Skip to main content
Book cover

Post-Quantum Cryptography pp 147–191Cite as

Lattice-based Cryptography

  • Chapter

In this chapter we describe some of the recent progress in lattice-based cryptography. Lattice-based cryptographic constructions hold a great promise for post-quantum cryptography, as they enjoy very strong security proofs based on worst-case hardness, relatively efficient implementations, as well as great simplicity. In addition, lattice-based cryptography is believed to be secure against quantum computers. Our focus here will be mainly on the practical aspects of lattice-based cryptography and less on the methods used to establish their security. For other surveys on the topic of lattice-based cryptography, see, e.g., [36, 52, 60, 71] and the lecture notes [51, 67]. The survey by Nguyen and Stern [60] also describes some applications of lattices in cryptanalysis, an important topic that we do not discuss here. Another useful resource is the book by Micciancio and Goldwasser [49], which also contains a wealth of information on the computational complexity aspects of lattice problems.

Keywords

  • Hash Function
  • Signature Scheme
  • Lattice Problem
  • Quantum Algorithm
  • Random Oracle Model

These keywords were added by machine and not by the authors. This process is experimental and the keywords may be updated as the learning algorithm improves.

This is a preview of subscription content, access via your institution.

Chapter
USD   29.95
Price excludes VAT (USA)
  • DOI: 10.1007/978-3-540-88702-7_5
  • Chapter length: 45 pages
  • Instant PDF download
  • Readable on all devices
  • Own it forever
  • Exclusive offer for individuals only
  • Tax calculation will be finalised during checkout
eBook
USD   119.00
Price excludes VAT (USA)
  • ISBN: 978-3-540-88702-7
  • Instant PDF download
  • Readable on all devices
  • Own it forever
  • Exclusive offer for individuals only
  • Tax calculation will be finalised during checkout
Softcover Book
USD   159.99
Price excludes VAT (USA)
Hardcover Book
USD   159.99
Price excludes VAT (USA)
Learn about institutional subscriptions

Preview

Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.

References

  1. Adleman, L.M.: Factoring and lattice reduction (1995). Unpublished manuscript.

    Google Scholar 

  2. Aharonov, D. and Regev, O.: Lattice problems in NP intersect coNP. Journal of the ACM, 52(5):749–765 (2005). Preliminary version in FOCS 2004.

    CrossRef  MathSciNet  Google Scholar 

  3. Ajtai, M.: The shortest vector problem in l 2 is NP-hard for randomized reductions (extended abstract) 10–19. In Proc. 30th ACM Symp. on Theory of Computing (STOC), pages 10–19. ACM (1998).

    Google Scholar 

  4. Ajtai, M.: Representing hard lattices with O(nlogn) bits. In Proc. 37th Annual ACM Symp. on Theory of Computing (STOC) (2005).

    Google Scholar 

  5. Ajtai, M. and Dwork, C: A public-key cryptosystem with worst-case/average-case equivalence. In Proc. 29th Annual ACM Symp. on Theory of Computing (STOC), pages 284–293 (1997).

    Google Scholar 

  6. Ajtai, M., Kumar, R., and Sivakumar, D.: A sieve algorithm for the shortest lattice vector problem. In Proc. 33rd ACM Symp. on Theory of Computing, pages 601–610 (2001).

    Google Scholar 

  7. Ajtai, M.: Generating hard instances of lattice problems. In Complexity of computations and proofs, volume 13 of Quad. Mat., pages 1–32. Dept. Math., Seconda Univ. Napoli, Caserta (2004). Preliminary version in STOC 1996.

    Google Scholar 

  8. Babai, L.: On Lovász lattice reduction and the nearest lattice point problem. Combinatorica, 6:1–13 (1986).

    MATH  CrossRef  MathSciNet  Google Scholar 

  9. Blum, A., Kalai, A., and Wasserman, H.: Noise-tolerant learning, the parity problem, and the statistical query model. Journal of the ACM, 50(4):506–519 (2003). Preliminary version in STOC'00.

    CrossRef  MathSciNet  Google Scholar 

  10. Buchmann, J., Lindner, R., and Rückert, M.: Creating a lattice challenge (2008). Manuscript.

    Google Scholar 

  11. Cai, J.Y. and Nerurkar, A.: An improved worst-case to average-case connection for lattice problems. In Proc. 38th IEEE Symp. on Found. of Comp. Science, pages 468–477 (1997).

