Citation Context

...f DSS, such that someday the security and efficiency issues of NTRUSign may be amended.s2.2 Hash-and-sign signaturessDSSs based on the hash-and-sign paradigm follow seminal work by Diffie and Hellman =-=[30]-=-. The concept followssthe criterion that a message, μ, should be hashed before being signed. That is, to sign a message, first hash μ tossome point h = H(μ), which must be in the range of the trapdoor...

Citation Context

...it is signed σ =sf -1 (h) and a verification algorithm checks that f(σ) =sH(μ) to confirm whether (σ,μ) is a valid message/signature pair. This theory became the foundation for full-domainshash (FDH) =-=[31]-=-, with the hash function H() being modelled on a random oracle. Where f is a trapdoorspermutation, the scheme is shown to be existentially unforgeable under a chosen-message attack. The relationslatt...

Citation Context

...With the onset of quantum computers ever looming, the computational power it could provide would causesinstant insecurity to many of today’s universally used cryptographic schemes by virtue of Shor’s =-=[1]-=- algorithm.sSpecifically, schemes based on the discrete-logarithm problem or number-theoretic hard problems, whichssubsume almost all public-key encryption schemes used on the Internet, including elli...

Citation Context

...this stage more efficient could result in significant improvements overall. As lattice-basedsDSSs become more practical and publicly available, further attack vectors like side-channel analysis (SCA) =-=[53]-=- havesto be considered. Timing and fault injection attacks, power, electro-magnetic analysis and advanced machineslearning-based attacks are serious threats to many real-world implementations. Recent ...

Citation Context

... Fiat-Shamir SignaturessAn alternative way of constructing a DSS is to first build an identification scheme of a certain form, then convertingsit into a DSS by means of the Fiat-Shamir transformation =-=[35, 36]-=-. Lattice-based signature schemes which use thesFiat-Shamir transformation are mainly due to research by Lyubashevsky et al. [14, 37-41]. The procedures in thesfirst publication by Lyubashevsky [37] a...

Citation Context

...schemessbegin to replace current public-key cryptography and their integration into practical applications needs to besexplored. For example, ECC was proposed independently by Miller [19] and Koblitz =-=[20]-=- in 1986/1987, but it tooks20 years until it appeared in actual security systems. Even with relatively little cryptanalysis and low confidence insparameters sets, the most critical issue to date with ...

Citation Context

...ice-based crypto schemessbegin to replace current public-key cryptography and their integration into practical applications needs to besexplored. For example, ECC was proposed independently by Miller =-=[19]-=- and Koblitz [20] in 1986/1987, but it tooks20 years until it appeared in actual security systems. Even with relatively little cryptanalysis and low confidence insparameters sets, the most critical is...

Citation Context

...earch field. As a result,sconcepts such as functional encryption [4], identity-based encryption [5, 6], attribute-based encryption [7], groupssignature schemes [8-10] and fully homomorphic encryption =-=[11, 12]-=- have been developed. On the practical front,ssome constructions of public-key encryption schemes and digital signature schemes based on lattice problems aresnow more practical than traditional scheme...

Citation Context

...schemes. Computational problems that exist within the lattice environment, such as finding thesshortest vector (SVP) or finding the closest vector (CVP) are thought to be immune to quantum reductions =-=[2,3]-=-swhich imply its conjectured intractability. Such properties show promise, with regards to security andspracticability, for replacing current encryption schemes that would be susceptible to attacks in...

Citation Context

...earch field. As a result,sconcepts such as functional encryption [4], identity-based encryption [5, 6], attribute-based encryption [7], groupssignature schemes [8-10] and fully homomorphic encryption =-=[11, 12]-=- have been developed. On the practical front,ssome constructions of public-key encryption schemes and digital signature schemes based on lattice problems aresnow more practical than traditional scheme...

Citation Context

...attice problems generally fall into three categories: 1) GGH/NTRUSign signatures;s2) Hash-and-sign signatures; and 3) Fiat- Shamir signatures.s2.1 GGH/NTRUSign signaturessThe GGH [21] and NTRUEncrypt =-=[22]-=- cryptosystems were among the first shown to be based on the hardness ofslattice problems, specifically based on solving the approximate closest vector problem. The difference betweensthese schemes is...

Citation Context

...ttack. The relationslattices have to hash-and-sign signatures is the intuition that a short basis for a lattice could provide such astrapdoor function. This led to the first proposal by Gentry et al. =-=[32]-=- (GPV), showing a DSS based on the hardness ofslattice problems. Central to the scheme is the construction of trapdoor functions with the necessary property thatsevery output value has several preimag...

Citation Context

... on the hardness of lattice problems generally fall into three categories: 1) GGH/NTRUSign signatures;s2) Hash-and-sign signatures; and 3) Fiat- Shamir signatures.s2.1 GGH/NTRUSign signaturessThe GGH =-=[21]-=- and NTRUEncrypt [22] cryptosystems were among the first shown to be based on the hardness ofslattice problems, specifically based on solving the approximate closest vector problem. The difference bet...

