Ideal lattice explained

In discrete mathematics, ideal lattices are a special class of lattices and a generalization of cyclic lattices.[1] Ideal lattices naturally occur in many parts of number theory, but also in other areas. In particular, they have a significant place in cryptography. Micciancio defined a generalization of cyclic lattices as ideal lattices. They can be used in cryptosystems to decrease by a square root the number of parameters necessary to describe a lattice, making them more efficient. Ideal lattices are a new concept, but similar lattice classes have been used for a long time. For example, cyclic lattices, a special case of ideal lattices, are used in NTRUEncrypt and NTRUSign.

Ideal lattices also form the basis for quantum computer attack resistant cryptography based on the Ring Learning with Errors.[2] These cryptosystems are provably secure under the assumption that the shortest vector problem (SVP) is hard in these ideal lattices.

Introduction

In general terms, ideal lattices are lattices corresponding to ideals in rings of the form

Z[x]/\langlef\rangle

for some irreducible polynomial

f

of degree

n

.[1] All of the definitions of ideal lattices from prior work are instances of the following general notion: let

R

be a ring whose additive group is isomorphic to

Zn

(i.e., it is a free

Z

-module of rank

n

), and let

\sigma

be an additive isomorphism mapping

R

to some lattice

\sigma(R)

in an

n

-dimensional real vector space (e.g.,

Rn

). The family of ideal lattices for the ring

R

under the embedding

\sigma

is the set of all lattices

\sigma(I)

, where

I

is an ideal in

R.

[3]

Definition

Notation

Let

f\inZ[x]

be a monic polynomial of degree

n

, and consider the quotient ring

Z[x]/\langlef\rangle

.

Using the standard set of representatives

\lbrace(g\bmodf):g\inZ[x]\rbrace

, and identification of polynomials with vectors, the quotient ring

Z[x]/\langlef\rangle

is isomorphic (as an additive group) to the integer lattice

Zn

, and any ideal

I\subseteqZ[x]/\langlef\rangle

defines a corresponding integer sublattice

l{L}(I)\subseteqZn

.

An ideal lattice is an integer lattice

l{L}(B)\subseteqZn

such that

B=\lbraceg\bmodf:g\inI\rbrace

for some monic polynomial

f

of degree

n

and ideal

I\subseteqZ[x]/\langlef\rangle

.

Related properties

It turns out that the relevant properties of

f

for the resulting function to be collision resistant are:

f

should be irreducible.

\lVertg\rVertf

is not much bigger than

\lVertg\rVertinfty

for any polynomial

g

, in a quantitative sense.

Z[x]/\langlef\rangle

defines a full-rank lattice in

Zn

and plays a fundamental role in proofs.

I

of

Z[x]/\langlef\rangle

, where

f

is a monic, irreducible integer polynomial of degree

n

, is isomorphic to a full-rank lattice in

Zn

.

Ding and Lindner[4] gave evidence that distinguishing ideal lattices from general ones can be done in polynomial time and showed that in practice randomly chosen lattices are never ideal. They only considered the case where the lattice has full rank, i.e. the basis consists of

n

linear independent vectors. This is not a fundamental restriction because Lyubashevsky and Micciancio have shown that if a lattice is ideal with respect to an irreducible monic polynomial, then it has full rank, as given in the above lemma.

Algorithm: Identifying ideal lattices with full rank bases

Data: A full-rank basis

B\inZ(n,n)


Result: true and

bf{q}

, if

B

spans an ideal lattice with respect to

bf{q}

, otherwise false.
  1. Transform

B

into HNF
  1. Calculate

A={\rmadj}(B)

,

d=\det(B)

, and

z=B(n,n)

  1. Calculate the product

P=AMB\bmodd

  1. if only the last column of P is non-zero then
  2. set

c=P(\centerdot,n)

to equal this column
  1. else return false
  2. if

z\midci

for

i=1,\ldots,n

then
  1. use CRT to find

q\ast\equiv(c/z)\bmod(d/z)

and

q\ast\equiv0\bmodz

  1. else return false
  2. if

Bq\ast\equiv0\bmod(d/z)

then
  1. return true,

q=Bq\ast/d

  1. else return false

where the matrix M is

M=\begin{pmatrix} 0&&&&0\\ &&&&\\ &&&&\\ In-1&&&&\\ &&&&0 \end{pmatrix}

Using this algorithm, it can be seen that many lattices are not ideal lattices. For example, let

n=2

and

k\inZ\smallsetminus\lbrace0,\pm1\rbrace

, then

B1=\begin{pmatrix} k&0\\ 0&1 \end{pmatrix}

is ideal, but

B2=\begin{pmatrix} 1&0\\ 0&k \end{pmatrix}

is not.

