## Fiat-Shamir with aborts: Applications to lattice and factoring-based signatures (2009)

Citations: 10 (2 self)

### BibTeX

```bibtex
@MISC{Lyubashevsky09fiat-shamirwith,
  author = {Vadim Lyubashevsky},
  title = {Fiat-Shamir with aborts: Applications to lattice and factoring-based signatures},
  year = {2009}
}
```

### Abstract

We demonstrate how the framework that is used for creating efficient number-theoretic ID and signature schemes can be transferred into the setting of lattices. This results in constructions of the most efficient to-date identification and signature schemes with security based on the worst-case hardness of problems in ideal lattices. In particular, our ID scheme has communication complexity of around 65,000 bits, and the length of the signatures produced by our signature scheme is about 50,000 bits. All prior lattice-based identification schemes required on the order of millions of bits to be transferred, while all previous lattice-based signature schemes were either stateful, too inefficient, or produced signatures whose lengths were also on the order of millions of bits. The security of our identification scheme is based on the hardness of finding the approximate shortest vector to within a factor of Õ(n^2) in the standard model, while the security of the signature scheme is based on the same assumption in the random oracle model. Our protocols are very efficient, with all operations requiring Õ(n) time. We also show that the technique for constructing our lattice-based schemes can be used to improve certain number-theoretic schemes. In particular, we are able to shorten the length of the signatures that are produced by Girault’s factoring-based digital signature scheme ([10, 11, 31]).

### Citations

878 | Polynomial-time algorithms for prime factorization and discrete logarithms on a quantum computer
- Shor
- 1997
Citation Context: ...ding small elements in the kernel of a homomorphism. This difference is what seems to give lattice problems resistance against polynomial-time quantum algorithms that solve factoring and discrete log [36], but at the same time it also hinders constructions of lattice-based primitives. [Figure residue: Secret key: s ← D_s; Public key: N, g, and S ← g^s mod N; Prover: y ← D_y, Y ← g^y mod N, sends Y; Verifier: c ← D_c, sends c; Prover: z ← ...]

831 | How to prove yourself: Practical solutions to identification and signature problems
- Fiat, Shamir
- 1986
Citation Context: ...). A different way of constructing digital signature schemes is to first construct an identification scheme of a certain form and then convert it to a signature scheme using the Fiat-Shamir transform [7, 32, 1]. The identification schemes of Micciancio and Vadhan [26], Lyubashevsky [17], and Kawachi et al. [15] can all be instantiated such that the secret and public keys are of size Õ(n), and the entire int...

697 | Factoring polynomials with rational coefficients
- Lenstra, Lenstra, et al.
- 1982
Citation Context: ...hat the currently best lattice algorithms are unable to take advantage of the extra structure provided by ideal lattices. Therefore, it still seems that solving SVP_γ takes time 2^O(n) when γ = n^O(1) [16, 4]. 2.3 Lattice-Based Collision-Resistant Hash Function. Let R be the ring Z_p[x]/〈x^n + 1〉. We define the following family of hash functions: Definition 1. For any integer m and D ⊆ R, the function family...

583 | Efficient Signature Generation by Smart Cards
- Schnorr
- 1991
Citation Context: ...ry. This is in sharp contrast to number-theoretic ID schemes where the response of the prover is longer than the challenge by only a small factor. What allows number-theoretic ID schemes like Schnorr [35], GQ [13], Girault [10], Okamoto [27], etc. to be so “compact” is that the challenge string in these protocols is not treated as a sequence of independent 0’s and 1’s, but instead the entire string is...

327 | A certified digital signature
- Merkle
- 1990
Citation Context: ... in which signing and verification can be performed in time Õ(n) [19]. Using standard techniques, the one-time signature can be transformed into a full-fledged signature scheme using a signature tree [21, 22] with only an additional work factor of O(log n). While this combination results in a very theoretically appealing scheme where all the operations take time Õ(n), it does require the use of a tree, wh...

310 | Zero-knowledge Proof of Identity
- Feige, Fiat, et al.
- 1988
Citation Context: ...t this definition can be relaxed so that sometimes an honest prover is not accepted with some small probability. The standard active attack model against identification schemes proceeds in two phases [5]. In the first phase, the adversary interacts with the prover in an effort to obtain some information. In the second stage, the adversary plays the role of the prover and tries to make a verifier acce...

