Cryptology ePrint Archive: Report 2019/973

On the Non-Existence of Short Vectors in Random Module Lattices

Ngoc Khanh Nguyen

Abstract: Recently, Lyubashevsky & Seiler (Eurocrypt 2018) showed that small polynomials in the cyclotomic ring $Z_q[X]/(X^n+1)$, where $n$ is a power of two, are invertible under special congruence conditions on prime modulus $q$. This result has been used to prove certain security properties of lattice-based constructions against unbounded adversaries. Unfortunately, due to the special conditions, working over the corresponding cyclotomic ring does not allow for efficient use of the Number Theoretic Transform (NTT) algorithm for fast multiplication of polynomials and hence, the schemes become less practical.

In this paper, we present how to overcome this limitation by analysing zeroes in the Chinese Remainder (or NTT) representation of small polynomials. As a result, we provide upper bounds on the probabilities related to the (non)-existence of a short vector in a random module lattice with no assumptions on the prime modulus. We apply our results, along with the generic framework by Kiltz et al. (Eurocrypt 2018), to a number of lattice-based Fiat-Shamir signatures so they can both enjoy tight security in the quantum random oracle model and support fast multiplication algorithms (at the cost of slightly larger public keys and signatures), such as the Bai-Galbraith signature scheme (CT-RSA 2014), Dilithium-QROM (Kiltz et al., Eurocrypt 2018) and qTESLA (Alkim et al., PQCrypto 2017). Our techniques can also be applied to prove that recent commitment schemes by Baum et al. (SCN 2018) are statistically binding with no additional assumptions on $q$.

Category / Keywords: public-key cryptography / Lattice-based cryptography, Fiat-Shamir signatures, module lattices, lossy identification schemes, provable security

Original Publication (with major differences): IACR-ASIACRYPT-2019

Date: received 27 Aug 2019

Contact author: nkn at zurich ibm com

Available format(s): PDF | BibTeX Citation

Version: 20190829:110909 (All versions of this report)

Short URL: ia.cr/2019/973


[ Cryptology ePrint archive ]