Microsoft Research India Workshop on

Lattice-Based Cryptography

December 1, 2013


Lattice-based cryptography revolutionized the field of cryptography with fundamental theoretical breakthroughs and potentially transformative applications. This workshop will include lectures on state of the art in lattice-based cryptography by eminent researchers. Topics that will be covered include algorithmic/complexity foundations of lattices, constructions such as fully homomorphic encryption, functional encryption, hashing, and signature schemes using hard problems on lattices, and cryptanalytic attacks using algorithms on lattices. These lectures will be useful to researchers in cryptography at all stages who wish to advance their knowledge of lattice based cryptography.

Invited Speakers

Detailed program will be available on this web site soon.

Time and Place

This workshop will take place in the MSR India building (VIGYAN, #9 Lavelle Road) from 9 AM to 6 PM on December 1, 2013. MSR India is just a few minutes (by walk) away from the conference hotel of Asiacrypt 2013.


Registration for the workshop is free but required. Please register by sending e-mail to with your name, position, affiliation, and whether you are registered for Asiacrypt 2013.  Due to limited space, registered participants of Asiacrypt will be given priority. Lunch and coffee/tea/snacks will be served at the venue during the day.


9:00 – 10:00

Damien Stehlé, École Normale Supérieure de Lyon, France
An Overview of Lattice Algorithms

10:00 – 11:00

Nadia Heninger, University of Pennsylvania, U S A
Approximate Common Divisors via Lattices

11:00 – 11:30


11:30 – 12:30

Alon Rosen, The Interdisciplinary Center, Herzliya, Israel
The Learning with Rounding Problem

12:30 – 2:00


2:00 – 3:00

Vadim Lyubashevsky, École Normale Supérieure, Paris, France
Practical Digital Signatures from Lattices

3:00 – 4:00

Shweta Agrawal, Indian Institute of Technology, Delhi
Building Functional Encryption from Learning With Errors

4:00 – 4:30


4:30 – 5:30

Sanjam Garg, IBM Research, U S A
Candidate Multilinear Maps


Damien Stehlé
École Normale Supérieure de Lyon, France
Title: An overview of lattice reduction algorithms
Abstract : The best generic tool currently known for attacking lattice-based cryptographic primitives is lattice reduction. Lattice reduction is a representation
paradigm: it consists in finding a representation (a basis) of a given lattice that provides easier access to intrinsic properties of that lattice.

In this talk, I  will give an overview of the state of the art in lattice reduction algorithms. I will also describe how lattice reduction may be used to solve standard problems from lattice-based cryptography, namely, the Learning With Errors (LWE) and Small Integer Solution (SIS) problems.

Nadia Heninger
University of Pennsylvania, U S A
Title: Approximate Common Divisors via Lattices
Abstract: Coppersmith's technique using lattices to find small roots of polynomial equations (and Howgrave-Graham's extension to solving equations modulo divisors) have produced many fascinating results, particularly in the cryptanalysis of RSA: low public exponent padding vulnerabilities, low public exponent vulnerabilities, and efficient key recovery from partial information.  In this talk, I will discuss generalizations of these results and their applications.  Extending these results to multivariate equations informs our understanding of fully homomorphic encryption schemes over the integers.  The extension to rings of integers over number fields informs our understanding of learning with errors over ideals.  And finally, the analogue of these results for polynomial rings turns out to give new efficient decoding algorithms for decoding families of error-correcting codes, including Reed-Solomon codes, Parvaresh-Vardy codes, and algebraic geometry codes.

Joint work with Henry Cohn.

Alon Rosen
The Interdisciplinary Center, Herzliya, Israel
Title: The Learning with Rounding Problem
Abstract: In this talk I will survey a recently introduced cryptographic problem called Learning with Rounding (LWR). I will show reductions from and to the more well-established Learning with Errors (LWE) problem, and demonstrate the applicability of LWR to the construction of efficient Pseudorandom Functions and other cryptographic primitives.

Vadim Lyubashevsky
École Normale Supérieure, Paris, France
Title: Practical Digital Signatures from Lattices
Recent work has solidly established lattice-based signatures as a viable replacement for number-theoretic schemes should quantum computing come into fruition.  In fact, the current lattice-based schemes have key and signature sizes comparable to RSA while being an order of magnitude faster.  The main focus of this talk will be presenting the main ideas behind the latest results in this area.  In addition to the high level intuition, I will try to motivate the many employed optimizations, such as having an NTRU-like public key and sampling from a bimodal Gaussian distribution.

Most of the talk will be based on the papers "Lattice Signatures without Trapdoors" and "Lattice Signatures and Bimodal Gaussians".  The latter is joint work with Leo Ducas, Alain Durmus, and Tancrede Lepoint.

Shweta Agrawal
Indian Institute of Technology, Delhi

Title: Building Functional Encryption from Learning With Errors.
Abstract : Recent times have seen fantastic advances in the general area of "computing on encrypted data". Of particular importance, is the fast-growing area of functional encryption (FE). Functional encryption is a generalization of public key encryption which allows tremendous flexibility and control in learning information from encrypted data. In functional encryption, a user's secret key corresponds to some function f, denoted by SK_f. The ciphertext corresponds to some input x chosen from the domain of f. Given SK_f and ciphertext CT_x, the user may run the decryption procedure to learn f(x). Security of the system guarantees that nothing beyond f(x) can be learned from CT_x and SK_f.

We will study how lattices can be used for the construction of functional encryption schemes. Of special interest to us will be the "learning with errors" (LWE) assumption, which enjoys strong worst case guarantees that makes it very desirable for the construction of cryptographic primitives. We will review known constructions of functional encryption from LWE, including FE for point functions or "identity based encryption", FE for linear functions or "inner product" encryption" and FE for more general circuits or "attribute based encryption for circuits". We will also discuss some open problems in this fast growing area.

Sanjam Garg
IBM Research, U S A

Title: "Candidate Multilinear Maps"
I will describe plausible lattice-based constructions with properties that approximate the sought-after multilinear maps in hard-discrete-logarithm groups.  These new constructions radically enhance our tool set and open a floodgate of  applications. I will present some of these applications.  

(joint work with Craig Gentry and Shai Halevi)


Satya Lokam (Microsoft Research India) and Vinod Vaikuntanathan (MIT and U. Toronto)

This workshop is supported by Microsoft Research and National Mathematics Initiative at IISc, Banaglore.  
Microsoft Research NMI