Lattice-Based Cryptography

1. Gaussian error distributions Lattice-Based Cryptography (or, fast and provably secure cryptography) Why lattice-based cryptography? • FAST: Speeds approaching Symmetric Crypto primitives (e.g., AES) • SECURE: Best attacks take exponential time, secure against quantum attacks What is a lattice? Ring-based learning with errors problem (R-LWE) Let be a prime, . Consider the ring of polynomials . Given a secret element and a number of pairs where are chosen uniformly at random, and are chosen coefficient wise according to the discrete error distribution . R-LWE problem: Find the secret (search), or distinguish whether a list of pairs was chosen as described above or whether both were chosen uniformly at random (decision). = Long basis = Bad basis Short basis = Good basis Secret-key Encryption from R-LWE (One-time) Signatures from R-LWE • : Sample a “small” ring element . • Secret key: • : Let be the encoding of message as a “small” element of . is uniformly random in is a • small ring element . • Encryption: . • : Output • : Sample uniform random , four “small” ring elements . • Verification key: , • Secret key: • : Let be the encoding of message as a “small” element of , . • Signature: . • : Check and . • Output “accept” if both checks succeed, and “reject” otherwise. This scheme can be turned into a fully homomorphic encryption, that can compute any function on encrypted data.