A Classification of Lattice-Based Trapdoor Functions

SCIS 2017 2017 Symposium on Cryptography and Information Security Naha, Japan, Jan. 24 - 27, 2017 The Institute of Electronics, Copyright c 2017 The Institute of Electronics, Information and Communication Engineers Information and Communication Engineers

A Classiﬁcation of Lattice-based Trapdoor Functions

Rakyong Choi ∗ Kwangjo Kim ∗

Abstract: A trapdoor function is a one-way function with trapdoor, which is indispensable for getting a preimage of the function. In lattice-based cryptography, trapdoor function plays an important role in constructing the secure cryptographic schemes like identity-based encryption, homomorphic encryption, or homomorphic signature. There are three categories of trapdoor functions as standard trapdoor, lossy trapdoor, and homomorphic trapdoor functions. Lossy trapdoor function is a trapdoor function that behaves in two ways as a standard trapdoor function or by losing information from the input. Homomorphic trapdoor function can evaluate the computation of trapdoor function results. In this paper, we survey all the public literature on lattices studying lattice-based trapdoor functions and their preimage sampling algorithms to the best of our knowledge. Then, we classify these trapdoor functions into three categories depending on their cryptographic features and suggest their feasibility to design cryptographic primitives. Keywords: lattice-based trapdoor function, (preimage) sampling algorithm, lossy trapdoor function, homomorphic trapdoor function

1 Introduction a formal definition of trapdoor functions and construction of Gentry et al.’s lattice-based trapdoor function. 1.1 Background and Motivation Then, we introduce the various trapdoor functions with After Ajtai’s seminal work [1] on lattices, lattices their applications. have become one of the essential tools in cryptology. The description and applications of lossy trapdoor Lattice-based cryptography is one candidate of post functions and homomorphic trapdoor functions are dis- quantum cryptography, which remains secure against cussed in Sections 4 and 5, respectively. Finally, we give the upcoming quantum computer. It has the advan- concluding remarks and possible directions for future tage of the security based on the worst-case hardness work in Section 6. assumptions instead of average-case hardness assumptions. With these advantages, lattices have been ap- 2 Preliminaries plied to various areas in cryptology recently such as identity-based encryption [2], fully homomorphic en- 2.1 Notation cryption [3–5], multilinear maps [6], and homomorphic We denote vectors with small bold letters (e.g., x, signatures [7–9]. y) and matrices with large bold letters (e.g., A, B). A trapdoor function samples a preimage of a given We denote R and Z to express the set of real numbers output with a trapdoor but remains as a one-way func- and the set of integers, respectively, and small non-bold tion without its trapdoor. To construct cryptographic letters to express real numbers (e.g., a, b, c). primitives on lattices and prove their security rigor- For any integer q ≥ 2, Zq denotes the ring of integers n×m ously, we should find the proper lattice-based trapdoor modulo q and Zq denotes the set of n × m matrices n×m1 n×m2 function. In order to choose the proper trapdoor func- with entries in Zq. When A ∈ Zq , B ∈ Zq , tion, we study the literature on lattice-based cryptog- we write the concatenation of A and B as [A | B] ∈ raphy. Then, we categorize the types of trapdoor func- n×(m1+m2) T Zq and a transpose of A as A . tions depending on their cryptographic features and kxk represents the Euclidean norm of a vector x suggest their feasibility to design cryptographic primi- and kBk represents the maximum of Euclidean norms tives. of the columns of a matrix B. For instance, when B = {b |b | · · · |b }, kBk = max kb k. Then, we 1.2 Outline of the Paper 1 2 m i i denote Be = {be1|be2| · · · |bem} for the Gram-Schmidt or- In this work, we provide the formal definition of three thogonalization of columns of B and denote kBe k = types of trapdoor functions and their applications. Sec- max kb k for Gram-Schmidt norm of B. tion 2 describes a notation in this paper and some back- i ei ground on lattices including hard lattice problems and 2.2 Hard Problems on Lattices discrete Gaussian distribution. In Section 3, we give A lattice Λ can be defined as a discrete subgroup of ∗ School of Computing, KAIST. 291, Daehak-ro, Yuseong-gu, Rm with its basis B. A basis B of Λ is a set of linearly Daejeon, South Korea 34141. {thepride, kkj}@kaist.ac.kr

