We give a direct construction of digital signatures based on the
complexity of approximating the shortest vector in ideal (e.g.,
cyclic) lattices. The construction is provably secure based on the
worst-case hardness of approximating the shortest vector in such
lattices within a polynomial factor, and it is also asymptotically
efficient: the time complexity of the signing and verification
algorithms, as well as key and signature size is almost linear (up
to poly-logarithmic factors) in the dimension *n* of the
underlying lattice. Since no sub-exponential (in *n*) time
algorithm is known to solve lattice problems in the worst case, even
when restricted to cyclic lattices, our construction gives a digital
signature scheme with an essentially optimal performance/security
trade-off.