The Geometry of Lattice Cryptography

Lattice cryptography is one of the hottest and fastest moving areas in mathematical cryptography today. Interest in lattice cryptography is due to several concurring factors. On the theoretical side, lattice cryptography is supported by strong worst-case/average-case security guarantees. On the practical side, lattice cryptography has been shown to be very versatile, leading to an unprecedented variety of applications, from simple (and efficient) hash functions, to complex and powerful public key cryptographic primitives, culminating with the celebrated recent development of fully homomorphic encryption. Still, one important feature of lattice cryptography is simplicity: most cryptographic operations can be implemented using basic arithmetic on small numbers, and many cryptographic constructions hide an intuitive and appealing geometric interpretation in terms of point lattices. So, unlike other areas of mathematical cryptology even a novice can acquire, with modest effort, a good understanding of not only the potential applications, but also the underlying mathematics of lattice cryptography. In these notes, we give an introduction to the mathematical theory of lattices, describe the main tools and techniques used in lattice cryptography, and present an overview of the wide range of cryptographic applications. This material should be accessible to anybody with a minimal background in linear algebra and some familiarity with the computational framework of modern cryptography, but no prior knowledge about point lattices.

[1]  Pierre-Louis Cayrel,et al.  A Lattice-Based Threshold Ring Signature Scheme , 2010, LATINCRYPT.

[2]  Oded Regev,et al.  On lattices, learning with errors, random linear codes, and cryptography , 2009, JACM.

[3]  Gerhard Goos,et al.  Fast Software Encryption , 2001, Lecture Notes in Computer Science.

[4]  Richard Lindner,et al.  Improved Zero-Knowledge Identification with Lattices , 2012 .

[5]  Oded Regev,et al.  Lattice-Based Cryptography , 2006, CRYPTO.

[6]  Jonathan Katz,et al.  Smooth Projective Hashing and Password-Based Authenticated Key Exchange from Lattices , 2009, ASIACRYPT.

[7]  Keisuke Tanaka,et al.  Concurrently Secure Identification Schemes and Ad Hoc Anonymous Identification Schemes Based on the Worst-Case Hardness of Lattice Problems , 2007 .

[8]  Vinod Vaikuntanathan,et al.  Noninteractive Statistical Zero-Knowledge Proofs for Lattice Problems , 2008, CRYPTO.

[9]  Vadim Lyubashevsky,et al.  Fiat-Shamir with Aborts: Applications to Lattice and Factoring-Based Signatures , 2009, ASIACRYPT.

[10]  Craig Gentry,et al.  Implementing Gentry's Fully-Homomorphic Encryption Scheme , 2011, EUROCRYPT.

[11]  Keisuke Tanaka,et al.  Concurrently Secure Identification Schemes Based on the Worst-Case Hardness of Lattice Problems , 2008, ASIACRYPT.

[12]  Javier Herranz,et al.  Additively Homomorphic Encryption with d-Operand Multiplications , 2010, IACR Cryptol. ePrint Arch..

[13]  Brent Waters,et al.  Lossy Trapdoor Functions and Their Applications , 2011, SIAM J. Comput..

[14]  Dan Boneh,et al.  Lattice Basis Delegation in Fixed Dimension and Shorter-Ciphertext Hierarchical IBE , 2010, CRYPTO.

[15]  Daniele Micciancio The Shortest Vector in a Lattice is Hard to Approximate to within Some Constant , 2000, SIAM J. Comput..

[16]  David Cash,et al.  Bonsai Trees, or How to Delegate a Lattice Basis , 2010, Journal of Cryptology.

[17]  Cynthia Dwork,et al.  A public-key cryptosystem with worst-case/average-case equivalence , 1997, STOC '97.

[18]  Markus Rückert Adaptively Secure Identity-Based Identification from Lattices without Random Oracles , 2010, SCN.

[19]  Aggelos Kiayias,et al.  Topics in Cryptology - CT-RSA 2011 - The Cryptographers' Track at the RSA Conference 2011, San Francisco, CA, USA, February 14-18, 2011. Proceedings , 2011, CT-RSA.

[20]  Brent Waters,et al.  Bi-Deniable Public-Key Encryption , 2011, CRYPTO.

[21]  Chris Peikert,et al.  SWIFFT: A Modest Proposal for FFT Hashing , 2008, FSE.

[22]  Shafi Goldwasser,et al.  Complexity of lattice problems - a cryptographic perspective , 2002, The Kluwer international series in engineering and computer science.

