Wuhan Univ. J. Nat. Sci.
Volume 27, Number 1, March 2022
|Page(s)||17 - 25|
|Published online||16 March 2022|
CLC number: TP391
An Algorithm Substitution Attack on Fiat-Shamir Signatures Based on Lattice
1 School of Cyber Security, Northwestern Polytechnical University, Xi’an 710072, Shaanxi, China
2 Research & Development Institute of Northwestern Polytechnical University, Shenzhen 518057, Guangdong, China
3 School of Cyber Security, Xi’an University of Posts and Telecommunications, Xi’an 710121, Shaanxi, China
4 School of Computer Science, Guizhou University of Finance and Economics, Guiyang 550025, Guizhou, China
5 School of Computer Science, Wuhan University, Wuhan 430072, Hubei, China
† To whom correspondence should be addressed. E-mail: firstname.lastname@example.org
Received: 15 September 2021
Many evidences have showed that some intelligence agencies (often called big brother) attempt to monitor citizens’ communication by providing coerced citizens a lot of subverted cryptographic algorithms and coercing them to adopt these algorithms. Since legalized services on large number of various applications and system architectures depend on digital signature techniques, in the context some coerced users who use double authentication preventing signatures to design some novel digital signature techniques, have some convincing dissertations to defuse requests from authorities and big brothers creating some corresponding subverted signatures. As rapid progress in quantum computers, National Security Agency advisory memorandum and announcement of National Institute of Standards and Technology procedures from standardization focus on some cryptographic algorithms which are post quantum secure. Motivated by these issues, we design an algorithm substitution attack against Fiat-Shamir family based on lattices (e.g., BLISS, BG, Ring-TESLA, PASSSign and GLP) that are proven post-quantum computational secure. We also show an efficient deterable way to eliminate big brother’s threat by leaking signing keys from signatures on two messages to be public. Security proof shows that our schemes satisfy key extraction, undetectability and deterability. Through parameters analysis and performance evaluation, we demonstrate that our deterring subverted Fiat-Shamir signature is practical, which means that it can be applied to privacy and protection in some system architectures.
Key words: algorithm substitution attack / double authentication preventing signatures / lattice / ring-SIS (small integer solution) problem
Biography: LIU Jinhui, female, Ph.D., research direction: information security and cryptography. E-mail: jh.liu6666@ nwpu.edu.cn
Foundation item: Supported by the National Natural Science Foundation of China (61802239, 61872229, 62062019, 62074131) , Key Research and Development Program of Shaanxi Province (2020ZDLGY09-06, 2021ZDLGY06-04, 2021ZDLGY05-01) , Natural Science Basic Research Plan in Shaanxi Province (2019JQ-667, 2020JQ-422) , and Shenzhen Fundamental Research Program (20210317191843003)
© Wuhan University 2022
This is an Open Access article distributed under the terms of the Creative Commons Attribution License (https://creativecommons.org/licenses/by/4.0), which permits unrestricted use, distribution, and reproduction in any medium, provided the original work is properly cited.
Since the first computer was intruded, hackers have been developing the technology of “backdoor” which allows them to enter the system again. The main functions of the backdoor is that it has no ability to prevent the system manager from entering this system again and discover these hackers. Many techniques have been used in this “backdoor”, such as intercepting postal shipping to steal and substitute networking hardware, sabotaging Internet routers, injecting malware, installing backdoors, wire-tapping undersea cables and so on [1-3].
In 2013, Edward Snowden brought shocking news that many ongoing surveillance programs with an underlying “backdoor” target at citizens conducting by National Security Agency (NSA) and partners from all over the world . A typical example is a pseudorandom generator (PRG) named Dual_EC_ DRBG backdoored by NSA, from NIST (National Institute of Standards and Technology). After choosing a few concrete parameters employed in the PRG, an attacker or any adversary is not able to differentiate exports on PRG from any random number but can forecast following exports. In this circumstances, post-Snowden cryptography attracts much of attentions in recent years.