Citation Context

...ugh thesrobustness of this hardness assumption, in comparison to general lattices, has not been explicitly proven, it issgenerally considered that most problems still remain hard using ideal lattices =-=[17, 18]-=-. Additionally, using idealslattices offers a significant speed-up and reduction in key sizes for almost all cryptographic protocols, in particular,sin encryption schemes and digital signatures. Howev...

Citation Context

...sceptible to attacks in a post-quantumsworld.sIn recent years there has been a tremendous growth in lattice-based cryptography as a research field. As a result,sconcepts such as functional encryption =-=[4]-=-, identity-based encryption [5, 6], attribute-based encryption [7], groupssignature schemes [8-10] and fully homomorphic encryption [11, 12] have been developed. On the practical front,ssome construct...

Citation Context

...schemes. Computational problems that exist within the lattice environment, such as finding thesshortest vector (SVP) or finding the closest vector (CVP) are thought to be immune to quantum reductions =-=[2,3]-=-swhich imply its conjectured intractability. Such properties show promise, with regards to security andspracticability, for replacing current encryption schemes that would be susceptible to attacks in...

Citation Context

...scheme by Micciancio and Peikert [33] also adopts hash-and-sign, introducing a more efficientstrapdoor than the one used in GPV. Improvements to the key generation were also made by Alwen and Peikerts=-=[34]-=-.s2.3 Fiat-Shamir SignaturessAn alternative way of constructing a DSS is to first build an identification scheme of a certain form, then convertingsit into a DSS by means of the Fiat-Shamir transforma...

Citation Context

...nctions with the necessary property thatsevery output value has several preimages, the Gaussian sampling algorithm and also the use of modular lattices. Asmore recent scheme by Micciancio and Peikert =-=[33]-=- also adopts hash-and-sign, introducing a more efficientstrapdoor than the one used in GPV. Improvements to the key generation were also made by Alwen and Peikerts[34].s2.3 Fiat-Shamir SignaturessAn a...

Citation Context

... furthermore finding a collision in a randomly chosen h H is equivalent to finding short vectors in aslattice over R, that is, the ring-SIS problem.sThe subsequent improvements made by Lyubashevsky =-=[38]-=- (LYU) were twofold. The most significant change is thatsof the hardness assumption used, adapting from ring-SIS to ring-LWE, which is shown to significantly decrease thessizes of the signature and th...

Citation Context

... Fiat-Shamir SignaturessAn alternative way of constructing a DSS is to first build an identification scheme of a certain form, then convertingsit into a DSS by means of the Fiat-Shamir transformation =-=[35, 36]-=-. Lattice-based signature schemes which use thesFiat-Shamir transformation are mainly due to research by Lyubashevsky et al. [14, 37-41]. The procedures in thesfirst publication by Lyubashevsky [37] a...

Citation Context

...ro-magnetic analysis and advanced machineslearning-based attacks are serious threats to many real-world implementations. Recent work has shown that SCAsattacks are applicable in real-world situations =-=[54]-=-. There has been very little research conducted on thesvulnerabilities of lattice-based cryptographic implementations to physical attacks. It is anticipated that there maysbe a particular vulnerabilit...

Citation Context

...rssecurity level, and with the added properties of consuming less resources and greater adaptability for scaling. Withsregards to digital signature schemes, the two most notable are by Güneysu et al. =-=[14]-=- and Pöppelmann et al. [15]swith the former implementation resulting in a 1.5x speed improvement compared to an equivalent RSA design,sand the latter scheme being faster, consuming less resources, nee...

Citation Context

...tosystemsincluded a DSS, in turn forming the basis of NTRUSign [23] which combined almost the entire design of GGH butsuses the NTRU lattices employed in NTRUEncrypt. The predecessor to NTRUSign, NSS =-=[24]-=-, was broken by Gentryset al. [25, 26] and incidently NTRUSign suffered the same fate with works by Nguyen and Regev [27], which showssexperimental results recovering the secret-key with 400 signature...

Citation Context

...own to besstrongly unforgeable and is based on the worst-case hardness of finding short vectors in a lattice.sThe current state-of-the-art in lattice-based DSSs is the proposed scheme by Ducas et al. =-=[41]-=- named BLISS. Thesmain contribution of this work is the significant improvement in the rejection sampling stage. As a consequence,sthis scheme presents an important bridge between theoretical and prac...

Citation Context

...e has been a tremendous growth in lattice-based cryptography as a research field. As a result,sconcepts such as functional encryption [4], identity-based encryption [5, 6], attribute-based encryption =-=[7]-=-, groupssignature schemes [8-10] and fully homomorphic encryption [11, 12] have been developed. On the practical front,ssome constructions of public-key encryption schemes and digital signature scheme...

Citation Context

...for implementations on both large and lightweight devices. Another modulespertaining to one of the more computationally expensive in hardware is the Gaussian sampling stage.sDwarakanath and Galbraith =-=[51]-=- and Roy et al. [52] look into different approaches to efficiently compute such asstage for constrained devices. As shown by [15] and [46] the CDT approach is best suited for larger devices withsthe B...

