Approximate Trapdoors for Lattices and Smaller Hash-and-Sign Signatures

Yilei Chen; Nicholas Genise; Pratyay Mukherjee

doi:10.1007/978-3-030-34618-8_1

International Conference on the Theory and Application of Cryptology and Information Security

ASIACRYPT 2019: Advances in Cryptology – ASIACRYPT 2019 pp 3-32 | Cite as

Approximate Trapdoors for Lattices and Smaller Hash-and-Sign Signatures

Authors
Authors and affiliations

Yilei Chen
Nicholas Genise
Pratyay Mukherjee

Conference paper

First Online: 22 November 2019

Part of the Lecture Notes in Computer Science book series (LNCS, volume 11923)

Abstract

We study a relaxed notion of lattice trapdoor called approximate trapdoor, which is defined to be able to invert Ajtai’s one-way function approximately instead of exactly. The primary motivation of our study is to improve the efficiency of the cryptosystems built from lattice trapdoors, including the hash-and-sign signatures.

Our main contribution is to construct an approximate trapdoor by modifying the gadget trapdoor proposed by Micciancio and Peikert [Eurocrypt 2012]. In particular, we show how to use the approximate gadget trapdoor to sample short preimages from a distribution that is simulatable without knowing the trapdoor. The analysis of the distribution uses a theorem (implicitly used in past works) regarding linear transformations of discrete Gaussians on lattices.

Our approximate gadget trapdoor can be used together with the existing optimization techniques to improve the concrete performance of the hash-and-sign signature in the random oracle model under (Ring-)LWE and (Ring-)SIS assumptions. Our implementation shows that the sizes of the public-key & signature can be reduced by half from those in schemes built from exact trapdoors.

This is a preview of subscription content, to check access.

Notes

Acknowledgments

We are grateful to Daniele Micciancio for valuable advice and his generous sharing of ideas on the subject of this work. We would also like to thank Léo Ducas, Steven Galbraith, Thomas Prest, Yang Yu, Chuang Gao, Eamonn Postlethwaite, Chris Peikert, and the anonymous reviewers for their helpful suggestions and comments.

A The Smoothing Parameter of $\varLambda _{ \mathbf {L} }$

Recall the notations that $ \mathbf {R} ' = \begin{bmatrix} \mathbf {R} \\ \mathbf {I} _{n(k-l)} \end{bmatrix}\in \mathbb {Z}^{m\times (n(k-l))}$, $\varSigma _p := s^2 \mathbf {I} _m - \mathbf {R} '( \mathbf {R} ')^t$. Here we derive the conditions of s so that $\sqrt{\varSigma _p \oplus \sigma ^2 \mathbf {I} _{n(k-l)}} \ge \eta _{\epsilon }(\varLambda _{ \mathbf {L} })$ holds, where $\varLambda _{ \mathbf {L} }$ is the lattice generated by

$$\begin{aligned} \mathbf {B} := \begin{bmatrix} - \mathbf {R} ' \\ \mathbf {I} _{n(k-l)} \end{bmatrix} . \end{aligned}$$

We do this in three steps: first we write out the dual basis of $ \mathbf {B} $, then we reduce $\sqrt{\varSigma _p \oplus \sigma ^2 \mathbf {I} _{n(k-l)}} \ge \eta _{\epsilon }(\varLambda _{ \mathbf {L} })$ to a statement about the smoothing parameter of $\mathbb Z^{n(k-l)}$, and finally we find when $\sqrt{\varSigma _p \oplus \sigma ^2 \mathbf {I} _{n(k-l)}} \ge \eta _{\epsilon }(\varLambda _{ \mathbf {L} })$ as a function of s.

