# Trapdoors for hard lattices and new cryptographic constructions

@article{Gentry2007TrapdoorsFH, title={Trapdoors for hard lattices and new cryptographic constructions}, author={Craig Gentry and Chris Peikert and Vinod Vaikuntanathan}, journal={Proceedings of the fortieth annual ACM symposium on Theory of computing}, year={2007} }

We show how to construct a variety of "trapdoor" cryptographic tools assuming the worst-case hardness of standard lattice problems (such as approximating the length of the shortest nonzero vector to within certain polynomial factors). Our contributions include a new notion of trapdoor function with preimage sampling, simple and efficient "hash-and-sign" digital signature schemes, and identity-based encryption. A core technical component of our constructions is an efficient algorithm that, given…

## 1,909 Citations

### Asymptotically Efficient Lattice-Based Digital Signatures

- Computer Science, MathematicsJournal of Cryptology
- 2017

This work presents a general framework that converts certain types of linear collision-resistant hash functions into one-time signatures, and gives a digital signature scheme with an essentially optimal performance/security trade-off.

### Asymptotically Effi cient Lattice-Based Digital Signatures

- Computer Science, MathematicsIACR Cryptol. ePrint Arch.
- 2008

The construction is provably secure based on the worst-case hardness of approximating the shortest vector in ideal lattices within a polynomial factor, and asymptotically efficient: the time complexity of the signing and verification algorithms, as well as key and signature size is almost linear in the dimension n of the underlying lattice.

### Density of Ideal Lattices

- Mathematics, Computer ScienceAlgorithms and Number Theory
- 2009

It is shown that the density of n-dimensional ideal lat- tices with determinant b among all lattices under the same bound is in O(b 1 n ) as b grows, so, for lattices of dimension > 1 with bounded determinant, the subclass of ideal lattices is always vanishingly small.

### Public-key cryptosystems from the worst-case shortest vector problem: extended abstract

- Computer Science, MathematicsSTOC '09
- 2009

The main technical innovation is a reduction from variants of the shortest vector problem to corresponding versions of the "learning with errors" (LWE) problem; previously, only a quantum reduction of this kind was known.

### Trapdoors for Lattices: Simpler, Tighter, Faster, Smaller

- Computer Science, MathematicsIACR Cryptol. ePrint Arch.
- 2011

We give new methods for generating and using "strong trapdoors" in cryptographic lattices, which are simultaneously simple, efficient, easy to implement (even in parallel), and asymptotically optimal…

### On the Bounded Distance Decoding Problem for Lattices Constructed from Polynomials and Their Cryptographic Applications

- Computer Science, Mathematics
- 2020

This paper construct lattices based on properties of polynomials for which the bounded distance decoding problem is hard to solve unless some trapdoor information is revealed, and thoroughly analyze the security of the proposed functions using state-of-the-art attacks and results on lattice reductions.

### An Efficient Identity-based Signature from Lattice in the Random Oracle Model

- Computer Science, Mathematics
- 2011

This work proposes an efficient identity-based signature (IBS) scheme that uses lattice's growth and lattice basis randomization securely to generate the user's secret key, and uses trapdoor functions with preimage sampling to generate signature.

### Lattice Signatures Without Trapdoors

- Computer Science, MathematicsIACR Cryptol. ePrint Arch.
- 2011

This work provides an alternative method for constructing lattice-based digital signatures which does not use the "hash-and-sign" methodology, and shows that by slightly changing the parameters, one can get even more efficient signatures that are based on the hardness of the Learning With Errors problem.

### Programmable Hash Functions from Lattices: Short Signatures and IBEs with Small Key Sizes

- Computer Science, MathematicsCRYPTO
- 2016

Under the Inhomogeneous Small Integer Solution ISIS assumption, it is shown that any non-trivial lattice-based PHF is collision-resistant, which gives a direct application of this new primitive.

### Short Signatures from Homomorphic Trapdoor Functions

- Computer Science, MathematicsIACR Cryptol. ePrint Arch.
- 2014

We present a lattice-based stateless signature scheme provably secure in the standard model. Our scheme has a constant number of matrices in the public key and a single lattice vector (plus a tag) in…

## References

SHOWING 1-10 OF 79 REFERENCES

### New lattice-based cryptographic constructions

- Mathematics, Computer ScienceJACM
- 2004

A new public key cryptosystem whose security guarantee is considerably stronger than previous results is provided, and a family of collision resistant hash functions with an improved security guarantee in terms of the unique shortest vector problem is proposed.

### Lossy trapdoor functions and their applications

- Computer Science, MathematicsElectron. Colloquium Comput. Complex.
- 2007

Using lossy TDFs, this work develops a new approach for constructing several important cryptographic primitives, including (injective) trapdoor functions, collision-resistant hash functions, oblivious transfer, and chosen ciphertext-secure cryptosystems.

### Secure Hash-and-Sign Signatures Without the Random Oracle

- Computer Science, MathematicsEUROCRYPT
- 1999

A new signature scheme is presented which is existentially unforgeable under chosen message attacks, assuming some variant of the RSA conjecture, and is unique in that the assumptions made on the cryptographic hash function in use are well defined and reasonable.

### On the Power of Claw-Free Permutations

- Computer Science, MathematicsSCN
- 2002

While it was already believed that certain cryptographic objects can be built from claw-free permutations but not from general trapdoor permutations, it is shown that certain important schemes provably work with either but enjoy a much better tradeoff between security and efficiency when deployed with claw- free permutations.

### One-way functions are necessary and sufficient for secure signatures

- Computer Science, MathematicsSTOC '90
- 1990

This paper is interested in signature schemes which are secure agMnst existential forgery under adaptive chosen message attacks, and the existence of trapdoor permutations can be shown to be necessary and sufficient for secure encryption schemes.

### The Exact Security of Digital Signatures - HOw to Sign with RSA and Rabin

- Computer Science, MathematicsEUROCRYPT
- 1996

An RSA-based signing scheme which combines essentially optimal efficiency with attractive security properties and a second scheme which maintains all of the above features and in addition provides message recovery is provided.

### On lattices, learning with errors, random linear codes, and cryptography

- Computer ScienceSTOC '05
- 2005

A public-key cryptosystem whose hardness is based on the worst-case quantum hardness of SVP and SIVP, and an efficient solution to the learning problem implies a <i>quantum</i>, which can be made classical.

### Multi-bit Cryptosystems Based on Lattice Problems

- Computer Science, MathematicsPublic Key Cryptography
- 2007

It is shown that the multi-bit versions of several single-bit cryptosystems based on lattice problems encrypt O(log n)-bit plaintexts into ciphertexts of the same length as the original ones with reasonable sacrifices of the hardness of the underlying lattICE problems.

### Universal one-way hash functions and their cryptographic applications

- Computer Science, MathematicsSTOC '89
- 1989

A Universal One-Way Hash Function family is defined, a new primitive which enables the compression of elements in the function domain and it is proved constructively that universal one- way hash functions exist if any 1-1 one-way functions exist.

### Efficient Collision-Resistant Hashing from Worst-Case Assumptions on Cyclic Lattices

- Mathematics, Computer ScienceTCC
- 2005

These results exploit an intimate connection between the linear algebra of n-dimensional cyclic lattices and the ring ℤ[α]/(αn−1), and crucially depend on the factorization of αn-1 into irreducible cyclotomic polynomials.