Cryptographic Functions from Worst-Case Complexity Assumptions

  • Daniele Micciancio
Part of the Information Security and Cryptography book series (ISC)


Lattice problems have been suggested as a potential source of computational hardness to be used in the construction of cryptographic functions that are provably hard to break. A remarkable feature of lattice-based cryptographic functions is that they can be proved secure (that is, hard to break on the average) based on the assumption that the underlying lattice problems are computationally hard in the worst-case. In this paper we give a survey of the constructions and proof techniques used in this area, explain the importance of basing cryptographic functions on the worst-case complexity of lattice problems, and discuss how this affects the traditional approach to cryptanalysis based on random challenges.


Hash Function Lattice Vector Lattice Problem Cryptographic Function Close Vector Problem 
These keywords were added by machine and not by the authors. This process is experimental and the keywords may be updated as the learning algorithm improves.


Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.



This work was supported in part by NSF grant CCF-0634909. Any opinions, findings, and conclusions or recommendations expressed in this material are those of the author(s) and do not necessarily reflect the views of the National Science Foundation.


  1. 1.
    Lenstra, A.K., Lenstra, Jr., H.W., Lovász, L.: Factoring polynomials with rational coefficients. Mathematische Annalen 261, 513–534 (1982)Google Scholar
  2. 2.
    Brickell, E.F., Odlyzko, A.M.: Cryptanalysis: A survey of recent results. In: G.J. Simmons (ed.) Contemporary Cryptology, chap. 10, pp. 501–540. IEEE Press (1991)Google Scholar
  3. 3.
    Joux, A., Stern, J.: Lattice reduction: A toolbox for the cryptanalyst. Journal of Cryptology 11(3), 161–185 (1998)zbMATHCrossRefMathSciNetGoogle Scholar
  4. 4.
    Nguyen, P., Stern, J.: The two faces of lattices in cryptology. In: Proceedings of CaLC ’01, LNCS, vol. 2146, pp. 146–180. Springer (2001)Google Scholar
  5. 5.
    Schnorr, C.P., Euchner, M.: Lattice basis reduction: Improved practical algorithms and solving subset sum problems. Mathematical programming 66(1–3), 181–199 (1994). Preliminary version in FCT 1991Google Scholar
  6. 6.
    Schnorr, C.P.: A hierarchy of polynomial time lattice basis reduction algorithms. Theoretical Computer Science 53(2–3), 201–224 (1987)zbMATHCrossRefMathSciNetGoogle Scholar
  7. 7.
    Schnorr, C.P.: A more efficient algorithm for lattice basis reduction. Journal of Algorithms 9(1), 47–62 (1988)zbMATHCrossRefMathSciNetGoogle Scholar
  8. 8.
    Schnorr, C.P.: Fast LLL-type lattice reduction. Information and Computation 204(1), 1–25 (2006)zbMATHCrossRefMathSciNetGoogle Scholar
  9. 9.
    Ajtai, M., Kumar, R., Sivakumar, D.: A sieve algorithm for the shortest lattice vector problem. In: Proceedings of STOC ’01, pp. 266–275. ACM (2001)Google Scholar
  10. 10.
    Kumar, R., Sivakumar, D.: On polynomial-factor approximations to the shortest lattice vector length. SIAM Journal on Discrete Mathematics 16(3), 422–425 (2003)zbMATHCrossRefMathSciNetGoogle Scholar
  11. 11.
    Nguyen, P., Stehlé, D.: Floating-point LLL revisited. In: Proceedings of EUROCRYPT ’05, LNCS, vol. 3494, pp. 215–233. Springer (2005)Google Scholar
  12. 12.
    Gama, N., Nguyen, P.Q.: Finding short lattice vectors within mordell’s inequality. In: Proceedings of STOC ’08, pp. 207–216. ACM (2008)Google Scholar
  13. 13.
    Ajtai, M.: Generating hard instances of lattice problems. Complexity of Computations and Proofs, Quaderni di Matematica 13, 1–32 (2004). Preliminary version in STOC 1996Google Scholar
  14. 14.
