
## High-speed signatures from standard lattices

Citations: 2 (1 self)

### Citations

1016 | How to prove yourself: practical solutions to identification and signature problems
- Fiat, Shamir
- 1987
Citation Context: ...The Bai-Galbraith Signature Scheme. The Bai-Galbraith digital signature scheme [6] (BG signature) is based on the Fiat-Shamir paradigm which transforms an identification scheme into a signature scheme [18] and closely follows previous proposals by Lyubashevsky et al. [16, 21, 28, 29]. The hardness of breaking the BG signature scheme, in the random oracle model, is reduced to the hardness of solving stand...

650 | Timing Attacks on Implementations of Diffie-Hellman, RSA, DSS, and Other Systems
- Kocher
- 1996
Citation Context: ...of software implementations (even remotely over a network) has led to various attacks in the past and thus it is desirable to achieve constant runtime or at least a timing independent from secret data [13, 25]. Our Contribution. The contribution of this paper is twofold. First, we study the parameter selection of the BG signature scheme in more detail than in the original paper and assess its security leve...

361 | On lattices, learning with errors, random linear codes, and cryptography
- Regev
- 2005
Citation Context: ...ysis will be able to exploit the additional structure. Especially, if long-term security is an issue, it seems that standard lattices and the associated problems (e.g., the Learning With Errors (LWE) [34] or the Small Integer Solution (SIS) problem) offer more confidence than their ring counterparts. The situation for code-based cryptography [9] is somewhat similar. The use of more structured codes, su...

321 | Lattice Basis Reduction: Improved Practical Algorithms and Solving Subset Sum Problems
- Schnorr, Hörner
- 1994
Citation Context: ...k in the optimal dimension, and in this case choosing the highest possible dimension seems to be optimal. To achieve a small Hermite delta, it is necessary to run a basis-reduction algorithm like BKZ [37] or its successor BKZ 2.0 [14]. Lindner and Peikert [26] proposed the function log2(T(δ)) = 1.8/log2(δ) − 110 to predict the time necessary to achieve a given Hermite delta by BKZ. More recently, Alb...

307 | On Lovász' lattice reduction and the nearest lattice point problem
- Babai
- 1986
Citation Context: ...ignature scheme from Section 3 with 128 bits of security, for which we provide evidence in the next section. 4.1 Hardness of LWE. The decoding attack dates back to the nearest-plane algorithm by Babai [4] and was further improved by Lindner and Peikert in [26] and Liu and Nguyen in [27]. While it is often the fastest known approach, it turns out that it is not very suitable for our instances, because ...

244 | Remote timing attacks are practical
- Brumley, Boneh
- 2005
Citation Context: ...of software implementations (even remotely over a network) has led to various attacks in the past and thus it is desirable to achieve constant runtime or at least a timing independent from secret data [13, 25]. Our Contribution. The contribution of this paper is twofold. First, we study the parameter selection of the BG signature scheme in more detail than in the original paper and assess its security leve...

122 | On Ideal Lattices and Learning with Errors over Rings
- Lyubashevsky, Peikert, et al.
- 2010
Citation Context: ...ntroduction. Most practical lattice-based signatures [7, 16, 21], proposed as post-quantum [9] alternatives to RSA and ECDSA, are currently instantiated and implemented using structured ideal lattices [30] corresponding to ideals in rings of the form Z[x]/〈f〉, where f is a degree-n irreducible polynomial (usually f = x^n + 1). With those schemes one is able to achieve high speeds on several architectures ...

96 | Predicting lattice reduction
- Gama, Nguyen
- 2008
Citation Context: ...s proposed in the original paper can be found in the full version of this paper. Embedding approach. Given an LWE instance (A, b) such that As = b mod q, the idea of the embedding approach proposed in [19] is to use the em... Table 1: The parameter set we use for 128 bits of security. Note that signature and key sizes refer to fully compressed signature and keys. Our software uses slightly larger (padd...

71 | Better key sizes (and attacks) for LWE-based encryption
- Lindner, Peikert
- 2011
Citation Context: ...y, for which we provide evidence in the next section. 4.1 Hardness of LWE. The decoding attack dates back to the nearest-plane algorithm by Babai [4] and was further improved by Lindner and Peikert in [26] and Liu and Nguyen in [27]. While it is often the fastest known approach, it turns out that it is not very suitable for our instances, because an attacker has only access to a few samples. Thus we co...