As one of the research topics in post-Snowden cryptography, the notion of algorithm substitution attack (ASA) was formalized by Bellare et al in some semantics from algorithms named symmetric encryption algorithms. The ASA method is capable of any attacker or old big brother to substitute a few of pieces of randomized encryption algorithms or signature algorithms with a modified one such that it can leak secret keys subliminally and undetectably to the adversary. Ateniese et al first proposed a model of ASA on signature schemes, however, the subverted signature is generic and inefficient. Then Liu et al introduced a much high efficient ASA method about one affirmatory crowd in some signature schemes. Recently, Beak et al presented a much more efficient and undetectable method ASA from a classical DSA (digital signature algorithm) digital signature. At present most proposed subverted signatures only consider how to subvert signature schemes, there still needs some countermeasures to address big brother’s threat, while a new proposed signatures named double authentication preventing signatures can be used to deter this kind of big brother’s action.
The double authentication preventing signatures (DAPS) are a class of extraordinary digital signatures with double signatures extractability which means deterable when there exist two different signatures from messages (m0, p1) and (m0, p2), where p1≠p2. When a signature is subverted and satisfies double signature extractability, the subverted signature can be deterable by revealing real signature’s signing secret keys to anyone. Unlike these two ring signatures with linkability and traceability[10-13], our DAPRS (double authentication preventing ring signatures) has stronger accountability which leads any two pairs of signatures produced by same member in a ring set to reveal his (or her) secret signing keys. As for linkable ring signatures, it allows anyone to efficiently decide whether any two pairs of signatures are produced by the same member without revealing his (or her) identity. As for traceable ring signatures, it can reveal his (or her) identity if any two signatures are produced by the same member. On the basis of the digital signatures in Refs. [14-16], most designed DAPS based on discrete logarithm problems and large integer factorization problems face new challenges because there exist polynomial computational complexity quantum algorithms to solve the two problems, such as Shor algorithm[17,18]. Hence, it is necessary to study some post quantum secure DAPS.
Lattice-based signature is a cutting-edge cryptographic “technology”. It has several interesting properties, such as high computational efficiency, novel and powerful cryptographic functionalities/applications, strong provable security guarantees, believed “post-quantum” security and so on. Therefore, it is vital for us to study some lattice-based algorithm substitution attacks. While most efficient lattice-based signatures which are a promising post-quantum cryptography belong to Fiat-Shamir signature paradigms (e.g., BLISS[19,20], GLP, PASSSign, Ring-TESLA) and Hash-and-sign paradigms (e.g., GGH, NTRUSign, GPV) at the NIST workshop on post-quantum cryptography. Lattice-based Hash-and-sign paradigm follows that a trapdoor function can be provided by a short lattice basis. Most of them are heuristic security (no actual security proofs) and are relatively inefficient than lattice-based Fiat-Shamir (FS) signature paradigms. Furthermore most lattice-based Hash-and-sign paradigms have unique signatures which are against subversion attacks. Hence we aim at algorithm substitution attacks on FS lattice signature paradigms (FS-LBS). In this paper, we present ASA against those schemes that any three consecutive subverted signatures can extract signing keys. At the same time, we provide some countermeasures against ASA by using DAPS to deter the big brother’s threaten. And we show that our scheme can be applied to some practical architectures based on some concrete experiment analysis.
The remainder of this paper is organized in the following sequence. Section 1 shows some preliminaries and cryptographic knowledge. Section 2 provides some notions about deterable subverted signatures and some design requirements. Section 3 presents our concrete deterable subverted FS-LBS scheme and gives proof of key extraction, undetectability and deterability. In Section 4, we make some parameter analysis and performance evaluation. Finally, we give our conclusions.
Some basic notations have been shown in Table 1.
Note that in ring-SIS, each corresponds to n related vectors in SIS, where n is the degree of . Each of a ring-SIS solution corresponds to a block of n integers, that means and .
Suppose that . Let be a random distribution from a Hash value, and . If a constant M exists, the following distribution
3) Output with probability of and the below distribution
3) Output with probability of is statistically indistinguishable within distance of . In the following, we use the RejectionSample to represent the algorithm.
