Abstract
In the light of NIST’s announced reopening of the call for digital signature proposals in 2023 due to lacking diversity, there is a strong need for constructions based on other established hardness assumptions. In this work we construct a new post-quantum secure digital signature scheme based on the MinRank problem, a problem with a long history of applications in cryptanalysis that led to a strong belief in its hardness. Initially following a design by Courtois (Asiacrypt ’01) based on the Fiat–Shamir transform, we make use of several recent developments in the design of sigma protocols to reduce signature size and improve efficiency. This includes the recently introduced sigma protocol with helper paradigm (Eurocrypt ’19) and combinations with cut-and-choose techniques (CCS ’18). Moreover, we introduce several improvements to the core of the scheme to further reduce its signature size.
As a second contribution, we formalize the natural extension of our construction to a ring signature scheme and show that it achieves desired anonymity and unforgeability guarantees. Our ring signature is characterized by a sublinear scaling of the signature size in the number of users. Moreover, we achieve competitive practical signature sizes for moderate amount of users in comparison to recent ring signature proposals.
C. Sanna is a member of GNSAGA of INdAM, and of CrypTO, the group of Cryptography and Number Theory of Politecnico di Torino.
Access this chapter
Tax calculation will be finalised at checkout
Purchases are for personal use only
Notes
- 1.
The big-k algorithms is called big-m in [24].
References
Abdalla, M., An, J.H., Bellare, M., Namprempre, C.: From identification to signatures via the Fiat-Shamir transform: minimizing assumptions for security and forward-security. In: Knudsen, L.R. (ed.) EUROCRYPT 2002. LNCS, vol. 2332, pp. 418–433. Springer, Heidelberg (2002). https://doi.org/10.1007/3-540-46035-7_28
Au, M.H., Liu, J.K., Susilo, W., Yuen, T.H.: Secure ID-based linkable and revocable-iff-linked ring signature with constant-size construction. Theoret. Comput. Sci. 469, 1–14 (2013)
Bard, G.V.: Accelerating cryptanalysis with the method of four Russians. Cryptology ePrint Archive (2006)
Bardet, M., et al.: Improvements of algebraic attacks for solving the rank decoding and MinRank problems. In: Moriai, S., Wang, H. (eds.) ASIACRYPT 2020. LNCS, vol. 12491, pp. 507–536. Springer, Cham (2020). https://doi.org/10.1007/978-3-030-64837-4_17
Bardet, M., Bertin, M.: Improvement of algebraic attacks for solving superdetermined MinRank instances. CoRR abs/2208.01442 (2022). https://doi.org/10.48550/arXiv.2208.01442
Bardet, M., Briaud, P., Bros, M., Gaborit, P., Tillich, J.P.: Revisiting algebraic attacks on MinRank and on the rank decoding problem. Cryptology ePrint Archive, Paper 2022/1031 (2022). https://eprint.iacr.org/2022/1031
Barenghi, A., Biasse, J.-F., Persichetti, E., Santini, P.: LESS-FM: fine-tuning signatures from the code equivalence problem. In: Cheon, J.H., Tillich, J.-P. (eds.) PQCrypto 2021 2021. LNCS, vol. 12841, pp. 23–43. Springer, Cham (2021). https://doi.org/10.1007/978-3-030-81293-5_2
Barenghi, A., Biasse, J.F., Ngo, T., Persichetti, E., Santini, P.: Advanced signature functionalities from the code equivalence problem. Int. J. Comput. Math. Comput. Syst. Theory 7(2), 112–128 (2022)
Barenghi, A., Biasse, J.F., Persichetti, E., Santini, P.: On the computational hardness of the code equivalence problem in cryptography. Cryptology ePrint Archive (2022)
