Paper 2023/1477

G+G: A Fiat-Shamir Lattice Signature Based on Convolved Gaussians

Julien Devevey, École Normale Supérieure de Lyon
Alain Passelègue, French Institute for Research in Computer Science and Automation, École Normale Supérieure de Lyon, CryptoLab, Inc.
Damien Stehlé, École Normale Supérieure de Lyon, CryptoLab, Inc.

We describe an adaptation of Schnorr's signature to the lattice setting, which relies on Gaussian convolution rather than on flooding or rejection sampling as in previous approaches. It does not involve any abort, can be proved secure in the ROM and QROM using existing analyses of the Fiat-Shamir transform, and enjoys smaller signature sizes (both asymptotically and for concrete security levels).

Note: Fixed parameter sizes. Fixed minor editorial mistakes.

Category
Public-key cryptography
Publication info
A minor revision of an IACR publication in ASIACRYPT 2023
Keywords
Fiat-Shamir, Digital Signature, Lattice-based cryptography, convolution, flooding, rejection sampling, sigma protocol
Contact author(s)
julien devevey @ ens-lyon fr
alain passelegue @ cryptolab co kr
damien stehle @ cryptolab co kr
2023-11-13: revised
2023-09-26: received
Creative Commons Attribution


@misc{cryptoeprint:2023/1477,
      author = {Julien Devevey and Alain Passelègue and Damien Stehlé},
      title = {G+G: A Fiat-Shamir Lattice Signature Based on Convolved Gaussians},
      howpublished = {Cryptology ePrint Archive, Paper 2023/1477},
      year = {2023},
      note = {\url{}},
      url = {}
}