Skip to main content
SpringerLink
Log in

Building an Efficient Lattice Gadget Toolkit: Subgaussian Sampling and More

  • Conference paper
  • First Online:
Advances in Cryptology – EUROCRYPT 2019 (EUROCRYPT 2019)

Part of the book series: Lecture Notes in Computer Science ((LNSC,volume 11477))

Abstract

Many advanced lattice cryptography applications require efficient algorithms for inverting the so-called “gadget” matrices, which are used to formally describe a digit decomposition problem that produces an output with specific (statistical) properties. The common gadget inversion problems are the classical (often binary) digit decomposition, subgaussian decomposition, Learning with Errors (LWE) decoding, and discrete Gaussian sampling. In this work, we build and implement an efficient lattice gadget toolkit that provides a general treatment of gadget matrices and algorithms for their inversion/sampling. The main contribution of our work is a set of new gadget matrices and algorithms for efficient subgaussian sampling that have a number of major theoretical and practical advantages over previously known algorithms. Another contribution deals with efficient algorithms for LWE decoding and discrete Gaussian sampling in the Residue Number System (RNS) representation.

We implement the gadget toolkit in PALISADE and evaluate the performance of our algorithms both in terms of runtime and noise growth. We illustrate the improvements due to our algorithms by implementing a concrete complex application, key-policy attribute-based encryption (KP-ABE), which was previously considered impractical for CPU systems (except for a very small number of attributes). Our runtime improvements for the main bottleneck operation based on subgaussian sampling range from 18x (for 2 attributes) to 289x (for 16 attributes; the maximum number supported by a previous implementation). Our results are applicable to a wide range of other advanced applications in lattice cryptography, such as GSW-based homomorphic encryption schemes, leveled fully homomorphic signatures, other forms of ABE, some program obfuscation constructions, and more.

This work was sponsored by the Defense Advanced Research Projects Agency (DARPA) and the Army Research Laboratory (ARL) under Contract Numbers W911NF-15-C-0226 and W911NF-15-C-0233. The views expressed are those of the authors and do not necessarily reflect the official policy or position of the Department of Defense or the U.S. Government.

This is a preview of subscription content, log in via an institution to check access.

Access this chapter

Log in via an institution
Chapter
USD 29.95
Price excludes VAT (USA)
  • Available as PDF
  • Read on any device
  • Instant download
  • Own it forever
eBook
USD 39.99
Price excludes VAT (USA)
  • Available as EPUB and PDF
  • Read on any device
  • Instant download
  • Own it forever
Softcover Book
USD 54.99
Price excludes VAT (USA)
  • Compact, lightweight edition
  • Dispatched in 3 to 5 business days
  • Free shipping worldwide - see info

Tax calculation will be finalised at checkout

Purchases are for personal use only

Institutional subscriptions

Notes

  1. 1.

    In the context of lattice cryptography, “short” typically means much smaller than the modulus q.

  2. 2.

    This assumes the GSO has entries each described in O(n) bits.

  3. 3.

    This theorem is most relevant when q is a relatively small modulus (say \(q<2^{64}\)), so that arithmetic operations modulo q can be performed with unit cost. For larger moduli, the theorem will be used as a building block for a more complex algorithm described in Sect. 6 using RNS/CRT representation for the elements of \(\mathbb {Z}_q\).

  4. 4.

    For a general integer basis \(\mathbf {B}\), the GSO can have numbers with denominators as large as \(\prod _i \Vert \mathbf {b}_i\Vert ^2\).

  5. 5.

    This is also known as the residue number system (RNS) in previous works.

  6. 6.

    https://github.com/cpeikert/Lol/blob/master/lol/Crypto/Lol/Gadget.hs.

  7. 7.

    https://bitbucket.org/malb/lwe-estimator.

References

  1. Ajtai, M.: Generating hard instances of the short basis problem. In: Wiedermann, J., van Emde Boas, P., Nielsen, M. (eds.) ICALP 1999. LNCS, vol. 1644, pp. 1–9. Springer, Heidelberg (1999). https://doi.org/10.1007/3-540-48523-6_1

    Chapter  Google Scholar 

  2. Albrecht, M., et al.: Homomorphic encryption security standard. Technical report, HomomorphicEncryption.org, Cambridge, MA, March 2018

    Google Scholar 

  3. Albrecht, M., Scott, S., Player, R.: On the concrete hardness of learning with errors. J. Math. Cryptol. 9(3), 169–203 (2015)

    Article  MathSciNet  Google Scholar 

  4. Alperin-Sheriff, J., Apon, D.: Weak is better: tightly secure short signatures from weak PRFs. IACR Cryptology ePrint Archive, 2017:563 (2017)

