Structural Lattice Reduction: Generalized Worst-Case to Average-Case Reductions and Homomorphic Cryptosystems

  • Nicolas Gama
  • Malika Izabachène
  • Phong Q. Nguyen
  • Xiang Xie
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 9666)


In lattice cryptography, worst-case to average-case reductions rely on two problems: Ajtai’s SIS and Regev’s LWE, which both refer to a very small class of random lattices related to the group \(G=\mathbb {Z}_q^n\). We generalize worst-case to average-case reductions to all integer lattices of sufficiently large determinant, by allowing G to be any (sufficiently large) finite abelian group. Our main tool is a novel generalization of lattice reduction, which we call structural lattice reduction: given a finite abelian group G and a lattice L, it finds a short basis of some lattice \(\bar{L}\) such that \(L \subseteq \bar{L}\) and \(\bar{L}/L \simeq G\). Our group generalizations of SIS and LWE allow us to abstract lattice cryptography, yet preserve worst-case assumptions: as an illustration, we provide a somewhat conceptually simpler generalization of the Alperin-Sheriff-Peikert variant of the Gentry-Sahai-Waters homomorphic scheme. We introduce homomorphic mux gates, which allow us to homomorphically evaluate any boolean function with a noise overhead proportional to the square root of its number of variables, and to bootstrap the full scheme using only a linear noise overhead.
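The homomorphic mux gate mentioned in the abstract, as an added illustration that is not the paper's code: a toy GSW-style scheme in the Alperin-Sheriff-Peikert form (ciphertexts C with s·C = e + μ·s·G) evaluates a boolean function given by its truth table as a tree of muxes whose leaves are noise-free trivial encryptions μ·G, so only the selection levels contribute noise and the noise of the unselected branch is discarded. The parameters (n = 4, q = 2^24), the key layout, the error distribution and the `run` helper are assumptions made for this example, not choices taken from the paper.

```python
import numpy as np

n, l = 4, 24                 # toy parameters (assumed): secret dimension, bit length of q
q, N = 1 << l, n * l         # modulus q = 2^l, gadget width N = n * l
rng = np.random.default_rng(7)
# Gadget matrix G (n x N): row i holds 1, 2, ..., 2^(l-1) in columns i*l .. (i+1)*l - 1.
G = np.kron(np.eye(n, dtype=np.int64), (1 << np.arange(l, dtype=np.int64))[None, :])

def g_inv(C):
    """Bit-decompose every column of C (n x N) into a 0/1 matrix B (N x N) with G @ B == C."""
    return ((C[:, None, :] >> np.arange(l)[None, :, None]) & 1).reshape(N, N)

def keygen():
    t = rng.integers(0, q, size=n - 1)
    A = rng.integers(0, q, size=(n - 1, N))
    e = rng.integers(-1, 2, size=N)                  # error in {-1, 0, 1}
    P = np.vstack([A, (t @ A + e) % q])              # public matrix with s @ P = e (mod q)
    return np.concatenate([(-t) % q, [1]]), P        # secret s has last coordinate 1

def encrypt(P, mu):
    """Ciphertext of bit mu: s @ C = e @ R + mu * (s @ G) (mod q)."""
    return (P @ rng.integers(0, 2, size=(N, N)) + mu * G) % q

def decrypt(s, C):
    v = int((s @ C[:, N - 1]) % q)                   # last column of G is (0, ..., 0, q/2)
    return int(q // 4 <= v < 3 * q // 4)

def noise(s, C, mu):
    """Largest centred noise coordinate of C seen as an encryption of mu (for inspection)."""
    d = (s @ C - mu * (s @ G)) % q
    return int(np.abs(np.where(d > q // 2, d - q, d)).max())

def mux(Cc, Ca, Cb):
    """Homomorphic c ? a : b; noise = e_c @ (G^-1(Ca) - G^-1(Cb)) + noise of the chosen branch."""
    return (Cc @ g_inv(Ca) + (G - Cc) @ g_inv(Cb)) % q

def eval_truth_table(table, cts):
    """Evaluate f (truth table indexed by x_0 + 2*x_1 + ...) on encrypted bits via a mux tree."""
    if not cts:
        return (table[0] * G) % q                    # noise-free trivial encryption at a leaf
    half = len(table) // 2
    hi = eval_truth_table(table[half:], cts[:-1])    # branch x_{k-1} = 1
    lo = eval_truth_table(table[:half], cts[:-1])    # branch x_{k-1} = 0
    return mux(cts[-1], hi, lo)

def run(table, bits):
    """Encrypt bits, evaluate the table homomorphically; return (decrypted bit, noise)."""
    s, P = keygen()
    C = eval_truth_table(table, [encrypt(P, b) for b in bits])
    return decrypt(s, C), noise(s, C, table[sum(b << i for i, b in enumerate(bits))])
```

With these parameters each mux level adds at most N·N = 9216 to the noise, so a 3-variable function stays far below the q/4 decryption threshold; `noise` lets you observe that the total grows with the depth of the tree rather than compounding multiplicatively.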



Part of this work has been supported by Fonds Unique Interministériel (FUI) through the CRYPTOCOMP project and the EIT Digital project HC@WORKS, China’s 973 Program (Grant 2013CB834205), and NSFC’s Key Project (Grant 61133013).


Copyright information

© International Association for Cryptologic Research 2016

Authors and Affiliations

  • Nicolas Gama (1, 2)
  • Malika Izabachène (3)
  • Phong Q. Nguyen (4, 5)
  • Xiang Xie (6)
  1. Laboratoire de Mathématiques de Versailles, UVSQ, CNRS, Université Paris-Saclay, Versailles, France
  2. Inpher, Lausanne, Switzerland
  3. CEA, LIST, Gif-sur-Yvette Cedex, France
  4. Inria, Paris, France
  5. CNRS/JFLI and the University of Tokyo, Tokyo, Japan
  6. Huawei Technologies, Shenzhen, China