Dual basis, $ \mathbf {B} ^*$ : Let $\varSigma = \varSigma _p \oplus \sigma ^2 \mathbf {I} _{n(k-l)}$. By definition, we need $\rho (\sqrt{\varSigma }^t \varLambda _{ \mathbf {L} }^*) \le 1 + \epsilon $. In general, the dual basis $\varLambda ^*$ is generated by the dual basis $ \mathbf {B} ( \mathbf {B} ^t \mathbf {B} )^{-1}$. In the case of $\varLambda _{ \mathbf {L} }$, we can write the dual basis as

$$ \mathbf {B} ^* := \begin{bmatrix} - \mathbf {R} ' \\ \mathbf {I} _{n(k-l)} \end{bmatrix} \begin{bmatrix} \mathbf {R} ^t \mathbf {R} + 2 \mathbf {I} \end{bmatrix}^{-1}.$$

Reducing to $\eta _\epsilon (\mathbb Z^{n(k-l)})$ : Next, the gaussian sum $\rho (\sqrt{\varSigma }^t \varLambda _{ \mathbf {L} }^*)$ is equal to

$$\sum _{ \mathbf {x} \in \mathbb Z^{n(k-l)}} \exp (-\pi \mathbf {x} ^t( \mathbf {B} ^*)^t\varSigma \mathbf {B} ^* \mathbf {x} ).$$

This reduces to showing $\sqrt{( \mathbf {B} ^*)^t\varSigma \mathbf {B} ^*} \ge \eta _\epsilon (\mathbb Z^{n(k-l)})$.

Now we write out the matrix product $( \mathbf {B} ^*)^t\varSigma \mathbf {B} ^*$,

$$\begin{aligned} ( \mathbf {B} ^*)^t\varSigma \mathbf {B} ^*&= \begin{bmatrix} \mathbf {R} ^t \mathbf {R} + 2 \mathbf {I} \end{bmatrix}^{-t} \begin{bmatrix} -( \mathbf {R} ')^{t}&\mathbf {I} \end{bmatrix} \begin{bmatrix} \varSigma _p &{} \mathbf {0} \\ \mathbf {0} &{} \sigma ^2 \mathbf {I} \end{bmatrix} \begin{bmatrix} - \mathbf {R} ' \\ \mathbf {I} \end{bmatrix} \begin{bmatrix} \mathbf {R} ^t \mathbf {R} + 2 \mathbf {I} \end{bmatrix}^{-1} \\&= \begin{bmatrix} \mathbf {R} ^t \mathbf {R} + 2 \mathbf {I} \end{bmatrix}^{-t} \begin{bmatrix} ( \mathbf {R} ')^t \varSigma _p \mathbf {R} ' + \sigma ^2 \mathbf {I} \end{bmatrix} \begin{bmatrix} \mathbf {R} ^t \mathbf {R} + 2 \mathbf {I} \end{bmatrix}^{-1}. \end{aligned}$$

Before we continue, we consider the structure of the middle matrix:

$$\begin{aligned} \varSigma _s := ( \mathbf {R} ')^t \varSigma _p \mathbf {R} '&= \begin{bmatrix} \mathbf {R} ^t&\mathbf {I} \end{bmatrix} \left( s^2 \mathbf {I} - \sigma ^2\begin{bmatrix} \mathbf {R} \\ \mathbf {I} \end{bmatrix} \begin{bmatrix} \mathbf {R} ^t&\mathbf {I} \end{bmatrix} \right) \begin{bmatrix} \mathbf {R} \\ \mathbf {I} \end{bmatrix} \\&= \begin{bmatrix} \mathbf {R} ^t \mathbf {R} + \mathbf {I} \end{bmatrix}\left( s^2 \mathbf {I} - \sigma ^2\begin{bmatrix} \mathbf {R} ^t \mathbf {R} + \mathbf {I} \end{bmatrix} \right) . \end{aligned}$$

Derive the condition for s : Now we will derive the condition for s so that

$$ \begin{bmatrix} \mathbf {R} ^t \mathbf {R} + 2 \mathbf {I} \end{bmatrix}^{-t}[\varSigma _s + \sigma ^2 \mathbf {I} ]\begin{bmatrix} \mathbf {R} ^t \mathbf {R} + 2 \mathbf {I} \end{bmatrix}^{-1} \ge \eta ^2_\epsilon (\mathbb Z^{n(k-l)}). $$

Claim

All invertible matrices of the form $( \mathbf {R} ^t \mathbf {R} + \alpha \mathbf {I} )^i$ for $i \in \mathbb Z, \alpha \in \mathbb {R}$ commute.