B2

with

k=2

is an example given by Lyubashevsky and Micciancio.[5]

Performing the algorithm on it and referring to the basis as B, matrix B is already in Hermite Normal Form so the first step is not needed. The determinant is

d=2

, the adjugate matrix

A=\begin{pmatrix} 2&0\\ 0&1 \end{pmatrix},

M=\begin{pmatrix} 0&0\\ 1&0 \end{pmatrix}

and finally, the product

P=AMB\bmodd

is

P=\begin{pmatrix} 0&0\\ 1&0 \end{pmatrix}.

At this point the algorithm stops, because all but the last column of

P

have to be zero if

B

would span an ideal lattice.

Use in cryptography

Micciancio[6] introduced the class of structured cyclic lattices, which correspond to ideals in polynomial rings

Z[x]/(xn-1)

, and presented the first provably secure one-way function based on the worst-case hardness of the restriction of Poly(n)-SVP to cyclic lattices. (The problem γ-SVP consists in computing a non-zero vector of a given lattice, whose norm is no more than γ times larger than the norm of a shortest non-zero lattice vector.) At the same time, thanks to its algebraic structure, this one-way function enjoys high efficiency comparable to the NTRU scheme

\tilde{O}(n)

evaluation time and storage cost). Subsequently, Lyubashevsky and Micciancio[5] and independently Peikert and Rosen[7] showed how to modify Micciancio's function to construct an efficient and provably secure collision resistant hash function. For this, they introduced the more general class of ideal lattices, which correspond to ideals in polynomial rings

Z[x]/f(x)

. The collision resistance relies on the hardness of the restriction of Poly(n)-SVP to ideal lattices (called Poly(n)-Ideal-SVP). The average-case collision-finding problem is a natural computational problem called Ideal-SIS, which has been shown to be as hard as the worst-case instances of Ideal-SVP. Provably secure efficient signature schemes from ideal lattices have also been proposed,[1] [8] but constructing efficient provably secure public key encryption from ideal lattices was an interesting open problem.

The fundamental idea of using LWE and Ring LWE for key exchange was proposed and filed at the University of Cincinnati in 2011 by Jintai Ding and provided a state of the art description of a quantum resistant key exchange using Ring LWE. The paper[9] appeared in 2012 after a provisional patent application was filed in 2012. In 2014, Peikert presented a key transport scheme following the same basic idea of Ding's, where the new idea of sending additional signal for rounding in Ding's construction is also utilized. A digital signature using the same concepts was done several years earlier by Vadim Lyubashevsky in, "Lattice Signatures Without Trapdoors."[10] Together, the work of Peikert and Lyubashevsky provide a suite of Ring-LWE based quantum attack resistant algorithms with the same security reductions.

Efficient collision resistant hash functions

The main usefulness of the ideal lattices in cryptography stems from the fact that very efficient and practical collision resistant hash functions can be built based on the hardness of finding an approximate shortest vector in such lattices.[1] Independently constructed collision resistant hash functions by Peikert and Rosen,[7] as well as Lyubashevsky and Micciancio, based on ideal lattices (a generalization of cyclic lattices), and provided a fast and practical implementation.[3] These results paved the way for other efficient cryptographic constructions including identification schemes and signatures.

R=Zp[x]/\langlef\rangle

, where

f\inZp[x]

is a monic, irreducible polynomial of degree

n

and

p

is an integer of order roughly

n2

, generate

m

random elements

a1,...,am\inR

, where

m

is a constant. The ordered

m

-tuple

h=(a1,\ldots,am)\inRm

determines the hash function. It will map elements in

Dm

, where

D

is a strategically chosen subset of

R

, to

R

. For an element

b=(b1,\ldots,bm)\inDm

, the hash is

h(b)=

m
\sum
i=1

\alphai\centerdotbi

. Here the size of the key (the hash function) is

O(mnlogp)=O(nlogn)

, and the operation

\alphai\centerdotbi

can be done in time

O(nlognloglogn)

by using the Fast Fourier Transform (FFT), for appropriate choice of the polynomial

f

. Since

m

is a constant,hashing requires time

O(nlognloglogn)

. They proved that the hash function family is collision resistant by showing that if there is a polynomial-time algorithm that succeeds with non-negligible probability in finding

bb'\inDm

such that

h(b)=h(b')

, for a randomly chosen hash function

h\inRm

, then a certainproblem called the “shortest vector problem” is solvable in polynomial time for every ideal of the ring

Z[x]/\langlef\rangle

.

