Next Article in Journal
Flexible and Efficient Inference with Particles for the Variational Gaussian Approximation
Next Article in Special Issue
The Ring-LWE Problem in Lattice-Based Cryptography: The Case of Twisted Embeddings
Previous Article in Journal
Qubit-Based Clock Synchronization for QKD Systems Using a Bayesian Approach
Previous Article in Special Issue
Lattice-Based Logarithmic-Size Non-Interactive Deniable Ring Signatures
 
 
Font Type:
Arial Georgia Verdana
Font Size:
Aa Aa Aa
Line Spacing:
Column Width:
Background:
Article

DiLizium: A Two-Party Lattice-Based Signature Scheme

by
Jelizaveta Vakarjuk
1,2,*,
Nikita Snetkov
1,2 and
Jan Willemson
1
1
Cybernetica AS, Mäealuse 2/1, 12618 Tallinn, Estonia
2
STACC OÜ, Narva mnt 20, 51009 Tartu, Estonia
*
Author to whom correspondence should be addressed.
Entropy 2021, 23(8), 989; https://doi.org/10.3390/e23080989
Submission received: 11 June 2021 / Revised: 28 July 2021 / Accepted: 28 July 2021 / Published: 30 July 2021

Abstract

:
In this paper, we propose DiLizium: a new lattice-based two-party signature scheme. Our scheme is constructed from a variant of the Crystals-Dilithium post-quantum signature scheme. This allows for more efficient two-party implementation compared with the original but still derives its post-quantum security directly from the Module Learning With Errors and Module Short Integer Solution problems. We discuss our design rationale, describe the protocol in full detail, and provide performance estimates and a comparison with previous schemes. We also provide a security proof for the two-party signature computation protocol against a classical adversary. Extending this proof to a quantum adversary is subject to future studies. However, our scheme is secure against a quantum attacker who has access to just the public key and not the two-party signature creation protocol.

1. Introduction

Ever since Peter Shor proposed an algorithm that was able to efficiently break most of the classical asymmetric cryptographic primitives such as RSA or ECDSA in the 1990s [1,2], research has been conducted to find quantum-resistant replacements. This work has recently been coordinated by the U.S. National Institute of Standards and Technology (NIST). In 2016, NIST announced an effort to standardise some of the proposed public key encryption algorithms, key-establishment algorithms, and signature schemes [3].
The primary focus of NIST is to obtain drop-in replacements for the current standardised primitives in order to ease the transition. However, not all of the current application areas are covered by the standardisation process.
One important class of examples is threshold signatures. In a ( t , n )-threshold scheme, the secret key is shared between n users/devices. To create a valid signature, a subset of t users/devices should collaborate and use their secret key shares. Over the years, threshold versions of a number of major cryptographic algorithms including RSA and (EC)DSA have been studied [4,5,6,7,8]. Recent interest in threshold versions of ECDSA has been influenced by applications in blockchains. However, our motivation stems more from server-assisted RSA signatures, as proposed in the scheme by Buldas et al. [9]. This scheme has been implemented in a Smart-ID mobile application and was recognised as a qualified signature creation device (QSCD) in November 2018 [10]. In 2021, the number of Smart-ID users in the Baltic countries was estimated at 2.9 million [11].
In 2019, D. Cozzo and N. Smart analysed a number of NIST post-quantum standardisation candidates and concluded that none of them provide a threshold implementation that would be comparable in efficiency to threshold RSA or even ECDSA [12].
The goal of this research is to find a suitable version of one of the NIST signature candidates (Crystals-Dilithium) that would allow for a more efficient two-party implementation but would still provide post-quantum security. From this, we propose a concrete/specific two-party signature scheme and prove its security in this paper.
To be able to compute the private key or a signature forgery having access only to the public key, the attacker would need to solve Module Learning With Errors, Rejected Module Learning With Errors, and Module Short Integer Solution problems. These are considered hard even for quantum computers. We present security proof for the two-party signing protocol itself; however, it only provides security against a classical attacker. Extending the proof to cover quantum attackers is a task for future work.