[23]  Joseph H. Silverman,et al.  Cryptography and Lattices , 2001, Lecture Notes in Computer Science.

[24]  Craig Gentry,et al.  Fully homomorphic encryption using ideal lattices , 2009, STOC '09.

[25]  Craig Gentry,et al.  A Simple BGN-Type Cryptosystem from LWE , 2010, EUROCRYPT.

[26]  W. Banaszczyk New bounds in some transference theorems in the geometry of numbers , 1993 .

[27]  Vinod Vaikuntanathan,et al.  Fully Homomorphic Encryption from Ring-LWE and Security for Key Dependent Messages , 2011, CRYPTO.

[28]  Rosario Gennaro,et al.  Public Key Cryptography - PKC 2011 - 14th International Conference on Practice and Theory in Public Key Cryptography, Taormina, Italy, March 6-9, 2011. Proceedings , 2011, Public Key Cryptography.

[29]  Sorin C. Popescu,et al.  Lidar Remote Sensing , 2011 .

[30]  Jeffrey Shallit,et al.  Algorithmic Number Theory , 1996, Lecture Notes in Computer Science.

[31]  Ronald Cramer,et al.  Public Key Cryptography - PKC 2008, 11th International Workshop on Practice and Theory in Public-Key Cryptography, Barcelona, Spain, March 9-12, 2008. Proceedings , 2008, Public Key Cryptography.

[32]  Chris Peikert,et al.  Lattices that admit logarithmic worst-case to average-case connection factors , 2007, STOC '07.

[33]  David Cash,et al.  Fast Cryptographic Primitives and Circular-Secure Encryption Based on Hard Learning Problems , 2009, CRYPTO.

[34]  Keisuke Tanaka,et al.  Multi-bit Cryptosystems Based on Lattice Problems , 2007, Public Key Cryptography.

[35]  Vadim Lyubashevsky,et al.  A Note on the Distribution of the Distance from a Lattice , 2009, Discret. Comput. Geom..

[36]  Daniele Micciancio,et al.  On Bounded Distance Decoding for General Lattices , 2006, APPROX-RANDOM.

[37]  Miklós Ajtai,et al.  Generating Hard Instances of Lattice Problems , 1996, Electron. Colloquium Comput. Complex..

[38]  Daniele Micciancio,et al.  On Bounded Distance Decoding, Unique Shortest Vectors, and the Minimum Distance Problem , 2009, CRYPTO.

[39]  Tal Rabin Advances in Cryptology - CRYPTO 2010, 30th Annual Cryptology Conference, Santa Barbara, CA, USA, August 15-19, 2010. Proceedings , 2010, CRYPTO.

[40]  Daniele Micciancio,et al.  Generalized Compact Knapsacks Are Collision Resistant , 2006, ICALP.

[41]  Ron Steinfeld,et al.  Faster Fully Homomorphic Encryption , 2010, ASIACRYPT.

[42]  Markus Rückert,et al.  Lattice-based Blind Signatures , 2010, Algorithms and Number Theory.

[43]  Dan Boneh,et al.  Efficient Lattice (H)IBE in the Standard Model , 2010, EUROCRYPT.

[44]  Daniele Micciancio Almost Perfect Lattices, the Covering Radius Problem, and Applications to Ajtai's Connection Factor , 2003, SIAM J. Comput..

[45]  Craig Gentry,et al.  Toward Basing Fully Homomorphic Encryption on Worst-Case Hardness , 2010, CRYPTO.

[46]  Markus Rückert,et al.  Strongly Unforgeable Signatures and Hierarchical Identity-Based Signatures from Lattices without Random Oracles , 2010, PQCrypto.

[47]  Oded Regev,et al.  The Learning with Errors Problem (Invited Survey) , 2010, 2010 IEEE 25th Annual Conference on Computational Complexity.

[48]  Craig Gentry,et al.  Fully Homomorphic Encryption without Squashing Using Depth-3 Arithmetic Circuits , 2011, 2011 IEEE 52nd Annual Symposium on Foundations of Computer Science.

[49]  Xavier Boyen,et al.  Lattice Mixing and Vanishing Trapdoors A Framework for Fully Secure Short Signatures and more , 2010 .

[50]  Chris Peikert,et al.  Trapdoors for Lattices: Simpler, Tighter, Faster, Smaller , 2012, IACR Cryptol. ePrint Arch..

