SPRING: Fast Pseudorandom Functions from Rounded Ring Products

  • Abhishek Banerjee
  • Hai Brenner
  • Gaëtan Leurent
  • Chris Peikert
  • Alon Rosen
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 8540)


Recently, Banerjee, Peikert and Rosen (EUROCRYPT 2012) proposed new theoretical pseudorandom function candidates based on “rounded products” in certain polynomial rings, which have rigorously provable security based on worst-case lattice problems. The functions also enjoy algebraic properties that make them highly parallelizable and attractive for modern applications, such as evaluation under homomorphic encryption schemes. However, the parameters required by BPR’s security proofs are too large for practical use, and many other practical aspects of the design were left unexplored in that work.

In this work we give two concrete and practically efficient instantiations of the BPR design, which we call SPRING, for “subset-product with rounding over a ring.” One instantiation uses a generator matrix of a binary BCH error-correcting code to “deterministically extract” nearly random bits from a (biased) rounded subset-product. The second instantiation eliminates bias by working over suitable moduli and decomposing the computation into “Chinese remainder” components.

We analyze the concrete security of these instantiations, and provide initial software implementations whose throughputs are within small factors (as small as 4.5) of those of AES.
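To make the “subset-product with rounding over a ring” design and the code-based extraction concrete, here is a toy evaluation written for this page; it is an added illustration, not code from the paper or from the authors' implementation. The ring degree N = 8, the modulus Q = 257, the input length K = 16 and the use of the [8, 4, 4] extended Hamming code in place of the paper's BCH code are all assumptions chosen for readability, not the SPRING parameters. The piling-up helper quantifies why a generator matrix whose non-zero codewords all have large weight drives the bias of every output parity down, which is the point of the first instantiation.

```python
"""Toy SPRING-style PRF: rounded subset-product in Z_Q[X]/(X^N + 1) followed by
extraction with the generator matrix of a binary linear code.

All parameters here are assumptions for illustration (tiny ring, tiny code);
they are NOT the paper's parameters and offer no security.
"""
import random
from typing import List, Optional, Sequence, Tuple

N = 8       # degree of the ring R_Q = Z_Q[X]/(X^N + 1)  (assumed toy size)
Q = 257     # ring modulus                                (assumed)
K = 16      # number of secret ring elements = PRF input bits (assumed)

Poly = List[int]             # N coefficients, each in [0, Q)
Key = Tuple[Poly, List[Poly]]

# Generator matrix of the [8, 4, 4] extended Hamming code (RM(1,3)), standing in
# for the paper's BCH generator matrix.  Every non-zero codeword has weight >= 4,
# so any parity of output bits is the XOR of at least 4 rounded bits.
G = [
    [1, 1, 1, 1, 1, 1, 1, 1],
    [0, 0, 0, 0, 1, 1, 1, 1],
    [0, 0, 1, 1, 0, 0, 1, 1],
    [0, 1, 0, 1, 0, 1, 0, 1],
]


def ring_mul(a: Poly, b: Poly) -> Poly:
    """Multiply two elements of Z_Q[X]/(X^N + 1): a negacyclic convolution."""
    out = [0] * N
    for i, ai in enumerate(a):
        for j, bj in enumerate(b):
            if i + j < N:
                out[i + j] = (out[i + j] + ai * bj) % Q
            else:  # X^N = -1, so the wrapped term picks up a sign flip
                out[i + j - N] = (out[i + j - N] - ai * bj) % Q
    return out


def keygen(seed: Optional[int] = None) -> Key:
    """Sample a and s_1..s_K uniformly from R_Q.  A seed is only for reproducible demos."""
    rng = random.Random(seed) if seed is not None else random.SystemRandom()
    sample = lambda: [rng.randrange(Q) for _ in range(N)]
    return sample(), [sample() for _ in range(K)]


def subset_product(key: Key, x: Sequence[int]) -> Poly:
    """Compute a * prod_{i : x_i = 1} s_i in R_Q.  (A product tree would parallelize it.)"""
    a, s = key
    acc = list(a)
    for s_i, x_i in zip(s, x):
        if x_i:
            acc = ring_mul(acc, s_i)
    return acc


def round_bits(c: Poly) -> List[int]:
    """Round each coefficient to its top bit, floor(2c/Q).  With Q odd this is
    slightly biased towards 0: 129 of the 257 residues map to 0."""
    return [(2 * ci) // Q for ci in c]


def extract(bits: Sequence[int]) -> List[int]:
    """Deterministic extraction: y = G * b over GF(2)."""
    return [sum(g * b for g, b in zip(row, bits)) % 2 for row in G]


def prf(key: Key, x: Sequence[int]) -> List[int]:
    """Subset product -> rounding -> code-based extraction."""
    if len(x) != K:
        raise ValueError(f"input must have {K} bits")
    return extract(round_bits(subset_product(key, x)))


def piling_up_bias(eps: float, d: int) -> float:
    """Bias (P[0] - 1/2) of the XOR of d independent bits that each have bias eps:
    2^(d-1) * eps^d.  This is why a large code minimum distance d helps."""
    return 2 ** (d - 1) * eps ** d


if __name__ == "__main__":
    key = keygen(seed=1)                     # reproducible demo key only
    x = [1, 0, 1, 1, 0, 0, 1, 0, 1, 1, 1, 0, 0, 1, 0, 1]
    print("PRF output bits:", prf(key, x))
    one_bit_bias = 129 / 257 - 0.5           # assuming a uniform coefficient mod Q
    print("bias of one rounded bit:", one_bit_bias)
    print("bias after XOR of 4 such bits:", piling_up_bias(one_bit_bias, 4))
```

The ring multiplication is the schoolbook negacyclic convolution, which is enough to show the X^N = -1 wrap-around; a real implementation would use an FFT over Z_Q as the paper's throughput figures require. The `round_bits` comment spells out where the bias the abstract mentions comes from, and `extract` is exactly the generator-matrix product that the BCH instantiation uses to shrink that bias.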


Keywords: Pseudorandom functions · Noisy learning problems · Learning with rounding · Lattices


  1. [ACPR13]
    Alberini, G., Crockett, E., Peikert, C., Rosen, A.: Fast homomorphic evaluation of symmetric-key primitives (2013) (Manuscript)
  2. [AG11]
    Arora, S., Ge, R.: New algorithms for learning in presence of errors. In: Aceto, L., Henzinger, M., Sgall, J. (eds.) ICALP 2011, Part I. LNCS, vol. 6755, pp. 403–415. Springer, Heidelberg (2011)
  3. [AR13]
    Alberini, G., Rosen, A.: Efficient rounding procedures of biased samples (2013) (Manuscript)
  4. [BBS86]
    Blum, L., Blum, M., Shub, M.: A simple unpredictable pseudo-random number generator. SIAM J. Comput. 15(2), 364–383 (1986)
  5. [BKW03]
    Blum, A., Kalai, A., Wasserman, H.: Noise-tolerant learning, the parity problem, and the statistical query model. J. ACM 50(4), 506–519 (2003)
  6. [BLMR13]
    Boneh, D., Lewi, K., Montgomery, H., Raghunathan, A.: Key homomorphic PRFs and their applications. In: Canetti, R., Garay, J.A. (eds.) CRYPTO 2013, Part I. LNCS, vol. 8042, pp. 410–428. Springer, Heidelberg (2013)
  7. [BM82]
    Blum, M., Micali, S.: How to generate cryptographically strong sequences of pseudo-random bits. SIAM J. Comput. 13(4), 850–864 (1984). Preliminary version in FOCS 1982
  8. [BPR12]
    Banerjee, A., Peikert, C., Rosen, A.: Pseudorandom functions and lattices. In: Pointcheval, D., Johansson, T. (eds.) EUROCRYPT 2012. LNCS, vol. 7237, pp. 719–737. Springer, Heidelberg (2012)
  9. [CCK+13]
    Cheon, J.H., Coron, J.-S., Kim, J., Lee, M.S., Lepoint, T., Tibouchi, M., Yun, A.: Batch fully homomorphic encryption over the integers. In: Johansson, T., Nguyen, P.Q. (eds.) EUROCRYPT 2013. LNCS, vol. 7881, pp. 315–335. Springer, Heidelberg (2013)
  10. [CN11]
    Chen, Y., Nguyen, P.Q.: BKZ 2.0: better lattice security estimates. In: Lee, D.H., Wang, X. (eds.) ASIACRYPT 2011. LNCS, vol. 7073, pp. 1–20. Springer, Heidelberg (2011)
  11. [DR02]
    Daemen, J., Rijmen, V.: The Design of Rijndael: AES — The Advanced Encryption Standard. Information Security and Cryptography. Springer, Heidelberg (2002). doi: 10.1007/978-3-662-04722-4
  12. [eBA]
    eBACS: ECRYPT Benchmarking of Cryptographic Systems. Accessed 11 Nov 2013
  13. [GGM84]
    Goldreich, O., Goldwasser, S., Micali, S.: How to construct random functions. J. ACM 33(4), 792–807 (1986). Preliminary version in FOCS 1984
  14. [GHS12]
    Gentry, C., Halevi, S., Smart, N.P.: Homomorphic evaluation of the AES circuit. In: Safavi-Naini, R., Canetti, R. (eds.) CRYPTO 2012. LNCS, vol. 7417, pp. 850–867. Springer, Heidelberg (2012)
  15. [KS09]
    Käsper, E., Schwabe, P.: Faster and timing-attack resistant AES-GCM. In: Clavier, C., Gaj, K. (eds.) CHES 2009. LNCS, vol. 5747, pp. 1–17. Springer, Heidelberg (2009)
  16. [LBF08]
    Leurent, G., Bouillaguet, C., Fouque, P.-A.: SIMD Is a Message Digest. Submission to NIST (2008)
  17. [LM06]
    Lyubashevsky, V., Micciancio, D.: Generalized compact knapsacks are collision resistant. In: Bugliesi, M., Preneel, B., Sassone, V., Wegener, I. (eds.) ICALP 2006. LNCS, vol. 4052, pp. 144–155. Springer, Heidelberg (2006)
  18. [LMPR08]
    Lyubashevsky, V., Micciancio, D., Peikert, C., Rosen, A.: SWIFFT: a modest proposal for FFT hashing. In: Nyberg, K. (ed.) FSE 2008. LNCS, vol. 5086, pp. 54–72. Springer, Heidelberg (2008)
  19. [LN13]
    Liu, M., Nguyen, P.Q.: Solving BDD by enumeration: an update. In: Dawson, E. (ed.) CT-RSA 2013. LNCS, vol. 7779, pp. 293–309. Springer, Heidelberg (2013)
  20. [LP11]
    Lindner, R., Peikert, C.: Better key sizes (and attacks) for LWE-based encryption. In: Kiayias, A. (ed.) CT-RSA 2011. LNCS, vol. 6558, pp. 319–339. Springer, Heidelberg (2011)
  21. [LPR10]
    Lyubashevsky, V., Peikert, C., Regev, O.: On ideal lattices and learning with errors over rings. In: Gilbert, H. (ed.) EUROCRYPT 2010. LNCS, vol. 6110, pp. 1–23. Springer, Heidelberg (2010)
  22. [Mic02]
    Micciancio, D.: Generalized compact knapsacks, cyclic lattices, and efficient one-way functions. Comput. Complex. 16(4), 365–411 (2007). Preliminary version in FOCS 2002
  23. [MR09]
    Micciancio, D., Regev, O.: Lattice-based cryptography. In: Bernstein, D.J., Buchmann, J., Dahmen, E. (eds.) Post Quantum Cryptography, pp. 147–191. Springer, Heidelberg (2009)
  24. [MV10]
    Micciancio, D., Voulgaris, P.: Faster exponential time algorithms for the shortest vector problem. In: SODA, pp. 1468–1480 (2010)
  25. [NIS77]
    NIST. FIPS 46–3. Data Encryption Standard. Federal Information Processing Standards, National Bureau of Standards, US Department of Commerce (1977)
  26. [NN90]
    Naor, J., Naor, M.: Small-bias probability spaces: efficient constructions and applications. SIAM J. Comput. 22(4), 838–856 (1993). Preliminary version in STOC 1990
  27. [NR95]
    Naor, M., Reingold, O.: Synthesizers and their application to the parallel construction of pseudo-random functions. J. Comput. Syst. Sci. 58(2), 336–375 (1999). Preliminary version in FOCS 1995
  28. [NR97]
    Naor, M., Reingold, O.: Number-theoretic constructions of efficient pseudo-random functions. J. ACM 51(2), 231–262 (2004). Preliminary version in FOCS 1997
  29. [NRR00]
    Naor, M., Reingold, O., Rosen, A.: Pseudorandom functions and factoring. SIAM J. Comput. 31(5), 1383–1404 (2002). Preliminary version in STOC 2000
  30. [Pei09]
    Peikert, C.: Public-key cryptosystems from the worst-case shortest vector problem. In: STOC, pp. 333–342 (2009)
  31. [PR06]
    Peikert, C., Rosen, A.: Efficient collision-resistant hashing from worst-case assumptions on cyclic lattices. In: Halevi, S., Rabin, T. (eds.) TCC 2006. LNCS, vol. 3876, pp. 145–166. Springer, Heidelberg (2006)
  32. [Reg05]
    Regev, O.: On lattices, learning with errors, random linear codes, and cryptography. J. ACM 56(6), 1–40 (2009). Preliminary version in STOC 2005
  33. [vdPS13]
    van de Pol, J., Smart, N.P.: Estimating key sizes for high dimensional lattice based systems. Cryptology ePrint Archive, Report 2013/630 (2013)
  34. [Wag02]
    Wagner, D.: A generalized birthday problem. In: Yung, M. (ed.) CRYPTO 2002. LNCS, vol. 2442, pp. 288–303. Springer, Heidelberg (2002)

Copyright information

© International Association for Cryptologic Research 2015

Authors and Affiliations

  • Abhishek Banerjee (1)
  • Hai Brenner (2)
  • Gaëtan Leurent (3)
  • Chris Peikert (1)
  • Alon Rosen (2)
  1. Georgia Institute of Technology, Atlanta, USA
  2. IDC Herzliya, Herzliya, Israel
  3. INRIA Team SECRET, Paris, France
