Open Access
Wuhan Univ. J. Nat. Sci.
Volume 27, Number 1, March 2022
Page(s) 17 - 25
Published online 16 March 2022

© Wuhan University 2022

Licence Creative CommonsThis is an Open Access article distributed under the terms of the Creative Commons Attribution License (, which permits unrestricted use, distribution, and reproduction in any medium, provided the original work is properly cited.

0 Introduction

Since the first computer was intruded, hackers have been developing the technology of “backdoor” which allows them to enter the system again. The main functions of the backdoor is that it has no ability to prevent the system manager from entering this system again and discover these hackers. Many techniques have been used in this “backdoor”, such as intercepting postal shipping to steal and substitute networking hardware, sabotaging Internet routers, injecting malware, installing backdoors, wire-tapping undersea cables and so on [1-3].

In 2013, Edward Snowden brought shocking news that many ongoing surveillance programs with an underlying “backdoor” target at citizens conducting by National Security Agency (NSA) and partners from all over the world [4]. A typical example is a pseudorandom generator (PRG) named Dual_EC_ DRBG backdoored by NSA, from NIST (National Institute of Standards and Technology). After choosing a few concrete parameters employed in the PRG, an attacker or any adversary is not able to differentiate exports on PRG from any random number but can forecast following exports[5]. In this circumstances, post-Snowden cryptography attracts much of attentions in recent years.

As one of the research topics in post-Snowden cryptography, the notion of algorithm substitution attack (ASA) was formalized by Bellare et al[6] in some semantics from algorithms named symmetric encryption algorithms. The ASA method is capable of any attacker or old big brother to substitute a few of pieces of randomized encryption algorithms or signature algorithms with a modified one such that it can leak secret keys subliminally and undetectably to the adversary. Ateniese et al[7] first proposed a model of ASA on signature schemes, however, the subverted signature is generic and inefficient. Then Liu et al[8] introduced a much high efficient ASA method about one affirmatory crowd in some signature schemes. Recently, Beak et al[9] presented a much more efficient and undetectable method ASA from a classical DSA (digital signature algorithm) digital signature. At present most proposed subverted signatures only consider how to subvert signature schemes, there still needs some countermeasures to address big brother’s threat, while a new proposed signatures named double authentication preventing signatures can be used to deter this kind of big brother’s action.

The double authentication preventing signatures (DAPS) are a class of extraordinary digital signatures with double signatures extractability which means deterable when there exist two different signatures from messages (m0, p1) and (m0, p2), where p1p2. When a signature is subverted and satisfies double signature extractability, the subverted signature can be deterable by revealing real signature’s signing secret keys to anyone. Unlike these two ring signatures with linkability and traceability[10-13], our DAPRS (double authentication preventing ring signatures) has stronger accountability which leads any two pairs of signatures produced by same member in a ring set to reveal his (or her) secret signing keys. As for linkable ring signatures, it allows anyone to efficiently decide whether any two pairs of signatures are produced by the same member without revealing his (or her) identity. As for traceable ring signatures, it can reveal his (or her) identity if any two signatures are produced by the same member. On the basis of the digital signatures in Refs. [14-16], most designed DAPS based on discrete logarithm problems and large integer factorization problems face new challenges because there exist polynomial computational complexity quantum algorithms to solve the two problems, such as Shor algorithm[17,18]. Hence, it is necessary to study some post quantum secure DAPS.

