Chaohui Du,Guoqiang Bai

DOI: https://doi.org/10.1109/fpl.2015.7293949

2015-01-01

Abstract:Modern lattice-based public key cryptosystems usually require sampling from discrete Gaussian distributions. In this paper, we propose a novel implementation of cumulative distribution function (CDF) inversion sampler with high precision and large tail bound. It has maximum statistical distance of 2−90 to a theoretical discrete Gaussian distribution. Our CDF inversion sampler exploits piecewise comparison to save more than 90% random bits and reduce the required large comparators to two small comparators. We speed up the sampler by using a small lookup table, and the hit rate of the lookup table is as high as 94%. With these optimizations, our sampler takes on average 9.44 random bits and 2.28 clock cycles to generate a sample. It consumes 1 block RAM and 17 slices on a Spartan-6 FPGA. With additional 13 slices, our sampler is able to generate n samples within around 1.14n clock cycles.

Sirui Shen,Wenqing Song,Xinyu Wang,Xinyu Shao,Yuxiang Fu,Zhonghai Lu,Li

DOI: https://doi.org/10.1109/iscas48785.2022.9937989

2022-01-01

Abstract:Discrete Gaussian sampling is one of the important components in lattice-based cryptosystems which are promising candidates for post-quantum cryptographic algorithms. For sufficient security and satisfactory performance, the Knuth-Yao algorithm is an efficient way to implement discrete Gaussian samplers. Nevertheless, most polynomials in lattice-based cryptography have 256 coefficients or more, which suffers from long latency to complete the sample generation. In this paper, the first parallel discrete Gaussian sampler with hierarchical structure is proposed, while keeping statistical distance to the actual distribution. Based on the imbalanced visiting frequency of the probability matrix, a three-stage generation strategy is adopted with hierarchical bit search units (BSUs) that can greatly reduce area consumption of the repeated costly lookup tables. Besides the architecture improvement, a lowest-set-bit scanning scheme is introduced to BSUs. Moreover, the parallelism of our design provides obfuscation ability against side-channel attacks (SCAs). A practical hardware implementation of discrete Gaussian distributions with $\sigma$=3.33 on the Xilinx Virtex-5 XC5VLX30 FPGA device spends 26.12 ns on average to generate 256 samples, consuming 994 slices. Results have verified its advantages of area efficiency over the state-of-the-arts (SOAs).

Chaohui Du,Guoqiang Bai

DOI: https://doi.org/10.1109/itnec.2016.7560353

2016-01-01

Abstract:Lattice-based cryptography is an important candidate for post-quantum cryptography. Many lattice-based cryptosystems need to sample vectors from discrete Gaussian distributions. This paper shows a high-performance and high-precision software implementation of discrete Gaussian sampler, which is based on the inverse cumulative distribution function. We exploit multi-level fast lookup tables to speed up the sampler and reduce the required random-bits. The multithreading technique is also applied to speed up the sampler. Experimental results on an Intel Core i7-4771 processor shows that our sampler costs on average 6.48 random-bits to get a Gaussian sample and the throughput of our implementation is as high as 265.322 Mega samples per second.

Hai Lu,Yan Zhu,Cecilia E Chen,Di Ma

DOI: https://doi.org/10.1109/tifs.2024.3376206

IF: 7.231

2024-01-01

IEEE Transactions on Information Forensics and Security

Abstract:In the light of the advantages of ring, more and more Lattice-Based Cryptography (LBC) schemes are designed over it to provide small storage cost and high performance. Gaussian Sampler for Lattice Trapdoor (GSLT) plays an important role for these schemes, especially for key extraction. In this paper, we present an efficient GSLT scheme with On-line and Off-line stages. In the On-line stage, we extend the fast non-spherical Gadget-lattice sampling into the ring setting for high performance, and analyze the covariance matrix of output vectors. Subsequently, two optimized perturbation sampling constructions are designed for non-spherical Gadget-lattice sampler to avoid inefficient Cholesky decomposition during Off-line stage. The first construction aims to the spherical Gaussian distribution of preimage vectors, which is beneficial for theoretical analysis. In contrast, the second one is designed on the non-spherical distribution to improve the efficiency of perturbation sampling without leakage of trapdoor in statistic, and we further provide the method how to choose the Gaussian parameters. The complexity analysis and experimental results show that the On-line stage of our scheme has a better performance in comparison with the other works. In the Off-line stage, both of two perturbation sampling constructions can avoid low efficiency of Cholesky decomposition, and are more suitable for the non-spherical G-lattice sampling. In short, our work provides two candidates on either Gaussian parameter or sampling efficiency, thereby offering more options for key generation in LBC schemes.

