TESLA: Tightly-Secure Efficient Signatures from Standard Lattices

Generally, lattice-based cryptographic primitives offer good performance and allow for strong security reductions. However, the most efficient current lattice-based signature schemes sacrifice (part of) their security to achieve good performance: first, their security is not based on the worst-case hardness of lattice problems; second, the security reductions of the most efficient schemes are non-tight, hence their parameter choices offer security merely heuristically. Moreover, lattice-based signature schemes are instantiated for classical adversaries, although they are based on presumably quantum-hard problems, so it is not known how such schemes perform in a post-quantum world. We bridge this gap by proving the lattice-based signature scheme TESLA to be tightly secure based on the learning with errors problem over lattices in the random-oracle model. As such, we improve the security of the original proposal by Bai and Galbraith (CT-RSA'14) twofold: we tighten the security reduction and we minimize the underlying security assumptions. Remarkably, by enhancing the security we can greatly improve TESLA's performance. Furthermore, we are the first to propose parameters providing a security of 128 bits against both classical and quantum adversaries for a lattice-based signature scheme. Our implementation of TESLA competes well with state-of-the-art lattice-based signatures and with SPHINCS (EUROCRYPT'15), the only signature scheme instantiated with quantum-hard parameters so far.
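To make concrete what the abstract means by a non-tight reduction leaving parameter choices heuristic, here is a worked bound. It is added here for illustration and is not taken from the TESLA paper; the loss factor $L$, the query budget $q_H$ and the forger's success probability used below are assumed values, not the paper's. Suppose a reduction turns any forger against the signature scheme with success probability $\varepsilon_{\mathrm{sig}}$, running time $t_{\mathrm{sig}}$ and $q_H$ random-oracle queries into an LWE solver with

$$\varepsilon_{\mathrm{LWE}} \;\ge\; \frac{\varepsilon_{\mathrm{sig}}}{L}, \qquad t_{\mathrm{LWE}} \;\approx\; t_{\mathrm{sig}},$$

for some loss factor $L$. If the LWE instance is believed to resist every solver with $t_{\mathrm{LWE}}/\varepsilon_{\mathrm{LWE}} \le 2^{\lambda_{\mathrm{LWE}}}$, then the security the proof actually guarantees for the scheme is

$$\lambda_{\mathrm{sig}} \;=\; \lambda_{\mathrm{LWE}} - \log_2 L .$$

A tight reduction has $L$ equal to a small constant, so 128-bit signature security follows from an LWE instance of about 128 bits. A forking-lemma reduction of the kind used for Fiat-Shamir-with-aborts schemes instead runs the forger twice and succeeds with probability roughly

$$\varepsilon_{\mathrm{LWE}} \;\gtrsim\; \frac{\varepsilon_{\mathrm{sig}}^{2}}{q_H}, \qquad t_{\mathrm{LWE}} \;\approx\; 2\, t_{\mathrm{sig}} .$$

With an assumed budget of $q_H = 2^{64}$ hash queries and a forger with $\varepsilon_{\mathrm{sig}} = 2^{-128}$ and unit time, this gives

$$\frac{t_{\mathrm{LWE}}}{\varepsilon_{\mathrm{LWE}}} \;\approx\; \frac{2 \cdot 2^{64}}{(2^{-128})^{2}} \;=\; 2^{321},$$

so the proof only excludes such forgers if the LWE instance is sized for about 321 bits rather than 128. Parameters are not chosen that way in practice: they are sized so that the underlying problem itself has 128-bit hardness, at which point the reduction no longer says anything about the scheme at that level. That is the "merely heuristic" security the abstract refers to, and it is why a tight proof lets TESLA derive its parameters directly from the LWE hardness estimate.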

[1] Martin R. Albrecht et al. On the concrete hardness of Learning with Errors, 2015, J. Math. Cryptol.

[2] Sanjeev Arora et al. New Algorithms for Learning in Presence of Errors, 2011, ICALP.

[3] Daniele Micciancio et al. Fast Lattice Point Enumeration with Minimal Overhead, 2015, SODA.

[4] Léo Ducas et al. Lattice Signatures and Bimodal Gaussians, 2013, IACR Cryptol. ePrint Arch.

[5] Chris Peikert et al. Public-key cryptosystems from the worst-case shortest vector problem: extended abstract, 2009, STOC '09.

[6] Hideki Imai et al. An Algorithm for Solving the LPN Problem and Its Application to Security Evaluation of the HB Protocols for RFID Authentication, 2006, INDOCRYPT.

[7] Tanja Lange et al. Flush, Gauss, and reload: a cache attack on the BLISS lattice-based signature scheme, 2016.

[8] Tanja Lange et al. High-Speed High-Security Signatures, 2011, CHES.

[9] Hugo Krawczyk et al. Chameleon Signatures, 2000, NDSS.

[10] Phong Q. Nguyen et al. BKZ 2.0: Better Lattice Security Estimates, 2011, ASIACRYPT.

[11] Vadim Lyubashevsky et al. Lattice Signatures Without Trapdoors, 2012, IACR Cryptol. ePrint Arch.

[12] Claus-Peter Schnorr et al. Lattice basis reduction: Improved practical algorithms and solving subset sum problems, 1991, FCT.

[13] Chris Peikert et al. On Ideal Lattices and Learning with Errors over Rings, 2010, JACM.

[14] Rachid El Bansarkhani et al. Improvement and Efficient Implementation of a Lattice-Based Signature Scheme, 2013, Selected Areas in Cryptography.

[15] Mihir Bellare et al. Random oracles are practical: a paradigm for designing efficient protocols, 1993, CCS '93.

[16] Daniele Micciancio. Lattice-Based Cryptography, 2011, Encyclopedia of Cryptography and Security.

[17] Michele Mosca et al. Finding shortest lattice vectors faster using quantum search, 2015, Designs, Codes and Cryptography.

[18] Jintai Ding et al. Rainbow, a New Multivariable Polynomial Signature Scheme, 2005, ACNS.

[19] Eike Kiltz et al. Tightly-Secure Signatures from Chameleon Hash Functions, 2015, Public Key Cryptography.

[20] Peter W. Shor et al. Polynomial-Time Algorithms for Prime Factorization and Discrete Logarithms on a Quantum Computer, 1995, SIAM Rev.

[21] Oded Regev et al. Lattice-Based Cryptography, 2006, CRYPTO.

[22] Craig Costello et al. Post-Quantum Key Exchange for the TLS Protocol from the Ring Learning with Errors Problem, 2015, IEEE Symposium on Security and Privacy.

[23] Vadim Lyubashevsky et al. Fiat-Shamir with Aborts: Applications to Lattice and Factoring-Based Signatures, 2009, ASIACRYPT.

[24] Thomas Johansson et al. Coded-BKW: Solving LWE Using Lattice Codes, 2015, CRYPTO.

[25] Jintai Ding et al. Authenticated Key Exchange from Ideal Lattices, 2015, EUROCRYPT.

[26] Léo Ducas et al. Ring-LWE in Polynomial Rings, 2012, IACR Cryptol. ePrint Arch.

[27] Chris Peikert et al. A Toolkit for Ring-LWE Cryptography, 2013, IACR Cryptol. ePrint Arch.

[28] Joseph H. Silverman et al. NTRU: A Ring-Based Public Key Cryptosystem, 1998, ANTS.

[29] Léo Ducas et al. Accelerating Bliss: the geometry of ternary polynomials, 2014, IACR Cryptol. ePrint Arch.

[30] Chen-Mou Cheng et al. SSE Implementation of Multivariate PKCs on Modern x86 CPUs, 2009, CHES.

[31] Martin R. Albrecht et al. On the complexity of the BKW algorithm on LWE, 2012, Des. Codes Cryptogr.

[32] David M'Raïhi et al. Computational Alternatives to Random Number Generators, 1998, Selected Areas in Cryptography.

[33] Craig Gentry et al. Trapdoors for hard lattices and new cryptographic constructions, 2008, IACR Cryptol. ePrint Arch.

[34] Jacques Stern et al. Security Proofs for Signature Schemes, 1996, EUROCRYPT.

[35] Mingjie Liu et al. Solving BDD by Enumeration: An Update, 2013, CT-RSA.

[36] Sanjit Chatterjee et al. Another Look at Tightness, 2011, IACR Cryptol. ePrint Arch.

[37] Peter Schwabe et al. SPHINCS: Practical Stateless Hash-Based Signatures, 2015, EUROCRYPT.

[38] Mihir Bellare et al. The Exact Security of Digital Signatures: How to Sign with RSA and Rabin, 1996, EUROCRYPT.

[39] Mark Zhandry et al. Random Oracles in a Quantum World, 2010, ASIACRYPT.

[40] László Babai. On Lovász' lattice reduction and the nearest lattice point problem, 1986, Comb.

[41] Martin R. Albrecht et al. On the Efficacy of Solving LWE by Reduction to Unique-SVP, 2013, ICISC.

[42] Erdem Alkim et al. Post-quantum Key Exchange: A New Hope, 2016, USENIX Security Symposium.

[43] Martin R. Albrecht et al. Lazy Modulus Switching for the BKW Algorithm on LWE, 2014, Public Key Cryptography.

[44] Chen-Mou Cheng et al. Extreme Enumeration on GPU and in Clouds: How Many Dollars You Need to Break SVP Challenges, 2011, CHES.

[45] Steven D. Galbraith. Space-efficient variants of cryptosystems based on learning with errors, 2012.

[46] Thijs Laarhoven et al. Faster Sieving for Shortest Lattice Vectors Using Spherical Locality-Sensitive Hashing, 2015, LATINCRYPT.

[47] Lov K. Grover. A fast quantum mechanical algorithm for database search, 1996, STOC '96.

[48] Pierre-Alain Fouque et al. An Improved BKW Algorithm for LWE with Applications to Cryptography and Lattices, 2015, IACR Cryptol. ePrint Arch.

[49] Craig Gentry et al. Candidate Multilinear Maps from Ideal Lattices, 2013, EUROCRYPT.

[50] David Cash et al. Bonsai Trees, or How to Delegate a Lattice Basis, 2010, Journal of Cryptology.

[51] Tommaso Gagliardoni et al. The Fiat-Shamir Transformation in a Quantum World, 2013, IACR Cryptol. ePrint Arch.

[52] Chris Peikert et al. Better Key Sizes (and Attacks) for LWE-Based Encryption, 2011, CT-RSA.

[53] Mark Zhandry et al. Secure Signatures and Chosen Ciphertext Security in a Quantum Computing World, 2013, CRYPTO.

[54] Daniele Micciancio et al. Worst-case to average-case reductions based on Gaussian measures, 2004, 45th Annual IEEE Symposium on Foundations of Computer Science.

[55] Tim Güneysu et al. Practical Lattice-Based Cryptography: A Signature Scheme for Embedded Systems, 2012, CHES.

[56] Daniele Micciancio et al. A Deterministic Single Exponential Time Algorithm for Most Lattice Problems based on Voronoi Cell Computations (Extended Abstract), 2009.

[57] Peter Schwabe et al. High-Speed Signatures from Standard Lattices, 2014, LATINCRYPT.

[58] P. Campbell et al. Soliloquy: A Cautionary Tale, 2014.

[59] Mark Zhandry et al. Secure Identity-Based Encryption in the Quantum Random Oracle Model, 2012, CRYPTO.

[60] Tanja Lange et al. Never Trust a Bunny, 2012, RFIDSec.

[61] Ravi Kumar et al. A sieve algorithm for the shortest lattice vector problem, 2001, STOC '01.

[62] Oded Regev et al. On lattices, learning with errors, random linear codes, and cryptography, 2009, JACM.

[63] Miklós Ajtai et al. Generating hard instances of lattice problems (extended abstract), 1996, STOC '96.

[64] Martin R. Albrecht et al. Algebraic algorithms for LWE problems, 2015, ACCA.

[65] Chris Peikert et al. How (Not) to Instantiate Ring-LWE, 2016, SCN.

[66] Daniele Micciancio et al. Improving Lattice Based Cryptosystems Using the Hermite Normal Form, 2001, CaLC.

[67] Tsuyoshi Takagi et al. Improved Progressive BKZ Algorithms and Their Precise Cost Estimation by Sharp Simulator, 2016, EUROCRYPT.

[68] Mark Zhandry et al. How to Construct Quantum Random Functions, 2012, IEEE 53rd Annual Symposium on Foundations of Computer Science.

[69] Mehdi Tibouchi et al. Tightly Secure Signatures From Lossy Identification Schemes, 2015, Journal of Cryptology.

[70] Alfred Menezes et al. Another Look at "Provable Security", 2005, Journal of Cryptology.

[71] Serge Vaudenay et al. Better Algorithms for LWE and LWR, 2015, EUROCRYPT.

[72] Jonathan Katz et al. Efficiency improvements for signature schemes with tight security reductions, 2003, CCS '03.

[73] Peter Schwabe et al. Software Speed Records for Lattice-Based Signatures, 2013, PQCrypto.

[74] Shi Bai et al. An Improved Compression Technique for Signatures Based on Learning with Errors, 2014, CT-RSA.

[75] David Cash et al. Fast Cryptographic Primitives and Circular-Secure Encryption Based on Hard Learning Problems, 2009, CRYPTO.

[76] Damien Stehlé et al. Classical hardness of learning with errors, 2013, STOC '13.

[77] Éric Levieil et al. An Improved LPN Algorithm, 2006, SCN.

[78] John Sullivan et al. Another Look at, 1979.