Journal of Cryptology, Volume 29, Issue 3, pp 597–631

Tightly Secure Signatures From Lossy Identification Schemes

  • Michel Abdalla
  • Pierre-Alain Fouque
  • Vadim Lyubashevsky
  • Mehdi Tibouchi

Abstract

In this paper, we present three digital signature schemes with tight security reductions in the random oracle model. Our first signature scheme is a particularly efficient version of the short exponent discrete log-based scheme of Girault et al. (J Cryptol 19(4):463–487, 2006). Our scheme has a tight reduction to the decisional short discrete logarithm problem, while still maintaining the non-tight reduction to the computational version of the problem upon which the original scheme of Girault et al. is based. The second signature scheme we construct is a modification of the scheme of Lyubashevsky (Advances in Cryptology—ASIACRYPT 2009, vol 5912 of Lecture Notes in Computer Science, pp 598–616, Tokyo, Japan, December 6–10, 2009. Springer, Berlin, 2009) that is based on the worst-case hardness of the shortest vector problem in ideal lattices. The third scheme is a very simple signature scheme that is based directly on the hardness of the subset sum problem. We also present a general transformation that converts what we term lossy identification schemes into signature schemes with tight security reductions. We believe that this greatly simplifies the task of constructing and proving the security of such signature schemes.

