Improving Lattice Based Cryptosystems Using the Hermite Normal Form
We describe a simple technique, based on the Hermite Normal Form of the lattice basis, that can be used to substantially reduce the key and ciphertext size of various lattice based cryptosystems and trapdoor functions of the kind proposed by Goldreich, Goldwasser and Halevi (GGH). The improvement is significant from both the theoretical and the practical point of view: it reduces the size of both key and ciphertext by a factor n equal to the dimension of the lattice (i.e., several hundred for typical values of the security parameter). The efficiency improvement is obtained without decreasing the security of the functions: we formally prove that the new functions are at least as secure as the original ones, and possibly even more secure, as the adversary gets less information in a strong information-theoretic sense. The increased efficiency of the new cryptosystems allows the use of larger values for the security parameter, making the functions secure against the best cryptanalytic attacks while keeping the key size even below the smallest key size for which lattice cryptosystems were ever conjectured to be hard to break.
Keywords: Lattices, trapdoor functions, public-key encryption
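The mechanism behind the abstract's size claim, as an added illustration (this is the editor's own example code, not the paper's implementation, and it omits the message encoding and chosen-ciphertext wrappers the paper builds on top): a GGH-style trapdoor where the private key is a short basis B of a lattice, the public key is the Hermite Normal Form H of the same lattice, and a ciphertext is the short error vector e reduced modulo H. Because H is a canonical basis that can be computed from any basis of the lattice, publishing it reveals nothing beyond the lattice itself, which is the "less information" point; and because a GGH ciphertext m*B_pub + e lies in the same coset of the lattice as e, reducing it modulo H yields the same small residue vector. The toy 3x3 basis, the 8x8 parameters (n = 8, k = 20) and the random-operation mixing are constructed for this example.

```python
# Editor's added example (not the paper's code). Row lattices: L(B) = {x*B : x in Z^n}.
import math
import random
from fractions import Fraction

def egcd(a, b):
    """Extended Euclid: (g, x, y) with x*a + y*b = g = gcd(a, b) >= 0."""
    if b == 0:
        return (abs(a), 1 if a >= 0 else -1, 0)
    g, x, y = egcd(b, a % b)
    return (g, y, x - (a // b) * y)

def hnf(B):
    """Row HNF of a nonsingular integer matrix: upper triangular, positive diagonal,
    0 <= H[i][j] < H[j][j] above it. Unimodular row ops only, so L(H) = L(B)."""
    A = [list(row) for row in B]
    n = len(A)
    for j in range(n):
        for i in range(j + 1, n):           # fold rows below pivot j into row j
            if A[i][j] == 0:
                continue
            a, b = A[j][j], A[i][j]
            g, x, y = egcd(a, b)
            rj, ri = A[j], A[i]             # [[x, y], [-b/g, a/g]] has determinant 1
            A[j] = [x * p + y * q for p, q in zip(rj, ri)]
            A[i] = [(-b // g) * p + (a // g) * q for p, q in zip(rj, ri)]
        if A[j][j] < 0:
            A[j] = [-v for v in A[j]]
        for i in range(j):                  # reduce entries above the pivot
            q = A[i][j] // A[j][j]
            A[i] = [p - q * r for p, r in zip(A[i], A[j])]
    return A

def reduce_mod_hnf(v, H):
    """Canonical representative of v + L(H): 0 <= r[j] < H[j][j] for every j."""
    r = list(v)
    for j in range(len(H)):
        q = r[j] // H[j][j]
        r = [p - q * h for p, h in zip(r, H[j])]
    return r

def solve_left(M, c):
    """Exact rational x with x*M = c (M nonsingular): Gauss-Jordan on [M^T | c]."""
    n = len(M)
    A = [[Fraction(M[j][i]) for j in range(n)] + [Fraction(c[i])] for i in range(n)]
    for col in range(n):
        piv = next(r for r in range(col, n) if A[r][col] != 0)
        A[col], A[piv] = A[piv], A[col]
        A[col] = [v / A[col][col] for v in A[col]]
        for r in range(n):
            if r != col and A[r][col] != 0:
                f = A[r][col]
                A[r] = [v - f * w for v, w in zip(A[r], A[col])]
    return [A[i][n] for i in range(n)]

def babai_round_off(c, B):
    """round(c * B^-1) * B: the GGH decryption step with the short private basis B."""
    k = [math.floor(t + Fraction(1, 2)) for t in solve_left(B, c)]
    return [sum(k[i] * B[i][j] for i in range(len(B))) for j in range(len(B))]

def encrypt(e, H):
    """Ciphertext for a short error vector e under public key H: e mod L(H)."""
    return reduce_mod_hnf(e, H)

def decrypt(c, B):
    """Recover e from c = e mod L(H) with a private short basis B of L(H)."""
    return [ci - vi for ci, vi in zip(c, babai_round_off(c, B))]

def mix_basis(B, rng, steps):
    """Random unimodular row operations: the kind of basis GGH would publish."""
    A = [list(row) for row in B]
    for _ in range(steps):
        i, j = rng.sample(range(len(A)), 2)
        m = rng.choice([-2, -1, 1, 2])
        A[i] = [p + m * q for p, q in zip(A[i], A[j])]
    return A

def key_bits(M):
    """Bits of entries that differ from the identity; an HNF's 0/1 pattern is implicit."""
    return sum(v.bit_length() for i, row in enumerate(M)
               for j, v in enumerate(row) if v != (1 if i == j else 0))

def random_ggh_keypair(n, k, seed):
    """Constructed GGH-style pair: private B = k*I + R, R in {-1,0,1}^(n x n) (diagonally
    dominant, so round-off decrypts e in {-1,0,1}^n), mixed public B_pub, and the HNF."""
    rng = random.Random(seed)
    B = [[k * (i == j) + rng.choice([-1, 0, 1]) for j in range(n)] for i in range(n)]
    B_pub = mix_basis(B, rng, 4 * n * n)
    return B, B_pub, hnf(B_pub)

B_TOY = [[4, 1, 0], [1, 4, 1], [1, 0, 4]]   # constructed toy private basis, det 61

if __name__ == "__main__":
    H = hnf(B_TOY)                            # [[1, 0, 4], [0, 1, 45], [0, 0, 61]]
    c = encrypt([1, -1, 0], H)                # [0, 0, 41]: one residue below det = 61
    print("H =", H, "c =", c, "decrypt ->", decrypt(c, B_TOY))
    B, B_pub, H = random_ggh_keypair(8, 20, 1)
    print("HNF canonical:", H == hnf(B), "| GGH basis bits:", key_bits(B_pub), "| HNF bits:", key_bits(H))
```

For the toy lattice the HNF has diagonal (1, 1, 61), so the public key is determined by one column and the ciphertext collapses to a single residue modulo 61; in the 8-dimensional example the mixed GGH basis costs far more bits than its HNF while both describe the same lattice, and decryption with the private basis succeeds on the reduced ciphertext exactly as on the unreduced one. The size ratio grows with the dimension, which is the factor-n effect the abstract describes.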