Contributions

In this paper, we construct DiLizium, a lattice-based two-party signature scheme that follows the Fiat–Shamir with Aborts (FSwA) paradigm, and prove the security of the proposed scheme in the classical random oracle model. The security of the proposed signature scheme relies on the hardness of solving the Module-LWE and Module-SIS problems. Our two-party signature protocol is based on the scheme described in the paper by Kiltz et al., Appendix B [13]. Initially, we attempted to construct a two-party version of the Crystals-Dilithium digital signature submitted to the NIST PQC completion. However, we concluded that there are no straightforward approaches for modification thereof to the distributed version. Solutions require using a two-party computation protocol, which increases not only the signing time but also the communication complexity. The simplified version of the Crystals-Dilithium scheme from [13] is easier to work with because there are no additional bit decomposition algorithms used. Having a bit decomposition protocol would require an additional secure two-party computation protocol that would allow client and server to jointly compute high-order bits without revealing their private intermediate values. That would lead to an increased number of communication rounds and usage of additional security assumptions.
Additionally, DiLizium scheme does not require sampling from a discrete Gaussian distribution. We decided to use the scheme with uniform distribution because the Gaussian distribution is known to be hard to implement securely [14,15]. Our work follows the approach from [16], but instead of using homomorphic commitments, we decided to use the homomorphic hash function. We wanted to find an alternative to the commitment scheme introduced in [16] to increase the computational efficiency of the signature scheme. Due to the way our scheme is constructed, in the security proof, we rely on rejected Module-LWE, which is a non-standard security assumption, and it is not used in this work [16].

2. Related Work

In 2020, NIST announced fifteen third-round candidates for the PQC competition, of which seven were selected as finalists and eight were selected as alternate candidates [17]. The finalists in the digital signature category were Crystals-Dilithium [18], Falcon [19], and Rainbow [20]. Crystals-Dilithium and Falcon are both lattice-based signature schemes. Falcon has better performance, signature, and key sizes; however, its implementation is more complex, as it requires sampling from the Gaussian distribution and it utilises floating-point numbers to implement an optimised polynomial multiplication [19]. The performance of a Crystals-Dilithium signature scheme is slightly slower, and the signature and key sizes are larger than the ones in Falcon; however, the signature scheme itself has a simpler structure [18]. Rainbow is a multivariate signature scheme with fast signing and verifying processes. The size of the Rainbow signature is the shortest among the finalists; however, the public key size is the largest [20].
Due to the interest aroused by the PQC competition, several works were proposed that introduce lattice-based threshold signatures and lattice-based multisignatures. The works [21,22,23,24,25,26] focused on creating multisignatures that followed the FSwA paradigm. These schemes use rejection sampling, due to which the signing process is repeated until a valid signature is created. Additionally, intermediate values produced during the signature generation process need to be kept secret until the rejection sampling has been completed. There are currently no known techniques to prove the security of FSwA signatures if intermediate values are published before the rejection sampling is performed [16]. In multisignatures [21,22,23,24,25], intermediate values are published before the rejection sampling is completed, which leads to incomplete security proofs in these works [16]. The work by M. Fukumitsu and S. Hasegawa [26] solves the problem with aborted executions of the protocol by introducing a non-standard hardness assumption (rejected Module-LWE).
In 2019, D. Cozzo and N. Smart analysed the second round NIST PQC competition signature schemes to determine whether it is possible to create threshold versions of these signature schemes [12]. The authors proposed a possible threshold version for each of the schemes using only generic Multiparty Computation (MPC) techniques, such as linear secret sharing and garbled circuits. As a result, the authors proposed that the most suitable signature scheme is Rainbow, which belongs to the multivariate family. The authors described a threshold version of Crystals-Dilithium, which is estimated to take around 12 s to produce a single signature. The authors explained that the problems with performance arise from the fact that the signature scheme consists of both linear and nonlinear operations and that it is inefficient to switch between these representations using generic MPC techniques. However, the goal of the current work is to focus on the two-party scenario. This means that some of the difficulties in D. Cozzo and N. Smart paper can be avoided.
R. Bendlin, S. Krehbiel, and C. Peikert proposed threshold protocols for generating a hard lattice with trapdoor and sampling from the discrete Gaussian distribution using the trapdoor [27]. These two protocols are the main building blocks for the Gentry–Peikert–Vaikuntanathan (GPV) signature scheme (based on hash-and-sign paradigm), where generating a hard lattice is needed for the key generation and Gaussian sampling is needed for the signing process. M. Kansal and R. Dutta proposed a lattice-based multisignature scheme with a single round signature generation that has key aggregation and signature compression in [28]. The underlying signature scheme follows neither the hash-and-sign nor FSwA paradigms, which are the main techniques used to construct lattice-based signature schemes.
In 2020, I. Damgård, C. Orlandi, A. Takahashi, and M. Tibouchi proposed a lattice-based multisignature and distributed signing protocols that are based on the Dilithium-G signature scheme [16]. Dilithium-G is a version of the Crystals-Dilithium signature that requires sampling from a discrete Gaussian distribution [29]. The work contains complete classical security proofs for the proposed schemes. The work solves the problem with the aborted executions by using commitments such that, in the case of an abort, only commitment is published, the intermediate value itself stays secret. The proposed distributed signature scheme could potentially fit the Smart-ID framework; however, some questions need to be addressed. More precisely, the scheme is based on a modified version of Crystals-Dilithium from the NIST PQC competition project and uses Gaussian sampling. It is known that generating samples from the Gaussian distribution is nontrivial, which means that the insecure implementation may lead to side-channel attacks [30]. The open question is whether it is possible to use a version of the scheme more similar to the one being submitted to the NIST PQC competition.

