Secure Parameters for SWIFFT [chapter]

Johannes Buchmann, Richard Lindner
2009 Lecture Notes in Computer Science  
The SWIFFT compression functions, proposed by Lyubashevsky et al. at FSE 2008, are very efficient instantiations of generalized compact knapsacks for a specific set of parameters. They have the property that, asymptotically, finding collisions for a randomly chosen compression function implies being able to solve computationally hard ideal lattice problems in the worst-case. We present three results. First, we present new average-case problems, which may be used for all lattice schemes whose
more » ... urity is proven with the worst-case to average-case reduction in either general or ideal lattices. The new average-case problems require less description bits, resulting in improved keysize and speed for these schemes. Second, we propose a parameter generation algorithm for SWIFFT where the main parameter n can be any integer in the image of Euler's totient function, and not necessarily a power of 2 as before. Third, we give experimental evidence that finding pseudo-collisions 1 for SWIFFT is as hard as breaking a 68bit symmetric cipher according to the well-known heuristic by Lenstra and Verheul. We also recommend conservative parameters corresponding to a 127-bit symmetric cipher.
doi:10.1007/978-3-642-10628-6_1 fatcat:goeut3y7vfbblgjpmcdznugqn4