Baum, C., Nof, A.: Concretely-efficient zero-knowledge arguments for arithmetic circuits and their application to lattice-based cryptography. In: Kiayias, A., Kohlweiss, M., Wallden, P., Zikas, V. (eds.) PKC 2020. LNCS, vol. 12110, pp. 495–526. Springer, Cham (2020). https://doi.org/10.1007/978-3-030-45374-9_17
Bellini, E., Caullery, F., Gaborit, P., Manzano, M., Mateu, V.: Improved Veron identification and signature schemes in the rank metric. In: IEEE International Symposium on Information Theory, pp. 1872–1876 (2019)
Bellini, E., Gaborit, P., Hasikos, A., Mateu, V.: Enhancing code based zero-knowledge proofs using rank metric. In: Krenn, S., Shulman, H., Vaudenay, S. (eds.) CANS 2020. LNCS, vol. 12579, pp. 570–592. Springer, Cham (2020). https://doi.org/10.1007/978-3-030-65411-5_28
Bender, A., Katz, J., Morselli, R.: Ring signatures: stronger definitions, and constructions without random oracles. J. Cryptol. 22(1), 114–138 (2009)
Beullens, W.: Improved cryptanalysis of UOV and rainbow. In: Canteaut, A., Standaert, F.-X. (eds.) EUROCRYPT 2021. LNCS, vol. 12696, pp. 348–373. Springer, Cham (2021). https://doi.org/10.1007/978-3-030-77870-5_13
Beullens, W., Katsumata, S., Pintore, F.: Calamari and Falafl: logarithmic (linkable) ring signatures from isogenies and lattices. In: Moriai, S., Wang, H. (eds.) ASIACRYPT 2020. LNCS, vol. 12492, pp. 464–492. Springer, Cham (2020). https://doi.org/10.1007/978-3-030-64834-3_16
Beullens, W.: Not enough LESS: an improved algorithm for solving code equivalence problems over \(\mathbb{F}_q\). In: Dunkelman, O., Jacobson, Jr., M.J., O’Flynn, C. (eds.) SAC 2020. LNCS, vol. 12804, pp. 387–403. Springer, Cham (2021). https://doi.org/10.1007/978-3-030-81652-0_15
Beullens, W.: Sigma protocols for MQ, PKP and SIS, and fishy signature schemes. In: Canteaut, A., Ishai, Y. (eds.) EUROCRYPT 2020. LNCS, vol. 12107, pp. 183–211. Springer, Cham (2020). https://doi.org/10.1007/978-3-030-45727-3_7
Biasse, J.-F., Micheli, G., Persichetti, E., Santini, P.: LESS is more: code-based signatures without syndromes. In: Nitaj, A., Youssef, A. (eds.) AFRICACRYPT 2020. LNCS, vol. 12174, pp. 45–65. Springer, Cham (2020). https://doi.org/10.1007/978-3-030-51938-4_3
Billet, O., Gilbert, H.: Cryptanalysis of rainbow. In: De Prisco, R., Yung, M. (eds.) SCN 2006. LNCS, vol. 4116, pp. 336–347. Springer, Heidelberg (2006). https://doi.org/10.1007/11832072_23
Briaud, P., Tillich, J.-P., Verbel, J.: A polynomial time key-recovery attack on the Sidon cryptosystem. In: AlTawy, R., Hülsing, A. (eds.) SAC 2021. LNCS, vol. 13203, pp. 419–438. Springer, Cham (2022). https://doi.org/10.1007/978-3-030-99277-4_20
Buss, J.F., Frandsen, G.S., Shallit, J.O.: The computational complexity of some problems of linear algebra. J. Comput. Syst. Sci. 58(3), 572–596 (1999)
Cabarcas, D., Smith-Tone, D., Verbel, J.A.: Key recovery attack for ZHFE. In: Lange, T., Takagi, T. (eds.) PQCrypto 2017. LNCS, vol. 10346, pp. 289–308. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-59879-6_17
Courtois, N.T.: Efficient zero-knowledge authentication based on a linear algebra problem MinRank. In: Boyd, C. (ed.) ASIACRYPT 2001. LNCS, vol. 2248, pp. 402–421. Springer, Heidelberg (2001). https://doi.org/10.1007/3-540-45682-1_24
Courtois, N.T.: La sécurité des primitives cryptographiques basées sur des problèmes algébriques multivariables: MQ, IP, MinRank, HFE. Ph.D. thesis, Université de Paris 6 - Pierre et Marie Curie (2001)
Dodis, Y., Kiayias, A., Nicolosi, A., Shoup, V.: Anonymous identification in ad hoc groups. In: Cachin, C., Camenisch, J.L. (eds.) EUROCRYPT 2004. LNCS, vol. 3027, pp. 609–626. Springer, Heidelberg (2004). https://doi.org/10.1007/978-3-540-24676-3_36