computer science, theory & methods,engineering, electrical & electronic

Yang Yu,Huiwen Jia,Xiaoyun Wang

2023-05-21

Abstract:This work aims to improve the practicality of gadget-based cryptosystems, with a focus on hash-and-sign signatures. To this end, we develop a compact gadget framework in which the used gadget is a square matrix instead of the short and fat one used in previous constructions. To work with this compact gadget, we devise a specialized gadget sampler, called semi-random sampler, to compute the approximate preimage. It first deterministically computes the error and then randomly samples the preimage. We show that for uniformly random targets, the preimage and error distributions are simulatable without knowing the trapdoor. This ensures the security of the signature applications. Compared to the Gaussian-distributed errors in previous algorithms, the deterministic errors have a smaller size, which lead to a substantial gain in security and enables a practically working instantiation. As the applications, we present two practically efficient gadget-based signature schemes based on NTRU and Ring-LWE respectively. The NTRU-based scheme offers comparable efficiency to Falcon and Mitaka and a simple implementation without the need of generating the NTRU trapdoor. The LWE-based scheme also achieves a desirable overall performance. It not only greatly outperforms the state-of-the-art LWE-based hash-and-sign signatures, but also has an even smaller size than the LWE-based Fiat-Shamir signature scheme Dilithium. These results fill the long-term gap in practical gadget-based signatures.

Cryptography and Security

Qing Ye,Xiaomeng Yang,Xixi Yan,Zongqu Zhao

DOI: https://doi.org/10.1007/978-3-030-00012-7_50

2018-01-01

Abstract:Group signature schemes empower users to sign messages in the name of a group at the same time (1) keeping anonymity with respect to an outsider, and (2) guaranteeing traceability of a signer when needed. In this work we construct a new group signature scheme based on NTRU lattices. To achieve goals, we use a new algorithm for sampling a basis on NTRU lattice. Group signatures have many features, such as anonymity and traceability. They play an important role in the field of cryptography, and group-based group signatures are more resistant to quantum attacks. However, the unique advantages of lattice cryptography have the disadvantage of space consumption. At present the group signature schemes has high communication cost, and their size of system public key size is too large. Hence NTRU lattice is a kind of special lattice based on polynomial ring, and only involves polynomial ring small integer multiplication and modular arithmetic compared with the general case. NTRU lattice system shortens the length of public key, and has the faster computing speed. In order to reduce the size of the lattice key, this paper uses the Gaussian discrete distributed sampling algorithm on the NTRU lattice to construct a new NTRU lattice-based group signature. And provide relevant safety certification and efficiency analysis.

Oded Regev

DOI: https://doi.org/10.48550/arXiv.cs/0309051

2003-09-29

Abstract:We introduce the use of Fourier analysis on lattices as an integral part of a lattice based construction. The tools we develop provide an elegant description of certain Gaussian distributions around lattice points. Our results include two cryptographic constructions which are based on the worst-case hardness of the unique shortest vector problem. The main result is a new public key cryptosystem whose security guarantee is considerably stronger than previous results ($O(n^{1.5})$ instead of $O(n^7)$). This provides the first alternative to Ajtai and Dwork's original 1996 cryptosystem. Our second result is a family of collision resistant hash functions which, apart from improving the security in terms of the unique shortest vector problem, is also the first example of an analysis which is not based on Ajtai's iterative step. Surprisingly, both results are derived from one theorem which presents two indistinguishable distributions on the segment $[0,1)$. It seems that this theorem can have further applications and as an example we mention how it can be used to solve an open problem related to quantum computation.