Keywords

Signature schemes; Tight reductions; Fiat-Shamir

References

  1. M. Abdalla, J.H. An, M. Bellare, C. Namprempre, From identification to signatures via the Fiat-Shamir transform: minimizing assumptions for security and forward-security, in L.R. Knudsen, editor, Advances in Cryptology—EUROCRYPT 2002, vol. 2332 of Lecture Notes in Computer Science, pp. 418–433, Amsterdam, The Netherlands, April 28–May 2, 2002. Springer, Berlin
  2. M. Abdalla, P.-A. Fouque, V. Lyubashevsky, M. Tibouchi, Tightly-secure signatures from lossy identification schemes, in D. Pointcheval, T. Johansson, editors, Advances in Cryptology—EUROCRYPT 2012, vol. 7237 of Lecture Notes in Computer Science, pp. 572–590, Cambridge, UK, April 15–19, 2012. Springer, Berlin
  3. A. Becker, J.-S. Coron, A. Joux, Improved generic algorithms for hard knapsacks, in K.G. Paterson, editor, Advances in Cryptology—EUROCRYPT 2011, vol. 6632 of Lecture Notes in Computer Science, pp. 364–385, Tallinn, Estonia, May 15–19, 2011. Springer, Berlin
  4. M. Bellare, D. Hofheinz, S. Yilek, Possibility and impossibility results for encryption and commitment secure under selective opening, in A. Joux, editor, Advances in Cryptology—EUROCRYPT 2009, vol. 5479 of Lecture Notes in Computer Science, pp. 1–35, Cologne, Germany, April 26–30, 2009. Springer, Berlin
  5. M. Bellare, P. Rogaway, The exact security of digital signatures: how to sign with RSA and Rabin, in U.M. Maurer, editor, Advances in Cryptology—EUROCRYPT’96, vol. 1070 of Lecture Notes in Computer Science, pp. 399–416, Saragossa, Spain, May 12–16, 1996. Springer, Berlin
  6. M. Bellare, S. Micali, R. Ostrovsky, The (true) complexity of statistical zero knowledge, in 22nd Annual ACM Symposium on Theory of Computing, pp. 494–502, Baltimore, Maryland, USA, May 14–16, 1990. ACM Press, New York
  7. X. Boyen, Lattice mixing and vanishing trapdoors: a framework for fully secure short signatures and more, in P.Q. Nguyen, D. Pointcheval, editors, PKC 2010: 13th International Conference on Theory and Practice of Public Key Cryptography, vol. 6056 of Lecture Notes in Computer Science, pp. 499–517, Paris, France, May 26–28, 2010. Springer, Berlin
  8. D. Cash, D. Hofheinz, E. Kiltz, C. Peikert, Bonsai trees, or how to delegate a lattice basis, in H. Gilbert, editor, Advances in Cryptology—EUROCRYPT 2010, vol. 6110 of Lecture Notes in Computer Science, pp. 523–552, French Riviera, May 30–June 3, 2010. Springer, Berlin
  9. B. Chevallier-Mames, An efficient CDH-based signature scheme with a tight security reduction, in V. Shoup, editor, Advances in Cryptology—CRYPTO 2005, vol. 3621 of Lecture Notes in Computer Science, pp. 511–526, Santa Barbara, CA, USA, August 14–18, 2005. Springer, Berlin
  10. B. Chor, O. Goldreich, Unbiased bits from sources of weak randomness and probabilistic communication complexity (extended abstract), in 26th Annual Symposium on Foundations of Computer Science, pp. 429–442, Portland, Oregon, October 21–23, 1985. IEEE Computer Society Press, Los Alamitos
  11. R. Cramer, Modular Design of Secure Yet Practical Cryptographic Protocols. PhD thesis, CWI and University of Amsterdam, Amsterdam, The Netherlands, November 1996
  12. R. Cramer, V. Shoup, Signature schemes based on the strong RSA assumption. ACM Transactions on Information and System Security, 3(3):161–185, 2000
  13. S. Even, O. Goldreich, S. Micali, On-line/off-line digital signatures, in G. Brassard, editor, Advances in Cryptology—CRYPTO’89, vol. 435 of Lecture Notes in Computer Science, pp. 263–275, Santa Barbara, CA, USA, August 20–24, 1990. Springer, Berlin
  14. S. Even, O. Goldreich, S. Micali, On-line/off-line digital signatures. Journal of Cryptology, 9(1):35–67, 1996
  15. A.M. Frieze, On the Lagarias-Odlyzko algorithm for the subset sum problem. SIAM Journal on Computing, 15(2):536–539, 1986
  16. A. Fiat, A. Shamir, How to prove yourself: practical solutions to identification and signature problems, in A.M. Odlyzko, editor, Advances in Cryptology—CRYPTO’86, vol. 263 of Lecture Notes in Computer Science, pp. 186–194, Santa Barbara, CA, USA, August 1987. Springer, Berlin
  17. R. Gennaro, An improved pseudo-random generator based on discrete log, in M. Bellare, editor, Advances in Cryptology—CRYPTO 2000, vol. 1880 of Lecture Notes in Computer Science, pp. 469–481, Santa Barbara, CA, USA, August 20–24, 2000. Springer, Berlin
  18. R. Gennaro, An improved pseudo-random generator based on the discrete logarithm problem. Journal of Cryptology, 18(2):91–110, 2005
  19. R. Gennaro, S. Halevi, T. Rabin, Secure hash-and-sign signatures without the random oracle, in J. Stern, editor, Advances in Cryptology—EUROCRYPT’99, vol. 1592 of Lecture Notes in Computer Science, pp. 123–139, Prague, Czech Republic, May 2–6, 1999. Springer, Berlin