The Fiat-Shamir type signatures based on lattice consist of algorithms in the following:
1) Pick at random.
2) Choose uniformly random
4) Output a pair of public key and secret key:
3) Compute a value
5) Run the RejectionSample and go to 1) if it rejects.
6) Output a pair of signature
1) Check mod q whether holds or not.
2) Accept if and only if the equation and a small norm holds.
Here with tiny modulus is the subset of . Cryptographic Hash function H outputs a low norm subset of .
A DAPS includes four probability polynomial time (PPT) algorithms (KGen, Sign,Ver, Extract) as follows:
1) Given a security parameter , the algorithm KGen(1λ) outputs public keys pk and private keys sk.
2) The algorithm Sign(sk, a, p) outputs a signature on a pair of public/private key (pk, sk) and a subject/message pair (a, p).
3) The algorithm Ver(pk, a, p, ) outputs either 0 for rejection or 1 for acceptance on pk, (a, p) and .
4) The algorithm Extract outputs the private key sk on input pk, and , where .
A DAPS satisfies two properties of existential unforgeability under chosen message attack (EUF-CMA) and double signature deterability (DSE).
We first provide the threat model in this section. Then we give formal definitions for the syntax of deterable subverted signatures. Compared with regular deterable digital signatures, these schemes need a “extraction key” for their manipulates if there exists a subversion attack. Finally we provide some security and functionality features of a deterable subverted signatures on the basis Refs. [7-9].
Since authentication services of various system models and applications depend upon digital signatures, in the context coerced users who use a DAPS to design some court convincing signatures to refuse big brothers’ (or attackers’) requirements, we construct a subverted signature with a deterable function by using an algorithm substitution attack on double authentication preventing signatures.
Definition 4 A deterable subverted signature for nonsubverted signature SIG includes four PPT algorithms as follows:
1) On inputting a security parameter , this algorithm outputs a subversion key subk.
2) On inputting a subversion key subk, a state l, a private key sk, and a message , the algorithm outputs a subverted signature by an updated status l.
3) On inputting a message , a public key pk and a subverted signature , this algorithm Ver outputs 1 which means accept and outputs 0 which means reject.
4) On inputting a pair of colliding messages , a public key pk, and its corresponding non-subverted signatures , this algorithm Deter outputs the private key sk.
The key extraction algorithm means that anyone including big brothers and attackers can compute the signature private key from known information if he or she makes a signature on a pair of colliding messages.
Definition 5 Assume that is generic signature scheme and is a deterable subverted signatures for SIG. Consider a key extraction game as follows:
1) Using , it can generate a pair of (pk, sk).
2) By the algorithm , it can generate a subversion key subk.
3) For ,
if an adversary ℬ queries every message
Return to ℬ.
4) ℬ outputs by
5) Check the equation whether holds or not. If it holds, return 1. Otherwise, it returns 0.
Given the private key sk and its corresponding public key pair pk, the functionality undetectability means that any users can not find the detecting subversion.
1) Generate a pair of public/private key by the algorithm .
2) By the algorithm , it can generate a subversion key subk.
3) Choose randomly, the game outputs its guess .
4) If , it returns 0, otherwise it returns 1.
is given as follows:
5) If b = 0, compute
Reset(∙) is given as follows: Reset(rti) ∥ rti is a reset query.
For any PPT adversary , if there exists a negligible function satisfyingthe deterable subverted signature is undetectable. It means that the Ver algorithm can output some same results when it is a subverted signature or a normal signature on some same messages.
Deterability means that it can be deterred if there exists algorithm substitution attack on signature scheme.
Definition 7 Given a general signature and a deterrable signature
for SIG, the detera- bility game is given as follows:
1) According to the algorithm , it generates a pair of public/private (pk, sk).
2) Run (pk, sk), then generate .
3) Return 0 if and are not colliding.
4) for i = 1, 2.
5) Return 0 if or .
6) Run , then generate sk’.