Proof

Let $ \mathbf {Q} \mathbf {S} \mathbf {V} ^t$ be $ \mathbf {R} $’s singular value decomposition. Now, $ \mathbf {R} ^t \mathbf {R} + \alpha \mathbf {I} = \mathbf {V} \mathbf {D} \mathbf {V} ^t + \mathbf {V} (\alpha \mathbf {I} ) \mathbf {V} ^t$ where $ \mathbf {D} = \mathbf {S} ^t \mathbf {S} = \text {diag}(s^2_i( \mathbf {R} ))$ since $ \mathbf {V} , \mathbf {Q} $ are orthogonal. Equivalently, we have $ \mathbf {R} ^t \mathbf {R} + \alpha \mathbf {I} = \mathbf {V} \mathbf {D} _\alpha \mathbf {V} ^t$ where $ \mathbf {D} _\alpha = \text {diag}(s^2_i( \mathbf {R} ) + \alpha ) = \mathbf {S} ^t \mathbf {S} + \alpha \mathbf {I} _{2n}$. By induction, we have $( \mathbf {R} ^t \mathbf {R} + \alpha \mathbf {I} )^i = \mathbf {V} \mathbf {D} _\alpha ^i \mathbf {V} ^t$, $i \in \mathbb Z$. Finally, $ \mathbf {D} _\alpha ^i$ is a diagonal matrix so $ \mathbf {D} _{\alpha }^i$ and $ \mathbf {D} _{\alpha '}^j$ commute for all $\alpha , \alpha '$ since diagonal matrices commute. The result follows from the orthogonality of $ \mathbf {V} $ ($ \mathbf {V} ^t \mathbf {V} = \mathbf {I} $).

Claim A allows us to lower-bound the smallest eigenvalue of

$$\begin{aligned}( \mathbf {B} ^*)^t\varSigma \mathbf {B} ^*&= \begin{bmatrix} \mathbf {R} ^t \mathbf {R} + 2 \mathbf {I} \end{bmatrix}^{-2} \left( \begin{bmatrix} \mathbf {R} ^t \mathbf {R} + \mathbf {I} \end{bmatrix} \left[ s^2 \mathbf {I} - \sigma ^2\begin{bmatrix} \mathbf {R} ^t \mathbf {R} + \mathbf {I} \end{bmatrix}\right] +\sigma ^2 \mathbf {I} \right) \\&= \begin{bmatrix} \mathbf {R} ^t \mathbf {R} + 2 \mathbf {I} \end{bmatrix}^{-2} \left( s^2[ \mathbf {R} ^t \mathbf {R} + \mathbf {I} ] - \sigma ^2[2 \mathbf {R} ^t \mathbf {R} + ( \mathbf {R} ^t \mathbf {R} )^2]\right) .\end{aligned}$$

Viewing these matrices as their diagonal matrices of eigenvalues, we see $( \mathbf {B} ^*)^t\varSigma \mathbf {B} ^*$’s least eigenvalue is lower-bounded by

$$\begin{aligned} \lambda _{lb}(s, \mathbf {R} ) := \frac{s^2(s_{2n}^2( \mathbf {R} )+1) - \sigma ^2(s_1^4( \mathbf {R} )+2s_1^2( \mathbf {R} ) ) }{(s_1^2( \mathbf {R} )+2)^2} . \end{aligned}$$

