An Efficient Lattice-Based Signature Scheme with Provably Secure Instantiation

Abstract

In view of the expected progress in cryptanalysis it is important to find alternatives for currently used signature schemes such as RSA and ECDSA. The most promising lattice-based signature schemes to replace these schemes are (CRYPTO 2013) and GLP (CHES 2012). Both come with a security reduction from a lattice problem and have high performance. However, their parameters are not chosen according to their provided security reduction, i.e., the instantiation is not provably secure. In this paper, we present the first lattice-based signature scheme with good performance when provably secure instantiated. To this end, we provide a tight security reduction for the new scheme from the ring learning with errors problem which allows for provably secure and efficient instantiations. We present experimental results obtained from a software implementation of our scheme. They show that our scheme, when provably secure instantiated, performs comparably with BLISS and the GLP scheme.

A Extended Definitions and Security Notions

1.1 A.1 Syntax, Functionality, and Security of Signature Schemes

A signature scheme with key space \(\mathcal {K}\), message space \(\mathcal {M}\), and signature space \(\mathcal {S}\), is a tuple \(\varSigma = (\mathsf {KeyGen},\mathsf {Sign},\mathsf {Verify})\) of algorithms defined as follows.

• The (probabilistic) key generation algorithm on input the security parameter \(1^\lambda \) returns a key pair \((\mathsf {sk},\mathsf {pk})\in \mathcal {K}\). We write \((\mathsf {sk},\mathsf {pk})\leftarrow \mathsf {KeyGen}(1^\lambda )\) and call \(\mathsf {sk} \) the secret or signing key and \(\mathsf {pk} \) the public or verification key.

• The (probabilistic) signing algorithm takes as input a signing key \(\mathsf {sk} \), a message \(\mu \in \mathcal {M}\), and outputs a signature \(\sigma \in \mathcal {S}\). We write \(\sigma \leftarrow \mathsf {Sign}(\mathsf {sk},\mu )\).

• The verification algorithm, on input a verification key \(\mathsf {pk} \), a message \(\mu \in \mathcal {M}\), and a signature \(\sigma \in \mathcal {S}\), returns a bit b: if \(b = 1\) we say that the algorithm accepts, otherwise we say that it rejects. We write \(b \leftarrow \mathsf {Verify}(\mathsf {pk},\mu ,\sigma )\).

We require (perfect) correctness of the signature scheme: for every security parameter \(\lambda \), every choice of the randomness of the probabilistic algorithms, every key pair \((\mathsf {sk},\mathsf {pk})\leftarrow \mathsf {KeyGen}(1^\lambda )\), every message \(\mu \in \mathcal {M}\), and every signature \(\sigma \leftarrow \mathsf {Sign}(\mathsf {sk},\mu )\), \(\mathsf {Verify}(\mathsf {pk},\mu ,\sigma ) = 1\) holds.

Fig. 3.

Security experiment of unforgeability under chosen-message attack for an adversary \(\mathcal {A}\) against a signature scheme \(\varSigma = (\mathsf {KeyGen},\mathsf {Sign},\mathsf {Verify})\) in the random oracle model (i.e., all parties including \(\mathcal {A}\) have access to a public function H with uniformly distributed output).

We target the standard security requirement for signature schemes, namely unforgeability under chosen-message attack (\(\mathsf {ufcma}\)). The corresponding experiment involving an adversary \(\mathcal {A}\) against a signature scheme \(\varSigma \) is depicted in Fig. 3. Since we prove security of the scheme presented in Sect. 3 in the random oracle model, we reproduce a corresponding \(\mathsf {ufcma}\) experiment which grants \(\mathcal {A}\) access to a random oracle H. Given the experiment, we say that a signature scheme \(\varSigma \) is \((t,q_s,q_h,\epsilon )\) -unforgeable under chosen-message attack if every adversary \(\mathcal {A}\) which runs in time t and poses at most \(q_s\) queries to the signing oracle and \(q_h\) queries to the random oracle has advantage

$$\begin{aligned} \text {Adv}^{\mathsf {ufcma}}_{\varSigma }(\mathcal {A}) = \Pr \left[ \mathrm {Expt}^{\mathsf {ufcma}}_{\varSigma ,\mathcal {A}} = 1 \right] \le \epsilon . \end{aligned}$$