Based on the work of Lyubashevsky and Micciancio in 2006, Micciancio and Regev[11] defined the following algorithm of hash functions based on ideal lattices:

q,n,m,d

with

n\midm

, and vector f

\inZn

.

m/n

vectors

a1,\ldots,am/n

chosen independently and uniformly at random in
n
Z
q
.

fA:\lbrace0,\ldots,d-1\rbracem\longrightarrow

n
Z
q
given by

fA(y)=[F\asta1|\ldots|F\astam/n]y\bmodq

.

Here

n,m,q,d

are parameters, f is a vector in

Zn

and

A

is a block-matrix with structured blocks

A(i)=F\asta(i)

.

Finding short vectors in

\perp
Λ
q

([F\asta1|\ldots|F\astam/n])

on the average (even with just inverse polynomialprobability) is as hard as solving various lattice problems (such as approximate SVP and SIVP) in the worstcase over ideal lattices, provided the vector f satisfies the following two properties:

n

, typically

O(\sqrt{n}))

norm.

f(x)=

n+f
x
n

xn-1+ … +f1\inZ[x]

is irreducible over the integers, i.e., it does not factor into the product of integer polynomials of smaller degree.

The first property is satisfied by the vector

F=(-1,0,\ldots,0)

corresponding to circulant matrices,because all the coordinates of [F∗u]v are bounded by 1, and hence

\lVert[bf{F}\astbf{u}]bf{v}\rVert\leq{\sqrt{n}}

. However, the polynomial

xn-1

corresponding to

f=(-1,0,\ldots,0)

is not irreducible because it factors into

(x-1)(xn-1+xn-2+ … +x+1)

, and this is why collisions can be efficiently found. So,

f=(-1,0,\ldots,0)

is not a good choice to get collision resistant hash functions, but many other choices are possible. For example, some choices of f for which both properties are satisfied (and therefore, result in collision resistant hash functions with worst-case security guarantees) are

f=(1,\ldots,1)\inZn

where

n+1

is prime, and

f=(1,0,\ldots,0)\inZn

for

n

equal to a power of 2.

Digital signatures

Digital signatures schemes are among the most important cryptographic primitives. They can be obtained by using the one-way functions based on the worst-case hardness of lattice problems. However, they are impractical. A number of new digital signature schemes based on learning with errors, ring learning with errors and trapdoor lattices have been developed since the learning with errors problem was applied in a cryptographic context.

Their direct construction of digital signatures based on the complexity of approximating the shortest vector in ideal (e.g., cyclic) lattices.[8] The scheme of Lyubashevsky and Micciancio[8] has worst-case security guarantees based on ideal lattices and it is the most asymptotically efficient construction known to date, yielding signature generation and verification algorithms that run in almost linear time.[11]

One of the main open problems that was raised by their work is constructing a one-time signature with similar efficiency, but based on a weaker hardness assumption. For instance, it would be great to provide a one-time signature with security based on the hardness of approximating the Shortest Vector Problem (SVP) (in ideal lattices) to within a factor of

\tilde{O}(n)

.[8]

Z[x]/\langlef\rangle

for any irreducible polynomial

f

.

Key-Generation Algorithm:Input:

1n

, irreducible polynomial

f\inZ

of degree

n

.
  1. Set

p\longleftarrow(\varphin)3

,

m\longleftarrow\lceillogn\rceil

,

R\longleftarrowZp[x]/\langlef\rangle

  1. For all positive

i

, let the sets

DKi

and

DLi

be defined as:

DKi=\lbrace\hat{y}\inRm

such that

\lVert\hat{y}\rVertinfty\leq5ip1/m\rbrace

DLi=\lbrace\hat{y}\inRm

such that

\lVert\hat{y}\rVertinfty\leq5in\varphip1/m\rbrace

  1. Choose uniformly random

h\inl{H}R,m

  1. Pick a uniformly random string

r\in\lbrace0,1

\lfloorlog2n\rfloor
\rbrace

  1. If

r=

\lfloorlog2n\rfloor
0

then
  1. Set

j=\lfloorlog2n\rfloor

  1. else
  2. Set

j

to the position of the first 1 in the string

r

  1. end if
  2. Pick

\hat{k},\hat{l}

independently and uniformly at random from

DKj

and

DLj

respectively
  1. Signing Key:

