a590003

defined by G (or the semi-random matrix [Ā|G]) is fixed and public, while the random unimodular matrix
T = [ ]
I −R
0 I actually produces a new lattice by applying a (reversible) linear transformation to the original
lattice. In other words, in contrast with GGH we multiply a (short) unimodular matrix on the “other side” of
the original short basis, thus changing the lattice it generates.
A more appropriate comparison is to Ajtai’s original method [Ajt96] for generating a random A together
with a “weak” trapdoor of one or more short lattice vectors (but not a full basis). There, one simply chooses a
semi-random matrix A ′ = [Ā | 0] and outputs A = A′ · T = [Ā | −ĀR], with short vectors [ ]
R
I
. Perhaps
surprisingly, our strong trapdoor generator is just a simple twist on Ajtai’s original weak generator, replacing
0 with the gadget G.
Our constructions and inversion algorithms also draw upon several other techniques from throughout the
literature. The trapdoor basis generator of [AP09] and the LWE-based “lossy” injective trapdoor function
of [PW08] both use a fixed “gadget” matrix analogous to G, whose entries grow geometrically in a structured
way. In both cases, the gadget is concealed (either statistically or computationally) in the public key by
a small combination of uniformly random vectors. Our method for adding tags to the trapdoor is very
similar to a technique for doing the same with the lossy TDF of [PW08], and is identical to the method used
in [ABB10a] for constructing compact (H)IBE. Finally, in our preimage sampling algorithm for f A , we use
the “convolution” technique from [Pei10] to correct for some statistical skew that arises when converting
preimages for f G to preimages for f A , which would otherwise leak information about the trapdoor R.
1.3 Applications
Our improved trapdoor generator and inversion algorithms can be plugged into any scheme that uses such tools
as a “black box,” and the resulting scheme will inherit all the efficiency improvements. (Every application
we know of admits such a black-box replacement.) Moreover, the special properties of our methods allow
for further improvements to the design, efficiency, and security reductions of existing schemes. Here we
summarize some representative improvements that are possible to obtain; see Section 6 for complete details.
Hash-and-sign digital signatures. Our construction and supporting algorithms plug directly into the “full
domain hash” signature scheme of [GPV08], which is strongly unforgeable in the random oracle model, with
a tight security reduction. One can even use our computationally secure trapdoor generator to obtain a smaller
public verification key, though at the cost of a hardness-of-LWE assumption, and a somewhat stronger SIS
assumption (which affects concrete security). Determining the right balance between key size and security is
left for later work.
In the standard model, there are two closely related types of hash-and-sign signature schemes:
• The one of [CHKP10], which has signatures of bit length Õ(n2 ), and is existentially unforgeable (later
improved to be strongly unforgeable [Rüc10]) assuming the hardness of inverting f A with solution
length bounded by β = Õ(n1.5 ). 2
• The scheme of [Boy10], a lattice analogue of the pairing-based signature of [Wat05], which has
signatures of bit length Õ(n) and is existentially unforgeable assuming the hardness of inverting f A
with solution length bounded by β = Õ(n3.5 ).
We improve the latter scheme in several ways, by: (i) improving the length bound to β = Õ(n2.5 ); (ii) reducing
the online runtime of the signing algorithm from Õ(n3 ) to Õ(n2 ) via chameleon hashing [KR00]; (iii) making
the scheme strongly unforgeable a la [GPV08, Rüc10]; (iv) giving a tighter and simpler security reduction
2 All parameters in this discussion assume a message length of ˜Θ(n) bits.
7
4. Trapdoors for Lattices