Improving Lattice Based Cryptosystems Using the Hermite Normal Form

  • Daniele Micciancio
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 2146)


We describe a simple technique that can be used to substantially reduce the key and ciphertext size of various lattice based cryptosystems and trapdoor functions of the kind proposed by Goldreich, Goldwasser and Halevi (GGH). The improvement is significant both from the theoretical and practical point of view, reducing the size of both key and ciphertext by a factor n equal to the dimension of the lattice (i.e., several hundred for typical values of the security parameter). The efficiency improvement is obtained without decreasing the security of the functions: we formally prove that the new functions are at least as secure as the original ones, and possibly even more secure, since the adversary receives less information in a strong information theoretic sense. The increased efficiency of the new cryptosystems allows the use of larger values for the security parameter, making the functions secure against the best known cryptanalytic attacks, while keeping the size of the key even below the smallest key size for which lattice cryptosystems were ever conjectured to be hard to break.
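As an added illustration (not code from the paper), the Python below shows the idea behind the abstract: the Hermite Normal Form (HNF) is a canonical basis of a lattice, so any two bases of the same lattice produce the same HNF; for a generic integer lattice the HNF is upper triangular with diagonal (1, ..., 1, d), so the whole basis is determined by its last column (n integers instead of n²); and reducing a vector modulo the HNF yields the unique short representative of its coset, which is where the ciphertext saving comes from. The bases, vectors and function names here are constructed for this example and are not from the paper.

```python
"""Worked illustration of the Hermite Normal Form (HNF) key-compression idea.

Row i of a basis is the i-th basis vector; the lattice is the set of integer
combinations of the rows.  Plain Python integers, small dimension only.
"""


def hnf(basis):
    """Return the row-style HNF of a full-rank square integer matrix.

    The result H satisfies H = U * basis for a unimodular U (same lattice),
    is upper triangular with a positive diagonal, and every entry above a
    pivot is reduced into [0, pivot).  Only integer row operations are used,
    so the lattice never changes.
    """
    A = [list(row) for row in basis]
    n = len(A)
    for col in range(n):
        # Euclid on column `col` over rows col..n-1 until one pivot remains.
        for r in range(col + 1, n):
            while A[r][col] != 0:
                q = A[col][col] // A[r][col]
                A[col] = [a - q * b for a, b in zip(A[col], A[r])]
                A[col], A[r] = A[r], A[col]
        if A[col][col] == 0:
            raise ValueError("basis is not full rank")
        if A[col][col] < 0:
            A[col] = [-a for a in A[col]]
        # Reduce the entries above the pivot into [0, pivot).
        for r in range(col):
            q = A[r][col] // A[col][col]
            A[r] = [a - q * b for a, b in zip(A[r], A[col])]
    return A


def reduce_mod_hnf(v, H):
    """Unique representative of the coset v + L(H) with 0 <= v[i] < H[i][i]."""
    v = list(v)
    for i, row in enumerate(H):       # rows are processed top-down because
        q = v[i] // row[i]            # row i only touches coordinates >= i
        v = [a - q * b for a, b in zip(v, row)]
    return v


def is_compact(H):
    """True when the diagonal is (1, ..., 1, d), the usual case for random lattices."""
    return all(H[i][i] == 1 for i in range(len(H) - 1))


def compact_key(H):
    """Last column of a compact HNF: the n integers that determine the key."""
    if not is_compact(H):
        raise ValueError("HNF is not in compact form")
    return [row[-1] for row in H]


def expand_key(last_col):
    """Rebuild the full HNF from its last column (inverse of compact_key)."""
    n = len(last_col)
    H = [[1 if i == j else 0 for j in range(n)] for i in range(n)]
    for i in range(n):
        H[i][-1] = last_col[i]        # row n-1 gets the determinant d
    return H


# Constructed private basis (hypothetical; not from the paper).
PRIVATE_BASIS = [[2, 3, 5], [7, 11, 1], [4, 6, 3]]
# Another basis of the same lattice: first row replaced by row0 + row1.
OTHER_BASIS = [[9, 14, 6], [7, 11, 1], [4, 6, 3]]


def demo():
    H = hnf(PRIVATE_BASIS)
    assert hnf(OTHER_BASIS) == H               # HNF is canonical for the lattice
    key = compact_key(H)                        # n integers instead of n*n
    assert expand_key(key) == H
    v = [5, -3, 4]                              # constructed vector to reduce
    c = reduce_mod_hnf(v, H)
    shifted = [a + b for a, b in zip(v, PRIVATE_BASIS[0])]
    assert reduce_mod_hnf(shifted, H) == c      # same coset, same representative
    return H, key, c


if __name__ == "__main__":
    H, key, c = demo()
    print("HNF:", H)
    print("compact public key:", key)
    print("reduced vector:", c)
```

For the constructed lattice the HNF has diagonal (1, 1, 7), so the public key collapses to the last column and every vector reduces to the form (0, 0, c) with 0 <= c < 7; the factor-n saving in the abstract is exactly this collapse of n² entries to n and of an n-vector to a single integer.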


Keywords: Lattices, trapdoor functions, public-key encryption




References

1. M. Ajtai. Generating hard instances of lattice problems (extended abstract). In Proceedings of the Twenty-Eighth Annual ACM Symposium on the Theory of Computing, pages 99–108, Philadelphia, Pennsylvania, 22–24 May 1996.
2. M. Ajtai and C. Dwork. A public-key cryptosystem with worst-case/average-case equivalence. In Proceedings of the Twenty-Ninth Annual ACM Symposium on Theory of Computing, pages 284–293, El Paso, Texas, 4–6 May 1997.
3. S. Arora, L. Babai, J. Stern, and E. Z. Sweedyk. The hardness of approximate optima in lattices, codes, and systems of linear equations. J. Comput. Syst. Sci., 54(2):317–331, Apr. 1997. Preliminary version in FOCS’93.
4. L. Babai. On Lovász’ lattice reduction and the nearest lattice point problem. Combinatorica, 6(1):1–13, 1986.
5. M. Bellare and P. Rogaway. Random oracles are practical: A paradigm for designing efficient protocols. In Proceedings of the First ACM Conference on Computer and Communications Security. ACM, Nov. 1993.
6. J.-Y. Cai and T. W. Cusick. A lattice-based public-key cryptosystem. Information and Computation, 151(1–2):17–31, May–June 1999.
7. A. Canteaut and N. Sendrier. Cryptanalysis of the original McEliece cryptosystem. In K. Ohta and D. Pei, editors, Advances in Cryptology — Proceedings of Asiacrypt’98, volume 1514 of Lecture Notes in Computer Science, pages 187–199, Beijing, China, 1998.
8. H. Daudé and B. Vallée. An upper bound on the average number of iterations of the LLL algorithm. Theoretical Computer Science, 123(1):95–115, Jan. 1994.
9. I. Dinur, G. Kindler, and S. Safra. Approximating CVP to within almost-polynomial factors is NP-hard. In 39th Annual Symposium on Foundations of Computer Science, Palo Alto, California, 7–10 Nov. 1998. IEEE.
10. R. Fischlin and J.-P. Seifert. Tensor-based trapdoors for CVP and their application to public key cryptography. In 7th IMA International Conference “Cryptography and Coding”, volume 1746 of Lecture Notes in Computer Science, pages 244–257. Springer-Verlag, 1999.
11. E. Fujisaki and T. Okamoto. Secure integration of asymmetric and symmetric encryption schemes. In M. Wiener, editor, Advances in Cryptology — CRYPTO’99, volume 1666 of Lecture Notes in Computer Science, pages 537–554, University of California, Santa Barbara, Aug. 1999. IACR, Springer-Verlag.
12. E. Fujisaki and T. Okamoto. How to enhance the security of public-key encryption at minimum cost. IEICE Transactions on Fundamentals of Electronics, Communications and Computer Sciences, E38-A(1):24–32, Jan. 2000.
13. O. Goldreich, S. Goldwasser, and S. Halevi. The GGH cryptosystem, challenge page.
14. O. Goldreich, S. Goldwasser, and S. Halevi. Public-key cryptosystems from lattice reduction problems. In B. S. Kaliski Jr., editor, Advances in Cryptology — CRYPTO’97, volume 1294 of Lecture Notes in Computer Science, pages 112–131. Springer-Verlag, 17–21 Aug. 1997.
15. O. Goldreich and L. Levin. A hard predicate for all one-way functions. In Proceedings of the 21st Annual Symposium on Theory of Computing (STOC). ACM, 1989.
16. S. Goldwasser and S. Micali. Probabilistic encryption. Journal of Computer and System Sciences, 28(2):270–299, 1984. Preliminary version in STOC’82.
17. J. Hoffstein, J. Pipher, and J. H. Silverman. NTRU: A ring based public key cryptosystem. In J. Buhler, editor, Algorithmic Number Theory (ANTS III), volume 1423 of Lecture Notes in Computer Science, pages 267–288, Portland, OR, 1998. Springer.
18. P. Klein. Finding the closest lattice vector when it’s unusually close. In Proceedings of the 11th Symposium on Discrete Algorithms, San Francisco, California, Jan. 2000. SIAM.
19. A. K. Lenstra, H. W. Lenstra, Jr., and L. Lovász. Factoring polynomials with rational coefficients. Mathematische Annalen, 261:513–534, 1982.
20. Y. X. Li, R. H. Deng, and X. M. Wang. On the equivalence of McEliece’s and Niederreiter’s public-key cryptosystems. IEEE Transactions on Information Theory, 40(1):271–273, Jan. 1994.
21. R. J. McEliece. A public-key cryptosystem based on algebraic coding theory. DSN Progress Report 42-44, Jet Propulsion Laboratory, Pasadena, 1978.
22. D. Micciancio. The hardness of the closest vector problem with preprocessing. IEEE Transactions on Information Theory, 2001. To appear.
23. D. Micciancio and B. Warinschi. A linear space algorithm for computing the Hermite Normal Form. In B. Mourrain, editor, International Symposium on Symbolic and Algebraic Computation. ACM, 2001. To appear.
24. P. Nguyen. Cryptanalysis of the Goldreich-Goldwasser-Halevi cryptosystem from Crypto’97. In M. Wiener, editor, Advances in Cryptology — CRYPTO’99, volume 1666 of Lecture Notes in Computer Science. Springer-Verlag, Aug. 1999.
25. H. Niederreiter. Knapsack-type cryptosystems and algebraic coding theory. Problems of Control and Information Theory, 15(2):159–166, 1986.
26. T. Okamoto and D. Pointcheval. REACT: Rapid enhanced-security asymmetric cryptosystem transform. In D. Naccache, editor, Proceedings of the Cryptographers’ Track of the RSA Conference 2001 (RSA 2001), Lecture Notes in Computer Science, San Francisco, California, USA, 8–12 Apr. 2001. Springer-Verlag.
27. C. Rackoff and D. R. Simon. Non-interactive zero-knowledge proof of knowledge and chosen ciphertext attack. In J. Feigenbaum, editor, Advances in Cryptology: Proceedings of Crypto’91, volume 576 of Lecture Notes in Computer Science, University of California, Santa Barbara, Aug. 1991. IACR, Springer-Verlag.
28. R. L. Rivest, A. Shamir, and L. Adleman. A method for obtaining digital signatures and public-key cryptosystems. Communications of the ACM, 21:120–126, 1978.
29. C.-P. Schnorr. A hierarchy of polynomial time lattice basis reduction algorithms. Theoretical Computer Science, 53(2–3):201–224, 1987.
30. C.-P. Schnorr and M. Euchner. Lattice basis reduction: Improved practical algorithms and solving subset sum problems. In L. Budach, editor, Proceedings of Fundamentals of Computation Theory, volume 529 of Lecture Notes in Computer Science, pages 68–85. Springer-Verlag, 1991.
31. C.-P. Schnorr, M. Fischlin, H. Koy, and A. May. Lattice attacks on GGH cryptosystem. Rump session of Crypto’97, 1997.
32. C.-P. Schnorr and H. H. Hörner. Attacking the Chor-Rivest cryptosystem by improved lattice reduction. In L. C. Guillou and J.-J. Quisquater, editors, Advances in Cryptology — EUROCRYPT’95, volume 921 of Lecture Notes in Computer Science, pages 1–12. Springer-Verlag, 21–25 May 1995.
33. V. Shoup. NTL: A library for doing number theory. Available on-line at URL
34. V. Sidelnikov and S. Shestakov. On cryptosystems based on generalized Reed-Solomon codes. Diskretnaya Math, 4(3):57–63, 1992. In Russian.
35. N. J. A. Sloane. Encryption by random rotations. In Workshop on Cryptography, Burg Feuerstein 1982, volume 149 of Lecture Notes in Computer Science, pages 71–129, 1983.
36. P. van Emde Boas. Another NP-complete problem and the complexity of computing short vectors in a lattice. Technical Report 81-04, Mathematisch Instituut, University of Amsterdam, 1981. Available on-line at URL
37. A. Yao. Theory and applications of trapdoor functions. In Proceedings of the 23rd IEEE Symposium on Foundations of Computer Science (FOCS), pages 80–91, Chicago, IL, 1982. IEEE.

Copyright information

© Springer-Verlag Berlin Heidelberg 2001

Authors and Affiliations

  • Daniele Micciancio
  1. Department of Computer Science and Engineering, University of California, San Diego, La Jolla, USA