7) Return 0 if . Else return 1.
The advantage means that for any PPT adversary , if there exists a negligible function ε(∙) satisfyingthe deterable subverted signature is deterable. It means that our scheme can deter some signatures embedding backdoors.
This section introduces a self-enhancement or subverted attack on Fiat-Shamir type lattice signatures.
Our subverted Fiat-Shamir type lattice-based signatures (FS-LBS) are described as follows:
● Subverted key generation : On inputting a security parameter , a pseudo random Hash function and a random number , the algorithm outputs and F which can be described as subk = (descF, ).
● Subverted sign : On inputting public keys of FS-LBS, message , private keys , subversion key subk and a state , the algorithm outputs as follows.
j ← 0, τ← 0
If mod 2,
3) Compute a value
5) Run the RejectionSample and go to 1) if it rejects.
6) Let and
8) Compute a value
10) Run RejectionSample and go to 1) if it rejects.
11) Set and
j = j + 1
1) Check mod whether holds or not.
2) Accept if and only if the equation and a small norm hold.
If a FS-LBS scheme is subverted, the action of the signer can be found by revealing real signer’s signing secret keys to anyone. When the signing keys is vital for him, in some cases the signer will be punished or the signer will result in great economic losses, or there exist some court convincing reasons to deny big-brother or authority agency demands. Aiming at the subverted lattice-based Fiat-Shamir type signatures, we add a Deter algorithm. Our Deter algorithm makes sure that the lattice-based Fiat-Shamir type signature is against algorithm substitution attack.
On colliding messages and , respectively, anyone can obtain the signing secret key and by solving a linear equation respectively.
Then we present our scheme satisfying Key extraction, Undetectability and Deterability.
Key extraction. From the subverted FS-LBS , we show that the signing private keys of the FS-LBS can be extracted from the . That is to say, any consecutive starting with odd or even index is able to release the signing private keys. Below we give the formal proof.
Theorem 1 Given subverted FS-LBS scheme which outputs any three consecutive signatures, the signing private keys of FS-LBS can be revealed with probability 1.
Proof Given three messages , an adversary ℬ obtains three consecutive subverted FS-LBS , and , respectively.
Compute a value
Undetectability. We show that our constructed subverted FS-LBS scheme is undetectable by Theorem 2.
Theorem 2 Given subverted FS-LBS scheme , the detection advantage is negligible under the assumption of pseudo-random function (PRF) F.
Proof By a sequence of games, we prove the theorem. We define the events of games that is .
Game 1 As before, but we modify Game 0 to use b = 0 for answering ’s queries as Game 0 and to use a uniform random string for substituting b = 1 (j = 1 mod 2) and noncomputed by PRF. A detailed description is given as follows.
If b=0, this game responds to a valid FS-LBS scheme and j = 0, to after receiving every signing query on m and a reset query rt , respectively.
If b = 1, this game carries on as follows:
When does some signing queries on m,
j ←0, τ←0
If j = 0 mod 2
2) Compute and
3) Compute and
4) Calculate and
5) Run the RejectionSample , and return 0 if it accepts.
6) Set and .
1) If , pick randomly uniformly. Else extract and compute
6) Run the RejectionSample and go to 1) if it rejects.
When makes some reset queries rt, set j = 0, .
Aiming at Game 2, we modify this game as Game 1 in the following:
If j = 1 mod 2, whether in or not. If is not checked, is chosen randomly and .
Secondly, we denote Col be the event that for some . Game 1 and Game 2 are both proceeding identically if the algorithm Col can not happen, i.e., .
Due to Game 3, we modify this game as Game 2 in the following:
While makes some reset queries rt, Game 3 is not able to reset j and τ but it answers the adversary ’s other queries by some same ways similar to Game 2.
Finally, the distribution of subverted FS-LBS scheme is identical to the distribution of real FS-LBS scheme except of j=0 mod 2 and j=1 mod 2, because is chosen randomly and depends on . That is to say, though this game can not be able to do anything on receiving these reset queries, this distribution between Game 2 and Game 3 is the same. That also means that cannot be able to obtain any advantages in surmising from inquiring about some signing oracles, i.e., .
