
The Geometry of Lattice Cryptography

Daniele Micciancio

Chapter, part of the Lecture Notes in Computer Science book series (LNCS, volume 6858)

Abstract

Lattice cryptography is one of the hottest and fastest moving areas in mathematical cryptography today. Interest in lattice cryptography is due to several concurring factors. On the theoretical side, lattice cryptography is supported by strong worst-case/average-case security guarantees. On the practical side, lattice cryptography has been shown to be very versatile, leading to an unprecedented variety of applications, from simple (and efficient) hash functions, to complex and powerful public key cryptographic primitives, culminating in the celebrated recent development of fully homomorphic encryption. Still, one important feature of lattice cryptography is simplicity: most cryptographic operations can be implemented using basic arithmetic on small numbers, and many cryptographic constructions hide an intuitive and appealing geometric interpretation in terms of point lattices. So, unlike in other areas of mathematical cryptology, even a novice can acquire, with modest effort, a good understanding not only of the potential applications, but also of the underlying mathematics of lattice cryptography.

In these notes, we give an introduction to the mathematical theory of lattices, describe the main tools and techniques used in lattice cryptography, and present an overview of the wide range of cryptographic applications. This material should be accessible to anybody with a minimal background in linear algebra and some familiarity with the computational framework of modern cryptography, but no prior knowledge about point lattices.

Keywords

Commitment Scheme, Homomorphic Encryption, Dual Lattice, Random Lattice, Short Vector



Copyright information

© Springer-Verlag Berlin Heidelberg 2011

Authors and Affiliations

  • Daniele Micciancio, UC San Diego, USA