3. Preliminaries

3.1. Notation

  • Let Z be a ring of all integers. Z q = Z / q Z denotes a ring of residue classes modulo q. Z [ x ] denotes a ring of polynomials in the variable x with integer coefficients.
  • R denotes a quotient ring Z [ x ] / ( x n + 1 ) , where n N and R q denotes a quotient ring Z q [ x ] / ( x n + 1 ) , where n N .
  • Polynomials are denoted in italic lowercase p. p R q is a polynomial of degree bound by n: p = p 0 + p 1 x + + p n 1 x n 1 . It can also be expressed in a vector notation through its coefficients ( p 0 , p 1 , , p n 1 ).
  • Vectors are denoted in bold lowercase v . v R q n is a vector of dimension n: v = ( v 0 , , v n 1 ) , where each element v i is a polynomial in R q .
  • Matrices are denoted in bold uppercase A . A R q n × m is a n × m matrix with elements in R q .
  • For an even positive integer α and for every x Z , define x = x mod ± α , as x in the range α 2 < x α 2 such that x x ( mod α ) . For an odd positive integer α and for every x Z , define x = x mod ± α , as x in the range α 1 2 x α 1 2 such that x x ( mod α ) . For any positive integer α , define x = x mod α , as x in the range 0 x < α such that x x ( mod α ) .
  • For an element p = p 0 + p 1 x + + p n 1 x n 1 R q , its l 2 norm is defined as | | p | | 2 = ( i | p i | 2 ) 1 2 .
  • For an element x Z q , its infinity norm is defined as | | x | | = | x mod ± q | , where | x | denotes the absolute value of the element. For an element p = p 0 + p 1 x + + p n 1 x n 1 R q , | | p | | = max i | | p i | | . Similarly for an element v = ( p 0 , , p n ) R q n , | | v | | = max i | | p i | | .
  • S η denotes a set of all elements p R such that | | p | | η .
  • a A denotes sampling an element uniformly at random from the set A.
  • a χ ( A ) denotes sampling an element from the distribution χ defined over the set A.
  • x denotes mapping x to the least integer greater than or equal to x (e.g., 5.2 = 6 ).
  • The symbol ⊥ is used to indicate a failure or rejection.

3.2. Definitions of Lattice Problems

Definition 1(Decisional Module-LWE ( q , n , m , η , χ )).
Let χ be an error distribution, given a pair ( A , t ) ( R q n × m × R q n ) decide whether it was generated uniformly at random from R q n × m × R q n or it was generated as A R q n × m , ( s 1 , s 2 ) χ ( S η m × S η n ) and t : = As 1 + s 2 .
The advantage of adversary A in breaking decisional Module-LWE for the set of parameters ( q , n , m , η , χ ) can be defined as follows:
Adv ( q , n , m , η , χ ) Dec - MLWE ( A ) : = | Pr [ b = 1 : A R q n × m , ( s 1 , s 2 ) χ ( S η m × S η n ) , t : = As 1 + s 2 , b A ( A , t ) ] Pr [ b = 1 : A R q n × m , t R q n , b A ( A , t ) ] | .
Definition 2(Computational Module-LWE ( q , n , m , η , χ )).
Let χ be an error distribution, given a pair ( A , t ) ( R q n × m × R q n ) , where A R q n × m , ( s 1 , s 2 ) χ ( S η m × S η n ) , and t : = As 1 + s 2 when finding a vector s 1 .
The advantage of adversary A in breaking computational Module-LWE for the set of parameters ( q , n , m , η , χ ) can be defined as follows:
Adv ( q , n , m , η , χ ) Com - MLWE ( A ) : = Pr [ s 1 = s 1 : A R q n × m , ( s 1 , s 2 ) χ ( S η m × S η n ) , t : = As 1 + s 2 , s 1 A ( A , t ) ] .
Definition 3(Module-SIS ( q , n , m , η )).
Given a uniformly random matrix A R q n × m , find a vector x R q n + m such that A | I · x = 0 and 0 < | | x | | η .
The advantage of adversary A in breaking Module-SIS for the set of parameters ( q , n , m , η ) can be defined as follows:
Adv ( q , n , m , η ) MSIS ( A ) : = Pr [ A | I · x = 0   and   0 < | | x | | η : A R q n × m , x A ( A ) ] .
Additionally, we define the rejected Module-LWE assumption adapted from [26].
Definition 4(Rejected Module-LWE  ( q , n , m , γ , χ , β )).
Let χ be an error distribution, and let C be a set of all challenges. Let A R q n × m , s 1 , s 2 χ ( S η m × S η n ) , y 1 , y 2 χ ( S γ 1 m × S γ 1 n ) , and c C . Assume that y 1 + c s 1 γ β or y 2 + c s 2 γ β hold. Given ( A , w , c ) , decide whether w was generated uniformly at random from R q n or it was generated as w = Ay 1 + y 2 .
The advantage of adversary A in breaking the rejected Module-LWE for the set of parameters ( q , n , m , γ , χ , β ) can be defined as follows:
Adv ( q , n , m , γ , χ , β ) R - MLWE ( A ) : = | Game 0 R - MLWE Game 1 R - MLWE | .
Game 0 R - MLWE : = Pr [ b = 1 : A R q n × m , ( s 1 , s 2 ) χ ( S η m × S η n ) , ( y 1 , y 2 ) χ ( S γ 1 m × S γ 1 n ) , c C , w : = Ay 1 + y 2 , b A ( A , w , c ) y 1 + c s 1 γ β or y 2 + c s 2 γ β ]
Game 1 R - MLWE : = Pr [ b = 1 : A R q n × m , ( s 1 , s 2 ) χ ( S η m × S η n ) , ( y 1 , y 2 ) χ ( S γ 1 m × S γ 1 n ) , c C , w R q n , b A ( A , w , c ) y 1 + c s 1 γ β or y 2 + c s 2 γ β ]

