DiLizium: A Two-Party Lattice-Based Signature Scheme

Abstract

In this paper, we propose DiLizium: a new lattice-based two-party signature scheme. Our scheme is constructed from a variant of the Crystals-Dilithium post-quantum signature scheme. This allows for more efficient two-party implementation compared with the original but still derives its post-quantum security directly from the Module Learning With Errors and Module Short Integer Solution problems. We discuss our design rationale, describe the protocol in full detail, and provide performance estimates and a comparison with previous schemes. We also provide a security proof for the two-party signature computation protocol against a classical adversary. Extending this proof to a quantum adversary is subject to future studies. However, our scheme is secure against a quantum attacker who has access to just the public key and not the two-party signature creation protocol.

1. Introduction

Ever since Peter Shor proposed an algorithm that was able to efficiently break most of the classical asymmetric cryptographic primitives such as RSA or ECDSA in the 1990s [1,2], research has been conducted to find quantum-resistant replacements. This work has recently been coordinated by the U.S. National Institute of Standards and Technology (NIST). In 2016, NIST announced an effort to standardise some of the proposed public key encryption algorithms, key-establishment algorithms, and signature schemes [3].

The primary focus of NIST is to obtain drop-in replacements for the current standardised primitives in order to ease the transition. However, not all of the current application areas are covered by the standardisation process.

One important class of examples is threshold signatures. In a ($t,n$)-threshold scheme, the secret key is shared between n users/devices. To create a valid signature, a subset of t users/devices should collaborate and use their secret key shares. Over the years, threshold versions of a number of major cryptographic algorithms including RSA and (EC)DSA have been studied [4,5,6,7,8]. Recent interest in threshold versions of ECDSA has been influenced by applications in blockchains. However, our motivation stems more from server-assisted RSA signatures, as proposed in the scheme by Buldas et al. [9]. This scheme has been implemented in a Smart-ID mobile application and was recognised as a qualified signature creation device (QSCD) in November 2018 [10]. In 2021, the number of Smart-ID users in the Baltic countries was estimated at 2.9 million [11].

In 2019, D. Cozzo and N. Smart analysed a number of NIST post-quantum standardisation candidates and concluded that none of them provide a threshold implementation that would be comparable in efficiency to threshold RSA or even ECDSA [12].

The goal of this research is to find a suitable version of one of the NIST signature candidates (Crystals-Dilithium) that would allow for a more efficient two-party implementation but would still provide post-quantum security. From this, we propose a concrete/specific two-party signature scheme and prove its security in this paper.

To be able to compute the private key or a signature forgery having access only to the public key, the attacker would need to solve Module Learning With Errors, Rejected Module Learning With Errors, and Module Short Integer Solution problems. These are considered hard even for quantum computers. We present security proof for the two-party signing protocol itself; however, it only provides security against a classical attacker. Extending the proof to cover quantum attackers is a task for future work.

Contributions

In this paper, we construct DiLizium, a lattice-based two-party signature scheme that follows the Fiat–Shamir with Aborts (FSwA) paradigm, and prove the security of the proposed scheme in the classical random oracle model. The security of the proposed signature scheme relies on the hardness of solving the Module-LWE and Module-SIS problems. Our two-party signature protocol is based on the scheme described in the paper by Kiltz et al., Appendix B [13]. Initially, we attempted to construct a two-party version of the Crystals-Dilithium digital signature submitted to the NIST PQC completion. However, we concluded that there are no straightforward approaches for modification thereof to the distributed version. Solutions require using a two-party computation protocol, which increases not only the signing time but also the communication complexity. The simplified version of the Crystals-Dilithium scheme from [13] is easier to work with because there are no additional bit decomposition algorithms used. Having a bit decomposition protocol would require an additional secure two-party computation protocol that would allow client and server to jointly compute high-order bits without revealing their private intermediate values. That would lead to an increased number of communication rounds and usage of additional security assumptions.

Additionally, DiLizium scheme does not require sampling from a discrete Gaussian distribution. We decided to use the scheme with uniform distribution because the Gaussian distribution is known to be hard to implement securely [14,15]. Our work follows the approach from [16], but instead of using homomorphic commitments, we decided to use the homomorphic hash function. We wanted to find an alternative to the commitment scheme introduced in [16] to increase the computational efficiency of the signature scheme. Due to the way our scheme is constructed, in the security proof, we rely on rejected Module-LWE, which is a non-standard security assumption, and it is not used in this work [16].

2. Related Work

In 2020, NIST announced fifteen third-round candidates for the PQC competition, of which seven were selected as finalists and eight were selected as alternate candidates [17]. The finalists in the digital signature category were Crystals-Dilithium [18], Falcon [19], and Rainbow [20]. Crystals-Dilithium and Falcon are both lattice-based signature schemes. Falcon has better performance, signature, and key sizes; however, its implementation is more complex, as it requires sampling from the Gaussian distribution and it utilises floating-point numbers to implement an optimised polynomial multiplication [19]. The performance of a Crystals-Dilithium signature scheme is slightly slower, and the signature and key sizes are larger than the ones in Falcon; however, the signature scheme itself has a simpler structure [18]. Rainbow is a multivariate signature scheme with fast signing and verifying processes. The size of the Rainbow signature is the shortest among the finalists; however, the public key size is the largest [20].

Due to the interest aroused by the PQC competition, several works were proposed that introduce lattice-based threshold signatures and lattice-based multisignatures. The works [21,22,23,24,25,26] focused on creating multisignatures that followed the FSwA paradigm. These schemes use rejection sampling, due to which the signing process is repeated until a valid signature is created. Additionally, intermediate values produced during the signature generation process need to be kept secret until the rejection sampling has been completed. There are currently no known techniques to prove the security of FSwA signatures if intermediate values are published before the rejection sampling is performed [16]. In multisignatures [21,22,23,24,25], intermediate values are published before the rejection sampling is completed, which leads to incomplete security proofs in these works [16]. The work by M. Fukumitsu and S. Hasegawa [26] solves the problem with aborted executions of the protocol by introducing a non-standard hardness assumption (rejected Module-LWE).

In 2019, D. Cozzo and N. Smart analysed the second round NIST PQC competition signature schemes to determine whether it is possible to create threshold versions of these signature schemes [12]. The authors proposed a possible threshold version for each of the schemes using only generic Multiparty Computation (MPC) techniques, such as linear secret sharing and garbled circuits. As a result, the authors proposed that the most suitable signature scheme is Rainbow, which belongs to the multivariate family. The authors described a threshold version of Crystals-Dilithium, which is estimated to take around 12 s to produce a single signature. The authors explained that the problems with performance arise from the fact that the signature scheme consists of both linear and nonlinear operations and that it is inefficient to switch between these representations using generic MPC techniques. However, the goal of the current work is to focus on the two-party scenario. This means that some of the difficulties in D. Cozzo and N. Smart paper can be avoided.

R. Bendlin, S. Krehbiel, and C. Peikert proposed threshold protocols for generating a hard lattice with trapdoor and sampling from the discrete Gaussian distribution using the trapdoor [27]. These two protocols are the main building blocks for the Gentry–Peikert–Vaikuntanathan (GPV) signature scheme (based on hash-and-sign paradigm), where generating a hard lattice is needed for the key generation and Gaussian sampling is needed for the signing process. M. Kansal and R. Dutta proposed a lattice-based multisignature scheme with a single round signature generation that has key aggregation and signature compression in [28]. The underlying signature scheme follows neither the hash-and-sign nor FSwA paradigms, which are the main techniques used to construct lattice-based signature schemes.

In 2020, I. Damgård, C. Orlandi, A. Takahashi, and M. Tibouchi proposed a lattice-based multisignature and distributed signing protocols that are based on the Dilithium-G signature scheme [16]. Dilithium-G is a version of the Crystals-Dilithium signature that requires sampling from a discrete Gaussian distribution [29]. The work contains complete classical security proofs for the proposed schemes. The work solves the problem with the aborted executions by using commitments such that, in the case of an abort, only commitment is published, the intermediate value itself stays secret. The proposed distributed signature scheme could potentially fit the Smart-ID framework; however, some questions need to be addressed. More precisely, the scheme is based on a modified version of Crystals-Dilithium from the NIST PQC competition project and uses Gaussian sampling. It is known that generating samples from the Gaussian distribution is nontrivial, which means that the insecure implementation may lead to side-channel attacks [30]. The open question is whether it is possible to use a version of the scheme more similar to the one being submitted to the NIST PQC competition.