Cryptography and Security

Fengxia Liu,Zhiyong Zheng,Zixian Gong,Kun Tian,Yi Zhang,Zhe Hu,Jia Li,Qun Xu

DOI: https://doi.org/10.1186/s42400-023-00198-1

2024-04-04

Abstract:Lattice-based digital signature has become one of the widely recognized post-quantum algorithms because of its simple algebraic operation, rich mathematical foundation and worst-case security, and also an important tool for constructing cryptography. This survey explores lattice-based digital signatures, a promising post-quantum resistant alternative to traditional schemes relying on factoring or discrete logarithm problems, which face increasing risks from quantum computing. The study covers conventional paradigms like Hash-and-Sign and Fiat-Shamir, as well as specialized applications including group, ring, blind, and proxy signatures. It analyzes the versatility and security strengths of lattice-based schemes, providing practical insights. Each chapter summarizes advancements in schemes, identifying emerging trends. We also pinpoint future directions to deploy lattice-based digital signatures including quantum cryptography.

Antian Wang,Weihang Tan,Keshab K. Parhi,Yingjie Lao

DOI: https://doi.org/10.48550/arXiv.2208.14270

2022-08-30

Cryptography and Security

Abstract:With the surge of the powerful quantum computer, lattice-based cryptography proliferated the latest cryptography hardware implementation due to its resistance against quantum computers. Among the computational blocks of lattice-based cryptography, the random errors produced by the sampler play a key role in ensuring the security of these schemes. This paper proposes an integral architecture for the sampler, which can reduce the overall resource consumption by reusing the multipliers and adders within the modular polynomial computation. For instance, our experimental results show that the proposed design can effectively reduce the discrete Ziggurat sampling method in DSP usage.

Liang Kong,Shuguo Li,Ruirui Liu

DOI: https://doi.org/10.1109/tc.2020.3001170

2021-01-01

Abstract:Discrete Gaussian distribution plays an essential role in lattice cryptography whereas naive implementations suffer from timing attacks. Unfortunately, conversion to secure constant-time variant incurs severe deterioration in performance. In Knuth-Yao sampling, we demonstrate several properties of the discrete distribution generation tree involving structural features and finite node height. Accordingly we propose a generic method independent of standard deviations, which focuses on minimizing the Boolean expressions for the mapping from input bit strings to output sample values, along with an in-depth efficiency analysis. Two optimization techniques are devised to further propel the minimization by replacing and adjusting nodes. To strike the balance of computational overhead and closeness to optimum, heuristic strategies are introduced. Finally, performance evaluation is conducted both in software and hardware. Running on a 3.4GHz Intel Core i7-6700 processor, our method improves sampling rate by up to 29.5 percent compared to the latest technique. Targeting hardware FPGA devices, our approach can be 2.7 times faster and achieves 57.3 percent resource reduction than the original constant-time Knuth-Yao sampling. Compared to the Cumulative Distribution Table algorithm with fixed step binary search, our sampler can be at least 12.6 times faster and gains 79/61 percent better area-time product than its counterpart without/with BRAM.

Miaomiao Tian,Liusheng Huang

DOI: https://doi.org/10.3233/FI-2016-1353

2016-01-01

Fundamenta Informaticae

Abstract:Identity-based signature is an important technique for light-weight authentication. Recently, many efforts have been made to construct identity-based signatures over lattice assumptions since they would remain secure in future quantum age. In this paper we present a new identity-based signature scheme from lattice problems. This scheme is more efficient than other lattice-based identity-based signature schemes in terms of both computation and communication complexities. We prove its security in the random oracle model under short integer solution assumption that is as hard as approximating several worst-case lattice problems. We also extend the scheme to an identity-based message recovery signature scheme that has better performance.

Zhenhua Liu,Yupu Hu,Xiangsong Zhang,Fagen Li

DOI: https://doi.org/10.1002/sec.531

IF: 1.968

2012-01-01

Security and Communication Networks

Abstract:ABSTRACTAn identity‐based signature scheme from lattices is constructed. The scheme is obtained from a modification of Agrawal, Boneh, and Boyen's lattice identity‐based encryption scheme. In this construction, we use two distinct trapdoors for finding short bases. One trapdoor enables the real implementation to generate short bases for all lattices. The other trapdoor enables the simulator to generate short bases for all lattices. Furthermore, the generating short bases are used to sample short vectors as signatures. Our scheme is computationally efficient. The scheme's strong unforgeability is proven in the standard model and rests on the hardness of the small integer solution problem. Finally, we extend the basic construction to obtain a hierarchical identity‐based signature scheme. Copyright © 2012 John Wiley & Sons, Ltd.

