High-Speed Signatures from Standard Lattices

At CT-RSA 2014, Bai and Galbraith proposed a lattice-based signature scheme optimized for short signatures, with a security reduction to hard standard (non-ideal) lattice problems. In this work we first refine the security analysis of the original scheme and propose a new parameter set targeting 128-bit security, chosen for software efficiency. We also increase the acceptance probability of the signing algorithm through an improved rejection condition on the secret keys. Our software implementation, targeting Intel CPUs with AVX/AVX2 and ARM CPUs with NEON vector instructions, shows that high performance is achievable even without relying on ideal lattices. To this end we optimize the matrix-vector operations and several other aspects of the scheme, and finally compare our work with the state of the art.
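
The rejection steps the abstract refers to are easiest to see in code. The following toy Python implementation of a Bai-Galbraith-style scheme is an added example for this page, not the paper's software or parameter set: key generation rejects secret keys (S, E) whose rows would let a weight-h challenge push ||Sc|| or ||Ec|| above the fixed public bounds U and L, and signing is Fiat-Shamir with aborts, whose two abort checks determine the acceptance probability. The matrix A is a plain m x n matrix over Z_q, so the generic matrix-vector product is the operation an AVX2/NEON implementation has to optimize instead of a polynomial multiplication. The dimensions, the modulus, the centered-binomial sampler standing in for a discrete Gaussian, the SHAKE256-based challenge encoding and the particular key-rejection rule are all assumptions of this example; the sizes are toy-sized and give no security.

```python
# Toy Bai-Galbraith-style LWE signature; added illustration with assumed toy parameters, not the paper's code.
import hashlib
import random

Q = 12289   # modulus
N = 16      # columns of A; length of y, z and the challenge c (N divides 256)
M = 20      # rows of A; length of v and w
D = 10      # low-order bits dropped by the rounding function [.]_M
H = 5       # Hamming weight of the challenge c in {-1,0,1}^N
B = 1023    # masking vector y is uniform in [-B, B]^N
U = 14      # public bound on ||S c||_inf, enforced by key rejection
L = 14      # public bound on ||E c||_inf, enforced by key rejection

def make_rng(seed): return random.Random(seed)   # seedable RNG for reproducible runs

def cbd(rng, k=4):
    # centred binomial in [-k, k]; stands in for a discrete Gaussian sampler
    return sum(rng.getrandbits(1) - rng.getrandbits(1) for _ in range(k))

def cmod(x, mod):
    # centred representative of x modulo mod, in (-mod/2, mod/2]
    r = x % mod
    return r - mod if r > mod // 2 else r

def round_d(x):
    # [x]_M: strip the centred low D bits, then divide exactly by 2^D
    return (x - cmod(x, 1 << D)) >> D

def matvec(mat, vec, mod=None):
    # generic matrix-vector product: without ring structure this is the hot loop
    out = [sum(a * b for a, b in zip(row, vec)) for row in mat]
    return [x % mod for x in out] if mod else out

def row_bound(mat, h):
    # max over rows of the sum of the h largest |entries|: bounds ||mat c||_inf for weight-h c
    return max(sum(sorted((abs(e) for e in row), reverse=True)[:h]) for row in mat)

def challenge(rounded, msg):
    # c = H([w]_M, msg): weight-H vector in {-1,0,1}^N derived from SHAKE256
    data = b" ".join(str(v).encode() for v in rounded) + b"|" + msg
    stream = iter(hashlib.shake_256(data).digest(1024))
    c = [0] * N
    while sum(map(abs, c)) < H:
        pos, sgn = next(stream) % N, next(stream) & 1   # unbiased since N | 256
        if c[pos] == 0:
            c[pos] = 1 if sgn else -1
    return c

def keygen(rng):
    # pk = (A, T = A S + E mod Q); reject keys whose row bounds exceed the public U, L
    A = [[rng.randrange(Q) for _ in range(N)] for _ in range(M)]
    attempts = 0
    while True:
        attempts += 1
        S = [[cbd(rng) for _ in range(N)] for _ in range(N)]
        E = [[cbd(rng) for _ in range(N)] for _ in range(M)]
        if row_bound(S, H) <= U and row_bound(E, H) <= L:
            break
    s_cols = list(zip(*S))
    T = [[(sum(a * s for a, s in zip(ra, col)) + e) % Q for col, e in zip(s_cols, re)]
         for ra, re in zip(A, E)]
    return (A, T), (S, E), attempts

def sign_attempt(sk, pk, msg, y):
    # one Fiat-Shamir-with-aborts round: returns (z, c), or None on abort
    (S, E), (A, _) = sk, pk
    v = [cmod(x, Q) for x in matvec(A, y, Q)]
    c = challenge([round_d(x) for x in v], msg)
    z = [yi + si for yi, si in zip(y, matvec(S, c))]
    if max(map(abs, z)) > B - U:          # abort 1: z outside the S-independent box
        return None
    # abort 2: the verifier sees w = A z - T c = v - E c, so [w]_M must equal [v]_M
    w = [cmod(vi - ei, Q) for vi, ei in zip(v, matvec(E, c))]
    if any(abs(cmod(wi, 1 << D)) >= (1 << (D - 1)) - L or abs(wi) >= Q // 2 - L for wi in w):
        return None
    return z, c

def sign(sk, pk, msg, rng):
    attempts = 0
    while True:
        attempts += 1
        sig = sign_attempt(sk, pk, msg, [rng.randint(-B, B) for _ in range(N)])
        if sig is not None:
            return sig, attempts

def verify(pk, msg, sig):
    A, T = pk
    z, c = sig
    if len(z) != N or len(c) != N or max(map(abs, z)) > B - U:
        return False
    if any(x not in (-1, 0, 1) for x in c) or sum(map(abs, c)) != H:
        return False
    w = [cmod(a - t, Q) for a, t in zip(matvec(A, z, Q), matvec(T, c, Q))]
    return challenge([round_d(x) for x in w], msg) == c

def acceptance_rate(sk, pk, rng, trials=200):
    # fraction of single signing attempts that survive both abort checks
    ys = ([rng.randint(-B, B) for _ in range(N)] for _ in range(trials))
    return sum(sign_attempt(sk, pk, b"rate", y) is not None for y in ys) / trials
```

Calling keygen(make_rng(seed)), then sign and verify, exercises the whole cycle. The attempt count returned by keygen and the value of acceptance_rate show how often a key or a single signing attempt is rejected under these toy parameters. The verifier never sees v: it recomputes w = Az - Tc = v - Ec, which is why the second abort must guarantee that w and v round to the same value before the challenge is hashed; the first abort keeps z inside a box that does not depend on S, which is what stops signatures from leaking the secret.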
