Skip to main content
SpringerLink
Log in
Book cover

International Conference on Cryptology and Network Security

CANS 2018: Cryptology and Network Security pp 299–320Cite as

SETLA: Signature and Encryption from Lattices

  • Conference paper
  • First Online:

Part of the book series: Lecture Notes in Computer Science ((LNSC,volume 11124))

Abstract

In data security, the main objectives one tries to achieve are confidentiality, data integrity and authentication. In a public-key setting, confidentiality is reached through asymmetric encryption and both data integrity and authentication through signature. Meeting all the security objectives for data exchange requires to use a concatenation of those primitives in an encrypt-then-sign or sign-then-encrypt fashion. Signcryption aims at providing all the security requirements in one single primitive at a lower cost than using encryption and signature together. Most existing signcryption schemes are using ElGamal-based or pairing-based techniques and thus rely on the decisional Diffie-Hellman assumption. With the current growth of a quantum threat, we seek for post-quantum counterparts to a vast majority of public-key primitives. In this work, we propose a lattice-based signcryption scheme in the random oracle model inspired from a construction of Malone-Lee. It comes in two flavors, one integrating the usual lattice-based key exchange into the signature and the other merging the scheme with a RLWE encryption. Our instantiation is based on a ring version of the scheme of Bai and Galbraith as was done in ring-TESLA and TESLA\(\sharp \). It targets 128 bits of classical security and offers a save in bandwidth over a naive concatenation of state-of-the-art key exchanges and signatures from the literature. Another lightweight instantiation derived from GLP is feasible but raises long-term security concerns since the base scheme is somewhat outdated.

This is a preview of subscription content, log in via an institution.

Chapter
USD   29.95
Price excludes VAT (USA)
  • Available as PDF
  • Read on any device
  • Instant download
  • Own it forever
eBook
USD   39.99
Price excludes VAT (USA)
  • Available as EPUB and PDF
  • Read on any device
  • Instant download
  • Own it forever
Softcover Book
USD   54.99
Price excludes VAT (USA)
  • Compact, lightweight edition
  • Dispatched in 3 to 5 business days
  • Free shipping worldwide - see info

Tax calculation will be finalised at checkout

Purchases are for personal use only

Learn about institutional subscriptions

Notes

  1. 1.

    The considered naive constructions are actually KEM + signature and not directly encryption + signature.

References

  1. Akleylek, S., Bindel, N., Buchmann, J., Krmer, J., Marson, G.A.: An efficient lattice-based signature scheme with provably secure instantiation. Cryptology ePrint Archive, Report 2016/030 (2016). https://eprint.iacr.org/2016/030

  2. Albrecht, M.R., Player, R., Scott, S.: On the concrete hardness of learning with errors. Cryptology ePrint Archive, Report 2015/046 (2015). https://bitbucket.org/malb/lwe-estimator

  3. Alkim, E., et al.: Revisiting TESLA in the quantum random oracle model. Cryptology ePrint Archive, Report 2015/755 (2015). http://eprint.iacr.org/2015/755

  4. Alkim, E., Ducas, L., Pöppelmann, T., Schwabe, P.: Newhope without reconciliation. Cryptology ePrint Archive, Report 2016/1157 (2016). http://eprint.iacr.org/2016/1157

  5. Alkim, E., Ducas, L., Pöppelmann, T., Schwabe, P.: Post-quantum key exchange—a new hope. In: 25th USENIX Security Symposium (USENIX Security 2016), Austin, TX, pp. 327–343. USENIX Association (2016)

    Google Scholar 

  6. Baek, J., Steinfeld, R., Zheng, Y.: Formal proofs for the security of signcryption. J. Cryptol. 20(2), 203–235 (2007)

    Article  MathSciNet  Google Scholar 

  7. Bai, S., Galbraith, S.D.: An improved compression technique for signatures based on learning with errors. In: Benaloh, J. (ed.) CT-RSA 2014. LNCS, vol. 8366, pp. 28–47. Springer, Cham (2014). https://doi.org/10.1007/978-3-319-04852-9_2

    Chapter  Google Scholar 

  8. Barreto, P.S.L.M., Longa, P., Naehrig, M., Ricardini, J.E., Zanon, G.: Sharper ring-LWE signatures. Cryptology ePrint Archive, Report 2016/1026 (2016). https://eprint.iacr.org/2016/1026

  9. Boneh, D., Dagdelen, Ö., Fischlin, M., Lehmann, A., Schaffner, C., Zhandry, M.: Random oracles in a quantum world. Cryptology ePrint Archive, Report 2010/428 (2010). https://eprint.iacr.org/2010/428

  10. Bos, J., et al.: Crystals - kyber: a CCA-secure module-lattice-based KEM. Cryptology ePrint Archive, Report 2017/634 (2017). http://eprint.iacr.org/2017/634

  11. Bos, J.W., et al.: Frodo: take off the ring! Practical, quantum-secure key exchange from LWE (2016)

    Google Scholar 

  12. Bos, J.W., Costello, C., Naehrig, M., Stebila, D.: Post-quantum key exchange for the TLS protocol from the ring learning with errors problem. In: 2015 IEEE Symposium on Security and Privacy, pp. 553–570, May 2015

