approximate trapdoors for lattices and smaller hash-and ... · scheme assumption, feature pk size...
TRANSCRIPT
![Page 1: Approximate Trapdoors for Lattices and Smaller Hash-and ... · Scheme Assumption, feature PK size Signature size Falcon NTRU, trapdoor 0.9 kB 0.6 kB Dilithium MLWE, rejection sampling](https://reader030.vdocument.in/reader030/viewer/2022040519/5e778682183c86537c092354/html5/thumbnails/1.jpg)
Approximate trapdoors for lattices & smaller hash-and-sign signatures
Yilei Chen Nicholas Genise Pratyay Mukherjee Visa Research UCSD -> Rutgers Visa Research
![Page 2: Approximate Trapdoors for Lattices and Smaller Hash-and ... · Scheme Assumption, feature PK size Signature size Falcon NTRU, trapdoor 0.9 kB 0.6 kB Dilithium MLWE, rejection sampling](https://reader030.vdocument.in/reader030/viewer/2022040519/5e778682183c86537c092354/html5/thumbnails/2.jpg)
Lattice signatures in NIST PQC (128-bit security)
Scheme Assumption, feature PK size Signature size
Falcon NTRU, trapdoor 0.9 kB 0.6 kB
Dilithium MLWE, rejection sampling 1.5 kB 2.7 kB
q-Tesla RingLWE, rejection sampling 4.1 kB 3.1 kB
![Page 3: Approximate Trapdoors for Lattices and Smaller Hash-and ... · Scheme Assumption, feature PK size Signature size Falcon NTRU, trapdoor 0.9 kB 0.6 kB Dilithium MLWE, rejection sampling](https://reader030.vdocument.in/reader030/viewer/2022040519/5e778682183c86537c092354/html5/thumbnails/3.jpg)
Lattice signatures in NIST PQC (128-bit security)
Scheme Assumption, feature PK size Signature size
Falcon NTRU, trapdoor 0.9 kB 0.6 kB
Dilithium MLWE, rejection sampling 1.5 kB 2.7 kB
q-Tesla RingLWE, rejection sampling 4.1 kB 3.1 kB
GPV08+MP12 RingLWE, trapdoor ??? ???
![Page 4: Approximate Trapdoors for Lattices and Smaller Hash-and ... · Scheme Assumption, feature PK size Signature size Falcon NTRU, trapdoor 0.9 kB 0.6 kB Dilithium MLWE, rejection sampling](https://reader030.vdocument.in/reader030/viewer/2022040519/5e778682183c86537c092354/html5/thumbnails/4.jpg)
Scheme Assumption, feature PK size Signature size
Falcon NTRU, trapdoor 0.9 kB 0.6 kB
Dilithium MLWE, rejection sampling 1.5 kB 2.7 kB
q-Tesla RingLWE, rejection sampling 4.1 kB 3.1 kB
GPV08+MP12 RingLWE, trapdoor 35 kB* 25 kB**Relatively close to the textbook schemes, without heavy optimizations.[BB13] Rachid El Bansarkhani and Johannes A. Buchmann. Improvement and efficient implementation of a lattice-based signature scheme.[GPRRS18] Kamil Doruk Gur, Yuriy Polyakov, Kurt Rohloff, Gerard W Ryan, and Erkay Savas. Implementation and evaluation of improved gaussian sampling for lattice trapdoors.
Lattice signatures in NIST PQC (128-bit security)
![Page 5: Approximate Trapdoors for Lattices and Smaller Hash-and ... · Scheme Assumption, feature PK size Signature size Falcon NTRU, trapdoor 0.9 kB 0.6 kB Dilithium MLWE, rejection sampling](https://reader030.vdocument.in/reader030/viewer/2022040519/5e778682183c86537c092354/html5/thumbnails/5.jpg)
Scheme Assumption, feature PK size Signature size
Falcon NTRU, trapdoor 0.9 kB 0.6 kB
Dilithium MLWE, rejection sampling 1.5 kB 2.7 kB
q-Tesla RingLWE, rejection sampling 4.1 kB 3.1 kB
GPV08+MP12 RingLWE, trapdoor 35 kB* 25 kB*This work RingLWE, approximate trapdoor Smaller ! Smaller !
