TESLA: Tightly-secure efficient signatures from standard lattices, 2015
Abstract

Generally, lattice-based cryptographic primitives offer good performance and allow for strong security reductions. However, the most efficient current lattice-based signature schemes sacrifice (part of their) security to achieve good performance: first, security is based on ideal lattice problems, which might not be as hard as standard lattice problems. Secondly, the security reductions of the most efficient schemes are non-tight; hence, their choices of parameters offer security merely heuristically. Moreover, lattice-based signatures are instantiated for classical adversaries, although they are based on presumably quantum-hard problems. Yet, it is not known how such schemes perform in a post-quantum world. We bridge this gap by proving the lattice-based signature scheme TESLA to be tightly secure based on the learning with errors problem over standard lattices in the random oracle model. As such, we improve the security of the original proposal by Bai and Galbraith (CT-RSA'14) twofold: we tighten the security reduction and we minimize the underlying security assumptions. Remarkably, by enhancing the security we can improve TESLA's performance by a factor of two. Furthermore, we are the first to propose parameters providing a security of 128 bits against both classical and quantum adversaries for a lattice-based signature scheme. Our implementation of TESLA competes well with state-of-the-art lattice-based signatures and SPHINCS (EUROCRYPT'15), the only signature scheme instantiated with quantum-hard parameters thus far.
Post-Quantum Zero-Knowledge and Signatures from Symmetric-Key Primitives *
Abstract
We propose a new class of post-quantum digital signature schemes that: (a) derive their security entirely from the security of symmetric-key primitives, believed to be quantum-secure, (b) have extremely small key pairs, and (c) are highly parameterizable. In our signature constructions, the public key is an image y = f(x) of a one-way function f and secret key x. A signature is a non-interactive zero-knowledge proof of x that incorporates a message to be signed. For this proof, we leverage recent progress of Giacomelli et al. (USENIX'16) in constructing an efficient Σ-protocol for statements over general circuits. We improve this Σ-protocol to reduce proof sizes by a factor of two, at no additional computational cost. While this is of independent interest as it yields more compact proofs for any circuit, it also decreases our signature sizes. We consider two possibilities for making the proof non-interactive, the Fiat-Shamir transform, and Unruh's transform (EUROCRYPT'12, We implement and benchmark both approaches and explore the possible choice of f, taking advantage of the recent trend to strive for practical symmetric ciphers with a particularly low number of multiplications and end up using LowMC. * This paper is a merge of