Lattice-based signature is a cutting-edge cryptographic “technology”. It has several interesting properties, such as high computational efficiency, novel and powerful cryptographic functionalities/applications, strong provable security guarantees, believed “post-quantum” security and so on. Therefore, it is vital for us to study some lattice-based algorithm substitution attacks. While most efficient lattice-based signatures which are a promising post-quantum cryptography belong to Fiat-Shamir signature paradigms (e.g., BLISS[19,20], GLP[21], PASSSign[22], Ring-TESLA[23]) and Hash-and-sign paradigms (e.g., GGH[24], NTRUSign[25], GPV[25]) at the NIST workshop on post-quantum cryptography. Lattice-based Hash-and-sign paradigm follows that a trapdoor function can be provided by a short lattice basis. Most of them are heuristic security (no actual security proofs) and are relatively inefficient than lattice-based Fiat-Shamir (FS) signature paradigms[26]. Furthermore most lattice-based Hash-and-sign paradigms have unique signatures which are against subversion attacks[7]. Hence we aim at algorithm substitution attacks on FS lattice signature paradigms (FS-LBS). In this paper, we present ASA against those schemes that any three consecutive subverted signatures can extract signing keys. At the same time, we provide some countermeasures against ASA by using DAPS to deter the big brother’s threaten. And we show that our scheme can be applied to some practical architectures based on some concrete experiment analysis.

The remainder of this paper is organized in the following sequence. Section 1 shows some preliminaries and cryptographic knowledge. Section 2 provides some notions about deterable subverted signatures and some design requirements. Section 3 presents our concrete deterable subverted FS-LBS scheme and gives proof of key extraction, undetectability and deterability. In Section 4, we make some parameter analysis and performance evaluation. Finally, we give our conclusions.

1 Preliminaries

1.1 Notations

Some basic notations have been shown in Table 1.

Table 1


1.2 Cryptographic Problems on Lattices

Definition 1   (Ring-SISq,m,β[27,28]) Given m uniformly elements at random and let , search a vector but not zero vector with the relation satisfying

Note that in ring-SIS, each corresponds to n related vectors in SIS, where n is the degree of . Each of a ring-SIS solution corresponds to a block of n integers, that means and .

Definition 2   (Ring-LWE [27,28]) Given m uniformly elements at random and let , this algorithm is to search a vector satisfying , here .

Definition 3   (Rejection sampling lemma [29-33])

Suppose that . Let be a random distribution from a Hash value, and . If a constant M exists, the following distribution



3) Output with probability of and the below distribution



3) Output with probability of is statistically indistinguishable within distance of . In the following, we use the RejectionSample to represent the algorithm.

1.3 Description of Lattice Based Fiat-Shamir Type Signature Schemes

The Fiat-Shamir type signatures based on lattice consist of algorithms in the following:

Key Generation:

1) Pick at random.

2) Choose uniformly random

3) Compute

4) Output a pair of public key and secret key:

Sign :

Select two random numbers

2) Calculate

3) Compute a value

4) Obtain

5) Run the RejectionSample and go to 1) if it rejects.

6) Output a pair of signature

Verify :

1) Check mod q whether holds or not.

2) Accept if and only if the equation and a small norm holds.

Here with tiny modulus is the subset of . Cryptographic Hash function H outputs a low norm subset of .

1.4 Double Authentication Preventing Signatures

A DAPS includes four probability polynomial time (PPT) algorithms (KGen, Sign,Ver, Extract) as follows:

1) Given a security parameter , the algorithm KGen(1λ) outputs public keys pk and private keys sk.

2) The algorithm Sign(sk, a, p) outputs a signature on a pair of public/private key (pk, sk) and a subject/message pair (a, p).

3) The algorithm Ver(pk, a, p, ) outputs either 0 for rejection or 1 for acceptance on pk, (a, p) and .

4) The algorithm Extract outputs the private key sk on input pk, and , where .

A DAPS satisfies two properties of existential unforgeability under chosen message attack (EUF-CMA) and double signature deterability (DSE)[13].

2 Our Deterable Subverted Signatures

We first provide the threat model in this section. Then we give formal definitions for the syntax of deterable subverted signatures. Compared with regular deterable digital signatures, these schemes need a “extraction key” for their manipulates if there exists a subversion attack. Finally we provide some security and functionality features of a deterable subverted signatures on the basis Refs. [7-9].

2.1 Threat Model

Since authentication services of various system models and applications depend upon digital signatures, in the context coerced users who use a DAPS to design some court convincing signatures to refuse big brothers’ (or attackers’) requirements, we construct a subverted signature with a deterable function by using an algorithm substitution attack on double authentication preventing signatures.

