# Lattice Signatures Without Trapdoors

@inproceedings{Lyubashevsky2011LatticeSW, title={Lattice Signatures Without Trapdoors}, author={Vadim Lyubashevsky}, booktitle={IACR Cryptol. ePrint Arch.}, year={2011} }

We provide an alternative method for constructing lattice-based digital signatures which does not use the "hash-and-sign" methodology of Gentry, Peikert, and Vaikuntanathan (STOC 2008). Our resulting signature scheme is secure, in the random oracle model, based on the worst-case hardness of the O(n^1.5)-SIVP problem in general lattices. The secret key, public key, and the signature size of our scheme are smaller than in all previous instantiations of the hash-and-sign signature, and our signing…

## 580 Citations

Lattice-based Signatures with Tight Adaptive Corruptions and More

- Computer Science, Mathematics
- IACR Cryptol. ePrint Arch.
- 2022

This work constructs the first tightly secure signature schemes in the multi-user setting with adaptive corruptions from lattices based on the Learning with Errors (LWE) assumption, and formally rules out the possibility that the aforementioned “ID-to-Signature” methodology can work tightly using parallel OR proofs.

Cryptanalysis of a code-based signature scheme without trapdoors

- Computer Science, Mathematics
- IACR Cryptol. ePrint Arch.
- 2021

An attack on the recent attempt by Li, Xing and Yeo to produce a code-based signature scheme using the Schnorr-Lyubashevsky approach in the Hamming metric is proposed, and the existence of a strong correlation between produced signatures is proved, which ultimately leaks information about the secret key.

Towards Practical and Round-Optimal Lattice-Based Threshold and Blind Signatures

- Computer Science, Mathematics
- IACR Cryptol. ePrint Arch.
- 2021

This work improves the state-of-the-art lattice-based construction by Hauck et al. as follows: it improves the round complexity from three to two and reduces the amount of noise flooding from 2 down to √Q_S, where Q_S is the bound on the number of signatures and λ is the security parameter.

Short lattice signatures with constant-size public keys

- Computer Science, Mathematics
- Secur. Commun. Networks
- 2016

This paper proposes a new method for constructing short lattice signatures with constant-size public keys in the standard model, and introduces a new hard lattice problem, called variant small integer solution (Variant-SIS), and gives the security reduction from small integer solution to Variant-SIS.

Lattice-based Threshold Signature with Message Block Sharing

- Computer Science, Mathematics
- 2014

An interesting tool is introduced to construct k-out-of-N threshold signature schemes, protocols that allow any subset of k members among N members to produce a valid signature, while it is impossible to generate a valid signature if fewer than k members are involved in the protocol.

Shorter Hash-and-Sign Lattice-Based Signatures

- Computer Science, Mathematics
- 2022

It is shown that the Gaussian vectors in signatures can be represented in a more compact way with appropriate coding-theoretic techniques, improving signature size by an additional 7 to 14% and reducing the modulus q with respect to which signatures are computed almost “for free”.

Scalable revocable identity-based signature over lattices in the standard model

- Computer Science, Mathematics
- Inf. Sci.
- 2020

Lattice signatures using NTRU on the hardness of worst-case ideal lattice problems

- Computer Science, Mathematics
- IET Inf. Secur.
- 2020

The authors propose an alternative lattice-based signature scheme on the Fiat-Shamir framework over the ring Z[x]/(x^n + 1) which is provably secure based on the hardness of the Ring-SIS problem in the random oracle model.

Programmable Hash Functions from Lattices: Short Signatures and IBEs with Small Key Sizes

- Computer Science, Mathematics
- CRYPTO
- 2016

Under the Inhomogeneous Small Integer Solution ISIS assumption, it is shown that any non-trivial lattice-based PHF is collision-resistant, which gives a direct application of this new primitive.

TESLA: Tightly-Secure Efficient Signatures from Standard Lattices

- Computer Science, Mathematics
- IACR Cryptol. ePrint Arch.
- 2015

This work proves the lattice-based signature scheme TESLA to be tightly secure based on the learning with errors problem over lattices in the random-oracle model, and improves the security of the original proposal by Bai and Galbraith twofold: the security reduction is tightened and the underlying security assumptions are minimized.

## References

Fiat-Shamir with Aborts: Applications to Lattice and Factoring-Based Signatures

- Computer Science, Mathematics
- ASIACRYPT
- 2009

This work demonstrates how the framework that is used for creating efficient number-theoretic ID and signature schemes can be transferred into the setting of lattices and is able to shorten the length of the signatures that are produced by Girault's factoring-based digital signature scheme.

Estimating the Security of Lattice-based Cryptosystems

- Computer Science, Mathematics
- IACR Cryptol. ePrint Arch.
- 2010

This work provides a framework that distills a hardness estimate out of a given parameter set and relates the complexity of practical lattice-based attacks to symmetric “bit security” for the first time.

Lattice Mixing and Vanishing Trapdoors: A Framework for Fully Secure Short Signatures and More

- Computer Science, Mathematics
- Public Key Cryptography
- 2010

Here the framework for adaptive security from hard random lattices in the standard model is proposed, and fully secure signatures, and also IBE, that are compact, simple, and elegant are obtained.

Trapdoors for hard lattices and new cryptographic constructions

- Computer Science, Mathematics
- IACR Cryptol. ePrint Arch.
- 2007

A new notion of trapdoor function with preimage sampling, simple and efficient "hash-and-sign" digital signature schemes, and identity-based encryption are included.

Trapdoors for Lattices: Simpler, Tighter, Faster, Smaller

- Computer Science, Mathematics
- IACR Cryptol. ePrint Arch.
- 2011

We give new methods for generating and using "strong trapdoors" in cryptographic lattices, which are simultaneously simple, efficient, easy to implement (even in parallel), and asymptotically optimal…

Fully Homomorphic Encryption from Ring-LWE and Security for Key Dependent Messages

- Computer Science, Mathematics
- CRYPTO
- 2011

A somewhat homomorphic encryption scheme that is both very simple to describe and analyze, and whose security reduces to the worst-case hardness of problems on ideal lattices using the RLWE assumption, which allows us to completely abstract out the lattice interpretation.

Asymptotically Efficient Lattice-Based Digital Signatures

- Computer Science, Mathematics
- IACR Cryptol. ePrint Arch.
- 2008

The construction is provably secure based on the worst-case hardness of approximating the shortest vector in ideal lattices within a polynomial factor, and asymptotically efficient: the time complexity of the signing and verification algorithms, as well as key and signature size is almost linear in the dimension n of the underlying lattice.

Making NTRU as Secure as Worst-Case Problems over Ideal Lattices

- Computer Science, Mathematics
- EUROCRYPT
- 2011

This work shows how to modify NTRUEncrypt to make it provably secure in the standard model, under the assumed quantum hardness of standard worst-case lattice problems, restricted to a family of lattices related to some cyclotomic fields.

Multi-signatures in the plain public-Key model and a general forking lemma

- Computer Science, Mathematics
- CCS '06
- 2006

This work provides a new scheme that is proven secure in the plain public-key model, meaning it requires nothing more than that each signer has a (certified) public key, and is proven secure in the random-oracle model under a standard (not bilinear map related) assumption.

Learning a Parallelepiped: Cryptanalysis of GGH and NTRU Signatures

- Computer Science, Mathematics
- Journal of Cryptology
- 2008

This work proposes an alternative method to attack signature schemes à la GGH by studying the following learning problem: given many random points uniformly distributed over an unknown n-dimensional parallelepiped, recover the parallelepiped or an approximation thereof; it transforms this problem into a multivariate optimization problem that can provably be solved by a gradient descent.