Almost Tight Security in Lattices with Polynomial Moduli – PRF, IBE, All-but-many LTF, and More

“…Until recently, this was only possible under an LWE assumption with large approximation factors for lack of a tightly secure low-depth lattice-based PRF based on an LWE assumption with polynomial inverse-error rate. Lai et al [75] recently showed that many tightly secure LWE-based schemes (e.g., [21,77,22]) can actually be obtained using a PRF outside NC1 without going through Barrington's theorem [12]. Their technique [75] applies to our setting and ensure that any (possibly sequential) PRF with a tight security reduction from LWE with polynomial modulus and inverse-error rate allows instantiating the scheme under a similarly standard assumption.…”

“…The simulation-soundness property is indeed tightly related to the security of the underlying pseudorandom function. By exploiting a result of Lai et al [75], it can be combined with a tightly secure lattice-based PRF so as to instantiate our scheme with a polynomial modulus.…”

“…Fortunately, a recent result of Lai et al [75] makes it possible to bypass the use of Barrington's theorem by combining any tightly secure LWE-based PRF with an FHE scheme that has a decryption circuit in NC1. For this purpose, a GGM-based construction [54] can be used by exploiting the tight security result of [75,Section 3]. As a result, we can obtain tight security under the same LWE assumption as in [75,Section 3].…”

“…For this purpose, a GGM-based construction [54] can be used by exploiting the tight security result of [75,Section 3]. As a result, we can obtain tight security under the same LWE assumption as in [75,Section 3].…”

Simulation-Sound Arguments for LWE and Applications to KDM-CCA2 Security

“…Until recently, this was only possible under an LWE assumption with large approximation factors for lack of a tightly secure low-depth lattice-based PRF based on an LWE assumption with polynomial inverse-error rate. Lai et al [75] recently showed that many tightly secure LWE-based schemes (e.g., [21,77,22]) can actually be obtained using a PRF outside NC1 without going through Barrington's theorem [12]. Their technique [75] applies to our setting and ensure that any (possibly sequential) PRF with a tight security reduction from LWE with polynomial modulus and inverse-error rate allows instantiating the scheme under a similarly standard assumption.…”

“…The simulation-soundness property is indeed tightly related to the security of the underlying pseudorandom function. By exploiting a result of Lai et al [75], it can be combined with a tightly secure lattice-based PRF so as to instantiate our scheme with a polynomial modulus.…”

“…Fortunately, a recent result of Lai et al [75] makes it possible to bypass the use of Barrington's theorem by combining any tightly secure LWE-based PRF with an FHE scheme that has a decryption circuit in NC1. For this purpose, a GGM-based construction [54] can be used by exploiting the tight security result of [75,Section 3]. As a result, we can obtain tight security under the same LWE assumption as in [75,Section 3].…”

“…For this purpose, a GGM-based construction [54] can be used by exploiting the tight security result of [75,Section 3]. As a result, we can obtain tight security under the same LWE assumption as in [75,Section 3].…”

Simulation-Sound Arguments for LWE and Applications to KDM-CCA2 Security

“…The PRF that we employed is Lai et al's work [42], which is based on standard lattice assumption i.e., learning with errors (LWE) assumption. Algorithms on Lattices.…”

An Improved Lattice-Based Ring Signature with Unclaimable Anonymity in the Standard Model

New Lattice Two-Stage Sampling Technique and Its Applications to Functional Encryption – Stronger Security and Smaller Ciphertexts