
An Efficient Lattice-Based Signature Scheme with Provably Secure Instantiation

  • Conference paper
Progress in Cryptology – AFRICACRYPT 2016 (AFRICACRYPT 2016)

Part of the book series: Lecture Notes in Computer Science (LNSC, volume 9646)


Abstract

In view of the expected progress in cryptanalysis it is important to find alternatives for currently used signature schemes such as RSA and ECDSA. The most promising lattice-based signature schemes to replace them are BLISS (CRYPTO 2013) and GLP (CHES 2012). Both come with a security reduction from a lattice problem and have high performance. However, their parameters are not chosen according to the security reduction they provide, i.e., the instantiation is not provably secure. In this paper, we present the first lattice-based signature scheme with good performance when instantiated in a provably secure way. To this end, we provide a tight security reduction for the new scheme from the ring learning with errors problem, which allows for provably secure and efficient instantiations. We present experimental results obtained from a software implementation of our scheme. They show that our scheme, when instantiated in a provably secure way, performs comparably with BLISS and the GLP scheme.


Notes

  1. Sometimes benchmarks are given as the median instead of the average value. Due to the rejection sampling, taking the median value of our experiments would be overly optimistic for \(\mathsf {Sign}\).

  2. bliss.di.ens.fr.


Acknowledgment

This work has been co-funded by the DFG as part of projects P1 and P2 within the CRC 1119 CROSSING.

Author information


Correspondence to Sedat Akleylek or Nina Bindel.


A Extended Definitions and Security Notions


A.1 Syntax, Functionality, and Security of Signature Schemes

A signature scheme with key space \(\mathcal {K}\), message space \(\mathcal {M}\), and signature space \(\mathcal {S}\), is a tuple \(\varSigma = (\mathsf {KeyGen},\mathsf {Sign},\mathsf {Verify})\) of algorithms defined as follows.

  • The (probabilistic) key generation algorithm on input the security parameter \(1^\lambda \) returns a key pair \((\mathsf {sk},\mathsf {pk})\in \mathcal {K}\). We write \((\mathsf {sk},\mathsf {pk})\leftarrow \mathsf {KeyGen}(1^\lambda )\) and call \(\mathsf {sk} \) the secret or signing key and \(\mathsf {pk} \) the public or verification key.

  • The (probabilistic) signing algorithm takes as input a signing key \(\mathsf {sk} \), a message \(\mu \in \mathcal {M}\), and outputs a signature \(\sigma \in \mathcal {S}\). We write \(\sigma \leftarrow \mathsf {Sign}(\mathsf {sk},\mu )\).

  • The verification algorithm, on input a verification key \(\mathsf {pk} \), a message \(\mu \in \mathcal {M}\), and a signature \(\sigma \in \mathcal {S}\), returns a bit b: if \(b = 1\) we say that the algorithm accepts, otherwise we say that it rejects. We write \(b \leftarrow \mathsf {Verify}(\mathsf {pk},\mu ,\sigma )\).

We require (perfect) correctness of the signature scheme: for every security parameter \(\lambda \), every choice of the randomness of the probabilistic algorithms, every key pair \((\mathsf {sk},\mathsf {pk})\leftarrow \mathsf {KeyGen}(1^\lambda )\), every message \(\mu \in \mathcal {M}\), and every signature \(\sigma \leftarrow \mathsf {Sign}(\mathsf {sk},\mu )\), \(\mathsf {Verify}(\mathsf {pk},\mu ,\sigma ) = 1\) holds.

Fig. 3. [figure not reproduced] Security experiment of unforgeability under chosen-message attack for an adversary \(\mathcal {A}\) against a signature scheme \(\varSigma = (\mathsf {KeyGen},\mathsf {Sign},\mathsf {Verify})\) in the random oracle model (i.e., all parties including \(\mathcal {A}\) have access to a public function H with uniformly distributed output).

We target the standard security requirement for signature schemes, namely unforgeability under chosen-message attack (\(\mathsf {ufcma}\)). The corresponding experiment involving an adversary \(\mathcal {A}\) against a signature scheme \(\varSigma \) is depicted in Fig. 3. Since we prove security of the scheme presented in Sect. 3 in the random oracle model, we reproduce a corresponding \(\mathsf {ufcma}\) experiment which grants \(\mathcal {A}\) access to a random oracle H. Given the experiment, we say that a signature scheme \(\varSigma \) is \((t,q_s,q_h,\epsilon )\)-unforgeable under chosen-message attack if every adversary \(\mathcal {A}\) which runs in time t and poses at most \(q_s\) queries to the signing oracle and \(q_h\) queries to the random oracle has advantage

$$\begin{aligned} \text {Adv}^{\mathsf {ufcma}}_{\varSigma }(\mathcal {A}) = \Pr \left[ \mathrm {Expt}^{\mathsf {ufcma}}_{\varSigma ,\mathcal {A}} = 1 \right] \le \epsilon . \end{aligned}$$
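The syntax above (\(\mathsf {KeyGen}\), \(\mathsf {Sign}\), \(\mathsf {Verify}\) with perfect correctness) and the \(\mathsf {ufcma}\) experiment of Fig. 3, written out as an added Python example; this is not code from the paper or from the authors' implementation. The scheme plugged into the experiment is a constructed stand-in (a Lamport-style one-time signature over a 16-bit digest, chosen only because it is short and runs on the standard library; it is in no way a lattice scheme and the digest is far too small for real use), the random oracle H is modelled by lazy sampling, and every name and parameter below is an assumption of this example. The two adversaries illustrate what the experiment measures: a replayed signature on an already-queried message scores 0, while a scheme that is only one-time secure loses once \(q_s = 2\) queries are allowed.

```python
import secrets
from typing import Callable, Dict, List, Tuple

DIGEST_BITS = 16   # constructed toy digest length; a real scheme hashes to >= 256 bits
SEED_BYTES = 16

class RandomOracle:
    """H of Fig. 3: a public function with uniformly distributed output,
    modelled by lazy sampling. All parties (KeyGen, Sign, Verify, adversary)
    share one instance, so signer and verifier see a consistent H."""
    def __init__(self) -> None:
        self.table: Dict[bytes, bytes] = {}
    def __call__(self, x: bytes) -> bytes:
        if x not in self.table:
            self.table[x] = secrets.token_bytes(SEED_BYTES)
        return self.table[x]

def digest_bits(H: RandomOracle, mu: bytes) -> List[int]:
    """Hash-and-sign: reduce the message to DIGEST_BITS bits of H output (domain-separated)."""
    d = int.from_bytes(H(b"msg|" + mu), "big")
    return [(d >> i) & 1 for i in range(DIGEST_BITS)]

# --- stand-in scheme Sigma = (KeyGen, Sign, Verify): Lamport-style one-time signature ---
def keygen(H: RandomOracle) -> Tuple[list, list]:
    """sk: one secret seed per (bit position, bit value); pk: their H-images."""
    sk = [(secrets.token_bytes(SEED_BYTES), secrets.token_bytes(SEED_BYTES)) for _ in range(DIGEST_BITS)]
    pk = [(H(b"pk|" + s0), H(b"pk|" + s1)) for s0, s1 in sk]
    return sk, pk

def sign(H: RandomOracle, sk: list, mu: bytes) -> list:
    """sigma reveals, for each digest bit, the seed matching that bit."""
    return [sk[i][b] for i, b in enumerate(digest_bits(H, mu))]

def verify(H: RandomOracle, pk: list, mu: bytes, sigma: list) -> int:
    """Returns the bit b of the definition: 1 = accept, 0 = reject."""
    if len(sigma) != DIGEST_BITS:
        return 0
    bits = digest_bits(H, mu)
    return int(all(H(b"pk|" + sigma[i]) == pk[i][bits[i]] for i in range(DIGEST_BITS)))

def check_correctness(H: RandomOracle, trials: int = 50) -> bool:
    """Perfect correctness: Verify(pk, mu, Sign(sk, mu)) = 1 for fresh keys and messages."""
    for _ in range(trials):
        sk, pk = keygen(H)
        mu = secrets.token_bytes(8)
        if verify(H, pk, mu, sign(H, sk, mu)) != 1:
            return False
    return True

# --- the ufcma experiment of Fig. 3 ---
Adversary = Callable[[list, Callable[[bytes], list], RandomOracle], Tuple[bytes, list]]

def expt_ufcma(H: RandomOracle, adversary: Adversary, q_s: int) -> int:
    """Expt^{ufcma}: 1 iff A outputs a valid signature on a message never sent to the signing oracle."""
    sk, pk = keygen(H)
    queried: set = set()
    calls = [0]
    def sign_oracle(mu: bytes) -> list:
        calls[0] += 1
        if calls[0] > q_s:                      # enforce the q_s bound of the definition
            raise RuntimeError("signing-query budget q_s exhausted")
        queried.add(mu)
        return sign(H, sk, mu)
    mu_star, sigma_star = adversary(pk, sign_oracle, H)
    if mu_star in queried:                      # freshness condition: replays never count
        return 0
    return verify(H, pk, mu_star, sigma_star)

def replay_adversary(pk: list, sign_oracle, H: RandomOracle) -> Tuple[bytes, list]:
    """Hands back a signature it legitimately obtained: valid, but not a forgery."""
    mu = b"invoice-001"
    return mu, sign_oracle(mu)

def two_query_adversary(pk: list, sign_oracle, H: RandomOracle) -> Tuple[bytes, list]:
    """With q_s = 2 the one-time stand-in leaks enough seeds to sign a third, fresh message."""
    mu0 = b"invoice-001"
    bits0 = digest_bits(H, mu0)
    for n in range(1, 1 << 20):                 # second message with a digest far from the first
        mu1 = b"invoice-%d" % n
        bits1 = digest_bits(H, mu1)
        if sum(a != b for a, b in zip(bits0, bits1)) >= 12:
            break
    sig0, sig1 = sign_oracle(mu0), sign_oracle(mu1)
    known = [{bits0[i]: sig0[i], bits1[i]: sig1[i]} for i in range(DIGEST_BITS)]
    for n in range(1 << 20, 1 << 21):           # fresh message whose digest uses only revealed seeds
        mu = b"invoice-%d" % n
        bits = digest_bits(H, mu)
        if all(bits[i] in known[i] for i in range(DIGEST_BITS)):
            return mu, [known[i][bits[i]] for i in range(DIGEST_BITS)]
    return mu0, sig0                            # search failed (negligible probability): no forgery
```

Run `expt_ufcma(RandomOracle(), replay_adversary, q_s=1)` to see the freshness condition return 0, and `expt_ufcma(RandomOracle(), two_query_adversary, q_s=2)` to see the experiment return 1 against the stand-in. This is exactly why the definition is parameterised by \((t,q_s,q_h,\epsilon )\) rather than by a single bit: the same scheme is unforgeable for \(q_s = 1\) and broken for \(q_s = 2\), and the random-oracle queries the adversary spends searching for messages are what \(q_h\) bounds.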


Copyright information

© 2016 Springer International Publishing Switzerland


Cite this paper

Akleylek, S., Bindel, N., Buchmann, J., Krämer, J., Marson, G.A. (2016). An Efficient Lattice-Based Signature Scheme with Provably Secure Instantiation. In: Pointcheval, D., Nitaj, A., Rachidi, T. (eds) Progress in Cryptology – AFRICACRYPT 2016. AFRICACRYPT 2016. Lecture Notes in Computer Science(), vol 9646. Springer, Cham. https://doi.org/10.1007/978-3-319-31517-1_3


  • DOI: https://doi.org/10.1007/978-3-319-31517-1_3


  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-319-31516-4

  • Online ISBN: 978-3-319-31517-1

  • eBook Packages: Computer Science, Computer Science (R0)