Esgin, M.F., Zhao, R.K., Steinfeld, R., Liu, J.K., Liu, D.: MatRiCT: efficient, scalable and post-quantum blockchain confidential transactions protocol. In: Proceedings of the 2019 ACM SIGSAC Conference on Computer and Communications Security, pp. 567–584 (2019)
Faugère, J.C., Safey El Din, M., Spaenlehauer, P.J.: Computing loci of rank defects of linear matrices using Gröbner bases and applications to cryptology. In: Proceedings of the 2010 International Symposium on Symbolic and Algebraic Computation, ISSAC 2010, pp. 257–264 (2010)
Feneuil, T., Joux, A., Rivain, M.: Shared permutation for syndrome decoding: new zero-knowledge protocol and code-based signature. Cryptology ePrint Archive (2021)
Feneuil, T., Joux, A., Rivain, M.: Syndrome decoding in the head: shorter signatures from zero-knowledge proofs. Cryptology ePrint Archive (2022)
Gaborit, P., Schrek, J., Zémor, G.: Full cryptanalysis of the Chen identification protocol. In: Yang, B.-Y. (ed.) PQCrypto 2011. LNCS, vol. 7071, pp. 35–50. Springer, Heidelberg (2011). https://doi.org/10.1007/978-3-642-25405-5_3
Goubin, L., Courtois, N.T.: Cryptanalysis of the TTM cryptosystem. In: Okamoto, T. (ed.) ASIACRYPT 2000. LNCS, vol. 1976, pp. 44–57. Springer, Heidelberg (2000). https://doi.org/10.1007/3-540-44448-3_4
Gueron, S., Persichetti, E., Santini, P.: Designing a practical code-based signature scheme from zero-knowledge proofs with trusted setup. Cryptography 6(1), 5 (2022)
Ishai, Y., Kushilevitz, E., Ostrovsky, R., Sahai, A.: Zero-knowledge proofs from secure multiparty computation. SIAM J. Comput. 39(3), 1121–1152 (2009)
Katz, J., Kolesnikov, V., Wang, X.: Improved non-interactive zero knowledge with applications to post-quantum signatures. In: Proceedings of the ACM Conference on Computer and Communications Security, pp. 525–537 (2018)
Kipnis, A., Shamir, A.: Cryptanalysis of the HFE public key cryptosystem by relinearization. In: Wiener, M. (ed.) CRYPTO 1999. LNCS, vol. 1666, pp. 19–30. Springer, Heidelberg (1999). https://doi.org/10.1007/3-540-48405-1_2
Linton, S., Nebe, G., Niemeyer, A., Parker, R., Thackray, J.: A parallel algorithm for Gaussian elimination over finite fields. arXiv preprint arXiv:1806.04211 (2018)
Lu, X., Au, M.H., Zhang, Z.: Raptor: a practical lattice-based (linkable) ring signature. In: Deng, R.H., Gauthier-Umaña, V., Ochoa, M., Yung, M. (eds.) ACNS 2019. LNCS, vol. 11464, pp. 110–130. Springer, Cham (2019). https://doi.org/10.1007/978-3-030-21568-2_6
Lyubashevsky, V.: Fiat-Shamir with aborts: applications to lattice and factoring-based signatures. In: Matsui, M. (ed.) ASIACRYPT 2009. LNCS, vol. 5912, pp. 598–616. Springer, Heidelberg (2009). https://doi.org/10.1007/978-3-642-10366-7_35
MATZOV: Report on the security of LWE: improved dual lattice attack (2022)
Moody, D., et al.: Status report on the second round of the NIST post-quantum cryptography standardization process (2020)
Moody, D., Perlner, R., Smith-Tone, D.: Key recovery attack on the cubic ABC simple matrix multivariate encryption scheme. In: Avanzi, R., Heys, H. (eds.) SAC 2016. LNCS, vol. 10532, pp. 543–558. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-69453-5_29
Ohta, K., Okamoto, T.: A digital multisignature scheme based on the Fiat-Shamir scheme. In: Imai, H., Rivest, R.L., Matsumoto, T. (eds.) ASIACRYPT 1991. LNCS, vol. 739, pp. 139–148. Springer, Heidelberg (1993). https://doi.org/10.1007/3-540-57332-1_11
Peikert, C.: He gives C-Sieves on the CSIDH. In: Canteaut, A., Ishai, Y. (eds.) EUROCRYPT 2020. LNCS, vol. 12106, pp. 463–492. Springer, Cham (2020). https://doi.org/10.1007/978-3-030-45724-2_16
Santoso, B., Ikematsu, Y., Nakamura, S., Yasuda, T.: Three-pass identification scheme based on MinRank problem with half cheating probability. https://arxiv.org/abs/2205.03255