3.3. Forking Lemma

The following forking lemma is adapted from [31]. x can be viewed as a public key of the signature scheme, and h 1 , , h q can be viewed as replies to the random oracle queries.
Lemma 1
(General forking lemma).Fix an integer q 1 to be the number of queries. Fix set C of size | C | 2 . Let B be a randomised algorithm that takes as input x , h 1 , , h q , where ( h 1 , , h q ) C , and returns a pair with the first element being index i (integer in the range { 0 , , q } ) and the second element being side output o u t . Let IG be a randomised input generation algorithm. Let the accepted probability of B be denoted as a c c . This is the probability that i 0 in the following experiment:
  • x IG
  • h 1 , , h q C
  • ( i , o u t ) B ( x , h 1 , , h q )
The forking algorithm F B connected with B is defined in Algorithm 1.
Algorithm 1 F B ( x )
1: Pick random coins ρ for B
2: h 1 , , h q C
3: ( i , o u t ) B ( x , h 1 , , h q ; ρ )
4: If i = 0 , then return ( 0 , , )
5: Regenerate h i , , h q C
6: ( i , o u t ) B ( x , h 1 , , h i 1 , h i , , h q ; ρ )
7: If i = i and h i h i , then return ( 1 , o u t , o u t )
8: Otherwise, return ( 0 , , )
Let us define the f r k probability as
f r k = Pr [ b = 1 : x IG ; ( b , o u t , o u t ) F B ( x ) ] .
Then,
f r k a c c · a c c q 1 | C | .
Alternatively,
a c c q | C | + q · f r k .

