Digital Signatures Based on the Hardness of Ideal Lattice Problems in All Rings

  • Vadim LyubashevskyEmail author
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 10032)


Many practical lattice-based schemes are built upon the Ring-SIS or Ring-LWE problems, which are problems that are based on the presumed difficulty of finding low-weight solutions to linear equations over polynomial rings \(\mathbb {Z}_q[\mathbf{x}]/\langle \mathbf{f}\rangle \). Our belief in the asymptotic computational hardness of these problems rests in part on the fact that there are reduction showing that solving them is as hard as finding short vectors in all lattices that correspond to ideals of the polynomial ring \(\mathbb {Z}[\mathbf{x}]/\langle \mathbf{f}\rangle \). These reductions, however, do not give us an indication as to the effect that the polynomial \(\mathbf{f}\), which defines the ring, has on the average-case or worst-case problems.

As of today, there haven’t been any weaknesses found in Ring-SIS or Ring-LWE problems when one uses an \(\mathbf{f}\) which leads to a meaningful worst-case to average-case reduction, but there have been some recent algorithms for related problems that heavily use the algebraic structures of the underlying rings. It is thus conceivable that some rings could give rise to more difficult instances of Ring-SIS and Ring-LWE than other rings. A more ideal scenario would therefore be if there would be an average-case problem, allowing for efficient cryptographic constructions, that is based on the hardness of finding short vectors in ideals of \(\mathbb {Z}[\mathbf{x}]/\langle \mathbf{f}\rangle \) for every \(\mathbf{f}\).

In this work, we show that the above may actually be possible. We construct a digital signature scheme based (in the random oracle model) on a simple adaptation of the Ring-SIS problem which is as hard to break as worst-case problems in every \(\mathbf{f}\) whose degree is bounded by the parameters of the scheme. Up to constant factors, our scheme is as efficient as the highly practical schemes that work over the ring \(\mathbb {Z}[\mathbf{x}]/\langle \mathbf{x}^n+1\rangle \).


