose lengths are bounded by some relatively small L. Ajtai [Ajt99] gave the first such generation algorithm for odd q, which yielded a bound L = m^2.5; recently, Alwen and Peikert [AP08] improved the algorithm to yield a tighter bound L ≈ m for arbitrary q (recall th...

45 | New lattice-based cryptographic constructions - Regev |
Citation Context: ...ome additive domain: one is the uniform distribution, while the other type consists of “lumpy” distributions that are periodic and concentrated around multiples of the period. As a simple example, in [Reg04b] the domain is the real interval [0, 1) with addition modulo 1, and lumpy distributions are concentrated around integer multiples of 1/h for some large integer h. The cryptosystems are constructed rou...

44 | Statistical zero-knowledge proofs with efficient provers: lattice problems and more - Micciancio, Vadhan |

43 | Generating shorter bases for hard random lattices - Alwen, Peikert - 2008 |
Citation Context: ...made up of vectors whose lengths are bounded by some relatively small L. Ajtai [Ajt99] gave the first such generation algorithm for odd q, which yielded a bound L = m^2.5; recently, Alwen and Peikert [AP08] improved the algorithm to yield a tighter bound L ≈ m for arbitrary q (recall that we use an even q in Theorem 3.3 and Lemma 3.6 for our particular choice of hard-core functions). As described in mo...

36 | Factoring polynomials with rational coefficients - Lenstra, Lenstra, Lovász - 1982 |

35 | Chosen-ciphertext security via correlated products. Cryptology ePrint Archive, Report 2008/116 - Rosen, Segev - 2008 |
Citation Context: ... in n when q is large (e.g., q = 2^n). To construct cryptosystems that are secure under chosen-ciphertext attacks, we rely on a recent approach of [PW08] and additional perspectives of Rosen and Segev [RS08]. The key observation is that k independently chosen functions g_{A_1}, g_{A_2}, ..., g_{A_k} remain one-way even when evaluated on the same input s (but independent error vectors x_1, ..., x_k), assuming th...

34 | Fast cryptographic primitives and circular-secure encryption based on hard learning problems - Applebaum, Cash, Peikert, Sahai - 2009 |

32 | Cryptographic hardness for learning intersections of halfspaces - Klivans, Sherstov - 2006 |
Citation Context: ...hertext-secure cryptosystems [PW08], identity-based encryption [GPV08], and universally composable oblivious transfer [PVW08], as well as for strong hardness of learning results relating to halfspaces [KS06]. We emphasize that all of the above cryptographic applications are based on the decision version of LWE, for prime q = poly(n). The main result of [Reg05] is a remarkable connection between lattices ...

23 | Worst-case to average-case reductions based on Gaussian measures - Micciancio, Regev - 2007 |
Citation Context: ... outputs “small.” When the minimum distance of Λ is large, the a_i are distributed essentially uniformly over Z_q^n; this follows by a bound on the smoothing parameter of Λ* due to Micciancio and Regev [MR07]. Therefore, the input provided to the oracle is faithful to the LWE distribution, the oracle solves for s by hypothesis, and the reduction outputs “large” as desired. The case of small minimum distan...

20 | Limits on the hardness of lattice problems in ℓp norms - Peikert - 2007 |

19 | On bounded distance decoding, unique shortest vectors, and the minimum distance problem - Lyubashevsky, Micciancio - 2009 |

19 | A relation of primal-dual lattices and the complexity of shortest lattice vector problem - Cai - 1998 |

17 | Multi-bit cryptosystems based on lattice problems - Kawachi, Tanaka, et al. |

12 | Bonsai trees (or, arboriculture in lattice-based cryptography). Cryptology ePrint Archive, Report 2009/359 - Peikert - 2009 |

8 | Generating Hard Instances of Lattice Problems. Quaderni di Matematica, Publ. Seconda Universita di - Ajtai - 2005 |

8 | Generic transformation to strongly unforgeable signatures - Huang, Wong, Zhao - 2007 |

7 | How to delegate a lattice basis. Cryptology ePrint Archive, Report 2009/351 - Cash, Hofheinz, et al. - 2009 |

6 | Lecture notes on lattices in computer science, 2004. Available at http://www.cs.tau.ac.il/~odedr/teaching/lattices_fall_2004/index.html, last accessed 28 - Regev - 2008 |

5 | The first and fourth public-key cryptosystems with worst-case/average-case equivalence - Ajtai, Dwork |
Citation Context: ...letting q = 2^{O(n)}), the public key size and ciphertext expansion factor are therefore O(n^4) and O(n), respectively; these quantities match the (amortized) Ajtai-Dwork cryptosystem based on unique-SVP [AD07]. Assuming hardness of the new GapSVP variant (and letting q = poly(n)), the public key size and ciphertext expansion can be as small as O(n^2) and O(log n), respectively; these match the most efficien...

4 | Limits on the hardness of lattice problems in ℓp norms - Peikert - 2008 |
Citation Context: ...hat GapSVP_{ζ,γ} is potentially hard in the worst case whenever ζ > γ, so Theorem 3.1 allows for a choice of q as small as q > (γ/√n) · ω(√log n) = ω(√n/α). We also mention that using results from [Pei08], Theorem 3.1 can easily be generalized to work for GapSVP_{ζ,γ} in any ℓ_p norm, 2 ≤ p ≤ ∞, for essentially the same approximation factor γ. Our proof of Theorem 3.1 relies on the core classical component...

2 | On the limits of nonapproximability of lattice problems - Goldreich, Goldwasser - 1998 |

2 | Efficient circular-secure encryption from hard learning problems - Cash, Peikert, et al. - 2009 |

2 | Foundations of Cryptography, volume II. Cambridge University Press, 2004 - Goldreich |

1 | Correlation-secure trapdoor functions from lattices - Goldwasser, Vaikuntanathan - 2008 |
Citation Context: ... function h_ℓ(s) remains hard-core given all these values, if it was hard-core for LWE in the first place. (We remark that these facts were also observed independently by Goldwasser and Vaikuntanathan [GV08], who construct similar chosen ciphertext-secure cryptosystems.) Essentially, the properties described above constitute security under “correlated inputs,” as defined in [RS08]. There is a simple (an...