3.4. Lattice-Based Signature Scheme

Lattice-based cryptography is a promising candidate for the post-quantum public key cryptography standards. Among all of the submissions to the NIST PQC competition, the majority of schemes belong to the lattice-based family [17]. Many lattice-based signatures are constructed from the identification schemes using the Fiat–Shamir (FS) transform. The FS transform technique introduced in [32] allows for creating a digital signature scheme by combining an identification scheme with a hash function.
The following definition is adapted from [13].
Definition 5(Identification scheme).
An identification scheme I D is defined as a tuple of algorithms I D : = ( I G e n , P , C , V ) .
  • The key generation algorithm I G e n takes as input system parameters p a r and returns the public key and secret key as output ( p k , s k ) . Public key p k defines the set of challenges C, the set of commitments W, and the set of responses Z.
  • The prover algorithm P = ( P 1 , P 2 ) consists of two sub-algorithms. P 1 takes as input the secret key and returns a commitment w W and a state s t . P 2 takes as input the secret key, a commitment, a challenge, and a state and returns a response z Z { } .
  • The verifier algorithm V takes as input the public key and the conversation transcript and outputs a decision bit b = 1 (accepted) or b = 0 (rejected).
In the signature scheme that uses FS transform, the signing algorithm generates a transcript ( w , c , z ) , where a challenge c is derived from a commitment w and the message to be signed m as follows c : = H ( w | | m ) . The signature σ = ( w , z ) is valid if the transcript ( w , c , z ) passes the verification algorithm with b = 1 . The publication [33] introduced a generalisation to this technique called Fiat–Shamir, with aborts transformation that takes into consideration aborting provers.
The following signature scheme (further referred to as the basic scheme) is a slightly modified version of the scheme [34]; the description below is based on a version described in [13] (Appendix B). The signature scheme makes use of a hash function, which produces a vector of size n with elements in { 1 , 0 , 1 } [18]. The hashing algorithm starts with applying a collision-resistant hash function (e.g., SHAKE-256) to the input to obtain a vector s { 0 , 1 } τ from the first τ bits of the hash function’s output. Then, SampleInBall algorithm (Algorithm 1) is invoked to create a vector c in { 1 , 0 , 1 } n with exactly τ nonzero elements. In each iteration of the for loop, the SampleInBall algorithm generates an element j { 0 , , i } using the output of a collision-resistant hash function. Then, the algorithm performs shuffling of the elements in the vector c and takes an element from the vector s to generate 1 or 1. For an in-depth overview of the algorithm, refer to the original paper [18].
Algorithm 2 SampleInBall.
1: Initialise c as zero vector of length n
2: for i : = n τ to n 1
  1: j { 0 , 1 , , i }
  2. s { 0 , 1 }
  3. c i : = c j
  4. c j : = ( 1 ) s
3: return c
All of the algebraic operations in the signature scheme are performed over the ring R q . A formal definition of the key generation, signing, and verification is presented in Algorithms 3–5.
Algorithm 3 KeyGen( p a r ).
1: A R q k × k
2: s 1 , s 2 S η k
3: t : = As 1 + s 2
4: return p k = ( A , t ) , s k = ( A , t , s 1 , s 2 )
Algorithm 4 Sign( s k , m ).
1: ( z 1 , z 2 ) = ( , )
2: while ( z 1 , z 2 ) = ( , ) do:
  1: y 1 , y 2 S γ 1 1 k
  2. w : = Ay 1 + y 2
  3. c : = H 0 ( m | | w ) B τ
  4. z 1 : = y 1 + c s 1 and z 2 : = y 2 + c s 2
  5. if | | z 1 | | γ 1 β or | | z 2 | | γ 1 β , then ( z 1 , z 2 ) : = ( , )
3: return σ = ( z 1 , z 2 , c )
Algorithm 5 Verify( p k , m , σ ).
1:
w : = Az 1 + z 2 c t
2:
if c = H 0 ( m | | w ) and | | z 1 | | < γ 1 β and | | z 2 | | < γ 1 β , return 1 (success).
3:
else: return 0.

Correctness

Since w = Ay 1 + y 2 , t = As 1 + s 2 , z 1 = y 1 + c s 1 . and z 2 = y 2 + c s 2 , it holds that
Az 1 + z 2 c t = A ( y 1 + c s 1 ) + ( y 2 + c s 2 ) c ( As 1 + s 2 ) = Ay 1 + A c s 1 + y 2 + c s 2 c As 1 c s 2 = Ay 1 + y 2 .
Therefore, if a signature was generated correctly, it will successfully pass the verification.

3.5. Homomorphic Hash Function

We decided to use a homomorphic hash function instead of a homomorphic commitment scheme as in [16].
Definition 6(Homomorphic hash function).
Let + be an operation defined over X, and let ⊕ be an operation defined over R. Let x 1 , x 2 X be any two inputs to the hash function. A hash function f : X R is homomorphic if it holds that
f ( x 1 + x 2 ) = f ( x 1 ) f ( x 2 ) .
Definition 7(Regular hash function).
Let F = { f a } a A , where f a : X R be a collection of functions indexed by a set A. A family of hash functions F is called ϵ-regular if the statistical distance between its output distribution { ( a , f a ( x ) ) : a A , x X } and the uniform distribution { ( a , r ) : a A , r R } is at most ϵ.
One of the homomorphic hash functions available is called SWIFFT; it is a special case of the function proposed in [35,36,37]. SWIFFT is a collection of compression functions that are provably one-way and collision-resistant [38]. Additionally, SWIFFT has several statistical properties that can be proven unconditionally: universal hashing, regularity, and randomness extraction. However, due to the linearity, SWIFFT functions are not pseudorandom. It follows that the function is not a suitable instantiation of a random oracle [38]. Therefore, in the security proofs of the two-party signature scheme, SWIFFT is not used as a random oracle. Security proof makes use of such provable properties as regularity and collision resistance.

4. Proposed Two-Party Signature Scheme (DiLizium)

In the following section, we define and give detailed description of our two-party signature scheme: DiLizium. We start by defining the distributed signature scheme; the following definition is adapted from [16].
Definition 8(Distributed signature protocol).
Distributed signature protocol is a protocol between P 1 , , P n parties that consists of the following algorithms:
  • Generate public parameters p a r using security parameter λ as input: p a r Setup( 1 λ ).
  • Each party P j generates a key pair consisting of secret key share and a public key using interactive algorithm and public parameters as input: ( s k j , p k ) KeyGen j ( p a r ) for each j { 1 , , n } .
  • To sign a message m, each party P j runs an interactive signing algorithm using secret key share: ( σ ) Sign j ( s k j , m ) for each j { 1 , , n } .
  • To verify a signature, the verifier needs to check if Verify( p k , m , σ ) = 1. If the signature was generated correctly, verification should always succeed.

