Asymptotically Efficient Lattice-Based Digital Signatures

We give a direct construction of digital signatures based on the complexity of approximating the shortest vector in ideal (e.g., cyclic) lattices. The construction is provably secure based on the worst-case hardness of approximating the shortest vector in such lattices within a polynomial factor, and it is also asymptotically efficient: the time complexity of the signing and verification algorithms, as well as the key and signature sizes, is almost linear (up to poly-logarithmic factors) in the dimension n of the underlying lattice. Since no sub-exponential (in n) time algorithm is known to solve lattice problems in the worst case, even when restricted to cyclic lattices, our construction gives a digital signature scheme with an essentially optimal performance/security trade-off.