  20. M. Girault, An identity-based identification scheme based on discrete logarithms modulo a composite number (rump session), in I. Damgård, editor, Advances in Cryptology—EUROCRYPT’90, vol. 473 of Lecture Notes in Computer Science, pp. 481–486, Aarhus, Denmark, May 21–24, 1991. Springer, Berlin
  21. E.-J. Goh, S. Jarecki, A signature scheme as secure as the Diffie-Hellman problem, in E. Biham, editor, Advances in Cryptology—EUROCRYPT 2003, vol. 2656 of Lecture Notes in Computer Science, pp. 401–415, Warsaw, Poland, May 4–8, 2003. Springer, Berlin
  22. E.-J. Goh, S. Jarecki, J. Katz, N. Wang, Efficient signature schemes with tight reductions to the Diffie-Hellman problems. Journal of Cryptology, 20(4):493–514, 2007
  23. R. Gennaro, H. Krawczyk, T. Rabin, Secure Hashed Diffie-Hellman over non-DDH groups, in C. Cachin, J. Camenisch, editors, Advances in Cryptology—EUROCRYPT 2004, vol. 3027 of Lecture Notes in Computer Science, pp. 361–381, Interlaken, Switzerland, May 2–6, 2004. Springer, Berlin
  24. S. Goldwasser, S. Micali, R.L. Rivest, A digital signature scheme secure against adaptive chosen-message attacks. SIAM Journal on Computing, 17(2):281–308, 1988
  25. S. Goldwasser, S. Micali, C. Rackoff, The knowledge complexity of interactive proof systems. SIAM Journal on Computing, 18(1):186–208, 1989
  26. M. Girault, G. Poupard, J. Stern, On the fly authentication and signature schemes based on groups of unknown order. Journal of Cryptology, 19(4):463–487, 2006
  27. C. Gentry, C. Peikert, V. Vaikuntanathan, Trapdoors for hard lattices and new cryptographic constructions, in R.E. Ladner, C. Dwork, editors, 40th Annual ACM Symposium on Theory of Computing, pp. 197–206, Victoria, British Columbia, Canada, May 17–20, 2008. ACM Press, New York
  28. L.C. Guillou, J.-J. Quisquater, A "paradoxical" identity-based signature scheme resulting from zero-knowledge, in S. Goldwasser, editor, Advances in Cryptology—CRYPTO’88, vol. 403 of Lecture Notes in Computer Science, pp. 216–231, Santa Barbara, CA, USA, August 21–25, 1990. Springer, Berlin
  29. S. Hohenberger, B. Waters, Short and stateless signatures from the RSA assumption, in S. Halevi, editor, Advances in Cryptology—CRYPTO 2009, vol. 5677 of Lecture Notes in Computer Science, pp. 654–670, Santa Barbara, CA, USA, August 16–20, 2009. Springer, Berlin
  30. R. Impagliazzo, M. Naor, Efficient cryptographic schemes provably as secure as subset sum. Journal of Cryptology, 9(4):199–216, 1996
  31. A. Kawachi, K. Tanaka, K. Xagawa, Concurrently secure identification schemes based on the worst-case hardness of lattice problems, in J. Pieprzyk, editor, Advances in Cryptology—ASIACRYPT 2008, vol. 5350 of Lecture Notes in Computer Science, pp. 372–389, Melbourne, Australia, December 7–11, 2008. Springer, Berlin
  32. J. Katz, N. Wang, Efficiency improvements for signature schemes with tight security reductions, in S. Jajodia, V. Atluri, T. Jaeger, editors, ACM CCS 03: 10th Conference on Computer and Communications Security, pp. 155–164, Washington, DC, USA, October 27–30, 2003. ACM Press, New York
  33. T. Koshiba, K. Kurosawa, Short exponent Diffie-Hellman problems, in F. Bao, R. Deng, J. Zhou, editors, PKC 2004: 7th International Workshop on Theory and Practice in Public Key Cryptography, vol. 2947 of Lecture Notes in Computer Science, pp. 173–186, Singapore, March 1–4, 2004. Springer, Berlin
  34. J.C. Lagarias, A.M. Odlyzko, Solving low-density subset sum problems, in 24th Annual Symposium on Foundations of Computer Science, pp. 1–10, Tucson, Arizona, November 7–9, 1983. IEEE Computer Society Press, Los Alamitos
  35. V. Lyubashevsky, D. Micciancio, Generalized compact knapsacks are collision resistant, in M. Bugliesi, B. Preneel, V. Sassone, I. Wegener, editors, ICALP 2006: 33rd International Colloquium on Automata, Languages and Programming, Part II, vol. 4052 of Lecture Notes in Computer Science, pp. 144–155, Venice, Italy, July 10–14, 2006. Springer, Berlin
  36. V. Lyubashevsky, C. Peikert, O. Regev, On ideal lattices and learning with errors over rings. Journal of the ACM, 60(6):43, 2013. doi:10.1145/2535925
  37. V. Lyubashevsky, Lattice-based identification schemes secure under active attacks, in R. Cramer, editor, PKC 2008: 11th International Conference on Theory and Practice of Public Key Cryptography, vol. 4939 of Lecture Notes in Computer Science, pp. 162–179, Barcelona, Spain, March 9–12, 2008. Springer, Berlin
  38. V. Lyubashevsky, Fiat-Shamir with aborts: applications to lattice and factoring-based signatures, in M. Matsui, editor, Advances in Cryptology—ASIACRYPT 2009, vol. 5912 of Lecture Notes in Computer Science, pp. 598–616, Tokyo, Japan, December 6–10, 2009. Springer, Berlin