Next, we assume $\sigma = \sqrt{b^2+1}\eta _\epsilon (\mathbb Z^{nk}) \ge \eta _\epsilon (\varLambda ^\perp _q( \mathbf {G} ))$ and solve for s using $\lambda _{lb}(s, \mathbf {R} ) \ge \eta ^2_\epsilon (\mathbb Z^{n(k-l)})$,

$$s^2 \ge \frac{s_1^2( \mathbf {R} )+ 1}{s_{2n}^2( \mathbf {R} )+ 1}\eta ^2_\epsilon (\mathbb Z^{n(k-l)}) + \frac{(b^2 + 1)(s_1^4( \mathbf {R} ) + 2s_1^2( \mathbf {R} ))}{s_{2n}^2( \mathbf {R} )+ 1} \eta ^2_\epsilon (\mathbb Z^{nk}).$$

This is

$$s \gtrsim \sqrt{b^2+1}\frac{s_1^2( \mathbf {R} )}{s_{2n}( \mathbf {R} )} \eta _\epsilon (\mathbb Z^{nk}).$$

We remark that the ratio $\frac{s_1( \mathbf {R} )}{s_{2n}( \mathbf {R} )}$ is a constant for commonly-used subgaussian distributions for $ \mathbf {R} $’s entries [51].

