# Asymptotically Efficient Lattice-Based Digital Signatures

We give a direct construction of digital signatures based on the complexity of approximating the shortest vector in ideal (e.g., cyclic) lattices. The construction is provably secure based on the worst-case hardness of approximating the shortest vector in such lattices within a polynomial factor, and it is also asymptotically eﬃcient: the time complexity of the signing and veriﬁcation algorithms, as well as key and signature size is almost linear (up to poly-logarithmic factors) in the dimension n of the underlying lattice. Since no sub-exponential (in n) time algorithm is known to solve lattice problems in the worst case, even when restricted to cyclic lattices, our construction gives a digital signature scheme with an essentially optimal performance/security trade-of.

Digital signature schemes, initially proposed in Diﬃe and Hellman’s seminal paper [9] and later formalized by Goldwasser, Micali and Rivest, [15], are among the most important and widely used cryptographic primitives. Still, our understanding of these intriguing objects is somehow limited. The deﬁnition of digital signatures clearly ﬁts within the public key cryptography framework. However, eﬃciency considerations aside, the existence of secure digital signatures schemes can be shown to be equivalent to the existence of conventional (symmetric) cryptographic primitives like pseudorandom generators, one-way hash functions, private key encryption, or even just one-way functions [23, 27]. There is a big gap, both theoretical and practical, between the eﬃciency of known constructions implementing public-key and private-key cryptography. In the symmetric setting, functions are often expected to run in time which is linear or almost linear in the security parameter k. However, essentially all known public key encryption schemes with a supporting proof of security are based on algebraic functions that take at least Ω(k 2 ) time to compute, where 2 k is the conjectured hardness of the underlying problem. For example, all factoring based schemes must use keys of size approximately O(k 3 ) to achieve k bits of

## Free download research paper

**CSE PROJECTS**