
Efficient Signature Schemes from R-LWE

  • Wang, Ting (ATR Key Laboratory of National Defense Technology, Shenzhen University) ;
  • Yu, Jianping (ATR Key Laboratory of National Defense Technology, Shenzhen University) ;
  • Zhang, Peng (ATR Key Laboratory of National Defense Technology, Shenzhen University) ;
  • Zhang, Yong (ATR Key Laboratory of National Defense Technology, Shenzhen University)
  • Received : 2015.07.17
  • Accepted : 2016.07.03
  • Published : 2016.08.31

Abstract

Compared to classical cryptography, lattice-based cryptography is more secure, flexible and simple, and it is believed to be secure against quantum computers. In this paper, an efficient signature scheme is proposed from the ring learning with errors (R-LWE) problem; it avoids sampling from discrete Gaussians and has a much simpler description. The scheme is implemented in C/C++ and compared with the RSA signature scheme in detail. Additionally, a linearly homomorphic signature scheme without a trapdoor is proposed from the R-LWE assumption. The security of both schemes is reducible to the worst-case hardness of the shortest vector problem on ideal lattices. The security analyses indicate that the proposed schemes are unforgeable under the chosen message attack model, and the efficiency analyses show that they are much more efficient than other related signature schemes.

1. Introduction

Digital signatures are among the most important and widely used cryptographic primitives. At present, all signature schemes from classical cryptography have been shown to be either insecure or limited in function, especially under quantum attacks [1-3], so lattice-based cryptography has become an active research topic because of its security. Since new trapdoors for hard lattices were developed [4], many lattice-based signature schemes have been proposed, owing to the excellent algebraic characteristics, implementation simplicity and stronger security proofs of lattice cryptography [5-7].

Homomorphic signatures are intriguing because they have been shown to be well suited to guaranteeing information security in scenarios where messages are operated on, such as network coding, sensor networks and cloud storage [1,8-12]. A homomorphic signature scheme signs n-dimensional vectors v1,⋯,vl from a message space M and outputs the signature σi of every vector vi. Given these signatures, the homomorphic property is that anyone can evaluate a signature on the vector v = f(v1,⋯,vl) in M.

Homomorphic signature schemes were first given by Micali and Rivest for undirected graphs [13]. Subsequently, Johnson et al. proposed the basic definitions of homomorphic signature schemes and showed that a variety of such schemes can be designed [14]. The signature scheme of [5] was the first linearly homomorphic scheme that authenticated vectors over binary fields, and its security was based on a new lattice problem named k-SIS. Based on the trapdoor functions with preimage sampling [4] and a homomorphic hash function family, WANG FengHe gave a linearly homomorphic signature scheme over a binary field [15]. Using ideal lattices, Boneh et al. presented the first homomorphic signature scheme for polynomial functions [6], and then Catalano, Fiore and Warinschi provided an alternative to the homomorphic signature scheme of Boneh and Freeman [16]. All of the above homomorphic signature schemes have their own advantages and application scenarios; more detailed descriptions are given in Table 1. However, they tend to be inefficient for practical applications.

Table 1. The properties of the current homomorphic signature schemes

In order to resolve the efficiency problem, unlike the GPV08 scheme, which needs to generate a trapdoor and sample from discrete Gaussians, we give a more efficient signature scheme from the ring learning with errors (R-LWE) problem using the idea of Lyubashevsky [17]. Subsequently, based on the work of WANG FengHe, a more efficient linearly homomorphic signature scheme without a trapdoor on signed data is presented. Because of the much more compact algebraic structure of the R-LWE problem, the efficiency of the proposed signature schemes is greatly improved, and the analyses show that the schemes are secure in the adaptive chosen message attack model, assuming that it is hard for any probabilistic polynomial-time, even quantum, adversary to solve the shortest vector problem on ideal lattices.

The remainder of this paper is organized as follows. Section 2 introduces the preliminaries; Section 3 gives a general lattice-based signature scheme and discusses it in detail. Section 4 first expounds the definition of homomorphic signatures, then proposes an efficient linearly homomorphic signature scheme from the R-LWE assumption, and finally analyzes its security and efficiency. Section 5 concludes the paper.

 

2. Preliminaries

2.1 Lattices

A lattice can be regarded as a set of discrete points with a regular structure in geometry; formally it is defined as follows.

Definition 1. Suppose that b1,⋯,bn ∈ R^n are linearly independent n-dimensional vectors; then the lattice is defined as

where b1,⋯,bn is a basis of the lattice, and its rank is n.

The standard worst-case approximate lattice problem GapSVPγ is given in its decision version.

Definition 2 (Shortest Vector Problem). Given a lattice basis B and d ∈ R: if λ1(L(B)) ≤ d, it is a YES instance; if λ1(L(B)) > γ(n)·d, it is a NO instance, where γ(n) ≥ 1 is an approximation factor and λ1(L(B)) is the minimum distance of the lattice L(B).

2.2 Learning with Errors over Rings (R-LWE)

Let f(x) = x^n + 1 ∈ Z[x], where n = 2^k (k ∈ Z) is a security parameter, which makes f(x) irreducible over the rational numbers; let R = Z[x]/ be the integer polynomial ring modulo f(x), and assume that q ≡ 1 (mod 2n) is a large prime modulus (bounded by poly(n)), so that Rq = R/ = Zq[x]/ is the integer polynomial ring modulo f(x) and q. Elements of Rq are represented by integer polynomials of degree less than n whose coefficients are chosen from {0,1,⋯,q-1}.

In the integer polynomial ring Rq, the R-LWE problem is defined as follows [18]. For a uniformly random s ∈ Rq (the secret key), define two distributions on Rq × Rq: (1) (a, b = a × s + e) ∈ Rq × Rq, where a is chosen uniformly at random from Rq and e is an independent error term from the distribution χ ⊂ R; (2) (a, c), where a, c ← Rq are uniformly random. The R-LWE problem is to distinguish the two distributions with non-negligible advantage. In other words, if R-LWE is hard, then independent samples of the 'random noisy equations' (a, a × s + e) are pseudorandom; all operations are performed in Rq.

Lyubashevsky, Peikert and Regev proved that the R-LWE problem is hard under the worst-case assumptions on ideal lattices [18] (see Theorem 1).

Theorem 1. For an approximation factor γ ≥ 1 (bounded by a fixed poly(n)), assume that it is hard for any polynomial-time, even quantum, algorithm to find an approximation of the shortest vector on ideal lattices. Then any poly(n) independent samples (ai, ai × s + ei) from the R-LWE distribution As,χ ⊂ Rq × Rq are pseudorandom.

2.3 A Hash Function Family

Lyubashevsky et al. [19] defined a hash function family HZq,n that maps to Zq. A function h ∈ HZq,n is indexed by a fixed vector α; it takes a vector β as input and outputs the dot product <α, β> = a1b1 + ⋯ + anbn. It is denoted hα(β) = <α, β>. The hardness of the hash function is based on approximate worst-case lattice problems, and the hash function is collision resistant.

HZq,n is a linear hash function family; that is, for every k ∈ Zq and hα ∈ HZq,n the following two properties are satisfied:

 

3. Signature Scheme

3.1 The Proposed Scheme

First we give the probability distribution χ used in the following; χ is derived from a Gaussian. For any β > 0, the density function of a Gaussian distribution over the reals is Dβ(x) = 1/β · exp(-π(x/β)^2). For an integer q ≥ 2, define to be the distribution on Zq obtained by drawing y ← Dβ and outputting (mod q). Let χ ⊂ Rq denote the set of polynomials whose coefficients are chosen from

Unlike the GPV08 scheme, which needs to generate a trapdoor and sample from discrete Gaussians, using the idea of Lyubashevsky, an efficient signature scheme S = (KeyGen, Sign, Verify) from the R-LWE problem is constructed as shown in Fig. 1.

Fig. 1. The proposed signature scheme from R-LWE

Let n = 2^k (k ∈ Z), let p be a prime with p << q, where q ≡ 1 (mod 2n) is a sufficiently large public prime modulus, let χ ⊂ Rq be the error distribution and let Rq = Zq[x]/ be the ring of integer polynomials modulo x^n + 1 and q. For a set R, means that s is chosen uniformly at random from R.

Polynomial addition is the usual coordinate-wise addition, and multiplication is the usual polynomial multiplication followed by reduction modulo x^n + 1.

Claim 1. The signature scheme described above is correct.

Proof. Consider a signature (σ = s·c + t + pe2, c) of a message m under the public key (a, b = a·s + pe1); the verification process computes

So c = H[(a·σ - b·c) mod p, m], and we conclude that the signature scheme is correct.
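The two pieces of arithmetic that Sections 2.2 and 3.1 rely on are ring arithmetic in Rq = Zq[x]/(x^n + 1) and the substitution b = a·s + pe1 in the verifier's quantity a·σ - b·c. The following Python block is an added illustration, not code from the paper or its authors: it implements Rq arithmetic, draws an R-LWE sample (a, a·s + e) as in Section 2.2, builds the public key and the signature element σ = s·c + t + pe2 named in Claim 1, and checks the identity a·σ - b·c = a·t + p(a·e2 - e1·c) exactly in Rq. The parameters n = 8, q = 97, p = 3 and β = 1 are constructed toy values (far too small to be secure), the challenge c is drawn from {-1,0,1}^n as in the proof of Claim 2, and the error sampler rounds a real Gaussian of the stated density; the paper's Fig. 1 (how the signer chooses t and computes c) is not reproduced on this page, so the block stops at the verifier's reduction mod p and does not claim to implement Sign.

```python
import math
import random

# Constructed toy parameters: far too small to be secure, chosen only so the
# example runs instantly. n = 2^k and q = 1 mod 2n as the paper requires.
N = 8        # n = 2^3
Q = 97       # prime, 97 = 6 * 16 + 1, so q = 1 mod 2n
P = 3        # small prime p << q used in the public key and in sigma
BETA = 1.0   # width beta of the Gaussian D_beta that defines chi


def add(f, g):
    """Coordinate-wise addition in R_q = Z_q[x]/(x^n + 1)."""
    return [(x + y) % Q for x, y in zip(f, g)]


def sub(f, g):
    """Coordinate-wise subtraction in R_q."""
    return [(x - y) % Q for x, y in zip(f, g)]


def scale(k, f):
    """k * f for an integer k (used for the p * e terms)."""
    return [(k * x) % Q for x in f]


def mul(f, g):
    """Polynomial product reduced modulo x^n + 1 and q (negacyclic convolution)."""
    out = [0] * N
    for i, fi in enumerate(f):
        for j, gj in enumerate(g):
            k = i + j
            if k < N:
                out[k] = (out[k] + fi * gj) % Q
            else:
                out[k - N] = (out[k - N] - fi * gj) % Q  # x^n = -1 in R_q
    return out


def uniform(rng):
    """An element of R_q with coefficients uniform in {0, ..., q-1}."""
    return [rng.randrange(Q) for _ in range(N)]


def chi(rng):
    """Error polynomial from chi: each coefficient is round(y) mod q with
    y drawn from D_beta(x) = (1/beta) exp(-pi (x/beta)^2), whose standard
    deviation is beta / sqrt(2 pi)."""
    sigma = BETA / math.sqrt(2 * math.pi)
    return [round(rng.gauss(0, sigma)) % Q for _ in range(N)]


def rlwe_sample(s, rng):
    """One R-LWE sample (a, b = a*s + e) for the fixed secret s (Section 2.2).
    The error e is returned as well so a caller can check the relation."""
    a = uniform(rng)
    e = chi(rng)
    return a, add(mul(a, s), e), e


def rlwe_relation_holds(seed=5):
    """Sanity check of the sample: b - a*s recovers the error e exactly."""
    rng = random.Random(seed)
    s = uniform(rng)
    a, b, e = rlwe_sample(s, rng)
    return sub(b, mul(a, s)) == e


def keygen(rng):
    """Public key (a, b = a*s + p*e1) as in Claim 1; the secret key is s.
    e1 is kept alongside s only so the identity below can be checked."""
    s, a, e1 = uniform(rng), uniform(rng), chi(rng)
    b = add(mul(a, s), scale(P, e1))
    return (a, b), (s, e1)


def make_sigma(s, c, t, e2):
    """sigma = s*c + t + p*e2, the form of the signature element in Claim 1."""
    return add(add(mul(s, c), t), scale(P, e2))


def verifier_quantity(pk, sigma, c):
    """(a*sigma - b*c) in R_q, then reduced coefficient-wise mod p: the value
    the verifier hashes together with m to recompute c."""
    a, b = pk
    return [x % P for x in sub(mul(a, sigma), mul(b, c))]


def claim1_identity_holds(pk, sk, c, t, e2):
    """Check a*sigma - b*c == a*t + p*(a*e2 - e1*c) exactly in R_q, which is
    the algebra behind Claim 1 once b = a*s + p*e1 is substituted."""
    a, b = pk
    s, e1 = sk
    sigma = make_sigma(s, c, t, e2)
    lhs = sub(mul(a, sigma), mul(b, c))
    rhs = add(mul(a, t), scale(P, sub(mul(a, e2), mul(e1, c))))
    return lhs == rhs


def demo(seed=1):
    """One key generation and one signature element; returns the checks."""
    rng = random.Random(seed)
    pk, sk = keygen(rng)
    c = [rng.choice((-1, 0, 1)) % Q for _ in range(N)]  # challenge in {-1,0,1}^n
    t, e2 = uniform(rng), chi(rng)
    return {
        "identity": claim1_identity_holds(pk, sk, c, t, e2),
        "hashed_value": verifier_quantity(pk, make_sigma(sk[0], c, t, e2), c),
    }


if __name__ == "__main__":
    print(demo())
```

The identity check is exact because every operation stays inside Rq; the final coefficient-wise reduction mod p that the verifier feeds to H is a separate step applied to the representatives in {0,…,q-1}, which is why `verifier_quantity` is kept apart from `claim1_identity_holds`.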

3.2 Security Analysis

Claim 2. The scheme S described above is secure against chosen-plaintext attacks (CPA) in the random oracle model, assuming that R-LWE is hard and the hash function H is secure.

Proof. Assume there is a probabilistic polynomial-time (PPT) adversary A that wins the unforgeability game with probability ε. We construct a PPT challenger C that solves the R-LWE problem with probability close to ε. Assume that A queries the random oracle H h times and the signing algorithm k times, and that A queries H on every message mi (i = 1,…,h) before making a sign query on it.

Let l = h + k bound the number of queries to the random oracle H during A's attack, and pick r1, r2,⋯, rl from {-1,0,1}^n uniformly at random; these will serve as the responses of H. The challenger C takes as input (a, b, r1, r2,⋯, rl) and runs A, giving it the public key (a, b = a·s + pe1). When A queries H, the reply is the first ri in the list (r1, r2,⋯, rl) that has not been used. When A makes sign queries, C programs the random oracle output so that the signatures are valid even though C does not know the signing key; the response of H is again the first unused ri in the list, and if the same query is made again, C responds with the previous answer ri. When A finishes its queries and outputs a forgery successfully with probability ε, C outputs the same output.

Suppose A outputs a message m and its signature (σ, c) such that σ ∈ Rq and c = H[(a·σ - b·c) mod p, m]. If H was not queried or programmed on (a·σ - b·c) mod p, then the probability that A produces a c such that c = H[(a·σ - b·c) mod p, m] is 3^(-n); hence c is one of the ri from (r1, r2,⋯, rl) with probability 1 - 3^(-n). Assume j is such that c = rj, which was the response to an oracle query to H made by A. By the "forking lemma" of Pointcheval and Stern [20], we can produce two different signatures of the message m, (σ, c) and (σ', c'), with probability ε - 3^(-n), such that

which means that (a·σ - b·c) = (a·σ' - b·c') mod p. As b = a·s + pe1, we obtain a(σ' - sc' - σ + sc) = 0, so (σ' - σ) - s(c - c') = 0, namely (σ' - σ) = s(c - c'). Then C obtains the private key s with probability ε - 3^(-n) by multiplying by (c - c')^(-1), so the R-LWE problem is solved.

3.3 Efficiency Analysis

Because of the special algebraic structure of R-LWE, the signature scheme from the R-LWE problem has the advantages of a much simpler description and analysis and very high efficiency. The efficiency analysis of the scheme is shown in Table 2.

Table 2. Efficiency analysis of the scheme from R-LWE

In the following, the scheme from R-LWE is compared with the RSA scheme under the same parameters and operating environment. We use the same ordinary personal computer to evaluate the implementation performance of the two schemes, running on Microsoft Windows XP Professional 2002 with a Pentium (R) D CPU at 3.0 GHz and 1.0 GB of RAM. The implementation uses Shoup's NTL library version 5.5.2 for high-level numeric algorithms, and the code is compiled with the Microsoft Visual C++ 6.0 compiler.

Table 3 and Table 4 show the simulation results of the two schemes respectively. Each test is repeated ten times, and the data in the two tables are the means of these ten repetitions. As can be seen from Table 3 and Table 4, the scheme from R-LWE runs faster than the RSA scheme under the same conditions, especially for key generation and signing. Despite its slower verification compared with the RSA scheme, the total runtime of our scheme is much lower than that of the RSA scheme as the security parameter n increases.

Table 3. Implementation time of the scheme from R-LWE

Table 4. Implementation time of the RSA scheme

The modulus q is the minimum integer satisfying the corresponding conditions in each scheme, and the length of the messages encrypted in the two schemes is n log q bits.

More detailed simulation results of the two schemes are shown in Fig. 2 to Fig. 5. Fig. 2, Fig. 3 and Fig. 4 show the efficiency of key generation, signing and verification in the two schemes respectively, and Fig. 5 compares the total implementation time of the two schemes. The figures also show how the implementation time of the two schemes changes with the security parameter n.

Fig. 2. Efficiency comparison of key generation between our signature scheme and the RSA scheme. Security parameter n = 128, 256, 512, 1024, 2048, 4096

Fig. 3. Efficiency comparison of signing between our signature scheme and the RSA scheme. Security parameter n = 128, 256, 512, 1024, 2048, 4096

Fig. 4. Efficiency comparison of verification between our signature scheme and the RSA scheme. Security parameter n = 128, 256, 512, 1024, 2048, 4096

Fig. 5. Comparison of total implementation time between our signature scheme and the RSA scheme. Security parameter n = 128, 256, 512, 1024, 2048, 4096

As can be seen from Fig. 2 to Fig. 5, the scheme from R-LWE is more efficient than the RSA signature scheme, and its runtime grows much more slowly than that of the RSA scheme as the security parameter n increases. Furthermore, the scheme from R-LWE is believed to be secure against quantum computers.

 

4. Linearly Homomorphic Signature Scheme

4.1. Scheme

Definition 3. A homomorphic signature scheme is composed of four probabilistic polynomial-time (PPT) algorithms (Setup,Sign,Evaluate,Verify) such that:

It is required that for any (pk,sk) ← Setup(1n,1l), the following hold:

The homomorphic signature scheme described above is said to be F-homomorphic. In particular, if F consists of all integer linear functions, we say that the scheme is a linearly homomorphic signature scheme.

Now we begin to describe the linearly homomorphic signature scheme proposed in this paper, and Fig. 6 provides an overview of the scheme.

Fig. 6. The signature scheme S from R-LWE

For any parameter δ > 0, the Gaussian function with center 0 over the reals is Dδ(x) = 1/δ·exp(-π(x/δ)^2). For an integer q ≥ 2, define to be the distribution over Zq obtained by choosing y ← Dδ and outputting (mod q). Let the error distribution χ ⊂ Rq denote the set of polynomials whose coefficients are chosen from , let Rq = Zq[x]/ be the integer polynomial ring modulo f(x) and q, and let be a random oracle that maps {0,1}* to

Using a homomorphic hash function family [18], an efficient linearly homomorphic signature scheme S = (Setup, Sign, Evaluate, Verify) without a trapdoor from the R-LWE assumption is constructed as follows:

1) For j = 1,⋯, n, compute αj = H(τ||j).

2) hmi = (hi1,⋯,hin) = (,⋯,).

3)

where ei is chosen independently from the probability distribution χ. Output the signature (τ, mi, σi, vi).

1) αj = H(τ||j)(j = 1,⋯,n).

2) hm = (hi,⋯,hi) = (,⋯,).

3) If σ ∈ Rq and a·σ - b·v = b·hm (mod p), output 1; otherwise, output 0.

The scheme described above is correct, in fact:

Claim 3. The polynomial ring signature scheme over Rp described above is linearly homomorphic.

Proof. Given messages mi such that Verify{τ,(a,b),mi,(σi,vi)} = 1 for all i. Since all operations are performed in Rq, the signature output by satisfies σ, v ∈ Rq. On the other hand, since

the conclusion holds.
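The ingredient that makes Claim 3 work, and the linearity of the hash family HZq,n stated in Section 2.3, is that the message hash hm is an integer-linear map: the hash of f(m1,⋯,ml) = Σ ci·mi can be computed from the individual hm_i alone. The Python block below is an added illustration, not the paper's or its authors' code. It follows steps 1) and 2) of the scheme, αj = H(τ||j) and hm = (h_{α1}(m),⋯,h_{αn}(m)), under two labelled assumptions: that the j-th coordinate of hm_i is h_{αj}(mi) (the page elides the right-hand side of step 2), and that the random oracle H is instantiated by expanding SHA-256 into n coefficients mod q. The vector length n = 4, modulus q = 97, tag, messages and coefficients are constructed sample values.

```python
import hashlib

# Constructed toy parameters (not secure): message vectors have n = 4 entries in Z_q.
N = 4
Q = 97


def oracle_vector(tag, j):
    """alpha_j = H(tau || j) in Z_q^n.  Assumption (not the paper's instantiation):
    the random oracle is realised by expanding SHA-256 over (tau, j, counter) and
    taking one coefficient per 32-bit word, reduced mod q."""
    coeffs, counter = [], 0
    while len(coeffs) < N:
        digest = hashlib.sha256(b"%s|%d|%d" % (tag, j, counter)).digest()
        for k in range(0, 32, 4):
            if len(coeffs) < N:
                coeffs.append(int.from_bytes(digest[k:k + 4], "big") % Q)
        counter += 1
    return coeffs


def h_alpha(alpha, beta):
    """h_alpha(beta) = <alpha, beta> = a1 b1 + ... + an bn mod q (Section 2.3)."""
    return sum(a * b for a, b in zip(alpha, beta)) % Q


def hash_message(tag, m):
    """hm = (h_{alpha_1}(m), ..., h_{alpha_n}(m)) with alpha_j = H(tau || j), j = 1..n.
    Assumption: coordinate j of hm is h_{alpha_j}(m)."""
    return [h_alpha(oracle_vector(tag, j), m) for j in range(1, N + 1)]


def combine(coeffs, vectors):
    """The integer linear function f(v_1, ..., v_l) = sum_i c_i v_i, reduced mod q.
    Negative coefficients are allowed, as for any integer linear function."""
    out = [0] * N
    for c, v in zip(coeffs, vectors):
        for k in range(N):
            out[k] = (out[k] + c * v[k]) % Q
    return out


def hash_is_linear(tag, messages, coeffs):
    """hm(sum c_i m_i) == sum c_i hm_i mod q: the evaluator, holding only the hm_i
    that accompany the signatures, obtains the hash of f(m_1, ..., m_l)."""
    direct = hash_message(tag, combine(coeffs, messages))
    evaluated = combine(coeffs, [hash_message(tag, m) for m in messages])
    return direct == evaluated


def mixed_tags_break_linearity(tag_a, tag_b, messages, coeffs):
    """Hashes computed under different tags use different alpha_j and so do not
    combine; the tag binds every signature to one data set.  Returns True when
    the mismatch is observed."""
    direct = hash_message(tag_a, combine(coeffs, messages))
    evaluated = combine(coeffs, [hash_message(tag_b, m) for m in messages])
    return direct != evaluated


# Constructed sample data: two message vectors, the coefficients of
# f(m1, m2) = 2*m1 - 3*m2, and a file identifier tau.
MESSAGES = [[1, 2, 3, 4], [5, 6, 7, 8]]
COEFFS = [2, -3]
TAG = b"dataset-0001"

if __name__ == "__main__":
    print(hash_is_linear(TAG, MESSAGES, COEFFS))
    print(mixed_tags_break_linearity(TAG, b"dataset-0002", MESSAGES, COEFFS))
```

Only the hash part of Claim 3 is exercised here; the signature elements σi and vi depend on step 3) of the scheme, which is not reproduced on this page, so the block does not implement Sign or Evaluate on them.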

4.2. Security Analysis

A homomorphic signature scheme S = (Setup, Sign, Evaluate, Verify) is unforgeable under chosen-message attack if, for every probabilistic polynomial-time (PPT) adversary A, the success probability of A in the following game is negligible in the security parameter n.

The adversary succeeds if Verify(τ*,(a,b),m*,σ*) = 1 but m* ≠ mi(i = 1,⋯,Q).

Claim 4. For any parameters n, q and polynomial f(x) satisfying the condition of the R-LWE problem, the signature scheme S is unforgeable in the chosen message attack model (CMA), assuming that the R-LWE problem is hard.

Proof. The proof is similar to that of Claim 2 except for the random oracle queries. Assume there is a probabilistic polynomial-time (PPT) adversary A that wins the unforgeability game with probability ε. We construct a PPT challenger C that solves the R-LWE problem with probability close to ε. Assume that A queries the signing algorithm k times. Then C runs A, giving it the public key (a, b = a·s + pe*).

When A makes sign queries, C programs the random oracle output so that the signatures are valid even though C does not know the signing key. When A finishes its queries and outputs a forgery successfully with probability ε, C outputs the same output.

Suppose A outputs a message m and its signature (σ, v) such that σ, v ∈ Rq and a·σ - b·v = b·hm (mod p). If H was not queried or programmed on (a·σ - b·v) mod p, then the probability that A produces a c = b·hm such that a·σ - b·v = b·hm (mod p) is q^(-n). By the "forking lemma" of Pointcheval and Stern [20], we can produce two different signatures of the message m, (σ, v) and (σ', v'), with probability ε - q^(-n), such that

As b = a·s + pe*, we obtain a(σ' - sv' - σ + sv) = 0, so (σ' - σ) - s(v - v') = 0, namely (σ' - σ) = s(v - v'). Then C obtains the private key s with probability ε - q^(-n) by multiplying by (v - v')^(-1), so the R-LWE problem is solved.

4.3. Efficiency Analysis

Because of the special algebraic structure of R-LWE, the linearly homomorphic signature scheme from the R-LWE problem has the advantages of a much simpler description and analysis and very high efficiency. Compared with the signature schemes of [5,15], the efficiency improvement of our scheme is shown in Table 5.

Table 5. Efficiency comparison.

In the scheme of Boneh, psf and bt denote the computational costs of running the preimage sampling function (PSF) [4] and the ExtBasis algorithm [21] respectively. The Boneh scheme uses the ExtBasis algorithm and the PSF to sign messages, and the PSF is a sub-algorithm of ExtBasis. As the PSF is rather inefficient, with time complexity Ω(n^3), the signing cost of the Boneh scheme exceeds 2 psf ≥ 2Ω(n^3). The data in Table 5 indicate that the scheme from R-LWE is more efficient than other related signature schemes; in particular, its public key, private key and signing operations are far smaller than those of the scheme based on the PSF algorithm.

 

5. Conclusion

Digital signatures can solve many security issues arising from internal and external malicious attacks in network coding, sensor networks and cloud storage. In order to guarantee the security of network data, and owing to the flexible structure and implementation simplicity of lattice cryptography, two efficient digital signature schemes from the R-LWE assumption are proposed, and the analyses show that they are unforgeable in the chosen message attack model. The schemes mainly use modular addition and modular multiplication in the ring of integer polynomials, building on the special algebraic structure of the R-LWE assumption; hence they are more efficient than previous related signature schemes that use the ExtBasis or PSF algorithm. In future work, we will explore fully homomorphic signatures from lattices.

References

  1. D. Boneh, D. Freeman, J. Katz, and B. Waters, "Signing a Linear Subspace: Signature Schemes for Network Coding," in Proc. of PKC 2009, Lecture Notes in Computer Science, vol. 5443, pp. 68-87, March 18-20, 2009.
  2. Y. Wang, "Insecure 'Provably Secure Network Coding' and Homomorphic Authentication Schemes for Network Coding," IACR Cryptology ePrint Archive, no. 60, pp. 1-9, June, 2010.
  3. H. Xiong, Z. Chen, and F. Li, "Bidder-anonymous English auction protocol based on revocable ring signature," Expert Systems with Applications, vol. 39, no. 8, pp. 7062-7066, June, 2012. https://doi.org/10.1016/j.eswa.2012.01.040
  4. C. Gentry, C. Peikert, and V. Vaikuntanathan, "Trapdoors for Hard Lattices and New Cryptographic Constructions," in Proc. of the 40th Annual ACM Symposium on Theory of Computing (STOC 2008), pp. 197-206, May 17-20, 2008.
  5. D. Boneh and D. M. Freeman, "Linearly Homomorphic Signatures over Binary Fields and New Tools for Lattice-Based Signatures," in Proc. of PKC 2011, Lecture Notes in Computer Science, vol. 6571, pp. 1-16, March 6-9, 2011.
  6. D. Boneh and D. M. Freeman, "Homomorphic Signatures for Polynomial Functions," in Proc. of Eurocrypt 2011, Lecture Notes in Computer Science, vol. 6632, pp. 149-168, May 15-19, 2011.
  7. S. D. Gordon, J. Katz and V. Vaikuntanathan, "A Group Signature Scheme from Lattice Assumptions," in Proc. of Asiacrypt 2010, Lecture Notes in Computer Science, vol. 6477, pp. 395-412, December 5-9, 2010.
  8. H. Feng and F. Zhao, "Research on Dynamic Data Integrity Detection on Cloud Storage," Journal of Chinese Computer Systems, vol. 35, no. 2, pp. 239-243, February, 2014.
  9. A. Jain and B. V. R. Reddy, "Eigenvector centrality based cluster size control in randomly deployed wireless sensor networks," Expert Systems with Applications, vol. 42, no. 5, pp. 2657-2669, April, 2015. https://doi.org/10.1016/j.eswa.2014.11.015
  10. Z. Li and G. Gong, "Data Aggregation Integrity Based on Homomorphic Primitives in Sensor Networks," in Proc. of the 9th International Conference on Ad-hoc, Mobile and Wireless Networks, Lecture Notes in Computer Science, vol. 6288, pp. 149-162, August 20-22, 2010.
  11. W. Liao, Y. Kao and Y. Li, "A sensor deployment approach using glowworm swarm optimization algorithm in wireless sensor networks," Expert Systems with Applications, vol. 38, no. 10, pp. 12180-12188, September, 2011. https://doi.org/10.1016/j.eswa.2011.03.053
  12. Y. Yong, N. Jianbing, H. A. Man, L. Hongyu, W. Hua and X. Chunxiang, "Improved security of a dynamic remote data possession checking protocol for cloud storage," Expert Systems with Applications, vol. 41, no. 17, pp. 7789-7796, December, 2014. https://doi.org/10.1016/j.eswa.2014.06.027
  13. S. Micali and R. L. Rivest, "Transitive signature schemes," in Proc. of CT-RSA 2002, Lecture Notes in Computer Science, vol. 2271, pp. 236-243, February 18-22, 2002.
  14. R. Johnson, D. Molnar, D. Song and D. Wagner, "Homomorphic signature schemes," in Proc. of CT-RSA 2002, Lecture Notes in Computer Science, vol. 2271, pp. 244-262, February 18-22, 2002.
  15. W. FengHe, H. YuPu and W. BaoCang, "Lattice-based linearly homomorphic signature scheme over binary field," Science China Information Sciences, vol. 56, no. 11, pp. 1-9, November, 2013. https://doi.org/10.1007/s11432-013-5009-0
  16. D. Catalano, D. Fiore and B. Warinschi, "Homomorphic Signatures with Efficient Verification for Polynomial Functions," in Proc. of CRYPTO 2014, Part I, Lecture Notes in Computer Science, vol. 8616, pp. 371-389, August 17-21, 2014.
  17. V. Lyubashevsky, "Lattice signatures without trapdoors," in Proc. of the 31st Int. Conf. on the Theory and Applications of Cryptographic Techniques (EUROCRYPT), pp. 738-755, April 15-19, 2012.
  18. V. Lyubashevsky, C. Peikert and O. Regev, "On Ideal Lattices and Learning with Errors over Rings," in Proc. of the 29th Int. Conf. on the Theory and Applications of Cryptographic Techniques (EUROCRYPT), Lecture Notes in Computer Science, vol. 6110, pp. 1-23, May 30 - June 3, 2010.
  19. V. Lyubashevsky and D. Micciancio, "Asymptotically efficient lattice-based digital signatures," in Proc. of TCC 2008, Lecture Notes in Computer Science, vol. 4948, pp. 37-54, March 19-21, 2008.
  20. D. Pointcheval and J. Stern, "Security arguments for digital signatures and blind signatures," Journal of Cryptology, vol. 13, no. 3, pp. 361-396, June, 2000. https://doi.org/10.1007/s001450010003
  21. D. Cash, D. Hofheinz, E. Kiltz and C. Peikert, "Bonsai Trees, or How to Delegate a Lattice Basis," Journal of Cryptology, vol. 25, no. 4, pp. 601-639, October, 2012. https://doi.org/10.1007/s00145-011-9105-2