2.2 Notions of Deterable Subverted Signatures

Definition 4   A deterable subverted signature for nonsubverted signature SIG includes four PPT algorithms as follows:

1) On inputting a security parameter , this algorithm outputs a subversion key subk.

2) On inputting a subversion key subk, a state l, a private key sk, and a message , the algorithm outputs a subverted signature by an updated status l.

3) On inputting a message , a public key pk and a subverted signature , this algorithm Ver outputs 1 which means accept and outputs 0 which means reject.

4) On inputting a pair of colliding messages , a public key pk, and its corresponding non-subverted signatures , this algorithm Deter outputs the private key sk.

2.3 Security and Functionality Features

The key extraction algorithm means that anyone including big brothers and attackers can compute the signature private key from known information if he or she makes a signature on a pair of colliding messages.

Definition 5   Assume that is generic signature scheme and is a deterable subverted signatures for SIG. Consider a key extraction game as follows:

1) Using , it can generate a pair of (pk, sk).

2) By the algorithm , it can generate a subversion key subk.

3) For ,


if an adversary ℬ queries every message

Return to ℬ.

4) ℬ outputs by

5) Check the equation whether holds or not. If it holds, return 1. Otherwise, it returns 0.

Define an advantage

Given the private key sk and its corresponding public key pair pk, the functionality undetectability means that any users can not find the detecting subversion.

Definition 6   Assume that a general signature and a deterable signaturefor SIG. Consider an undetectability game

as follows:

1) Generate a pair of public/private key by the algorithm .

2) By the algorithm , it can generate a subversion key subk.

3) Choose randomly, the game outputs its guess .

4) If , it returns 0, otherwise it returns 1.

is given as follows:

5) If b = 0, compute

6) If b = 1, compute

7) Return

Reset(∙) is given as follows: Reset(rti) ∥ rti is a reset query.

Define advantage

For any PPT adversary , if there exists a negligible function satisfyingthe deterable subverted signature is undetectable. It means that the Ver algorithm can output some same results when it is a subverted signature or a normal signature on some same messages.

Deterability means that it can be deterred if there exists algorithm substitution attack on signature scheme.

Definition 7   Given a general signature and a deterrable signature

for SIG, the detera- bility game is given as follows:

1) According to the algorithm , it generates a pair of public/private (pk, sk).

2) Run (pk, sk), then generate .

3) Return 0 if and are not colliding.

4) for i = 1, 2.

5) Return 0 if or .

6) Run , then generate sk’.

7) Return 0 if . Else return 1.

We define the advantage

The advantage means that for any PPT adversary , if there exists a negligible function ε(∙) satisfyingthe deterable subverted signature is deterable. It means that our scheme can deter some signatures embedding backdoors.

3 Our Deterable Subverted Lattice Based Fiat-Shamir Type Signatures

This section introduces a self-enhancement or subverted attack on Fiat-Shamir type lattice signatures.

Our subverted Fiat-Shamir type lattice-based signatures (FS-LBS) are described as follows:

● Subverted key generation : On inputting a security parameter , a pseudo random Hash function and a random number , the algorithm outputs and F which can be described as subk = (descF, ).

● Subverted sign : On inputting public keys of FS-LBS, message , private keys , subversion key subk and a state , the algorithm outputs as follows.

j ← 0, τ← 0

If mod 2,

1) Select two random numbers

2) Calculate

3) Compute a value

4) Obtain

5) Run the RejectionSample and go to 1) if it rejects.

6) Let and


7) Calculate

8) Compute a value

9) Obtain

10) Run RejectionSample and go to 1) if it rejects.

11) Set and

j = j + 1


Return (

Verify :

1) Check mod whether holds or not.

2) Accept if and only if the equation and a small norm hold.

If a FS-LBS scheme is subverted, the action of the signer can be found by revealing real signer’s signing secret keys to anyone. When the signing keys is vital for him, in some cases the signer will be punished or the signer will result in great economic losses, or there exist some court convincing reasons to deny big-brother or authority agency demands. Aiming at the subverted lattice-based Fiat-Shamir type signatures, we add a Deter algorithm. Our Deter algorithm makes sure that the lattice-based Fiat-Shamir type signature is against algorithm substitution attack.

