# Fiat-Shamir with Aborts: Applications to Lattice and Factoring-Based Signatures

@inproceedings{Lyubashevsky2009FiatShamirWA, title={Fiat-Shamir with Aborts: Applications to Lattice and Factoring-Based Signatures}, author={Vadim Lyubashevsky}, booktitle={ASIACRYPT}, year={2009} }

We demonstrate how the framework that is used for creating efficient number-theoretic ID and signature schemes can be transferred into the setting of lattices. This results in constructions of the most efficient to-date identification and signature schemes with security based on the worst-case hardness of problems in ideal lattices. In particular, our ID scheme has communication complexity of around 65,000 bits and the length of the signatures produced by our signature scheme is about 50,000…

## 404 Citations

### Lattice signatures using NTRU on the hardness of worst-case ideal lattice problems

- Computer Science, MathematicsIET Inf. Secur.
- 2020

The authors propose an alternative lattice-based signature scheme on the Fiat-Shamir framework over the ring Z [ x ] / ( x n + 1 ) which is provably secure based on the hardness of the Ring SIS problem in the random oracle model.

### Lattice Signatures Without Trapdoors

- Computer Science, MathematicsIACR Cryptol. ePrint Arch.
- 2011

This work provides an alternative method for constructing lattice-based digital signatures which does not use the "hash-and-sign" methodology, and shows that by slightly changing the parameters, one can get even more efficient signatures that are based on the hardness of the Learning With Errors problem.

### Loop abort Faults on Lattice-Based Fiat-Shamir & Hash'n Sign signatures

- Computer Science, MathematicsIACR Cryptol. ePrint Arch.
- 2016

Several possible fault attacks against some instances of the Fiat-Shamir family of signature scheme on lattices and on the GPV scheme, member of the Hash'n Sign family are presented.

### Estimating the Security of Lattice-based Cryptosystems

- Computer Science, MathematicsIACR Cryptol. ePrint Arch.
- 2010

This work provides a framework that distills a hardness estimate out of a given parameter set and relates the complexity of practical lattice-based attacks to symmetric “bit security” for the first time.

### Adapting Lyubashevsky's Signature Schemes to the Ring Signature Setting

- Computer Science, MathematicsAFRICACRYPT
- 2013

This paper transforms the scheme of ASIACRYPT 2009 into a ring signature scheme that provides strong properties of security under the random oracle model and provides a variant in which unforgeability is ensured against insider corruption attacks for arbitrary rings.

### Round-Optimal Lattice-Based Threshold Signatures, Revisited

- Computer Science, MathematicsIACR Cryptol. ePrint Arch.
- 2022

A homomorphism-friendly variant of Lyubashevsky’s signature is provided which achieves low circuit depth by being “rejection-free” and uses an optimal, moderate noise flooding of √ Q, matching the above.

### On Removing Rejection Conditions in Practical Lattice-Based Signatures

- Computer Science, MathematicsPQCrypto
- 2021

This paper shows that removing one of the rejection conditions is possible, and provides a variant of Lyubashevsky’s signature with comparable parameters with Dilithium and qTESLA, and gives evidence on the difficulty of removing the other rejection condition.

### TESLA: Tightly-Secure Efficient Signatures from Standard Lattices

- Computer Science, MathematicsIACR Cryptol. ePrint Arch.
- 2015

This work proves the lattice-based signature scheme TESLA to be tightly secure based on the learning with errors problem over lattices in the random-oracle model, and improves the security of the original proposal by Bai and Galbraith twofold: the security reduction is tightened and the underlying security assumptions are minimized.

### Towards Practical and Round-Optimal Lattice-Based Threshold and Blind Signatures

- Computer Science, MathematicsIACR Cryptol. ePrint Arch.
- 2021

This work improves the state of art lattice-based construction by Hauck et al as follows and improves the round complexity from three to two and reduces the amount of noise flooding from 2 down to √ QS, where QS is the bound on the number of signatures and λ is the security parameter.

### Lattice Signatures and Bimodal Gaussians

- Computer Science, MathematicsIACR Cryptol. ePrint Arch.
- 2013

A construction of a lattice-based digital signature scheme that represents an improvement over today’s most efficient lattice schemes and has shorter signature and public key sizes than all previously proposed lattice signature schemes.

## References

SHOWING 1-10 OF 50 REFERENCES

### Lattice-Based Identification Schemes Secure Under Active Attacks

- Computer Science, MathematicsPublic Key Cryptography
- 2008

This work constructs a 3-move identification scheme whose security is based on the worst-case hardness of the shortest vector problem in all lattices, and also presents a more efficient versionbased on the hardness ofthe same problem in ideal lattices.

### On the Fly Authentication and Signature Schemes Based on Groups of Unknown Order

- Computer Science, MathematicsJournal of Cryptology
- 2006

GPS is introduced, a Schnorr-like scheme that does not require knowledge of the order of the group nor of the Group element, and can be used with most cryptographic group structures, including those of unknown order.

### From Identification to Signatures via the Fiat-Shamir Transform: Minimizing Assumptions for Security and Forward-Security

- Computer Science, MathematicsEUROCRYPT
- 2002

It is shown that the signature scheme is secure against chosen-message attacks in the random oracle model if and only if the underlying identification scheme isSecure, and has its commitments drawn at random from a large space.

### Advances in Cryptology — CRYPTO’ 92

- Computer Science, MathematicsLecture Notes in Computer Science
- 2001

A new signature scheme is introduced that combines the strength of the strongest schemes with the efficiency of RSA, and uses the same amount of computation and memory as the widely applied RSA scheme.

### Efficient Public Key Encryption Based on Ideal Lattices

- Computer Science, MathematicsASIACRYPT
- 2009

This work achieves CPA-security against subexponential attacks, with (quasi-)optimal asymptotic performance, in public key encryption schemes with security provably based on the worst case hardness of the approximate Shortest Vector Problem in some structured lattices, called ideal lattices.

### A Digital Signature Scheme Secure Against Adaptive Chosen-Message Attacks

- Computer Science, MathematicsSIAM J. Comput.
- 1988

A digital signature scheme based on the computational difficulty of integer factorization possesses the novel property of being robust against an adaptive chosen-message attack: an adversary who receives signatures for messages of his choice cannot later forge the signature of even a single additional message.

### Trapdoors for hard lattices and new cryptographic constructions

- Computer Science, MathematicsIACR Cryptol. ePrint Arch.
- 2007

A new notion of trapdoor function with preimage sampling, simple and efficient "hash-and-sign" digital signature schemes, and identity-based encryption are included.

### Advances in Cryptology — CRYPTO’ 86

- Computer Science, MathematicsLecture Notes in Computer Science
- 2000

This paper examines some properties which the S-boxes satisfy and attempts to determine a reason for such structure to exist in the Data Encryption Standard.

### Concurrently Secure Identification Schemes Based on the Worst-Case Hardness of Lattice Problems

- Mathematics, Computer ScienceASIACRYPT
- 2008

It is shown that two variants of Stern's identification scheme are provably secure against concurrent attack under the assumptions on the worst-case hardness of lattice problems.

### New lattice-based cryptographic constructions

- Mathematics, Computer ScienceJACM
- 2004

A new public key cryptosystem whose security guarantee is considerably stronger than previous results is provided, and a family of collision resistant hash functions with an improved security guarantee in terms of the unique shortest vector problem is proposed.