A Digital Signature Scheme Based on CVP  ∞

Plantard, Thomas; Susilo, Willy; Win, Khin Than

doi:10.1007/978-3-540-78440-1_17

Cited by 13 publications

(28 citation statements)

References 49 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…In PKC'08, Plantard, Susilo, and Win [17] proposed a new digital signature based on CVP ∞ , which was claimed to be a countermeasure against the Nguyen-Regev attack.…”

Section: Lattice Problems and Algorithmsmentioning

confidence: 99%

“…Since each component of w i is in (−d, d), we know that each component of w i − w j is in (−2d, 2d). Since d ∈ Θ( √ n) as stated in [17], the lattice vectors w i − w j 's are very short.…”

Section: Key Idea Of Our Chosen Message Attackmentioning

confidence: 99%

“…As important cryptographic primitives, several lattice-based digital signature schemes have been proposed in recent years, such as [8,9,17,7,5]. In 1997, Goldreich, Goldwasser and Halevi [8] proposed the GGH signature scheme based on lattices, whose security is related to the hardness of approximate CVP.…”

Section: Introductionmentioning

confidence: 99%

“…In 2008, Plantard, Susilo, and Win [17] proposed another signature scheme at PKC'08 to resist the Nguyen-Regev attack. They employed a special type of lattices as the good basis which has a basis that can be written into the sum of a diagonal matrix and a ternary random matrix.…”

Section: Introductionmentioning

confidence: 99%

See 3 more Smart Citations

Cryptanalysis of the Randomized Version of a Lattice-Based Signature Scheme from PKC’08

Liu

Nitaj

et al. 2018

Information Security and Privacy

View full text Add to dashboard Cite

In PKC'08, Plantard, Susilo and Win proposed a latticebased signature scheme, whose security is based on the hardness of the closest vector problem with the infinity norm (CVP∞). This signature scheme was proposed as a countermeasure against the Nguyen-Regev attack, which improves the security and the efficiency of the Goldreich, Goldwasser and Halevi scheme (GGH). Furthermore, to resist potential side channel attacks, the authors suggested modifying the deterministic signing algorithm to be randomized. In this paper, we propose a chosen message attack against the randomized version. Note that the randomized signing algorithm will generate different signature vectors in a relatively small cube for the same message, so the difference of any two signature vectors will be relatively short lattice vector. Once collecting enough such short difference vectors, we can recover the whole or the partial secret key by lattice reduction algorithms, which implies that the randomized version is insecure under the chosen message attack.

show abstract

“…In PKC'08, Plantard, Susilo, and Win [17] proposed a new digital signature based on CVP ∞ , which was claimed to be a countermeasure against the Nguyen-Regev attack.…”

Section: Lattice Problems and Algorithmsmentioning

confidence: 99%

Section: Key Idea Of Our Chosen Message Attackmentioning

confidence: 99%

Section: Introductionmentioning

confidence: 99%

Section: Introductionmentioning

confidence: 99%

See 2 more Smart Citations

Cryptanalysis of the Randomized Version of a Lattice-Based Signature Scheme from PKC’08

Liu

Nitaj

et al. 2018

Information Security and Privacy

View full text Add to dashboard Cite

show abstract

“…k ← k + 1, i ← (i + 1) mod n 9: until k = n 10: return w In brief, the message reduction is reducing successively each large coefficient m i of the message m by qD such that |m i − qD| < D but adding ±q, ±qb to m j with j = i according to the entries of M, until all coefficients of the reduced message are within (−D, D). Since S is diagonal dominant, the message can be reduced within bounded steps as proved in [26,27].…”

Section: Algorithm 1 Message Reduction In Drs Signature Algorithmmentioning

confidence: 99%

Learning Strikes Again: The Case of the DRS Signature Scheme

Ducas

2018

Lecture Notes in Computer Science

View full text Add to dashboard Cite

Lattice signature schemes generally require particular care when it comes to preventing secret information from leaking through signature transcript. For example, the Goldreich-Goldwasser-Halevi (GGH) signature scheme and the NTRUSign scheme were completely broken by the parallelepiped-learning attack of Nguyen and Regev (Eurocrypt 2006). Several heuristic countermeasures were also shown vulnerable to similar statistical attacks.At PKC 2008, Plantard, Susilo and Win proposed a new variant of GGH, informally arguing resistance to such attacks. Based on this variant, Plantard, Sipasseuth, Dumondelle and Susilo proposed a concrete signature scheme, called DRS, that has been accepted in the round 1 of the NIST post-quantum cryptography project.In this work, we propose yet another statistical attack and demonstrate a weakness of the DRS scheme: one can recover some partial information of the secret key from sufficiently many signatures. One difficulty is that, due to the DRS reduction algorithm, the relation between the statistical leak and the secret seems more intricate. We work around this difficulty by training a statistical model, using a few features that we designed according to a simple heuristic analysis.While we only recover partial information on the secret key, this information is easily exploited by lattice attacks, significantly decreasing their complexity. Concretely, we claim that, provided that 100 000 signatures are available, the secret key may be recovered using BKZ-138 for the first set of DRS parameters submitted to the NIST. This puts the security level of this parameter set below 80-bits (maybe even 70-bits), to be compared to an original claim of 128-bits.

show abstract

A provably secure code‐based short signature scheme and its nontransferable variant

Asaar

Salmasizadeh

Aref

2018

Int J Communication

View full text Add to dashboard Cite

SummarySignatures with partially message recovery in which some parts of messages are not transmitted with signatures to make them shorter are helpful where bandwidth is one of the critical concern. This primitive is especially used for signing short messages in applications such as time stamping, certified email services, and identity‐based cryptosystems. In this paper, to have quantum‐attack‐resistant short signatures, the first signature scheme with partially message recovery based on coding theory is presented. Next, it is shown that the proposal is secure under Goppa Parametrized Bounded Decoding and the Goppa Code Distinguishing assumptions in the random oracle model. Relying on the partially message recovery property, the proposal is shorter than Dallot signature scheme, the only provably secure and practical code‐based signature scheme, while it preserves Dallot signature efficiency. We should highlight that our scheme can be used as a building block to construct short code‐based signature schemes with special properties. To show this, we present a provably secure short designated verifier signature scheme, a nontransferable form of short signatures, which is used in electronic voting and deniable authentication protocols.

show abstract

A Digital Signature Scheme Based on CVP ∞

Cited by 13 publications

References 49 publications

Cryptanalysis of the Randomized Version of a Lattice-Based Signature Scheme from PKC’08

Cryptanalysis of the Randomized Version of a Lattice-Based Signature Scheme from PKC’08

Learning Strikes Again: The Case of the DRS Signature Scheme

A provably secure code‐based short signature scheme and its nontransferable variant

Contact Info

Product

Resources

About