280 | Security arguments for digital signatures and blind signatures
- Pointcheval, Stern
Citation Context: ...ndistinguishability of the ID scheme because the challenge is now simply generated by a random oracle rather than by the verifier. The proof of security of the signature scheme uses the forking lemma [32] to obtain two signatures from a forger that use the same random oracle query. Then, using the same ideas as in the security proof of the ID scheme, it can be shown how to use these signatures to obtai...

214 | A digital signature based on a conventional encryption function
- Merkle
- 1987
Citation Context: ... in which signing and verification can be performed in time Õ(n) [19]. Using standard techniques, the one-time signature can be transformed into a full-fledged signature scheme using a signature tree [21, 22] with only an additional work factor of O(log n). While this combination results in a very theoretically appealing scheme where all the operations take time Õ(n), it does require the use of a tree, wh...

207 | A public-key cryptosystem with worst-case/average-case equivalence
- Ajtai, Dwork
- 1997
Citation Context: ... European Research Council (ERC) Starting Grant. Some of the work in this paper was performed while the author was a student at the University of California, San Diego. ...were on the order of megabytes [3, 33, 34, 28] (also see [25] for concrete parameter proposals for the scheme in [34]). Therefore some new ideas were required in order to make provably secure lattice-based primitives a realistic alternative to on...

194 | On lattices, learning with errors, random linear codes, and cryptography
- Regev
- 2004
Citation Context: ... European Research Council (ERC) Starting Grant. Some of the work in this paper was performed while the author was a student at the University of California, San Diego. ...were on the order of megabytes [3, 33, 34, 28] (also see [25] for concrete parameter proposals for the scheme in [34]). Therefore some new ideas were required in order to make provably secure lattice-based primitives a realistic alternative to on...

168 | Witness indistinguishable and witness hiding protocols
- Feige, Shamir
- 1990
Citation Context: ...with some non-negligible probability. Witness-Indistinguishability. We will only define the concept of witness-indistinguishability in a way that pertains to our application and we refer the reader to [6] for the more general definition. For convenience, we will use the notation from the identification protocol in Figure 1. An identification scheme is said to be perfectly witness-indistinguishable if...

162 | Generating hard instances of lattice problems
- Ajtai
- 1996
Citation Context: ...ed on the hardness of lattice problems began with the seminal work of Ajtai who showed that one-way functions could be built with security based on the worst-case hardness of certain lattice problems [2]. Unfortunately, cryptographic primitives that were built with this very strong security property were extremely inefficient for practical applications. For example, evaluating one-way and collision-r...

150 | A sieve algorithm for the shortest lattice vector problem
- Ajtai, Kumar, et al.
- 2001
Citation Context: ...hat the currently best lattice algorithms are unable to take advantage of the extra structure provided by ideal lattices. Therefore, it still seems that solving SVP_γ takes time 2^O(n) when γ = n^O(1) [16, 4]. 2.3 Lattice-Based Collision-Resistant Hash Function. Let R be the ring Z_p[x]/〈x^n + 1〉. We define the following family of hash functions: Definition 1. For any integer m and D ⊆ R, the function family...

147 | Provably secure and practical identification schemes and corresponding signature schemes
- Okamoto
- 1993
Citation Context: ...er-theoretic ID schemes where the response of the prover is longer than the challenge by only a small factor. What allows number-theoretic ID schemes like Schnorr [35], GQ [13], Girault [10], Okamoto [27], etc. to be so “compact” is that the challenge string in these protocols is not treated as a sequence of independent 0’s and 1’s, but instead the entire string is interpreted as an integer from a cer...

120 | NTRU: A ring-based public key cryptosystem
- Hoffstein, Pipher, et al.
Citation Context: ...ed on number theory. A promising approach for improving efficiency is to use lattices that possess extra algebraic structure, and it is precisely this extra structure that makes the NTRU cryptosystem [14] (which unfortunately does not have a proof of security) very efficient in practice. A step in the direction of building provably secure lattice-based primitives was taken by Micciancio [23], who show...

103 | Trapdoors for hard lattices and new cryptographic constructions
- Gentry, Peikert, et al.
- 2008
Citation Context: ...ppealing scheme where all the operations take time Õ(n), it does require the use of a tree, which is a somewhat unwanted feature in practice. Another signature scheme was proposed by Gentry et al. in [9]. Their signature scheme follows the hash-and-sign paradigm, and when instantiated with algebraic lattices [37], verification takes time Õ(n), but Õ(n^4) time is needed to do the signing (it is plausi...