● Deter

By the principle of DAPS, if there exists two FS-LBS signatures

On colliding messages and , respectively, anyone can obtain the signing secret key and by solving a linear equation respectively.

Then we present our scheme satisfying Key extraction, Undetectability and Deterability.

Key extraction. From the subverted FS-LBS , we show that the signing private keys of the FS-LBS can be extracted from the . That is to say, any consecutive starting with odd or even index is able to release the signing private keys. Below we give the formal proof.

Theorem 1   Given subverted FS-LBS scheme which outputs any three consecutive signatures, the signing private keys of FS-LBS can be revealed with probability 1.

Proof   Given three messages , an adversary ℬ obtains three consecutive subverted FS-LBS , and , respectively.

If mod 2, by using ℬ’s subversion keys subk , compute signing keys as follows:


Compute a value


Return .

If j = 1 mod 2, j + 1 = 0 mod 2. ℬ chooses and to compute the signing keys by using the same method as above, so ℬ can compute the signing keys by the subverted signature algorithm . Hence,

Undetectability. We show that our constructed subverted FS-LBS scheme is undetectable by Theorem 2.

Theorem 2   Given subverted FS-LBS scheme , the detection advantage is negligible under the assumption of pseudo-random function (PRF) F.

Proof   By a sequence of games, we prove the theorem. We define the events of games that is .

Game 0. The original undetectability game Detect

Game 1   As before, but we modify Game 0 to use b = 0 for answering ’s queries as Game 0 and to use a uniform random string for substituting b = 1 (j = 1 mod 2) and noncomputed by PRF. A detailed description is given as follows.

If b=0, this game responds to a valid FS-LBS scheme and j = 0, to after receiving every signing query on m and a reset query rt , respectively.

If b = 1, this game carries on as follows:

When does some signing queries on m,

j ←0, τ←0

If j = 0 mod 2

1) Pick

2) Compute and

3) Compute and

4) Calculate and

5) Run the RejectionSample , and return 0 if it accepts.

6) Set and .


1) If , pick randomly uniformly. Else extract and compute

2) ,




6) Run the RejectionSample and go to 1) if it rejects.

7) Set ,


When makes some reset queries rt, set j = 0, .

First, Game 0 and Game 1 are indistinguishable by the distinguishing between PRF and some random functions, i.e.,

Aiming at Game 2, we modify this game as Game 1 in the following:

If j = 1 mod 2, whether in or not. If is not checked, is chosen randomly and .

Secondly, we denote Col be the event that for some . Game 1 and Game 2 are both proceeding identically if the algorithm Col can not happen, i.e., .

Due to Game 3, we modify this game as Game 2 in the following:

While makes some reset queries rt, Game 3 is not able to reset j and τ but it answers the adversary ’s other queries by some same ways similar to Game 2.

Finally, the distribution of subverted FS-LBS scheme is identical to the distribution of real FS-LBS scheme except of j=0 mod 2 and j=1 mod 2, because is chosen randomly and depends on . That is to say, though this game can not be able to do anything on receiving these reset queries, this distribution between Game 2 and Game 3 is the same. That also means that cannot be able to obtain any advantages in surmising from inquiring about some signing oracles, i.e., .

Taking all together, we have

Theorem 3   (Deterability). Given FS-LBS scheme, the can be deterable under solving a linear equation with probability 1.

Proof   When FS-LBS scheme is not subverted, assume that an adversary gets two FS-LBS signatures on colliding messages . By the signature algorithm of FS-LBS, has the following relations:

There are four linear equations with four unknown information on . So these unknown information can be solved, i.e.,

If FS-LBS scheme is subverted, the subverted signature can be found. Due to the solved secret keys, a signature can be verified whether the signature is an original FS-LBS signature or a subverted signature . Hence, the can be deterable by solving a linear equation with probability 1.

4 Parameter Analysis

4.1 Numerical Analysis

This part first numerically makes some efficiency of our deterable subverted FS-LBS scheme in terms of storage overhead and computational overhead which are listed in Table 2 and Table 3.