[51]  Subhash Khot,et al.  Hardness of approximating the shortest vector problem in lattices , 2004, 45th Annual IEEE Symposium on Foundations of Computer Science.

[52]  Oded Regev,et al.  Tensor-based hardness of the shortest vector problem to within almost polynomial factors , 2007, STOC '07.

[53]  Chris Peikert,et al.  Public-key cryptosystems from the worst-case shortest vector problem: extended abstract , 2009, STOC '09.

[54]  Frederik Vercauteren,et al.  Fully Homomorphic Encryption with Relatively Small Key and Ciphertext Sizes , 2010, Public Key Cryptography.

[55]  Miklós Ajtai,et al.  Generating Hard Instances of the Short Basis Problem , 1999, ICALP.

[56]  Craig Gentry,et al.  Trapdoors for hard lattices and new cryptographic constructions , 2008, IACR Cryptol. ePrint Arch..

[57]  Ron Steinfeld,et al.  Efficient Public Key Encryption Based on Ideal Lattices , 2009, ASIACRYPT.

[58]  Miklós Ajtai,et al.  The shortest vector problem in L2 is NP-hard for randomized reductions (extended abstract) , 1998, STOC '98.

[59]  Chris Peikert,et al.  Generating Shorter Bases for Hard Random Lattices , 2009, Theory of Computing Systems.

[60]  Daniele Micciancio,et al.  Generalized Compact Knapsacks, Cyclic Lattices, and Efficient One-Way Functions , 2002, The 43rd Annual IEEE Symposium on Foundations of Computer Science, 2002. Proceedings..

[61]  Jonathan Katz,et al.  A Group Signature Scheme from Lattice Assumptions , 2010, IACR Cryptol. ePrint Arch..

[62]  Daniele Micciancio,et al.  Pseudorandom Knapsacks and the Sample Complexity of LWE Search-to-Decision Reductions , 2011, CRYPTO.

[63]  Dan Boneh,et al.  Homomorphic Signatures for Polynomial Functions , 2011, EUROCRYPT.

[64]  Brent Waters,et al.  A Framework for Efficient and Composable Oblivious Transfer , 2008, CRYPTO.

[65]  Craig Gentry,et al.  Fully Homomorphic Encryption over the Integers , 2010, EUROCRYPT.

[66]  Josef Pieprzyk,et al.  Advances in Cryptology - ASIACRYPT 2008, 14th International Conference on the Theory and Application of Cryptology and Information Security, Melbourne, Australia, December 7-11, 2008. Proceedings , 2008, ASIACRYPT.

[67]  Shai Halevi Advances in Cryptology - CRYPTO 2009, 29th Annual International Cryptology Conference, Santa Barbara, CA, USA, August 16-20, 2009. Proceedings , 2009, CRYPTO.

[68]  Jin-Yi Cai,et al.  Approximating the Svp to within a Factor ? , 2007 .

[69]  Chris Peikert,et al.  On Ideal Lattices and Learning with Errors over Rings , 2010, JACM.

[70]  Keisuke Tanaka,et al.  Zero-Knowledge Protocols for NTRU: Application to Identification and Proof of Plaintext Knowledge , 2009, ProvSec.

[71]  Ivan Damgård,et al.  Threshold Decryption and Zero-Knowledge Proofs for Lattice-Based Cryptosystems , 2010, TCC.

[72]  Jean-Pierre Seifert,et al.  On the complexity of computing short linearly independent vectors and short bases in a lattice , 1999, STOC '99.

[73]  Aggelos Kiayias,et al.  Multi-query Computationally-Private Information Retrieval with Constant Communication Rate , 2010, Public Key Cryptography.

[74]  Daniele Micciancio,et al.  Worst-case to average-case reductions based on Gaussian measures , 2004, 45th Annual IEEE Symposium on Foundations of Computer Science.

[75]  Irit Dinur,et al.  Approximating SVPinfinity to within almost-polynomial factors is NP-hard , 1998, Theor. Comput. Sci..

[76]  Benny Pinkas,et al.  Secure Two-Party Computation is Practical , 2009, IACR Cryptol. ePrint Arch..

[77]  Tatsuaki Okamoto,et al.  Public Key Cryptography - PKC 2007, 10th International Conference on Practice and Theory in Public-Key Cryptography, Beijing, China, April 16-20, 2007, Proceedings , 2007, Public Key Cryptography.