102 | A “paradoxical” identity-based signature scheme resulting from zero-knowledge
- Guillou, Quisquater
- 1988
Citation Context: ...is in sharp contrast to number-theoretic ID schemes where the response of the prover is longer than the challenge by only a small factor. What allows number-theoretic ID schemes like Schnorr [35], GQ [13], Girault [10], Okamoto [27], etc. to be so “compact” is that the challenge string in these protocols is not treated as a sequence of independent 0’s and 1’s, but instead the entire string is interpre...

83 | Worst-case to Average-case Reductions based on Gaussian Measures
- Micciancio, Regev
- 2004
Citation Context: ...lt with this very strong security property were extremely inefficient for practical applications. For example, evaluating one-way and collision-resistant hash functions required Õ(n^2) time and space [2, 24], and in public-key cryptosystems, the keys ⋆ Supported by the Israel Science Foundation and by a European Research Council (ERC) Starting Grant. Some of the work in this paper was performed while the...

82 | Public-key cryptosystems from the worst-case shortest vector problem
- Peikert
- 2009
Citation Context: ... European Research Council (ERC) Starting Grant. Some of the work in this paper was performed while the author was a student at the University of California, San Diego. ...were on the order of megabytes [3, 33, 34, 28] (also see [25] for concrete parameter proposals for the scheme in [34]). Therefore some new ideas were required in order to make provably secure lattice-based primitives a realistic alternative to on...

53 | Predicting lattice reduction
- Gama, Nguyen
- 2008
Citation Context: ... the scheme of [19] is secure in the standard model), but is worse than that in [26, 9, 37] (where the factor is Õ(n^1.5)) and in [15] (where the factor is Õ(n)). Based on the work of Gama and Nguyen [8], who worked out the effectiveness of current state-of-the-art lattice reduction algorithms, we present some concrete parameters with which our schemes can be instantiated. On the low end, the outputte...

46 | Generalized compact knapsacks, cyclic lattices, and efficient one-way functions from worst-case complexity assumptions
- Micciancio
Citation Context: ...ptosystem [14] (which unfortunately does not have a proof of security) very efficient in practice. A step in the direction of building provably secure lattice-based primitives was taken by Micciancio [23], who showed that one could build efficient (Õ(n) evaluation time) one-way functions with security based on the worst-case instances of problems pertaining to cyclic lattices (cyclic lattices are lat...

45 | Efficient collision-resistant hashing from worst-case assumptions on cyclic lattices
- Peikert, Rosen
- 2006
Citation Context: ...lattices are lattices that correspond to ideals in the ring Z[x]/〈x^n − 1〉). This result was later extended to give constructions of collision-resistant hash functions by either restricting the domain [29] or changing the ring [18] in Micciancio’s scheme. These works then led to constructions and implementations of collision-resistant hash functions [20] with security based on worst-case problems in la...

45 | New lattice-based cryptographic constructions
- Regev

42 | Statistical zero-knowledge proofs with efficient provers: Lattice problems and more
- Micciancio, Vadhan
- 2003
Citation Context: ...to first construct an identification scheme of a certain form and then convert it to a signature scheme using the Fiat-Shamir transform [7, 32, 1]. The identification schemes of Micciancio and Vadhan [26], Lyubashevsky [17], and Kawachi et al. [15] can all be instantiated such that the secret and public keys are of size Õ(n), and the entire interaction takes Õ(n) time as well. While these construction...

40 | Generalized compact knapsacks are collision resistant. Full version
- Lyubashevsky, Micciancio
Citation Context: ... correspond to ideals in the ring Z[x]/〈x^n − 1〉). This result was later extended to give constructions of collision-resistant hash functions by either restricting the domain [29] or changing the ring [18] in Micciancio’s scheme. These works then led to constructions and implementations of collision-resistant hash functions [20] with security based on worst-case problems in lattices corresponding to id...

34 | Lattice-based cryptography
- Micciancio, Regev
- 2009
Citation Context: ... (ERC) Starting Grant. Some of the work in this paper was performed while the author was a student at the University of California, San Diego. ...were on the order of megabytes [3, 33, 34, 28] (also see [25] for concrete parameter proposals for the scheme in [34]). Therefore some new ideas were required in order to make provably secure lattice-based primitives a realistic alternative to ones based on num...