(\hat{k},\hat{l})

. Verification Key:

(h,h(\hat{k}),h(\hat{l}))

Signing Algorithm:

Input: Message

z\inR

such that

\lVertz\rVertinfty\leq1

; signing key

(\hat{k},\hat{l})

Output:

\hat{s}\longleftarrow\hat{k}z+\hat{l}

Verification Algorithm:

Input: Message

z

; signature

\hat{s}

; verification key

(h,h(\hat{k}),h(\hat{l}))

Output: “ACCEPT”, if

\lVert\hat{s}\rVertinfty\leq10\varphip1/mnlog2n

and

\hat{s}=\hat{k}z+\hat{l}

“REJECT”, otherwise.

The SWIFFT hash function

The hash function is quite efficient and can be computed asymptotically in

\tilde{O}(m)

time using the Fast Fourier Transform (FFT) over the complex numbers. However, in practice, this carries a substantial overhead. The SWIFFT family of hash functions defined by Micciancio and Regev[11] is essentially a highly optimized variant of the hash function above using the (FFT) in

Zq

. The vector f is set to

(1,0,...,0)\inZn

for

n

equal to a power of 2, so that the corresponding polynomial

xn+1

is irreducible.Let

q

be a prime number such that

2n

divides

q-1

, and let

bf{W}\in

n x n
Z
q
be an invertible matrix over

Zq

to be chosen later. The SWIFFT hash function maps a key

\tilde{a}(1),\ldots,\tilde{a}(m/n)

consisting of

m/n

vectors chosen uniformly from
n
Z
q

and an input

y\in\lbrace0,\ldots,d-1\rbracem

to

bf{W}\centerdotfA(y)\bmodq

where

bf{A}=[bf{F}\ast\alpha(1),\ldots,bf{F}\ast\alpha(m/n)]

is as before and

\alpha(i)=bf{W}-1\tilde{a}(i)\bmodq

.Multiplication by the invertible matrix

bf{W}-1

maps a uniformly chosen

\tilde{a}\in

n
Z
q
to a uniformly chosen

\alpha\in

n
Z
q
. Moreover,

bf{W}\centerdot

\centerdot
f
A(y)=bf{W}

fA(y')\pmodq

if and only if

fA(y)=fA(y')\pmodq

.Together, these two facts establish that finding collisions in SWIFFT is equivalent to finding collisions in the underlying ideal lattice function

fA

, and the claimed collision resistance property of SWIFFT is supported by the connection to worst case lattice problems on ideal lattices.

The algorithm of the SWIFFT hash function is:

n,m,q,d

such that

n

is a power of 2,

q

is prime,

2n\mid(q-1)

and

n\midm

.

m/n

vectors

\tilde{a}1,\ldots,\tilde{a}m/n

chosen independently and uniformly at random in
n
Z
q
.

m/n

vectors

y(1),...,y(m/n)\in\lbrace0,...,d-1\rbracen

.
m/n
\sum
i=1

\tilde{a}(i)\odot(bf{W}y(i))\in

n
Z
q
, where

\odot

is the component-wise vector product.

Learning with errors (LWE)

Ring-LWE

Learning with errors (LWE) problem has been shown to be as hard as worst-case lattice problems and has served as the foundation for many cryptographic applications. However, these applications are inefficient because of an inherent quadratic overhead in the use of LWE. To get truly efficient LWE applications, Lyubashevsky, Peikert and Regev[3] defined an appropriate version of the LWE problem in a wide class of rings and proved its hardness under worst-case assumptions on ideal lattices in these rings. They called their LWE version ring-LWE.

Let

f(x)=xn+1\inZ[x]

, where the security parameter

n

is a power of 2, making

f(x)

irreducible over the rationals. (This particular

f(x)

comes from the family of cyclotomic polynomials, which play a special role in this work).