1 independent vectors B = {b1, b2, ··· , bm} which spans 3 Trapdoor Functions the lattice Λ and B = (b |b | · · · |b ) is called a basis 1 2 m We give a formal definition and security requirements matrix of the lattice Λ. to make trapdoor functions and the concrete construc- Integer lattices are defined as a subgroup of m in- Z tion of lattice-based trapdoor functions by Gentry et stead of m. For a matrix A ∈ n×m, we can denote R Zq al. [10]. Then, we discuss several trapdoor functions lattices as a set Λu(A) = {e ∈ m|A · e = u mod q} q Z on lattices and their applications in cryptographic pro- and as a set Λ⊥(A) = {e ∈ m|A · e = 0 mod q} when q Z tocols. u = 0. Shortest Vector Problem (SVP) is to find the non- 3.1 Lattices and Trapdoor Functions zero lattice vector v which is the closest to the origin, Gentry et al. [10] proposed the notion of preimage in a lattice Λ, and Closest Vector Problem (CVP) is to sampleable (trapdoor) functions whose preimage can find the lattice vector v in a lattice Λ which is the clos- be efficiently sampled using the trapdoor as below: est to the vector w. Both SVP and CVP are considered as a worst-case hardness problem in lattice. On the TrapGen(n) : other hand, there are two popular average-case hard- Output a description A for a function fA : Dn → ness problems in lattice which can be reduced to the Rn and its trapdoor information T. In the con- aforementioned worst-case hardness problem in lattice. text of lattice-based cryptography, a description One is called Short Integer Solution (SIS) problem, A is a matrix for a lattice ΛA and a trapdoor which can be used to construct one-way functions or information T is a short basis for ΛA. signature schemes and the other is Learning With Er- rors (LWE) problem whose decisional version is used SampleDom(n) : for guaranteeing the security of encryption schemes like Sample an e from a distribution over the domain identity based encryption and fully homomorphic en- Dn where the output distribution fA(e) ← Rn is cryption schemes. There are also ring variant of these uniform. problems. The formal definition of SIS and LWE problems are given below. SamplePre(A, T, y) : Sample a preimage x ∈ Dn such that fA(x) = Definition 1. (SIS problem) Given a matrix A ∈ y ∈ Rn. n×m Zq with m ≥ n log q and its corresponding lattice ⊥ m This function behaves as a one-way function without Λq (A) = {e ∈ Z |A·e = 0 mod q, }, it is hard to find trapdoor. they also defined the collision-resistance of a small vector e ∈ Λ⊥(A), such that kek ≤ β for some √ q the trapdoor functions as the one for hash functions. β ≥ n log q and A · e = 0 (mod q), whose coefficients Alwen and Peikert [11] proposed the lattice-based are −1, 0, or 1. trapdoor generation algorithm L.TrapGen (n, m, q) n×m which generates a matrix A ∈ Zq with its “trap- Definition 2. (LWE problem) For a positive integer door” matrix T ∈ m×m satisfying the following func- n Z m, n with m > n, integer q ≥ 2, a vector s ∈ Zq , and a tionality: probability distribution D on the interval [0, q)m, it is hard to distinguish between uniformly chosen (A, y) ← L.TrapGen(n, m, q) : n×m m T Zq × [0, q) and the sampling (A, A s+e mod q) For the security parameter n, m = d6n log qe and n×m where A ← Zq and e ← D. an integer q, this algorithm outputs a matrix A ∈ n×m Zq and its trapdoor matrix T such that T is 2.3 Discrete Gaussian Distribution ⊥ a basis of Λq (A) with low Gram-Schmidt norm m √ Given L as any subset of Z , a Gaussian function kTek ≤ 30 n log q. on Rm with center c and a parameter γ can be defined 2 2 m as ργ,c(x) = exp(−πkx-ck /γ ) for any vector c ∈ R Without loss of generality, we assume that a matrix and any positive parameter γ > 0, A ← L.TrapGen(n, m, q) has a full rank. Then, the For a subset L ⊂ m, we can define discrete Gaus- distribution of the output of L.TrapGen(n, m, q) can Z √ sian distribution, which is the m-dimensional Gaussian be sampled efficiently for γ ≥ kTek · ω( log n) where T distribution whose support is restricted to the subset is a trapdoor matrix of an n-dimensional lattice Λ as L and its density function is defined as below:

ργ,c(x) L.SamplePre(A, T, γ, b) : DL,γ,c(x) = P y∈L ργ,c(y) This is a preimage sampling algorithm for a matrix A ∈ n×m, its trapdoor matrix T ∈ m×m, and for the sake of simplicity, we denote ργ (x) and Zq Zq a real number γ > 0, and a vector b ∈ n. This DL,γ (x) when a center c = 0. Z algorithm outputs a sample s from a distribution that is statistically close to D u . Λq (A),γ

2 The above two algorithms L.TrapGen(n, m, q) and The benefit of using a two-sided function is that we L.SamplePre(A, T, γ, b) construct a collision-resistant use the “firm” preimage trapdoor TA that can always trapdoor function assuming SIS problem in lattices with sample the preimage in the real scheme, whereas we discrete Gaussian distribution and can be essential tools use the “fickle” preimage trapdoor TB for a matrix to make lattice-based signature schemes. B which sometimes “vanishes” depending on a given message. 3.2 Application of Trapdoor Functions In the signature scheme, they generated l+1 random Following Gentry et al.’s work [10], there are variants matrices C0, C1, ··· , Cl for a message m with length l Pl mi of techniques to use trapdoor functions. and “mixed” them as Cm = i=0(−1) Ci where mi In 2009, Peikert [12] introduced the notion of chosen- is the i-th value of the message m. Then, they built output security for trapdoor functions to construct a practical and fully secure signatures and identity based secure cryptosystem against a chosen-ciphertext attack. encryption in the standard model by achieving this en- To get this property, a new deterministic polynomial- coding framework. time algorithm Ver(A, s, b) called a preimage verifier was introduced. Then, we say a trapdoor function is Brakerski and Kalai [2] introduced the formal defini- chosen-output secure if it satisfies the following: tion of a ring trapdoor function and gave a generic construction of ring signature scheme from a ring trapdoor 1. (Completeness) For any s ∈ Dn, Ver(A, s, b) ac- function. We present a ring homomorphic function for cepts with overwhelming probability when fA(s) = lattices which satisfies the following: b. 1. Sampling a function: 2. (Uniqueness) For any b ∈ Rn, there is at most n×m We can sample a random matrix A ∈ Zq and one value of s where fA(s) = b is accepted. the function fA(x) = Ax. 3. (Correctness) For any b ∈ Rn, b has a valid 2. Sampling a trapdoor: preimage s. i.e. s ← SamplePre(A, T, γ, b) We can generate a pair of a random matrix A . and its trapdoor T using the trapdoor generation algorithm L.TrapGen(n, m, q). Cash et al. [13] introduce the technique to extend the basis to higher dimension in the concept of bonsai 3. Trapdoor property: trees using the following algorithm. n×m Given A1, A2, ··· , At ∈ Zq , a trapdoor Si for some A , and a vector v ∈ n, we can sample ExtBasis(T, B) : i Zq n×m xj from a distribution X for all j 6= i and use For the trapdoor matrix T of A ∈ Zq and the 0 Si to sample xi from X such that Aixi = v − matrix B = AkA0 ∈ n×(m+m ), this algorithm P Zq j6=i Ajxj. ⊥ outputs a basis S for Λq (B) with kSek = kTek in polynomial time, i.e., Gram-Schmidt norm of S 4. Ring one-wayness: is equal to that of T. The above trapdoor function is a one-way function assuming the hardness of SIS problem. The above algorithm indicates the controlled growth of the bonsai tree and the hierarchy of the lattices has Wang and Sun [15] also designed a ring signature a well-quasi-ordering where any short basis of a parent using a different sampling algorithm for ring trapdoor lattice can be easily extended to a short basis of any functions. higher-dimensional child lattice. They introduced a new preimage sampling algorithm They showed that this technique can be applicable GenSamplePre(AS, AR, TR, γ, y) using the lattice ba- to a hash-then-sign signature without random oracles sis delegation technique. and a hierarchical identity-based encryption scheme. Let k, k1, k2, k3, k4 be positive integers as k = k1 +