  39. V. Lyubashevsky, Lattice signatures without trapdoors, in D. Pointcheval, T. Johansson, editors, Advances in Cryptology—EUROCRYPT 2012, vol. 7237 of Lecture Notes in Computer Science, pp. 738–755, Cambridge, UK, April 15–19, 2012. Springer, Berlin
  40. D. Micciancio, Generalized compact knapsacks, cyclic lattices, and efficient one-way functions. SIAM Journal on Computing, 16(4):365–411, 2007
  41. D. Micciancio, P. Mol, Pseudorandom knapsacks and the sample complexity of LWE search-to-decision reductions, in P. Rogaway, editor, Advances in Cryptology—CRYPTO 2011, vol. 6841 of Lecture Notes in Computer Science, pp. 465–484, Santa Barbara, CA, USA, August 14–18, 2011. Springer, Berlin
  42. D. Micciancio, C. Peikert, Trapdoors for lattices: simpler, tighter, faster, smaller, in D. Pointcheval, T. Johansson, editors, Advances in Cryptology—EUROCRYPT 2012, vol. 7237 of Lecture Notes in Computer Science, pp. 700–718, Cambridge, UK, April 15–19, 2012. Springer, Berlin
  43. S. Micali, L. Reyzin, Improving the exact security of digital signature schemes. Journal of Cryptology, 15(1):1–18, 2002
  44. D. Micciancio, S.P. Vadhan, Statistical zero-knowledge proofs with efficient provers: lattice problems and more, in D. Boneh, editor, Advances in Cryptology—CRYPTO 2003, vol. 2729 of Lecture Notes in Computer Science, pp. 282–298, Santa Barbara, CA, USA, August 17–21, 2003. Springer, Berlin
  45. S. Patel, G.S. Sundaram, An efficient discrete log pseudo random generator, in H. Krawczyk, editor, Advances in Cryptology—CRYPTO’98, vol. 1462 of Lecture Notes in Computer Science, pp. 304–317, Santa Barbara, CA, USA, August 23–27, 1998. Springer, Berlin
  46. C. Peikert, A. Rosen, Efficient collision-resistant hashing from worst-case assumptions on cyclic lattices, in S. Halevi, T. Rabin, editors, TCC 2006: 3rd Theory of Cryptography Conference, vol. 3876 of Lecture Notes in Computer Science, pp. 145–166, New York, NY, USA, March 4–7, 2006. Springer, Berlin
  47. D. Pointcheval, J. Stern, Security arguments for digital signatures and blind signatures. Journal of Cryptology, 13(3):361–396, 2000
  48. J.M. Pollard, Kangaroos, monopoly and discrete logarithms. Journal of Cryptology, 13(4):437–447, 2000
  49. G. Poupard, J. Stern, Security analysis of a practical "on the fly" authentication and signature generation, in K. Nyberg, editor, Advances in Cryptology—EUROCRYPT’98, vol. 1403 of Lecture Notes in Computer Science, pp. 422–436, Espoo, Finland, May 31–June 4, 1998. Springer, Berlin
  50. O. Regev, On lattices, learning with errors, random linear codes, and cryptography. Journal of the ACM, 56(6):34, 2009. doi:10.1145/1568318.1568324
  51. C.-P. Schnorr, Efficient signature generation by smart cards. Journal of Cryptology, 4(3):161–174, 1991
  52. B. Santoso, K. Ohta, K. Sakiyama, G. Hanaoka, Improving efficiency of an ‘on the fly’ identification scheme by perfecting zero-knowledgeness, in J. Pieprzyk, editor, Topics in Cryptology—CT-RSA 2010, vol. 5985 of Lecture Notes in Computer Science, pp. 284–301, San Francisco, CA, USA, March 1–5, 2010. Springer, Berlin
  53. D. Stehlé, R. Steinfeld, Making NTRU as secure as worst-case problems over ideal lattices, in K.G. Paterson, editor, Advances in Cryptology—EUROCRYPT 2011, vol. 6632 of Lecture Notes in Computer Science, pp. 27–47, Tallinn, Estonia, May 15–19, 2011. Springer, Berlin
  54. D. Stehlé, R. Steinfeld, Making NTRUEncrypt and NTRUSign as secure as standard worst-case problems over ideal lattices. Cryptology ePrint Archive, Report 2013/004, 2013. http://eprint.iacr.org/2013/004
  55. D. Stehlé, R. Steinfeld, K. Tanaka, K. Xagawa, Efficient public key encryption based on ideal lattices, in M. Matsui, editor, Advances in Cryptology—ASIACRYPT 2009, vol. 5912 of Lecture Notes in Computer Science, pp. 617–635, Tokyo, Japan, December 6–10, 2009. Springer, Berlin
  56. P.C. van Oorschot, M.J. Wiener, On Diffie-Hellman key agreement with short exponents, in U.M. Maurer, editor, Advances in Cryptology—EUROCRYPT’96, vol. 1070 of Lecture Notes in Computer Science, pp. 332–343, Saragossa, Spain, May 12–16, 1996. Springer, Berlin

Copyright information

© International Association for Cryptologic Research 2015

Authors and Affiliations

  • Michel Abdalla (1)
  • Pierre-Alain Fouque (2)
  • Vadim Lyubashevsky (3)
  • Mehdi Tibouchi (4)
  1. École Normale Supérieure and CNRS, Paris, France
  2. Université de Rennes I and Institut universitaire de France, Rennes, France
  3. École Normale Supérieure and INRIA, Paris, France
  4. NTT Secure Platform Laboratories, Tokyo, Japan