Let

R=Z[x]/\langlef(x)\rangle

be the ring of integer polynomials modulo

f(x)

. Elements of

R

(i.e., residues modulo

f(x)

) are typically represented by integer polynomials of degree less than

n

. Let

q\equiv1\bmod2n

be a sufficiently large public prime modulus (bounded by a polynomial in

n

), and let

Rq=R/\langleq\rangle=Zq[x]/\langlef(x)\rangle

be the ring of integer polynomials modulo both

f(x)

and

q

. Elements of

Rq

may be represented by polynomials of degree less than

n

-whose coefficients are from

\lbrace0,...,q-1\rbrace

.

In the above-described ring, the R-LWE problem may be described as follows.Let

s=s(x)\inRq

be a uniformly random ring element, which is kept secret. Analogously to standard LWE, the goal of the attacker is to distinguish arbitrarily many (independent) ‘random noisy ring equations’ from truly uniform ones. More specifically, the noisy equations are of the form

(a,ba\centerdots)\inRq x Rq

, where a is uniformly random and the product

a\centerdots

is perturbed by some ‘small’ random error term, chosen from a certain distribution over

R

.

They gave a quantum reduction from approximate SVP (in the worst case) on ideal lattices in

R

to the search version of ring-LWE, where the goal is to recover the secret

s\inRq

(with high probability, for any

s

) from arbitrarily many noisy products. This result follows the general outline of Regev's iterative quantum reduction for general lattices,[12] but ideal lattices introduce several new technical roadblocks in both the ‘algebraic’ and ‘geometric’ components of the reduction. They[3] used algebraic number theory, in particular, the canonical embedding of a number field and the Chinese Remainder Theorem to overcome these obstacles. They got the following theorem:

Theorem Let

K

be an arbitrary number field of degree

n

. Let

\alpha=\alpha(n)\in(0,1)

be arbitrary, and let the (rational) integer modulus

q=q(n)\geq2

be such that

\alpha\centerdotq\geq\omega(\sqrt{logn})

. There is a probabilistic polynomial-time quantum reduction from

K

-

DGS\gamma

to

l{O}K

-

LWEq,

, where

\gamma=η\epsilon(I)\centerdot\omega(\sqrt{logn})/\alpha

.

In 2013, Guneysu, Lyubashevsky, and Poppleman proposed a digital signature scheme based on the Ring Learning with Errors problem.[13] In 2014, Peikert presented a Ring Learning with Errors Key Exchange (RLWE-KEX) in his paper, "Lattice Cryptography for the Internet."[14] This was further developed by the work of Singh.[15]

Ideal-LWE

Stehle, Steinfeld, Tanaka and Xagawa[16] defined a structured variant of LWE problem (Ideal-LWE) to describe an efficient public key encryption scheme based on the worst case hardness of the approximate SVP in ideal lattices. This is the first CPA-secure public key encryption scheme whose security relies on the hardness of the worst-case instances of

\tilde{O}(n2)

-Ideal-SVP against subexponential quantum attacks. It achieves asymptotically optimal efficiency: the public/private key length is

\tilde{O}(n)

bits and the amortized encryption/decryption cost is

\tilde{O}(1)

bit operations per message bit (encrypting

\tilde{\Omega}(n)

bits at once, at a

\tilde{O}(n)

cost). The security assumption here is that

\tilde{O}(n2)

-Ideal-SVP cannot be solved by any subexponential time quantum algorithm. It is noteworthy that this is stronger than standard public key cryptography security assumptions. On the other hand, contrary to the most of public key cryptography, lattice-based cryptography allows security against subexponential quantum attacks.

Most of the cryptosystems based on general lattices rely on the average-case hardness of the Learning with errors (LWE). Their scheme is based on a structured variant of LWE, that they call Ideal-LWE. They needed to introduce some techniques to circumvent two main difficulties that arise from the restriction to ideal lattices. Firstly, the previous cryptosystems based on unstructured lattices all make use of Regev's worst-case to average-case classical reduction from Bounded Distance Decoding problem (BDD) to LWE (this is the classical step in the quantum reduction from SVP to LWE). This reduction exploits the unstructured-ness of the considered lattices, and does not seem to carry over to the structured lattices involved in Ideal-LWE. In particular, the probabilistic independence of the rows of the LWE matrices allows to consider a single row. Secondly, the other ingredient used in previous cryptosystems, namely Regev's reduction from the computational variant of LWE to its decisional variant, also seems to fail for Ideal-LWE: it relies on the probabilistic independence of the columns of the LWE matrices.