    Google Scholar 

  12. Cai, J.Y. and Nerurkar, A.: Approximating the SVP to within a factor (1 + 1/dime) is NP-hard under randomized reductions. J. Comput. System Sci., 59(2):221–239 (1999). ISSN 0022-0000.

    MATH  CrossRef  MathSciNet  Google Scholar 

  13. Coppersmith, D. and Shamir, A.: Lattice attacks on NTRU. In Proc. of Euro-crypt '97, volume 1233 of LNCS. IACR, Springer (1997).

    Google Scholar 

  14. Dinur, I., Kindler, G., Raz, R., and Safra, S.: Approximating CVP to within almost-polynomial factors is NP-hard. Combinatorica, 23(2):205–243 (2003).

    MATH  CrossRef  MathSciNet  Google Scholar 

  15. Gama, N. and Nguyen, P.Q.: Finding short lattice vectors within Mordell's inequality. In Proc. 40th ACM Symp. on Theory of Computing (STOC), pages 207–216 (2008).

    Google Scholar 

  16. Gama, N. and Nguyen, P.Q.: Predicting lattice reduction. In Advances in Cryptology — Proc. Eurocrypt '08, Lecture Notes in Computer Science. Springer (2008).

    Google Scholar 

  17. Gentry, C. and Szydlo, M.: Cryptanalysis of the revised NTRU signature scheme. In Proc. of Eurocrypt ɗ02, volume 2332 of LNCS. Springer-Verlag (2002).

    Google Scholar 

  18. Gentry, C, Peikert, C, and Vaikuntanathan, V.: Trapdoors for hard lattices and new cryptographic constructions. In Proc. 40th ACM Symp. on Theory of Computing (STOC), pages 197–206 (2008).

    Google Scholar 

  19. Goldreich, O., Goldwasser, S., and Halevi, S.: Public-key cryptosystems from lattice reduction problems. In Advances in cryptology, volume 1294 of Lecture Notes in Comput. Sci., pages 112–131. Springer (1997).

    Google Scholar 

  20. Goldreich, O. and Goldwasser, S.: On the limits of nonapproximability of lattice problems. Journal of Computer and System Sciences, 60(3):540–563 (2000). Preliminary version in STOC 1998.

    MATH  CrossRef  MathSciNet  Google Scholar 

  21. Goldreich, O., Goldwasser, S., and Halevi, S.: Collision-free hashing from lattice problems. Technical Report TR96–056, Electronic Colloquium on Computational Complexity (ECCC) (1996).

    Google Scholar 

  22. Goldreich, O., Goldwasser, S., and Halevi, S.: Eliminating decryption errors in the Ajtai-Dwork cryptosystem. In Advances in cryptology, volume 1294 of Lecture Notes in Comput. Sci., pages 105–111. Springer (1997).

    Google Scholar 

  23. Goldwasser, S. and Micali, S.: Probabilistic encryption. Journal of Computer and System Sience, 28(2):270–299 (1984). Preliminary version in Proc. of STOC 1982.

    MATH  CrossRef  MathSciNet  Google Scholar 

  24. Goldwasser, S., Micali, S., and Rivest, R.L.: A digital signature scheme secure against adaptive chosen-message attacks. SIAM J. on Computing, 17(2):281–308 (1987).

    CrossRef  MathSciNet  Google Scholar 

  25. Haviv, I. and Regev, O.: Tensor-based hardness of the shortest vector problem to within almost polynomial factors. In Proc. 39th ACM Symp. on Theory of Computing (STOC), pages 469–477 (2007).

    Google Scholar 

  26. Hoffstein, J., Graham, N.A.H., Pipher, J., Silverman, J.H., and Whyte, W.: NTRUSIGN: Digital signatures using the NTRU lattice. In Proc. of CT-RSA, volume 2612 of Lecture Notes in Comput. Sci., pages 122–140. Springer-Verlag (2003).

    Google Scholar 

  27. Hoffstein, J., Graham, N.A.H., Pipher, J., Silverman, J.H., and Whyte, W.: Performances improvements and a baseline parameter generation algorithm for NTRUsign. In Proc. of Workshop on Mathematical Problems and Techniques in Cryptology, pages 99–126. CRM (2005).