Lattice signatures in NIST PQC (128-bit security)
![Page 6: Approximate Trapdoors for Lattices and Smaller Hash-and ... · Scheme Assumption, feature PK size Signature size Falcon NTRU, trapdoor 0.9 kB 0.6 kB Dilithium MLWE, rejection sampling](https://reader030.vdocument.in/reader030/viewer/2022040519/5e778682183c86537c092354/html5/thumbnails/6.jpg)
The rest of the talk:1. Recall GPV signature with exact trapdoors.2. Approximate trapdoor construction and analysis*.3. Parameters.
![Page 7: Approximate Trapdoors for Lattices and Smaller Hash-and ... · Scheme Assumption, feature PK size Signature size Falcon NTRU, trapdoor 0.9 kB 0.6 kB Dilithium MLWE, rejection sampling](https://reader030.vdocument.in/reader030/viewer/2022040519/5e778682183c86537c092354/html5/thumbnails/7.jpg)
A = mod qt
Inhomogeneous Short Integer Solution (ISIS):Given A, t, find a short vector x.
Recall ISIS
![Page 8: Approximate Trapdoors for Lattices and Smaller Hash-and ... · Scheme Assumption, feature PK size Signature size Falcon NTRU, trapdoor 0.9 kB 0.6 kB Dilithium MLWE, rejection sampling](https://reader030.vdocument.in/reader030/viewer/2022040519/5e778682183c86537c092354/html5/thumbnails/8.jpg)
A = mod qt
Inhomogeneous Short Integer Solution (ISIS):Given A, t, find a short vector x.
Recall ISIS
![Page 9: Approximate Trapdoors for Lattices and Smaller Hash-and ... · Scheme Assumption, feature PK size Signature size Falcon NTRU, trapdoor 0.9 kB 0.6 kB Dilithium MLWE, rejection sampling](https://reader030.vdocument.in/reader030/viewer/2022040519/5e778682183c86537c092354/html5/thumbnails/9.jpg)
A = mod qt
With the Trapdoor of A --> can solve ISIS efficiently.
Trapdoor of A
Recall Trapdoor
![Page 10: Approximate Trapdoors for Lattices and Smaller Hash-and ... · Scheme Assumption, feature PK size Signature size Falcon NTRU, trapdoor 0.9 kB 0.6 kB Dilithium MLWE, rejection sampling](https://reader030.vdocument.in/reader030/viewer/2022040519/5e778682183c86537c092354/html5/thumbnails/10.jpg)
Recall GPV signature [Gentry, Peikert, Vaikuntanathan 08]
A = mod qt
PK SK Signature H(m)
Trapdoor of A
![Page 11: Approximate Trapdoors for Lattices and Smaller Hash-and ... · Scheme Assumption, feature PK size Signature size Falcon NTRU, trapdoor 0.9 kB 0.6 kB Dilithium MLWE, rejection sampling](https://reader030.vdocument.in/reader030/viewer/2022040519/5e778682183c86537c092354/html5/thumbnails/11.jpg)
A = mod qtTrapdoor of A
![Page 12: Approximate Trapdoors for Lattices and Smaller Hash-and ... · Scheme Assumption, feature PK size Signature size Falcon NTRU, trapdoor 0.9 kB 0.6 kB Dilithium MLWE, rejection sampling](https://reader030.vdocument.in/reader030/viewer/2022040519/5e778682183c86537c092354/html5/thumbnails/12.jpg)
A = mod qtTrapdoor of A
Find a short x such that !" ≈ $ %&' (
Definition of approx. trapdoor:
ApproximateTrapdoor of A A = + mod qt
Approximate
![Page 13: Approximate Trapdoors for Lattices and Smaller Hash-and ... · Scheme Assumption, feature PK size Signature size Falcon NTRU, trapdoor 0.9 kB 0.6 kB Dilithium MLWE, rejection sampling](https://reader030.vdocument.in/reader030/viewer/2022040519/5e778682183c86537c092354/html5/thumbnails/13.jpg)
A = mod qtTrapdoor of A
ApproximateTrapdoor of A A = + mod qt
Hope: an approximate trapdoor can be set up with a smaller dimension.