[78]  Henri Gilbert,et al.  Advances in Cryptology - EUROCRYPT 2010, 29th Annual International Conference on the Theory and Applications of Cryptographic Techniques, Monaco / French Riviera, May 30 - June 3, 2010. Proceedings , 2010, EUROCRYPT.

[79]  Oded Regev Learning with Errors over Rings , 2010, ANTS.

[80]  Jean-Sébastien Coron,et al.  Fully Homomorphic Encryption over the Integers with Shorter Public Keys , 2011, IACR Cryptol. ePrint Arch..

[81]  Yuval Ishai,et al.  Bounded Key-Dependent Message Security , 2010, IACR Cryptol. ePrint Arch..

[82]  Jacques Stern,et al.  The hardness of approximate optima in lattices, codes, and systems of linear equations , 1993, Proceedings of 1993 IEEE 34th Annual Foundations of Computer Science.

[83]  Daniele Micciancio,et al.  Improving Lattice Based Cryptosystems Using the Hermite Normal Form , 2001, CaLC.

[84]  Markus Kasper,et al.  The World is Not Enough: Another Look on Second-Order DPA , 2010, IACR Cryptol. ePrint Arch..

[85]  Venkatesan Guruswami,et al.  The complexity of the covering radius problem , 2004, Proceedings. 19th IEEE Annual Conference on Computational Complexity, 2004..

[86]  Subhash Khot,et al.  Hardness of approximating the shortest vector problem in high L/sub p/ norms , 2003, 44th Annual IEEE Symposium on Foundations of Computer Science, 2003. Proceedings..

[87]  Chris Peikert,et al.  Efficient Collision-Resistant Hashing from Worst-Case Assumptions on Cyclic Lattices , 2006, TCC.

[88]  Masakatsu Nishigaki,et al.  Advances in Information and Computer Security - 6th International Workshop, IWSEC 2011, Tokyo, Japan, November 8-10, 2011. Proceedings , 2011, IWSEC.

[89]  Robin Milner,et al.  On Observing Nondeterminism and Concurrency , 1980, ICALP.

[90]  Gil Segev,et al.  Public-Key Cryptographic Primitives Provably as Secure as Subset Sum , 2010, TCC.

[91]  Kenneth G. Paterson Advances in Cryptology - EUROCRYPT 2011 - 30th Annual International Conference on the Theory and Applications of Cryptographic Techniques, Tallinn, Estonia, May 15-19, 2011. Proceedings , 2011, EUROCRYPT.

[92]  Vadim Lyubashevsky,et al.  Lattice-Based Identification Schemes Secure Under Active Attacks , 2008, Public Key Cryptography.

[93]  Daniele Micciancio,et al.  Cryptographic Functions from Worst-Case Complexity Assumptions , 2010, The LLL Algorithm.

[94]  Daniele Micciancio Generalized Compact Knapsacks, Cyclic Lattices, and Efficient One-Way Functions , 2007, computational complexity.

[95]  Shafi Goldwasser,et al.  Complexity of lattice problems , 2002 .

[96]  Tetsutaro Kobayashi,et al.  An Improvement of Key Generation Algorithm for Gentry's Homomorphic Encryption Scheme , 2010, IWSEC.

[97]  Subhash Khot Hardness of approximating the Shortest Vector Problem in high lp norms , 2006, J. Comput. Syst. Sci..

[98]  Craig Gentry,et al.  Fully Homomorphic Encryption without Bootstrapping , 2011, IACR Cryptol. ePrint Arch..

[99]  Ivan Damgård,et al.  Semi-Homomorphic Encryption and Multiparty Computation , 2011, IACR Cryptol. ePrint Arch..

[100]  Martijn Stam Beyond Uniformity: Better Security/Efficiency Tradeoffs for Compression Functions , 2008, CRYPTO.

[101]  Dan Boneh,et al.  Linearly Homomorphic Signatures over Binary Fields and New Tools for Lattice-Based Signatures , 2011, Public Key Cryptography.

[102]  Chris Peikert,et al.  Better Key Sizes (and Attacks) for LWE-Based Encryption , 2011, CT-RSA.

[103]  Paulo S. L. M. Barreto,et al.  Progress in Cryptology - LATINCRYPT 2010, First International Conference on Cryptology and Information Security in Latin America, Puebla, Mexico, August 8-11, 2010, Proceedings , 2010, LATINCRYPT.

[104]  Jin-Yi Cai,et al.  An improved worst-case to average-case connection for lattice problems , 1997, Proceedings 38th Annual Symposium on Foundations of Computer Science.