Lattice Signature Schemes
Vadim Lyubashevsky
INRIA / ENS Paris
DIGITAL SIGNATURE SCHEMES
Digital Signatures
(sk,pk) KeyGen
Sign(sk,mi) = si
Verify(pk,mi,si) = YES / NO
Correctness: Verify(pk, mi, Sign(sk,mi)) = YES
Security: Unforgeability
1. Adversary gets pk
2. Adversary asks for signatures of m1, m2, …
3. Adversary outputs (m,s) where m ≠ mi and wins
if Verify(pk,m,s) = YES
Signature Schemes
• Hash-and-Sign
– Requires a trap-door function
• Fiat-Shamir transformation
– Conversion from an identification scheme
– No trap-door function needed
FIAT-SHAMIR SIGNATURE SCHEMES
Signature Scheme (Main Idea)
Secret Key: S
Public Key: A, T=AS mod q
Verify(z,c)
Sign(μ)
Pick a random y
Check that z is “small”
Compute c=H(Ay mod q,μ)
and
z=Sc+y
c = H(Az – Tc mod q, μ)
Output(z,c)
Main Security Intuition
Secret Key: S
Public Key: A, T=AS mod q
Verify(z,c)
Sign(μ)
Pick a random y
Check that z is “small”
Compute c=H(Ay mod q,μ)
and
z=Sc+y
c = H(Az – Tc mod q, μ)
Output(z,c)
Signature is independent of the secret key
Signature Scheme
Secret Key: S
Public Key: A, T=AS mod q
Sign(μ)
Pick a random y make y uniformly random mod q?
Compute c=H(Ay mod q,μ)
z=Sc+y
Output(z,c) then z is too big and forging is easy 
Signature Scheme
Secret Key: S
Public Key: A, T=AS mod q
Sign(μ)
make y small?
Pick a random y
Compute c=H(Ay mod q,μ)
z=Sc+y
Output(z,c) then z will not be independent of S

Rejection Sampling
Secret Key: S
Public Key: A, T=AS mod q
Sign(μ)
make y small
Pick a random y
Compute c=H(Ay mod q,μ)
z=Sc+y
Output(z,c) if z meets certain criteria, else repeat
Rejection Sampling
Have access to samples from g(x)
g(x)
f(x)
Want f(x)
Rejection Sampling
Have access to samples from g(x)
g(x)
f(x)/M
Want f(x)
Sample from g(x), accept x with probability f(x)/Mg(x) ≤ 1
Pr[x] = g(x)∙(f(x)/Mg(x)) = f(x)/M
Something is output with probability 1/M
Rejection Sampling
Impossible to tell whether g(x) or h(x) was the original distribution
Have access to samples from g(x)
g(x)
f(x)/M
Want f(x)
h(x)
Sample from g(x), accept x with probability f(x)/Mg(x) ≤ 1
or … Sample from h(x), accept x with probability f(x)/Mh(x) ≤ 1
Pr[x] = g(x)∙(f(x)/Mg(x)) = f(x)/M = h(x)∙(f(x)/Mh(x))
Something is output with probability 1/M
Rejection Sampling
Pick a random y
Compute c=H(Ay mod q,μ)
z=Sc+y
Output(z,c) w.p. …
f(y+Sc)
f(y)
Normal Distribution
1-dimensional Normal distribution:
ρσ(x) =
2/2σ2
-x
1/(√2πσ)e
It is:
Centered at 0
Standard deviation: σ
Examples
Shifted Normal Distribution
1-dimensional shifted Normal distribution:
ρσ,v(x) =
2/2σ2
-(x-v)
1/(√2πσ)e
It is:
Centered at v
Standard deviation: σ
n-Dimensional Normal Distribution
n-dimensional shifted Normal distribution:
ρσ,v(x) =
2/2σ2
-||x-v||
n
1/(√2πσ)
e
It is:
Centered at v
Standard deviation: σ
2-Dimensional Example
n-Dimensional Normal Distribution
n-dimensional shifted Normal distribution:
ρσ,v(x) =
2/2σ2
-||x-v||
n
1/(√2πσ)
e
It is:
Centered at v
Standard deviation: σ
Discrete Normal: for x in Zn,
Dσ,v (x)= ρσ,v(x) / ρσ,v(Zn)
Rejection Sampling
Pick a random y
Compute c=H(Ay mod q,μ)
z=Sc+y
Output(z,c) w.p. Dσ,0 (z) / (MDσ,Sc (z))
v
-v
for σ = 12v,
Dσ,0 (z) / (MDσ,Sc (z)) ≈ e/M
v=max ||Sc||
Security Reduction
Simulator
A
Pick random S
(zi,ci)=Sign(μi)
Adversary
A,AS
μi
(zi,ci)
…
A(z-z’)+T(c’-c)=0
A(z-z’+Sc’-Sc)=0
If this is not 0, then SIS is solved.