4.1. Specification and Overview of DiLizium Signature Scheme

Table 1 describes the parameters used in the two-party signature scheme.

4.1.1. Parameter Setup

Let us assume that, before starting the key generation and signing protocols, the parties invoke a Setup( 1 λ ) function that, based on the security parameter λ , outputs a set of public parameters p a r that are described in Table 1.

4.1.2. Key Generation

H 1 and H 2 are some collision-resistant hash functions. The key generation protocol is parametrised by the set of public parameters p a r . The client begins the key generation process by sampling a share of matrix A c and by sending out the commitment to this share h k c = H 1 ( A c ) . The server generates its matrix share A s and sends commitment h k s to the client. Upon receiving commitments, the client and server exchange matrix shares and check if the openings for the commitments were correct. If openings are successfully verified, the client and server locally compute composed matrix A = A c + A s .
The client proceeds by generating two secret vectors ( s 1 c , s 2 c ) and by computing its share of the public key t c = As 1 c + s 2 c . The client sends out a commitment to the public key share c o m k c = H 2 ( t c ) . The server samples its secret vectors ( s 1 s , s 2 s ) and uses them to compute its public key share t s . Next, the server sends commitment to the public key share c o m k s to the client.
Once the client and server have received commitments from each other, the client and server exchange public key shares. Next, the client and server both locally check if the commitments were opened correctly. If these checks succeed, the client and server locally compute the composed public key t = t c + t s . The final public key consists of composed matrix A and vector t .
It is necessary to include the server’s public key share t s to the client’s secret key s k c and vice versa. During the signing process, the client needs to use the server’s public key share to verify the correctness of a commitment.
Protocol 1 describes two-party key generation between the parties in a more formal way. Instructions of the protocol are the same for the client and server. Therefore, Protocol 1 presents the behavior of the nth party, n { c , s } .

4.1.3. Signing

H o m H is a homomorphic hash function from the SWIFFT family. H 0 is a hash function that outputs a vector of length n with exactly τ coefficients being either 1 or 1 and the rest being 0 as described in Algorithm 2. H 3 is a collision-resistant hash function.
The client starts the signing process by generating its shares of masking vectors ( y 1 c , y 2 c ) and by computing a share of w . Next, the client uses a homomorphic hash function to compute c o m c = H o m H ( w c ) and hashes it using some collision-resistant hash function h c = H 3 ( c o m c ) . The composed output of the homomorphic hash function c o m = c o m c + c o m s is later used to derive a challenge. Therefore, it is crucial to ensure that c o m c , c o m s have not been chosen maliciously. Thus, before publishing these shares, the client and server should exchange commitments to the shares h c , h s .
The server, in turn, generates its shares of masking vectors ( y 1 s , y 2 s ), computes its share of w , and sends commitment to c o m s = H o m H ( w s ) . After receiving commitments h c , h s from each other, the client and server open the commitments by sending out shares c o m s , c o m c .
The client proceeds by checking if the server opened its commitment correctly. If the check succeeds, the client computes c o m = c o m c + c o m s and derives challenge c = H 0 ( m | | c o m ) . Next, the client computes potential signature shares ( z 1 c , z 2 c ) and performs rejection sampling. If all of the conditions in rejection sampling are satisfied, the client sends its signature share to the server.
The server checks if the client opened its commitment correctly. If the check succeeds, the server computes composed c o m and derives challenge c. Next, the server computes its potential signature shares ( z 1 s , z 2 s ) and performs rejection sampling. If all of the conditions in rejection sampling are satisfied, the server sends its signature share to the client.
Finally, the client performs verification if c o m s indeed contains w s . The client reconstructs w s as Az 1 s + z 2 s c t s and checks if it is a valid opening for c o m s . If the check succeeds, the client computes the final signature ( z 1 , z 2 ) . The server performs the same verification that c o m c indeed contains w c using ( z 1 c , z 2 c ) and t c . If the check succeeds, the server computes and outputs the final signature.
Protocol 2 describes the two-party signing process in the more formal way.

4.1.4. Verification

Verification is almost the same as in the original scheme except the verifier needs to apply homomorphic hash function on the reconstructed w in order to check the correctness of challenge. Algorithm 6 describes verification in the more formal way.

