The Geometry of Provable Security: Some Proofs of Security in Which Lattices Make a Surprise Appearance

Craig Gentry
Part of the Information Security and Cryptography book series (ISC)


We highlight some uses of lattice reduction in security proofs of nonlattice-based cryptosystems. In particular, we focus on RSA-OAEP, the Rabin partial-domain hash signature scheme, techniques to compress Rabin signatures and ciphertexts, the relationship between the RSA and Paillier problems and Hensel lifting, and the hardness of the most significant bits of a Diffie–Hellman secret.







We thank Phong Nguyen and the reviewers for their helpful suggestions and comments.



Copyright information

© Springer-Verlag Berlin Heidelberg 2009

Authors and Affiliations

Craig Gentry, Stanford University, Stanford, USA