    Google Scholar 

  13. Dagdelen, Ö., et al.: High-speed signatures from standard lattices. In: Aranha, D.F., Menezes, A. (eds.) LATINCRYPT 2014. LNCS, vol. 8895, pp. 84–103. Springer, Cham (2015). https://doi.org/10.1007/978-3-319-16295-9_5

    Chapter  Google Scholar 

  14. de Clercq, R., Roy, S.S., Vercauteren, F., Verbauwhede, I.: Efficient software implementation of ring-LWE encryption. In: Proceedings of the 2015 Design, Automation & Test in Europe Conference & Exhibition, DATE 2015, San Jose, CA, USA, pp. 339–344, EDA Consortium (2015)

    Google Scholar 

  15. Dent, A.W., Zheng, Y.: Practical Signcryption. Springer, Heidelberg (2010). https://doi.org/10.1007/978-3-540-89411-7

    Book  MATH  Google Scholar 

  16. Dodis, Y., Reyzin, L., Smith, A.: Fuzzy extractors: how to generate strong keys from biometrics and other noisy data. In: Cachin, C., Camenisch, J.L. (eds.) EUROCRYPT 2004. LNCS, vol. 3027, pp. 523–540. Springer, Heidelberg (2004). https://doi.org/10.1007/978-3-540-24676-3_31

    Chapter  Google Scholar 

  17. Ducas, L., Durmus, A., Lepoint, T., Lyubashevsky, V.: Lattice signatures and bimodal gaussians. In: Canetti, R., Garay, J.A. (eds.) CRYPTO 2013. LNCS, vol. 8042, pp. 40–56. Springer, Heidelberg (2013). https://doi.org/10.1007/978-3-642-40041-4_3

    Chapter  Google Scholar 

  18. Ducas, L., Lepoint, T., Lyubashevsky, V., Schwabe, P., Seiler, G., Stehle, D.: Crystals - dilithium: digital signatures from module lattices. Cryptology ePrint Archive, Report 2017/633 (2017). https://eprint.iacr.org/2017/633

  19. Güneysu, T., Lyubashevsky, V., Pöppelmann, T.: Practical lattice-based cryptography: a signature scheme for embedded systems. In: Prouff, E., Schaumont, P. (eds.) CHES 2012. LNCS, vol. 7428, pp. 530–547. Springer, Heidelberg (2012). https://doi.org/10.1007/978-3-642-33027-8_31

    Chapter  MATH  Google Scholar 

  20. Lin, X., Ding, J., Xie, X.: A simple provably secure key exchange scheme based on the learning with errors problem. Cryptology ePrint Archive, Report 2012/688 (2012). https://eprint.iacr.org/2012/688

  21. Kiltz, E., Lyubashevsky, V., Schaffner, C.: A concrete treatment of fiat-shamir signatures in the quantum random-oracle model. In: Nielsen, J.B., Rijmen, V. (eds.) EUROCRYPT 2018. LNCS, vol. 10822, pp. 552–586. Springer, Cham (2018). https://doi.org/10.1007/978-3-319-78372-7_18

    Chapter  MATH  Google Scholar 

  22. Li, F., Bin Muhaya, F.T., Khan, M.K., Takagi, T., Takagi, T.: Lattice-based signcryption. Concur. Comput. Pract. Exp. 25(14), 2112–2122 (2013)

    Article  Google Scholar 

  23. Liu, Z., Seo, H., Sinha Roy, S., Großschädl, J., Kim, H., Verbauwhede, I.: Efficient ring-LWE encryption on 8-bit avr processors. In: Güneysu, T., Handschuh, H. (eds.) CHES 2015. LNCS, vol. 9293, pp. 663–682. Springer, Heidelberg (2015). https://doi.org/10.1007/978-3-662-48324-4_33

    Chapter  Google Scholar 

  24. Lu, X., Wen, Q., Jin, Z., Wang, L., Yang, C.: A lattice-based signcryption scheme without random oracles. Front. Comput. Sci. 8(4), 667–675 (2014)

    Article  MathSciNet  Google Scholar 

  25. Lyubashevsky, V.: Fiat-shamir with aborts: applications to lattice and factoring-based signatures. In: Matsui, M. (ed.) ASIACRYPT 2009. LNCS, vol. 5912, pp. 598–616. Springer, Heidelberg (2009). https://doi.org/10.1007/978-3-642-10366-7_35

    Chapter  Google Scholar 

  26. Lyubashevsky, V.: Lattice signatures without trapdoors. In: Pointcheval, D., Johansson, T. (eds.) EUROCRYPT 2012. LNCS, vol. 7237, pp. 738–755. Springer, Heidelberg (2012). https://doi.org/10.1007/978-3-642-29011-4_43

    Chapter  Google Scholar 

  27. Lyubashevsky, V., Peikert, C., Regev, O.: On ideal lattices and learning with errors over rings. J. ACM 60(6), 43:1–43:35 (2013)