3. Preliminaries

3.1. Notation

• Let $\mathbb{Z}$ be a ring of all integers. ${\mathbb{Z}}_q=\mathbb{Z}/q\mathbb{Z}$ denotes a ring of residue classes modulo q. $\mathbb{Z}\left[x\right]$ denotes a ring of polynomials in the variable x with integer coefficients.
• R denotes a quotient ring $\mathbb{Z}\left[x\right]/(x^n+1)$, where $n\in \mathbb{N}$ and $R_q$ denotes a quotient ring ${\mathbb{Z}}_q\left[x\right]/(x^n+1)$, where $n\in \mathbb{N}$.
• Polynomials are denoted in italic lowercase p. $p\in R_q$ is a polynomial of degree bound by n: $p=p_0+p_{1}x+\dots +p_{n-1}{x}^{n-1}$. It can also be expressed in a vector notation through its coefficients ($p_0,p_1,\dots ,p_{n-1}$).
• Vectors are denoted in bold lowercase $\mathbf{v}$. $\mathbf{v}\in R_q^n$ is a vector of dimension n: $\mathbf{v}=(v_0,\dots ,v_{n-1})$, where each element $v_i$ is a polynomial in $R_q$.
• Matrices are denoted in bold uppercase $\mathbf{A}$. $\mathbf{A}\in R_q^{n\times m}$ is a $n\times m$ matrix with elements in $R_q$.
• For an even positive integer $\alpha$ and for every $x\in \mathbb{Z}$, define $x^{\prime }=xmod{}^{\pm }\alpha$, as $x^{\prime }$ in the range $-\frac{\alpha }{2}<x^{\prime }\le \frac{\alpha }{2}$ such that $x^{\prime }\equiv x(mod\alpha )$. For an odd positive integer $\alpha$ and for every $x\in \mathbb{Z}$, define $x^{\prime }=xmod{}^{\pm }\alpha$, as $x^{\prime }$ in the range $-\frac{\alpha -1}{2}\le x^{\prime }\le \frac{\alpha -1}{2}$ such that $x^{\prime }\equiv x(mod\alpha )$. For any positive integer $\alpha$, define $x^{\prime }=xmod\alpha$, as $x^{\prime }$ in the range $0\le x^{\prime }<\alpha$ such that $x^{\prime }\equiv x(mod\alpha )$.
• For an element $p=p_0+p_{1}x+\dots +p_{n-1}{x}^{n-1}\in R_q$, its $l_2$ norm is defined as ${\left|\right|p\left|\right|}_2=({\sum }_i|p_i{{|}^2)}^{\frac{1}{2}}$.
• For an element $x\in {\mathbb{Z}}_q$, its infinity norm is defined as ${\left|\right|x\left|\right|}_{\infty }=|xmod{}^{\pm }q|$, where $\left|x\right|$ denotes the absolute value of the element. For an element $p=p_0+p_{1}x+\dots +p_{n-1}{x}^{n-1}\in R_q$, ${\left|\right|p\left|\right|}_{\infty }={max}_i\left|\right|p_i{\left|\right|}_{\infty }$. Similarly for an element $\mathbf{v}=(p_0,\dots ,p_n)\in R_q^n$, ${\left|\right|\mathbf{v}\left|\right|}_{\infty }={max}_i\left|\right|p_i{\left|\right|}_{\infty }$.
• $S_{\eta }$ denotes a set of all elements $p\in R$ such that ${\left|\right|p\left|\right|}_{\infty }\le \eta$.
• $a\leftarrow A$ denotes sampling an element uniformly at random from the set A.
• $a\leftarrow \chi \left(A\right)$ denotes sampling an element from the distribution $\chi$ defined over the set A.
• $\lceil x\rceil$ denotes mapping x to the least integer greater than or equal to x (e.g., $\lceil 5.2\rceil =6$).
• The symbol ⊥ is used to indicate a failure or rejection.

3.2. Definitions of Lattice Problems

Definition 1(Decisional Module-LWE ($q,n,m,\eta ,\chi$)).

Let χ be an error distribution, given a pair $(\mathbf{A},\mathbf{t})\in (R_q^{n\times m}\times R_q^n)$ decide whether it was generated uniformly at random from $R_q^{n\times m}\times R_q^n$ or it was generated as $\mathbf{A}\leftarrow R_q^{n\times m}$, (${\mathbf{s}}_1,{\mathbf{s}}_2)\leftarrow \chi (S_{\eta }^m\times S_{\eta }^n)$ and $\mathbf{t}:={\mathbf{As}}_1+{\mathbf{s}}_2$.

The advantage of adversary $\mathcal{A}$ in breaking decisional Module-LWE for the set of parameters ($q,n,m,\eta ,\chi$) can be defined as follows:

$$\begin{array}{c}{\mathrm{Adv}}_{(q,n,m,\eta ,\chi )}^{\mathrm{Dec}-\mathrm{MLWE}}\left(\mathcal{A}\right):=|\mathrm{Pr}[b=1:\mathbf{A}\leftarrow R_q^{n\times m},({\mathbf{s}}_1,{\mathbf{s}}_2)\leftarrow \chi (S_{\eta }^m\times S_{\eta }^n),\mathbf{t}:={\mathbf{As}}_1+{\mathbf{s}}_2,b\leftarrow \mathcal{A}(\mathbf{A},\mathbf{t})]\\ -\mathrm{Pr}[b=1:\mathbf{A}\leftarrow R_q^{n\times m},\mathbf{t}\leftarrow R_q^n,b\leftarrow \mathcal{A}(\mathbf{A},\mathbf{t})]|.\end{array}$$

Definition 2(Computational Module-LWE ($q,n,m,\eta ,\chi$)).

Let χ be an error distribution, given a pair $(\mathbf{A},\mathbf{t})\in (R_q^{n\times m}\times R_q^n)$, where $\mathbf{A}\leftarrow R_q^{n\times m}$, (${\mathbf{s}}_1,{\mathbf{s}}_2)\leftarrow \chi (S_{\eta }^m\times S_{\eta }^n)$, and $\mathbf{t}:={\mathbf{As}}_1+{\mathbf{s}}_2$ when finding a vector ${\mathbf{s}}_1$.

The advantage of adversary $\mathcal{A}$ in breaking computational Module-LWE for the set of parameters ($q,n,m,\eta ,\chi$) can be defined as follows:

$${\mathrm{Adv}}_{(q,n,m,\eta ,\chi )}^{\mathrm{Com}-\mathrm{MLWE}}\left(\mathcal{A}\right):=\mathrm{Pr}[{\mathbf{s}}_1={\mathbf{s}}_1^{\prime }:\mathbf{A}\leftarrow R_q^{n\times m},({\mathbf{s}}_1,{\mathbf{s}}_2)\leftarrow \chi (S_{\eta }^m\times S_{\eta }^n),\mathbf{t}:={\mathbf{As}}_1+{\mathbf{s}}_2,{\mathbf{s}}_1^{\prime }\leftarrow \mathcal{A}(\mathbf{A},\mathbf{t})].$$

Definition 3(Module-SIS ($q,n,m,\eta$)).

Given a uniformly random matrix$\mathbf{A}\leftarrow R_q^{n\times m}$, find a vector$\mathbf{x}\leftarrow R_q^{n+m}$such that$\left. [\begin{array}{c}\mathbf{A}|\mathbf{I}\end{array}\right]·\mathbf{x}=\mathbf{0}$and${0<\left|\right|\mathbf{x}\left|\right|}_{\infty }\le \eta$.