    Google Scholar 

  5. Alperin-Sheriff, J., Peikert, C.: Faster bootstrapping with polynomial error. In: Garay, J.A., Gennaro, R. (eds.) CRYPTO 2014. LNCS, vol. 8616, pp. 297–314. Springer, Heidelberg (2014). https://doi.org/10.1007/978-3-662-44371-2_17

    Chapter  Google Scholar 

  6. Alwen, J., Peikert, C.: Generating shorter bases for hard random lattices. Theory Comput. Syst. 48(3), 535–553 (2011)

    Article  MathSciNet  Google Scholar 

  7. Babai, L.: On lovász’ lattice reduction and the nearest lattice point problem. Combinatorica 6(1), 1–13 (1986)

    Article  MathSciNet  Google Scholar 

  8. Bajard, J.-C., Eynard, J., Hasan, M.A., Zucca, V.: A full RNS variant of FV like somewhat homomorphic encryption schemes. In: Avanzi, R., Heys, H. (eds.) SAC 2016. LNCS, vol. 10532, pp. 423–442. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-69453-5_23

    Chapter  Google Scholar 

  9. Bert, P., Fouque, P.-A., Roux-Langlois, A., Sabt, M.: Practical implementation of ring-SIS/LWE based signature and IBE. In: Lange, T., Steinwandt, R. (eds.) PQCrypto 2018. LNCS, vol. 10786, pp. 271–291. Springer, Cham (2018). https://doi.org/10.1007/978-3-319-79063-3_13

    Chapter  Google Scholar 

  10. Boneh, D., et al.: Fully key-homomorphic encryption, arithmetic circuit ABE and compact garbled circuits. In: Nguyen, P.Q., Oswald, E. (eds.) EUROCRYPT 2014. LNCS, vol. 8441, pp. 533–556. Springer, Heidelberg (2014). https://doi.org/10.1007/978-3-642-55220-5_30

    Chapter  Google Scholar 

  11. Bonnoron, G., Ducas, L., Fillinger, M.: Large FHE gates from tensored homomorphic accumulator. In: Joux, A., Nitaj, A., Rachidi, T. (eds.) AFRICACRYPT 2018. LNCS, vol. 10831, pp. 217–251. Springer, Cham (2018). https://doi.org/10.1007/978-3-319-89339-6_13

    Chapter  Google Scholar 

  12. Brakerski, Z., Gentry, C., Vaikuntanathan, V.: (Leveled) fully homomorphic encryption without bootstrapping. In: Innovations in Theoretical Computer Science - ITCS 2012, pp. 309–325. ACM (2012)

    Google Scholar 

  13. Brakerski, Z., Langlois, A., Peikert, C., Regev, O., Stehlé, D.: Classical hardness of learning with errors. In: Symposium on Theory of Computing - STOC 2013, pp. 575–584 (2013)

    Google Scholar 

  14. Brakerski, Z., Vaikuntanathan, V.: Lattice-based FHE as secure as PKE. In: Innovations in Theoretical Computer Science - ITCS 2014, pp. 1–12 (2014)

    Google Scholar 

  15. Chillotti, I., Gama, N., Georgieva, M., Izabachène, M.: Faster fully homomorphic encryption: bootstrapping in less than 0.1 seconds. In: Cheon, J.H., Takagi, T. (eds.) ASIACRYPT 2016. LNCS, vol. 10031, pp. 3–33. Springer, Heidelberg (2016). https://doi.org/10.1007/978-3-662-53887-6_1

    Chapter  MATH  Google Scholar 

  16. Chillotti, I., Gama, N., Georgieva, M., Izabachène, M.: Faster packed homomorphic operations and efficient circuit bootstrapping for TFHE. In: Takagi, T., Peyrin, T. (eds.) ASIACRYPT 2017. LNCS, vol. 10624, pp. 377–408. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-70694-8_14

    Chapter  Google Scholar 

  17. Cousins, D.B., et al.: Implementing conjunction obfuscation under entropic ring LWE. In: Symposium on Security and Privacy - SSP 2018, pp. 354–371 (2018)

    Google Scholar 

  18. Crockett, E., Peikert, C.: \(\Lambda \)\(o\)\(\lambda \): functional lattice cryptography. In: Weippl, E.R., Katzenbeisser, S., Kruegel, C., Myers, A.C., Halevi, S. (eds.) Proceedings of the 2016 ACM SIGSAC Conference on Computer and Communications Security, Vienna, Austria, 24–28 October 2016, pp. 993–1005. ACM (2016)