k2 + k3 + k4. We write AS = [AS1 | AS2 | AS3 | AS4 ] n×km n×kim Boyen [14] proposed the general framework to en- ∈ Zq where ASi ∈ Zq for each i and AR = n×(k1+k3)m code all bits at once by lattice trapdoor mixing and [AS1 | AS3 ] ∈ Zq and its trapdoor TR. Then, vanishing techniques. one can sample a preimage from a vector y as below: In that signature scheme, they introduced a new generation algorithm TwoSideGen(1λ) by slightly modi- GenSamplePre(AS, AR, TR, γ, y) : fying Cash et al.’s extending basis algorithm. a. Sample e ∈ n×k2m and e ∈ n×k4m. TwoSideGen(1λ) outputs two random matrices A ∈ S2 Zq S4 Zq n×m m×m b. Let z = y − A e − A e and sam- Zq and R ∈ Zq where A is uniform and R is S2 s2 S4 s4 n×m n×(k1+k3)m from some distribution R. Then, for some B ∈ Zq , ple eR = [eS1 | eS3 ] ∈ Zq from n×2m F = [A | AR + B] ∈ Zq and q deﬁnes the public L.SamplePre (AR, TR, γ, z). parameters of a two-sided function. c. Output e = [eS | eS eS | eS ]. (F, q) is indeed a trapdoor function that samples the 1 2 3 4 preimage with a trapdoor for either A or B.

3 Compared to Brakerski and Kalai’s work [2], Wang Fltdf : Fltdf (A, ·) computes an injective function fA(·) and Sun’s work gives ring signature scheme in the ran- over the domain {0, 1}n. dom oracle model. −1 −1 −1 Micciancio and Peikert [16] gave a new concept of Fltdf : Fltdf (T, ·) computes fA (·). If a value y ∈ n trapdoors called a “gadget” trapdoor and suggested sim- {0, 1} doesn’t have a preimage, then the behav- −1 pler and more efficient algorithms for inverting LWE, ior of Fltdf (T, ·) is not clear and thus, we need to sampling SIS preimages, and delegating basis securely. check the correctness. n×w They defined a primitive matrix G ∈ Zq satis- w n For the security of lossy trapdoor functions, the dis- fying G · Z = Zq and constructed a lattice with G. n×m n×w tribution of the output of Sinj(·) = Sltdf (·, 1) and the Then, given A ∈ Zq and G ∈ Zq , they intro- (m−w)×w output of Slossy(·) = Sltdf (·, 0) should be hard to dis- duced a new notion of G-trapdoor R ∈ Zq and tinguish. n×n R In lattice-based constructions, they use the relaxed tag (label) of the trapdoor H ∈ Zq where A = I term called “almost-always” lossy trapdoor functions HG and H is invertible. such that there is only a negligible probability that There are efficient algorithms for generating trap- f (·) is not injective or F −1 (T, ·) incorrectly computes doors, inverting LWE, sampling SIS preimages, and A ltdf f −1(·) for some input. delegating basis securely. Among them, we describe A If we extend this concept to a tree-like construction the new trapdoor generation algorithm by Micciancio for more than two functions by denoting each leaf as a and Peikert [16] as below: function, then we call it an all-but-one (ABO) trapdoor MP.TrapGen(A∗, H) : function if only one leaf expresses a lossy function. ∗ n×m∗ Lossy trapdoor functions can be applied to many Given a matrix A ∈ Zq and an invertible n×n cryptographic primitives like pseudorandom generators, matrix H ∈ Zq , we can generate a matrix ∗ ∗ n×m collision-resistant hash functions, and oblivious trans- A = [A | HG − A R] ∈ Zq for a matrix m∗×w fer protocols. R ∈ Zq . 4.2 Application of Lossy Trapdoor Functions Since the size of a G-trapdoor grows linearly in the lattice dimension m, the basis delegation algorithm After Peikert and Waters [18] had introduced the becomes much more efficient than previous work by concept of lossy trapdoor functions, Bellare et al. [19] Cash et al. [13] and derive faster implementation on and Qin et al. [20] extended the notion as identity- lattice-based cryptography such as threshold protocols based lossy trapdoor functions and leakage-resilient lossy for lattice-based signatures or hierarchical identity-based trapdoor functions, respectively, without using lattices encryption [17]. as a main tool. Meanwhile, Xie et al. [21] introduced the notion of 4 Lossy Trapdoor Function inner-product trapdoor and inner-product lossy trapdoor functions to construct an inner-product encryp- In this section, we give a formal definition and secu- tion scheme from lattices. rity requirements of lossy trapdoor functions and dis- An inner-product trapdoor function consists of four cuss several applications of lossy trapdoor functions poly-time algorithms (IP.Param, IP.TrapGen, IP.Eval, from the literature. IP.Inv) with the following functionality:

4.1 Deﬁnition and Security Requirements IP.Param(n, l): In 2011, Peikert and Waters [18] proposed a general Given a security parameter n and a predicate cryptographic primitive called lossy trapdoor functions length parameter l, it computes a public parame- and its construction based on Diﬃe-Hellman problem ter params = (A, B, {Aij}) and a master secret and LWE problem. key msk = TA using L.TrapGen(n, m, q). As a security parameter, n(λ) = poly(λ) represents the input length of the trapdoor function, k(λ) ≤ n(λ) IP.TrapGen(params, a, msk): represents the lossiness of the collection, and r(λ) = Given a predicate a ∈ Zq, it outputs an inversion n(λ) − k(λ) represents the residual leakage. key ska = Sa where Sa is a basis for a matrix Then, (n, k)-lossy trapdoor function is a tuple of Ua = [A | ΣiΣjaijAij] by ExtBasis(TA, Ua). −1 poly-time algorithms (Sltdf ,Fltdf ,Fltdf ) with the fol- IP.Eval(params, b, m): lowing functionality: Given an attribute b ∈ Σ and an input value m, it outputs an output value C by some matrix S : S (·) = S (·, 1) generates a description A of b ltdf inj ltdf multiplication. a function fA and its trapdoor information T like the normal trapdoor function. But, Slossy(·) = IP.Inv(params, ska, {Cb, b}): Sltdf (·, 0) outputs a description A of a function Given an function value {Cb, b}, this algorithm fA but ⊥ for trapdoor information. outputs an inverse value m.

4 Alwen et al. [22] introduced new lossy trapdoor func- H.Evalin and H.Evalout : tions and ABO trapdoor functions based on Learning From a function g and a tuple of {ui, xi, vi}, it With Rounding (LWR) problem, instead of standard outputs u∗ and v∗. LWE problem, as below: The security requirements of homomorphic trapdoor Definition 3. (LWR problem) For a security pa- functions (HTDF security) are the one-wayness of the rameter λ and corresponding integers n = n(λ), m = function without trapdoors and somewhat claw-freeness which holds when it is negligible to find u, u0 ∈ U and m(λ), q = q(λ), p = p(λ), LWR problem states that for 0 0 x 6= x ∈ X such that f (u) = f 0 (u ). A colli- m×n n m pk,x pk,x a given A ← Zq , s ← Zq , and u ← Zq , A, bA · scp sion resistance property is not necessary for the security of homomorphic trapdoor functions and the existential and A, bucp are computationally indistinguishable. unforgeability of fully homomorphic signatures. They define the l(λ)-entropic lossy trapdoor func- 5.2 Application of Homomorphic Trapdoor Func- tions and l(λ)-entropic ABO trapdoor functions by mod- tions ifying the definition of the lossiness as losing the entropy and give a construction based on LWR problem. As an extension of Gorbunov et al.’s trapdoor function [9], Alperin-Sheriff [23] define the notion of punc- Injective functions : turable homomorphic trapdoor functions to get shorter For any (pk, sk) from Gen(1λ, injective) we get signature scheme, by combining homomorphic trap- −1 F (sk, F (pk, s)) = s for all s and fpk(·) is a door functions with lattice mixing and vanishing tech- injective function. nique [14].