As for the storage overhead, it consists of size of pair of public/secret keys and size of signature which is listed in Table 2. The communication cost is determined by the number of j. As for the computational overhead, compared with the Hash functions, the most resource-consuming operation is the multiplication over ring . In the signing process, Ver process and Deter process, the computational overhead is listed in Table 2, where the number of multiplications over ring is linear to the number of j. For simplicity, we denote that PM represents the polynomial point multiplications, PA represents the polynomial additions, PS represents the polynomial subtraction, RS represents polynomial Gauss sampling and H and F represent the Hash functions.

By implementation analysis in Ref. [9], we can see that there needs at most three consecutive signatures in the subverted FS-LBS which does not affect practicality of the subverted FS-LBS. So in our constructed scheme, we do not consider signature loss. Here we only analyze the security level, size of secret keys (sk), size of public keys (pk) and size of signature for some deterable subverted FS-LBS in Refs. [20, 21, 29-32]. From Tables 2-3, we can see that our deterable subverted signatures have reasonable efficiency in terms of communication cost, computational overhead and storage overhead.

Table 2

Storage and communication overhead of deterable subverted FS-LBS scheme

Table 3

Computational overhead of deterable subverted FS-LBS scheme

4.2 Implementation

The implementation is conducted with NFLlib, which is a NTT-based fast lattice cryptography library, on Intel i7-7700 CPU @ 3.60GHz and Ubuntu linux operation system. By statistics, these important algorithm operations mainly consist one polynomial addition, one polynomial multiplication and one polynomial Gaussian. Since the implementation of any Hash function is not included in NFLlib, we test the running time of three hash functions by a HMAC based on SM3 algorithm. The execution time of each cryptographic operation in different parameters is shown in Table 4. Here the execution time of these Hash functions we consider is the same.

Experimental results for proposed deterable subverted FS-LBS of each algorithm are depicted in Fig. 1. We increase the number of j from 2 to 10 for each test to see the time cost of , Ver and Deter algorithm. Here procedure of subversion key generation can be considered as a random number, so we can omit its time consumption.

thumbnail Fig. 1 Simulation results of our construction for different j, l

Simulation results of our construction for different j, l

On one hand, for different parameters in Table 4, the time consuming of subverted sign algorithm is about 0.1278×l+0.2294×(j-l) ms, 0.1275×l+0.2351 ×(j-l) ms, 0.1895×l+0.3623×(j-l) ms, 0.2084×l+ 0.3789 ×(j-l) ms, 0.4141×l+0.674 4×(j-l) ms for the number of j, l. The time efficiency of Ver algorithm is about 0.3344 ms, 0.3451 ms, 0.5373 ms, 0.5559 ms, 0.9614 ms. The time efficiency of Deter algorithm is about 0.0050 ms, 0.0046 ms, 0.0074 ms, 0.0095 ms, 0.0240 ms. On the other hand, suppose that j =10 and l = 1, 2, 3, 4, 5, according to Fig. 1, we can see that time cost of the total algorithm justifies the feasibility.

Table 4

The cryptographic operation time in the scheme ms

5 Conclusion

This paper first explores a novel algorithm substitution method on lattice-based Fiat-Shamir type signature schemes. Based on this, then we provide countermeasures to deterable signature subversion. Security proof shows that our construction satisfies three different security and privacy requirements. Parameter analysis demonstrates that our construction is feasible. In future, we will study our algorithm by widening range of possible schemes that is vulnerable to algorithm substitution attack or by other much more valuable methods and countermeasures on these post quantum secure signatures. In addition, some other possible work will focus on some algorithm substitution attacks on other cryptographic primitives.


