Trapdoors for Lattices: Simpler, Tighter, Faster, Smaller

We give new methods for generating and using "strong trapdoors" in cryptographic lattices, which are simultaneously simple, efficient, easy to implement (even in parallel), and asymptotically optimal with very small hidden constants. Our methods involve a new kind of trapdoor, and include specialized algorithms for inverting LWE, randomly sampling SIS preimages, and securely delegating trapdoors. These tasks were previously the main bottleneck for a wide range of cryptographic schemes, and our techniques substantially improve upon the prior ones, both in terms of practical performance and quality of the produced outputs. Moreover, the simple structure of the new trapdoor and associated algorithms can be exposed in applications, leading to further simplifications and efficiency improvements. We exemplify the applicability of our methods with new digital signature schemes and CCA-secure encryption schemes, which have better efficiency and security than the previously known lattice-based constructions.
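The abstract names the trapdoor tasks (inverting LWE, sampling SIS preimages, delegating trapdoors) but not the construction behind them. The block below is an added example written for this page, not code from the paper or its authors: it implements a gadget-style trapdoor of the kind this paper introduces and uses it to invert LWE. Every parameter (q = 2^10, n = 3, a 6-column uniform part, trapdoor entries in {-1, 0, 1}) is a toy value chosen only to make the algebra visible, and all function names are mine. SIS preimage sampling and delegation are not shown.

```python
"""Toy gadget-style trapdoor for inverting LWE (added example, not the paper's code).

Construction assumed here (parameters are tiny and insecure on purpose):
  g = (1, 2, 4, ..., 2^(k-1)),  G = I_n (x) g^T                  (n x nk)
  A = [ A_bar | G - A_bar * R ] mod q,  R short with entries in {-1,0,1}
  A * [R ; I] = G, so the trapdoor R maps an LWE sample under A to one
  under G, and G-samples are decodable one bit at a time.
"""
import random

Q_BITS = 10          # q = 2^10; a power of two keeps the gadget purely binary
Q = 1 << Q_BITS
N = 3                # LWE secret dimension
M_BAR = 6            # columns of the uniform part A_bar
K = Q_BITS           # length of the gadget vector g
M = M_BAR + N * K    # total number of columns of A


def mat_vec(mat, vec, q=Q):
    """Matrix-vector product mod q; mat is a list of rows."""
    return [sum(r * v for r, v in zip(row, vec)) % q for row in mat]


def transpose(mat):
    return [list(col) for col in zip(*mat)]


def keygen(rng):
    """Return (A, R): the public matrix A and its trapdoor R."""
    a_bar = [[rng.randrange(Q) for _ in range(M_BAR)] for _ in range(N)]
    # Trapdoor: a short M_BAR x N*K matrix with entries in {-1, 0, 1}
    r = [[rng.choice((-1, 0, 1)) for _ in range(N * K)] for _ in range(M_BAR)]
    # Gadget G = I_N (x) g^T: row i carries g in block i and zeros elsewhere
    big_g = [[(1 << (c % K)) if c // K == i else 0 for c in range(N * K)]
             for i in range(N)]
    a_bar_r = [[sum(a_bar[i][t] * r[t][c] for t in range(M_BAR)) % Q
                for c in range(N * K)] for i in range(N)]
    a = [a_bar[i] + [(big_g[i][c] - a_bar_r[i][c]) % Q for c in range(N * K)]
         for i in range(N)]
    return a, r


def lwe_sample(a, s, e):
    """b = A^T s + e mod q: the LWE function the trapdoor inverts."""
    return [(v + err) % Q for v, err in zip(mat_vec(transpose(a), s), e)]


def centered(x):
    """Representative of x mod q in (-q/2, q/2]."""
    x %= Q
    return x - Q if x > Q // 2 else x


def gadget_invert(v):
    """Recover s from v = g*s + e mod q with |e| < q/4, one bit at a time."""
    s = 0
    for j in range(K):
        # v[K-1-j] = 2^(K-1-j)*s + e; subtract the already-known low j bits of s,
        # leaving 2^(K-1)*bit_j + e mod q, which sits near 0 or near q/2
        known = (1 << (K - 1 - j)) * (s & ((1 << j) - 1))
        t = centered(v[K - 1 - j] - known)
        bit = 1 if abs(t) > Q // 4 else 0
        s |= bit << j
    return s


def invert_lwe(a, r, b):
    """Use trapdoor R to recover s from b = A^T s + e."""
    # [R ; I]^T b = G^T s + (R^T e1 + e2); the error stays small because R is short
    b1, b2 = b[:M_BAR], b[M_BAR:]
    rt = transpose(r)
    v = [(sum(rt[c][t] * b1[t] for t in range(M_BAR)) + b2[c]) % Q
         for c in range(N * K)]
    # Block i of v is g * s_i + e', so each block decodes to one coordinate of s
    return [gadget_invert(v[i * K:(i + 1) * K]) for i in range(N)]


def demo(seed=1):
    """Constructed run: keygen, one LWE sample, inversion with the real and a bogus trapdoor."""
    rng = random.Random(seed)
    a, r = keygen(rng)
    s = [rng.randrange(Q) for _ in range(N)]
    e = [rng.choice((-1, 0, 1)) for _ in range(M)]   # |R^T e1 + e2| <= M_BAR + 1 < q/4
    b = lwe_sample(a, s, e)
    recovered = invert_lwe(a, r, b)
    # A short matrix that is not the trapdoor does not satisfy A*[R';I] = G,
    # so the same procedure yields garbage: the secret R is what does the work.
    bogus = [[rng.choice((-1, 0, 1)) for _ in range(N * K)] for _ in range(M_BAR)]
    wrong = invert_lwe(a, bogus, b)
    return s, recovered, wrong


if __name__ == "__main__":
    s, rec, wrong = demo()
    print("secret   ", s)
    print("recovered", rec)
    print("bogus key", wrong)
```

The decoder's correctness condition is the one a practitioner must keep in view: inversion succeeds whenever every entry of R^T e1 + e2 stays below q/4 in absolute value, which is why the trapdoor R must be short and why the noise rate of the LWE instance bounds what the trapdoor can invert.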