λ Wang et al. [24] suggested the identity-based homo- Lossy functions : For pk ← Gen(1 , lossy), fpk(·) morphic trapdoor functions with a better security no- loses the entropy up to l(λ). This parameter l(λ) tion by achieving collision resistance. Then, they con- is the residual leakage of this lossy trapdoor func- structed a strongly unforgeable identity-based fully ho- tion. momorphic signature scheme. Both l(λ)-entropic lossy trapdoor functions and l(λ)- Recently, Fiore et al. [25] showed a multi-key homo- entropic ABO trapdoor functions can be used to re- morphic signature scheme with the homomorphic trap- place lossy trapdoor functions by Peikert and Waters door functions. [18] in various applications. 6 Conclusion and Future Work 5 Homomorphic Trapdoor Function We investigate previous lattice-based trapdoor func- In this section, we give a formal definition and secu- tions from Gentry et al.’s trapdoor function [10] with rity requirements of homomorphic trapdoor functions an efficient sampling algorithm to Gorbunov et al.’s and the concrete construction based on lattice by Gor- recent work [9] on homomorphic trapdoor functions to bunov et al. [9]. Then, we discuss several applications construct levelled fully homomorphic signature scheme. of lossy trapdoor functions from the literature. We summarize the classification of lattice-based trapdoor functions as standard trapdoor, lossy trapdoor, 5.1 Definition and Security Requirements and homomorphic trapdoor functions with their features and cryptographic applications in Appendix A. Gorbunov et al. [9] introduced the new concept of ho- As future work, we plan to define ring homomorphic momorphic trapdoor functions to construct the levelled trapdoor function and its security requirements to con- fully homomorphic signature scheme. struct a ring homomorphic signature scheme. Conceptually, a homomorphic trapdoor function is a trapdoor function that can take a tuple of values ∗ Acknowledgement {ui, xi, vi = fpk,xi (ui)}i∈[N] and compute an input u ∗ ∗ This work was supported by the National Research and an output v = fpk,g(x1,x2,··· ,xN )(u ). Formally, a homomorphic trapdoor function consists of five poly- Foundation of Korea(NRF) grant funded by the Korea time algorithms (H.Gen, f, f −1, H.Evalin, H.Evalout) government(MSIP) (No. NRF-2015R1A2A2A01006812). with the following functionality: References H.Gen(1λ): A security parameter λ defines the index space X , [1] M. Ajtai, “Generating hard instances of lattice input space U, output space V, and input distri- problems,” in Proceedings of the Twenty-Eighth Annual ACM Symposium on Theory of Comput- bution DU where one can efficiently sample uniformly at random from V. ing, pp. 99–108, ACM, 1996. [2] Z. Brakerski and Y. T. Kalai, “A framework for fpk,x : An deterministic algorithm to get the function value. efficient signatures, ring signatures and identity based encryption in the standard model,” IACR −1 fsk,x : A probabilistic algorithm to get the inverse Cryptology ePrint Archive 2010/86, 2010.

5 [3] C. Gentry, “Fully homomorphic encryption using [15] J. Wang and B. Sun, “Ring signature schemes ideal lattices,” in Proceedings of the Forty-First from lattice basis delegation,” in International Annual ACM on Symposium on Theory of Com- Conference on Information and Communications puting, pp. 169–178, ACM, 2009. Security, pp. 15–28, Springer, 2011.