4.1.5. Correctness

Since w = Ay 1 + y 2 , t = As 1 + s 2 , z 1 = y 1 + c s 1 and z 2 = y 2 + c s 2 it holds that:
Az 1 + z 2 c t = A ( y 1 + c s 1 ) + ( y 2 + c s 2 ) c ( As 1 + s 2 ) = Ay 1 + A c s 1 + y 2 + c s 2 c As 1 c s 2 = Ay 1 + y 2 .
Furthermore, by triangle inequality, it holds that if | | z 1 s | | < γ β and | | z 1 c | | < γ β , then | | z 1 | | = | | z 1 s + z 1 c | | < | | z 1 s | | + | | z 1 c | | = 2 γ 2 β . The same holds for the second signature component z 2 . This means that γ 2 can be defined as γ 2 = 2 γ and β 2 = 2 β . Therefore, if a signature was generated correctly, verification always succeed.
Entropy 23 00989 i001
Entropy 23 00989 i002
Algorithm 6 Verify( p k , σ , m )
1: Compute w : = Az 1 + z 2 c t .
2: if c = H( m | | H o m H ( w ) ) and | | z 1 | | < γ 2 β 2 and | | z 2 | | < γ 2 β 2 : return 1 (success).
3: else: return 0.
Security
Definition 9 (Existential Unforgeability under Chosen Message Attack).
The distributed signature protocol is Existentially Unforgeable under Chosen Message Attack (DS-UF-CMA) if, for any probabilistic polynomial time adversary A , its advantage of creating successful signature forgery is negligible. The advantage of adversary is defined as the probability of winning in the experiment Exp DS - UF - CMA :
Adv DS - UF - CMA ( A ) : = Pr [ Exp DS - UF - CMA ( A ) 1 ] .
Entropy 23 00989 i003
Entropy 23 00989 i004
Entropy 23 00989 i005
Theorem 1.
Assume a homomorphic hash function H o m H : { 0 , 1 } a · b Z p b is provably collision-resistant and ϵ-regular then for any probabilistic polynomial time adversary A that makes a single query to the key generation oracle; q s queries to the signing oracle; and q h queries to the random oracles H 0 , H 1 , H 2 , and H 3 , the distributed signature protocol is DS-UF-CMA secure in the random oracle model under Module-LWE, rejected Module-LWE, and Module-SIS assumptions.
This section presents the main idea for the security proof of the proposed scheme; the full proof is given in Appendix A. The proof considers only the classical adversary and relies on the forking lemma. The idea of the proof is, given an adversary A that succeeds in creating forgeries for the distributed signature protocol, to construct an algorithm around it that can be used to solve Module-SIS problem or to break the collision resistance of the homomorphic hash function. The idea of our proof relies on the proofs from [7,16,31,39].
The proof consists of two major steps. In the first step, we construct a simulator B . Algorithm B is constructed such that it fits all of the assumptions of the forking lemma. B simulates the behavior of a single honest party P n without using its actual secret key share. In the second step, the forking algorithm is invoked to obtain two forgeries with distinct challenges and the same commitments.

4.1.6. Simulation

In the key-generation process, we need to simulate the way the matrix share A n and the public vector share t n are constructed. Due to the use of random oracle commitments, once the simulator obtains the adversary’s commitment h k i , it can extract the matrix share A i . Next, the simulator computes its matrix share A n : = A A i using a resulting random matrix A R q k × k and programs random oracle H 1 ( A n ) : = h k n .
Due to the Module-LWE assumption, the public vector share of the honest party t n is indistinguishable from the uniformly random vector sampled from the ring R q k . Using the same strategy as that for the matrix share, the simulator sets it public vector share t n : = t t i after seeing the adversary’s commitment and programs the random oracle H 2 ( t n ) : = c o m k n .
The signature share generation starts with choosing a random challenge c C from the set of all possible challenges. Then, the simulator proceeds with randomly sampling two signature shares from the set of all possible signature shares z 1 n , z 2 n S γ β 1 k . The share of vector w is computed from the signature shares, public vector share, and challenge as w n = Az 1 n + z 2 n c t n . Then, the simulator extracts value c o m i from the adversary’s commitment h i , computes the composed value c o m , and programs random oracle H 0 ( c o m | | m ) : = c .

4.1.7. Forking Lemma

The combined public key consists of matrix A uniformly distributed in R q k × k and vector t uniformly distributed in R q k . We want to replace it with the Module-SIS instance A | I , where A R q k × ( k + 1 ) . The view of adversary does not change if we set A = A | t .
In order to conclude the proof, we need to invoke the forking lemma to receive two valid forgeries from the adversary that are constructed using the same commitment c o m = c o m but different challenges c c . Using these forgeries, it is possible to find a solution to the Module-SIS problem on input A = A | t or to break the collision resistance of the homomorphic hash function.
As both forgeries o u t = ( c o m , c , z 1 , z 2 , m ) and o u t = ( c o m , c , z 1 , z 2 , m ) are valid, it holds that
H o m H ( Az 1 + z 2 c t ) = c o m = c o m = H o m H ( Az 1 + z 2 c t )
If Az 1 + z 2 c t Az 1 + z 2 c t , then we found a collision for the homomorphic hash function. If Az 1 + z 2 c t = Az 1 + z 2 c t , then it can be rearranged as Az 1 Az 1 + z 2 z 2 c t + c t = 0 and this in turn leads to
A | I | t z 1 z 1 z 2 z 2 c c = 0
Considering that A | I | t is an instance of Module-SIS problem, we found a solution for Module-SIS with parameters ( q , k , k + 1 , ξ ) , where ξ 2 ( γ 2 β 2 ) .

