Pseudorandomness of ring-LWE for any ring and modulus

Peikert, Chris; Regev, Oded; Stephens-Davidowitz, Noah

doi:10.1145/3055399.3055489

Cited by 139 publications

(88 citation statements)

References 37 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Semantic security and pseudo-randomness of internal ciphertexts follows from Lemma 2 assuming the hardness of Ring-LWE. Setting σ = α q 1 and Since σ ≥ ω(1), hardness of decision Ring-LWE is satisfied according to Theorem 6.2 in [37] and v i is indeed indistinguishable from random and subsequently the claim follows.…”

Section: Correctness Security and Privacymentioning

confidence: 93%

“…The error term e ∈ Z λ q is sampled according to a discretized Gaussian distribution. Given only (A, b) it is hard to recover s or e. In fact, the hardness of the LWE problem can be reduced from worst-case lattice problems, even for the decision LWE problem [37].…”

Section: Lwe and Gaussian Distributionmentioning

confidence: 99%

“…Therefore, the statement follows immediately from the hardness of decision Ring-A-LWE: Ring-A-LWE samples are indistinguishable from Ring-LWE samples due to [16]. Finally, decision Ring-LWE is hard based on the hardness of worst-case lattice problems [37]. The latter holds as long as σ ≥ ω( log(κ))·(κN/ log(κN )) 1 4 , which is given by assumption.…”

Section: Correctness Security and Privacymentioning

confidence: 99%

“…The latter holds as long as σ ≥ ω( log(κ))·(κN/ log(κN )) 1 4 , which is given by assumption. Observe that this parameter constraint arises from Corollary 7.3 in [37], which states the hardness assumption for decision Ring-LWE with spherical error 9 .…”

Section: Correctness Security and Privacymentioning

confidence: 99%

See 3 more Smart Citations

Revisiting Private Stream Aggregation: Lattice-Based PSA

Becker

Guajardo

Zimmermann

2018

Proceedings 2018 Network and Distributed System Security Symposium

View full text Add to dashboard Cite

Abstract-In this age of massive data gathering for purposes of personalization, targeted ads, etc. there is an increased need for technology that allows for data analysis in a privacy-preserving manner. Private Stream Aggregation as introduced by Shi et al. (NDSS 2011) allows for the execution of aggregation operations over privacy-critical data from multiple data sources without placing trust in the aggregator and while maintaining differential privacy guarantees. We propose a generic PSA scheme, LaPS, based on the Learning With Error problem, which allows for a flexible choice of the utilized privacy-preserving mechanism while maintaining post-quantum security. We overcome the limitations of earlier schemes by relaxing previous assumptions in the security model and provide an efficient and compact scheme with high scalability. Our scheme is practical, for a plaintext space of 2 16 and 1000 participants we achieve a performance gain in decryption of roughly 150 times compared to previous results in Shi et al. (NDSS 2011).

show abstract

Section: Correctness Security and Privacymentioning

confidence: 93%

Section: Lwe and Gaussian Distributionmentioning

confidence: 99%

Section: Correctness Security and Privacymentioning

confidence: 99%

Section: Correctness Security and Privacymentioning

confidence: 99%

See 2 more Smart Citations

Revisiting Private Stream Aggregation: Lattice-Based PSA

Becker

Guajardo

Zimmermann

2018

Proceedings 2018 Network and Distributed System Security Symposium

View full text Add to dashboard Cite

show abstract

“…Let q ≥ 2 and B = O( √ n) be positive integers. χ is a distribution over R which efficiently outputs samples e ∈ R with e ∞ ≤ B with overwhelming probability in n. Then there is a quantum reduction from the RLWE n,m,q,χ problem to the SIVP γ problem and the SVP γ problem in any ideal in the ring R, where γ = O( √ n · q/B) (see [42,10,27,49]). It is shown that the hardness of the RLWE problem is preserved when the secret s is sampled from the error distribution χ (see [42,10]).…”

Section: Definition 1 ([395040]) Given a Uniform Matrixmentioning

confidence: 99%

Accountable Tracing Signatures from Lattices

Ling

Nguyen

Wang

et al. 2019

Topics in Cryptology – CT-RSA 2019

View full text Add to dashboard Cite

Group signatures allow users of a group to sign messages anonymously in the name of the group, while incorporating a tracing mechanism to revoke anonymity and identify the signer of any message. Since its introduction by Chaum and van Heyst (EUROCRYPT 1991), numerous proposals have been put forward, yielding various improvements on security, efficiency and functionality. However, a drawback of traditional group signatures is that the opening authority is given too much power, i.e., he can indiscriminately revoke anonymity and there is no mechanism to keep him accountable. To overcome this problem, Kohlweiss and Miers (PoPET 2015) introduced the notion of accountable tracing signatures (ATS) -an enhanced group signature variant in which the opening authority is kept accountable for his actions. Kohlweiss and Miers demonstrated a generic construction of ATS and put forward a concrete instantiation based on number-theoretic assumptions. To the best of our knowledge, no other ATS scheme has been known, and the problem of instantiating ATS under post-quantum assumptions, e.g., lattices, remains open to date.In this work, we provide the first lattice-based accountable tracing signature scheme. The scheme satisfies the security requirements suggested by Kohlweiss and Miers, assuming the hardness of the Ring Short Integer Solution (RSIS) and the Ring Learning With Errors (RLWE) problems. At the heart of our construction are a lattice-based key-oblivious encryption scheme and a zero-knowledge argument system allowing to prove that a given ciphertext is a valid RLWE encryption under some hidden yet certified key. These technical building blocks may be of independent interest, e.g., they can be useful for the design of other lattice-based privacy-preserving protocols. Setup(λ):On input the security parameter λ, it outputs public parameter pp.pp is implicit for all algorithms below if not explicitly mentioned. KeyGen(pp): On input pp, it generates a key pair (pk, sk). KeyRand(pk): On input the public key pk, it outputs a new public key pk ′ for the same secret key. Enc(pk, m): On inputs pk and a message m, it outputs a ciphertext ct on this message. Dec(sk, ct): On inputs sk and ct, it outputs the decrypted message m ′ .Correctness. The above scheme must satisfy the following correctness requirement: For all λ, all pp ← Setup(λ), all (pk, sk) ← KeyGen(pp), all pk ′ ← KeyRand(pk), all m, Dec(sk, Enc(pk ′ , m)) = m.

show abstract

Digital Signatures from the Middle-Product LWE

Hiromasa

2018

Provable Security

View full text Add to dashboard Cite

Pseudorandomness of ring-LWE for any ring and modulus

Cited by 139 publications

References 37 publications

Revisiting Private Stream Aggregation: Lattice-Based PSA

Revisiting Private Stream Aggregation: Lattice-Based PSA

Accountable Tracing Signatures from Lattices

Digital Signatures from the Middle-Product LWE

Contact Info

Product

Resources

About