Practical provably-secure authenticated encryption schemes using lattice-based pseudorandom function SPRING

Lattice-based cryptography has received significant attention from security practitioners in the past decade. It exhibits attractive properties, including being a major post-quantum cryptography candidate, enjoying worst-case to average-case security reductions, and being supported by efficient implementations. In this paper, we propose three practical lattice-based Authenticated Encryption (AE) schemes. These schemes are provably secure assuming hardness of basic lattice problems. The proposed schemes have remarkable motivations and advantages over widely-used AEs as follows. These schemes are alternatives to current conventional and post-quantum AE schemes in the post-quantum era. Moreover, composing the proposed AEs with a lattice-based asymmetric key distribution scheme results in a hybrid encryption, which depends only on one (type of) security assumption. The implementation of such hybrid encryption can make use of specic optimizations regarding, e.g., code size in software, and gate equivalent or FPGA area usage in hardware. That is because the symmetric and asymmetric algorithms have some common primitive computations. To evaluate the performance of the proposed AEs, we implement them on current Intel CPUs and benchmark them to encrypt messages of various sizes. The most efficient proposed scheme is only 12% slower than AES-256-GCM for 40-byte messages on Sandy Bridge, and 34% faster for 1500-byte messages.