The advantage of adversary $\mathcal{A}$ in breaking Module-SIS for the set of parameters ($q,n,m,\eta$) can be defined as follows:

$${\mathrm{Adv}}_{(q,n,m,\eta )}^{\mathrm{MSIS}}\left(\mathcal{A}\right):=\mathrm{Pr}[\left. [\begin{array}{c}\mathbf{A}|\mathbf{I}\end{array}\right]·\mathbf{x}=\mathbf{0} \mathrm{and} {0<\left|\right|\mathbf{x}\left|\right|}_{\infty }\le \eta :\mathbf{A}\leftarrow R_q^{n\times m},\mathbf{x}\leftarrow \mathcal{A}\left(\mathbf{A}\right)].$$

Additionally, we define the rejected Module-LWE assumption adapted from [26].

Definition 4(Rejected Module-LWE  ( $q,n,m,\gamma ,\chi ,\beta$)).

Let χ be an error distribution, and let C be a set of all challenges. Let $\mathbf{A}\leftarrow R_q^{n\times m}$, ${\mathbf{s}}_1,{\mathbf{s}}_2\leftarrow \chi (S_{\eta }^m\times S_{\eta }^n)$, ${\mathbf{y}}_1,{\mathbf{y}}_2\leftarrow \chi (S_{\gamma -1}^m\times S_{\gamma -1}^n)$, and $c\leftarrow C$. Assume that ${\mathbf{y}}_1+c{\mathbf{s}}_1\ge \gamma -\beta$ or ${\mathbf{y}}_2+c{\mathbf{s}}_2\ge \gamma -\beta$ hold. Given $(\mathbf{A},\mathbf{w},c)$, decide whether $\mathbf{w}$ was generated uniformly at random from $R_q^n$ or it was generated as $\mathbf{w}={\mathbf{Ay}}_1+{\mathbf{y}}_2$.

The advantage of adversary $\mathcal{A}$ in breaking the rejected Module-LWE for the set of parameters ($q,n,m,\gamma ,\chi ,\beta$) can be defined as follows:

$${\mathrm{Adv}}_{(q,n,m,\gamma ,\chi ,\beta )}^{\mathrm{R}-\mathrm{MLWE}}\left(\mathcal{A}\right):=|{\mathrm{Game}}_0^{\mathrm{R}-\mathrm{MLWE}}-{\mathrm{Game}}_1^{\mathrm{R}-\mathrm{MLWE}}|.$$

${\mathrm{Game}}_0^{\mathrm{R}-\mathrm{MLWE}}:=\mathrm{Pr}[b=1:\mathbf{A}\leftarrow R_q^{n\times m},({\mathbf{s}}_1,{\mathbf{s}}_2)\leftarrow \chi (S_{\eta }^m\times S_{\eta }^n),({\mathbf{y}}_1,{\mathbf{y}}_2)\leftarrow \chi (S_{\gamma -1}^m\times S_{\gamma -1}^n),c\leftarrow C,\mathbf{w}:={\mathbf{Ay}}_1+{\mathbf{y}}_2,b\leftarrow \mathcal{A}(\mathbf{A},\mathbf{w},c)\mid {\mathbf{y}}_1+c{\mathbf{s}}_1\ge \gamma -\beta \mathrm{or}{\mathbf{y}}_2+c{\mathbf{s}}_2\ge \gamma -\beta ]$

${\mathrm{Game}}_1^{\mathrm{R}-\mathrm{MLWE}}:=\mathrm{Pr}[b=1:\mathbf{A}\leftarrow R_q^{n\times m},({\mathbf{s}}_1,{\mathbf{s}}_2)\leftarrow \chi (S_{\eta }^m\times S_{\eta }^n),({\mathbf{y}}_1,{\mathbf{y}}_2)\leftarrow \chi (S_{\gamma -1}^m\times S_{\gamma -1}^n),c\leftarrow C,\mathbf{w}\leftarrow R_q^n,b\leftarrow \mathcal{A}(\mathbf{A},\mathbf{w},c)\mid {\mathbf{y}}_1+c{\mathbf{s}}_1\ge \gamma -\beta \mathrm{or}{\mathbf{y}}_2+c{\mathbf{s}}_2\ge \gamma -\beta ]$

3.3. Forking Lemma

The following forking lemma is adapted from [31]. x can be viewed as a public key of the signature scheme, and $h_1,\dots ,h_q$ can be viewed as replies to the random oracle queries.

Lemma 1

(General forking lemma).Fix an integer $q\ge 1$ to be the number of queries. Fix set C of size $\left|C\right|\ge 2$. Let $\mathcal{B}$ be a randomised algorithm that takes as input $x,h_1,\dots ,h_q$, where $(h_1,\dots ,h_q)\in C$, and returns a pair with the first element being index i (integer in the range $\{0,\dots ,q\}$) and the second element being side output $out$. Let $\mathcal{IG}$ be a randomised input generation algorithm. Let the accepted probability of $\mathcal{B}$ be denoted as $acc$. This is the probability that $i\ne 0$ in the following experiment:

• $x\leftarrow \mathcal{IG}$
• $h_1,\dots ,h_q\leftarrow C$
• $(i,out)\leftarrow \mathcal{B}(x,h_1,\dots ,h_q)$

The forking algorithm ${\mathcal{F}}_B$ connected with $\mathcal{B}$ is defined in Algorithm 1.

Algorithm 1${\mathcal{F}}_B\left(x\right)$

1: Pick random coins ρ for $\mathcal{B}$

2: $h_1,\dots ,h_q\leftarrow C$

3: $(i,out)\leftarrow \mathcal{B}(x,h_1,\dots ,h_q;\rho )$

4: If $i=0$, then return $(0,\perp ,\perp )$

5: Regenerate $h_i^{\prime },\dots ,h_q^{\prime }\leftarrow C$

6: $(i^{\prime },ou{t}^{\prime })\leftarrow \mathcal{B}(x,h_1,\dots ,h_{i-1},h_i^{\prime },\dots ,h_q^{\prime };\rho )$

7: If $i=i^{\prime }$ and $h_i\ne h_i^{\prime }$, then return $(1,out,ou{t}^{\prime })$

8: Otherwise, return $(0,\perp ,\perp )$

Let us define the $frk$ probability as

$$frk=\mathrm{Pr}[b=1:x\leftarrow \mathcal{IG};(b,out,ou{t}^{\prime })\leftarrow {\mathcal{F}}_B\left(x\right)].$$

Then,

$$frk\ge acc·\left(\frac{acc}{q}-\frac{1}{\left|C\right|}\right).$$

Alternatively,

$$acc\le \frac{q}{\left|C\right|}+\sqrt{q·frk}.$$

3.4. Lattice-Based Signature Scheme

Lattice-based cryptography is a promising candidate for the post-quantum public key cryptography standards. Among all of the submissions to the NIST PQC competition, the majority of schemes belong to the lattice-based family [17]. Many lattice-based signatures are constructed from the identification schemes using the Fiat–Shamir (FS) transform. The FS transform technique introduced in [32] allows for creating a digital signature scheme by combining an identification scheme with a hash function.

The following definition is adapted from [13].

Definition 5(Identification scheme).

An identification scheme $ID$ is defined as a tuple of algorithms $ID:=(IGen,P,C,V).$

• The key generation algorithm $IGen$ takes as input system parameters $par$ and returns the public key and secret key as output $(pk,sk)$. Public key $pk$ defines the set of challenges C, the set of commitments W, and the set of responses Z.
• The prover algorithm $P=(P_1,P_2)$ consists of two sub-algorithms. $P_1$ takes as input the secret key and returns a commitment $w\in W$ and a state $st$. $P_2$ takes as input the secret key, a commitment, a challenge, and a state and returns a response $z\in Z\cup \{\perp \}$.
• The verifier algorithm V takes as input the public key and the conversation transcript and outputs a decision bit $b=1$ (accepted) or $b=0$ (rejected).