before
afterHOPE:
![Page 14: Approximate Trapdoors for Lattices and Smaller Hash-and ... · Scheme Assumption, feature PK size Signature size Falcon NTRU, trapdoor 0.9 kB 0.6 kB Dilithium MLWE, rejection sampling](https://reader030.vdocument.in/reader030/viewer/2022040519/5e778682183c86537c092354/html5/thumbnails/14.jpg)
In | A’ = mod qtTrapdoor of A
beforeSolution 1:Hermite Normal Form
![Page 15: Approximate Trapdoors for Lattices and Smaller Hash-and ... · Scheme Assumption, feature PK size Signature size Falcon NTRU, trapdoor 0.9 kB 0.6 kB Dilithium MLWE, rejection sampling](https://reader030.vdocument.in/reader030/viewer/2022040519/5e778682183c86537c092354/html5/thumbnails/15.jpg)
In | A’ = mod qtTrapdoor of A
ApproximateTrapdoor of A’ A’ = - mod qt
before
afterSolution 1:Hermite Normal Form
Let ! ∈ #$×& . The HNF solution saves n dimensions. Can we save more?
![Page 16: Approximate Trapdoors for Lattices and Smaller Hash-and ... · Scheme Assumption, feature PK size Signature size Falcon NTRU, trapdoor 0.9 kB 0.6 kB Dilithium MLWE, rejection sampling](https://reader030.vdocument.in/reader030/viewer/2022040519/5e778682183c86537c092354/html5/thumbnails/16.jpg)
The rest of the talk:1. Recall GPV signature with exact trapdoor.2. Constructing approximate trapdoor.3. Parameters.
![Page 17: Approximate Trapdoors for Lattices and Smaller Hash-and ... · Scheme Assumption, feature PK size Signature size Falcon NTRU, trapdoor 0.9 kB 0.6 kB Dilithium MLWE, rejection sampling](https://reader030.vdocument.in/reader030/viewer/2022040519/5e778682183c86537c092354/html5/thumbnails/17.jpg)
Trapdoor from [Micciancio, Peikert 12]
GGadget =1, b, … bk-1
… …1, b, … bk-1
= !" ⊗ 1, b, … bk-1
Let $ = log) *. + ∈ -"×"/
“Power-of-b” matrix
The kernel-lattice of G has an easily computable short basis.
![Page 18: Approximate Trapdoors for Lattices and Smaller Hash-and ... · Scheme Assumption, feature PK size Signature size Falcon NTRU, trapdoor 0.9 kB 0.6 kB Dilithium MLWE, rejection sampling](https://reader030.vdocument.in/reader030/viewer/2022040519/5e778682183c86537c092354/html5/thumbnails/18.jpg)
Trapdoor from [Micciancio, Peikert 12]
A = mod qGR__I
where A = [ A’ | G – A’R ]
Trapdoor for A
Let ! = log& '. We have ( ∈ *+×+- , . ∈ *+×+(01-)
![Page 19: Approximate Trapdoors for Lattices and Smaller Hash-and ... · Scheme Assumption, feature PK size Signature size Falcon NTRU, trapdoor 0.9 kB 0.6 kB Dilithium MLWE, rejection sampling](https://reader030.vdocument.in/reader030/viewer/2022040519/5e778682183c86537c092354/html5/thumbnails/19.jpg)
before
GGadget =1, b, … bk-1
… …1, b, … bk-1
= !" ⊗ 1, b, … bk-1
Core IdeaApproximate
trapdoor
![Page 20: Approximate Trapdoors for Lattices and Smaller Hash-and ... · Scheme Assumption, feature PK size Signature size Falcon NTRU, trapdoor 0.9 kB 0.6 kB Dilithium MLWE, rejection sampling](https://reader030.vdocument.in/reader030/viewer/2022040519/5e778682183c86537c092354/html5/thumbnails/20.jpg)
