J Cryptol (2018) 31:774–797
Asymptotically Efficient Lattice-Based Digital
IBM Research, Zurich, Switzerland
University of California, San Diego, CA, USA
Communicated by Eike Kiltz.
Received 26 November 2013 / Revised 6 April 2017
Online publication 30 October 2017
Abstract. We present a general framework that converts certain types of linear
collision-resistant hash functions into one-time signatures. Our generic construction
can be instantiated based on both general and ideal (e.g., cyclic) lattices, and the
resulting signature schemes are provably secure based on the worst-case hardness of
approximating the shortest vector (and other standard lattice problems) in the
corresponding class of lattices to within a polynomial factor. When instantiated with
ideal lattices, the time complexity of the signing and verification algorithms, as well
as key and signature size, is almost linear (up to poly-logarithmic factors) in the
dimension n of the underlying lattice. Since no sub-exponential (in n) time algorithm is
known to solve lattice problems in the worst case, even when restricted to ideal
lattices, our construction gives a digital signature scheme with an essentially optimal
performance/security trade-off.
Keywords. Lattice cryptography, Digital signatures.
Digital signature schemes, initially proposed in Diffie and Hellman's seminal paper
and later formalized by Goldwasser, Micali and Rivest, are among the most important
and widely used cryptographic primitives. Still, our understanding of these intriguing
objects is somewhat limited. The definition of digital signatures clearly fits within the
A preliminary version of this work appeared in Theory of Cryptography Conference—Proceedings of
TCC 2008. This is an improved, extended, and simplified version of that paper. Research supported in part by
NSF Grants CCF-0634909, CNS-1117936, SNSF ERC Transfer Grant CRETP2-166734—FELICITY, and
the H2020 Project Safecrypto. Any opinions, findings, and conclusions or recommendations expressed in this
material are those of the author(s) and do not necessarily reflect the views of the National Science Foundation.
© International Association for Cryptologic Research 2017