59 | BKZ 2.0: Better lattice security estimates
- Chen, Nguyen
- 2011
Citation Context: ...d in this case choosing the highest possible dimension seems to be optimal. To achieve a small Hermite delta, it is necessary to run a basis-reduction algorithm like BKZ [37] or its successor BKZ 2.0 [14]. Lindner and Peikert [26] proposed the function log2(T(δ)) = 1.8/log2(δ) − 110 to predict the time necessary to achieve a given Hermite delta by BKZ. More recently, Albrecht et al. [2] proposed the ...

55 | Fast cryptographic primitives and circular-secure encryption based on hard learning problems
- Applebaum, Cash, Sahai, et al.
- 2009
Citation Context: ...rrors problem LWE_{χ,q} asks to distinguish A_{s,χ}, where s is chosen uniformly at random, from the uniform distribution on Z_q^n × Z_q. It is also possible to sample s according to the error distribution χ^n [3]. Departing from the original definition of LWE, that gives access to arbitrarily many samples, an attacker has often only access to a maximum number of samples. Typically, this number of samples is d...

46 | Compact McEliece keys from Goppa codes
- Misoczki, Barreto
- 2009
Citation Context: ...(SIS) problem) offer more confidence than their ring counterparts. The situation for code-based cryptography [9] is somewhat similar. The use of more structured codes, such as quasi-dyadic Goppa codes [31], has been the target of an algebraic attack [15] which is effective against certain (but not all) proposed parameters. This is an indication that the additional structure used to improve the efficien...

44 | Lattice Signatures without Trapdoors
- Lyubashevsky
- 2012
Citation Context: ...ure scheme [6] (BG signature) is based on the Fiat-Shamir paradigm which transforms an identification scheme into a signature scheme [18] and closely follows previous proposals by Lyubashevsky et al. [16, 21, 28, 29]. The hardness of breaking the BG signature scheme, in the random oracle model, is reduced to the hardness of solving standard worst-case computational assumptions on lattices. The explicit design goa...

28 | Practical lattice-based cryptography: A signature scheme for embedded systems
- Güneysu, Lyubashevsky, et al.
Citation Context: ...of the scheme and finally compare our work with the state of the art. Keywords: Signature scheme, standard lattices, vectorization, Ivy Bridge. 1 Introduction. Most practical lattice-based signatures [7, 16, 21], proposed as post-quantum [9] alternatives to RSA and ECDSA, are currently instantiated and implemented using structured ideal lattices [30] corresponding to ideals in rings of the form Z[x]/〈f〉, whe...

24 | Fiat-Shamir with aborts: Applications to lattice and factoring-based signatures
- Lyubashevsky
- 2009
Citation Context: ...ure scheme [6] (BG signature) is based on the Fiat-Shamir paradigm which transforms an identification scheme into a signature scheme [18] and closely follows previous proposals by Lyubashevsky et al. [16, 21, 28, 29]. The hardness of breaking the BG signature scheme, in the random oracle model, is reduced to the hardness of solving standard worst-case computational assumptions on lattices. The explicit design goa...

19 | Solving BDD by enumeration: An update
- Liu, Nguyen
- 2013
Citation Context: ...dence in the next section. 4.1 Hardness of LWE. The decoding attack dates back to the nearest-plane algorithm by Babai [4] and was further improved by Lindner and Peikert in [26] and Liu and Nguyen in [27]. While it is often the fastest known approach, it turns out that it is not very suitable for our instances, because an attacker has only access to a few samples. Thus we concentrate on the embedding ...

16 | Post-quantum key exchange for the TLS protocol from the ring learning with errors problem
- Bos, Costello, et al.
- 2015
Citation Context: ...ults and a comparison in Section 6. A software implementation of a constant time discrete Gaussian sampler using the Cumulative Distribution Table (CDT) approach was recently proposed by Bos et al. [12]. However, even for the small standard deviation required for lattice-based encryption schemes, the constant time requirement leads to a significant overhead. We note here that there was some vaguen...

16 | On the Design of Hardware Building Blocks for Modern Lattice-Based Encryption Schemes
- Göttert, Feller, et al.
- 2012
Citation Context: ...as power of two) so that there is still hope for high speed. The only results currently available dealing with the implementation of standard lattice-based instantiations rely on arithmetic libraries [7, 20] and can thus not fully utilize the power of their target architectures. An additional feature of the BG signature is that sampling of Gaussian noise is only needed during the much less performance-cr...