Smith-Tone, D., Verbel, J.: A rank attack against extension field cancellation. In: Ding, J., Tillich, J.-P. (eds.) PQCrypto 2020. LNCS, vol. 12100, pp. 381–401. Springer, Cham (2020). https://doi.org/10.1007/978-3-030-44223-1_21
Stern, J.: A new identification scheme based on syndrome decoding. In: Stinson, D.R. (ed.) CRYPTO 1993. LNCS, vol. 773, pp. 13–21. Springer, Heidelberg (1994). https://doi.org/10.1007/3-540-48329-2_2
Strassen, V., et al.: Gaussian elimination is not optimal. Numer. Math. 13(4), 354–356 (1969)
Tao, C., Petzoldt, A., Ding, J.: Efficient key recovery for all HFE signature variants. In: Malkin, T., Peikert, C. (eds.) CRYPTO 2021. LNCS, vol. 12825, pp. 70–93. Springer, Cham (2021). https://doi.org/10.1007/978-3-030-84242-0_4
Véron, P.: Improved identification schemes based on error-correcting codes. Appl. Algebra Eng. Commun. Comput. 8(1), 57–69 (1996)
Author information
Authors and Affiliations
Corresponding author
Editor information
Editors and Affiliations
Appendices
A A Commitment Scheme
In this section we give the formal definition of a computation hiding and computation binding commitment scheme.
Definition 3 (Computational hiding)
We say that \(\textsf{Com}\) is computationally hiding if for all polynomial time algorithms \(\mathcal {A}\), and every pair of messages m, \(m^\prime \) the advantage \(\textsf{Adv}^\textrm{hiding}_{\textsf{Com}}(\mathcal {A}, m, m^\prime )\) is a negligible function of the security parameter \(\lambda \), where
Definition 4 (Computational binding)
We say that \(\textsf{Com}\) is computationally binding if for all polynomial time algorithms \(\mathcal {A}\), the advantage \(\textsf{Adv}^\textrm{binding}_{\textsf{Com}}(\mathcal {A})\) is a negligible function of the security parameter \(\lambda \), where
B B Ring Signatures
In the following we give the formal definition of a ring signature scheme.
Definition 5 (Ring signature scheme)
A ring signature scheme is a triple of polynomial time algorithms \((\textsf {Gen}, \textsf {Sign}, \textsf {Verify})\) that generates keys, sign a message, and verify the signature of a message, respectively. Formally:
-
\(\textsf {Gen}(1^\lambda )\) outputs a key pair \((\textsf{pk}, \textsf{sk})\), where \(\textsf{pk}\) denotes the public key and \(\textsf{sk}\) its corresponding secret key.
-
\(\textsf {Sign}_{\textsf{sk}_{i}}(\textsf {msg}, \textsf {R})\) outputs a signature \(\sigma \) of the message \(\textsf {msg}\) with respect to the ring \(\textsf {R}= (\textsf{pk}_1,\ldots , \textsf{pk}_u)\). Here it is assumed that: (1) \((\textsf{pk}_{i}, \textsf{sk}_{i})\) is a valid key-pair output by \(\textsf {Gen}\); (2) \(| \textsf {R}| \ge 2\); and (3) each public key in the ring is distinct.
-
\(\textsf {Verify}_{\textsf {R}}(\textsf {msg}, \sigma )\) verifies a signature \(\sigma \) of the message \(\textsf {msg}\) with respect to \(\textsf {R}\).
We say that a ring signature scheme is correct if it satisfy the following correctness condition: for every \(\lambda \) and for every set of outputs \(\{(\textsf{pk}_i, \textsf{sk}_i)\}_{i=1}^{u}\) of \(\textsf {Gen}(1^\lambda )\) it holds
where \(\textsf {R}= (\textsf{pk}_1,\ldots , \textsf{pk}_u)\).
1.1 A.1 B.1 Security Definitions
Next we give the security definitions for ring signatures following Bender, Katz, and Morselli [13].
Definition 6 (Anonymity w.r.t adversarially-chosen keys)
Let \((\textsf {Gen}, \textsf {Sign}, \textsf {Verify})\) be a ring signature scheme, \(u(\cdot )\) a polynomial, and let \(\mathcal {A}\) be a PPT adversary. Consider the following game:
-
1.
