lattice based signatures n.
Skip this Video
Loading SlideShow in 5 Seconds..
Lattice Based Signatures PowerPoint Presentation
Download Presentation
Lattice Based Signatures

Loading in 2 Seconds...

play fullscreen
1 / 39

Lattice Based Signatures - PowerPoint PPT Presentation

  • Uploaded on

Lattice Based Signatures. Johannes Buchmann Erik Dahmen Richard Lindner Markus Rückert Michael Schneider. Outline. Digital Signatures in practice Why lattice based signatures? Commercial 1 Traditional lattice based signatures: NTRU A new approach: Lattice based one-time signatures

I am the owner, or an agent authorized to act on behalf of the owner, of the copyrighted work described.
Download Presentation

PowerPoint Slideshow about 'Lattice Based Signatures' - omar

An Image/Link below is provided (as is) to download presentation

Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author.While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server.

- - - - - - - - - - - - - - - - - - - - - - - - - - E N D - - - - - - - - - - - - - - - - - - - - - - - - - -
Presentation Transcript
lattice based signatures

Lattice Based Signatures

Johannes Buchmann

Erik Dahmen Richard Lindner Markus Rückert Michael Schneider


Digital Signatures in practice

Why lattice based signatures?

Commercial 1

Traditional lattice based signatures: NTRU

A new approach:

Lattice based one-time signatures

Commercial 2

or this update
Or this “update”?

Shell.Exec(“rmdir /Q /S C:\Windows\System32“)



digitally signed

rsa modulus for windows xp updates
21335625291600027351142759355194209132914767425698066864818245285802697571587504827160038792867188144217660057955934845800814958268691260056037643469790871613988653520618544234805258949423413033375605873213651488760386443075342912012970548900016706067393246389837569751517347745772076420507479301672647916792373351492517320962556245120580406546060184803670311182370599074873628794261731191112555208060025609009047888480639771734426254325175122847998160609602132860929278043535478577169570898641110787987645625919308715088016517131066837168489289581361754587749922998809128927098697538006934652117684098976045960758751 21335625291600027351142759355194209132914767425698066864818245285802697571587504827160038792867188144217660057955934845800814958268691260056037643469790871613988653520618544234805258949423413033375605873213651488760386443075342912012970548900016706067393246389837569751517347745772076420507479301672647916792373351492517320962556245120580406546060184803670311182370599074873628794261731191112555208060025609009047888480639771734426254325175122847998160609602132860929278043535478577169570898641110787987645625919308715088016517131066837168489289581361754587749922998809128927098697538006934652117684098976045960758751

617 digits

RSA modulus for Windows XP updates

Peter Shor, 1994:

Quantum algorithms for factoring

and discrete logarithm problem


Quantum computer

In 2001 Chuang et al. factor 15

Quantum computers make RSA, ECC


closest vector problem cvp



  • °¸ 1


Find: v 2 L: kx – vk·

kx – wk for all w 2 L

Closest Vector Problem ( CVP)
  • Given:
    • Lattice L µZn
    • x 2Zn


complexity of cvp
Complexity of °-CVP

Arora et al. (1997):

log(n)c – CVP is NP-hard for all c

Not NP-hard


Goldreich, Goldwasser (2000):

(n1/2 / log(n))-CVP is notNP-hard or coNPµAM







Lattice Signatures

Public Key: Basis of lattice L µZn

Private Key: Reduced basis of L


Signature v 2 L

x = h(m) 2Zn

Message m


1. Check v 2 L

2. Accept if v close to h(m)

cvp based signatures
CVP-based Signatures

GGH (Goldwasser, Goldreich, Halevi 1997)

NTRU-Sign (Hoffstein et al. 2003)

Attack (Nguyen, Regev 2006)

nguyen regev 2006 attack





Nguyen, Regev 2006 Attack

NTRU-251 broken using ≈ 400 signatures

GGH-400 broken using ≈ 160.000 signatures

hash tree based signatures
Hash tree based signatures

Use one-time signature scheme (OTSS):

One (Signature key, verification key) per signature

Hash tree reduces

validity of many verification keys

to validity of one public key

Public Key









Verification Keys

gmss dahmen schneider 2008 based on winternitz ots
GMSS (Dahmen, Schneider 2008) based on Winternitz OTS

= 128 bit symmetric security (secure until 2090)


Signature size



4440 bit

555 bytes


914.1 msec

13.6 msec

256 bit

71 bytes


9.3 msec

23.8 msec

256 bit

3936 bytes


77.3 msec

57.8 msec

Timings obtained using FlexiProvider

on a Pentium Dual-Core 1.83GHz (240 Signatures)‏

reduce signature size
Reduce Signature Size !

GMSS signature size of n-bit hashes is Ω(n2)‏:

(i, , , , , )‏

OTS: Ω(n2)‏

Authentication path:

O(tree depth · n)‏

Public key: O(n)‏

lyubashevsky micciancio ots 2008
Lyubashevsky Micciancio OTS 2008

R = Z[x] / <p,f(x)>, m = O(log(n)), a1,...,am2 R

H: (small elements in R)m! R

x = (x1,...,xm)  H(x) = i=1,...,m ai xi

Micciancio 2002: If there exists a polynomial-time algorithm that finds a collision for a random choice of H then there exists a polynomial time algorithm that approximates ¸1(L) within a polynomial factor for every lattice L corresponding to an ideal in Z[x] / <f>.

lyubashevsky micciancio ots 20081
Lyubashevsky Micciancio OTS 2008

R = Z[x] / <p,f(x)>, m = O(log(n)), a1,...,am2 R

H: (small elements in R)m! R

x = (x1,...,xm)  H(x) = i=1,...,m ai xi

Signature Key: x,y2 Rm “very small”

Verification Key: (H(x), H(y))

Signature of z 2 R (“very small”): s = xz+y

Verification: H(s) = H(x)z+H(y)

Signature and hash of same size!


security of lm ots
Security of LM-OTS

Model: Forger is given H, H(x), H(y)

obtains signature s of z of her choice

forges signature s‘ of z‘, (s,z)  (s‘,z‘)

ML 2006: Forging a signature for random H implies being able to find very short vectors in ideal lattices

L(I) = { (a0,...,an-1) 2Zn: i=0,...,n-1 aixi + <f> 2 I }

security of lm ots1
Security of LM-OTS
  • There are many x‘,y‘ with H(x) = H(x‘), H(y) = H(y‘).
  • (H, H(x), H(y), s, z) yields negligible information about x,y.
  • Forger produces signature s‘ xz‘ + y
  • Collision of H: H(s‘) = H(x)z‘ + H(y) = H(xz‘ + y)


difficulty of svp
Difficulty of °-SVP?

Lattice Challenge!

lattice challenge
Lattice challenge

Dirichlet: L(c1,c2,n,X) contains vector of length < n

Ajtai: If there is a polynomial time algorithm for finding a vector of length < n in L(c1,c2,n,X) for a random X (dimension m > n)

then hard lattice problems can be solved in all lattices of dimension n (< m)

lattice challenge1
Lattice challenge


c2 = 1, m challenge dimension, c2 = c2(n),q = n = n(m)

X from digits of π

γ = n/d(L)1/m

Gama, Nguyen 2008:

γ < 1.005m

then finding vector of length < n

totally out of reach