Towards Practical GGM-Based PRF from (Module-)Learning-with-Rounding

  • Chitchanok Chuengsatiansup
  • Damien Stehlé
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 11959)


We investigate the efficiency of a (Module-)LWR-based PRF built using the GGM design. Our construction enjoys the security proof of the GGM construction and relies on the (Module-)LWR hardness assumption, which is believed to be post-quantum secure. We propose GGM-based PRFs from PRGs with a larger output-to-input ratio. This reduces the number of PRG invocations, which improves the PRF performance and reduces the security loss in the GGM security reduction. Our construction bridges the gap between practical and provably secure PRFs. We demonstrate the efficiency of our construction by providing parameters achieving at least 128-bit post-quantum security and optimized implementations utilizing AVX2 vector instructions. Our PRF requires, on average, only 39.4 cycles per output byte.
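To illustrate the point of the abstract, here is an added toy example (not the paper's code or parameters) of a k-ary GGM PRF built on an LWR-based PRG: the PRG rounds A·s mod q from Z_q down to Z_p and repacks the rounded bits into k child secrets, so each tree level consumes log2(k) input bits and the number of PRG calls for an n-bit input falls from n to n/log2(k). The moduli q = 4096 and p = 16, the dimension 32, the SHAKE-128 expansion of the public matrix, and the key and seed values are assumptions chosen for readability, not secure parameters.

```python
import hashlib

# Toy LWR parameters (assumptions for illustration, NOT the paper's secure parameters).
Q, P, N = 4096, 16, 32            # modulus q, rounding modulus p, secret dimension
BITS_Q, BITS_P = 12, 4            # bits per Z_q coordinate / per rounded Z_p coordinate

def public_matrix(seed: bytes, rows: int):
    """Expand a public seed into A in Z_q^{rows x N}; SHAKE-128 as XOF is an assumption."""
    raw = hashlib.shake_128(seed).digest(rows * N * 2)
    return [[int.from_bytes(raw[2 * (i * N + j):2 * (i * N + j) + 2], "little") % Q
             for j in range(N)] for i in range(rows)]

def lwr_prg(s, A, k):
    """LWR PRG with expansion ratio k: round A.s mod q from Z_q to Z_p,
    then repack the rounded bits into k fresh secrets in Z_q^N."""
    m = k * N * BITS_Q // BITS_P              # rows needed to emit k secrets
    bits = 0
    for i in range(m):
        x = sum(A[i][j] * s[j] for j in range(N)) % Q
        bits = (bits << BITS_P) | ((x * P + Q // 2) // Q % P)   # round_p(x)
    mask = (1 << (N * BITS_Q)) - 1
    return [[(blk >> ((N - 1 - j) * BITS_Q)) & (Q - 1) for j in range(N)]
            for blk in ((bits >> ((k - 1 - t) * N * BITS_Q)) & mask for t in range(k))]

def ggm_prf(key, x: int, xbits: int, k: int, A):
    """k-ary GGM PRF: each level spends one PRG call to consume log2(k) input bits.
    Returns (output block in Z_q^N, number of PRG calls)."""
    chunk = k.bit_length() - 1                # k must be a power of two
    assert k == 1 << chunk and xbits % chunk == 0
    s, calls = list(key), 0
    for level in range(0, xbits, chunk):
        idx = (x >> (xbits - level - chunk)) & (k - 1)   # next chunk of x, MSB first
        s = lwr_prg(s, A, k)[idx]                        # descend into child idx
        calls += 1
    return s, calls

# Constructed key and public matrix sized for the largest branching factor used (k=4).
KEY = [(131 * i + 17) % Q for i in range(N)]
A_PUB = public_matrix(b"toy-public-seed", 4 * N * BITS_Q // BITS_P)

if __name__ == "__main__":
    for k in (2, 4):
        out, calls = ggm_prf(KEY, 0xBEEF, 16, k, A_PUB)
        print(f"k={k}: {calls} PRG calls for 16 input bits, first coords {out[:4]}")
```

For k = 2 the tree is the classic binary GGM with one PRG call per input bit; for k = 4 the same 16-bit input is consumed in 8 calls, halving both the work and the number of hybrids in the GGM security reduction.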


Keywords: Pseudorandom function; Post-quantum security; (Module-)learning-with-rounding; Efficient implementation; Karatsuba multiplication


Copyright information

© Springer Nature Switzerland AG 2020

Authors and Affiliations

  1. Inria and ENS de Lyon, Lyon, France
  2. ENS de Lyon, Laboratoire LIP (U. Lyon, CNRS, ENSL, INRIA, UCBL), Lyon, France