[4] Z. Brakerski and V. Vaikuntanathan, “Efficient [16] D. Micciancio and C. Peikert, “Trapdoors for lat- fully homomorphic encryption from (standard) tices: Simpler, tighter, faster, smaller,” in Annual lwe,” SIAM Journal on Computing, vol. 43, no. 2, International Conference on the Theory and Ap- pp. 831–871, 2014. plications of Cryptographic Techniques, pp. 700– 718, Springer, 2012. [5] C. Gentry, A. Sahai, and B. Waters, “Ho- momorphic encryption from learning with er- [17] R. Bendlin, S. Krehbiel, and C. Peikert, “How rors: Conceptually-simpler, asymptotically-faster, to share a lattice trapdoor: Threshold protocols attribute-based,” in Advances in Cryptology– for signatures and (h) ibe,” in Applied Cryptogra- CRYPTO 2013, pp. 75–92, Springer, 2013. phy and Network Security, pp. 218–236, Springer, 2013. [6] S. Garg, C. Gentry, and S. Halevi, “Candidate multilinear maps from ideal lattices,” in Advances [18] C. Peikert and B. Waters, “Lossy trapdoor func- in Cryptology–EUROCRYPT 2013, vol. 7881, tions and their applications,” SIAM Journal on pp. 1–17, Springer, 2013. Computing, vol. 40, no. 6, pp. 1803–1844, 2011. [7] D. Boneh and D. M. Freeman, “Linearly homo- [19] M. Bellare, E. Kiltz, C. Peikert, and B. Waters, morphic signatures over binary fields and new “Identity-based (lossy) trapdoor functions and ap- tools for lattice-based signatures,” in Public Key plications,” in Annual International Conference Cryptography–PKC 2011, pp. 1–16, Springer, on the Theory and Applications of Cryptographic 2011. Techniques, pp. 228–245, Springer, 2012. [8] D. Boneh and D. M. Freeman, “Homomorphic sig- [20] B. Qin, S. Liu, K. Chen, and M. Charlemagne, natures for polynomial functions,” in Advances “Leakage-resilient lossy trapdoor functions and in Cryptology–EUROCRYPT 2011, pp. 149–168, public-key encryption,” in Proceedings of the First Springer, 2011. ACM workshop on Asia Public-Key Cryptography, pp. 3–12, ACM, 2013. [9] S. Gorbunov, V. Vaikuntanathan, and D. Wichs, “Leveled fully homomorphic signatures from stan- [21] X. Xie, R. Xue, and R. Zhang, “Inner-product dard lattices,” in Proceedings of the Forty-Seventh lossy trapdoor functions and applications,” in Annual ACM on Symposium on Theory of Com- International Conference on Applied Cryptogra- puting, pp. 469–477, ACM, 2015. phy and Network Security, pp. 188–205, Springer, 2012. [10] C. Gentry, C. Peikert, and V. Vaikuntanathan, “Trapdoors for hard lattices and new crypto- [22] J. Alwen, S. Krenn, K. Pietrzak, and D. Wichs, graphic constructions,” in Proceedings of the For- “Learning with rounding, revisited,” in Ad- tieth Annual ACM on Symposium on Theory of vances in Cryptology–CRYPTO 2013, pp. 57–74, Computing, pp. 197–206, ACM, 2008. Springer, 2013. [11] J. Alwen and C. Peikert, “Generating shorter [23] J. Alperin-Sheriff, “Short signatures with short bases for hard random lattices,” Theory of Com- public keys from homomorphic trapdoor func- puting Systems, vol. 48, no. 3, pp. 535–553, 2011. tions,” in Public Key Cryptography–PKC 2015, pp. 236–255, Springer, 2015. [12] C. Peikert, “Public-key cryptosystems from the worst-case shortest vector problem,” in Proceed- [24] F. Wang, K. Wang, B. Li, and Y. Gao, “Lev- ings of the Forty-First Annual ACM Symposium eled strongly-unforgeable identity-based fully ho- on Theory of Computing, pp. 333–342, ACM, momorphic signatures,” in International Infor- 2009. mation Security Conference, pp. 42–60, Springer, 2015. [13] D. Cash, D. Hofheinz, E. Kiltz, and C. Peikert, “Bonsai trees, or how to delegate a lattice basis,” [25] D. Fiore, A. Mitrokotsa, L. Nizzardo, and Journal of Cryptology, vol. 25, no. 4, pp. 601–639, E. Pagnin, “Multi-key homomorphic authentica- 2012. tors,” in Advances in Cryptology–ASIACRYPT 2016: 22nd International Conference on the The- [14] X. Boyen, “Lattice mixing and vanishing trap- ory and Application of Cryptology and Informa- doors: A framework for fully secure short sig- tion Security, Part II, pp. 499–530, Springer, 2016. natures and more,” in Public Key Cryptography– PKC 2010, pp. 499–517, Springer, 2010.

