Efficient Collision-Resistant Hashing from Worst-Case Assumptions on Cyclic Lattices
Authors
Abstract
The generalized knapsack function is defined as f_a(x) = Σ_i a_i · x_i, where a = (a_1, . . . , a_m) consists of m elements from some ring R, and x = (x_1, . . . , x_m) consists of m coefficients from a specified subset S ⊆ R. Micciancio (FOCS 2002) proposed a specific choice of the ring R and subset S for which inverting this function (for random a, x) is at least as hard as solving certain worst-case problems on cyclic lattices. We show that for a different choice of S ⊂ R, the generalized knapsack function is in fact collision-resistant, assuming it is infeasible to approximate the shortest vector in n-dimensional cyclic lattices up to factors Õ(n). For slightly larger factors, we even get collision-resistance for any m ≥ 2. This yields very efficient collision-resistant hash functions having key size and time complexity almost linear in the security parameter n. We also show that altering S is necessary, in the sense that Micciancio's original function is not collision-resistant (nor even universal one-way). Our results exploit an intimate connection between the linear algebra of n-dimensional cyclic lattices and the ring Z[α]/(α^n − 1), and crucially depend on the factorization of α^n − 1 into irreducible cyclotomic polynomials. We also establish a new bound on the discrete Gaussian distribution over general lattices, employing techniques introduced by Micciancio and Regev (FOCS 2004) and also used by Micciancio in his study of compact knapsacks.
Similar sources
Generalized Compact Knapsacks Are Collision Resistant
The generalized knapsack problem is the following: given m random elements a_1, . . . , a_m in a ring R, and a target t ∈ R, find z_1, . . . , z_m ∈ D such that Σ a_i z_i = t, where D is some fixed subset of R. In (Micciancio, FOCS 2002) it was proved that for appropriate choices of R and D, solving the generalized compact knapsack problem on the average is as hard as solving certain worst-case proble...
COS 598D - Lattices, scribe: Srdjan Krstic
The first two sections are largely based on the first two lectures by Oded Regev, course "Lattices in Computer Science", Fall 2004. The third part is somewhat based on the paper by Oded Regev and Daniele Micciancio, Worst-case to Average-case Reductions based on Gaussian Measures, SIAM Journal on Computing 37(1), pp. 267-302, 2007, and to a larger extent on the paper by O. Goldreich, S. Goldwasser...
SWIFFT: A Modest Proposal for FFT Hashing
We propose SWIFFT, a collection of compression functions that are highly parallelizable and admit very efficient implementations on modern microprocessors. The main technique underlying our functions is a novel use of the Fast Fourier Transform (FFT) to achieve “diffusion,” together with a linear combination to achieve compression and “confusion.” We provide a detailed security analysis of conc...
On Ideal Lattices, Gröbner Bases and Generalized Hash Functions
In this paper, we draw connections between ideal lattices and multivariate polynomial rings over integers using Gröbner bases. Univariate ideal lattices are ideals in the residue class ring, Z[x]/〈f〉 (here f is a monic polynomial) and cryptographic primitives have been built based on these objects. Ideal lattices in the univariate case are generalizations of cyclic lattices. We introduce the no...
Journal title:
- Electronic Colloquium on Computational Complexity (ECCC)
Publication date: 2005