Theorem 3 (Deterability). Given FS-LBS scheme, the can be deterable under solving a linear equation with probability 1.
If FS-LBS scheme is subverted, the subverted signature can be found. Due to the solved secret keys, a signature can be verified whether the signature is an original FS-LBS signature or a subverted signature . Hence, the can be deterable by solving a linear equation with probability 1.
As for the storage overhead, it consists of size of pair of public/secret keys and size of signature which is listed in Table 2. The communication cost is determined by the number of j. As for the computational overhead, compared with the Hash functions, the most resource-consuming operation is the multiplication over ring . In the signing process, Ver process and Deter process, the computational overhead is listed in Table 2, where the number of multiplications over ring is linear to the number of j. For simplicity, we denote that PM represents the polynomial point multiplications, PA represents the polynomial additions, PS represents the polynomial subtraction, RS represents polynomial Gauss sampling and H and F represent the Hash functions.
By implementation analysis in Ref. , we can see that there needs at most three consecutive signatures in the subverted FS-LBS which does not affect practicality of the subverted FS-LBS. So in our constructed scheme, we do not consider signature loss. Here we only analyze the security level, size of secret keys (sk), size of public keys (pk) and size of signature for some deterable subverted FS-LBS in Refs. [20, 21, 29-32]. From Tables 2-3, we can see that our deterable subverted signatures have reasonable efficiency in terms of communication cost, computational overhead and storage overhead.
Storage and communication overhead of deterable subverted FS-LBS scheme
Computational overhead of deterable subverted FS-LBS scheme
The implementation is conducted with NFLlib, which is a NTT-based fast lattice cryptography library, on Intel i7-7700 CPU @ 3.60GHz and Ubuntu linux operation system. By statistics, these important algorithm operations mainly consist one polynomial addition, one polynomial multiplication and one polynomial Gaussian. Since the implementation of any Hash function is not included in NFLlib, we test the running time of three hash functions by a HMAC based on SM3 algorithm. The execution time of each cryptographic operation in different parameters is shown in Table 4. Here the execution time of these Hash functions we consider is the same.
Experimental results for proposed deterable subverted FS-LBS of each algorithm are depicted in Fig. 1. We increase the number of j from 2 to 10 for each test to see the time cost of , Ver and Deter algorithm. Here procedure of subversion key generation can be considered as a random number, so we can omit its time consumption.
Fig. 1 Simulation results of our construction for different j, l
Simulation results of our construction for different j, l
On one hand, for different parameters in Table 4, the time consuming of subverted sign algorithm is about 0.1278×l+0.2294×(j-l) ms, 0.1275×l+0.2351 ×(j-l) ms, 0.1895×l+0.3623×(j-l) ms, 0.2084×l+ 0.3789 ×(j-l) ms, 0.4141×l+0.674 4×(j-l) ms for the number of j, l. The time efficiency of Ver algorithm is about 0.3344 ms, 0.3451 ms, 0.5373 ms, 0.5559 ms, 0.9614 ms. The time efficiency of Deter algorithm is about 0.0050 ms, 0.0046 ms, 0.0074 ms, 0.0095 ms, 0.0240 ms. On the other hand, suppose that j =10 and l = 1, 2, 3, 4, 5, according to Fig. 1, we can see that time cost of the total algorithm justifies the feasibility.
The cryptographic operation time in the scheme ms
This paper first explores a novel algorithm substitution method on lattice-based Fiat-Shamir type signature schemes. Based on this, then we provide countermeasures to deterable signature subversion. Security proof shows that our construction satisfies three different security and privacy requirements. Parameter analysis demonstrates that our construction is feasible. In future, we will study our algorithm by widening range of possible schemes that is vulnerable to algorithm substitution attack or by other much more valuable methods and countermeasures on these post quantum secure signatures. In addition, some other possible work will focus on some algorithm substitution attacks on other cryptographic primitives.