The key pairs \(\{(\textsf{pk}_{i}, \textsf{sk}_{i})\}_{i=1}^{u(\lambda )}\) are generated using \(\textsf {Gen}(1^\lambda )\), and the set of public keys \(S := \{\textsf{pk}_{i}\}_{i=1}^{u(\lambda )}\) is given to \(\mathcal {A}\).
-
2.
\(\mathcal {A}\) is given access to an oracle \(\textsf {OSign}(\cdot , \cdot , \cdot )\) such that for every \(\textsf {R}\) and \(1\le i\le u(\lambda )\) it holds \(\textsf {OSign}(i, \textsf {msg}, \textsf {R}):= \textsf {Sign}_{\textsf{sk}_{i}}(\textsf {msg}, \textsf {R})\), where \(\textsf{pk}_{i} \in \textsf {R}\).
-
3.
\(\mathcal {A}\) outputs a message \(\textsf {msg}\) and a ring \(\textsf {R}\) that contains at least two public keys \(\textsf{pk}_{i_0}, \textsf{pk}_{i_1}\in S\).
-
4.
A challenge signature \(\sigma \leftarrow \textsf {Sign}_{\textsf{sk}_{i_b}}(\textsf {msg}, \textsf {R})\), where \(b {\mathop {\leftarrow }\limits ^{\,\$}}\{0,1\}\) is a random bit, is given to \(\mathcal {A}\).
-
5.
\(\mathcal {A}\) outputs a bit \(b'\), and it succeeds if \(b ' = b\).
We say \((\textsf {Gen}, \textsf {Sign}, \textsf {Verify})\) achieves Anonymity w.r.t adversarially-chosen keys if, for any PPT \(\mathcal {A}\) and any polynomial \(u(\cdot )\), the success probability of \(\mathcal {A}\) in the aforementioned game is negligibly close to \(\frac{1}{2}\).
Note that in contrast to the weaker security notion of basic anonymity the property of anonymity w.r.t adversarially-chosen keys allows the adversary to inject own public keys in \(\textsf {R}\). This holds for the usage of the oracle in step 2 as well as when providing the challenge data in step 3.
Definition 7 (Unforgeability against fixed-ring attacks)
We say that a ring signature \((\textsf {Gen}, \textsf {Sign}, \textsf {Verify})\) is unforgeable against fixed-ring attacks if for any \(\textsf {PPT}\) adversary \(\mathcal {A}\) and for any polynomial \(u(\cdot )\), the probability that \(\mathcal {A}\) succeeds in the following game is negligible:
-
1.
The key pairs \(\{(\textsf{pk}_{i}, \textsf{sk}_{i})\}_{i=1}^{u(\lambda )}\) are generated using \(\textsf {Gen}(1^\lambda )\), and the set of public keys \(\textsf {R}:=\{\textsf{pk}_{i}\}_{i=1}^{u(\lambda )} \) is given to \(\mathcal {A}\).
-
2.
\(\mathcal {A}\) is given access to a signing oracle \(\textsf {OSign}(\cdot , \cdot )\), where \(\textsf {OSign}(i, \textsf {msg})\) outputs \(\textsf {Sign}_{\textsf{sk}_{i}}(\textsf {msg}, \textsf {R})\).
-
3.
\(\mathcal {A}\) outputs \((\textsf {msg}^*, \sigma ^*)\), and succeeds if \(\textsf {Verify}(\textsf {msg}^*, \sigma ^*) = 1\) and also \(\mathcal {A}\) never made a query of the form \(\textsf {OSign}(*, \textsf {msg}^*)\).
1.2 B.2 B.2 Proofs
In the following we prove the correctness, anonymity, and unforgeability of our ring-signature scheme defined in Sect. 5.1.
Correctness. Let \(\boldsymbol{\varepsilon }_{i}\) be the i-th canonical vector in \(\mathbb {F}_{q}^{u}\) and \(\textsf{sk}_i\) denote the secret key of the i-th user in the ring \(\textsf {R}\). Clearly, \(\gamma _i:=(\textsf{sk}_i, \boldsymbol{\varepsilon }_{i})\) is a solution to the MinRank problem defined on \(\widetilde{\boldsymbol{M}}:=(\boldsymbol{M}, \textsf {R})\). The correctness of the ring signature scheme now follows from the correctness of our basic signature scheme by observing that
Anonymity w.r.t Adversarially-Chosen Keys. We proof anonymity w.r.t adversarially-chosen keys in the random oracle model by showing the existence of a simulator that, without knowing any of the secret keys corresponding to one of the public keys in the ring, can produce signatures that are indistinguishable from signatures build by a legitimate user.
