Lattice-Based Identification Schemes Secure Under Active Attacks

  • Vadim Lyubashevsky
Part of the Lecture Notes in Computer Science book series (LNCS, volume 4939)


There is an inherent difficulty in building 3-move identification (ID) schemes based on combinatorial problems without much algebraic structure. A consequence of this is that most standard ID schemes today are based on the hardness of number-theoretic problems. Not having schemes based on alternate assumptions is a cause for concern, since improved number-theoretic algorithms or the realization of quantum computing would make the known schemes insecure. In this work, we examine the possibility of creating identification protocols based on the hardness of lattice problems. We construct a 3-move identification scheme whose security is based on the worst-case hardness of the shortest vector problem in all lattices, and also present a more efficient version based on the hardness of the same problem in ideal lattices.





Copyright information

© Springer-Verlag Berlin Heidelberg 2008

Authors and Affiliations

  • Vadim Lyubashevsky, University of California, San Diego, USA