6 Appendix A. Classiﬁcation of Lattice-based Trapdoor Functions

Scheme Used Type Features and Applications • Propose the definition of trapdoor function and collision-resistance property. • Lattice-based trapdoor functions based on SIS and LWE problem with the preimage GPV08 [10] Normal sampling algorithm • Applicable to any lattice-based signature schemes • Introduce the notion of chosen-output security for trapdoor functions Pei09 [12] Normal • Applicable to constructing a secure cryptosystem against chosen-ciphertext attack • Introduce a two-sided function which behaves differently for “firm” trapdoor and Boy10 [14] Normal “fickle” trapdoor • Applicable to a more practical signature scheme by mixing the lattice trapdoors AP11 [11] Normal • Propose the improved lattice-based trapdoor generation algorithm • Explain how to delegate lattice trapdoors using the extending basis technique CHKP12 [13] Normal • Applicable to constructing a signature scheme without random oracles and hierarchical ID-based encryption • Define ring trapdoor functions and give a concrete construction based on lattice BK10 [2] Normal • Applicable to constructing a ring signature • Introduce a new sampling algorithm to construct ring trapdoor function WS11 [15] Normal • Applicable to constructing a ring signature scheme in the random oracle model or to enhancing the security of a ring signature scheme in the standard model • Introduce a new notion of G-trapdoor and the tag of the trapdoor to get the simpler, more efficient, and smaller trapdoor MP12 [16] Normal • Propose new algorithms for inverting LWE, sampling SIS preimages, and securely delegating basis, with G-trapdoor • Applicable to getting a more efficient lattice-based cryptographic protocol • Propose general cryptographic primitives called lossy trapdoor functions and all- but-one (ABO) trapdoor functions PW11 [18] Lossy • Introduce the concrete construction of both lossy trapdoor functions and ABO trapdoor functions based on LWE problem • Introduce the notion of inner-product trapdoor functions and inner-product lossy XXZ12 [21] Lossy trapdoor functions to construct inner product encryption • Lossy/ABO trapdoor functions based on LWR problem AKPW13 [22] Lossy •Both l(λ)-entropic lossy trapdoor functions and l(λ)-entropic ABO trapdoor functions can be used to replace lossy trapdoor functions in PW11 [18] • Define the notion of homomorphic trapdoor function and its security requirements GVW15 [9] Homomorphic as HTDF security • Applicable to lattice-based levelled fully homomorphic signature scheme • Introduce puncturable homomorphic trapdoor function to construct a short signa- Alp15 [23] Homomorphic ture scheme by combining homomorphic trapdoor functions and lattice mixing and vanishing technique WWLG15 [24] Homomorphic • Construct an identity-based homomorphic trapdoor function • Define the multi-key authenticator and construct multi-key homomorphic signature FMLP16 [25] Homomorphic on lattices using homomorphic trapdoor functions

? Note that each scheme is identiﬁed with the authors’ initials (e.g. GPV) and the publication year (e.g. 08).