Important for adversary to not know S.
μ, (z,c)
μ, (z’,c’)
INTERLUDE: THE SIS PROBLEM
The SIS Problem
Given a random A in Zqn x m,
Find a “small” s such that As = 0 mod q
n
A
m
= 0 (mod q)
s
The LWE Problem
s
m
A
+ e = b mod q
n
find s
||e|| is small
Decision LWE
Valid LWE Distribution
Uniformly Random
s
A
+ e=b
A
b
Solve SIS to Solve LWE
v
= 0 mod q
A
Solve SIS to Solve LWE
v
b
Solve SIS to Solve LWE
v
s
A
+e
Solve SIS to Solve LWE
Compute v∙b mod q. If b=As+e, then v∙b = v∙e is small.
If b is uniform, then v∙b mod q is uniform.
v
b
BACK TO SIGNATURES…
Improving the Rejection Sampling
Pick a random y
Compute c=H(Ay mod q,μ)
z=Sc+y
Output(z,c) w.p. Dσ,0 (z) / (MDσ,Sc (z))
Rejection Sampling from [Lyu12]
Bimodal Gaussians [DDLL ‘13]
Pick a random y
for σ = max ||Sc|| / √2
Compute c=H(Ay mod q,μ)
Dσ,0 (z) / M(½Dσ,Sc (z) + ½Dσ,-Sc (z)) ≈ e / M
Pick a random b in {-1,1}
z=bSc+y
Output(z,c) w.p. Dσ,0 (z) / M(½Dσ,Sc (z) + ½Dσ,-Sc (z))
Verify(z,c)
Check that z is “small”
and
c = H(Az – Tc mod q, μ)
Az – Tc = A(bSc+y) - Tc = bTc - Tc + Ay
Want: Tc = - Tc
Optimizations
• Base problem on the hardness of the NTRU
problem
• Compress the signature  not all of z needs
to be output if H only acts on the high order
bits
• A few other small tricks
Performance of the
Bimodal LattIce Signature Scheme
HASH-AND-SIGN SIGNATURE SCHEMES
Constructing the Trapdoor
A’
Random matrix
A’
R
+
G
Random matrix with
small coefficients
Special matrix that is
easy to invert
Easily-Invertible Matrix
Want: Matrix G such that:
For any b in Znq , you can find a 0/1 vector s such
that Gs=b mod q
1 2 4 8 … log2q
G=
1 2 4 8 … log2q
1 2 4 8 … log2q
......
1 2 4 8 … log2q
Inverting with a Trapdoor
A = [A’ | A’R+G]
Want to find a small s such that As=b
s = (s1,s2)
b = As = A’s1+(A’R+G)s2
= A’(s1+Rs2) + Gs2
set to 0
b = Gs2
s1 = - Rs2
Revealing R!
(probably bad…)
Inverting with a Trapdoor
A = [A’ | A’R+G]
Want to find a small s such that As=b
s = (s1,s2)
b = As = A’s1+(A’R+G)s2
= A’(s1+Rs2) + Gs2
small y
b - A’y = Gs2
Maybe y hides R?
s1 = y - Rs2
Signature Scheme
Secret (Signing) Key: R
Public (Verification) Key: A = [A’ | A’R+G]
Random Oracle H: {0,1}*  Znq
Sign(m):
Find short s such that As = H(m,u)
Verify (s,u,m)
Check that s is short, and As=H(m,u)
Security Proof Sketch
A
=
pick
= H(mi,ui )
from D
program the random oracle
sign mi
Security Proof Sketch
A
=
pick
= H(mi,uj )
from D
program the random oracle
give me H(mi,uj)
Security Proof Sketch
A
=
=
A
I will forge the
signature of m
To forge on m, the Adversary needs H(m,u)
So m is one of the mj he asked for H(mi,uj)
Thus we know an sj such that Asj=H(mi,uj)
Security Proof Sketch
A
=
0
-
short and hopefully non-zero
if it’s non-zero, then we have a solution to SIS
Properties Needed
= b
A
s
1. Can sample the distribution D of s without knowing the
trapdoor.
2. The following produce the same distribution of (s,b)
(a) Choose s ~ D. Set b=As
(b) Choose random b. Use the trapdoor to find an s such
that As=b.
3. For a random b, there is more than one likely possible
output s such that b=As.
Inverting with a Trapdoor
A = [A’ | A’R+G]
Want to find a small s such that As=b
s = (s1,s2)
H(m,u) = As = A’s1+(A’R+G)s2
= A’(s1+Rs2) + Gs2
small y
H(m,u) - A’y = Gs2
Maybe y hides R?
s1 = y - Rs2
Rejection Sampling
H(m,u) - A’y = Gs2
s1 = y - Rs2
Choose y to be a Gaussian.
