Post on 06-Aug-2020
Lattice-Based Cryptography: Security Foundations and Constructions
Adeline Langlois
École Normale Supérieure de Lyon,
under the supervision of Damien Stehlé
PhD thesis defense – October 17, 2014
Adeline Langlois Lattice-Based Cryptography October 17, 2014 1/ 1
Lattice-based cryptography
Lattice → solve an algorithmic problem
[Figure: lattice points with basis vector b1; labels: Communication, Adversary, HARD]
Encryption scheme
• One party generates a pair of keys pk, sk, sends pk and keeps sk.
• The other party wants to send a message M: c = Enc(pk, M), and sends c.
• The key holder decrypts: M′ = Dec(sk, c).
Two requirements: Correctness and Security
• Correctness: M = M′ with high probability.
• Security: c0 = Enc(pk, M0) indistinguishable from c1 = Enc(pk, M1).
Signature scheme
• The signer wants to authenticate a message M: generates a pair of keys (pk, sk) and sends pk.
• σ = Sign(sk, M); the signer sends (M, σ).
• Anyone can verify: Verify(pk, σ, M) = 1?
Two requirements: Correctness and Security
• Correctness: Verify = 1 with high probability if σ is correct.
• Security: an adversary cannot forge a signature σ∗ for a new M∗.
Group signatures [Chaum, VanHeyst 91]
→ allow any member of a group to anonymously and accountably sign on behalf of this group.
• Group manager: (mpk, msk) + $sk_i$; KeyGen, Open
• Group members: ($sk_i$); Sign
• Anyone: Verify
Outline
Lattice-Based Cryptography
Security Foundations
• Z. Brakerski, A. Langlois, C. Peikert, O. Regev and D. Stehlé. Classical Hardness of Learning with Errors. In proc. of STOC 2013.
• A. Langlois and D. Stehlé. Worst-case to Average-case Reductions for Module Lattices. Accepted to Designs, Codes and Cryptography.
Group Signature Scheme
• F. Laguillaumie, A. Langlois, B. Libert and D. Stehlé. Lattice-based Group Signature with Logarithmic Signature Size. In proc. of Asiacrypt 2013.
• A. Langlois, S. Ling, K. Nguyen and H. Wang. Lattice-based Group Signature with Verifier Local Revocation. In proc. of PKC 2014.
Conclusion
Lattices
Lattice: $L(B) = \{\sum_{i=1}^{n} a_i b_i,\ a_i \in \mathbb{Z}\}$, where the $(b_i)_{1 \le i \le n}$'s, linearly independent vectors, are a basis of $L(B)$.
[Figure: lattice points with basis vectors b1 and b2]
Shortest Vector Problem (GapSVP)
Given a lattice L(B) of dimension n and d > 0, output:
• yes: there is z ∈ L(B) non-zero such that ‖z‖ < d,
• no: for all non-zero vectors z ∈ L(B): ‖z‖ ≥ d.
[Figure: lattice points around 0 with a ball of radius d]
Gap Shortest Vector Problem ($\mathrm{GapSVP}_\gamma$)
Given a lattice L(B) of dimension n and d > 0, output:
• yes: there is z ∈ L(B) non-zero such that ‖z‖ < d,
• no: for all non-zero vectors z ∈ L(B): ‖z‖ ≥ γd.
[Figure: lattice points around 0 with balls of radius d and γd]
Conjecture
There is no algorithm that approximates these lattice problems to within polynomial factors γ = poly(n) with time polynomial in n.
Lattice-based cryptography
From basic to very advanced primitives
• Public key encryption and Signature scheme (practical), [Regev 05, Gentry, Peikert and Vaikuntanathan 08, Lyubashevsky 12 ...];
• Identity/Attribute-based encryption, [GPV 08, Gorbunov, Vaikuntanathan and Wee 13 ...];
• Fully homomorphic encryption, [Gentry 09, Brakerski and Vaikuntanathan 11, ...].
Advantages
• (Asymptotically) efficient;
• Security proofs from the hardness of lattice problems;
• Likely to resist attacks from quantum computers.
$\mathrm{SIS}_\beta$ and $\mathrm{LWE}_\alpha$
Parameters: n dimension, m ≥ n, q modulus. For $A \leftarrow U(\mathbb{Z}_q^{m \times n})$:
Small Integer Solution [Ajtai 96]
• Goal: Given $A \leftarrow U(\mathbb{Z}_q^{m \times n})$, find $x$ s.t. $0 < \|x\| \le \beta$ and $x^T A = 0 \bmod q$.
Learning With Errors [Regev 05]
• $s \leftarrow U(\mathbb{Z}_q^n)$, $e$ a small error $\approx \alpha q$.
• Goal: Given $(A, As + e)$, find $s$.
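An added example, not from the original slides: a toy instance of the two problems above in Python. It shows that without the error e, finding s is plain Gaussian elimination mod q, while a small e makes the same system inconsistent, and it checks a candidate SIS solution. All values (q = 17, the matrix A, the secret s, the error e and the planted short vector x) are constructed for illustration.

```python
import math

# Constructed toy parameters (not from the slides): q prime, m = 4, n = 2.
Q = 17
A = [[2, 5], [7, 1], [3, 11], [8, 11]]  # row 4 = -(row 1 + row 2) mod q plants a short SIS solution
S = [3, 5]                              # secret s in Z_q^n
E = [1, -1, 0, 1]                       # small error e
X = [1, 1, 0, 1]                        # planted short x with x^T A = 0 mod q

def lwe_b(A, s, e, q):
    """b = A s + e mod q."""
    return [(sum(a * x for a, x in zip(row, s)) + ei) % q for row, ei in zip(A, e)]

def solve_mod_q(A, b, q):
    """Gauss-Jordan elimination over Z_q (q prime).
    Returns the unique s with A s = b mod q, or None if there is none."""
    m, n = len(A), len(A[0])
    M = [[a % q for a in row] + [bi % q] for row, bi in zip(A, b)]
    for col in range(n):
        piv = next((r for r in range(col, m) if M[r][col]), None)
        if piv is None:
            return None                 # rank deficient: s is not unique
        M[col], M[piv] = M[piv], M[col]
        inv = pow(M[col][col], -1, q)   # modular inverse of the pivot
        M[col] = [v * inv % q for v in M[col]]
        for r in range(m):
            if r != col and M[r][col]:
                f = M[r][col]
                M[r] = [(v - f * w) % q for v, w in zip(M[r], M[col])]
    if any(M[r][n] for r in range(n, m)):
        return None                     # a leftover equation reads 0 = c with c != 0
    return [M[r][n] for r in range(n)]

def is_sis_solution(x, A, q, beta):
    """True iff 0 < ||x|| <= beta and x^T A = 0 mod q."""
    norm = math.sqrt(sum(v * v for v in x))
    return 0 < norm <= beta and all(
        sum(v * a for v, a in zip(x, col)) % q == 0 for col in zip(*A))

if __name__ == "__main__":
    clean = lwe_b(A, S, [0] * len(A), Q)
    noisy = lwe_b(A, S, E, Q)
    print("no error  :", solve_mod_q(A, clean, Q))          # recovers s
    print("with error:", solve_mod_q(A, noisy, Q))          # inconsistent system
    print("n rows    :", solve_mod_q(A[:2], noisy[:2], Q))  # consistent, but not s
    print("SIS check :", is_sis_solution(X, A, Q, beta=2))
```

Keeping only n of the noisy equations always yields some candidate, but it differs from s; telling the right candidate apart is exactly what the error prevents.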
Learning With Errors
dimension n, modulo q
• $A \leftarrow$ Uniform in $\mathbb{Z}_q^{m \times n}$, m ≥ n
• $s \leftarrow$ Uniform in $\mathbb{Z}_q^n$
• e is a small error
Given $(A, As + e)$, find $s$
and/or SIS
[Figure: lattice points with basis vector b1] Lattice → solve GapSVP
1. Security Foundations
2. Constructions
• LWE-based Encryption
• SIS-based Signature
• LWE and SIS-based Group signature
Main result
A classical reduction from a worst-case lattice problem to the Learning With Errors problem with small modulus.
Annotations: classical = not quantum; worst-case lattice problem = GapSVP in dimension $\sqrt{n}$; Learning With Errors problem in dimension n; small modulus = polynomial in n.
• Z. Brakerski, A. Langlois, C. Peikert, O. Regev and D. Stehlé. Classical Hardness of Learning with Errors. In the proceedings of STOC 2013.
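The Learning With Errors problem [Regev 05]
$\mathrm{LWE}^n_q$ (with m arbitrarily large): Given $(A, As + e)$, find $s$.
• $A \leftarrow U(\mathbb{Z}_q^{m \times n})$,
• $s \leftarrow U(\mathbb{Z}_q^n)$,
• $e \sim D_{\mathbb{Z}^m, \alpha q}$ small with $\alpha = o(1)$.
[Figure: discrete Gaussian error of width αq]
Decision version: Distinguish from (A, b) with b uniform.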
Prior reductions from worst-case lattice problem to LWE
• [Regev 05]: a quantum reduction; with q polynomial. → Quantum computer?
• [Peikert 09]: a classical reduction; with q exponential. → Inefficient primitives
• [Peikert 09]: a classical reduction; with q polynomial; based on a non-standard lattice problem. → Hardness?
Our main result
• A classical reduction,
• from a standard worst-case lattice problem,
• with q polynomial.
Main component in the proof: a self reduction
• Recall that [Peikert09] already showed hardness of LWE with q exponential.
How do we obtain a hardness proof for p polynomial?
• All we have to do is show the following reduction:
A reduction from LWE with modulus q exponential to LWE with modulus p polynomial.
Modulus Switching
A reduction from LWE with modulus q to LWE with modulus p.
How to map $(A, As + e) \bmod q$ to $(A', A's + e') \bmod p$?
• Transform $A \hookleftarrow U(\mathbb{Z}_q^{m \times n})$ to $A' \hookleftarrow U(\mathbb{Z}_p^{m \times n})$;
First idea: $A' = \lfloor \frac{p}{q} A \rceil$?
• Two main difficulties:
1. The distribution is not uniform: a naive rounding introduces artefacts.
   Solution: add a Gaussian rounding to smooth the distribution: $A' = \frac{p}{q} A + R$.
2. In $A's + e'$, the rounding errors get multiplied by the secret s (which is too large: uniform in $\mathbb{Z}_q^n$).
From large to small secret
From LWE with arbitrary secret to LWE with binary secret.
• Inspired by ideas from cryptography (prior reduction by [Goldwasser, Kalai, Peikert and Vaikuntanathan 10]); but different and stronger techniques.
Given $(A, As + e)$, find $s$.
• From s uniform in $\mathbb{Z}_q^n$ to s uniform in $\{0, 1\}^n$.
• Consequence: it expands the dimension from n to n log q.
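An added example, not from the original slides, for the second difficulty of modulus switching and for the binary-secret step: it switches a toy LWE instance from modulus q to p and measures the new error e' = b' - A's mod p, once for a binary secret and once for a uniform one. It uses plain nearest-integer rounding, not the Gaussian rounding of the reduction, and the parameters (n = 16, m = 64, q = 2^20, p = 2^10, σ = 3000) and function names are assumptions chosen for illustration.

```python
import random

def centered(x, mod):
    """Representative of x mod `mod` in (-mod/2, mod/2]."""
    x %= mod
    return x - mod if x > mod // 2 else x

def lwe_samples(secret, m, q, sigma, rng):
    """Constructed toy instance: A uniform in Z_q^{m x n}, b = A s + e mod q."""
    n = len(secret)
    A = [[rng.randrange(q) for _ in range(n)] for _ in range(m)]
    e = [round(rng.gauss(0, sigma)) for _ in range(m)]
    b = [(sum(a * s for a, s in zip(row, secret)) + ei) % q
         for row, ei in zip(A, e)]
    return A, b, e

def scale(x, q, p):
    """Nearest integer to (p/q) * x, reduced mod p, in exact integer arithmetic."""
    return ((2 * p * x + q) // (2 * q)) % p

def switch_modulus(A, b, q, p):
    """Map (A, b) mod q to (A', b') mod p by rounding every entry."""
    return [[scale(a, q, p) for a in row] for row in A], [scale(x, q, p) for x in b]

def worst_new_error(A2, b2, secret, p):
    """max_i |e'_i| where e' = b' - A' s mod p, centered around 0."""
    return max(abs(centered(bi - sum(a * s for a, s in zip(row, secret)), p))
               for row, bi in zip(A2, b2))

def rounding_bound(e, secret, q, p):
    """e' = (p/q) e + r_b - R s with |r_b|, |R_ij| <= 1/2, hence
    |e'_i| <= (p/q) max|e| + (1 + ||s||_1) / 2 whenever this is below p/2."""
    return p * max(abs(x) for x in e) / q + (1 + sum(abs(s) for s in secret)) / 2

def run(secret, m=64, q=2**20, p=2**10, sigma=3000.0, seed=1):
    """Same seed for every secret, so A and e are identical across runs."""
    rng = random.Random(seed)
    A, b, e = lwe_samples(secret, m, q, sigma, rng)
    A2, b2 = switch_modulus(A, b, q, p)
    return worst_new_error(A2, b2, secret, p), rounding_bound(e, secret, q, p)

def demo(n=16, q=2**20, seed=7):
    rng = random.Random(seed)
    binary = [rng.randrange(2) for _ in range(n)]    # s uniform in {0,1}^n
    uniform = [rng.randrange(q) for _ in range(n)]   # s uniform in Z_q^n
    return {"binary": run(binary), "uniform": run(uniform)}

if __name__ == "__main__":
    for kind, (worst, bound) in demo().items():
        print(f"{kind:8s} secret: worst |e'| = {worst:4d}, rounding bound = {bound:.1f}")
```

With the binary secret the new error stays under the rounding bound, far below p/2; with the uniform secret the bound exceeds p/2, so the rounding term R·s wraps around mod p and the switched samples carry no usable signal.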
Summary of our new hardness proof of LWE
Our main result
A classical reduction from GapSVP in dimension $\sqrt{n}$ to LWE in dimension n with poly(n) modulus.
Reductions of the proof
Problem | Dimension | Modulus | Secret
GapSVP | $\sqrt{n}$ | |
  ↓0 [Peikert 09]
LWE | $\sqrt{n}$ | large | $\mathbb{Z}_q^{\sqrt{n}}$
  ↓1 New
LWE | n | large | small
  ↓2 New
LWE | n | poly(n) | in $\mathbb{Z}_q^n$
Other results
The hardness of $\mathrm{LWE}^n_q$ is a function of n log q.
Open problems
Is there a classical reduction as good as the one in [Regev 05]?
1. We lose a quadratic term in the dimension;
2. We do not have the same hard problem on lattices as Regev.
Main result
The first lattice-based group signature with logarithmic signature size, and security under the SIS and LWE assumptions in the Random Oracle Model.
Annotations: group with N members; signature size logarithmic in N; SIS and LWE = hard problems.
• F. Laguillaumie, A. Langlois, B. Libert and D. Stehlé. Lattice-based Group Signature with Logarithmic Signature Size. In the proc. of Asiacrypt 2013.
Group Signatures [Chaum, VanHeyst 91]
Group signatures allow any member of a group to anonymously and accountably sign on behalf of this group.
• Group manager: (mpk, msk) + $sk_i$; KeyGen, Open
• Group members: ($sk_i$); Sign
• Anyone: Verify
Security:
• Anonymity
• Traceability
Security: Anonymity and Traceability
Security requirements [BellareMicciancioWarinschi03]
• Anonymity
A given signature does not leak the identity of its originator. Two types: weak and full.
  Given: $sk_i$ for all users (weak and full); opening oracle (full only).
  Goal: distinguish between two users.
• Traceability
No collusion of malicious users can produce a valid signature that cannot be traced to one of them.
  Given: msk and $sk_i$ of users in the collusion.
  Goal: create a valid signature that traces to someone not in the collusion.
Prior works
• Introduced by [Chaum, VanHeyst 91],
• Generic construction [Bellare, Micciancio, Warinschi 03].
Type | Reference | Signature size
Realization based on bilinear maps | [Boyen, Boneh, Shacham 04] | constant number of elements of a large algebraic group
Lattice-based constructions | [Gordon, Katz, Vaikuntanathan 10], [Camenisch, Neven, Rückert 10] | linear in N (number of group members)
Lattice-based constructions | Our result | logarithmic in N
Our construction
Ingredients
• [Boyen 10]'s signature based on lattice trapdoors,
• Dual-Regev encryption [Gentry, Peikert, Vaikuntanathan 08],
• ZKPoK (proof of knowledge) adapted from [Lyubashevsky 12].
Trapdoor
• TrapGen: $(A, T_A)$ such that $T_A$ allows to find short x('s) with $x^T A = 0 \bmod q$.
With $T_A$, we can solve SIS.
Computing $T_A$ given A is hard; constructing A and $T_A$ is easy.
Signature using trapdoors
Given $A \leftarrow U(\mathbb{Z}_q^{m \times n})$, find $x$ s.t. $0 < \|x\| \le \beta$ and $x^T A = 0 \bmod q$.
• Hard to solve given A ⇔ solve SIS → pk = A
• Easy to solve given $T_A$ → sk = $T_A$
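Signature using trapdoors [Boyen 10]
• pk = $(A, (A_i)_{0 \le i \le \ell})$
• sk = $T_A$
Given $A \leftarrow U(\mathbb{Z}_q^{m \times n})$, find $x$ s.t. $0 < \|x\| \le \beta$ and $x^T A_M = 0 \bmod q$, where
$A_M = \begin{pmatrix} A \\ A_0 + \sum_i M[i] A_i \end{pmatrix}$ for $M \in \{0, 1\}^\ell$.
• Hard to solve given $A_M$ ⇔ solve SIS
• Easy to solve given $T_A$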
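Application to group signature
• pk = $(A, (A_i)_{0 \le i \le \ell}, (B_i)_{0 \le i \le \ell})$ s.t. $B_i^T \cdot A_i = 0 \bmod q$
• msk = $\{T_{B_i}\}_i$, trapdoors for the $B_i$'s
• $sk_{id} = T_{A_{id}}$
Given $A \leftarrow U(\mathbb{Z}_q^{m \times n})$, find $x$ s.t. $0 < \|x\| \le \beta$ and $x^T A_{id} = 0 \bmod q$, where
$A_{id} = \begin{pmatrix} A \\ A_0 + \sum_i id[i] A_i \end{pmatrix}$.
• Hard to solve given A ⇔ solve SIS
• Easy to solve given $T_A$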
Our construction
• Create a temporary membership certificate: Boyen's signature of id (using $T_{id}$).
• Encrypt this certificate: $\{c_i\}_{0 \le i \le \ell}$.
• Prove that the ciphertext encrypts a valid certificate belonging to a group member: π.
• Message?
$\Sigma = (\{c_i\}_{0 \le i \le \ell}, \pi)$
Our construction
• Produce $(x_1 \| x_2)^T$ short such that: $(x_1^T \| x_2^T) \cdot \begin{pmatrix} A \\ A_0 + \sum_i id[i] A_i \end{pmatrix} = 0 \bmod q$
• Encrypt $x_2$ and $id_i \cdot x_2$ in the $c_i$'s using LWE-based encryption with the $B_i$'s.
• Prove that the ciphertext encrypts a valid certificate belonging to a group member: π.
• ZKPoK made non-interactive via Fiat-Shamir (incorporating the message in π).
$\Sigma = (\{c_i\}_{0 \le i \le \ell}, \pi)$
Our construction
Verify:
• Check the proofs.
Open:
• Decrypt $c_0$ (→ $x_2$) and check whether $p^{-1} c_i$ or $p^{-1}(c_i - x_2)$ is close to the $\mathbb{Z}_q$-span of $B_i$.
• Size of the signatures: $O(\lambda \cdot \log(N))$.
• Size of the key of member i: $O(\lambda^2)$.
• $\lambda = \Theta(n)$ is the security parameter.
Anonymity and Traceability
In the random oracle model
Anonymity
Weak anonymity under LWE.
Traceability
Traceability under SIS.
• We also provide a variant with full-anonymity.
Open problems
• Making it practical,
• Improving the sizes of the signature and public key,
• Removing the Random Oracle Model.
Main contributions
• Classical hardness of LWE,
• Hardness of $\mathrm{LWE}^n_q$ is a function of n log q,
• First lattice-based group signature with logarithmic signature size (and a second scheme with verifier local revocation).
• A. Langlois, D. Stehlé, R. Steinfeld. GGHLite: More Efficient Multilinear Maps from Ideal Lattices. In proc. of Eurocrypt 2014.
Practical lattice-based cryptography
• Practical?
• Ring variants since 2006:
$A = \begin{pmatrix} \mathrm{Rot}(a_1) \\ \vdots \\ \mathrm{Rot}(a_m) \end{pmatrix}$
• Structured $A \in \mathbb{Z}_q^{m \cdot n \times n}$ represented by $m \cdot n$ elements,
• Product with a vector more efficient,
• Hardness of Ring-SIS, [Lyubashevsky and Micciancio 06] and [Peikert and Rosen 06]
• Hardness of Ring-LWE [Lyubashevsky, Peikert and Regev 11].
Open problems
• Security foundations
  • Hardness of LWE without quadratic loss,
  • Classical hardness of Ring-LWE.
• Constructions
  • Practical group signature scheme,
  • Removing the Random Oracle Model.
• Practical and secure cryptographic multilinear maps.
Thank You