Asymptotically Efficient Lattice-Based Digital Signatures

We present a general framework that converts certain types of linear collision-resistant hash functions into one-time signatures. Our generic construction can be instantiated based on both general and ideal (e.g., cyclic) lattices, and the resulting signature schemes are provably secure based on the worst-case hardness of approximating the shortest vector (and other standard lattice problems) in the corresponding class of lattices to within a polynomial factor. When instantiated with ideal lattices, the time complexity of the signing and verification algorithms, as well as key and signature size, is almost linear (up to poly-logarithmic factors) in the dimension n of the underlying lattice. Since no sub-exponential (in n) time algorithm is known to solve lattice problems in the worst case, even when restricted to ideal lattices, our construction gives a digital signature scheme with an essentially optimal performance/security trade-off.
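As an added illustration (not code from the paper, which works over rings with much larger parameters and a different message encoding), the following toy shows the principle the abstract describes: a linear SIS-style hash h(x) = A·x mod q turns into a one-time signature whose secret key is two short vectors k and l, whose public key is (h(k), h(l)), whose signature on a small message m is s = k·m + l over the integers, and whose verifier uses linearity, h(k·m + l) = m·h(k) + h(l), together with a shortness check on s. The modulus, dimensions, bounds and the scalar message space below are constructed assumptions chosen only for readability.

```python
import random

# Constructed toy parameters (not the paper's); far too small to be secure.
Q, N, M = 257, 4, 8          # modulus, hash output length, hash input length
MSG_MAX = 16                 # messages are integers 0..15, standing in for the small "m"
K_BOUND, L_BOUND = 1, 32     # entry ranges of the two secret vectors
SIG_BOUND = K_BOUND * (MSG_MAX - 1) + L_BOUND   # honest signatures never exceed this

def hash_linear(A, x):
    """SIS-style hash h_A(x) = A*x mod Q. It is linear in x, which the signature relies on."""
    return [sum(a * xi for a, xi in zip(row, x)) % Q for row in A]

def keygen(rng):
    A = [[rng.randrange(Q) for _ in range(M)] for _ in range(N)]
    k = [0] * M
    while not any(k):        # a zero k would make every message verify; resample
        k = [rng.randint(-K_BOUND, K_BOUND) for _ in range(M)]
    l = [rng.randint(-L_BOUND, L_BOUND) for _ in range(M)]
    pk = (A, hash_linear(A, k), hash_linear(A, l))
    return pk, (k, l)

def sign(sk, msg):
    k, l = sk
    # s = k*msg + l computed over the integers (no reduction mod Q), so s stays short
    return [ki * msg + li for ki, li in zip(k, l)]

def verify(pk, msg, s):
    A, hk, hl = pk
    # The shortness check is essential: adding multiples of Q to s leaves h(s) unchanged,
    # so without it anyone could pass the algebraic test below.
    if not 0 <= msg < MSG_MAX or max(abs(v) for v in s) > SIG_BOUND:
        return False
    expected = [(hk_i * msg + hl_i) % Q for hk_i, hl_i in zip(hk, hl)]
    return hash_linear(A, s) == expected

def demo():
    """Returns (honest verifies, same signature on another message, unreduced forgery)."""
    rng = random.Random(1)   # fixed seed so the run is reproducible
    pk, sk = keygen(rng)
    s = sign(sk, 7)
    forged = list(s)
    forged[0] += Q           # same hash mod Q, but no longer short
    return verify(pk, 7, s), verify(pk, 8, s), verify(pk, 7, forged)
```

Signing two different messages under one key reveals k as (s1 - s2)/(m1 - m2) and then l, which is why this is strictly a one-time scheme.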