In the signature scheme that uses FS transform, the signing algorithm generates a transcript $(w,c,z)$, where a challenge c is derived from a commitment w and the message to be signed m as follows $c:=H\left(w\right|\left|m\right)$. The signature $\sigma =(w,z)$ is valid if the transcript $(w,c,z)$ passes the verification algorithm with $b=1$. The publication [33] introduced a generalisation to this technique called Fiat–Shamir, with aborts transformation that takes into consideration aborting provers.

The following signature scheme (further referred to as the basic scheme) is a slightly modified version of the scheme [34]; the description below is based on a version described in [13] (Appendix B). The signature scheme makes use of a hash function, which produces a vector of size n with elements in $\{-1,0,1\}$ [18]. The hashing algorithm starts with applying a collision-resistant hash function (e.g., SHAKE-256) to the input to obtain a vector $\mathbf{s}\in {\{0,1\}}^{\tau }$ from the first $\tau$ bits of the hash function’s output. Then, SampleInBall algorithm (Algorithm 1) is invoked to create a vector $\mathbf{c}$ in ${\{-1,0,1\}}^n$ with exactly $\tau$ nonzero elements. In each iteration of the for loop, the SampleInBall algorithm generates an element $j\in \{0,\dots ,i\}$ using the output of a collision-resistant hash function. Then, the algorithm performs shuffling of the elements in the vector $\mathbf{c}$ and takes an element from the vector $\mathbf{s}$ to generate $-1$ or 1. For an in-depth overview of the algorithm, refer to the original paper [18].

Algorithm 2 SampleInBall.

1: Initialise $\mathbf{c}$ as zero vector of length n

2: for $i:=n-\tau \mathrm{to}n-1$

1: $j\leftarrow \{0,1,\dots ,i\}$

2. $s\leftarrow \{0,1\}$

3. $c_i:=c_j$

4. $c_j:={(-1)}^s$

3: return $\mathbf{c}$

All of the algebraic operations in the signature scheme are performed over the ring $R_q$. A formal definition of the key generation, signing, and verification is presented in Algorithms 3–5.

Algorithm 3 KeyGen($par$).

1: $\mathbf{A}\leftarrow R_q^{k\times k}$

2: ${\mathbf{s}}_1,{\mathbf{s}}_2\leftarrow S_{\eta }^k$

3: $\mathbf{t}:={\mathbf{As}}_1+{\mathbf{s}}_2$

4: return $pk=(\mathbf{A},\mathbf{t}),sk=(\mathbf{A},\mathbf{t},{\mathbf{s}}_1,{\mathbf{s}}_2)$

Algorithm 4 Sign($sk,m$).

1: $({\mathbf{z}}_1,{\mathbf{z}}_2)=(\perp ,\perp )$

2: while $({\mathbf{z}}_1,{\mathbf{z}}_2)=(\perp ,\perp )$ do:

1: ${\mathbf{y}}_1,{\mathbf{y}}_2\leftarrow S_{{\gamma }_1-1}^k$

2. $\mathbf{w}:={\mathbf{Ay}}_1+{\mathbf{y}}_2$

3. $c:=H_0\left(m\right|\left|\mathbf{w}\right)\in B_{\tau }$

4. ${\mathbf{z}}_1:={\mathbf{y}}_1+c{\mathbf{s}}_1$ and ${\mathbf{z}}_2:={\mathbf{y}}_2+c{\mathbf{s}}_2$

5. if $\left|\right|{\mathbf{z}}_1{\left|\right|}_{\infty }\ge {\gamma }_1-\beta$ or $\left|\right|{\mathbf{z}}_2{\left|\right|}_{\infty }\ge {\gamma }_1-\beta$, then $({\mathbf{z}}_1,{\mathbf{z}}_2):=(\perp ,\perp )$

3: return $\sigma =({\mathbf{z}}_1,{\mathbf{z}}_2,c)$

Algorithm 5 Verify($pk,m,\sigma$).

1: ${\mathbf{w}}^{\prime }:={\mathbf{Az}}_1+{\mathbf{z}}_2-c\mathbf{t}$ 2: if$c=H_0\left(m\right||{\mathbf{w}}^{\prime }$) and $\left|\right|{\mathbf{z}}_1{\left|\right|}_{\infty }<{\gamma }_1-\beta$ and $\left|\right|{\mathbf{z}}_2{\left|\right|}_{\infty }<{\gamma }_1-\beta$, return 1 (success). 3: else: return 0.

Correctness

Since $\mathbf{w}={\mathbf{Ay}}_1+{\mathbf{y}}_2$, $\mathbf{t}={\mathbf{As}}_1+{\mathbf{s}}_2$, ${\mathbf{z}}_1={\mathbf{y}}_1+c{\mathbf{s}}_1$. and ${\mathbf{z}}_2={\mathbf{y}}_2+c{\mathbf{s}}_2$, it holds that

$$\begin{array}{c}{\mathbf{Az}}_1+{\mathbf{z}}_2-c\mathbf{t}=\mathbf{A}({\mathbf{y}}_1+c{\mathbf{s}}_1)+({\mathbf{y}}_2+c{\mathbf{s}}_2)-c({\mathbf{As}}_1+{\mathbf{s}}_2)=\\ {\mathbf{Ay}}_1+\mathbf{A}c{\mathbf{s}}_1+{\mathbf{y}}_2+c{\mathbf{s}}_2-c{\mathbf{As}}_1-c{\mathbf{s}}_2={\mathbf{Ay}}_1+{\mathbf{y}}_2.\end{array}$$

Therefore, if a signature was generated correctly, it will successfully pass the verification.

3.5. Homomorphic Hash Function

We decided to use a homomorphic hash function instead of a homomorphic commitment scheme as in [16].

Definition 6(Homomorphic hash function).

Let + be an operation defined over X, and let ⊕ be an operation defined over R. Let $x_1,x_2\in X$ be any two inputs to the hash function. A hash function $f:X\to R$ is homomorphic if it holds that

$$f(x_1+x_2)=f\left(x_1\right)\oplus f\left(x_2\right).$$

Definition 7(Regular hash function).

Let $\mathcal{F}={\left\{f_a\right\}}_{a\in A}$, where $f_a:X\to R$ be a collection of functions indexed by a set A. A family of hash functions $\mathcal{F}$ is called ϵ-regular if the statistical distance between its output distribution $\{(a,f_a\left(x\right)):a\leftarrow A,x\leftarrow X\}$ and the uniform distribution $\left\{\right(a,r):a\leftarrow A,r\leftarrow R\}$ is at most ϵ.

One of the homomorphic hash functions available is called SWIFFT; it is a special case of the function proposed in [35,36,37]. SWIFFT is a collection of compression functions that are provably one-way and collision-resistant [38]. Additionally, SWIFFT has several statistical properties that can be proven unconditionally: universal hashing, regularity, and randomness extraction. However, due to the linearity, SWIFFT functions are not pseudorandom. It follows that the function is not a suitable instantiation of a random oracle [38]. Therefore, in the security proofs of the two-party signature scheme, SWIFFT is not used as a random oracle. Security proof makes use of such provable properties as regularity and collision resistance.

4. Proposed Two-Party Signature Scheme (DiLizium)

In the following section, we define and give detailed description of our two-party signature scheme: DiLizium. We start by defining the distributed signature scheme; the following definition is adapted from [16].

Definition 8(Distributed signature protocol).

Distributed signature protocol is a protocol between $P_1,\dots ,P_n$ parties that consists of the following algorithms:

• Generate public parameters $par$ using security parameter λ as input: $par\leftarrow$ Setup($1^{\lambda }$).
• Each party $P_j$ generates a key pair consisting of secret key share and a public key using interactive algorithm and public parameters as input: $(s{k}_j,pk)\leftarrow$ KeyGen ${}_j\left(par\right)$ for each $j\in \{1,\dots ,n\}$.
• To sign a message m, each party $P_j$ runs an interactive signing algorithm using secret key share: $\left(\sigma \right)\leftarrow$ Sign ${}_j(s{k}_j,m)$ for each $j\in \{1,\dots ,n\}$.
• To verify a signature, the verifier needs to check if Verify($pk,m,\sigma$) = 1. If the signature was generated correctly, verification should always succeed.