    Google Scholar 

  19. Dai, W., et al.: Implementation and evaluation of a lattice-based key-policy ABE scheme. IEEE Trans. Inf. Forensics Secur. 13(5), 1169–1184 (2018)

    Article  Google Scholar 

  20. del Pino, R., Lyubashevsky, V., Seiler, G.: Lattice-based group signatures and zero-knowledge proofs of automorphism stability. In: Lie, D., Mannan, M., Backes, M., Wang, X. (eds.) Proceedings of the 2018 ACM SIGSAC Conference on Computer and Communications Security, CCS 2018, pp. 574–591. ACM (2018)

    Google Scholar 

  21. Ducas, L., Micciancio, D.: FHEW: bootstrapping homomorphic encryption in less than a second. In: Oswald, E., Fischlin, M. (eds.) EUROCRYPT 2015. LNCS, vol. 9056, pp. 617–640. Springer, Heidelberg (2015). https://doi.org/10.1007/978-3-662-46800-5_24

    Chapter  MATH  Google Scholar 

  22. Ducas, L., Prest, T.: Fast fourier orthogonalization. In: Abramov, S.A., Zima, E.V., Gao, X. (eds.) Proceedings of the ACM on International Symposium on Symbolic and Algebraic Computation, ISSAC 2016, pp. 191–198. ACM (2016)

    Google Scholar 

  23. Genise, N., Micciancio, D.: Faster Gaussian sampling for trapdoor lattices with arbitrary modulus. In: Nielsen, J.B., Rijmen, V. (eds.) EUROCRYPT 2018. LNCS, vol. 10820, pp. 174–203. Springer, Cham (2018). https://doi.org/10.1007/978-3-319-78381-9_7

    Chapter  Google Scholar 

  24. Genise, N., Micciancio, D., Polyakov, Y.: Building an efficient lattice gadget toolkit: Subgaussian sampling and more. IACR Cryptology ePrint Archive, 2018:946 (2018)

    Google Scholar 

  25. Gentry, C., Halevi, S., Smart, N.P.: Homomorphic evaluation of the AES circuit. In: Safavi-Naini, R., Canetti, R. (eds.) CRYPTO 2012. LNCS, vol. 7417, pp. 850–867. Springer, Heidelberg (2012). https://doi.org/10.1007/978-3-642-32009-5_49

    Chapter  Google Scholar 

  26. Gentry, C., Peikert, C., Vaikuntanathan, V.: Trapdoors for hard lattices and new cryptographic constructions. In: Symposium on Theory of Computing - STOC 2008, pp. 197–206 (2008)

    Google Scholar 

  27. Gentry, C., Sahai, A., Waters, B.: Homomorphic encryption from learning with errors: conceptually-simpler, asymptotically-faster, attribute-based. In: Canetti, R., Garay, J.A. (eds.) CRYPTO 2013. LNCS, vol. 8042, pp. 75–92. Springer, Heidelberg (2013). https://doi.org/10.1007/978-3-642-40041-4_5

    Chapter  Google Scholar 

  28. Gorbunov, S., Vaikuntanathan, V., Wee, H.: Predicate encryption for circuits from LWE. In: Gennaro, R., Robshaw, M. (eds.) CRYPTO 2015. LNCS, vol. 9216, pp. 503–523. Springer, Heidelberg (2015). https://doi.org/10.1007/978-3-662-48000-7_25

    Chapter  Google Scholar 

  29. Gorbunov, S., Vaikuntanathan, V., Wichs, D.: Leveled fully homomorphic signatures from standard lattices. In: Symposium on Theory of Computing - STOC 2015, pp. 469–477 (2015)

    Google Scholar 

  30. Gür, K.D., Polyakov, Y., Rohloff, K., Ryan, G.W., Sajjadpour, H., Savas, E.: Practical applications of improved Gaussian sampling for trapdoor lattices. IACR Cryptology ePrint Archive, 2017:1254 (2017)

    Google Scholar 

  31. Gür, K.D., Polyakov, Y., Rohloff, K., Ryan, G.W., Savas, E.: Implementation and evaluation of improved Gaussian sampling for lattice trapdoors. In: Proceedings of the 6th Workshop on Encrypted Computing & Applied Homomorphic Cryptography, WAHC 2018, pp. 61–71 (2018)

    Google Scholar 

  32. Halevi, S., Halevi, T., Shoup, V., Stephens-Davidowitz, N.: Implementing BP-obfuscation using graph-induced encoding. In: Computer and Communications Security - CCS 2017, pp. 783–798 (2017)