15 | Enhanced lattice-based signatures on reconfigurable hardware
- Pöppelmann, Ducas, et al.
- 2014
Citation Context: ...the discrete-compact-knapsack (DCK) [21] or NTRU-related assumptions [16] that have not been studied extensively so far. While results for ideal-lattice-based signatures have been published recently [11, 22, 32, 33], currently no research is available dealing with implementation and performance issues of standard-lattice-based signatures. While the large keys of such schemes might prevent their adoption on const...

14 | Sampling from Discrete Gaussians for Lattice-based Cryptography on a Constrained Device (Applicable Algebra)
- Dwarakanath, Galbraith
- 2014

12 | An improved compression technique for signatures based on learning with errors
- Bai, Galbraith
- 2014
Citation Context: ...evices or reconfigurable hardware, the size of the keys is much less an issue on current multi-core CPUs which have access to large amounts of memory. In this context, the scheme by Bai and Galbraith [6] (from now on referred to as BG signature) is an interesting proposal as it achieves small signatures and is based on the standard LWE and SIS problems. An interesting question arising is also the per...

12 | Improvement and efficient implementation of a lattice-based signature scheme (IACR Cryptology ePrint Archive)
- Bansarkhani, Buchmann
- 2013
Citation Context: ...(Haswell) verify: 335072; This work, Intel Core i5-3210M (Ivy Bridge), 128 bits, sign: 1973610, verify: 608870; This work, TI Sitara AM335x (ARM Cortex-A8), 128 bits, sign: 10264721, verify: 2796433; GPV-matrix [7] (n = 512, k = 27), AMD Opteron 8356 (Barcelona), 100 bits, sign: 287500000, verify: 48300000. Software using ideal lattices: GLP [22], Intel Core i5-3210M (Ivy Bridge), 75–80 bits, sign: 634988, verify: 45036...

10 | eBACS: ECRYPT benchmarking of cryptographic systems. http://bench.cr.yp.to (accessed
- Bernstein, Lange
Citation Context: ...atforms. Instead of 446880 cycles which one might expect from an arithmetic lower bound, matrix-vector multiplication takes 2448008 cycles. 6 Results and Comparison. Our software follows the eBACS API [10] and we will submit the software to eBACS for public benchmarking. In this section we do not report cycle counts obtained by running the eBACS benchmarking framework SUPERCOP. The reason is the same a...

9 | Polynomial Time Attack on Wild McEliece Over Quadratic Extensions
- Couvreur, Otmani, et al.
- 2014
Citation Context: ...ng counterparts. The situation for code-based cryptography [9] is somewhat similar. The use of more structured codes, such as quasi-dyadic Goppa codes [31], has been the target of an algebraic attack [15] which is effective against certain (but not all) proposed parameters. This is an indication that the additional structure used to improve the efficiency of such cryptosystems might be also used by ad...

9 | Software speed records for lattice-based signatures
- Güneysu, Oder, et al.
- 2013
Citation Context: ...ludes a (slow) routine for key generation but we will not discuss key generation here. 5.1 High-Level Optimizations. Regarding platform independent high-level optimizations we follow the approach from [22] and would like to emphasize the changes to the algorithm (adding E to the private key and choosing A as global constant) and improved rejection sampling (usage of L_new) as discussed in Section 3. For...

7 | Lattice signatures and bimodal Gaussians
- Ducas, Durmus, Lepoint, Lyubashevsky
- 2013
Citation Context: ...of the scheme and finally compare our work with the state of the art. Keywords: Signature scheme, standard lattices, vectorization, Ivy Bridge. 1 Introduction. Most practical lattice-based signatures [7, 16, 21], proposed as post-quantum [9] alternatives to RSA and ECDSA, are currently instantiated and implemented using structured ideal lattices [30] corresponding to ideals in rings of the form Z[x]/〈f〉, whe...

7 | Parallel Gauss sieve algorithm: Solving the SVP in the ideal lattice of 128 dimensions (Cryptology ePrint Archive, Report 2013/388)
- Ishiguro, Kiyomoto, et al.
- 2013
Citation Context: ...ficient discrete Gaussian sampling [16, 17, 33] it is still not known how to implement the ... There exist sieving algorithms which can exploit the ideal structure, but the speedup is of no significance [24, 36]. Some first ideas towards attacks with lower complexity were sketched by Bernstein in his blog [8]. Omitting costly Gaussian sampling was also the motivation for the design of the GLP signature [21...