before
after
Core IdeaApproximate
trapdoor
GGadget =1, b, … bk-1
… …1, b, … bk-1
= !" ⊗ 1, b, … bk-1
=Fbj, … bk-1
… …bj, … bk-1
= !" ⊗ bj, … bk-1
Cut the j smallest entries from G
SmallerGadget
![Page 21: Approximate Trapdoors for Lattices and Smaller Hash-and ... · Scheme Assumption, feature PK size Signature size Falcon NTRU, trapdoor 0.9 kB 0.6 kB Dilithium MLWE, rejection sampling](https://reader030.vdocument.in/reader030/viewer/2022040519/5e778682183c86537c092354/html5/thumbnails/21.jpg)
Approximate G-trapdoor
A = mod qFR__I
Approximate Trapdoor for A
Let ! = log& '. We have ( ∈ *+×+(./0) , 2 ∈ *+×+(34./0)
Cut the j smallest entries from G
where A = [ A’ | F – A’R ]
![Page 22: Approximate Trapdoors for Lattices and Smaller Hash-and ... · Scheme Assumption, feature PK size Signature size Falcon NTRU, trapdoor 0.9 kB 0.6 kB Dilithium MLWE, rejection sampling](https://reader030.vdocument.in/reader030/viewer/2022040519/5e778682183c86537c092354/html5/thumbnails/22.jpg)
The preimage sampling algorithm
Input: A, the trapdoor R, a target ! ∈ #$, a width parameter s. Output: % ∈ #& such that '% = ! + * +,- .,
and x, e are from distributions independent of the trapdoor.
1. Sample a perturbation / ← 1 23, 56 , where Σ8 = 9:& − <= >>? >>? :
2. Form @ = ! − '/ ∈ #A$.3. Sample y ← 1 DEF(H),J ∈ #$K, then drop the entries correspond to the j
small entries in each block of size k. Denote the result as L ∈ #$ KMN .
4. Output % = / + >: L
![Page 23: Approximate Trapdoors for Lattices and Smaller Hash-and ... · Scheme Assumption, feature PK size Signature size Falcon NTRU, trapdoor 0.9 kB 0.6 kB Dilithium MLWE, rejection sampling](https://reader030.vdocument.in/reader030/viewer/2022040519/5e778682183c86537c092354/html5/thumbnails/23.jpg)
The preimage sampling algorithm
Input: A, the trapdoor R, a target ! ∈ #$, a width parameter s. Output: % ∈ #& such that '% = ! + * +,- .,
and x, e are from distributions independent of the trapdoor.
1. Sample a perturbation / ← 1 23, 56 , where Σ8 = 9:& − <= >>? >>? :
2. Form @ = ! − '/ ∈ #A$.3. Sample y ← 1 DEF(H),J ∈ #$K, then drop the entries correspond to the j
small entries in each block of size k. Denote the result as L ∈ #$ KMN .
4. Output % = / + >: L
![Page 24: Approximate Trapdoors for Lattices and Smaller Hash-and ... · Scheme Assumption, feature PK size Signature size Falcon NTRU, trapdoor 0.9 kB 0.6 kB Dilithium MLWE, rejection sampling](https://reader030.vdocument.in/reader030/viewer/2022040519/5e778682183c86537c092354/html5/thumbnails/24.jpg)
The preimage sampling algorithm
Input: A, the trapdoor R, a target ! ∈ #$, a width parameter s. Output: % ∈ #& such that '% = ! + * +,- .,
and x, e are from distributions independent of the trapdoor.
1. Sample a perturbation / ← 1 23, 56 , where Σ8 = 9:& − <= >>? >>? :
2. Form @ = ! − '/ ∈ #A$.3. Sample y ← 1 DEF(H),J ∈ #$K, then drop the entries correspond to the j
small entries in each block of size k. Denote the result as L ∈ #$ KMN .