If y has a lot of entropy, the distribution of s2 is
uniform and does not depend on the exact value of y.
s1 = y-Rs2 is now a shifted Gaussian. Use rejection
sampling as before (this requires a proof).
Another Approach for Sampling
Suppose we have a matrix A and a trapdoor R such
that AR=G.
Here is another way to generate an s such that As=b
Sample some vector p
Sample a z such that Gz = b - Ap
Output s = p + Rz ( so As=Ap+Gz=b)
Correcting the Distribution
Sample some vector p
Sample a z such that Gz = b - Ap
Output s = p + Rz ( so As=Ap+Gz=b)
How to make the distribution of s independent of R?
Tailor the distribution of p to R
Rz
+
p
=
s
IDENTITY-BASED ENCRYPTION
“Dual” Cryptosystem
A
= t
s
r
A
t
+
+
Public Key
Secret Key
(short)
0
m
=
u
v
“Dual” Cryptosystem
A
r
= t
A
s
t
+
+
v -
u
=
+
m
0
m
=
u
v
s
represent 0 by m=0
represent 1 by m=(q-1)/2
“Dual” Cryptosystem Security
A
= t
s
r
A
t
+
+
Pseudorandom
Random
0
m
=
u
v
Identity-Based Encryption
Key Authority
Master Public Key
Master Secret Key
Secret Key = s
Public Key = Bob
Identity-Based Encryption
Key Authority
Master Public Key
Master Secret Key
Secret Key = sBob
Public Key = Bob
Secret Key = sChris
Public Key = Chris
Secret Key = sDave
Public Key = Dave
Encrypt(Chris,msg)
Security for IBE
Key Authority
Master Public Key
Master Secret Key
Secret Key = sBob
Public Key = Bob
Secret Key = sChris
Public Key = Chris
Encrypt(Chris,msg)
CPA-Security: For all mi Encrypt(Chris,mi) are
computationally indistinguishable from each other
Secret Key = sDave
Public Key = Dave
IBE Based on LWE
= b
A
s
Master Public Key: A
Master Secret Key: R
Identity = “Bob”
b = H(Bob)
Use the sampling algorithm to find
a short s such that As = b mod q
Use “Dual” LWE encryption to
Encrypt to Bob
Security Proof Sketch
Show that breaking IBE implies breaking the “Dual” cryptosystem
master public key
public key
A
A
t
ciphertext
u
=
pick
v
= H(Bob)
from D
program the random oracle
Bob
Security Proof Sketch
Show that breaking IBE implies breaking the “Dual” cryptosystem
master public key
public key
A
A
t
=
= H(Bob)
ciphertext
u
v
program the random oracle
Bob
Security Proof Sketch
Show that breaking IBE implies breaking the “Dual” cryptosystem
master public key
public key
A
t
A
v
u
t = H(Dave)
ciphertext
u
v
Decryption
I will break an encryption to Dave
SIGNATURES WITHOUT RANDOM ORACLES
Signatures without Random Oracles
Public Key: [ A | AR ], b
Messages will be square invertible matrices M
To sign M, find a short s such that [ A | AR+MG ]s = b
A(s1+Rs2)+MGs2 = b
Gs2 = M-1(b - A(s1+Rs2))
s1 = s1+Rs2 - Rs2
Proof of “Selective” Security
In a selectively secure scheme, the adversary
declares the message he will forge on before
seeing the public key.
Proof of “Selective” Security
Given A, b, want to find a short r such that Ar=b.
Adversary gives message M’ on which he will forge
We want to construct a public key [A | B] so that a signature
of M’ will be an s that [ A | B + M’G]s = b will let us find the
short r
Pick a trap-door R and let B = AR - M’G
Then if the adversary can forge, we will get [A|AR]s =b
So A(s1+Rs2)=b, and so s1+Rs2 is the r we need.
Proof of “Selective” Security
Adversary designed to work on public key
[A | AR]
We give it public key [A | AR - M’G]
Will it still succeed in forging?
Yes, if [A | AR] is uniformly random, then
[A | AR] has the same distribution as [A | AR - M’G]
Adversary may ask us to sign other messages M.
How do we do it?
Proof of “Selective” Security
To sign M, we need to find an s such that
[A | AR - M’G + MG]s = b
A(s1+Rs2) + (M-M’)Gs2 = b
Gs2 = (M-M’)-1(b - A(s1+Rs2))
s1=s1+Rs2 - Rs2
Need M-M’ to always be invertible.
Such a set of size qn is easy to construct.
Hint: consider a field F of order qn. Every difference of
polynomials in the field is invertible.
How do you map this to matrices?