6 | A subfield-logarithm attack against ideal lattices
- Bernstein
- 2014
Citation Context: ...sieving algorithms which can exploit the ideal structure, but the speedup is of no significance [24, 36]. Some first ideas towards attacks with lower complexity were sketched by Bernstein in his blog [8]. Omitting costly Gaussian sampling was also the motivation for the design of the GLP signature [21]. ... sampling efficiently without leaking information on the sampled values through the runtime of...

6 | Implementation and Comparison of Lattice-based Identification
- Boorghany, Jalili
Citation Context: ...the discrete-compact-knapsack (DCK) [21] or NTRU-related assumptions [16] that have not been studied extensively so far. While results for ideal-lattice-based signatures have been published recently [11, 22, 32, 33], currently no research is available dealing with implementation and performance issues of standard-lattice-based signatures. While the large keys of such schemes might prevent their adoption on const...

5 | On the efficacy of solving LWE by reduction to unique-SVP (Cryptology ePrint Archive)
- Albrecht, Fitzpatrick, et al.
Citation Context: ...ieves Hermite factor δ succeeds with high probability if λ2(Λ)/λ1(Λ) ≥ τ · δ^dim(Λ), ... Table 2: Security of our parameter set (Security Level / Problem / Attack / Bit Security): LWE, Decoding [26], 271; LWE, Embedding [2], 192; LWE, Embedding [6], 130; SIS, Lattice reduction [6], 159 ... where τ ≈ 0.4 is a constant that depends on the reduction algorithm used. In fact, this factor is missing in the analysis by Bai and Galbraith, whi...

5 | Beyond ECDSA and RSA: Lattice-based Digital Signatures on Constrained Devices
- Oder, Pöppelmann, et al.
Citation Context: ...the discrete-compact-knapsack (DCK) [21] or NTRU-related assumptions [16] that have not been studied extensively so far. While results for ideal-lattice-based signatures have been published recently [11, 22, 32, 33], currently no research is available dealing with implementation and performance issues of standard-lattice-based signatures. While the large keys of such schemes might prevent their adoption on const...

4 | Practical signatures from the partial Fourier recovery problem
- Hoffstein, Pipher, et al.
- 2014
Citation Context: ...dge) verify: 34004; GPV-poly [7] (n = 512, k = 27), AMD Opteron 8356 (Barcelona), 100 bits, sign: 71300000, verify: 9200000; BLISS [16] (BLISS-I), Intel Core i7, 128 bits, sign: ≈ 421600, verify: ≈ 102000; PASS [23] (N = 1153), Intel Core i7-2640M (Sandy Bridge), 130 bits, sign: 584230, verify: 172641. Conclusion and future work. With this work we have shown that the performance impact of using standard lattices over...

4 | Compact Hardware Implementation of Ring-LWE Cryptosystems
- Roy, Vercauteren, Mentens, Chen, Verbauwhede
- 2014
Citation Context: ...o the performance of schemes based on standard lattices and how to choose parameters for high performance. While FFT techniques have been used successfully for ideal lattices on various architectures [22, 35], there are no fast algorithms to speed up the necessary matrix-vector arithmetic. However, matrix-vector operations can be parallelized very efficiently and there are no direct restrictions on the para...

4 | Sieving for shortest vectors in ideal lattices
- Schneider
- 2013
Citation Context: ...ficient discrete Gaussian sampling [16, 17, 33] it is still not known how to implement the ... There exist sieving algorithms which can exploit the ideal structure, but the speedup is of no significance [24, 36]. Some first ideas towards attacks with lower complexity were sketched by Bernstein in his blog [8]. Omitting costly Gaussian sampling was also the motivation for the design of the GLP signature [21...

1 | Sealing the leak on classical NTRU signatures
- Aguilar-Melchor, Boyen, Deneuville, Gaborit
- 2014
Citation Context: ...rformance of an independent time implementation of vectorized BLISS or PASS. Moreover, NTRUsign might become interesting again if it is possible to fix the security issues efficiently, as proposed in [1]. Acknowledgment. We would like to thank Patrick Weiden, Rafael Misoczki, Shi Bai, and Steven Galbraith for useful discussions. We would further like to thank the anonymous reviewers for their sugge...

1 | Personal communication and e-mail exchanges
- Bai, Galbraith
Citation Context: ...tant time requirement leads to a significant overhead. We note here that there was some vagueness in the parameter selection in the original work [6], also noticed later by the authors of the paper [5]. 2 Preliminaries. Notation. We mainly follow the notation of [6] and denote column vectors by bold lower case letters (e.g., v = (v1, ..., vn)^T where v^T is the transpose) and matrices by bold upp...