    Cai, J.Y., Nerurkar, A.P.: An improved worst-case to average-case connection for lattice problems (extended abstract). In: Proceedings of FOCS ’97, pp. 468–477. IEEE (1997)Google Scholar
  15. 15.
    Micciancio, D.: Almost perfect lattices, the covering radius problem, and applications to Ajtai’s connection factor. SIAM Journal on Computing 34(1), 118–169 (2004). Preliminary version in STOC 2002.Google Scholar
  16. 16.
    Micciancio, D., Regev, O.: Worst-case to average-case reductions based on Gaussian measure. SIAM Journal on Computing 37(1), 267–302 (2007). Preliminary version in FOCS 2004Google Scholar
  17. 17.
    Micciancio, D.: Generalized compact knapsacks, cyclic lattices, and efficient one-way functions. Computational Complexity 16(4), 365–411 (2007). Preliminary version in FOCS 2002Google Scholar
  18. 18.
    Ajtai, M.: Representing hard lattices with O(n log n) bits. In: Proceedings of STOC ’05,pp. 94–103. ACM (2005)Google Scholar
  19. 19.
    Lyubashevsky, V., Micciancio, D.: Generalized compact knapsacks are collision resistant. In: Proceedings of ICALP ’06, LNCS, vol. 4052, pp. 144–155. Springer (2006)Google Scholar
  20. 20.
    Peikert, C., Rosen, A.: Efficient collision-resistant hashing from worst-case assumptions on cyclic lattices. In: Proceedings of TCC ’06, LNCS, vol. 3876, pp. 145–166. Springer (2006)Google Scholar
  21. 21.
    Lyubashevsky, V., Micciancio, D., Peikert, C., Rosen, A.: Swifft: a modest proposal for fft hashing. In: Proceedings of FSE ’08, LNCS, vol. 5086, pp. 54–72. Springer (2008)Google Scholar
  22. 22.
    Ajtai, M., Dwork, C.: A public-key cryptosystem with worst-case/average-case equivalence. In: Proceedings of STOC ’97, pp. 284–293. ACM (1997)Google Scholar
  23. 23.
    Regev, O.: New lattice based cryptographic constructions. Journal of the ACM 51(6), 899–942 (2004). Preliminary version in STOC 2003Google Scholar
  24. 24.
    Regev, O.: On lattices, learning with errors, random linear codes, and cryptography. In: Proceedings of STOC ’05, pp. 84–93. ACM (2005)Google Scholar
  25. 25.
    Peikert, C., Waters, B.: Lossy trapdoor functions and their applications. In: Proceedings of STOC ’08, pp. 187–196. ACM (2008)Google Scholar
  26. 26.
    Micciancio, D., Vadhan, S.: Statistical zero-knowledge proofs with efficient provers: lattice problems and more. In: Proceedings of CRYPTO ’03, LNCS, vol. 2729, pp. 282–298. Springer (2003)Google Scholar
  27. 27.
    Lyubashevsky, V.: Lattice-based identification schemes secure under active attacks. In: Proceedings of PKC ’08, no. 4939 in LNCS, pp. 162–179. Springer (2008)Google Scholar
  28. 28.
    Lyubashevsky, V., Micciancio, D.: Asymptotically efficient lattice-based digital signatures. In: Proceedings of TCC ’08, LNCS, vol. 4948, pp. 37–54. Springer (2008)Google Scholar
  29. 29.
    Gentry, C., Peikert, C., Vaikuntanathan, V.: Trapdoors for hard lattices and new cryptographic constructions. In: Proceedings of STOC ’08, pp. 197–206. ACM (2008)Google Scholar
  30. 30.
    Peikert, C., Vaikuntanathan, V.: Noninteractive statistical zero-knowledge proofs for lattice problems. In: Proceedings of CRYPTO ’08, LNCS, vol. 5157, pp. 536–553. Springer (2008)Google Scholar
  31. 31.
    Peikert, C., Vaikuntanathan, V., Waters, B.: A framework for efficient and composable oblivious transfer. In: Proceedings of CRYPTO ’08, LNCS, vol. 5157, pp. 554–571. Springer (2008)Google Scholar
  32. 32.
    Regev, O.: On the complexity of lattice problems with polynomial approximation factors. In: this volume (2008)Google Scholar
  33. 33.
    Micciancio, D., Goldwasser, S.: Complexity of Lattice Problems: a cryptographic perspective, The Kluwer International Series in Engineering and Computer Science, vol. 671. Kluwer Academic Publishers (2002)Google Scholar
  34. 34.