4. Output % = / + >: L
![Page 25: Approximate Trapdoors for Lattices and Smaller Hash-and ... · Scheme Assumption, feature PK size Signature size Falcon NTRU, trapdoor 0.9 kB 0.6 kB Dilithium MLWE, rejection sampling](https://reader030.vdocument.in/reader030/viewer/2022040519/5e778682183c86537c092354/html5/thumbnails/25.jpg)
The preimage sampling algorithm
Input: A, the trapdoor R, a target ! ∈ #$, a width parameter s. Output: % ∈ #& such that '% = ! + * +,- .,
and x, e are from distributions independent of the trapdoor.
1. Sample a perturbation / ← 1 23, 56 , where Σ8 = 9:& − <= >>? >>? :
2. Form @ = ! − '/ ∈ #A$.3. Sample y ← 1 DEF(H),J ∈ #$K, then drop the entries correspond to the j
small entries in each block of size k. Denote the result as L ∈ #$ KMN .
4. Output % = / + >: L
![Page 26: Approximate Trapdoors for Lattices and Smaller Hash-and ... · Scheme Assumption, feature PK size Signature size Falcon NTRU, trapdoor 0.9 kB 0.6 kB Dilithium MLWE, rejection sampling](https://reader030.vdocument.in/reader030/viewer/2022040519/5e778682183c86537c092354/html5/thumbnails/26.jpg)
The preimage sampling algorithm
Input: A, the trapdoor R, a target ! ∈ #$, a width parameter s. Output: % ∈ #& such that '% = ! + * +,- .,
and x, e are from distributions independent of the trapdoor.
1. Sample a perturbation / ← 1 23, 56 , where Σ8 = 9:& − <= >>? >>? :
2. Form @ = ! − '/ ∈ #A$.3. Sample y ← 1 DEF(H),J ∈ #$K, then drop the entries correspond to the j
small entries in each block of size k. Denote the result as L ∈ #$ KMN .
4. Output % = / + >: L
![Page 27: Approximate Trapdoors for Lattices and Smaller Hash-and ... · Scheme Assumption, feature PK size Signature size Falcon NTRU, trapdoor 0.9 kB 0.6 kB Dilithium MLWE, rejection sampling](https://reader030.vdocument.in/reader030/viewer/2022040519/5e778682183c86537c092354/html5/thumbnails/27.jpg)
The preimage sampling algorithm
Input: A, the trapdoor R, a target ! ∈ #$, a width parameter s. Output: % ∈ #& such that '% = ! + * +,- .,
and x, e are from distributions independent of the trapdoor.
1. Sample a perturbation / ← 1 23, 56 , where Σ8 = 9:& − <= >>? >>? :
2. Form @ = ! − '/ ∈ #A$.3. Sample y ← 1 DEF(H),J ∈ #$K, then drop the entries correspond to the j
small entries in each block of size k. Denote the result as L ∈ #$ KMN .
4. Output % = / + >: L
Correctness: Write (a permuted version of) O = P Q ], and OS = P Q ] TL
Small entries dropped entries
![Page 28: Approximate Trapdoors for Lattices and Smaller Hash-and ... · Scheme Assumption, feature PK size Signature size Falcon NTRU, trapdoor 0.9 kB 0.6 kB Dilithium MLWE, rejection sampling](https://reader030.vdocument.in/reader030/viewer/2022040519/5e778682183c86537c092354/html5/thumbnails/28.jpg)
The preimage sampling algorithm
Input: A, the trapdoor R, a target ! ∈ #$, a width parameter s. Output: % ∈ #& such that '% = ! + * +,- .,
and x, e are from distributions independent of the trapdoor.
1. Sample a perturbation / ← 1 23, 56 , where Σ8 = 9:& − <= >>? >>? :
2. Form @ = ! − '/ ∈ #A$.3. Sample y ← 1 DEF(H),J ∈ #$K, then drop the entries correspond to the j
small entries in each block of size k. Denote the result as L ∈ #$ KMN .