    Google Scholar 

  28. Hoffstein, J., Howgrave-Graham, N., Pipher, J., and Silverman, J.H.: Hybrid lattice reduction and meet in the middle resistant parameter selection for NTRU-Encrypt. Submission/contribution to ieee p1363.1, NTRU Cryptosystems, Inc., URL http://grouper.ieee.org/groups/1363/lattPK/submissions.html#2007-02 (2007).

  29. Hoffstein, J., Pipher, J., and Silverman, J.H.: NTRU: a ring based public key cryptosystem. In Proceedings of ANTS-III, volume 1423 of LNCS, pages 267– 288. Springer (1998).

    Google Scholar 

  30. Howgrave-Graham, N.: A hybrid lattice-reduction and meet-in-the-middle attack against NTRU. In Advances in cryptology (CRYPTO), pages 150–169 (2007).

    Google Scholar 

  31. Kannan, R.: Improved algorithms for integer programming and related lattice problems. In Proc. 15th ACM Symp. on Theory of Computing (STOC), pages 193–206. ACM (1983).

    Google Scholar 

  32. Kawachi, A., Tanaka, K., and Xagawa, K.: Multi-bit cryptosystems based on lattice problems. In Public Key Cryptography — PKC 2007, volume 4450 of Lecture Notes in Comput. Sci., pages 315–329. Springer, Berlin (2007).

    CrossRef  Google Scholar 

  33. Khot, S.: Hardness of approximating the shortest vector problem in lattices. In Proc. 45th Annual IEEE Symp. on Foundations of Computer Science (FOCS), pages 126–135 (2004).

    Google Scholar 

  34. Khot, S.: Inapproximability results for computational problems on lattices (2007). Survey paper prepared for the LLL+25 conference. To appear.

    Google Scholar 

  35. Klein, P.: Finding the closest lattice vector when it's unusually close. In Proc. 11th Annual ACM-SIAM Symposium on Discrete Algorithms, pages 937–941 (2000).

    Google Scholar 

  36. Kumar, R. and Sivakumar, D.: Complexity of SVP — a reader's digest. SIGACT News, 32(3):40–52 (2001). doi:http://doi.acm.org/10.1145/582475.582484.

    CrossRef  Google Scholar 

  37. Lagarias, J.C., Lenstra, Jr., H.W., and Schnorr, C.P.: Korkin-Zolotarev bases and successive minima of a lattice and its reciprocal lattice. Combinatorica, 10(4):333–348 (1990).

    MATH  CrossRef  MathSciNet  Google Scholar 

  38. Lenstra, A.K. and Lenstra, Jr., H.W., editors: The development of the number field sieve, volume 1554 of Lecture Notes in Mathematics. Springer-Verlag, Berlin (1993). ISBN 3-540-57013-6.

    MATH  Google Scholar 

  39. Lenstra, A.K., Lenstra, Jr., H.W., and Lovász, L.: Factoring polynomials with rational coefficients. Math. Ann., 261(4):515–534 (1982).

    MATH  CrossRef  MathSciNet  Google Scholar 

  40. Lindner, R. and Rückert, M.: The lattice challence (2008). Available at http://www.latticechallenge.org/.

  41. Ludwig, C.: A faster lattice reduction method using quantum search. In ISAAC, pages 199–208 (2003).

    Google Scholar 

  42. Lyubashevsky, V. and Micciancio, D.: Generalized compact knapsacks are collision resistant. In 33rd International Colloquium on Automata, Languages and Programming (ICALP) (2006).

    Google Scholar 

  43. Lyubashevsky, V. and Micciancio, D.: Asymptotically efficient lattice-based digital signatures. In Fifth Theory of Cryptography Conference (TCC), volume 4948 of Lecture Notes in Computer Science. Springer (2008).

    Google Scholar 

  44. Lyubashevsky, V.: Lattice-based identification schemes secure under active attacks. In PKC'08, number 4939 in LNCS, pages 162–179 (2008).

    Google Scholar 

  45. Lyubashevsky, V., Micciancio, D., Peikert, C., and Rosen, A.: SWIFFT: a modest proposal for FFT hashing. In FSE 2008 (2008).