  1. EasttomW. Cryptographic backdoors [C]//Modern Cryptography. Berlin: Springer-Verlag, 2021: 373-383. [Google Scholar]
  2. PeyrinT, WangH. The Malicious framework: Embedding backdoors into tweakable block ciphers[C]// Proc Annual International Cryptology Conference. Berlin: Springer- Verlag, 2020: 249-278. [Google Scholar]
  3. DautermanE, Corrigan-GibbsH, MazièresD, et al. True2F:Backdoor-resistant authentication tokens [C]// 2019 IEEE Symposium on Security and Privacy (SP). Washington D C: IEEE, 2019: 398-416. [Google Scholar]
  4. BallJ, BorgerJ, GreenwaldG. Revealed: How US and UK spy agencies defeat internet privacy and security[J]. The Guardian, 2013, ED-6: 2-8. [Google Scholar]
  5. BernsteinD J, LangeT, NiederhagenR. Dual EC: A standardized back door[J]. The New Codebreakers-Volume 9100, 2015: 256-281. DOI: 4_17. [Google Scholar]
  6. BellareM, PatersonK G, RogawayP. Security of symmetric encryption against mass surveillance [C] // Advances in Cryptology, CRYPTO 2014. Berlin:Springer-Verlag, 2014: 1-19. [Google Scholar]
  7. AtenieseG, MagriB, VenturiD. Subversion-resilient signature schemes [C]// Proceedings of the 22nd ACM SIGSAC Conference on Computer and Communications Security, New York: ACM, 2015: 364-375. [Google Scholar]
  8. LiuC, ChenR, WangY, et al. Asymmetric subversion attacks on signature schemes [C]// Australasian Conference on Information Security and Privacy. Berlin: Springer-Verlag, 2018: 376-395. [Google Scholar]
  9. BaekJ, SusiloW, KimJ, et al. Subversion in practice: How to efficiently undermine signatures [C]// IEEE Access, 2019: 376-395. [Google Scholar]
  10. CatalanoD, FuchsbauerG, SoleimanianA. Double-authentication-preventing signatures in the standard model [C]// International Conference on Security and Cryptography for Networks. Berlin: Springer-Verlag, 2020: 338-358. [Google Scholar]
  11. PoetteringB, StebilaD. Double-authentication-preventing signatures [C]// ESORICS. Berlin: Springer-Verlag, 2014: 1-22. [Google Scholar]
  12. BonehD, KimS, NikolaenkoV. Lattice-based DAPS and generalizations: Self-enforcement in signature schemes [C]// International Conference on Applied Cryptography and Network Security. Berlin: Springer-Verlag, 2017: 457-477. [Google Scholar]
  13. PoetteringB, StebilaD. Short double- and n-times-authenticationpreventing signatures from ECDSA and more [C]// 2018 IEEE European Symposium on Security and Privacy (EuroS&P). Washington D C: IEEE Press, 2018: 273-287. [Google Scholar]
  14. PoetteringB. Shorter double-authentication preventing signatures for small address spaces [C]//International Conference on Cryptology in Africa, AFRICACRYPT 2018. Lecture Notes in Computer Science. Berlin: Springer-Verlag, 2018: 344-361. [Google Scholar]
  15. DerlerD, RamacherS, SlamanigD. Generic double-authentication preventing signatures and a post-quantum instantiation [C]// International Conference on Cryptology in Africa. Berlin:Springer-Verlag, 2018: 258-276. [Google Scholar]
  16. LiuJ H, YuY, JiaJ, et al. Lattice-based double-authentica- tion-preventing ring signature for security and privacy in vehicular Ad-Hoc networks [J]. Tsinghua Science and Technology, 2019, 24(5): 575-584. [Google Scholar]
  17. LyubashevskyV. Lattice signatures without trapdoors [C]// Annual International Conference on the Theory and Applications of Cryptographic Techniques. Berlin: Springer-Verlag, 2012: 738-755. [Google Scholar]
  18. ShorP W. Polynomial-time algorithms for prime factorization and discrete logarithms on a quantum computer [J]. SIAM Review, 1999, 41(2): 303-332. [NASA ADS] [CrossRef] [MathSciNet] [Google Scholar]
  19. AjtaiM. Generating hard instances of lattice problems [C]// Proceedings of the Twenty-Eighth Annual ACM Symposium on Theory of Computing. New York: ACM, 1996: 99-108. [Google Scholar]