4. Output % = / + >: L
Correctness: Write (a permuted version of) O = P Q ], and OS = P Q ] TL
So '% = '/ + ' >: L = '/ + QL = '/ + OS −PT = '/ + @ + * = ! + *
Small entries dropped entries
![Page 29: Approximate Trapdoors for Lattices and Smaller Hash-and ... · Scheme Assumption, feature PK size Signature size Falcon NTRU, trapdoor 0.9 kB 0.6 kB Dilithium MLWE, rejection sampling](https://reader030.vdocument.in/reader030/viewer/2022040519/5e778682183c86537c092354/html5/thumbnails/29.jpg)
Analysis of the distributions*
Notation: ! = # $ ], !& = # $ ] '( , Σ* = +,- − /0 112 1
12 ,34 = 35 + 3 1
, ( = 35 + $( = 35 + !& −#' = 35 + 7 + 8 = 9 + 8Goal: x, e are from distributions independent of the trapdoor.
![Page 30: Approximate Trapdoors for Lattices and Smaller Hash-and ... · Scheme Assumption, feature PK size Signature size Falcon NTRU, trapdoor 0.9 kB 0.6 kB Dilithium MLWE, rejection sampling](https://reader030.vdocument.in/reader030/viewer/2022040519/5e778682183c86537c092354/html5/thumbnails/30.jpg)
Analysis of the distributions*
Notation: ! = # $ ], !& = # $ ]'( , Σ* = +,- − /0 112 1
12 ,34 = 35 + 3 1
,( = 35 + $( = 35 + !& −#' = 35 + 7 + 8 = 9 + 8
Goal: x, e are from distributions independent of the trapdoor.
Idea: first prove for all t, 5, & = (5, (, ') ← >?@A B , C , DE⊕GH
![Page 31: Approximate Trapdoors for Lattices and Smaller Hash-and ... · Scheme Assumption, feature PK size Signature size Falcon NTRU, trapdoor 0.9 kB 0.6 kB Dilithium MLWE, rejection sampling](https://reader030.vdocument.in/reader030/viewer/2022040519/5e778682183c86537c092354/html5/thumbnails/31.jpg)
Analysis of the distributions*
Notation: ! = # $ ], !& = # $ ]'( , Σ* = +,- − /0 112 1
12 ,34 = 35 + 3 1
,( = 35 + $( = 35 + !& −#' = 35 + 7 + 8 = 9 + 8
Goal: x, e are from distributions independent of the trapdoor.
Idea: first prove for all t, 5, & = (5, (, ') ← >?@A B , C , DE⊕GH
I.e., consider two linear transformations L, M such thatI 5, ( = 4, #' = 8
Next, derive (x, e) from (p, z, n) using linear transformation theorems on Gaussians.
![Page 32: Approximate Trapdoors for Lattices and Smaller Hash-and ... · Scheme Assumption, feature PK size Signature size Falcon NTRU, trapdoor 0.9 kB 0.6 kB Dilithium MLWE, rejection sampling](https://reader030.vdocument.in/reader030/viewer/2022040519/5e778682183c86537c092354/html5/thumbnails/32.jpg)
Analysis of the distributions*
Notation: ! = # $ ], !& = # $ ]'( , Σ* = +,- − /0 112 1
12 ,34 = 35 + 3 1
,( = 35 + $( = 35 + !& −#' = 35 + 7 + 8 = 9 + 8
Goal: x, e are from distributions independent of the trapdoor.
Idea: first prove for all t, 5, & = (5, (, ') ← >?@A B , C , DE⊕GH
--- From personal communication with Micciancio.
Next, derive (x, e) from (p, z, n) using linear transformation theorems on Gaussians.
![Page 33: Approximate Trapdoors for Lattices and Smaller Hash-and ... · Scheme Assumption, feature PK size Signature size Falcon NTRU, trapdoor 0.9 kB 0.6 kB Dilithium MLWE, rejection sampling](https://reader030.vdocument.in/reader030/viewer/2022040519/5e778682183c86537c092354/html5/thumbnails/33.jpg)
Analysis of the distributions*
Notation: ! = # $ ], !& = # $ ]'( , Σ* = +,- − /0 112 1
12 ,34 = 35 + 3 1
,( = 35 + $( = 35 + !& −#' = 35 + 7 + 8 = 9 + 8
Goal: x, e are from distributions independent of the trapdoor.