4.1. Specification and Overview of DiLizium Signature Scheme

Table 1. Parameters for the two-party protocol.

Parameter	Description
n	degree bound of the polynomials in the ring
q	modulus
$(k,k)$	dimension of matrix and vectors used in the scheme
$\gamma$	size bound of the coefficients in the masking vector share
${\gamma }_2$	size bound of coefficients in the composed masking vector
$\eta$	size bound of coefficients in the secret key share
$\tau$	number on nonzero elements in the output of special hash function $H_0$
$\beta$	maximum possible coefficient of the client’s and server’s shares of $c{\mathbf{s}}_i$, where $i\in \{1,2\}$
${\beta }_2$	maximum possible coefficient of $c{\mathbf{s}}_i$, where $i\in \{1,2\}$
$(a,b,p)$	parameters for the homomorphic hash function: $a·b$ is the input length, b is the output length, and p is the modulus

describes the parameters used in the two-party signature scheme.

4.1.1. Parameter Setup

Let us assume that, before starting the key generation and signing protocols, the parties invoke a Setup($1^{\lambda }$) function that, based on the security parameter $\lambda$, outputs a set of public parameters $par$ that are described in Table 1.

4.1.2. Key Generation

$H_1$ and $H_2$ are some collision-resistant hash functions. The key generation protocol is parametrised by the set of public parameters $par$. The client begins the key generation process by sampling a share of matrix ${\mathbf{A}}_c$ and by sending out the commitment to this share $h{k}_c=H_1\left({\mathbf{A}}_c\right)$. The server generates its matrix share ${\mathbf{A}}_s$ and sends commitment $h{k}_s$ to the client. Upon receiving commitments, the client and server exchange matrix shares and check if the openings for the commitments were correct. If openings are successfully verified, the client and server locally compute composed matrix $\mathbf{A}={\mathbf{A}}_c+{\mathbf{A}}_s$.

The client proceeds by generating two secret vectors (${\mathbf{s}}_1^c$, ${\mathbf{s}}_2^c$) and by computing its share of the public key ${\mathbf{t}}_c={\mathbf{As}}_1^c+{\mathbf{s}}_2^c$. The client sends out a commitment to the public key share $com{k}_c=H_2\left({\mathbf{t}}_c\right)$. The server samples its secret vectors (${\mathbf{s}}_1^s$, ${\mathbf{s}}_2^s$) and uses them to compute its public key share ${\mathbf{t}}_s$. Next, the server sends commitment to the public key share $com{k}_s$ to the client.

Once the client and server have received commitments from each other, the client and server exchange public key shares. Next, the client and server both locally check if the commitments were opened correctly. If these checks succeed, the client and server locally compute the composed public key $\mathbf{t}={\mathbf{t}}_c+{\mathbf{t}}_s$. The final public key consists of composed matrix $\mathbf{A}$ and vector $\mathbf{t}$.

It is necessary to include the server’s public key share ${\mathbf{t}}_s$ to the client’s secret key $s{k}_c$ and vice versa. During the signing process, the client needs to use the server’s public key share to verify the correctness of a commitment.

Protocol 1 describes two-party key generation between the parties in a more formal way. Instructions of the protocol are the same for the client and server. Therefore, Protocol 1 presents the behavior of the nth party, $n\in \{c,s\}$.

4.1.3. Signing

$HomH$ is a homomorphic hash function from the SWIFFT family. $H_0$ is a hash function that outputs a vector of length n with exactly $\tau$ coefficients being either $-1$ or 1 and the rest being 0 as described in Algorithm 2. $H_3$ is a collision-resistant hash function.

The client starts the signing process by generating its shares of masking vectors (${\mathbf{y}}_1^c,{\mathbf{y}}_2^c$) and by computing a share of $\mathbf{w}$. Next, the client uses a homomorphic hash function to compute $co{m}_c=HomH\left({\mathbf{w}}_c\right)$ and hashes it using some collision-resistant hash function $h_c=H_3\left(co{m}_c\right)$. The composed output of the homomorphic hash function $com=co{m}_c+co{m}_s$ is later used to derive a challenge. Therefore, it is crucial to ensure that $co{m}_c,co{m}_s$ have not been chosen maliciously. Thus, before publishing these shares, the client and server should exchange commitments to the shares $h_c,h_s$.

The server, in turn, generates its shares of masking vectors (${\mathbf{y}}_1^s,{\mathbf{y}}_2^s$), computes its share of $\mathbf{w}$, and sends commitment to $co{m}_s=HomH\left({\mathbf{w}}_s\right)$. After receiving commitments $h_c,h_s$ from each other, the client and server open the commitments by sending out shares $co{m}_s,co{m}_c$.

The client proceeds by checking if the server opened its commitment correctly. If the check succeeds, the client computes $com=co{m}_c+co{m}_s$ and derives challenge $c=H_0\left(m\right|\left|com\right)$. Next, the client computes potential signature shares $({\mathbf{z}}_1^c,{\mathbf{z}}_2^c)$ and performs rejection sampling. If all of the conditions in rejection sampling are satisfied, the client sends its signature share to the server.

The server checks if the client opened its commitment correctly. If the check succeeds, the server computes composed $com$ and derives challenge c. Next, the server computes its potential signature shares $({\mathbf{z}}_1^s,{\mathbf{z}}_2^s)$ and performs rejection sampling. If all of the conditions in rejection sampling are satisfied, the server sends its signature share to the client.

Finally, the client performs verification if $co{m}_s$ indeed contains ${\mathbf{w}}_s$. The client reconstructs ${\mathbf{w}}_s$ as ${\mathbf{Az}}_1^s+{\mathbf{z}}_2^s-c{\mathbf{t}}_s$ and checks if it is a valid opening for $co{m}_s$. If the check succeeds, the client computes the final signature $({\mathbf{z}}_1,{\mathbf{z}}_2)$. The server performs the same verification that $co{m}_c$ indeed contains ${\mathbf{w}}_c$ using $({\mathbf{z}}_1^c,{\mathbf{z}}_2^c)$ and ${\mathbf{t}}_c$. If the check succeeds, the server computes and outputs the final signature.

Protocol 2 describes the two-party signing process in the more formal way.

4.1.4. Verification

Verification is almost the same as in the original scheme except the verifier needs to apply homomorphic hash function on the reconstructed ${\mathbf{w}}^{\prime }$ in order to check the correctness of challenge. Algorithm 6 describes verification in the more formal way.

4.1.5. Correctness

Since $\mathbf{w}={\mathbf{Ay}}_1+{\mathbf{y}}_2$, $\mathbf{t}={\mathbf{As}}_1+{\mathbf{s}}_2$, ${\mathbf{z}}_1={\mathbf{y}}_1+c{\mathbf{s}}_1$ and ${\mathbf{z}}_2={\mathbf{y}}_2+c{\mathbf{s}}_2$ it holds that:

${\mathbf{Az}}_1+{\mathbf{z}}_2-c\mathbf{t}=\mathbf{A}({\mathbf{y}}_1+c{\mathbf{s}}_1)+({\mathbf{y}}_2+c{\mathbf{s}}_2)-c({\mathbf{As}}_1+{\mathbf{s}}_2)={\mathbf{Ay}}_1+\mathbf{A}c{\mathbf{s}}_1+{\mathbf{y}}_2+c{\mathbf{s}}_2-c{\mathbf{As}}_1-c{\mathbf{s}}_2={\mathbf{Ay}}_1+{\mathbf{y}}_2$.

Furthermore, by triangle inequality, it holds that if $\left|\right|{\mathbf{z}}_1^s{\left|\right|}_{\infty }<\gamma -\beta$ and $\left|\right|{\mathbf{z}}_1^c{\left|\right|}_{\infty }<\gamma -\beta$, then $\left|\right|{\mathbf{z}}_1{\left|\right|}_{\infty }=\left|\right|{\mathbf{z}}_1^s+{\mathbf{z}}_1^c{\left|\right|}_{\infty }<\left|\right|{\mathbf{z}}_1^s{\left|\right|}_{\infty }+\left|\right|{\mathbf{z}}_1^c{\left|\right|}_{\infty }=2\gamma -2\beta$. The same holds for the second signature component ${\mathbf{z}}_2$. This means that ${\gamma }_2$ can be defined as ${\gamma }_2=2\gamma$ and ${\beta }_2=2\beta$. Therefore, if a signature was generated correctly, verification always succeed.