    Article  MathSciNet  Google Scholar 

  28. Malone-Lee, J.: Signcryption with non-interactive non-repudiation. Des. Codes Crypt. 37(1), 81–109 (2005)

    Article  MathSciNet  Google Scholar 

  29. Peikert, C.: Lattice cryptography for the internet. In: Mosca, M. (ed.) PQCrypto 2014. LNCS, vol. 8772, pp. 197–219. Springer, Cham (2014). https://doi.org/10.1007/978-3-319-11659-4_12

    Chapter  MATH  Google Scholar 

  30. Pointcheval, D., Stern, J.: Security arguments for digital signatures and blind signatures. J. Crypt. 13(3), 361–396 (2000)

    Article  Google Scholar 

  31. Pöppelmann, T., Oder, T., Güneysu, T.: High-performance ideal lattice-based cryptography on 8-bit ATxmega microcontrollers. In: Lauter, K., Rodríguez-Henríquez, F. (eds.) LATINCRYPT 2015. LNCS, vol. 9230, pp. 346–365. Springer, Cham (2015). https://doi.org/10.1007/978-3-319-22174-8_19

    Chapter  Google Scholar 

  32. Sato, S., Shikata, J.: Lattice-based signcryption without random oracles. In: Lange, T., Steinwandt, R. (eds.) PQCrypto 2018. LNCS, vol. 10786, pp. 331–351. Springer, Cham (2018). https://doi.org/10.1007/978-3-319-79063-3_16

    Chapter  Google Scholar 

  33. Yan, J., Wang, L., Wang, L., Yang, Y., Yao, W.: Efficient lattice-based signcryption in standard model. Math. Prob. Eng. 2013, 1–18 (2013)

    MathSciNet  Google Scholar 

  34. Zheng, Y.: Digital signcryption or how to achieve cost(signature & encryption) & cost(signature) + cost(encryption). In: Kaliski, B.S. (ed.) Advances in Cryptology – CRYPTO 1997. Lecture Notes in Computer Science, vol. 1294, pp. 165–179. Springer, Heidelberg (1997). https://doi.org/10.1007/BFb0052234

    Chapter  Google Scholar 

Download references

Author information

Authors and Affiliations

  1. Université libre de Bruxelles, Brussels, Belgium

    François Gérard & Keno Merckx

Authors
  1. François Gérard
    View author publications

    You can also search for this author in PubMed Google Scholar

  2. Keno Merckx
    View author publications

    You can also search for this author in PubMed Google Scholar

Corresponding author

Correspondence to François Gérard .

Editor information

Editors and Affiliations

  1. IBM Research - Zurich, Rüschlikon, Switzerland

    Jan Camenisch

  2. KTH Royal Institute of Technology, Stockholm, Sweden

    Panos Papadimitratos

Appendices

A Security Games for the KEM Version

Fig. 4.
figure 4

Sequence of games for the KEM version

Full size image

Game 0 \(\rightarrow \) Game 1: Rejection sampling

Game 1 \(\rightarrow \) Game 2: Decisional Compact Knapsack/RLWE

Game 2 \(\rightarrow \) Game 3: Decisional Compact Knapsack/RLWE

B Publicly Verifiable Signature from Signcryptext

An interesting feature of Malone-Lee’s signcryption scheme is that the receiver Bob can himself create a fully valid publicly verifiable signature under Alice’s secret key on the message he unsigncrypted. Even if we chose to start from this scheme for its similarity with Schnorr signature (and thus, lattice-based signature), this really helpful feature carries to our construction. Below are the algorithms for the KEX version but the same technique can trivially be applied to the KEM version.

figure g

SETLA-KEX SignExtract. (Algorithm 6) To extract a publicly verifiable signature \(\sigma (m)\) from a signcryptext, Bob will use the fact that the output of KEX-Signcrypt is essentially equivalent to a TESLA\(\sharp \) signature on m with a nonce depending on \(K, \mathbf {pk}_a\) and \(\mathbf {pk}_b\) queried to the random oracle. Since a verifier should obviously know the message to validate the signature, the confidentiality of the key K is not required anymore. Thus, KEX-SignExctract will output m and K together with the signature and anyone will be able to perform the verification.

figure h

PublicVerif. (Algorithm 7) The public verification is the same as in usual lattice-based signatures, except that the hash function also takes as input \(K, \mathbf {pk}_a\) and \(\mathbf {pk}_b\).

Rights and permissions

Reprints and permissions

Copyright information

© 2018 Springer Nature Switzerland AG

About this paper

Check for updates. Verify currency and authenticity via CrossMark

Cite this paper

Gérard, F., Merckx, K. (2018). SETLA: Signature and Encryption from Lattices. In: Camenisch, J., Papadimitratos, P. (eds) Cryptology and Network Security. CANS 2018. Lecture Notes in Computer Science(), vol 11124. Springer, Cham. https://doi.org/10.1007/978-3-030-00434-7_15

Download citation

  • DOI: https://doi.org/10.1007/978-3-030-00434-7_15

  • Published:

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-030-00433-0

  • Online ISBN: 978-3-030-00434-7

  • eBook Packages: Computer ScienceComputer Science (R0)

Publish with us

Policies and ethics

Search

Navigation