- EasttomW. Cryptographic backdoors [C]//Modern Cryptography. Berlin: Springer-Verlag, 2021: 373-383. [Google Scholar]
- PeyrinT, WangH. The Malicious framework: Embedding backdoors into tweakable block ciphers[C]// Proc Annual International Cryptology Conference. Berlin: Springer- Verlag, 2020: 249-278. [Google Scholar]
- DautermanE, Corrigan-GibbsH, MazièresD, et al. True2F:Backdoor-resistant authentication tokens [C]// 2019 IEEE Symposium on Security and Privacy (SP). Washington D C: IEEE, 2019: 398-416. [Google Scholar]
- BallJ, BorgerJ, GreenwaldG. Revealed: How US and UK spy agencies defeat internet privacy and security[J]. The Guardian, 2013, ED-6: 2-8. [Google Scholar]
- BernsteinD J, LangeT, NiederhagenR. Dual EC: A standardized back door[J]. The New Codebreakers-Volume 9100, 2015: 256-281. DOI: https://doi.org/10.1007/978-3-662-49301- 4_17. [Google Scholar]
- BellareM, PatersonK G, RogawayP. Security of symmetric encryption against mass surveillance [C] // Advances in Cryptology, CRYPTO 2014. Berlin:Springer-Verlag, 2014: 1-19. [Google Scholar]
- AtenieseG, MagriB, VenturiD. Subversion-resilient signature schemes [C]// Proceedings of the 22nd ACM SIGSAC Conference on Computer and Communications Security, New York: ACM, 2015: 364-375. [Google Scholar]
- LiuC, ChenR, WangY, et al. Asymmetric subversion attacks on signature schemes [C]// Australasian Conference on Information Security and Privacy. Berlin: Springer-Verlag, 2018: 376-395. [Google Scholar]
- BaekJ, SusiloW, KimJ, et al. Subversion in practice: How to efficiently undermine signatures [C]// IEEE Access, 2019: 376-395. [Google Scholar]
- CatalanoD, FuchsbauerG, SoleimanianA. Double-authentication-preventing signatures in the standard model [C]// International Conference on Security and Cryptography for Networks. Berlin: Springer-Verlag, 2020: 338-358. [Google Scholar]
- PoetteringB, StebilaD. Double-authentication-preventing signatures [C]// ESORICS. Berlin: Springer-Verlag, 2014: 1-22. [Google Scholar]
- BonehD, KimS, NikolaenkoV. Lattice-based DAPS and generalizations: Self-enforcement in signature schemes [C]// International Conference on Applied Cryptography and Network Security. Berlin: Springer-Verlag, 2017: 457-477. [Google Scholar]
- PoetteringB, StebilaD. Short double- and n-times-authenticationpreventing signatures from ECDSA and more [C]// 2018 IEEE European Symposium on Security and Privacy (EuroS&P). Washington D C: IEEE Press, 2018: 273-287. [Google Scholar]
- PoetteringB. Shorter double-authentication preventing signatures for small address spaces [C]//International Conference on Cryptology in Africa, AFRICACRYPT 2018. Lecture Notes in Computer Science. Berlin: Springer-Verlag, 2018: 344-361. [Google Scholar]
- DerlerD, RamacherS, SlamanigD. Generic double-authentication preventing signatures and a post-quantum instantiation [C]// International Conference on Cryptology in Africa. Berlin:Springer-Verlag, 2018: 258-276. [Google Scholar]
- LiuJ H, YuY, JiaJ, et al. Lattice-based double-authentica- tion-preventing ring signature for security and privacy in vehicular Ad-Hoc networks [J]. Tsinghua Science and Technology, 2019, 24(5): 575-584. [Google Scholar]
- LyubashevskyV. Lattice signatures without trapdoors [C]// Annual International Conference on the Theory and Applications of Cryptographic Techniques. Berlin: Springer-Verlag, 2012: 738-755. [Google Scholar]
- ShorP W. Polynomial-time algorithms for prime factorization and discrete logarithms on a quantum computer [J]. SIAM Review, 1999, 41(2): 303-332. [NASA ADS] [CrossRef] [MathSciNet] [Google Scholar]