Algorithm 6 Verify($pk,\sigma ,m$)

1: Compute ${\mathbf{w}}^{\prime }:={\mathbf{Az}}_1+{\mathbf{z}}_2-c\mathbf{t}$.

2: if $c=$ H($m\left|\right|HomH\left({\mathbf{w}}^{\prime }\right)$) and $\left|\right|{\mathbf{z}}_1{\left|\right|}_{\infty }<{\gamma }_2-{\beta }_2$ and $\left|\right|{\mathbf{z}}_2{\left|\right|}_{\infty }<{\gamma }_2-{\beta }_2$: return 1 (success).

3: else: return 0.

Security

Definition 9 (Existential Unforgeability under Chosen Message Attack).

The distributed signature protocol is Existentially Unforgeable under Chosen Message Attack (DS-UF-CMA) if, for any probabilistic polynomial time adversary $\mathcal{A}$, its advantage of creating successful signature forgery is negligible. The advantage of adversary is defined as the probability of winning in the experiment ${\mathit{Exp}}^{\mathit{DS}-\mathit{UF}-\mathit{CMA}}$:

$${\mathit{Adv}}^{\mathit{DS}-\mathit{UF}-\mathit{CMA}}\left(\mathcal{A}\right):=\mathit{Pr}[{\mathit{Exp}}^{\mathit{DS}-\mathit{UF}-\mathit{CMA}}\left(\mathcal{A}\right)\to 1].$$

Theorem 1.

Assume a homomorphic hash function $HomH:{\{0,1\}}^{a·b}\to {\mathbb{Z}}_p^b$ is provably collision-resistant and ϵ-regular then for any probabilistic polynomial time adversary $\mathcal{A}$ that makes a single query to the key generation oracle; $q_s$ queries to the signing oracle; and $q_h$ queries to the random oracles $H_0,H_1,H_2,$ and $H_3$, the distributed signature protocol is DS-UF-CMA secure in the random oracle model under Module-LWE, rejected Module-LWE, and Module-SIS assumptions.

This section presents the main idea for the security proof of the proposed scheme; the full proof is given in Appendix A. The proof considers only the classical adversary and relies on the forking lemma. The idea of the proof is, given an adversary $\mathcal{A}$ that succeeds in creating forgeries for the distributed signature protocol, to construct an algorithm around it that can be used to solve Module-SIS problem or to break the collision resistance of the homomorphic hash function. The idea of our proof relies on the proofs from [7,16,31,39].

The proof consists of two major steps. In the first step, we construct a simulator $\mathcal{B}$. Algorithm $\mathcal{B}$ is constructed such that it fits all of the assumptions of the forking lemma. $\mathcal{B}$ simulates the behavior of a single honest party $P_n$ without using its actual secret key share. In the second step, the forking algorithm is invoked to obtain two forgeries with distinct challenges and the same commitments.

4.1.6. Simulation

In the key-generation process, we need to simulate the way the matrix share ${\mathbf{A}}_n$ and the public vector share ${\mathbf{t}}_n$ are constructed. Due to the use of random oracle commitments, once the simulator obtains the adversary’s commitment $h{k}_i$, it can extract the matrix share ${\mathbf{A}}_i$. Next, the simulator computes its matrix share ${\mathbf{A}}_n:=\mathbf{A}-{\mathbf{A}}_i$ using a resulting random matrix $\mathbf{A}\in R_q^{k\times k}$ and programs random oracle $H_1\left({\mathbf{A}}_n\right):=h{k}_n$.

Due to the Module-LWE assumption, the public vector share of the honest party ${\mathbf{t}}_n$ is indistinguishable from the uniformly random vector sampled from the ring $R_q^k$. Using the same strategy as that for the matrix share, the simulator sets it public vector share ${\mathbf{t}}_n:=\mathbf{t}-{\mathbf{t}}_i$ after seeing the adversary’s commitment and programs the random oracle $H_2\left({\mathbf{t}}_n\right):=com{k}_n$.

The signature share generation starts with choosing a random challenge $c\in C$ from the set of all possible challenges. Then, the simulator proceeds with randomly sampling two signature shares from the set of all possible signature shares ${\mathbf{z}}_1^n,{\mathbf{z}}_2^n\leftarrow S_{\gamma -\beta -1}^k$. The share of vector $\mathbf{w}$ is computed from the signature shares, public vector share, and challenge as ${\mathbf{w}}_n={\mathbf{Az}}_1^n+{\mathbf{z}}_2^n-c{\mathbf{t}}_n$. Then, the simulator extracts value $co{m}_i$ from the adversary’s commitment $h_i$, computes the composed value $com$, and programs random oracle $H_0\left(com\right|\left|m\right):=c$.

4.1.7. Forking Lemma

The combined public key consists of matrix $\mathbf{A}$ uniformly distributed in $R_q^{k\times k}$ and vector $\mathbf{t}$ uniformly distributed in $R_q^k$. We want to replace it with the Module-SIS instance $\left. [\begin{array}{c}{\mathbf{A}}^{\prime }|\mathbf{I}\end{array}\right]$, where ${\mathbf{A}}^{\prime }\in R_q^{k\times (k+1)}$. The view of adversary does not change if we set ${\mathbf{A}}^{\prime }=\left. [\begin{array}{c}\mathbf{A}|\mathbf{t}\end{array}\right]$.

In order to conclude the proof, we need to invoke the forking lemma to receive two valid forgeries from the adversary that are constructed using the same commitment $com=co{m}^{\prime }$ but different challenges $c\ne c^{\prime }$. Using these forgeries, it is possible to find a solution to the Module-SIS problem on input ${\mathbf{A}}^{\prime }=\left. [\begin{array}{c}\mathbf{A}|\mathbf{t}\end{array}\right]$ or to break the collision resistance of the homomorphic hash function.

As both forgeries $out=(com,c,{\mathbf{z}}_1,{\mathbf{z}}_2,m)$ and $ou{t}^{\prime }=(co{m}^{\prime },c^{\prime },{\mathbf{z}}_1^{\prime },{\mathbf{z}}_2^{\prime },m^{\prime })$ are valid, it holds that

$$HomH({\mathbf{Az}}_1+{\mathbf{z}}_2-c\mathbf{t})=com=co{m}^{\prime }=HomH({\mathbf{Az}}_1^{\prime }+{\mathbf{z}}_2^{\prime }-c^{\prime }\mathbf{t})$$

If ${\mathbf{Az}}_1+{\mathbf{z}}_2-c\mathbf{t}\ne {\mathbf{Az}}_1^{\prime }+{\mathbf{z}}_2^{\prime }-c^{\prime }\mathbf{t}$, then we found a collision for the homomorphic hash function. If ${\mathbf{Az}}_1+{\mathbf{z}}_2-c\mathbf{t}={\mathbf{Az}}_1^{\prime }+{\mathbf{z}}_2^{\prime }-c^{\prime }\mathbf{t}$, then it can be rearranged as ${\mathbf{Az}}_1-{\mathbf{Az}}_1^{\prime }+{\mathbf{z}}_2-{\mathbf{z}}_2-c\mathbf{t}+c^{\prime }\mathbf{t}=\mathbf{0}$ and this in turn leads to

$$\left. [\begin{array}{c}\mathbf{A}\left|\mathbf{I}\right|\mathbf{t}\end{array}\right]\left. [\begin{array}{c}{\mathbf{z}}_1-{\mathbf{z}}_1^{\prime }\\ {\mathbf{z}}_2-{\mathbf{z}}_2^{\prime }\\ c^{\prime }-c\end{array}\right]=\mathbf{0}$$

Considering that $\left. [\begin{array}{c}\mathbf{A}\left|\mathbf{I}\right|\mathbf{t}\end{array}\right]$ is an instance of Module-SIS problem, we found a solution for Module-SIS with parameters $(q,k,k+1,\xi )$, where $\xi \le 2({\gamma }_2-{\beta }_2)$.