References

1.
Agrawal, S., Boneh, D., Boyen, X.: Efficient lattice (H)IBE in the standard model. In: Gilbert, H. (ed.) EUROCRYPT 2010. LNCS, vol. 6110, pp. 553–572. Springer, Heidelberg (2010). https://doi.org/10.1007/978-3-642-13190-5_28CrossRefzbMATHGoogle Scholar
2.
Ajtai, M.: Generating hard instances of lattice problems (extended abstract). In: STOC, pp. 99–108 (1996)Google Scholar
3.
Ajtai, M.: Generating hard instances of the short basis problem. In: Wiedermann, J., van Emde Boas, P., Nielsen, M. (eds.) ICALP 1999. LNCS, vol. 1644, pp. 1–9. Springer, Heidelberg (1999). https://doi.org/10.1007/3-540-48523-6_1CrossRefGoogle Scholar
4.
Alagic, G., et al.: Status report on the first round of the NIST post-quantum cryptography standardization process. US Department of Commerce, National Institute of Standards and Technology (2019)Google Scholar
5.
Albrecht, M.R., et al.: Estimate all the LWE, NTRU schemes!. In: Catalano, D., De Prisco, R. (eds.) SCN 2018. LNCS, vol. 11035, pp. 351–367. Springer, Cham (2018). https://doi.org/10.1007/978-3-319-98113-0_19CrossRefGoogle Scholar
6.
Albrecht, M.R., Ducas, L., Herold, G., Kirshanova, E., Postlethwaite, E.W., Stevens, M.: The general sieve kernel and new records in lattice reduction. In: Ishai, Y., Rijmen, V. (eds.) EUROCRYPT 2019. LNCS, vol. 11477, pp. 717–746. Springer, Cham (2019). https://doi.org/10.1007/978-3-030-17656-3_25CrossRefGoogle Scholar
7.
Albrecht, M.R., Player, R., Scott, S.: On the concrete hardness of learning with errors. J. Math. Cryptol. 9(3), 169–203 (2015)MathSciNetCrossRefGoogle Scholar
8.
Alkim, E., Barreto, P.S.L.M., Bindel, N., Longa, P., Ricardini, J.E.: The lattice-based digital signature scheme qTESLA. IACR Cryptology ePrint Archive 2019, p. 85 (2019)Google Scholar
9.
Alwen, J., Peikert, C.: Generating shorter bases for hard random lattices. Theory Comput. Syst. 48(3), 535–553 (2011)MathSciNetCrossRefGoogle Scholar
10.
Applebaum, B., Cash, D., Peikert, C., Sahai, A.: Fast cryptographic primitives and circular-secure encryption based on hard learning problems. In: Halevi, S. (ed.) CRYPTO 2009. LNCS, vol. 5677, pp. 595–618. Springer, Heidelberg (2009). https://doi.org/10.1007/978-3-642-03356-8_35CrossRefGoogle Scholar
11.
Bai, S., Galbraith, S.D.: An improved compression technique for signatures based on learning with errors. In: Benaloh, J. (ed.) CT-RSA 2014. LNCS, vol. 8366, pp. 28–47. Springer, Cham (2014). https://doi.org/10.1007/978-3-319-04852-9_2CrossRefGoogle Scholar
12.
Bai, S., Galbraith, S.D., Li, L., Sheffield, D.: Improved combinatorial algorithms for the inhomogeneous short integer solution problem. J. Cryptol. 32(1), 35–83 (2019)MathSciNetCrossRefGoogle Scholar
13.
El Bansarkhani, R., Buchmann, J.: Improvement and efficient implementation of a lattice-based signature scheme. In: Lange, T., Lauter, K., Lisoněk, P. (eds.) SAC 2013. LNCS, vol. 8282, pp. 48–67. Springer, Heidelberg (2014). https://doi.org/10.1007/978-3-662-43414-7_3CrossRefGoogle Scholar
14.
Bert, P., Fouque, P.-A., Roux-Langlois, A., Sabt, M.: Practical implementation of ring-SIS/LWE based signature and IBE. In: Lange, T., Steinwandt, R. (eds.) PQCrypto 2018. LNCS, vol. 10786, pp. 271–291. Springer, Cham (2018). https://doi.org/10.1007/978-3-319-79063-3_13CrossRefGoogle Scholar
15.
Bourse, F., Del Pino, R., Minelli, M., Wee, H.: FHE circuit privacy almost for free. In: Robshaw, M., Katz, J. (eds.) CRYPTO 2016. LNCS, vol. 9815, pp. 62–89. Springer, Heidelberg (2016). https://doi.org/10.1007/978-3-662-53008-5_3CrossRefGoogle Scholar
16.
Brakerski, Z., Langlois, A., Peikert, C., Regev, O., Stehlé, D.: Classical hardness of learning with errors. In: Proceedings of the Forty-Fifth Annual ACM Symposium on Theory of Computing, pp. 575–584. ACM (2013)Google Scholar
17.