32 | From identification to signatures via the Fiat-Shamir transform: minimizing assumptions for security and forward-security
- Abdalla, An, et al.
- 2002
Citation Context: ...). A different way of constructing digital signature schemes is to first construct an identification scheme of a certain form and then convert it to a signature scheme using the Fiat-Shamir transform [7, 32, 1]. The identification schemes of Micciancio and Vadhan [26], Lyubashevsky [17], and Kawachi et al. [15] can all be instantiated such that the secret and public keys are of size Õ(n), and the entire int...

28 | An identity-based identification scheme based on discrete logarithms modulo a composite number
- Girault
- 1991
Citation Context: ...es can be used to improve certain number-theoretic schemes. In particular, we are able to shorten the length of the signatures that are produced by Girault’s factoring-based digital signature scheme ([10, 11, 31]). 1 Introduction. The appeal of building cryptographic primitives based on the hardness of lattice problems began with the seminal work of Ajtai who showed that one-way functions could be built with s...

28 | SWIFFT: A modest proposal for FFT hashing
- Lyubashevsky, Micciancio, et al.
- 2008
Citation Context: ...class of lattices that received attention because one can construct efficient and provably secure cryptographic primitives based on the hardness of finding approximate short vectors in these lattices [18, 29, 19, 20]. The main reason for this efficiency is that the multiplication of two polynomials in Z_p[x]/〈x^n + 1〉 can be done in time Õ(n) using the Fast Fourier Transform. While the results in this paper can be...

24 | Efficient public key encryption based on ideal lattices
- Stehlé, Steinfeld, et al.
Citation Context: ...t unwanted feature in practice. Another signature scheme was proposed by Gentry et al. in [9]. Their signature scheme follows the hash-and-sign paradigm, and when instantiated with algebraic lattices [37], verification takes time Õ(n), but Õ(n^4) time is needed to do the signing (it is plausible that the signing time could be reduced to Õ(n^2) with a more careful analysis). A different way of construc...

19 | Lattice-based identification schemes secure under active attacks
- Lyubashevsky
- 2008
Citation Context: ...an identification scheme of a certain form and then convert it to a signature scheme using the Fiat-Shamir transform [7, 32, 1]. The identification schemes of Micciancio and Vadhan [26], Lyubashevsky [17], and Kawachi et al. [15] can all be instantiated such that the secret and public keys are of size Õ(n), and the entire interaction takes Õ(n) time as well. While these constructions seem essentially...

19 | Lattices that Admit Logarithmic Worst-Case to Average-Case Connection Factors
- Peikert, Rosen

18 | On the fly authentication and signature schemes based on groups of unknown order
- Girault, Poupard, et al.
- 2006
Citation Context: ...igner needs to abort, he simply reruns the protocol until he gets a signature in the correct range. The end result is that the eventual signature is shorter than it would have been in schemes such as [10, 11, 31] where the signer does not have the option to abort. 2 Preliminaries. 2.1 Notation. We will denote vectors by bold letters. For convenience, vectors of vectors will be denoted by a bold letter with a ha...

18 | The composite discrete logarithm and secure authentication
- Pointcheval
- 2000
Citation Context: ...es can be used to improve certain number-theoretic schemes. In particular, we are able to shorten the length of the signatures that are produced by Girault’s factoring-based digital signature scheme ([10, 11, 31]). 1 Introduction. The appeal of building cryptographic primitives based on the hardness of lattice problems began with the seminal work of Ajtai who showed that one-way functions could be built with s...

17 | Asymptotically efficient lattice-based digital signatures
- Lyubashevsky, Micciancio
Citation Context: ...e has been some recent work in this direction, which we will now describe. Lyubashevsky and Micciancio constructed a one-time signature in which signing and verification can be performed in time Õ(n) [19]. Using standard techniques, the one-time signature can be transformed into a full-fledged signature scheme using a signature tree [21, 22] with only an additional work factor of O(log n). While this...

11 | Concurrently secure identification schemes based on the worst-case hardness of lattice problems
- Kawachi, Tanaka, et al.
- 2008
Citation Context: ...of a certain form and then convert it to a signature scheme using the Fiat-Shamir transform [7, 32, 1]. The identification schemes of Micciancio and Vadhan [26], Lyubashevsky [17], and Kawachi et al. [15] can all be instantiated such that the secret and public keys are of size Õ(n), and the entire interaction takes Õ(n) time as well. While these constructions seem essentially optimal, they contain a c...