    Google Scholar 

  46. McEliece, R.: A public-key cryptosystem based on algebraic number theory. Technical report, Jet Propulsion Laboratory (1978). DSN Progress Report 42-44.

    Google Scholar 

  47. Micciancio, D.: The shortest vector problem is NP-hard to approximate to within some constant. SIAM J. on Computing, 30(6):2008–2035 (2001). Preliminary version in FOCS 1998.

    MATH  CrossRef  MathSciNet  Google Scholar 

  48. Micciancio, D.: Improved cryptographic hash functions with worst-case/average-case connection. In Proc. 34th ACM Symp. on Theory of Computing (STOC), pages 609–618 (2002).

    Google Scholar 

  49. Micciancio, D. and Goldwasser, S.: Complexity of Lattice Problems: A Cryptographic Perspective, volume 671 of The Kluwer International Series in Engineering and Computer Science. Kluwer Academic Publishers, Boston, Massachusetts (2002).

    Google Scholar 

  50. Micciancio, D.: Improving lattice based cryptosystems using the hermite normal form. In J. Silverman, editor, Cryptography and Lattices Conference — CaLC 2001, volume 2146 of Lecture Notes in Computer Science, pages 126–145. Springer-Verlag, Providence, Rhode Island (2001).

    Google Scholar 

  51. Micciancio, D.: Lattices in cryptography and cryptanalysis (2002). Lecture notes of a course given in UC San Diego.

    Google Scholar 

  52. Micciancio, D.: Cryptographic functions from worst-case complexity assumptions (2007). Survey paper prepared for the LLL+25 conference. To appear.

    Google Scholar 

  53. Micciancio, D.: Generalized compact knapsacks, cyclic lattices, and efficient oneway functions from worst-case complexity assumptions. Computational Complexity, 16(4):365–411 (2007). Preliminary versions in FOCS 2002 and ECCC TR04-095.

    MATH  CrossRef  MathSciNet  Google Scholar 

  54. Micciancio, D. and Regev, O.: Worst-case to average-case reductions based on Gaussian measures. In Proc. 45th Annual IEEE Symp. on Foundations of Computer Science (FOCS), pages 372–381 (2004).

    Google Scholar 

  55. Micciancio, D. and Vadhan, S.: Statistical zero-knowledge proofs with efficient provers: lattice problems and more. In Advances in cryptology (CRYPTO), volume 2729 of Lecture Notes in Computer Science, pages 282–298. Springer-Verlag (2003).

    MathSciNet  CrossRef  Google Scholar 

  56. Naor, M. and Yung, M.: Universal one-way hash functions and their cryptographic applications. In Proc. 21st ACM Symp. on Theory of Computing (STOC), pages 33–43 (1989).

    Google Scholar 

  57. Nguyen, P.Q. and Vidick, T.: Sieve algorithms for the shortest vector problem are practical. J. of Mathematical Cryptology (2008). To appear.

    Google Scholar 

  58. Nguyen, P. and Stern, J.: Cryptanalysis of the Ajtai-Dwork cryptosystem. In Advances in cryptology (CRYPTO), volume 1462 of Lecture Notes in Comput. Sci., pages 223–242. Springer (1998).

    Google Scholar 

  59. Nguyen, P.Q. and Regev, O.: Learning a parallelepiped: Cryptanalysis of GGH and NTRU signatures. In The 25th International Cryptology Conference (Eu-rocrypt), pages 271–288 (2006).

    Google Scholar 

  60. Nguyen, P.Q. and Stern, J.: The two faces of lattices in cryptology. In J.H. Silverman, editor, Cryptography and Lattices, International Conference (CaLC 2001), number 2146 in Lecture Notes in Computer Science, pages 146–180 (2001).

    Google Scholar 

  61. Peikert, C. and Rosen, A.: Efficient collision-resistant hashing from worst-case assumptions on cyclic lattices. In 3rd Theory of Cryptography Conference (TCC), pages 145–166 (2006).

    Google Scholar 

  62. Peikert, C. and Rosen, A.: Lattices that admit logarithmic worst-case to average-case connection factors. In Proc. 39th ACM Symp. on Theory of Computing (STOC), pages 478–487 (2007).