  20. DucasL, DurmusA, LepointT, et al. Lattice signatures and bimodal Gaussians [C]// Annual Cryptology Conference. Berlin: Springer-Verlag, 2013: 40-56. [Google Scholar]
  21. GüneysuT, LyubashevskyV, PöppelmannT, et al. Practical latticebased cryptography: A signature scheme for embedded systems [C]// International Workshop on Cryptographic Hardware and Embedded Systems, ACM Transactions on Embedded Computter Systems. New York: ACM, 2012: 530-547. [Google Scholar]
  22. HoffsteinJ, PipherJ, SchanckJ M, et al. Practical signatures from the partial Fourier recovery problem [C]//International Conference on Applied Cryptography and Network Security. Berlin: Springer-Verlag, 2014: 476-493. [Google Scholar]
  23. AkleylekS, BindelN, BuchmannJ, et al. An efficient lattice based signature scheme with provably secure instantiation [C]// International Conference on Cryptology in Africa. Berlin: Springer-Verlag, 2016: 44-60. [Google Scholar]
  24. GoldreichO, GoldwasserS, HaleviS. Public-key cryptosystems from lattice reduction problems [C]//Annual International Cryptology Conference. Berlin: Springer-Verlag, 1997: 112-131. [Google Scholar]
  25. HoffsteinJ, Howgrave-GrahamN, PipherJ, et al. Digital signatures using the NTRU lattice [C]//Cryptographers Track RSA Conference. Berlin: Springer-Verlag, 2003: 122-140. [Google Scholar]
  26. EspitauT, FouqueP A, GerardB, et al. Loop-abort faults on lattice based signature schemes and key exchange protocols [J]. IEEE Transactions on Computers, 2018, 67(11): 1535-1549. [MathSciNet] [Google Scholar]
  27. LyubashevskyV, PeikertC, RegevO. On ideal lattices and learning with errors over rings [J]. Journal of the ACM, 2013, 60(6): 1-34. [CrossRef] [Google Scholar]
  28. BertP, FouqueP A, Roux-LangloisA, et al. Practical implementation of ring-SIS/LWE based signature and IBE [C]//International Conference on Post-Quantum Cryptography. Berlin: Springer-Verlag, 2018: 271-291. [Google Scholar]
  29. BaiS, GalbraithS D. An improved compression technique for signatures based on learning with errors [C]// CryptographersTrack at the RSA Conference. Berlin: Springer- Verlag, 2014: 28-47. [Google Scholar]
  30. DucasL, KiltzE, LepointT, et al. Crystals-dilithium: A lattice-based digital signature scheme [C]//IACR Transactions on Cryptographic Hardware and Embedded Systems, A Lattice-Based Digital Signature Scheme. New York: IACR, 2018: 238-268. [Google Scholar]
  31. ChopraA. GLYPH: A new insantiation of the GLP digital signature scheme [C]// IACR Cryptology ePrint Archive. New York: IACR, 2017: 1-14. [Google Scholar]
  32. DucasL. Accelerating Bliss: The geometry of ternary polynomials[C]// IACR Cryptology ePrint Archive. New York: IACR, 2014: 1-12. [Google Scholar]
  33. GentryC, PeikertC, VaikuntanathanV. Trapdoors for hard lattices and new cryptographic constructions [C]// Proceedings of the 40th Annual ACM Symposium on Theory of Computing. New York: ACM Press, 2008: 17-20. [Google Scholar]

All Tables

Table 1


Table 2

Storage and communication overhead of deterable subverted FS-LBS scheme

Table 3

Computational overhead of deterable subverted FS-LBS scheme

Table 4

The cryptographic operation time in the scheme ms

All Figures

thumbnail Fig. 1 Simulation results of our construction for different j, l

Simulation results of our construction for different j, l

In the text

Current usage metrics show cumulative count of Article Views (full-text article views including HTML views, PDF and ePub downloads, according to the available data) and Abstracts Views on Vision4Press platform.

Data correspond to usage on the plateform after 2015. The current usage metrics is available 48-96 hours after online publication and is updated daily on week days.

Initial download of the metrics may take a while.