Brakerski, Z., Vaikuntanathan, V., Wee, H., Wichs, D.: Obfuscating conjunctions under entropic ring LWE. In: ITCS, pp. 147–156. ACM (2016)Google Scholar
18.
Canetti, R., Chen, Y.: Constraint-hiding constrained PRFs for NC$^1$ from LWE. In: Coron, J.-S., Nielsen, J.B. (eds.) EUROCRYPT 2017. LNCS, vol. 10210, pp. 446–476. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-56620-7_16CrossRefGoogle Scholar
19.
Cash, D., Hofheinz, D., Kiltz, E., Peikert, C.: Bonsai trees, or how to delegate a lattice basis. J. Cryptol. 25(4), 601–639 (2012)MathSciNetCrossRefGoogle Scholar
20.
Chen, C., Genise, N., Micciancio, D., Polyakov, Y., Rohloff, K.: Implementing token-based obfuscation under (ring) LWE. IACR Cryptology ePrint Archive 2018, p. 1222 (2018)Google Scholar
21.
Chen, Y., Vaikuntanathan, V., Wee, H.: GGH15 beyond permutation branching programs: proofs, attacks, and candidates. In: Shacham, H., Boldyreva, A. (eds.) CRYPTO 2018. LNCS, vol. 10992, pp. 577–607. Springer, Cham (2018). https://doi.org/10.1007/978-3-319-96881-0_20CrossRefGoogle Scholar
22.
Chen, Y.: Réduction de réseau et sécurité concréte du chiffrement complétement homomorphe. PhD thesis, Paris 7 (2013)Google Scholar
23.
del Pino, R., Lyubashevsky, V., Seiler, G.: Lattice-based group signatures and zero-knowledge proofs of automorphism stability. In: Proceedings of the 2018 ACM SIGSAC Conference on Computer and Communications Security, CCS 2018, Toronto, ON, Canada, 15–19 October 2018, pp. 574–591 (2018)Google Scholar
24.
Ducas, L.: Shortest vector from lattice sieving: a few dimensions for free. In: Nielsen, J.B., Rijmen, V. (eds.) EUROCRYPT 2018. LNCS, vol. 10820, pp. 125–145. Springer, Cham (2018). https://doi.org/10.1007/978-3-319-78381-9_5CrossRefGoogle Scholar
25.
Ducas, L., Galbraith, S., Prest, T., Yang, Y.: Integral matrix gram root and lattice Gaussian sampling without floats. IACR Cryptology ePrint Archive 2019, p. 320 (2019)Google Scholar
26.
Ducas, L., et al.: CRYSTALS-Dilithium: a lattice-based digital signature scheme. IACR Trans. Cryptogr. Hardw. Embed. Syst. 2018(1), 238–268 (2018)MathSciNetGoogle Scholar
27.
Fouque, P.-A., et al.: Falcon: fast-fourier lattice-based compact signatures over NTRU (2018)Google Scholar
28.
Genise, N., Micciancio, D.: Faster Gaussian sampling for trapdoor lattices with arbitrary modulus. In: Nielsen, J.B., Rijmen, V. (eds.) EUROCRYPT 2018. LNCS, vol. 10820, pp. 174–203. Springer, Cham (2018). https://doi.org/10.1007/978-3-319-78381-9_7CrossRefGoogle Scholar
29.
Gentry, C.: Fully homomorphic encryption using ideal lattices. In: STOC, pp. 169–178 (2009)Google Scholar
30.
Gentry, C., Gorbunov, S., Halevi, S.: Graph-induced multilinear maps from lattices. In: Dodis, Y., Nielsen, J.B. (eds.) TCC 2015. LNCS, vol. 9015, pp. 498–527. Springer, Heidelberg (2015). https://doi.org/10.1007/978-3-662-46497-7_20CrossRefGoogle Scholar
31.
Gentry, C., Peikert, C., Vaikuntanathan, V.: Trapdoors for hard lattices and new cryptographic constructions. In: STOC, pp. 197–206 (2008)Google Scholar
32.
Gentry, C., Szydlo, M.: Cryptanalysis of the revised NTRU signature scheme. In: Knudsen, L.R. (ed.) EUROCRYPT 2002. LNCS, vol. 2332, pp. 299–320. Springer, Heidelberg (2002). https://doi.org/10.1007/3-540-46035-7_20CrossRefGoogle Scholar
33.
Goldreich, O., Goldwasser, S., Halevi, S.: Public-key cryptosystems from lattice reduction problems. In: Kaliski, B.S. (ed.) CRYPTO 1997. LNCS, vol. 1294, pp. 112–131. Springer, Heidelberg (1997). https://doi.org/10.1007/BFb0052231CrossRefGoogle Scholar
34.
Gorbunov, S., Vaikuntanathan, V., Wee, H.: Attribute-based encryption for circuits. In: STOC, pp. 545–554. ACM (2013)Google Scholar
35.
Goyal, R., Koppula, V., Waters, B.: Lockable obfuscation. In: FOCS, pp. 612–621. IEEE Computer Society (2017)Google Scholar
36.
