Efficient Public Key Encryption Based on Ideal Lattices

(Extended Abstract)
  • Damien Stehlé
  • Ron Steinfeld
  • Keisuke Tanaka
  • Keita Xagawa
Part of the Lecture Notes in Computer Science book series (LNCS, volume 5912)


We describe public key encryption schemes with security provably based on the worst case hardness of the approximate Shortest Vector Problem in some structured lattices, called ideal lattices. Under the assumption that the latter is exponentially hard to solve even with a quantum computer, we achieve CPA-security against subexponential attacks, with (quasi-)optimal asymptotic performance: if n is the security parameter, both keys are of bit-length \({\widetilde{O}}(n)\) and the amortized costs of both encryption and decryption are \({\widetilde{O}}(1)\) per message bit. Our construction adapts the trapdoor one-way function of Gentry et al. (STOC’08), based on the Learning With Errors problem, to structured lattices. Our main technical tools are an adaptation of Ajtai’s trapdoor key generation algorithm (ICALP’99) and a re-interpretation of Regev’s quantum reduction between the Bounded Distance Decoding problem and sampling short lattice vectors.
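The two structural facts behind the efficiency claims in the abstract, as an added illustration that is not code from the paper: multiplication by a fixed element of \(\mathbb{Z}_q[x]/(x^n+1)\) is an \(n \times n\) matrix over \(\mathbb{Z}_q\) that is fully determined by the \(n\) coefficients of that element (an unstructured LWE key needs \(n^2\) entries, an ideal-lattice key needs \(n\), hence \(\widetilde{O}(n)\) bits), and one ring multiplication carries \(n\) message coefficients at once, which is where the \(\widetilde{O}(1)\) amortized cost per bit comes from. The Python below was written for this page. It uses a simplified Regev-style encryption over that ring (decryption works from the LWE secret, not from the Ajtai/GPV-style trapdoor basis the paper uses, so it is an illustration of the structured-LWE ingredient, not the paper's scheme); the parameters N=16, Q=12289 and ternary noise are assumed toy values with no security, and polynomial multiplication is schoolbook where a practical implementation would use the FFT.

```python
import random

# Toy parameters (assumed for illustration only; far too small for any security).
N = 16          # ring dimension: R_q = Z_q[x] / (x^N + 1), N a power of two
Q = 12289       # modulus


def poly_mul(a, b, n=N, q=Q):
    """Multiply two coefficient lists in Z_q[x]/(x^n + 1).
    Since x^n = -1, a product term that lands at degree k >= n wraps to
    degree k - n with its sign flipped (negacyclic convolution)."""
    res = [0] * n
    for i, ai in enumerate(a):
        if ai == 0:
            continue
        for j, bj in enumerate(b):
            k = i + j
            if k < n:
                res[k] = (res[k] + ai * bj) % q
            else:
                res[k - n] = (res[k - n] - ai * bj) % q
    return res


def rot_matrix(a, n=N, q=Q):
    """The n x n matrix of 'multiply by a' over Z_q; column j is x^j * a.
    All n^2 entries are fixed by the n coefficients of a, which is why an
    ideal-lattice key is O~(n) bits where an unstructured one is O~(n^2)."""
    cols, cur = [], list(a)
    for _ in range(n):
        cols.append(cur)
        # multiply by x: shift coefficients up one degree, wrapped term negated
        cur = [(-cur[-1]) % q] + cur[:-1]
    return [[cols[j][i] for j in range(n)] for i in range(n)]


def mat_vec(M, v, q=Q):
    """Matrix-vector product over Z_q; equals poly_mul(a, v) when M = rot_matrix(a)."""
    return [sum(M[i][j] * v[j] for j in range(len(v))) % q for i in range(len(M))]


def small_poly(rng, n=N):
    """Polynomial with coefficients in {-1, 0, 1}: secret, error and randomness."""
    return [rng.choice((-1, 0, 1)) for _ in range(n)]


def keygen(rng, n=N, q=Q):
    a = [rng.randrange(q) for _ in range(n)]                  # uniform ring element
    s = small_poly(rng, n)                                     # secret
    e = small_poly(rng, n)                                     # error
    b = [(x + y) % q for x, y in zip(poly_mul(a, s, n, q), e)]  # b = a*s + e
    return (a, b), s


def encrypt(pk, bits, rng, n=N, q=Q):
    """Encrypt n bits at once: one ring element carries n message coefficients,
    so the cost of the ring operations is amortized over n bits."""
    a, b = pk
    assert len(bits) == n
    r, e1, e2 = small_poly(rng, n), small_poly(rng, n), small_poly(rng, n)
    u = [(x + y) % q for x, y in zip(poly_mul(a, r, n, q), e1)]
    v = [(x + y + bit * (q // 2)) % q
         for x, y, bit in zip(poly_mul(b, r, n, q), e2, bits)]
    return u, v


def decrypt(sk, ct, n=N, q=Q):
    """v - u*s = e*r + e2 - e1*s + m*floor(q/2); with ternary noise each
    coefficient of the error part has magnitude <= 2n + 1 < q/4, so rounding
    to the nearest multiple of q/2 recovers each bit."""
    u, v = ct
    us = poly_mul(u, sk, n, q)
    out = []
    for vi, wi in zip(v, us):
        t = (vi - wi) % q
        if t > q // 2:
            t -= q                       # centre into (-q/2, q/2]
        out.append(1 if abs(t) > q // 4 else 0)
    return out


def roundtrip(seed=1, n=N, q=Q):
    """Key generation, encryption of n random bits, decryption; returns both."""
    rng = random.Random(seed)
    pk, sk = keygen(rng, n, q)
    bits = [rng.randrange(2) for _ in range(n)]
    return bits, decrypt(sk, encrypt(pk, bits, rng, n, q), n, q)


if __name__ == "__main__":
    bits, dec = roundtrip()
    print("message :", bits)
    print("decrypt :", dec)
    print("ok" if bits == dec else "FAIL")
```

The correctness bound in decrypt is what a parameter choice has to guarantee: the error term e*r + e2 - e1*s must stay below q/4 in every coefficient, and the same bound is what an implementer checks before shrinking q for performance.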




References

  1. Ajtai, M.: Generating hard instances of lattice problems (extended abstract). In: Proceedings of STOC 1996, pp. 99–108. ACM, New York (1996)
  2. Ajtai, M.: Generating hard instances of the short basis problem. In: Wiedermann, J., Van Emde Boas, P., Nielsen, M. (eds.) ICALP 1999. LNCS, vol. 1644, pp. 1–9. Springer, Heidelberg (1999)
  3. Ajtai, M., Dwork, C.: A public-key cryptosystem with worst-case/average-case equivalence. In: Proceedings of STOC 1997, pp. 284–293. ACM, New York (1997)
  4. Ajtai, M., Kumar, R., Sivakumar, D.: A sieve algorithm for the shortest lattice vector problem. In: Proceedings of STOC 2001, pp. 601–610. ACM, New York (2001)
  5. Alwen, J., Peikert, C.: Generating shorter bases for hard random lattices. In: STACS 2009. LNCS. Springer, Heidelberg (2009)
  6. Babai, L.: On Lovász' lattice reduction and the nearest lattice point problem. Combinatorica 6, 1–13 (1986)
  7. Blake, I.F., Gao, S., Mullin, R.C.: Explicit factorization of \(x^{2^k} + 1\) over \(\mathbb{F}_p\) with prime \(p \equiv 3 \bmod 4\). App. Alg. in Eng., Comm. and Comp. 4, 89–94 (1992)
  8. Fiat, A., Shamir, A.: How to prove yourself – practical solutions to identification and signature problems. In: Odlyzko, A.M. (ed.) CRYPTO 1986. LNCS, vol. 263, pp. 186–194. Springer, Heidelberg (1987)
  9. Gentry, C., Peikert, C., Vaikuntanathan, V.: Trapdoors for hard lattices and new cryptographic constructions. In: Proceedings of STOC 2008, pp. 197–206. ACM, New York (2008)
  10. Goldreich, O.: Foundations of Cryptography, vol. II: Basic Applications. Cambridge University Press, Cambridge (2001)
  11. Goldreich, O., Goldwasser, S., Halevi, S.: Public-key cryptosystems from lattice reduction problems. In: Kaliski Jr., B.S. (ed.) CRYPTO 1997. LNCS, vol. 1294, pp. 112–131. Springer, Heidelberg (1997)
  12. Hoffstein, J., Pipher, J., Silverman, J.H.: NTRU: a ring-based public key cryptosystem. In: Buhler, J.P. (ed.) ANTS 1998. LNCS, vol. 1423, pp. 267–288. Springer, Heidelberg (1998)
  13. Holenstein, T., Maurer, U., Sjödin, J.: Complete classification of bilinear hard-core functions. In: Franklin, M. (ed.) CRYPTO 2004. LNCS, vol. 3152, pp. 73–91. Springer, Heidelberg (2004)
  14. Kawachi, A., Tanaka, K., Xagawa, K.: Concurrently secure identification schemes based on the worst-case hardness of lattice problems. In: Pieprzyk, J. (ed.) ASIACRYPT 2008. LNCS, vol. 5350, pp. 372–389. Springer, Heidelberg (2008)
  15. Lyubashevsky, V.: Lattice-based identification schemes secure under active attacks. In: Cramer, R. (ed.) PKC 2008. LNCS, vol. 4939, pp. 162–179. Springer, Heidelberg (2008)
  16. Lyubashevsky, V.: Towards Practical Lattice-Based Cryptography. PhD thesis, University of California, San Diego (2008)
  17. Lyubashevsky, V., Micciancio, D.: Generalized compact knapsacks are collision resistant. In: Bugliesi, M., Preneel, B., Sassone, V., Wegener, I. (eds.) ICALP 2006. LNCS, vol. 4052, pp. 144–155. Springer, Heidelberg (2006)
  18. Lyubashevsky, V., Micciancio, D.: Asymptotically efficient lattice-based digital signatures. In: Canetti, R. (ed.) TCC 2008. LNCS, vol. 4948, pp. 37–54. Springer, Heidelberg (2008)
  19. Lyubashevsky, V., Micciancio, D.: On bounded distance decoding, unique shortest vectors, and the minimum distance problem. In: Halevi, S. (ed.) CRYPTO 2009. LNCS, vol. 5677, pp. 450–461. Springer, Heidelberg (2009)
  20. Micciancio, D.: Generalized compact knapsacks, cyclic lattices, and efficient one-way functions. Computational Complexity 16(4), 365–411 (2007)
  21. Micciancio, D., Goldwasser, S.: Complexity of Lattice Problems: A Cryptographic Perspective. Kluwer Academic Press, Dordrecht (2002)
  22. Micciancio, D., Regev, O.: Worst-case to average-case reductions based on Gaussian measures. SIAM J. Comput. 37(1), 267–302 (2007)
  23. Micciancio, D., Regev, O.: Lattice-based cryptography. In: Post-Quantum Cryptography. Springer, Heidelberg (2008)
  24. Micciancio, D., Vadhan, S.: Statistical zero-knowledge proofs with efficient provers: lattice problems and more. In: Boneh, D. (ed.) CRYPTO 2003. LNCS, vol. 2729, pp. 282–298. Springer, Heidelberg (2003)
  25. Nielsen, M.A., Chuang, I.L.: Quantum Computation and Quantum Information. Cambridge University Press, Cambridge (2000)
  26. Pan, V.Y.: Structured Matrices and Polynomials: Unified Superfast Algorithms. Springer and Birkhäuser (2001)
  27. Peikert, C.: Limits on the hardness of lattice problems in \(\ell_p\) norms. Computational Complexity 17(2), 300–351 (2008)
  28. Peikert, C.: Public-key cryptosystems from the worst-case shortest vector problem. In: Proceedings of STOC 2009, pp. 333–342. ACM, New York (2009)
  29. Peikert, C., Rosen, A.: Efficient collision-resistant hashing from worst-case assumptions on cyclic lattices. In: Halevi, S., Rabin, T. (eds.) TCC 2006. LNCS, vol. 3876, pp. 145–166. Springer, Heidelberg (2006)
  30. Peikert, C., Vaikuntanathan, V., Waters, B.: A framework for efficient and composable oblivious transfer. In: Wagner, D. (ed.) CRYPTO 2008. LNCS, vol. 5157, pp. 554–571. Springer, Heidelberg (2008)
  31. Peikert, C., Waters, B.: Lossy trapdoor functions and their applications. In: Proceedings of STOC 2008, pp. 187–196. ACM, New York (2008)
  32. Regev, O.: On lattices, learning with errors, random linear codes, and cryptography. Extended version of [33], May 2 (2009)
  33. Regev, O.: On lattices, learning with errors, random linear codes, and cryptography. In: Proceedings of STOC 2005, pp. 84–93. ACM, New York (2005)
  34. Rosen, A., Segev, G.: Chosen-ciphertext security via correlated products. In: Reingold, O. (ed.) TCC 2009. LNCS, vol. 5444, pp. 419–436. Springer, Heidelberg (2009)
  35. Schnorr, C.P.: A hierarchy of polynomial lattice basis reduction algorithms. Theor. Comput. Sci. 53, 201–224 (1987)
  36. Schnorr, C.P.: Hot topics of LLL and lattice reduction. In: Proceedings of the LLL+25 conference (to appear, 2009)

Copyright information

© Springer-Verlag Berlin Heidelberg 2009

Authors and Affiliations

  • Damien Stehlé (1, 2)
  • Ron Steinfeld (2)
  • Keisuke Tanaka (3)
  • Keita Xagawa (3)
  1. CNRS / Department of Mathematics and Statistics, University of Sydney, Australia
  2. Centre for Advanced Computing - Algorithms and Cryptography, Department of Computing, Macquarie University, Australia
  3. Department of Mathematical and Computing Sciences, Tokyo Institute of Technology, Japan