5. Performance

In this section, we analyse the performance of our scheme according to the following metrics:

• Number of communication rounds in key generation and signing protocols,
• Keys and signature sizes, and
• Number of rejection sampling rounds.

It should be noted that this section does not present the exact parameter choice for the scheme and does not argue the bit security of the scheme for these parameters. The parameter choice presented in this section is illustrative and is given to provide performance estimations of the proposed scheme. Choosing correct parameters for post-quantum schemes is a nontrivial multidimensional optimisation task as parameters should be chosen such that the scheme has the small signature and key sizes while having enough bits of security and an optimal number of communication rounds. Additionally, the security of the proposed scheme relies on rejected Module-LWE, which is not a well-studied assumption, and therefore, it is difficult to estimate the bit security of the proposed scheme. The parameters presented in

Table 2. Illustrative parameters.

Parameters	Sizes
n	256
q	8,380,417
$(k,k)$	(5, 5)
$\gamma$	$2^{19}$
${\gamma }_2$	$2^{20}$
$\eta$	2
$\tau$	60
$\beta$	120
${\beta }_2$	240
$(a,b,p)$	$(64,16,257)$

are chosen based on parameters proposed in Crystals-Dilithium [18] so that the expected number of repetitions of the signing process is practical.

5.1. Number of Rejection Sampling Rounds

To estimate the number of rejection sampling rounds in the signing process, it is necessary to compute the probability that the following holds for both parties: $\left|\right|{\mathbf{z}}_1^n{\left|\right|}_{\infty }<\gamma -\beta$ and $\left|\right|{\mathbf{z}}_2^n{\left|\right|}_{\infty }<\gamma -\beta$. Let $\sigma$ be a coefficient of $c{\mathbf{s}}_i^n$. If coefficients of ${\mathbf{y}}_i^n$ are in the range $\{-\gamma +\beta +1-\sigma ,\dots ,\gamma -\beta -1-\sigma \}$, then the corresponding coefficients of ${\mathbf{z}}_i^n$ are in the range $\{-\gamma +\beta +1,\dots ,\gamma -\beta -1\}$. Therefore, the size of the correct coefficient range for ${\mathbf{y}}_i^n$ is $2(\gamma -\beta )-1$ and the coefficients of ${\mathbf{y}}_i^n$ have $2\gamma -1$ possibilities. Then, the probability that every coefficient of ${\mathbf{y}}_i^n$ in the correct range is as follows:

$${\left(\frac{2(\gamma -\beta )-1}{2\gamma -1}\right)}^{n·k}$$

As the client and server sample vectors ${\mathbf{y}}_i^n$ independently in the beginning of the signing protocol, the probability that the check succeeds for both signature components on the client and server side is the following:

$$\mathrm{Pr}\left[\mathrm{success}\right]={\left(\frac{2(\gamma -\beta )-1}{2\gamma -1}\right)}^{n·k·4}$$

The expected number of repetitions can be estimated as $E=1/\mathrm{Pr}\left[\mathrm{success}\right]$.

5.2. Signature and Key Sizes

The public key consists of two components: matrix $\mathbf{A}\in R_q^{k\times k}$ and vector $\mathbf{t}\in R_q^k$. The matrix $\mathbf{A}$ can be generated out of 256-bit seed using an extendable output function, as proposed in the Crystals-Dilithium signature scheme [18]. While using this approach, only the seed used to generate the matrix needs to be stored. As both parties need to generate their matrix share, two seeds should be stored to represent matrix $\mathbf{A}$. Each seed is converted to the matrix form using an extendable output function; after that, two matrix shares can be added together. The size of the public key in bytes is as follows:

$$\frac{2·256+n·k·\lceil log\left(q\right)\rceil }{8}.$$

The secret key of the party $P_n$ consists of two vectors ${\mathbf{s}}_1^n$, ${\mathbf{s}}_2^n\in S_{\eta }^k$, matrix $\mathbf{A}$, and vector ${\mathbf{t}}_i\in R_q^k$. It should be noted that vectors ${\mathbf{s}}_1^n$, ${\mathbf{s}}_2^n$ may contain negative values as well, so one bit should be reserved for each coefficient to indicate the sign. Therefore, the size of the secret key in bytes can be computed as follows:

$$\frac{2·n·k·(\lceil log(\eta )\rceil +1)+2·256+n·k·\lceil log\left(q\right)\rceil }{8}=\frac{n·k·(2·(\lceil log\left(\eta \right)\rceil +1)+\lceil log(q)\rceil )+2·256}{8}.$$

Finally, a signature consists of three components: ${\mathbf{z}}_1,{\mathbf{z}}_2\in S_{{\gamma }_2-{\beta }_2-1}^k$, and $c\in {\{0,1\}}^n$ with exactly $\tau$ coefficients being either $-1$ or 1 and the rest being 0. All of the components may contain negative values, so for each coefficient of ${\mathbf{z}}_1,{\mathbf{z}}_2,$c one bit should be reserved to indicate the sign. With regard to storing c, it is possible to store only the positions of $-1$ and 1 in c. Therefore, the size of the signature in bytes can be computed as

$$\frac{2·n·k·(\lceil log({\gamma }_2-{\beta }_2-1)\rceil +1)+\tau ·(\lceil log\left(n\right)\rceil +1)}{8}.$$

In order to better understand key and signature sizes, let us assume the choice of parameters defined in Table 2. The key and signature sizes corresponding to this choice of parameters are listed in

Table 3. Key and signature sizes and expected number of repetitions of the signing protocol.

Values	Sizes
Public key $pk$	3744 bytes
Secret key share $s{k}_i$	4384 bytes
Signature $\sigma$	6788 bytes
Expected number of repetitions	3.23

.

5.3. Communication between Client and Server

In order to generate a key pair, four rounds of communication between the client and server are needed.

Table 4. Message sizes in the key generation process.

Messages	Sizes
First message $h{k}_i$	256 bits
Second message ${\mathbf{A}}_i$ (as seed)	256 bits
Third message $com{k}_i$	256 bits
Fourth message ${\mathbf{t}}_i$	3680 bytes

shows the sizes of messages that are exchanged between the client and server during the key generation process using illustrative parameters from Table 2. The first message is output of a hash function (commitment to matrix ${\mathbf{A}}_i$), which consists of 256 bits. The second message contains not the matrix share itself but the seed of 256 bits that was use to generate it. The third message is output of a hash function (commitment to vector ${\mathbf{t}}_i$), which consists of 256 bits. The fourth message is the share of public key ${\mathbf{t}}_i$, the size of which is $\frac{n·k·\lceil log\left(q\right)\rceil }{8}$ bytes.

The number of communication rounds during the signing process depends on the number of rejections E. If there are no rejections, the signature generation process requires three rounds of communication between the client and server. For E rejections, the number of communication rounds equals to $2E+1$.

Table 5. Message sizes in the signing process.

Messages	Sizes
First message $\left(h_i\right)$	256 bits
Second message $co{m}_i$	1920 bytes
Third message $({\mathbf{z}}_1^i,{\mathbf{z}}_2^i)$	6080 bytes

shows the sizes of messages exchanged between the client and server during the signing process using illustrative parameters from Table 2. The first message is output of a hash function (commitment to $co{m}_i$), which consists of 256 bits. The size of the second message in the signing process $co{m}_i$ is caused by the structure of SWIFFT hash function. To calculate $HomH\left({\mathbf{w}}_i\right)$, the vector ${\mathbf{w}}_i$ that consists of $nk$ elements is divided into 15 input blocks of 256 bytes each. The output produced by the homomorphic hash function consists of 15 blocks of 128 bytes each. The third message consists of the signature shares $({\mathbf{z}}_1^i,{\mathbf{z}}_2^i)$, the size of which is $\frac{2·n·k·(\lceil log({\gamma }_2-{\beta }_2-1)\rceil +1)}{8}$ bytes.