Miaomiao Tian,Liusheng Huang

DOI: https://doi.org/10.3233/FI-2016-1353

2016-01-01

Fundamenta Informaticae

Abstract:Identity-based signature is an important technique for light-weight authentication. Recently, many efforts have been made to construct identity-based signatures over lattice assumptions since they would remain secure in future quantum age. In this paper we present a new identity-based signature scheme from lattice problems. This scheme is more efficient than other lattice-based identity-based signature schemes in terms of both computation and communication complexities. We prove its security in the random oracle model under short integer solution assumption that is as hard as approximating several worst-case lattice problems. We also extend the scheme to an identity-based message recovery signature scheme that has better performance.

Yiming Li,Shengli Liu

DOI: https://doi.org/10.3233/jcs-220121

2024-01-01

Journal of Computer Security

Abstract:Identity-based chameleon hash (IBCH) is a cryptographic primitive with nice properties. IBCH equips each user with a trapdoor and the hash values can be publicly evaluated w.r.t. the identity of any user. On the one hand, it is hard to find collisions for the hash values without the user’s trapdoor. On the other hand, with the help of the user’s trapdoor, finding collisions becomes easy. An important application of IBCH is to upgrade an identity-based signature (IBS) scheme to an on-line/off-line identity-based signature (OO-IBS) scheme. OO-IBS is a useful tool to provide authenticity in lightweight smart devices, since it only involves light on-line computations and does not need key certificate. Up to now, there are many IBCH constructions from traditional number-theoretic assumptions like RSA, CDH, etc. However, none of the existing IBCH schemes achieve the post-quantum security in the standard model. In this paper, we propose a new IBCH scheme from lattices. The security of our IBCH is reduced to a well-accepted lattice-based assumption – the Short Integer Solution (SIS) assumption in the standard model. Our work provides the first post-quantum solution to IBCH in the standard model.

Leixiao Cheng,Quanshui Wu,Yunlei Zhao

DOI: https://doi.org/10.1007/978-3-319-72359-4_16

2017-01-01

Abstract:Lossy trapdoor functions (LTDF) and all-but-one trapdoor functions (ABO-TDF) are fundamental cryptographic primitives. And given the recent advances in quantum computing, it would be much desirable to develop new and improved lattice-based LTDF and ABO-TDF. In this work, we provide more compact constructions of LTDF and ABO-TDF based on the learning with errors (LWE) problem. In addition, our LWE-based ABO-TDF can allow smaller system parameters to support super-polynomially many injective branches in the construction of CCA secure public key encryption. As a core building tool, we provide a more compact homomorphic symmetric encryption schemes based on LWE, which might be of independent interest. To further optimize the ABO-TDF construction, we employ the full rank difference encoding technique. As a consequence, the results presented in this work can substantially improve the performance of all the previous LWE-based cryptographic constructions based upon LTDF and ABO-TDF.

Jie Cai,Han Jiang,Hao Wang,Qiuliang Xu

DOI: https://doi.org/10.1155/2020/8857815

IF: 1.968

2020-10-28

Security and Communication Networks

Abstract:In this paper, we design a new lattice-based linearly homomorphic signature scheme over F 2 . The existing schemes are all constructed based on hash-and-sign lattice-based signature framework, where the implementation of preimage sampling function is Gaussian sampling, and the use of trapdoor basis needs a larger dimension m ≥ 5 n log q . Hence, they cannot resist potential side-channel attacks and have larger sizes of public key and signature. Under Fiat–Shamir with aborting signature framework and general SIS problem restricted condition m ≥ n log q , we use uniform sampling of filtering technology to design the scheme, and then, our scheme has a smaller public key size and signature size than the existing schemes and it can resist side-channel attacks.

computer science, information systems,telecommunications

Xinwei Gao,Lin Li,Jintai Ding,Jiqiang Liu,R. Saraswathy,Zhe Liu

DOI: https://doi.org/10.1007/978-3-319-72359-4_33

2017-01-01

Abstract:LWE/RLWE-based cryptosystems require sampling error term from discrete Gaussian distribution. However, some existing samplers are somehow slow under certain circumstances therefore efficiency of such schemes is restricted. In this paper, we introduce a more efficient discretized Gaussian sampler based on ziggurat sampling algorithm. We also analyze statistical quality of our sampler to prove that it can be adopted in LWE/RLWE-based cryptosystems. Compared with ziggurat-based sampler by Buchmann et al. related samplers by Peikert, Ducas et al. and Knuth-Yao, our sampler achieves more than 2x speedup when standard deviation is large. This can benefit constructions rely on noise flooding (e.g., homomorphic encryption). We also present two applications: First, we use our sampler to optimize the RLWE-based authenticated key exchange (AKE) protocol by Zhang et al. We achieve 1.14x speedup on total runtime of this protocol over major parameter choices. Second, we give practical post-quantum Transport Layer Security (TLS) ciphersuite. Our ciphersuite inherits advantages from TLS and the optimized AKE protocol. Performance of our proof-of-concept implementation is close to TLS v1.2 ciphersuites and one post-quantum TLS construction.

