A signature scheme from Learning with Truncation

In this paper we revisit the modular lattice signature scheme and its efficient instantiation known as pqNTRUSign. First, we show that a modular lattice signature scheme can be based on a standard lattice problem. As the fundamental problem that needs to be solved by the signer or a potential forger is recovering a lattice vector with a restricted norm, given the least significant bits, we refer to this general class of problems as the “learning with truncation” problem. We show that by replacing the uniform sampling in pqNTRUSign with a bimodal Gaussian sampling, we can further reduce the size of a signature. As an example, we show that the size of the signature can be as low as 4608 bits for a security level of 128 bits. The most significant new contribution, enabled by this Gaussian sam- pling version of pqNTRUSign, is that we can now perform batch verifi- cation, which allows the verifier to check approximately 2000 signatures in a single verification process

Additive twists and a conjecture by Mazur, Rubin and Stein

In this paper, a conjecture of Mazur, Rubin and Stein concerning certain averages of modular symbols is proved. To cover levels that are important for elliptic curves, namely those that are not square-free, we establish results about L-functions with additive twists that are of independent interest

MMSAT: A Scheme for Multimessage Multiuser Signature Aggregation

Post-Quantum (PQ) signature schemes are known for large key and signature sizes, which may inhibit their deployment in real world applications. In this work, we construct a PQ signature scheme MMSAT that is the first such scheme capable of aggregating unrelated messages signed individually by different parties. Our proposal extends the notion of multisignatures, which are signatures that support aggregation of signatures on a single message signed by multiple parties. Multisignatures are especially useful in blockchain applications, where a transaction may be signed by multiple users. The proposed construction achieves significant gains in bandwidth and storage requirements by allowing aggregation of unrelated transactions. Our construction is derived by extending the PASS scheme, and thus the security of our scheme relies on the hardness of the Vandermonde-SIS problem. When aggregated, a signature consists of two parts. The first part is a post-quantum size signature that grows very slowly, scaling by on the order of~$\log{K}$ bits for~$K$ signatures. The second part scales linearly with~$K$, with a very short fixed cost, roughly twice the bit security. Thus even when aggregating a modest number of signatures, the per signature cost of MMSAT is in line with that of traditional pre-quantum signature schemes such as ECDSA. As an extension to MMSAT, we describe a variant called MMSATK in which it the public keys required to verify an aggregated signature are compressed by a factor of~$20$ to~$30$

A signature scheme from the finite field isomorphism problem

In a recent paper the authors and their collaborators proposed a new hard problem, called the finite field isomorphism problem, and they used it to construct a fully homomorphic encryption scheme. In this paper, we investigate how one might build a digital signature scheme from this new problem. Intuitively, the hidden field isomorphism allows us to convert short vectors in the underlying lattice of one field into generic looking vectors in an isomorphic field

Modular lattice signatures, revisited

In this paper we revisit the modular lattice signature scheme and its efficient instantiation known as pqNTRUSign. First, we show that a modular lattice signature scheme can be based on a standard lattice problem. The fundamental problem that needs to be solved by the signer or a potential forger is recovering a lattice vector with a restricted norm, given the least significant bits. We show that this problem is equivalent to the short integer solution (SIS) problem over the corresponding lattice. In addition, we show that by replacing the uniform sampling in pqNTRUSign with a bimodal Gaussian sampling, we can further reduce the size of a signature. An important new contribution, enabled by this Gaussian sampling version of pqNTRUSign, is that we can now perform batch verification of messages signed by the same public key, which allows the verifier to check approximately 24 signatures in a single verification process

Fully Homomorphic Encryption from the Finite Field Isomorphism Problem

If $q$ is a prime and $n$ is a positive integer then any two finite fields of order $q^n$ are isomorphic. Elements of these fields can be thought of as polynomials with coefficients chosen modulo $q$, and a notion of length can be associated to these polynomials. A non-trivial isomorphism between the fields, in general, does not preserve this length, and a short element in one field will usually have an image in the other field with coefficients appearing to be randomly and uniformly distributed modulo $q$. This key feature allows us to create a new family of cryptographic constructions based on the difficulty of recovering a secret isomorphism between two finite fields. In this paper we describe a fully homomorphic encryption scheme based on this new hard problem

Toroidal automorphic forms, Waldspurger periods and double Dirichlet series

The space of toroidal automorphic forms was introduced by Zagier in the 1970s: a GL_2-automorphic form is toroidal if it has vanishing constant Fourier coefficients along all embedded non-split tori. The interest in this space stems (amongst others) from the fact that an Eisenstein series of weight s is toroidal for a given torus precisely if s is a non-trivial zero of the zeta function of the quadratic field corresponding to the torus. In this paper, we study the structure of the space of toroidal automorphic forms for an arbitrary number field F. We prove that it decomposes into a space spanned by all derivatives up to order n-1 of an Eisenstein series of weight s and class group character omega precisely if s is a zero of order n of the L-series corresponding to omega at s, and a space consisting of exactly those cusp forms the central value of whose L-series is zero. The proofs are based on an identity of Hecke for toroidal integrals of Eisenstein series and a result of Waldspurger about toroidal integrals of cusp forms combined with non-vanishing results for twists of L-series proven by the method of double Dirichlet series.Comment: 14 page

A Subfield Lattice Attack on Overstretched NTRU Assumptions:Cryptanalysis of Some FHE and Graded Encoding Schemes

International audienc