To overcome these difficulties, they avoided the classical step of the reduction. Instead, they used the quantum step to construct a new quantum average-case reduction from SIS (average-case collision-finding problem) to LWE. It also works from Ideal-SIS to Ideal-LWE. Combined with the reduction from worst-case Ideal-SVP to average-case Ideal-SIS, they obtained the a quantum reduction from Ideal-SVP to Ideal-LWE. This shows the hardness of the computational variant of Ideal-LWE. Because they did not obtain the hardness of the decisional variant, they used a generic hardcore function to derive pseudorandom bits for encryption. This is why they needed to assume the exponential hardness of SVP.

Fully homomorphic encryption

A fully homomorphic encryption (FHE) scheme is one which allows for computation over encrypted data, without first needing to decrypt. The problem of constructing a fully homomorphic encryption scheme was first put forward by Rivest, Adleman and Dertouzos[17] in 1978, shortly after the invention of RSA by Rivest, Adleman and Shamir.[18]

An encryption scheme

\varepsilon=(KeyGen,Encrypt,Decrypt,Eval)

is homomorphic for circuits in

l{C}

if, for any circuit

C\inl{C}

,

given

PK,SK\leftarrowKeyGen(1λ)

,

y=Encrypt(PK,x)

, and

y'=Eval(PK,C,y)

,

it holds that

Decrypt(SK,y')=C(x)

.

\varepsilon

is fully homomorphic if it is homomorphic for all circuits of size

\operatorname{poly}(λ)

where

λ

is the scheme's security parameter.

In 2009, Gentry[19] proposed the first solution to the problem of constructing a fully homomorphic encryption scheme. His scheme was based on ideal lattices.

