Lattice-Based Cryptography(or, fast and provably secure cryptography)

Ring-based learning with errors problem (R-LWE)

(One-time) Signatures from R-LWESecret-key Encryption from R-LWE

What is a lattice?

• : Sample uniform random , four “small” ring elements .Verification key: ,Secret key:

• : Let be the encoding of message as a “small” element of , .Signature: .

• : Check and .Output “accept” if both checks succeed, and “reject” otherwise.

Gaussian error distributions

Let be a prime, . Consider the ring of polynomials.

Given a secret element and a number of pairs

where are chosen uniformly at random, and are chosen coefficient wise according to the discrete error distribution .R-LWE problem: Find the secret (search), or distinguish whether a list of pairs was chosen as described above or whether both were chosen uniformly at random (decision).

Why lattice-based cryptography?

Short basis = Good basis Long basis = Bad basis

FAST: Speeds approaching Symmetric Crypto primitives (e.g., AES)

SECURE: Best attacks take exponential time, secure against quantum attacks

• : Sample a “small” ring element .Secret key:

• : Let be the encoding of message as a “small” element of . is uniformly random in is asmall ring element .

Encryption: .• : Output

This scheme can be turned into a fully homomorphic encryption, that can compute any function on encrypted data.

=