First note that from the HVZK property of our sigma protocol in the random oracle model it follows that there exists a simulator \(\mathcal {S}'\) which is able to provide values \(\sigma '\) indistinguishable from legitimate signatures produced with MR-Sign. To construct \(\mathcal {S}'\) we simply follow the Fiat–Shamir transform but using the simulator \(\mathcal {S}\) of our sigma protocol whenever a valid transcript is needed.
Now, recall that the signing operation of our ring signature is a call to MR-Sign with adapted public-key \((\boldsymbol{M},\textsf {R})\), where
Therefore we can use \(\mathcal {S}'\) as a simulator to obtain values \(\sigma '\) which are indistinguishable from legitimate ring signatures.
Now, let \(G_0\) denote the game described in Definition 6. We modify step 4 in \(G_0\) to define a new game \(G_1\). Instead of \(\sigma \leftarrow \textsf {Sign}_{\textsf{sk}_{i_b}}(\textsf {msg}, \textsf {R})\), the output of step 4 in \(G_1\) is \(\sigma ' \leftarrow \mathcal {S}'(\textsf {msg},\textsf {R})\). Notice \(G_0\) and \(G_1\) are indistinguishable games. Hence, the advantage of any adversary \(\mathcal {A}\) against \(G_0\) and \(G_1\) is the same. Also, the challenge \(\sigma '\) given in \(G_1\) does not depend on the bit b chosen in step 3. Therefore, the advantage of an adversary \(\mathcal {A}\) against game \(G_1\) is zero.
Unforgeability Against Fixed-Ring Attacks. Forging a signature for a fixed ring \(\textsf {R}\), i.e., winning the game given in Definition 7, directly reduces to forging a signature for MR-Sign with public-key \((\boldsymbol{M},\textsf {R})\). The unforgeability for MR-Sign now follows from the Fiat–Shamir transform applied to the sigma protocol and its HVZK property.
C C A Note on Santoso et al.’s Scheme
The parameters given by Santoso et al. [44] to obtain a security level of \(\lambda \) bits are shown in Table 5.
Missing Commitments in the Signature Size. The authors of [44] disregard the size of the initial commitments in their analysis of the communication complexity. Taking commitment sizes into account (\(2\lambda \) bits for each hash, to be collision-resistant) the signature size of [44] is given by
While the signature size of Courtiois’ scheme is given by
Random Solutions. As stated in Sect. 4.6, a random instance of the MinRank problem with parameters (q, n, m, k, r) has, in expectation, \(n_{sol} := q^{k - (m-r)(n-r)}\) solutions. Some algorithms, as e.g., the kernel search algorithm, can directly benefit from multiple solutions by obtaining a speed-up of magnitude \(n_{sol}>1\) in those cases. It turns out that the parameter sets given in [44] contain a large amount of solutions, affecting security.
New Security Estimates and Signature Size. Table 6 shows the bit-security of the kernel search algorithm for parameters suggested in [44]. Note that all the parameter sets are far below the claimed bit-security, which is 128 for set A, 192 for set B, and 256 for set C. Also, observe that the signature size is larger than the one of standard Courtois for all suggested parameters.
Rights and permissions
Copyright information
© 2022 The Author(s), under exclusive license to Springer Nature Switzerland AG
About this paper
Cite this paper
Bellini, E., Esser, A., Sanna, C., Verbel, J. (2022). MR-DSS – Smaller MinRank-Based (Ring-)Signatures. In: Cheon, J.H., Johansson, T. (eds) Post-Quantum Cryptography. PQCrypto 2022. Lecture Notes in Computer Science, vol 13512. Springer, Cham. https://doi.org/10.1007/978-3-031-17234-2_8
Download citation
DOI: https://doi.org/10.1007/978-3-031-17234-2_8
Published:
Publisher Name: Springer, Cham
Print ISBN: 978-3-031-17233-5
Online ISBN: 978-3-031-17234-2
eBook Packages: Computer ScienceComputer Science (R0)