Approximate Trapdoors for Lattices and Smaller Hash-and-Sign Signatures

  • Conference paper
Advances in Cryptology – ASIACRYPT 2019 (ASIACRYPT 2019)

Abstract

We study a relaxed notion of lattice trapdoor, called an approximate trapdoor, which is defined to invert Ajtai’s one-way function approximately rather than exactly. The primary motivation of our study is to improve the efficiency of cryptosystems built from lattice trapdoors, including hash-and-sign signatures.

Our main contribution is to construct an approximate trapdoor by modifying the gadget trapdoor proposed by Micciancio and Peikert [Eurocrypt 2012]. In particular, we show how to use the approximate gadget trapdoor to sample short preimages from a distribution that is simulatable without knowing the trapdoor. The analysis of the distribution uses a theorem (implicitly used in past works) regarding linear transformations of discrete Gaussians on lattices.

Our approximate gadget trapdoor can be used together with the existing optimization techniques to improve the concrete performance of the hash-and-sign signature in the random oracle model under (Ring-)LWE and (Ring-)SIS assumptions. Our implementation shows that the sizes of the public key and signature can be reduced by half compared with schemes built from exact trapdoors.

Notes

  1. We remark that the ratio \(\frac{s_1( \mathbf {R} )}{s_{2n}( \mathbf {R} )}\) is a small constant for commonly-used subgaussian distributions for \( \mathbf {R} \)’s entries [51].

  2. https://bitbucket.org/malb/lwe-estimator.

  3. For any lattice \( \mathbf {L} \), \(\lambda _1 \le \sqrt{r}\det ( \mathbf {L} )^{1/r}\) where r is the rank of the lattice.

  4. When one applies our security estimate methods to Table 1 of [13], one gets 82-bit security under the \(\lambda = 97\), \(n = 512\), \(q =2^{24}\) column.

References

  1. Agrawal, S., Boneh, D., Boyen, X.: Efficient lattice (H)IBE in the standard model. In: Gilbert, H. (ed.) EUROCRYPT 2010. LNCS, vol. 6110, pp. 553–572. Springer, Heidelberg (2010). https://doi.org/10.1007/978-3-642-13190-5_28

  2. Ajtai, M.: Generating hard instances of lattice problems (extended abstract). In: STOC, pp. 99–108 (1996)

  3. Ajtai, M.: Generating hard instances of the short basis problem. In: Wiedermann, J., van Emde Boas, P., Nielsen, M. (eds.) ICALP 1999. LNCS, vol. 1644, pp. 1–9. Springer, Heidelberg (1999). https://doi.org/10.1007/3-540-48523-6_1

  4. Alagic, G., et al.: Status report on the first round of the NIST post-quantum cryptography standardization process. US Department of Commerce, National Institute of Standards and Technology (2019)

  5. Albrecht, M.R., et al.: Estimate all the LWE, NTRU schemes! In: Catalano, D., De Prisco, R. (eds.) SCN 2018. LNCS, vol. 11035, pp. 351–367. Springer, Cham (2018). https://doi.org/10.1007/978-3-319-98113-0_19

  6. Albrecht, M.R., Ducas, L., Herold, G., Kirshanova, E., Postlethwaite, E.W., Stevens, M.: The general sieve kernel and new records in lattice reduction. In: Ishai, Y., Rijmen, V. (eds.) EUROCRYPT 2019. LNCS, vol. 11477, pp. 717–746. Springer, Cham (2019). https://doi.org/10.1007/978-3-030-17656-3_25

  7. Albrecht, M.R., Player, R., Scott, S.: On the concrete hardness of learning with errors. J. Math. Cryptol. 9(3), 169–203 (2015)

  8. Alkim, E., Barreto, P.S.L.M., Bindel, N., Longa, P., Ricardini, J.E.: The lattice-based digital signature scheme qTESLA. IACR Cryptology ePrint Archive 2019, p. 85 (2019)

  9. Alwen, J., Peikert, C.: Generating shorter bases for hard random lattices. Theory Comput. Syst. 48(3), 535–553 (2011)

  10. Applebaum, B., Cash, D., Peikert, C., Sahai, A.: Fast cryptographic primitives and circular-secure encryption based on hard learning problems. In: Halevi, S. (ed.) CRYPTO 2009. LNCS, vol. 5677, pp. 595–618. Springer, Heidelberg (2009). https://doi.org/10.1007/978-3-642-03356-8_35

  11. Bai, S., Galbraith, S.D.: An improved compression technique for signatures based on learning with errors. In: Benaloh, J. (ed.) CT-RSA 2014. LNCS, vol. 8366, pp. 28–47. Springer, Cham (2014). https://doi.org/10.1007/978-3-319-04852-9_2

  12. Bai, S., Galbraith, S.D., Li, L., Sheffield, D.: Improved combinatorial algorithms for the inhomogeneous short integer solution problem. J. Cryptol. 32(1), 35–83 (2019)

  13. El Bansarkhani, R., Buchmann, J.: Improvement and efficient implementation of a lattice-based signature scheme. In: Lange, T., Lauter, K., Lisoněk, P. (eds.) SAC 2013. LNCS, vol. 8282, pp. 48–67. Springer, Heidelberg (2014). https://doi.org/10.1007/978-3-662-43414-7_3

  14. Bert, P., Fouque, P.-A., Roux-Langlois, A., Sabt, M.: Practical implementation of ring-SIS/LWE based signature and IBE. In: Lange, T., Steinwandt, R. (eds.) PQCrypto 2018. LNCS, vol. 10786, pp. 271–291. Springer, Cham (2018). https://doi.org/10.1007/978-3-319-79063-3_13

  15. Bourse, F., Del Pino, R., Minelli, M., Wee, H.: FHE circuit privacy almost for free. In: Robshaw, M., Katz, J. (eds.) CRYPTO 2016. LNCS, vol. 9815, pp. 62–89. Springer, Heidelberg (2016). https://doi.org/10.1007/978-3-662-53008-5_3

  16. Brakerski, Z., Langlois, A., Peikert, C., Regev, O., Stehlé, D.: Classical hardness of learning with errors. In: Proceedings of the Forty-Fifth Annual ACM Symposium on Theory of Computing, pp. 575–584. ACM (2013)

  17. Brakerski, Z., Vaikuntanathan, V., Wee, H., Wichs, D.: Obfuscating conjunctions under entropic ring LWE. In: ITCS, pp. 147–156. ACM (2016)

  18. Canetti, R., Chen, Y.: Constraint-hiding constrained PRFs for NC\(^1\) from LWE. In: Coron, J.-S., Nielsen, J.B. (eds.) EUROCRYPT 2017. LNCS, vol. 10210, pp. 446–476. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-56620-7_16

  19. Cash, D., Hofheinz, D., Kiltz, E., Peikert, C.: Bonsai trees, or how to delegate a lattice basis. J. Cryptol. 25(4), 601–639 (2012)

  20. Chen, C., Genise, N., Micciancio, D., Polyakov, Y., Rohloff, K.: Implementing token-based obfuscation under (ring) LWE. IACR Cryptology ePrint Archive 2018, p. 1222 (2018)

  21. Chen, Y., Vaikuntanathan, V., Wee, H.: GGH15 beyond permutation branching programs: proofs, attacks, and candidates. In: Shacham, H., Boldyreva, A. (eds.) CRYPTO 2018. LNCS, vol. 10992, pp. 577–607. Springer, Cham (2018). https://doi.org/10.1007/978-3-319-96881-0_20

  22. Chen, Y.: Réduction de réseau et sécurité concrète du chiffrement complètement homomorphe. PhD thesis, Paris 7 (2013)

  23. del Pino, R., Lyubashevsky, V., Seiler, G.: Lattice-based group signatures and zero-knowledge proofs of automorphism stability. In: Proceedings of the 2018 ACM SIGSAC Conference on Computer and Communications Security, CCS 2018, Toronto, ON, Canada, 15–19 October 2018, pp. 574–591 (2018)

  24. Ducas, L.: Shortest vector from lattice sieving: a few dimensions for free. In: Nielsen, J.B., Rijmen, V. (eds.) EUROCRYPT 2018. LNCS, vol. 10820, pp. 125–145. Springer, Cham (2018). https://doi.org/10.1007/978-3-319-78381-9_5

  25. Ducas, L., Galbraith, S., Prest, T., Yang, Y.: Integral matrix gram root and lattice Gaussian sampling without floats. IACR Cryptology ePrint Archive 2019, p. 320 (2019)

  26. Ducas, L., et al.: CRYSTALS-Dilithium: a lattice-based digital signature scheme. IACR Trans. Cryptogr. Hardw. Embed. Syst. 2018(1), 238–268 (2018)

  27. Fouque, P.-A., et al.: Falcon: fast-fourier lattice-based compact signatures over NTRU (2018)

  28. Genise, N., Micciancio, D.: Faster Gaussian sampling for trapdoor lattices with arbitrary modulus. In: Nielsen, J.B., Rijmen, V. (eds.) EUROCRYPT 2018. LNCS, vol. 10820, pp. 174–203. Springer, Cham (2018). https://doi.org/10.1007/978-3-319-78381-9_7

  29. Gentry, C.: Fully homomorphic encryption using ideal lattices. In: STOC, pp. 169–178 (2009)

  30. Gentry, C., Gorbunov, S., Halevi, S.: Graph-induced multilinear maps from lattices. In: Dodis, Y., Nielsen, J.B. (eds.) TCC 2015. LNCS, vol. 9015, pp. 498–527. Springer, Heidelberg (2015). https://doi.org/10.1007/978-3-662-46497-7_20

  31. Gentry, C., Peikert, C., Vaikuntanathan, V.: Trapdoors for hard lattices and new cryptographic constructions. In: STOC, pp. 197–206 (2008)

  32. Gentry, C., Szydlo, M.: Cryptanalysis of the revised NTRU signature scheme. In: Knudsen, L.R. (ed.) EUROCRYPT 2002. LNCS, vol. 2332, pp. 299–320. Springer, Heidelberg (2002). https://doi.org/10.1007/3-540-46035-7_20

  33. Goldreich, O., Goldwasser, S., Halevi, S.: Public-key cryptosystems from lattice reduction problems. In: Kaliski, B.S. (ed.) CRYPTO 1997. LNCS, vol. 1294, pp. 112–131. Springer, Heidelberg (1997). https://doi.org/10.1007/BFb0052231

  34. Gorbunov, S., Vaikuntanathan, V., Wee, H.: Attribute-based encryption for circuits. In: STOC, pp. 545–554. ACM (2013)

  35. Goyal, R., Koppula, V., Waters, B.: Lockable obfuscation. In: FOCS, pp. 612–621. IEEE Computer Society (2017)

  36. Gür, K.D., Polyakov, Y., Rohloff, K., Ryan, G.W., Savas, E.: Implementation and evaluation of improved gaussian sampling for lattice trapdoors. In: Proceedings of the 6th Workshop on Encrypted Computing and Applied Homomorphic Cryptography, pp. 61–71. ACM (2018)

  37. Halevi, S., Halevi, T., Shoup, V., Stephens-Davidowitz, N.: Implementing BP-obfuscation using graph-induced encoding. In: ACM Conference on Computer and Communications Security, pp. 783–798. ACM (2017)

  38. Hoffstein, J., Howgrave-Graham, N., Pipher, J., Silverman, J.H., Whyte, W.: NTRUSign: digital signatures using the NTRU lattice. In: Joye, M. (ed.) CT-RSA 2003. LNCS, vol. 2612, pp. 122–140. Springer, Heidelberg (2003). https://doi.org/10.1007/3-540-36563-X_9

  39. Hoffstein, J., Pipher, J., Silverman, J.H.: NTRU: a ring-based public key cryptosystem. In: Buhler, J.P. (ed.) ANTS 1998. LNCS, vol. 1423, pp. 267–288. Springer, Heidelberg (1998). https://doi.org/10.1007/BFb0054868

  40. Lyubashevsky, V.: Lattice signatures without trapdoors. In: Pointcheval, D., Johansson, T. (eds.) EUROCRYPT 2012. LNCS, vol. 7237, pp. 738–755. Springer, Heidelberg (2012). https://doi.org/10.1007/978-3-642-29011-4_43

  41. Micciancio, D.: Personal communication (2018)

  42. Micciancio, D., Peikert, C.: Trapdoors for lattices: simpler, tighter, faster, smaller. In: Pointcheval, D., Johansson, T. (eds.) EUROCRYPT 2012. LNCS, vol. 7237, pp. 700–718. Springer, Heidelberg (2012). https://doi.org/10.1007/978-3-642-29011-4_41

  43. Micciancio, D., Peikert, C.: Hardness of SIS and LWE with small parameters. In: Canetti, R., Garay, J.A. (eds.) CRYPTO 2013. LNCS, vol. 8042, pp. 21–39. Springer, Heidelberg (2013). https://doi.org/10.1007/978-3-642-40041-4_2

  44. Micciancio, D., Regev, O.: Worst-case to average-case reductions based on Gaussian measure. SIAM J. Comput. 37(1), 267–302 (2007)

  45. Micciancio, D., Walter, M.: On the bit security of cryptographic primitives. In: Nielsen, J.B., Rijmen, V. (eds.) EUROCRYPT 2018. LNCS, vol. 10820, pp. 3–28. Springer, Cham (2018). https://doi.org/10.1007/978-3-319-78381-9_1

  46. Nguyen, P.Q., Regev, O.: Learning a parallelepiped: cryptanalysis of GGH and NTRU signatures. In: Vaudenay, S. (ed.) EUROCRYPT 2006. LNCS, vol. 4004, pp. 271–288. Springer, Heidelberg (2006). https://doi.org/10.1007/11761679_17

  47. Peikert, C.: Public-key cryptosystems from the worst-case shortest vector problem: extended abstract. In: Proceedings of the 41st Annual ACM Symposium on Theory of Computing, STOC 2009, Bethesda, MD, USA, 31 May - 2 June 2009, pp. 333–342 (2009)

  48. Peikert, C., Regev, O., Stephens-Davidowitz, N.: Pseudorandomness of ring-LWE for any ring and modulus. In: STOC, pp. 461–473. ACM (2017)

  49. Peikert, C., Rosen, A.: Efficient collision-resistant hashing from worst-case assumptions on cyclic lattices. In: Halevi, S., Rabin, T. (eds.) TCC 2006. LNCS, vol. 3876, pp. 145–166. Springer, Heidelberg (2006). https://doi.org/10.1007/11681878_8

  50. Regev, O.: On lattices, learning with errors, random linear codes, and cryptography. J. ACM 56(6), 34 (2009)

  51. Vershynin, R.: Introduction to the non-asymptotic analysis of random matrices. In: Compressed Sensing, pp. 210–268. Cambridge University Press (2012)

  52. Wichs, D., Zirdelis, G.: Obfuscating compute-and-compare programs under LWE. In: FOCS, pp. 600–611. IEEE Computer Society (2017)

Acknowledgments

We are grateful to Daniele Micciancio for valuable advice and his generous sharing of ideas on the subject of this work. We would also like to thank Léo Ducas, Steven Galbraith, Thomas Prest, Yang Yu, Chuang Gao, Eamonn Postlethwaite, Chris Peikert, and the anonymous reviewers for their helpful suggestions and comments.

Corresponding author

Correspondence to Yilei Chen .

A The Smoothing Parameter of \(\varLambda _{ \mathbf {L} }\)

Recall the notation \( \mathbf {R} ' = \begin{bmatrix} \mathbf {R} \\ \mathbf {I} _{n(k-l)} \end{bmatrix}\in \mathbb {Z}^{m\times (n(k-l))}\) and \(\varSigma _p := s^2 \mathbf {I} _m - \sigma ^2 \mathbf {R} '( \mathbf {R} ')^t\). Here we derive the conditions on s under which \(\sqrt{\varSigma _p \oplus \sigma ^2 \mathbf {I} _{n(k-l)}} \ge \eta _{\epsilon }(\varLambda _{ \mathbf {L} })\) holds, where \(\varLambda _{ \mathbf {L} }\) is the lattice generated by

$$\begin{aligned} \mathbf {B} := \begin{bmatrix} - \mathbf {R} ' \\ \mathbf {I} _{n(k-l)} \end{bmatrix} . \end{aligned}$$

We do this in three steps: first we write out the dual basis of \( \mathbf {B} \); then we reduce the condition \(\sqrt{\varSigma _p \oplus \sigma ^2 \mathbf {I} _{n(k-l)}} \ge \eta _{\epsilon }(\varLambda _{ \mathbf {L} })\) to a statement about the smoothing parameter of \(\mathbb Z^{n(k-l)}\); finally we determine, as a function of s, when that condition holds.

Dual basis, \( \mathbf {B} ^*\) : Let \(\varSigma = \varSigma _p \oplus \sigma ^2 \mathbf {I} _{n(k-l)}\). By definition, we need \(\rho (\sqrt{\varSigma }^t \varLambda _{ \mathbf {L} }^*) \le 1 + \epsilon \). In general, the dual lattice \(\varLambda ^*\) of a lattice with basis \( \mathbf {B} \) is generated by the dual basis \( \mathbf {B} ( \mathbf {B} ^t \mathbf {B} )^{-1}\). In the case of \(\varLambda _{ \mathbf {L} }\), since \( \mathbf {B} ^t \mathbf {B} = ( \mathbf {R} ')^t \mathbf {R} ' + \mathbf {I} = \mathbf {R} ^t \mathbf {R} + 2 \mathbf {I} \), we can write the dual basis as

$$ \mathbf {B} ^* := \begin{bmatrix} - \mathbf {R} ' \\ \mathbf {I} _{n(k-l)} \end{bmatrix} \begin{bmatrix} \mathbf {R} ^t \mathbf {R} + 2 \mathbf {I} \end{bmatrix}^{-1}.$$

Reducing to \(\eta _\epsilon (\mathbb Z^{n(k-l)})\) : Next, the Gaussian sum \(\rho (\sqrt{\varSigma }^t \varLambda _{ \mathbf {L} }^*)\) is equal to

$$\sum _{ \mathbf {x} \in \mathbb Z^{n(k-l)}} \exp (-\pi \mathbf {x} ^t( \mathbf {B} ^*)^t\varSigma \mathbf {B} ^* \mathbf {x} ).$$

Hence it suffices to show \(\sqrt{( \mathbf {B} ^*)^t\varSigma \mathbf {B} ^*} \ge \eta _\epsilon (\mathbb Z^{n(k-l)})\).

Now we write out the matrix product \(( \mathbf {B} ^*)^t\varSigma \mathbf {B} ^*\),

$$\begin{aligned} ( \mathbf {B} ^*)^t\varSigma \mathbf {B} ^*&= \begin{bmatrix} \mathbf {R} ^t \mathbf {R} + 2 \mathbf {I} \end{bmatrix}^{-t} \begin{bmatrix} -( \mathbf {R} ')^{t}&\mathbf {I} \end{bmatrix} \begin{bmatrix} \varSigma _p & \mathbf {0} \\ \mathbf {0} & \sigma ^2 \mathbf {I} \end{bmatrix} \begin{bmatrix} - \mathbf {R} ' \\ \mathbf {I} \end{bmatrix} \begin{bmatrix} \mathbf {R} ^t \mathbf {R} + 2 \mathbf {I} \end{bmatrix}^{-1} \\&= \begin{bmatrix} \mathbf {R} ^t \mathbf {R} + 2 \mathbf {I} \end{bmatrix}^{-t} \begin{bmatrix} ( \mathbf {R} ')^t \varSigma _p \mathbf {R} ' + \sigma ^2 \mathbf {I} \end{bmatrix} \begin{bmatrix} \mathbf {R} ^t \mathbf {R} + 2 \mathbf {I} \end{bmatrix}^{-1}. \end{aligned}$$

Before we continue, we consider the structure of the middle matrix:

$$\begin{aligned} \varSigma _s := ( \mathbf {R} ')^t \varSigma _p \mathbf {R} '&= \begin{bmatrix} \mathbf {R} ^t&\mathbf {I} \end{bmatrix} \left( s^2 \mathbf {I} - \sigma ^2\begin{bmatrix} \mathbf {R} \\ \mathbf {I} \end{bmatrix} \begin{bmatrix} \mathbf {R} ^t&\mathbf {I} \end{bmatrix} \right) \begin{bmatrix} \mathbf {R} \\ \mathbf {I} \end{bmatrix} \\&= \begin{bmatrix} \mathbf {R} ^t \mathbf {R} + \mathbf {I} \end{bmatrix}\left( s^2 \mathbf {I} - \sigma ^2\begin{bmatrix} \mathbf {R} ^t \mathbf {R} + \mathbf {I} \end{bmatrix} \right) . \end{aligned}$$

Deriving the condition on s : Now we derive the condition on s so that

$$ \begin{bmatrix} \mathbf {R} ^t \mathbf {R} + 2 \mathbf {I} \end{bmatrix}^{-t}[\varSigma _s + \sigma ^2 \mathbf {I} ]\begin{bmatrix} \mathbf {R} ^t \mathbf {R} + 2 \mathbf {I} \end{bmatrix}^{-1} \ge \eta ^2_\epsilon (\mathbb Z^{n(k-l)}). $$

Claim

All invertible matrices of the form \(( \mathbf {R} ^t \mathbf {R} + \alpha \mathbf {I} )^i\) for \(i \in \mathbb Z, \alpha \in \mathbb {R}\) commute.

Proof

Let \( \mathbf {Q} \mathbf {S} \mathbf {V} ^t\) be \( \mathbf {R} \)’s singular value decomposition. Now, \( \mathbf {R} ^t \mathbf {R} + \alpha \mathbf {I} = \mathbf {V} \mathbf {D} \mathbf {V} ^t + \mathbf {V} (\alpha \mathbf {I} ) \mathbf {V} ^t\) where \( \mathbf {D} = \mathbf {S} ^t \mathbf {S} = \text {diag}(s^2_i( \mathbf {R} ))\) since \( \mathbf {V} , \mathbf {Q} \) are orthogonal. Equivalently, we have \( \mathbf {R} ^t \mathbf {R} + \alpha \mathbf {I} = \mathbf {V} \mathbf {D} _\alpha \mathbf {V} ^t\) where \( \mathbf {D} _\alpha = \text {diag}(s^2_i( \mathbf {R} ) + \alpha ) = \mathbf {S} ^t \mathbf {S} + \alpha \mathbf {I} _{2n}\). By induction, we have \(( \mathbf {R} ^t \mathbf {R} + \alpha \mathbf {I} )^i = \mathbf {V} \mathbf {D} _\alpha ^i \mathbf {V} ^t\), \(i \in \mathbb Z\). Finally, \( \mathbf {D} _\alpha ^i\) is a diagonal matrix so \( \mathbf {D} _{\alpha }^i\) and \( \mathbf {D} _{\alpha '}^j\) commute for all \(\alpha , \alpha '\) since diagonal matrices commute. The result follows from the orthogonality of \( \mathbf {V} \) (\( \mathbf {V} ^t \mathbf {V} = \mathbf {I} \)).

Claim A allows us to lower-bound the smallest eigenvalue of

$$\begin{aligned}( \mathbf {B} ^*)^t\varSigma \mathbf {B} ^*&= \begin{bmatrix} \mathbf {R} ^t \mathbf {R} + 2 \mathbf {I} \end{bmatrix}^{-2} \left( \begin{bmatrix} \mathbf {R} ^t \mathbf {R} + \mathbf {I} \end{bmatrix} \left[ s^2 \mathbf {I} - \sigma ^2\begin{bmatrix} \mathbf {R} ^t \mathbf {R} + \mathbf {I} \end{bmatrix}\right] +\sigma ^2 \mathbf {I} \right) \\&= \begin{bmatrix} \mathbf {R} ^t \mathbf {R} + 2 \mathbf {I} \end{bmatrix}^{-2} \left( s^2[ \mathbf {R} ^t \mathbf {R} + \mathbf {I} ] - \sigma ^2[2 \mathbf {R} ^t \mathbf {R} + ( \mathbf {R} ^t \mathbf {R} )^2]\right) .\end{aligned}$$

Since all of these matrices are simultaneously diagonalizable (Claim A), each eigenvalue of \(( \mathbf {B} ^*)^t\varSigma \mathbf {B} ^*\) is a function of one eigenvalue of \( \mathbf {R} ^t \mathbf {R} \); bounding the numerator from below with \(s_{2n}( \mathbf {R} )\) and \(s_1( \mathbf {R} )\) and the denominator from above with \(s_1( \mathbf {R} )\), we see that the least eigenvalue of \(( \mathbf {B} ^*)^t\varSigma \mathbf {B} ^*\) is lower-bounded by

$$\begin{aligned} \lambda _{lb}(s, \mathbf {R} ) := \frac{s^2(s_{2n}^2( \mathbf {R} )+1) - \sigma ^2(s_1^4( \mathbf {R} )+2s_1^2( \mathbf {R} ) ) }{(s_1^2( \mathbf {R} )+2)^2} . \end{aligned}$$

Next, we assume \(\sigma = \sqrt{b^2+1}\eta _\epsilon (\mathbb Z^{nk}) \ge \eta _\epsilon (\varLambda ^\perp _q( \mathbf {G} ))\) and solve for s using \(\lambda _{lb}(s, \mathbf {R} ) \ge \eta ^2_\epsilon (\mathbb Z^{n(k-l)})\),

$$s^2 \ge \frac{s_1^2( \mathbf {R} )+ 1}{s_{2n}^2( \mathbf {R} )+ 1}\eta ^2_\epsilon (\mathbb Z^{n(k-l)}) + \frac{(b^2 + 1)(s_1^4( \mathbf {R} ) + 2s_1^2( \mathbf {R} ))}{s_{2n}^2( \mathbf {R} )+ 1} \eta ^2_\epsilon (\mathbb Z^{nk}).$$

Keeping the dominant term, this is

$$s \gtrsim \sqrt{b^2+1}\frac{s_1^2( \mathbf {R} )}{s_{2n}( \mathbf {R} )} \eta _\epsilon (\mathbb Z^{nk}).$$

We remark that the ratio \(\frac{s_1( \mathbf {R} )}{s_{2n}( \mathbf {R} )}\) is a constant for commonly-used subgaussian distributions for \( \mathbf {R} \)’s entries [51].
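The following is an added numerical check of the derivation above, not code from the paper: for a small constructed \( \mathbf {R} \) it builds \( \mathbf {B} \), the dual basis \( \mathbf {B} ^* = \mathbf {B} ( \mathbf {B} ^t \mathbf {B} )^{-1}\) and \(\varSigma = \varSigma _p \oplus \sigma ^2 \mathbf {I} \), verifies \( \mathbf {B} ^t \mathbf {B} = \mathbf {R} ^t \mathbf {R} + 2 \mathbf {I} \), and confirms that the least eigenvalue of \(( \mathbf {B} ^*)^t\varSigma \mathbf {B} ^*\) is at least \(\lambda _{lb}(s, \mathbf {R} )\). It uses plain Python lists (no numpy); the toy \( \mathbf {R} \), the widths s and \(\sigma \), and the helper names are assumptions chosen for illustration.

```python
import math

def matmul(A, B):
    return [[sum(a * b for a, b in zip(row, col)) for col in zip(*B)] for row in A]
def transpose(A):
    return [list(col) for col in zip(*A)]
def identity(n):
    return [[1.0 if i == j else 0.0 for j in range(n)] for i in range(n)]

def lincomb(a, A, b, B):
    """a*A + b*B for two same-shaped matrices."""
    return [[a * x + b * y for x, y in zip(ra, rb)] for ra, rb in zip(A, B)]

def inverse(A):
    """Gauss-Jordan inverse with partial pivoting (A is small and well conditioned here)."""
    n = len(A)
    M = [list(map(float, row)) + identity(n)[i] for i, row in enumerate(A)]
    for c in range(n):
        p = max(range(c, n), key=lambda r: abs(M[r][c]))
        M[c], M[p] = M[p], M[c]
        piv = M[c][c]
        M[c] = [x / piv for x in M[c]]
        for r in range(n):
            if r != c:
                f = M[r][c]
                M[r] = [x - f * y for x, y in zip(M[r], M[c])]
    return [row[n:] for row in M]

def extreme_eigs(M, iters=5000):
    """(min, max) eigenvalue of a symmetric matrix by power iteration; the minimum
    comes from iterating on c*I - M, with c a Gershgorin upper bound on the spectrum."""
    n = len(M)
    def top(A):
        v = [1.0 + 0.1 * i for i in range(n)]               # fixed, non-degenerate start vector
        for _ in range(iters):
            w = [sum(a * x for a, x in zip(row, v)) for row in A]
            nrm = math.sqrt(sum(x * x for x in w))
            v = [x / nrm for x in w]
        w = [sum(a * x for a, x in zip(row, v)) for row in A]
        return sum(x * y for x, y in zip(v, w))            # Rayleigh quotient v^t A v
    c = max(sum(abs(x) for x in row) for row in M)
    return c - top(lincomb(c, identity(n), -1.0, M)), top(M)

def lambda_lb(s, sigma, s1, s2n):
    """lambda_lb(s, R) from Appendix A, with s_1(R) = s1 and s_{2n}(R) = s2n."""
    return (s * s * (s2n ** 2 + 1) - sigma ** 2 * (s1 ** 4 + 2 * s1 ** 2)) / (s1 ** 2 + 2) ** 2

def check_appendix(R, s, sigma):
    """Return (btb_ok, min_eig, lb) for the Appendix A construction built from R."""
    w = len(R[0])                                           # w stands in for n(k-l)
    Rp = [list(map(float, r)) for r in R] + identity(w)     # R' = [R; I]
    m = len(Rp)
    B = [[-x for x in r] for r in Rp] + identity(w)         # B = [-R'; I]
    RtR = matmul(transpose(R), R)
    C = lincomb(1.0, RtR, 2.0, identity(w))                 # R^t R + 2I, which should equal B^t B
    BtB = matmul(transpose(B), B)
    btb_ok = all(abs(x - y) < 1e-9 for rx, ry in zip(BtB, C) for x, y in zip(rx, ry))
    Bstar = matmul(B, inverse(C))                           # dual basis B (B^t B)^{-1}
    Sigma_p = lincomb(s * s, identity(m), -sigma ** 2, matmul(Rp, transpose(Rp)))
    Sigma = [[Sigma_p[i][j] if i < m and j < m else (sigma ** 2 if i == j else 0.0)
              for j in range(m + w)] for i in range(m + w)] # Sigma_p (+) sigma^2 I
    M = matmul(transpose(Bstar), matmul(Sigma, Bstar))      # (B*)^t Sigma B*
    mu_min, mu_max = extreme_eigs(RtR)                      # s_{2n}(R)^2 and s_1(R)^2
    lb = lambda_lb(s, sigma, math.sqrt(mu_max), math.sqrt(mu_min))
    return btb_ok, extreme_eigs(M)[0], lb

# Constructed toy R with entries in {-1,0,1}: R^t R = [[3,2],[2,3]] has eigenvalues 5 and 1.
R_TOY = [[1, 1], [1, 1], [0, 1], [1, 0]]
RESULT = check_appendix(R_TOY, s=20.0, sigma=1.0)          # (True, 2365/49, 765/49)
```

Note that \(\lambda _{lb}\) is only a valid lower bound while its numerator is positive, which is exactly the regime the condition on s above enforces; shrinking s in the toy run until `lb` turns negative shows where the bound stops applying.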

Copyright information

© 2019 International Association for Cryptologic Research

About this paper

Cite this paper

Chen, Y., Genise, N., Mukherjee, P. (2019). Approximate Trapdoors for Lattices and Smaller Hash-and-Sign Signatures. In: Galbraith, S., Moriai, S. (eds) Advances in Cryptology – ASIACRYPT 2019. ASIACRYPT 2019. Lecture Notes in Computer Science(), vol 11923. Springer, Cham. https://doi.org/10.1007/978-3-030-34618-8_1

  • DOI: https://doi.org/10.1007/978-3-030-34618-8_1

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-030-34617-1

  • Online ISBN: 978-3-030-34618-8
