Advances in Cryptology – EUROCRYPT 2012

Volume 7237 of the series Lecture Notes in Computer Science pp 572-590

Tightly-Secure Signatures from Lossy Identification Schemes

  • Michel AbdallaAffiliated withÉcole Normale Supérieure
  • , Pierre-Alain FouqueAffiliated withÉcole Normale Supérieure
  • , Vadim LyubashevskyAffiliated withÉcole Normale Supérieure
  • , Mehdi TibouchiAffiliated withNTT Information Sharing Platform Laboratories


In this paper we present three digital signature schemes with tight security reductions. Our first signature scheme is a particularly efficient version of the short exponent discrete log based scheme of Girault et al. (J. of Cryptology 2006). Our scheme has a tight reduction to the decisional Short Discrete Logarithm problem, while still maintaining the non-tight reduction to the computational version of the problem upon which the original scheme of Girault et al. is based. The second signature scheme we construct is a modification of the scheme of Lyubashevsky (Asiacrypt 2009) that is based on the worst-case hardness of the shortest vector problem in ideal lattices. And the third scheme is a very simple signature scheme that is based directly on the hardness of the Subset Sum problem. We also present a general transformation that converts, what we term \(\emph{lossy}\) identification schemes, into signature schemes with tight security reductions. We believe that this greatly simplifies the task of constructing and proving the security of such signature schemes.


Signature schemes tight reductions Fiat-Shamir