    Google Scholar 

  63. Peikert, C. and Vaikuntanathan, V.: Noninteractive statistical zero-knowledge proofs for lattice problems. In Advances in Cryptology (CRYPTO), LNCS. Springer (2008).

    Google Scholar 

  64. Peikert, C, Vaikuntanathan, V., and Waters, B.: A framework for efficient and composable oblivious transfer. In Advances in Cryptology (CRYPTO), LNCS. Springer (2008).

    Google Scholar 

  65. Peikert, C. and Waters, B.: Lossy trapdoor functions and their applications. In Proc. 40th ACM Symp. on Theory of Computing (STOC), pages 187–196 (2008).

    Google Scholar 

  66. Peikert, C.J.: Limits on the hardness of lattice problems in l p norms. Computational Complexity (2008). To appear. Preliminary version in Proc. of CCC 2007.

    Google Scholar 

  67. Regev, O.: Lattices in computer science (2004). Lecture notes of a course given in Tel Aviv University.

    Google Scholar 

  68. Regev, O.: New lattice-based cryptographic constructions. Journal of the ACM, 51(6):899–942 (2004). Preliminary version in STOC'03.

    Google Scholar 

  69. Regev, O.: Quantum computation and lattice problems. SIAM J. on Computing, 33(3):738–760 (2004). Preliminary version in FOCS'02.

    Google Scholar 

  70. Regev, O.: On lattices, learning with errors, random linear codes, and cryptography. In Proc. 37th ACM Symp. on Theory of Computing (STOC), pages 84–93 (2005).

    Google Scholar 

  71. Regev, O.: Lattice-based cryptography. In Advances in cryptology (CRYPTO), pages 131–141 (2006).

    Google Scholar 

  72. Regev, O.: On the complexity of lattice problems with polynomial approximation factors (2007). Survey paper prepared for the LLL+25 conference. To appear.

    Google Scholar 

  73. Schnorr, C.P.: A hierarchy of polynomial time lattice basis reduction algorithms. Theoretical Computer Science, 53(2–3):201–224 (1987).

    MATH  CrossRef  MathSciNet  Google Scholar 

  74. Schnorr, C.P.: Factoring integers and computing discrete logarithms via Dio-phantine approximation. In J.Y. Cai, editor, Advances in computational complexity, volume 13 of DIMACS Series in Discrete Mathematics and Theoretical Computer Science, pages 171–182. AMS (1993). Preliminary version in Euro-crypt '91.

    Google Scholar 

  75. Shoup, V.: NTL: A library for doing number theory. Available at http://www.shoup.net/ntl/.

  76. Szydlo, M.: Hypercubic lattice reduction and analysis of GGH and NTRU signatures. In Proc. of Eurocrypt '03, volume 2656 of LNCS. Springer-Verlag (2003).

    Google Scholar 

  77. van Emde Boas, P.: Another NP-complete problem and the complexity of computing short vectors in a lattice. Technical report, University of Amsterdam, Department of Mathematics, Netherlands (1981). Technical Report 8104.

    Google Scholar 

  78. Wagner, D.: A generalized birthday problem. In Advances in cryptology (CRYPTO), volume 2442 of LNCS, pages 288–303. Springer (2002).

    Google Scholar 

Download references

Author information

Authors and Affiliations

  1. CSE Department, University of California, San Diego

    Daniele Micciancio

Authors
  1. Daniele Micciancio
    View author publications

    You can also search for this author in PubMed Google Scholar

  2. Oded Regev
    View author publications

    You can also search for this author in PubMed Google Scholar

Editor information

Editors and Affiliations

  1. Department of Computer Science, University of Illinois, Chicago, 851 S. Morgan St., Chicago, IL, 60607-7053, USA

    Daniel J. Bernstein

  2. Department of Computer Science, Technische Universität Darmstadt, Hochschulstr. 10, Darmstadt, 64289, Germany

    Johannes Buchmann & Erik Dahmen & 

Rights and permissions

Reprints and Permissions

Copyright information

© 2009 Springer-Verlag Berlin Heidelberg

About this chapter

Cite this chapter

Micciancio, D., Regev, O. (2009). Lattice-based Cryptography. In: Bernstein, D.J., Buchmann, J., Dahmen, E. (eds) Post-Quantum Cryptography. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-540-88702-7_5

Download citation