See also

References

  1. Book: 10.1007/978-3-540-78440-1_10 . http://cseweb.ucsd.edu/users/vlyubash/papers/idlatticeconf.pdf . Lattice-Based Identification Schemes Secure Under Active Attacks . Public Key Cryptography – PKC 2008 . Lecture Notes in Computer Science . 2008 . Lyubashevsky . Vadim . 4939 . 162–179 . 978-3-540-78439-5 .
  2. Book: 2010. 1–23. Vadim. Lyubashevsky. Chris. Peikert. Oded. Regev. Advances in Cryptology – EUROCRYPT 2010 . On Ideal Lattices and Learning with Errors over Rings . Lecture Notes in Computer Science . 6110 . 10.1.1.297.6108. 10.1007/978-3-642-13190-5_1. 978-3-642-13189-9 . Gilbert. Henri .
  3. Book: 10.1007/978-3-642-13190-5_1 . On Ideal Lattices and Learning with Errors over Rings . Advances in Cryptology – EUROCRYPT 2010 . Lecture Notes in Computer Science . 2010 . Lyubashevsky . Vadim . Peikert . Chris . Regev . Oded . 6110 . 1–23 . 978-3-642-13189-9 .
  4. Jintai Ding and Richard Lindner. Identifying Ideal Lattices. In Cryptology ePrint Archive, Report 2007/322, 2007.
  5. Book: 10.1007/11787006_13 . http://cseweb.ucsd.edu/users/vlyubash/papers/generalknapsackfull.pdf . Generalized Compact Knapsacks Are Collision Resistant . Automata, Languages and Programming . Lecture Notes in Computer Science . 2006 . Lyubashevsky . Vadim . Micciancio . Daniele . 4052 . 144–155 . 978-3-540-35907-4 .
  6. Generalized Compact Knapsacks, Cyclic Lattices, and Efficient One-Way Functions . 10.1007/s00037-007-0234-9 . 2007 . Micciancio . Daniele . Computational Complexity . 16 . 4 . 365–411 . free .
  7. Book: 10.1007/11681878_8 . http://www.cc.gatech.edu/~cpeikert/pubs/cyclic-crh.pdf . https://web.archive.org/web/20121016050722/http://www.cc.gatech.edu/~cpeikert/pubs/cyclic-crh.pdf. 2012-10-16 . Efficient Collision-Resistant Hashing from Worst-Case Assumptions on Cyclic Lattices . Theory of Cryptography . Lecture Notes in Computer Science . 2006 . Peikert . Chris . Rosen . Alon . 3876 . 145–166 . 978-3-540-32731-8 .
  8. Book: https://www.iacr.org/archive/tcc2008/49480032/49480032.pdf . 10.1007/978-3-540-78524-8_3 . Asymptotically Efficient Lattice-Based Digital Signatures . Theory of Cryptography . Lecture Notes in Computer Science . 2008 . Lyubashevsky . Vadim . Micciancio . Daniele . 4948 . 37–54 . 978-3-540-78523-1 .
  9. Book: A Simple Provably Secure Key Exchange Scheme Based on the Learning with Errors Problem. Ding. Jintai. Xie. Xiang. Lin. Xiaodong. 2012.
  10. Book: 10.1007/978-3-642-29011-4_43 . https://eprint.iacr.org/2011/537.pdf . Lattice Signatures without Trapdoors . Advances in Cryptology – EUROCRYPT 2012 . Lecture Notes in Computer Science . 2012 . Lyubashevsky . Vadim . 7237 . 738–755 . 978-3-642-29010-7 .
  11. Book: 10.1007/978-3-540-88702-7_5 . http://www.cs.tau.ac.il/~odedr/papers/pqc.pdf . https://web.archive.org/web/20110723090945/http://www.cs.tau.ac.il/~odedr/papers/pqc.pdf. 2011-07-23 . Lattice-based Cryptography . Post-Quantum Cryptography . 2009 . Micciancio . Daniele . Regev . Oded . 147–191 . 978-3-540-88701-0 .
  12. On lattices, learning with errors, random linear codes, and cryptography . https://web.archive.org/web/20101206195712/http://www.cs.tau.ac.il/~odedr/papers/qcrypto.pdf . 2401.03703 . 10.1145/1568318.1568324. 2010-12-06 . 2009 . Regev . Oded . Journal of the ACM . 56 . 6 . 1–40 .
  13. Book: Practical Lattice-Based Cryptography: A Signature Scheme for Embedded Systems. https://www.di.ens.fr/~lyubash/papers/signaturechess.pdf. https://web.archive.org/web/20140518004537/https://www.di.ens.fr/~lyubash/papers/signaturechess.pdf . 10.1007/978-3-642-33027-8_31. 2014-05-18 . Cryptographic Hardware and Embedded Systems – CHES 2012 . Lecture Notes in Computer Science . 2012 . Güneysu . Tim . Lyubashevsky . Vadim . Pöppelmann . Thomas . 7428 . 530–547 . 978-3-642-33026-1 .
  14. Book: Peikert, Chris. Springer International Publishing. 2014-10-01. 978-3-319-11658-7. 197–219. Lecture Notes in Computer Science. Michele. Mosca. 10.1007/978-3-319-11659-4_12. Post-Quantum Cryptography. 8772. Lattice Cryptography for the Internet. 10.1.1.800.4743. 8123895 .
  15. A Practical Key Exchange for the Internet using Lattice Cryptography. 2015. Vikram. Singh. Cryptology ePrint Archive .
  16. Book: 10.1007/978-3-642-10366-7_36 . http://eprint.iacr.org/2009/285.pdf . Efficient Public Key Encryption Based on Ideal Lattices: (Extended Abstract) . Advances in Cryptology – ASIACRYPT 2009 . Lecture Notes in Computer Science . 2009 . Stehlé . Damien . Steinfeld . Ron . Tanaka . Keisuke . Xagawa . Keita . 5912 . 617–635 . 978-3-642-10365-0 .
  17. Book: Rivest . R. . Adleman . L. . Dertouzos . M. . 1978 . On data banks and privacy homomorphisms . https://luca-giuzzi.unibs.it/corsi/Support/papers-cryptography/RAD78.pdf . In Foundations of Secure Computation . 169–180 . Academic Press.
  18. 10.1145/359340.359342 . A method for obtaining digital signatures and public-key cryptosystems . 1978 . Rivest . R. L. . Shamir . A. . Adleman . L. . Communications of the ACM . 21 . 2 . 120–126 . 1721.1/148910 . free .
  19. Book: http://portal.acm.org/citation.cfm?id=1536414.1536440 . 10.1145/1536414.1536440 . Fully homomorphic encryption using ideal lattices . Proceedings of the forty-first annual ACM symposium on Theory of computing . 2009 . Gentry . Craig . 169–178 . 978-1-60558-506-2 .

This article is licensed under the GNU Free Documentation License. It uses material from the Wikipedia article "Ideal lattice".

Except where otherwise indicated, Everything.Explained.Today is © Copyright 2009-2025, A B Cryer, All Rights Reserved. Cookie policy.