6. Comparison to Prior Work

Table 6. Comparison with prior work.

	Functionality	Paradigm	Rounds	Security
Bendlin et al. [27]	t-out-of-n	Hash-and-Sign	1	Gentry et al. [41]
Boneh et al. [40]	t-out-of-n	Any (Universal Thresholdizer)	1	LWE
Dåmgard et al. [16] $D{S}_2$	n-out-of-n	FSwA	2	MLWE
Dåmgard et al. [16] $D{S}_3$	n-out-of-n	FSwA	3	MLWE, MSIS
Our protocol (DiLizium)	2-out-of-2	FSwA	3	MLWE, MSIS, R-MLWE

presents the comparison of our scheme DiLizium with other lattice-based threshold signature schemes [16,27,40]. Column “Rounds” shows the number of communication rounds in signing protocol; for the schemes with rejection sampling, it is assumed that the rejection sample passes from the first attempt. We also provide a more detailed comparison with [16], due to the fact both works are based on variants of Crystals-Dilithium and have a similar structure. We leave out the comparison with publications [21,22,23,24,25,26] as these discuss multisignatures instead of threshold.

The threshold signature schemes from [16] are based on Dilithium-G, which is a version of Crystals-Dilithium that uses sampling from a discrete Gaussian distribution for the generation of secret vectors. The usage of Gaussian distribution helps to decrease the number of rejections in signature schemes that follow the FSwA paradigm [16]. However, the implementation of sampling from a discrete Gaussian distribution in a manner secure against side-channel attacks is considered difficult. Therefore, in our scheme, we decided to use sampling from a uniform distribution.

Due to the structure of our scheme, we use a non-standard security assumption that was introduced in [26]. In future work, we aim to modify security proof such that it will no longer be needed to rely on rejected Module-LWE. The security of threshold signature scheme from [16] relies only on standard problem: Module-LWE and Module-SIS.

Additionally, we compare the message sizes of Dåmgard et al. [16] $D{S}_3$ with our scheme. Since this paper [16] does not provide an instantiation of parameters, we use the recommended parameters for Dilithium-G from [29] for the signature scheme. We only changed the modulus q, since by Theorem 4 [16], q should satisfy $q=5mod8$. We selected parameters for the homomorphic commitment scheme based on the third parameter set from Baum et al. [42] (Table 2) such that the conditions from Lemma 5 and Lemma 7 are satisfied.

Table 7. Illustrative parameters for Dåmgard et al. $D{S}_3$ [16].

Parameters for Signature Scheme	Description	Sizes
n	The degree bound of the polynomials in the ring	256
$q_{sig}$	Modulus	8,380,781
$(k_{sig},l)$	Dimension of matrix and vectors	(4, 4)
$\eta$	Size bound of coefficients in the secret key share	5
$\tau$	Number on non-zero elements in the output of hash function $H_0$	60
${\sigma }_{sig}$	Standard deviation of the Gaussian distribution	≈17,900
$B_{sig}$	The maximum $l_2$ norm of signature share ${\mathbf{z}}_j\in R_{q_{sig}}^{l+k_{sig}}$	≈990,000

and

Table 8. Illustrative parameters for Dåmgard et al. [16] statistically binding commitment scheme.

Parameters for Commitment Scheme	Description	Sizes
N	The degree bound of the polynomials in the ring	1024
$q_{com}$	Modulus	≈2${}^{55}$
$(m,m^{\prime },k_{com})$	Dimension of matrices and vectors	(6, 9, 1)
${\sigma }_{com}$	Standard deviation of the Gaussian distribution	≈46,000
$B_{com}=4{\sigma }_{com}\sqrt{m^{\prime }N}$	The maximum $l_2$ of commitment opening ${\mathbf{r}}_j\in R_{q_{com}}^{m^{\prime }}$	≈17,664,000

present parameters that are needed to compute message sizes. We only provide a comparison of messages sent during the signing process because messages exchanged during the key generation process are similar in both schemes (

Table 9. Illustrative comparison of DiLizium and Dåmgard et al. $D{S}_3$ message sizes.

Messages	DiLizium	Dåmgard et al. ${\mathit{DS}}_3$
First message	256 bits	256 bits
Second message	1920 bytes	197,120 bytes
Third message	6080 bytes	125,184 bytes

).

The first message is the output of a hash function (commitment to $co{m}_n$), which consists of 256 bits. The second message is a commitment $co{m}_n$. The homomorphic commitment scheme defined in Dåmgard et al. [16] (Figure 7) describes a commitment to a single ring element $w\in R_q$. In order to commit to a vector $\mathbf{w}\in R_q^k$, it is proposed to commit to each vector element separately. Therefore, the byte size of the second message can be computed as $\frac{k_{sig}·N·(m+k_{com})·\lceil log\left(q_{com}\right)\rceil }{8}$. The third message consists of a signature share ${\mathbf{z}}_n$ and an opening for the commitment ${\mathbf{r}}_n$. We know that, for a valid signature share, it holds that $\left|\right|{\mathbf{z}}_n{\left|\right|}_2\le B_{sig}$ and we know that ${\left|\right|x\left|\right|}_{\infty }\le {\left|\right|x\left|\right|}_2$. The signature share may contain negative values, so for each coefficient of ${\mathbf{z}}_n$, one bit should be reserved to indicate the sign. Therefore, the approximate byte size of the signature share is $\frac{n·(l+k_{sig})·(\lceil log\left(B_{sig}\right)\rceil +1)}{8}$. For a valid opening, it holds that $\left|\right|{\mathbf{r}}_n{\left|\right|}_2\le B_{com}$. The value ${\mathbf{r}}_n$ also may contain negative values, so for each coefficient of ${\mathbf{r}}_n$, one bit should be reserved to indicate the sign. The approximate byte size of the commitment opening is $\frac{k_{sig}·N·m^{\prime }·(\lceil log\left(B_{com}\right)\rceil +1)}{8}$.

From Table 9, we can see that the size of the second and the third messages in Dåmgard et al.’s $D{S}_3$ scheme is much larger than that in DiLizium. The reason is that scheme $D{S}_3$ Dåmgard et al. uses lattice-based homomorphic commitments. For the signature scheme to be secure, it was required to have statistical binding. Parameters that guarantee statistical binding are not very practical; however, there may exist optimal parameter choice.

Currently, it is not possible to provide a more detailed comparison of the efficiency of these schemes. The main reason is that neither of the works have a reference implementation yet. Therefore, we leave the implementation of the proposed scheme and a detailed comparison for future research.

7. Conclusions

Nowadays, threshold signature schemes have a variety of practical applications. There are several efficient threshold versions of the RSA and (EC)DSA signature schemes that are used in practice. However, threshold instantiations of post-quantum signature schemes are less researched. Previous researches have demonstrated that creating threshold post-quantum signatures is a highly non-trivial task. Some of the proposed schemes yield inefficient implementation, while others have incomplete security proofs.

In this work, we presented a new lattice-based two-party signature scheme: DiLizium. Our construction uses the SWIFFT homomorphic hash function to compute commitment in the signing process. We provide security proof for our scheme in the classical random oracle model under the Module-LWE, rejected Module-LWE, and Module-SIS assumptions. The proposed scheme can potentially substitute distributed RSA and ECDSA signature schemes in authentication applications such as Smart-ID [11]. This would allow for using these applications even in the quantum computing era.

Compared with the scheme proposed in [16], this work does not use sampling from the discrete Gaussian distribution and does not use a lattice-based homomorphic commitment scheme. In the key generation and signing processes, our scheme uses uniform sampling, which facilitates secure implementations in the future.

The security proof of the proposed scheme is based on non-standard security assumption: rejected Module-LWE. Removing this assumption from the security proof is an important part of future work. Furthermore, the concept of homomorphic hash functions is new and has not been properly studied yet. We aim to research the properties and usage of homomorphic hash functions more deeply in future work. The implementation of the proposed scheme and the exact choice of parameters for this implementation is left for future research, which may also involve optimisation of the size of keys and signature, and security proof against the quantum adversary.