A new method of generating hard random lattices with short bases
 Chengli Zhang^{1, 2},
 Wenping Ma^{1},
 Hefeng Chen^{3} and
 Feifei Zhao^{1}
https://doi.org/10.1186/s1363501900880
© The Author(s). 2019
 Received: 22 January 2019
 Accepted: 16 April 2019
 Published: 10 June 2019
Abstract
This paper first gives a regularity theorem and its corollary. A new construction for generating hard random lattices with short bases is then obtained from this corollary. The construction takes a new perspective and uses a random matrix whose entries are drawn by Gaussian sampling, which gives the corresponding schemes wider applicability in cryptography. Moreover, the construction is more specific than previous constructions, which makes it easier to implement in practical applications.
Keywords
 Cryptography
 Gaussian distribution
 Hard random lattices
 Short bases
1 Introduction
A lattice has a typical linear structure, and some problems on lattices have been proven to be NP-hard. Many exciting developments in lattice-based cryptography have occurred in the past few years [1–10], and there has been renewed interest in lattice-based cryptography as prospects for a real quantum computer improve. As is well known, some lattice-based cryptosystems can resist attack by both classical and quantum computers. However, the basic problems concerning short bases and short vectors are studied in only a few papers [11–14], even though such problems occupy an important place in the study of lattice-based cryptography and much further research is based on them.
In 1996, Ajtai’s seminal work [15] in lattice-based cryptography demonstrated a random class of lattices whose elements can be generated along with a short vector in them, and for which finding a short nonzero vector in the random lattice is at least as hard as finding the length of a shortest nonzero vector for any random lattice, and at least as hard as finding a basis for the random lattice. He showed how to generate a hard random lattice with knowledge of one relatively short nonzero lattice vector, which can be used as secret information in cryptographic applications. In addition, Ajtai gave reductions for some hard problems on lattices.
In 1999, Ajtai also demonstrated an entirely different method of generating a random lattice along with a short basis based on his previous studies [11]. His algorithm had an important property that the resulting lattice is drawn, under the appropriate distribution, from the hard family defined in [15]. Interestingly, the algorithm apparently went without application until recently, when Gentry, Peikert, and Vaikuntanathan constructed several provably secure cryptographic schemes that crucially use the short bases as the secret keys [16].
In 2011, Alwen and Peikert revisited the problem of generating a hard random lattice with a relatively short basis [12]. They elucidated and modularized Ajtai’s basic approach, endeavored to give a top-down exposition of the key aspects of the problem and the techniques, and based the algorithm on the concept of the Hermite normal form.
Micciancio and Peikert then gave the methods for generating and using “strong trapdoors” in cryptographic lattices [7]. Their methods involved a kind of trapdoor and included specialized algorithms for inverting LWE, randomly sampling SIS preimages, and securely delegating trapdoors. The trapdoor generator strictly subsumed the prior ones of [11, 12], in that it proves the main theorems from those works.
In this paper, we construct a new hard random lattice together with a relatively short basis from a new perspective. Firstly, we state and prove a useful theorem, called the regularity theorem, which plays an important role in cryptography. Before this, we show that after proper elementary matrix transformations, any matrix chosen uniformly at random from \( {Z}_q^{k\times {l}_1} \) can be written as a special matrix whose first k columns form an identity matrix and whose other columns are uniform on \( {Z}_q^k \). Furthermore, the theorem shows that the product of this special matrix with a matrix on its right whose entries follow a Gaussian distribution is a uniform matrix. Then, by using the regularity theorem, we give our simple, more widely applicable, and more specific algorithm, in which the Gaussian distribution is used. Next, the concrete expression of each matrix in our algorithm is given. Lastly, we analyze the short basis produced by our algorithm.
2 Preliminaries
This section gives some notation that will be used throughout the paper. We denote the integer ring by Z and the modular q residue ring by Z_{q}. For any real x, the largest integer not greater than x is denoted by ⌊x⌋. For a vector x = (x_{1}, ⋯, x_{n}), ⌊x⌋ is defined as (⌊x_{1}⌋, ⋯, ⌊x_{n}⌋). We write log for the logarithm to the base 2, and log_{q} when the base q is any number possibly different from 2. A negligible amount in n is defined as an amount that is asymptotically smaller than n^{−c} for any constant c > 0. Also, when we say that an expression is exponentially small in n, we mean that it is at most 2^{−Ω(n)}. Finally, when we say that an expression is exponentially close to 1, we mean that it is 1 − 2^{−Ω(n)}.
The set of all k-dimensional vectors over a domain D is written D^{k}. Similarly, (D)^{m × n} denotes all m by n matrices whose entries belong to D. The Euclidean norm of a vector x = (x_{1}, ⋯, x_{n}) ∈ R^{n} is \( \left\Vert x\right\Vert =\sqrt{\sum \limits_i{x}_i^2} \), and the associated distance between two vectors x and y is dist(x, y) = ‖x − y‖. The distance function is extended to sets in the customary way: dist(x, S) = dist(S, x) = min_{y ∈ S} dist(x, y), where x is a point, S is a set, and y ∈ S. We often use matrix notation to denote sets of vectors. For example, the matrix S ∈ R^{n × m} represents the set of n-dimensional vectors s_{1}, ⋯, s_{m}, where s_{1}, ⋯, s_{m} are the columns of S. [A | B] denotes a block matrix whose left part is A and whose right part is B. We denote the maximum norm of the column vectors in S by ‖S‖ and the number of all elements in S by |S|. For the vectors x = (x_{1}, ⋯, x_{n}) and y = (y_{1}, ⋯, y_{n}) in R^{n}, 〈x, y〉 denotes the inner product of x and y, that is, 〈x, y〉 = ∑_{i}x_{i}y_{i}. The linear space spanned by a set S of m vectors s_{1}, ⋯, s_{m} is denoted by span(S) = {∑_{i}x_{i}s_{i} : x_{i} ∈ R for 1 ≤ i ≤ m}. For any set of n linearly independent vectors in S, we define the half-open parallelepiped as \( P\left(\mathrm{S}\right)=\left\{{\sum}_i{x}_i{s}_i:0\le {x}_i<1\ \text{for}\ 1\le i\le n\right\} \). A random matrix is a matrix each of whose entries is chosen randomly from some set.
We now review some basic definitions of lattice. A lattice in R^{n} is defined as the set of all integer combinations of n linearly independent vectors. This set of vectors is known as a basis of the lattice and it is not unique.
The set of vectors b_{1}, ⋯, b_{n} is called a basis for the lattice. A basis can be represented by the matrix B = (b_{1}, ⋯, b_{n}) ∈ R^{n × n} having the basis vectors as its columns. The lattice generated by B is denoted L(B). Notice that L(B) = {Bx : x ∈ Z^{n}}, where Bx is the usual matrix-vector multiplication.
For any lattice basis B and point x, there exists a unique vector y ∈ P(B) such that y − x ∈ L(B). This vector is denoted by y = x mod B, and it can be computed in polynomial time when given B and x.
The dual of a lattice Λ in R^{n}, denoted Λ^{V}, is the lattice given by the set of all vectors y ∈ R^{n} such that 〈x, y〉 ∈ Z for all vectors x ∈ Λ.
We now recall some facts about Gaussian measures.
We know that the expected squared distance from c of a vector chosen from the distribution is nr^{2}/(2π). So D_{r, c} can be seen as a sphere of radius \( r\sqrt{n/\left(2\pi \right)} \) centered around c. Notice that a sample from the above Gaussian distribution can be obtained by taking n independent samples from the 1-dimensional Gaussian distribution.
We refer to D_{L, r, c}(x) as a discrete Gaussian distribution. And for a large enough r, D_{L, r, c} behaves in many respects like the continuous Gaussian distribution D_{r, c}. In particular, vectors distributed according to D_{L, r, c} have an average value which is very close to the center c and the expected squared distance from the vector c is very close to nr^{2}/(2π). The center vector is zero sometimes and is omitted.
We give the definition of smoothing parameter introduced by Micciancio and Regev.
Lemma 2.4 [17]. For any lattice Λ, real ε > 0 and s ≥ η_{ε}(Λ), and c ∈ H, we have ρ_{s}(Λ + c) ∈ [1 ± ε]s^{n} det(Λ)^{−1}.
3 New hard random lattice
We will give a new method of generating a hard random lattice along with short bases by using our regularity theorem in this section. On the topic of hard random lattice with short bases, the large hard random matrix and its corresponding short base are required simultaneously in cryptography to ensure the security. But the matrix in our regularity theorem needs to be a special form, that is, the left part is an identity matrix and the right part is a random matrix. So we must first transform the hard random matrix into the special form matrix.
We now describe our basic framework for constructing our new hard random lattice and the corresponding short basis.
Firstly, we must ensure that the large hard random matrix contains an invertible submatrix, and we will prove that any k × l_{1} random matrix A uniformly chosen from \( {\left({\mathrm{Z}}_q\right)}^{k\times {l}_1} \), with very great probability, contains k independent column vectors, that is, A contains an invertible submatrix.
Secondly, our regularity theorem, which can be extended to a useful corollary, will be stated and proved. Moreover, an effective parameter will be calculated in the regularity theorem, which ensures that our hard random lattice with a short basis is generated.
Thirdly, we will give the new construction of generating the hard random lattice with a short basis and the framework of our algorithm by using the fact in the first part of this section and the regularity in the second part of this section.
Fourthly, the concrete expression of each matrix in the algorithm is given.
Finally, the quality of the short basis S will be analyzed.
3.1 Generate a random matrix containing an invertible submatrix
Let q be an integer and Z_{q} be a modular q residue ring. Let \( \mathbf{A}\in {\left({\mathrm{Z}}_q\right)}^{k\times {l}_1} \) be a random matrix where k, l_{1} ∈ Z whose entries are chosen randomly from Z_{q}.
Case 1: Let p be a prime integer and \( q={p}^{\overline{k}} \) be an integer for some integer \( \overline{k} \). It is obvious that a submatrix on (Z_{q})^{k × k} contained in A is invertible if and only if the submatrix mod p is invertible.
Firstly, we choose a k-dimensional vector on Z_{q}^{k} randomly; the probability that the vector can be one column of the invertible submatrix of A is \( \frac{\left({p}^k-1\right){p}^{k\left(\overline{k}-1\right)}}{q^k}=\frac{{p}^k-1}{p^k} \). Then we let this column be the first column of A.
After fixing the first column of A, we choose a k-dimensional vector randomly on \( {Z}_q^k \) again; the probability that this vector can be another column of the invertible submatrix of A is \( \frac{\left({p}^k-p\right){p}^{k\left(\overline{k}-1\right)}}{q^k}=\frac{p^k-p}{p^k} \). Similarly, we let this column be the second column of A.
And so on: after fixing the first k − 1 columns of A, the probability that a randomly chosen vector can be the kth column of the invertible submatrix of A is \( \frac{p^k-{p}^{k-1}}{p^k} \).
Thus, when we choose a matrix A randomly on \( {\left({\mathrm{Z}}_q\right)}^{k\times {l}_1} \), the probability that A contains an invertible submatrix is \( \prod \limits_{i=1}^k\left(1-\frac{1}{p^i}\right) \).
Case 2: From another perspective, let \( q={p}_1^{k_1}{p}_2^{k_2}\cdots {p}_t^{k_t} \), where each p_{i} is a prime and k_{i} ∈ Z (i = 1, 2, ⋯, t). Similarly, the probability of generating a random matrix on \( {\left({\mathrm{Z}}_q\right)}^{k\times {l}_1} \) which contains an invertible submatrix in t steps is \( \prod \limits_{s=1}^t\prod \limits_{i=1}^k\left(1-\frac{1}{{p_s}^i}\right) \).
If l_{1} ≫ k, then any k × l_{1} random matrix A uniformly chosen from \( {\left({\mathrm{Z}}_q\right)}^{k\times {l}_1} \) contains, with very great probability, k independent column vectors, and we suppose these columns are the first k columns of A. After proper elementary matrix transformations, A can be written as \( \left(\mathbf{I}\mid \overline{\mathbf{A}}\right) \), where I is a k × k identity matrix and \( \overline{\mathbf{A}} \) is a k × (l_{1} − k) uniformly random matrix on \( {\left({\mathrm{Z}}_q\right)}^{k\times \left({l}_1-k\right)} \). The columns of A then generate all of Z_{q}^{k}.
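The Case 1 product can be checked by brute force for small parameters. The following added example (not code from the paper) counts the invertible k × k matrices over Z_q exactly and reduces a constructed wide matrix to the form (I | Ā). It assumes row operations, which leave the solution set of Ax = 0 mod q unchanged; the function names and the sample matrix are illustrative.

```python
from itertools import product
from math import prod


def predicted_probability(p, k):
    """Product from Section 3.1, Case 1: prod_{i=1..k} (1 - 1/p^i)."""
    return prod(1 - p ** -i for i in range(1, k + 1))


def reduce_to_identity_form(A, p, e):
    """Row-reduce A (k x l1 over Z_q, q = p^e) so its first k columns become I.

    Returns the reduced matrix (I | A_bar), or None when the leading k x k
    block is not invertible modulo q.
    """
    q = p ** e
    k = len(A)
    M = [[x % q for x in row] for row in A]
    for c in range(k):
        # A usable pivot must be a unit of Z_q, i.e. not divisible by p.
        piv = next((r for r in range(c, k) if M[r][c] % p != 0), None)
        if piv is None:
            return None
        M[c], M[piv] = M[piv], M[c]
        inv = pow(M[c][c], -1, q)
        M[c] = [(x * inv) % q for x in M[c]]
        for r in range(k):
            if r != c and M[r][c]:
                f = M[r][c]
                M[r] = [(x - f * y) % q for x, y in zip(M[r], M[c])]
    return M


def exact_invertible_fraction(p, e, k):
    """Fraction of all k x k matrices over Z_{p^e} that are invertible."""
    q = p ** e
    total = hits = 0
    for entries in product(range(q), repeat=k * k):
        M = [list(entries[i * k:(i + 1) * k]) for i in range(k)]
        total += 1
        hits += reduce_to_identity_form(M, p, e) is not None
    return hits / total


# Constructed sample over Z_9 (k = 2, l1 = 4); not taken from the paper.
SAMPLE = [[2, 1, 5, 7], [3, 4, 0, 8]]

if __name__ == "__main__":
    for p, e in [(2, 2), (3, 2)]:
        print(p ** e, exact_invertible_fraction(p, e, 2), predicted_probability(p, 2))
    print(reduce_to_identity_form(SAMPLE, 3, 2))
```

When the function returns None, the leading block is singular modulo p and a different set of k columns has to be moved to the front before reducing.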
3.2 Regularity
In this subsection, we state a theorem called the “Regularity Theorem” and give its proof. The regularity theorem can be widely used in cryptographic applications; it gives the important property that a special matrix multiplied by a vector sampled from a Gaussian distribution produces, with great probability, a uniform vector.
We now give our regularity theorem on integer lattices as follows:
Theorem 3.1. Let z be an integer and q ≥ 2 be an integer. Let A \( =\left({\mathbf{I}}_k\mid \overline{\mathbf{A}}\right)\in {\left({\mathrm{Z}}_q\right)}^{k\times {l}_1} \), where I_{k} ∈ (Z_{q})^{k × k} is the identity matrix and \( \overline{\mathbf{A}}\in {\left({\mathrm{Z}}_q\right)}^{k\times \left({l}_1-k\right)} \) is a uniformly random matrix. Then, for all r (\( \sqrt{l_1}<r<\sqrt{l_1}{g}_s \)), \( {E}_{\overline{\mathbf{A}}}\left[{\rho}_{1/r}\left({\Lambda}^{\perp }{\left(\mathrm{A}\right)}^{\mathrm{V}}\right)\right]\le 1+{2}^{-\Omega (k)} \).
From the fact that the matrix A contains an identity submatrix, together with Lemma 2.4, we obtain the following more applicable corollary.
Corollary 3.2. Let Z, q, t, k, and l_{1} be as in Theorem 3.1. Assume that A \( =\left({\mathbf{I}}_k\mid \overline{\mathbf{A}}\right)\in {\left({\mathrm{Z}}_q\right)}^{k\times {l}_1} \) is chosen as in Theorem 3.1. Then, with probability 1 − 2^{−Ω(k)} over the choice of A, the distribution of Ax ∈ (Z_{q})^{k}, where each coordinate of x \( \in {\left({\mathrm{Z}}_q\right)}^{l_1} \) is chosen from a discrete Gaussian distribution with parameter r (\( \sqrt{l_1}<r<\sqrt{l_1}{g}_s \)) over Z, satisfies that the probability of each of the possible outcomes is within statistical distance 2^{−Ω(k)} of the uniform distribution over (Z_{q})^{k}.
Therefore, any random matrix A′ chosen uniformly from \( {{\mathrm{Z}}_q}^{k\times {l}_1} \) can, after proper elementary matrix transformations and with great probability, be written in the special form \( \left(\mathbf{I}\mid \overline{\mathbf{A}}\right) \), where \( \overline{\mathbf{A}}\in {{\mathrm{Z}}_q}^{k\times \left({l}_1-k\right)} \) is a uniformly random matrix. That is, \( \mathbf{A}\hbox{'}\mathbf{T}{=}_c\mathbf{A}=\left(\mathbf{I}\mid \overline{\mathbf{A}}\right)\in {{\mathrm{Z}}_q}^{k\times {l}_1} \), where T is the product of the proper elementary transformation matrices. Similarly, for a matrix \( \mathbf{R}\in {{\mathrm{Z}}_q}^{l_1\times {l}_2} \) whose entries are chosen from a Gaussian distribution with parameter r (\( \sqrt{l_1}<r<\sqrt{l_1}{g}_s \)), we know that AR is a uniformly random matrix on \( {Z}_q^{k\times {l}_2} \).
3.3 Framework of our new algorithm
Using the regularity theorem and its corollary obtained in the previous subsection, this subsection gives the algorithm for constructing a hard random lattice with a short basis. Our construction is simple and has a guaranteed bound on basis quality.
Let l = l_{1} + l_{2} for some sufficiently large dimensions l_{1} and l_{2}. Before discussing our algorithm, we first take a uniformly random matrix \( \mathbf{A}\hbox{'}\in {Z}_q^{k\times {l}_1} \); then, using the proper elementary transformation matrices, we obtain the special form matrix \( \mathbf{A}=\left(\mathbf{I}\mid \overline{\mathbf{A}}\right) \), where A is a uniformly random matrix with great probability.
Our algorithm for constructing a hard random lattice with a short basis is given, where the input of the algorithm is the uniformly random matrix \( \overline{\mathbf{A}}\in {Z}_q^{k\times \left({l}_1-k\right)} \).
and \( \overline{\mathbf{A}} \) can be extended to the matrix \( \mathbf{G}=\left(\mathbf{A}\mid {\mathbf{A}}_1\right)=\left(\mathbf{I}\mid \overline{\mathbf{A}}\mid {\mathbf{A}}_1\right)\in {Z}_q^{k\times l} \) by generating \( {\mathbf{A}}_1\in {Z}_q^{k\times {l}_2} \) together with some short basis \( \mathbf{S}=\left(\begin{array}{cc}\mathbf{I}-\mathbf{RP}& -\left(\mathbf{R}+\mathbf{F}\right)\mathbf{B}\\ {}\mathbf{P}& \mathbf{B}\end{array}\right)\in {Z}^{l\times l} \) of Λ^{⊥}(G).

B is nonsingular and typically unimodular;

F has entries that grow geometrically, in a way related to the parameter q and the special matrix A;

P is a short matrix depending on F such that FP is short;

R is a random short matrix whose entries are drawn from a Gaussian distribution with parameter r, where \( \sqrt{l_1}<r<\sqrt{l_1}{g}_s \).
The matrix A′ is a uniformly random matrix on \( {\mathrm{Z}}^{k\times {l}_1} \), so the matrix A′T is also a uniformly random matrix, which follows from the uniformity of A′. The matrix (A′T | A′T(R + F)) = (A | A(R + F)) is near-uniformly random because of the random choice of R, whose entries are drawn from a Gaussian distribution, by Theorem 3.1 and its corollary.
Consider the matrix \( \mathbf{A}=\left(\mathbf{I}\mid \overline{\mathbf{A}}\right)\in {\mathrm{Z}}_q^{k\times {l}_1} \), and let \( {\Lambda}^{\perp}\left(\mathbf{A}\right)=\left\{\mathbf{x}:\mathbf{x}\in {Z}^{l_1},\mathbf{Ax}=\mathbf{0}\bmod q\right\} \). Obviously, a basis matrix of the lattice Λ^{⊥}(A) can be obtained, that is, \( \mathbf{H}=\left(\begin{array}{cc}q\mathbf{I}& \overline{\mathbf{A}}\\ {}\mathbf{0}& \mathbf{I}\end{array}\right) \).
is a nonsingular matrix.
In the block structure, the matrices P, B, and R are short, and so are the matrices RP and RB. The norm of F, however, is large, so we must use B to reduce the norm of the block matrix, such that the matrix FB is also short. Then, the block matrix \( \left(\begin{array}{cc}\mathbf{I}-\mathbf{RP}& -\left(\mathbf{R}+\mathbf{F}\right)\mathbf{B}\\ {}\mathbf{P}& \mathbf{B}\end{array}\right) \) is short. At the same time, we must ensure that the matrix equation I + FP = H holds.
Lemma 3.3. The algorithm shows that if I + FP ⊂ Λ^{⊥}(A), we have S ⊂ Λ^{⊥}(G). Moreover, S is a basis of Λ^{⊥}(G) if and only if I + FP is a basis of Λ^{⊥}(A).
Proof. It is obvious that A(I + FP) = 0 mod q implies GS = 0 mod q, that is, I + FP ⊂ Λ^{⊥}(A) implies S ⊂ Λ^{⊥}(G).
Then S is a basis of Λ^{⊥}(G) exactly when I + FP is a basis of Λ^{⊥}(A).
Now we know that the block matrix S is a basis of Λ^{⊥}(G); the remaining problem is that S must be relatively short. By the above discussion, the matrices B and R are short, where B is unimodular and R is chosen from a Gaussian distribution on \( {Z}^{l_1\times {l}_2} \); moreover, the matrix P must be short, and the columns of I + FP are ensured to be nontrivial vectors in Λ^{⊥}(A). So a part of the matrix F should be long. Simultaneously, the matrix FB must be short because it is a part of −(R + F)B where R and R are short or a part of the block matrix B.
3.4 Concrete expression
The framework of our algorithm for constructing the hard random lattice with a short basis was given in the previous subsection. In this subsection, the concrete expression of each matrix in our algorithm will be shown as follows.
Given any random matrix A′ chosen uniformly on \( {Z_{\mathrm{q}}}^{k\times {l}_1} \), after proper elementary matrix transformations, A′ can be written as \( \left(\mathbf{I}\mid \overline{\mathbf{A}}\right) \), where \( \overline{\mathbf{A}} \) is a uniform matrix on \( {Z_{\mathrm{q}}}^{k\times \left({l}_1-k\right)} \) with great probability. The chosen uniformly random matrix A′ corresponds to the form \( \mathbf{A}=\left(\mathbf{I}\mid \overline{\mathbf{A}}\right) \), where \( \overline{\mathbf{A}} \) is uniformly random. So we can give \( \overline{\mathbf{A}} \). By the discussion in the last subsection, H is the basis of Λ^{⊥}(A), and we let H = I + FP. So FP = H − I = \( \left(\begin{array}{cc}\left(q-1\right)\mathbf{I}& \mathbf{A}\\ {}\mathbf{0}& \mathbf{0}\end{array}\right) \). Let d be an integer and m = log_{d}q.
Definition of P: The columns of the matrix \( \mathbf{P}=\left({p}_1,{p}_2,\cdots, {p}_{l_1}\right)\in {\mathrm{Z}}^{l_2\times {l}_1} \) are unit vectors, written as \( {\mathbf{p}}_j={\mathbf{e}}_{jm}\in {Z}^{l_2} \) where j = 1, 2, ⋯, l_{1}. This construction of P guarantees that FP = H − I and ‖p_{j}‖^{2} = 1 (j = 1, 2, ⋯, l_{1}).
Then, \( \mathbf{FB}=\left({\mathbf{F}}^{(1)}{\mathbf{B}}_m\mid {\mathbf{F}}^{(2)}{\mathbf{B}}_m\mid \cdots \mid {\mathbf{F}}^{\left({l}_1\right)}{\mathbf{B}}_m\mid \mathbf{0}\right)\in {\mathrm{Z}}^{l_1\times {l}_2}, \) and all the entries of FB are in the range [0,d]. So the norm of each column of FB is less than or equal to \( d\sqrt{l_1} \), and FB is short.
Definition of R: The entries of the matrix \( \mathbf{R}\in {\mathrm{Z}}^{l_1\times {l}_2} \) are chosen randomly from a Gaussian distribution with parameter r, where \( \sqrt{l_1}<r<\sqrt{l_1}{g}_s \). Then, by Theorem 3.1, the entries of \( \left(\mathbf{I}\mid \overline{\mathbf{A}}\right)\mathbf{R} \) are uniform on Z_{q} with great probability. Because the parameter r is relatively large, vectors distributed according to the Gaussian distribution have an average value very close to zero and an expected squared distance from zero very close to r^{2}l_{1}/(2π). So the norm of R is less than or equal to \( r\sqrt{l_1/\left(2\pi \right)} \).
The above discussion shows that our algorithm for constructing the hard random lattice with a short basis is reasonable, and the basis of the dual lattice is indeed short. In the next subsection, we analyze the quality of the basis matrix S to show that it is short.
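The block structure of Sections 3.3 and 3.4 can be checked numerically on toy parameters. The following added example (not code from the paper) builds G = (A | A(R + F)) and S and verifies FP = H − I, GS = 0 mod q, det S = q^k, and the entry range of FB. It makes these assumptions: the definitions of F and B do not appear in this text, so a base-d digit decomposition in the style of Alwen and Peikert [12] is used; the top-right block of H is taken as −Ā mod q so that AH = 0 mod q; R is a rounded continuous Gaussian; and the upper bound on r is not enforced because g_s is not defined here.

```python
import math
import random


def matmul(X, Y):
    return [[sum(a * b for a, b in zip(row, col)) for col in zip(*Y)] for row in X]


def det(M):
    """Exact integer determinant by Bareiss fraction-free elimination."""
    M = [row[:] for row in M]
    n, sign, prev = len(M), 1, 1
    for i in range(n - 1):
        if M[i][i] == 0:
            swap = next((r for r in range(i + 1, n) if M[r][i]), None)
            if swap is None:
                return 0
            M[i], M[swap] = M[swap], M[i]
            sign = -sign
        for r in range(i + 1, n):
            for c in range(i + 1, n):
                M[r][c] = (M[r][c] * M[i][i] - M[r][i] * M[i][c]) // prev
        prev = M[i][i]
    return sign * M[-1][-1]


def build_and_check(k=2, l1=4, d=2, m=4, seed=1):
    """Toy parameters (constructed, far too small for any security)."""
    rng = random.Random(seed)
    q, l2 = d ** m, l1 * m                      # q = d^m, so m = log_d q
    eye = lambda n: [[int(i == j) for j in range(n)] for i in range(n)]
    Abar = [[rng.randrange(q) for _ in range(l1 - k)] for _ in range(k)]
    A = [eye(k)[i] + Abar[i] for i in range(k)]           # A = (I | Abar)
    # H: basis of {x : Ax = 0 mod q}; assumed top-right block -Abar mod q
    H = eye(l1)
    for i in range(k):
        H[i][i] = q
        for j in range(l1 - k):
            H[i][k + j] = -Abar[i][j] % q
    HmI = [[H[i][j] - (i == j) for j in range(l1)] for i in range(l1)]
    # Assumed F: block j holds column j of H - I divided by d^(m-1), ..., d^0
    F = [[HmI[i][c // m] // d ** (m - 1 - c % m) for c in range(l2)] for i in range(l1)]
    # P: column j is the unit vector e_{jm}, selecting the last column of block j
    P = [[int(r == j * m + m - 1) for j in range(l1)] for r in range(l2)]
    # Assumed B: unimodular, 1 on the diagonal and -d above it inside each block
    B = eye(l2)
    for c in range(l2):
        if c % m:
            B[c - 1][c] = -d
    # R: rounded continuous Gaussian, a stand-in for a discrete Gaussian sampler
    sigma = 1.5 * math.sqrt(l1) / math.sqrt(2 * math.pi)   # r = 1.5 * sqrt(l1)
    R = [[round(rng.gauss(0, sigma)) for _ in range(l2)] for _ in range(l1)]
    RF = [[R[i][j] + F[i][j] for j in range(l2)] for i in range(l1)]
    A1 = [[x % q for x in row] for row in matmul(A, RF)]
    G = [A[i] + A1[i] for i in range(k)]                  # G = (A | A1)
    RP, RFB, FB = matmul(R, P), matmul(RF, B), matmul(F, B)
    top = [[(i == j) - RP[i][j] for j in range(l1)] + [-x for x in RFB[i]]
           for i in range(l1)]
    S = top + [P[i] + B[i] for i in range(l2)]            # S as in Section 3.3
    return {
        "FP_equals_H_minus_I": matmul(F, P) == HmI,
        "GS_zero_mod_q": all(x % q == 0 for row in matmul(G, S) for x in row),
        "det_S": det(S),
        "q_pow_k": q ** k,
        "FB_entry_range": (min(map(min, FB)), max(map(max, FB))),
        "max_column_norm_S": max(math.sqrt(sum(x * x for x in col)) for col in zip(*S)),
    }


if __name__ == "__main__":
    for name, value in build_and_check().items():
        print(name, value)
```

Since the columns of G generate Z_q^k, the lattice Λ^{⊥}(G) has determinant q^k, so GS = 0 mod q together with det S = q^k confirms that S is a basis and not just a set of lattice vectors.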
3.5 Analysis and comparison
4 Conclusion
In this paper, we have firstly proved that a uniformly random matrix contains an invertible submatrix and that, using elementary transformations, the uniformly random matrix can be transformed into a special matrix consisting of two parts, an identity matrix part and a uniform matrix part. Secondly, a useful regularity theorem and its corollary on Z_{q} have been proved, and the useful parameters have been obtained. Thirdly, using the above fact and corollary, a new construction of a hard random lattice with a short basis has been proposed, and we have given the framework of our algorithm. Fourthly, the concrete expression of our construction, that is, the concrete form of the matrices in our algorithm, has been given. Lastly, we have analyzed the quality of the short basis S, which shows that the quality of the short basis in our algorithm is the same as in the Alwen and Peikert algorithm.
Declarations
Acknowledgements
This work is supported by National Key R&D Program of China (no. 2017YFB0802400), National Science Foundation of China (no. 61373171) and the 111 Project (no. B08038).
Funding
This work is supported by National Key R&D Program of China No. 2017YFB0802400, National Science Foundation of China under grant no. 61373171 and the 111 Project under grant no. B08038.
Availability of data and materials
The datasets used and/or analyzed during the current study are available from the corresponding author on reasonable request.
Authors’ contributions
All authors actively participated in the discussions, and read and approved the final manuscript.
Competing interests
The authors declare that they have no competing interests.
Publisher’s Note
Springer Nature remains neutral with regard to jurisdictional claims in published maps and institutional affiliations.
Open AccessThis article is distributed under the terms of the Creative Commons Attribution 4.0 International License (http://creativecommons.org/licenses/by/4.0/), which permits unrestricted use, distribution, and reproduction in any medium, provided you give appropriate credit to the original author(s) and the source, provide a link to the Creative Commons license, and indicate if changes were made.
References
 1. C. Peikert, in Annual Cryptology Conference. An efficient and parallel Gaussian sampler for lattices (Springer, Berlin, 2010), pp. 80–97
 2. Z. Brakerski, V. Vaikuntanathan, in Advances in Cryptology – CRYPTO 2011. Fully homomorphic encryption from ring-LWE and security for key dependent message (2011), pp. 505–524
 3. S. Dov Gordon, J. Katz, V. Vaikuntanathan, in Advances in Cryptology – ASIACRYPT 2010, Lecture Notes in Computer Science. A group signature scheme from lattice assumptions, vol 6477 (2010), pp. 395–412
 4. V. Lyubashevsky, C. Peikert, O. Regev, in Advances in Cryptology – EUROCRYPT 2010. On ideal lattices and learning with errors over rings (2010), pp. 1–23
 5. V. Lyubashevsky, C. Peikert, O. Regev, in Advances in Cryptology – EUROCRYPT 2013. A Toolkit for Ring-LWE Cryptography (2013), pp. 35–54
 6. S. Ling, K. Nguyen, D. Stehlé, et al., in Public-Key Cryptography – PKC 2013. Improved zero-knowledge proofs of knowledge for the ISIS problem, and applications (Springer, Berlin, 2013), pp. 107–124
 7. D. Micciancio, C. Peikert, in Advances in Cryptology – EUROCRYPT 2012. Trapdoor for lattices: simpler, tighter, faster, smaller (2012), pp. 700–718
 8. O. Regev, Lattice-based cryptography[C]. Annual International Cryptology Conference. (Springer, Berlin, Heidelberg, 2006), pp. 131–141
 9. C. Peikert, B. Waters, Lossy trapdoor functions and their applications[J]. SIAM J. Comput. 40(6), 1803–1844 (2011)
 10. T. Poppelmann, Efficient implementation of ideal lattice-based cryptography. Inf. Technol. 59(6), 305–309 (2017)
 11. M. Ajtai, in International Colloquium on Automata, Languages, and Programming. Generating hard instances of the short basis problem (1999), pp. 1–9
 12. J. Alwen, C. Peikert, Generating shorter bases for hard random lattices. Theory Comput. Syst. 48(3), 535–553 (2011)
 13. V. Lyubashevsky, D. Micciancio, in Advances in Cryptology – CRYPTO 2009. On bounded distance decoding, unique shortest vectors, and the minimum distance problem (2009), pp. 577–594
 14. T. Laarhoven, M. Mosca, J. Van De Pol, Finding shortest lattice vectors faster using quantum search. Des. Codes Crypt. 77(2–3), 375–400 (2015)
 15. M. Ajtai, in ACM Symposium on Theory of Computing STOC. Generating hard instances of lattice problems (1996), pp. 99–108
 16. C. Gentry, C. Peikert, V. Vaikuntanathan, in Proceedings of the fortieth annual ACM symposium on Theory of computing. Trapdoors for hard lattices and new cryptographic constructions (2008), pp. 197–206
 17. D. Micciancio, O. Regev, Worst-case to average-case reductions based on Gaussian measures. SIAM J. Comput. 37(1), 267–302 (2007)