    Google Scholar 

  33. Halevi, S., Polyakov, Y., Shoup, V.: An improved RNS variant of the BFV homomorphic encryption scheme. IACR Cryptology ePrint Archive, 2018:117 (2018)

    Google Scholar 

  34. Klein, P.N.: Finding the closest lattice vector when it’s unusually close. In: Symposium on Discrete Algorithms - SODA 2000, pp. 937–941 (2000)

    Google Scholar 

  35. Lyubashevsky, V., Micciancio, D., Peikert, C., Rosen, A.: SWIFFT: a modest proposal for FFT hashing. In: Nyberg, K. (ed.) FSE 2008. LNCS, vol. 5086, pp. 54–72. Springer, Heidelberg (2008). https://doi.org/10.1007/978-3-540-71039-4_4

    Chapter  Google Scholar 

  36. Lyubashevsky, V., Peikert, C., Regev, O.: A toolkit for ring-LWE cryptography. In: Johansson, T., Nguyen, P.Q. (eds.) EUROCRYPT 2013. LNCS, vol. 7881, pp. 35–54. Springer, Heidelberg (2013). https://doi.org/10.1007/978-3-642-38348-9_3

    Chapter  Google Scholar 

  37. Aguilar-Melchor, C., Barrier, J., Guelton, S., Guinet, A., Killijian, M.-O., Lepoint, T.: NFLlib: NTT-based fast lattice library. In: Sako, K. (ed.) CT-RSA 2016. LNCS, vol. 9610, pp. 341–356. Springer, Cham (2016). https://doi.org/10.1007/978-3-319-29485-8_20

    Chapter  Google Scholar 

  38. Micciancio, D., Peikert, C.: Trapdoors for lattices: simpler, tighter, faster, smaller. In: Pointcheval, D., Johansson, T. (eds.) EUROCRYPT 2012. LNCS, vol. 7237, pp. 700–718. Springer, Heidelberg (2012). https://doi.org/10.1007/978-3-642-29011-4_41

    Chapter  Google Scholar 

  39. Micciancio, D., Regev, O.: Worst-case to average-case reductions based on Gaussian measures. SIAM J. Comput. 37(1), 267–302 (2007)

    Article  MathSciNet  Google Scholar 

  40. Micciancio, D., Sorrell, J.: Ring packing and amortized FHEW bootstrapping. In: Automata, Languages, and Programming - ICALP 2018. LIPIcs, vol. 107, pp. 100:1–100:14 (2018)

    Google Scholar 

  41. Peikert, C.: Personal Communication (2018)

    Google Scholar 

  42. Polyakov, Y., Rohloff, K., Ryan, G.W.: PALISADE lattice cryptography library. https://git.njit.edu/palisade/PALISADE. Accessed Oct 2018

  43. Vershynin, R.: Introduction to the non-asymptotic analysis of random matrices. CoRR, abs/1011.3027 (2010)

    Google Scholar 

Download references

Author information

Authors and Affiliations

  1. University of California, San Diego, La Jolla, USA

    Nicholas Genise & Daniele Micciancio

  2. New Jersey Institute of Technology, Newark, USA

    Yuriy Polyakov

Authors
  1. Nicholas Genise
    View author publications

    You can also search for this author in PubMed Google Scholar

  2. Daniele Micciancio
    View author publications

    You can also search for this author in PubMed Google Scholar

  3. Yuriy Polyakov
    View author publications

    You can also search for this author in PubMed Google Scholar

Corresponding author

Correspondence to Nicholas Genise .

Editor information

Editors and Affiliations

  1. Technion, Haifa, Israel

    Yuval Ishai

  2. COSIC Group, KU Leuven, Heverlee, Belgium

    Vincent Rijmen

Rights and permissions

Reprints and permissions

Copyright information

© 2019 International Association for Cryptologic Research

About this paper

Check for updates. Verify currency and authenticity via CrossMark

Cite this paper

Genise, N., Micciancio, D., Polyakov, Y. (2019). Building an Efficient Lattice Gadget Toolkit: Subgaussian Sampling and More. In: Ishai, Y., Rijmen, V. (eds) Advances in Cryptology – EUROCRYPT 2019. EUROCRYPT 2019. Lecture Notes in Computer Science(), vol 11477. Springer, Cham. https://doi.org/10.1007/978-3-030-17656-3_23

Download citation

  • DOI: https://doi.org/10.1007/978-3-030-17656-3_23

  • Published:

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-030-17655-6

  • Online ISBN: 978-3-030-17656-3

  • eBook Packages: Computer ScienceComputer Science (R0)

Publish with us

Policies and ethics

Societies and partnerships

Search

Navigation