Lei Zhang,Zhiyong Zheng,Wei Wang

DOI: https://doi.org/10.1007/978-981-15-8373-5_5

2021-01-01

Abstract:Group signatureGroup signature has two basic properties: anonymity and traceability. Due to its good properties, it has many applications in economy, politics, electronic voting, privacy protection, anonymous authentication and so on. But traditional group signature could not resist the quantum computational attacks. Lattice theory is seen as the most promising post-quantum crypto theory due to the fact that it is a kind of linear structure and that most of its operations are linear operations. Moreover, the lattice theory has better asymptotic efficiency than others do. The lattice-based group signature can not only keep its original security properties, but also resist quantum attacks, it has become a research hot spot. Therefore we think it’s necessary to sort out the achievements of lattice-based group signature in recent years. In this chapter we first simply reviewed the research progress of the traditional group signature, and then we summarized the main progress on lattice-based group signature schemes in recent years. Then we analysed the tools they used when designing signature schemes. In addition, we made a comparison about functionality and security assumptions. Finally, we put forward the further research direction and the development trend.

Jianhua Yan,Licheng Wang,Mianxiong Dong,Yixian Yang,Wenbin Yao

DOI: https://doi.org/10.1002/sec.1297

IF: 1.968

2015-01-01

Security and Communication Networks

Abstract:Signcryption as a cryptographic primitive can carry out signature and encryption simultaneously at a remarkably reduced cost. Identity-based cryptography is more convenient than public key infrastructure-based cryptography in certificate management. As a result, identity-based signcryption has been studied extensively, and many efficient and provably secure constructions have been proposed. However, most of these schemes are based on intractability assumptions from number theory, and these assumptions have been threatened by the booming quantum computation. Therefore, a recent trend in cryptography is to construct cryptosystems that are based on lattice-based intractability assumptions because of their plausible features of quantum attack resistance. In this paper, several identity-based signcryption schemes from lattice hardness assumptions are proposed. In the standard model, these schemes are indistinguishable against inner adaptively chosen ciphertext attacks (IND-CCA2) and strongly unforgeable against inner chosen message attacks. In our construction, it does not matter whether the original encryption scheme used to construct signcryption is deterministic or probabilistic; the resulted signcryption schemes can reach IND-CCA2 security. To achieve this, we carefully combine three techniques-the identity-based encryption from lattice due to Agrawal-Boneh-Boyen (EUROCRYPT 2010), the framework of lattice-based short signature due to Boyen (Public Key Cryptography 2010), and the Canetti-Halevi-Katz (abbr. CHK) technique, with necessary and tailored optimization-for transforming an (l + 1)-level indistinguishable under chosen plaintext attack secure hierarchical identity-based encryption (HIBE) into an l level IND-CCA2 secure HIBE scheme. In addition, our security proof also contains a more efficient simulation tool that might have separate interest in cryptographic applications. Copyright (C) 2015 John Wiley & Sons, Ltd.

Hong Zhao,Yan-yan Han,Shuhan Yu,Kaili Dou

DOI: https://doi.org/10.1117/12.2685750

2023-08-15

Abstract:The certificateless cryptography solves the certificate management and key escrow problems in the Internet of Things. However, these schemes are no longer safe in the quantum environment. Lattice cryptography has become the main method to solve quantum security. At present, only a few lattice-based certificateless signature schemes have been proposed and the use of the trapdoor function limits the efficiency of the lattice cryptography, and the security of these schemes can only reach existential unforgeability. We construct a lattice-based certificateless signature scheme based on Lyubashevsky's signature scheme. The security of our scheme can reach strong unforgeability and the computational efficiency of our scheme is lower than the previous schemes.

Computer Science,Engineering