Citation Context

... slow rejection sampling and relies on the NTL librarysfor basic arithmetic. For GPV [32], initial outputs and key sizes were many megabits long and even withsimprovements by Bansarkhani and Buchmann =-=[45]-=-, signature and key sizes are still large in practice, around 250 kbsfor security of around 100-bits. With the improvements proposed by Micciancio and Peikert [33], their schemesalleviates the sizes o...

Citation Context

... suboptimal given works on fast multiplication such as [13]. The BLISS implementation bysPöppelmann et al. [15] uses the Number Theoretic Transform (NTT) multiplier proposed by Pöppelmann andsGüneysu =-=[49]-=- and achieves high throughput for signing and verification. The resource consumption is alsosreasonable and the design fits on low-cost Spartan-6 devices. Usage of the improved NTT multiplier design b...

Citation Context

...tiplication, the vectorised GLP implementation is twice as fast as BLISS.sThus in the future, it is expected that BLISS could be further improved by applying the vectorisation ideas ofsGüneysu et al. =-=[43]-=-. Moreover, for the signing procedure of BLISS, the impact of higher security levels onsperformance is moderate as n and q stay the same, with the significant changes being in the Gaussian sampler and...

Citation Context

...entations of Lattice-based Digital Signature SchemessAs previously discussed, there are currently no practical instantiations of the GGH [21] signature schemes andsimplementations of NTRUSign such as =-=[42]-=- are vulnerable to cryptanalysis, so they are not considered in thissevaluation. Lattice-based schemes investigated here for which implementation results are available are GPV [32,s33], LYU [38], GLP ...

Citation Context

...on both large and lightweight devices. Another modulespertaining to one of the more computationally expensive in hardware is the Gaussian sampling stage.sDwarakanath and Galbraith [51] and Roy et al. =-=[52]-=- look into different approaches to efficiently compute such asstage for constrained devices. As shown by [15] and [46] the CDT approach is best suited for larger devices withsthe Bernoulli approach sh...

Citation Context

... still secure to a quantumsadversary. Although making the DSSs less efficient, schemes by Gentry et al. [32] and Lyubashevsky [38] aresrespectively shown by Boneh and Zhandry [55] and Dagdelen et al. =-=[56]-=- to be secure to such an adversary, creatingsthe quantum random oracle model. This could also motivate an important area for future research, such assproving security for more DSSs to a quantum advers...

Citation Context

...quantumsworld.sIn recent years there has been a tremendous growth in lattice-based cryptography as a research field. As a result,sconcepts such as functional encryption [4], identity-based encryption =-=[5, 6]-=-, attribute-based encryption [7], groupssignature schemes [8-10] and fully homomorphic encryption [11, 12] have been developed. On the practical front,ssome constructions of public-key encryption sche...

Citation Context

...ugh thesrobustness of this hardness assumption, in comparison to general lattices, has not been explicitly proven, it issgenerally considered that most problems still remain hard using ideal lattices =-=[17, 18]-=-. Additionally, using idealslattices offers a significant speed-up and reduction in key sizes for almost all cryptographic protocols, in particular,sin encryption schemes and digital signatures. Howev...

Citation Context

...the added properties of consuming less resources and greater adaptability for scaling. Withsregards to digital signature schemes, the two most notable are by Güneysu et al. [14] and Pöppelmann et al. =-=[15]-=-swith the former implementation resulting in a 1.5x speed improvement compared to an equivalent RSA design,sand the latter scheme being faster, consuming less resources, needing less iterations and at...

Citation Context

...ifferent samplers (Bernoulli, Knuth-Yao and Discrete Ziggurat) andsrunning at 168 MHz; the device produces 28 signing, 167 verification and 0.46 key generation operations perssecond. Boorghany et al. =-=[47]-=- and Boorghany and Jalili [48] provide an implementation of GLP and BLISS used as ansidentification scheme on 8-bit architectures (Atmega and ATxmega), showing that lattice-based DSSs perform wellseve...

Citation Context

...pler andsnumber of rejections. As Gaussian sampling is not needed for verification, the runtime of verification is basicallysindependent of the security level. The LYU implementation by Weiden et al. =-=[44]-=- is not competitive, mainly due toslarger parameters and also because the implementation uses slow rejection sampling and relies on the NTL librarysfor basic arithmetic. For GPV [32], initial outputs ...

Citation Context

... schemes based on lattice problems aresnow more practical than traditional schemes based on RSA. The most recent implementation of a lattice-basedsencryption scheme in hardware is shown by Roy et al. =-=[13]-=- with results outperforming those of RSA. Moresspecifically, the scheme shows performances an order of magnitude faster in comparison to RSA, for a higherssecurity level, and with the added properties...

Citation Context

... 400 signatures. Since Nguyen and Regev categorically showsNTRUSign (without perturbation) to be absolutely insecure and further countermeasures and a version withsperturbations have also been broken =-=[28]-=-, this scheme will not be covered as implementation results currently dosnot have practical applications. However, recent research such as Melchor et al. [29] hold some promise for thesfuture of this ...