Idea: first prove for all t, 5, & = (5, (, ') ← >?@A B , C , DE⊕GH
Next, derive (x, e) from (p, z, n) using linear transformation theorems on Gaussians.
(a special case proven by Ducas, Galbraith, Prest, Yu [eprint 2019/320] suffices for our app.)
![Page 34: Approximate Trapdoors for Lattices and Smaller Hash-and ... · Scheme Assumption, feature PK size Signature size Falcon NTRU, trapdoor 0.9 kB 0.6 kB Dilithium MLWE, rejection sampling](https://reader030.vdocument.in/reader030/viewer/2022040519/5e778682183c86537c092354/html5/thumbnails/34.jpg)
Analysis of the distributions*
Notation: ! = # $ ], !& = # $ ]'
(, Σ* = +,- − /0 112 1
12 ,
34 = 35 + 31
,( = 35 + $( = 35 + !& −#' = 35 + 7 + 8 = 9 + 8
Goal: x, e are from distributions independent of the trapdoor.
Idea: first prove for all t, 5, & = (5, (, ') ← >?@A B , C , DE⊕GH
Still, we are only able to show for uniformly random t (although it is enough for the signature application),
4 ← > IJ, K , 8 ← >ILM, G (NHMOP)/(NHOP)
Open problem: prove or disprove the statement for all t.
Next, derive (x, e) from (p, z, n) using linear transformation theorems on Gaussians.
![Page 35: Approximate Trapdoors for Lattices and Smaller Hash-and ... · Scheme Assumption, feature PK size Signature size Falcon NTRU, trapdoor 0.9 kB 0.6 kB Dilithium MLWE, rejection sampling](https://reader030.vdocument.in/reader030/viewer/2022040519/5e778682183c86537c092354/html5/thumbnails/35.jpg)
Parameters
Exact Approx Exact Approx Exact Approx Exact Approx
n 512 512 1024 1024
log2 q 24 16 18 18
b 2 4 4 8
k/j 24/0 8/0 9/0 6/0
|PK| (kB) 37.50 9.00 22.50 15.75
|Sig| (kB) 25.68 7.62 18.74 13.70
LWE 100.0 104.7 192.7 192.7
ApproxISIS 80.2 82.8 175.8 165.3
![Page 36: Approximate Trapdoors for Lattices and Smaller Hash-and ... · Scheme Assumption, feature PK size Signature size Falcon NTRU, trapdoor 0.9 kB 0.6 kB Dilithium MLWE, rejection sampling](https://reader030.vdocument.in/reader030/viewer/2022040519/5e778682183c86537c092354/html5/thumbnails/36.jpg)
Parameters
Exact Approx Exact Approx Exact Approx Exact Approx
n 512 512 512 512 1024 1024 1024 1024
log2 q 24 24 16 16 18 18 18 18
b 2 2 4 4 4 4 8 8
k/j 24/0 24/15 8/0 8/4 9/0 9/5 6/0 6/3
|PK| (kB) 37.50 15.00 9.00 5.00 22.50 11.25 15.75 9.00
|Sig| (kB) 25.68 10.51 7.62 4.45 18.74 9.38 13.70 8.36
LWE 100.0 100.0 104.7 104.7 192.7 192.7 192.7 192.7
ApproxISIS 80.2 81.1 82.8 87.8 175.8 183.7 165.3 174.9
![Page 37: Approximate Trapdoors for Lattices and Smaller Hash-and ... · Scheme Assumption, feature PK size Signature size Falcon NTRU, trapdoor 0.9 kB 0.6 kB Dilithium MLWE, rejection sampling](https://reader030.vdocument.in/reader030/viewer/2022040519/5e778682183c86537c092354/html5/thumbnails/37.jpg)
Approximate trapdoors for lattices & smaller hash-and-sign signatures
Yilei Chen Nicholas Genise Pratyay MukherjeeVisa Research UCSD -> Rutgers Visa Research
Q & A