    Goldreich, O., Micciancio, D., Safra, S., Seifert, J.P.: Approximating shortest lattice vectors is not harder than approximating closest lattice vectors. Information Processing Letters 71(2), 55–61 (1999)zbMATHCrossRefMathSciNetGoogle Scholar
  35. 35.
    Babai, L.: On Lovasz’ lattice reduction and the nearest lattice point problem. Combinatorica 6(1), 1–13 (1986)zbMATHCrossRefMathSciNetGoogle Scholar
  36. 36.
    Ajtai, M.: The worst-case behavior of Schnorr’s algorithm approximating the shortest nonzero vector in a lattice. In: Proceedings of STOC ’03, pp. 396–406. ACM (2003)Google Scholar
  37. 37.
    Hoffstein, J., Pipher, J., Silverman, J.H.: NTRU: a ring based public key cryptosystem. In: Proceedings of ANTS-III, LNCS, vol. 1423, pp. 267–288. Springer (1998)Google Scholar
  38. 38.
    Goldwasser, S., Micali, S.: Probabilistic encryption. Journal of Computer and System Sciences 28(2), 270–299 (1984). Preliminary version in Proc. of STOC 1982Google Scholar
  39. 39.
    Impagliazzo, R., Rudich, S.: Limits on the provable consequences of one-way permutations. In: Proceedings of STOC ’89, pp. 44–61. ACM (1989)Google Scholar
  40. 40.
    Cai, J.Y.: A relation of primal-dual lattices and the complexity of the shortest lattice vector problem. Theoretical Computer Science 207(1), 105–116 (1998)zbMATHCrossRefMathSciNetGoogle Scholar
  41. 41.
    Goldreich, O., Goldwasser, S., Halevi, S.: Eliminating decryption errors in the Ajtai-Dwork cryptosystem. In: Proceedings of CRYPTO ’97, LNCS, vol. 1294, pp. 105–111. Springer (1997)Google Scholar
  42. 42.
    Nguyen, P., Stehlé, D.: LLL on the average. In: Proceedings of ANTS-VII, LNCS, vol. 4076, pp. 238–256. Springer (2006)Google Scholar
  43. 43.
    Gama, N., Nguyen, P.Q.: Predicting lattice reduction. In: Proceedings of EUROCRYPT ’08, LNCS, vol. 4965, pp. 31–51. Springer (2008)Google Scholar
  44. 44.
    Schnorr, C.P., Hörner, H.H.: Attacking the Chor-Rivest cryptosystem by improved lattice reduction. In: Proceedings of EUROCRYPT ’95, LNCS, vol. 921, pp. 1–12. Springer (1995)Google Scholar
  45. 45.
    Lenstra, A.K., Verheul, E.R.: Selecting cryptographic key sizes. Journal of Cryptology 14(4), 255–293 (2001)zbMATHMathSciNetGoogle Scholar
  46. 46.
    Nguyen, P., Stern, J.: Cryptanalysis of the Ajtai-Dwork cryptosystem. In: Proceedings of CRYPTO ’98, LNCS, vol. 1462, pp. 223–242. Springer (1998)Google Scholar
  47. 47.
    Dinur, I.: Approximating SVP to within almost-polynomial factors is NP-hard. Theoretical Computer Science 285(1), 55–71 (2002)zbMATHCrossRefMathSciNetGoogle Scholar
  48. 48.
    Regev, O., Rosen, R.: Lattice problems and norm embeddings. In: Proceedings of STOC ’06, pp. 447–456. ACM (2006)Google Scholar
  49. 49.
    Haviv, I., Regev, O.: Tensor-based hardness of the shortest vector problem to within almost polynomial factors. In: Proceedings of STOC ’07, pp. 469–477. ACM (2007)Google Scholar
  50. 50.
    Lovász, L., Scarf, H.: The generalized basis reduction algorithm. Mathematics of Operations Research 17(3), 754–764 (1992)CrossRefGoogle Scholar
  51. 51.
    Gama, N., Howgrave-Graham, N., Nguyen, P.: Symplectic lattice reduction and NTRU. In: Proceedings of EUROCRYPT ’06, LNCS, vol. 4004, pp. 233–253. Springer (2006)Google Scholar
  52. 52.
    Lyubashevsy, V., Micciancio, D., Peikert, C., Rosen, A.: Provably secure FFT hashing. In: 2nd NIST cryptographic hash workshop. Santa Barbara, CA, USA (2006)Google Scholar
  53. 53.
    Ajtai, M.: Random lattices and a conjectured 0-1 law about their polynomial time computable properties. In: Proceedings of FOCS ’02, pp. 733–742. IEEE (2002)Google Scholar

Copyright information

© Springer-Verlag Berlin Heidelberg 2009

Authors and Affiliations

  1. 1.Department of Computer Science and EngineeringUniversity of California at San DiegoLa JollaUSA

Personalised recommendations