Gür, K.D., Polyakov, Y., Rohloff, K., Ryan, G.W., Savas, E.: Implementation and evaluation of improved gaussian sampling for lattice trapdoors. In: Proceedings of the 6th Workshop on Encrypted Computing and Applied Homomorphic Cryptography, pp. 61–71. ACM (2018)Google Scholar
37.
Halevi, S., Halevi, T., Shoup, V., Stephens-Davidowitz, N.: Implementing BP-obfuscation using graph-induced encoding. In: ACM Conference on Computer and Communications Security, pp. 783–798. ACM (2017)Google Scholar
38.
Hoffstein, J., Howgrave-Graham, N., Pipher, J., Silverman, J.H., Whyte, W.: NTRUSign: digital signatures using the NTRU lattice. In: Joye, M. (ed.) CT-RSA 2003. LNCS, vol. 2612, pp. 122–140. Springer, Heidelberg (2003). https://doi.org/10.1007/3-540-36563-X_9CrossRefGoogle Scholar
39.
Hoffstein, J., Pipher, J., Silverman, J.H.: NTRU: a ring-based public key cryptosystem. In: Buhler, J.P. (ed.) ANTS 1998. LNCS, vol. 1423, pp. 267–288. Springer, Heidelberg (1998). https://doi.org/10.1007/BFb0054868CrossRefGoogle Scholar
40.
Lyubashevsky, V.: Lattice signatures without trapdoors. In: Pointcheval, D., Johansson, T. (eds.) EUROCRYPT 2012. LNCS, vol. 7237, pp. 738–755. Springer, Heidelberg (2012). https://doi.org/10.1007/978-3-642-29011-4_43CrossRefGoogle Scholar
41.
Micciancio, D.: Personal communication (2018)Google Scholar
42.
Micciancio, D., Peikert, C.: Trapdoors for lattices: simpler, tighter, faster, smaller. In: Pointcheval, D., Johansson, T. (eds.) EUROCRYPT 2012. LNCS, vol. 7237, pp. 700–718. Springer, Heidelberg (2012). https://doi.org/10.1007/978-3-642-29011-4_41 CrossRefGoogle Scholar
43.
Micciancio, D., Peikert, C.: Hardness of SIS and LWE with small parameters. In: Canetti, R., Garay, J.A. (eds.) CRYPTO 2013. LNCS, vol. 8042, pp. 21–39. Springer, Heidelberg (2013). https://doi.org/10.1007/978-3-642-40041-4_2CrossRefGoogle Scholar
44.
Micciancio, D., Regev, O.: Worst-case to average-case reductions based on Gaussian measure. SIAM J. Comput. 37(1), 267–302 (2007)MathSciNetCrossRefGoogle Scholar
45.
Micciancio, D., Walter, M.: On the bit security of cryptographic primitives. In: Nielsen, J.B., Rijmen, V. (eds.) EUROCRYPT 2018. LNCS, vol. 10820, pp. 3–28. Springer, Cham (2018). https://doi.org/10.1007/978-3-319-78381-9_1CrossRefGoogle Scholar
46.
Nguyen, P.Q., Regev, O.: Learning a parallelepiped: cryptanalysis of GGH and NTRU signatures. In: Vaudenay, S. (ed.) EUROCRYPT 2006. LNCS, vol. 4004, pp. 271–288. Springer, Heidelberg (2006). https://doi.org/10.1007/11761679_17CrossRefGoogle Scholar
47.
Peikert, C.: Public-key cryptosystems from the worst-case shortest vector problem: extended abstract. In: Proceedings of the 41st Annual ACM Symposium on Theory of Computing, STOC 2009, Bethesda, MD, USA, 31 May - 2 June 2009, pp. 333–342 (2009)Google Scholar
48.
Peikert, C., Regev, O., Stephens-Davidowitz, N.: Pseudorandomness of ring-LWE for any ring and modulus. In: STOC, pp. 461–473. ACM (2017)Google Scholar
49.
Peikert, C., Rosen, A.: Efficient collision-resistant hashing from worst-case assumptions on cyclic lattices. In: Halevi, S., Rabin, T. (eds.) TCC 2006. LNCS, vol. 3876, pp. 145–166. Springer, Heidelberg (2006). https://doi.org/10.1007/11681878_8CrossRefGoogle Scholar
50.
Regev, O.: On lattices, learning with errors, random linear codes, and cryptography. J. ACM 56(6), 34 (2009)MathSciNetCrossRefGoogle Scholar
51.
Vershynin, R.: Introduction to the non-asymptotic analysis of random matrices. In: Compressed Sensing, pp. 210–268. Cambridge University Press (2012)Google Scholar
52.
Wichs, D., Zirdelis, G.: Obfuscating compute-and-compare programs under LWE. In: FOCS, pp. 600–611. IEEE Computer Society (2017)Google Scholar

Copyright information

Authors and Affiliations

Yilei Chen
- 1
Email author
Nicholas Genise
- 2
Pratyay Mukherjee
- 1

1.Visa ResearchPalo AltoUSA
2.University of CaliforniaSan DiegoUSA