- AjtaiM. Generating hard instances of lattice problems [C]// Proceedings of the Twenty-Eighth Annual ACM Symposium on Theory of Computing. New York: ACM, 1996: 99-108. [Google Scholar]
- DucasL, DurmusA, LepointT, et al. Lattice signatures and bimodal Gaussians [C]// Annual Cryptology Conference. Berlin: Springer-Verlag, 2013: 40-56. [Google Scholar]
- GüneysuT, LyubashevskyV, PöppelmannT, et al. Practical latticebased cryptography: A signature scheme for embedded systems [C]// International Workshop on Cryptographic Hardware and Embedded Systems, ACM Transactions on Embedded Computter Systems. New York: ACM, 2012: 530-547. [Google Scholar]
- HoffsteinJ, PipherJ, SchanckJ M, et al. Practical signatures from the partial Fourier recovery problem [C]//International Conference on Applied Cryptography and Network Security. Berlin: Springer-Verlag, 2014: 476-493. [Google Scholar]
- AkleylekS, BindelN, BuchmannJ, et al. An efficient lattice based signature scheme with provably secure instantiation [C]// International Conference on Cryptology in Africa. Berlin: Springer-Verlag, 2016: 44-60. [Google Scholar]
- GoldreichO, GoldwasserS, HaleviS. Public-key cryptosystems from lattice reduction problems [C]//Annual International Cryptology Conference. Berlin: Springer-Verlag, 1997: 112-131. [Google Scholar]
- HoffsteinJ, Howgrave-GrahamN, PipherJ, et al. Digital signatures using the NTRU lattice [C]//Cryptographers Track RSA Conference. Berlin: Springer-Verlag, 2003: 122-140. [Google Scholar]
- EspitauT, FouqueP A, GerardB, et al. Loop-abort faults on lattice based signature schemes and key exchange protocols [J]. IEEE Transactions on Computers, 2018, 67(11): 1535-1549. [MathSciNet] [Google Scholar]
- LyubashevskyV, PeikertC, RegevO. On ideal lattices and learning with errors over rings [J]. Journal of the ACM, 2013, 60(6): 1-34. [CrossRef] [Google Scholar]
- BertP, FouqueP A, Roux-LangloisA, et al. Practical implementation of ring-SIS/LWE based signature and IBE [C]//International Conference on Post-Quantum Cryptography. Berlin: Springer-Verlag, 2018: 271-291. [Google Scholar]
- BaiS, GalbraithS D. An improved compression technique for signatures based on learning with errors [C]// Cryptographers’ Track at the RSA Conference. Berlin: Springer- Verlag, 2014: 28-47. [Google Scholar]
- DucasL, KiltzE, LepointT, et al. Crystals-dilithium: A lattice-based digital signature scheme [C]//IACR Transactions on Cryptographic Hardware and Embedded Systems, A Lattice-Based Digital Signature Scheme. New York: IACR, 2018: 238-268. [Google Scholar]
- ChopraA. GLYPH: A new insantiation of the GLP digital signature scheme [C]// IACR Cryptology ePrint Archive. New York: IACR, 2017: 1-14. [Google Scholar]
- DucasL. Accelerating Bliss: The geometry of ternary polynomials[C]// IACR Cryptology ePrint Archive. New York: IACR, 2014: 1-12. [Google Scholar]
- GentryC, PeikertC, VaikuntanathanV. Trapdoors for hard lattices and new cryptographic constructions [C]// Proceedings of the 40th Annual ACM Symposium on Theory of Computing. New York: ACM Press, 2008: 17-20. [Google Scholar]
Current usage metrics show cumulative count of Article Views (full-text article views including HTML views, PDF and ePub downloads, according to the available data) and Abstracts Views on Vision4Press platform.
Data correspond to usage on the plateform after 2015. The current usage metrics is available 48-96 hours after online publication and is updated daily on week days.
Initial download of the metrics may take a while.