  1. [ABD16]
    Albrecht, M., Bai, S., Ducas, L.: A subfield lattice attack on overstretched NTRU assumptions: cryptanalysis of some FHE and graded encoding schemes. IACR Cryptology ePrint Archive 2016, p. 127 (2016)Google Scholar
  2. [Ajt96]
    Ajtai, M.: Generating hard instances of lattice problems (extended abstract). In: STOC, pp. 99–108 (1996)Google Scholar
  3. [BCLvV16]
    Bernstein, D.J., Chuengsatiansup, C., Lange, T., van Vredendaal, C.: NTRU prime. Cryptology ePrint Archive, Report 2016/461 (2016).
  4. [BN06]
    Bellare, M., Neven, G.: Multi-signatures in the plain public-key model and a general forking lemma. In: ACM Conference on Computer and Communications Security, pp. 390–399 (2006)Google Scholar
  5. [BS16]
    Jean-François Biasse and Fang Song. Efficient quantum algorithms for computing class groups and solving the principal ideal problem in arbitrary degree number fields. In: SODA, pp. 893–902 (2016)Google Scholar
  6. [CDPR16]
    Cramer, R., Ducas, L., Peikert, C., Regev, O.: Recovering short generators of principal ideals in cyclotomic rings. In: Fischlin, M., Coron, J.-S. (eds.) EUROCRYPT 2016. LNCS, vol. 9666, pp. 559–585. Springer, Heidelberg (2016). doi: 10.1007/978-3-662-49896-5_20 CrossRefGoogle Scholar
  7. [CGS14]
    Campbell, P., Groves, M., Shepherd, D.: Soliloquy: a cautionary tale. In: ETSI/IQC 2nd Quantum-Safe Crypto Workshop (2014)Google Scholar
  8. [CJL16]
    Cheon, J.H., Jeong, J., Lee, C.: An algorithm for NTRU problems and cryptanalysis of the GGH multilinear map without an encoding of zero. IACR Cryptology ePrint Archive (2016)Google Scholar
  9. [DDLL13]
    Ducas, L., Durmus, A., Lepoint, T., Lyubashevsky, V.: Lattice signatures and bimodal gaussians. In: Canetti, R., Garay, J.A. (eds.) CRYPTO 2013. LNCS, vol. 8042, pp. 40–56. Springer, Heidelberg (2013). doi: 10.1007/978-3-642-40041-4_3 CrossRefGoogle Scholar
  10. [EHKS14]
    Eisenträger, K., Hallgren, S., Kitaev, A.Y., Song, F.: A quantum algorithm for computing the unit group of an arbitrary degree number field. In: STOC (2014)Google Scholar
  11. [GLP12]
    Güneysu, T., Lyubashevsky, V., Pöppelmann, T.: Practical lattice-based cryptography: a signature scheme for embedded systems. In: CHES, pp. 530–547 (2012)Google Scholar
  12. [GN08]
    Gama, N., Nguyen, P.Q.: Predicting lattice reduction. In: Smart, N. (ed.) EUROCRYPT 2008. LNCS, vol. 4965, pp. 31–51. Springer, Heidelberg (2008). doi: 10.1007/978-3-540-78967-3_3 CrossRefGoogle Scholar
  13. [GS02]
    Gentry, C., Szydlo, M.: Cryptanalysis of the revised NTRU signature scheme. In: Knudsen, L.R. (ed.) EUROCRYPT 2002. LNCS, vol. 2332, pp. 299–320. Springer, Heidelberg (2002). doi: 10.1007/3-540-46035-7_20 CrossRefGoogle Scholar
  14. [LM06]
    Lyubashevsky, V., Micciancio, D.: Generalized compact knapsacks are collision resistant. In: Bugliesi, M., Preneel, B., Sassone, V., Wegener, I. (eds.) ICALP 2006. LNCS, vol. 4052, pp. 144–155. Springer, Heidelberg (2006). doi: 10.1007/11787006_13 CrossRefGoogle Scholar
  15. [LPR13]
    Lyubashevsky, V., Peikert, C.: On ideal lattices, learning with errors over rings. J. ACM 60(6), 43 (2013). Preliminary version appeared in EUROCRYPT 2010MathSciNetCrossRefzbMATHGoogle Scholar
  16. [Lyu09]
    Lyubashevsky, V.: Fiat-Shamir with aborts: applications to lattice and factoring-based signatures. In: Matsui, M. (ed.) ASIACRYPT 2009. LNCS, vol. 5912, pp. 598–616. Springer, Heidelberg (2009). doi: 10.1007/978-3-642-10366-7_35 CrossRefGoogle Scholar
  17. [Lyu12]
    Lyubashevsky, V.: Lattice signatures without trapdoors. In: Pointcheval, D., Johansson, T. (eds.) EUROCRYPT 2012. LNCS, vol. 7237, pp. 738–755. Springer, Heidelberg (2012). doi: 10.1007/978-3-642-29011-4_43 CrossRefGoogle Scholar
  18. [MR08]
    Micciancio, D., Regev, O.: Lattice-based cryptography. In: Bernstein, D.J., Buchmann, J., Dahmen, E. (eds.) Post-Quantum Cryptography, pp. 147–191. Springer, Heidelberg (2009)CrossRefGoogle Scholar
  19. [PR06]
    Peikert, C., Rosen, A.: Efficient collision-resistant hashing from worst-case assumptions on cyclic lattices. In: Halevi, S., Rabin, T. (eds.) TCC 2006. LNCS, vol. 3876, pp. 145–166. Springer, Heidelberg (2006). doi: 10.1007/11681878_8 CrossRefGoogle Scholar
  20. [PR07]
    Peikert, C., Rosen, A.: Lattices that admit logarithmic worst-case to average-case connection factors. In: STOC, pp. 478–487 (2007)Google Scholar
  21. [SSTX09]
    Stehlé, D., Steinfeld, R., Tanaka, K., Xagawa, K.: Efficient public key encryption based on ideal lattices. In: Matsui, M. (ed.) ASIACRYPT 2009. LNCS, vol. 5912, pp. 617–635. Springer, Heidelberg (2009). doi: 10.1007/978-3-642-10366-7_36 CrossRefGoogle Scholar

Copyright information

© International Association for Cryptologic Research 2016

Authors and Affiliations

  1. 1.IBM Research – ZurichZurichSwitzerland

Personalised recommendations