5. Performance

In this section, we analyse the performance of our scheme according to the following metrics:
  • Number of communication rounds in key generation and signing protocols,
  • Keys and signature sizes, and
  • Number of rejection sampling rounds.
It should be noted that this section does not present the exact parameter choice for the scheme and does not argue the bit security of the scheme for these parameters. The parameter choice presented in this section is illustrative and is given to provide performance estimations of the proposed scheme. Choosing correct parameters for post-quantum schemes is a nontrivial multidimensional optimisation task as parameters should be chosen such that the scheme has the small signature and key sizes while having enough bits of security and an optimal number of communication rounds. Additionally, the security of the proposed scheme relies on rejected Module-LWE, which is not a well-studied assumption, and therefore, it is difficult to estimate the bit security of the proposed scheme. The parameters presented in Table 2 are chosen based on parameters proposed in Crystals-Dilithium [18] so that the expected number of repetitions of the signing process is practical.

5.1. Number of Rejection Sampling Rounds

To estimate the number of rejection sampling rounds in the signing process, it is necessary to compute the probability that the following holds for both parties: | | z 1 n | | < γ β and | | z 2 n | | < γ β . Let σ be a coefficient of c s i n . If coefficients of y i n are in the range { γ + β + 1 σ , , γ β 1 σ } , then the corresponding coefficients of z i n are in the range { γ + β + 1 , , γ β 1 } . Therefore, the size of the correct coefficient range for y i n is 2 ( γ β ) 1 and the coefficients of y i n have 2 γ 1 possibilities. Then, the probability that every coefficient of y i n in the correct range is as follows:
2 ( γ β ) 1 2 γ 1 n · k
As the client and server sample vectors y i n independently in the beginning of the signing protocol, the probability that the check succeeds for both signature components on the client and server side is the following:
Pr [ success ] = 2 ( γ β ) 1 2 γ 1 n · k · 4
The expected number of repetitions can be estimated as E = 1 / Pr [ success ] .

5.2. Signature and Key Sizes

The public key consists of two components: matrix A R q k × k and vector t R q k . The matrix A can be generated out of 256-bit seed using an extendable output function, as proposed in the Crystals-Dilithium signature scheme [18]. While using this approach, only the seed used to generate the matrix needs to be stored. As both parties need to generate their matrix share, two seeds should be stored to represent matrix A . Each seed is converted to the matrix form using an extendable output function; after that, two matrix shares can be added together. The size of the public key in bytes is as follows:
2 · 256 + n · k · log ( q ) 8 .
The secret key of the party P n consists of two vectors s 1 n , s 2 n S η k , matrix A , and vector t i R q k . It should be noted that vectors s 1 n , s 2 n may contain negative values as well, so one bit should be reserved for each coefficient to indicate the sign. Therefore, the size of the secret key in bytes can be computed as follows:
2 · n · k · ( log ( η ) + 1 ) + 2 · 256 + n · k · log ( q ) 8 = n · k · ( 2 · ( log ( η ) + 1 ) + log ( q ) ) + 2 · 256 8 .
Finally, a signature consists of three components: z 1 , z 2 S γ 2 β 2 1 k , and c { 0 , 1 } n with exactly τ coefficients being either 1 or 1 and the rest being 0. All of the components may contain negative values, so for each coefficient of z 1 , z 2 , c one bit should be reserved to indicate the sign. With regard to storing c, it is possible to store only the positions of 1 and 1 in c. Therefore, the size of the signature in bytes can be computed as
2 · n · k · ( log ( γ 2 β 2 1 ) + 1 ) + τ · ( log ( n ) + 1 ) 8 .
In order to better understand key and signature sizes, let us assume the choice of parameters defined in Table 2. The key and signature sizes corresponding to this choice of parameters are listed in Table 3.

5.3. Communication between Client and Server

In order to generate a key pair, four rounds of communication between the client and server are needed. Table 4 shows the sizes of messages that are exchanged between the client and server during the key generation process using illustrative parameters from Table 2. The first message is output of a hash function (commitment to matrix A i ), which consists of 256 bits. The second message contains not the matrix share itself but the seed of 256 bits that was use to generate it. The third message is output of a hash function (commitment to vector t i ), which consists of 256 bits. The fourth message is the share of public key t i , the size of which is n · k · log ( q ) 8 bytes.
The number of communication rounds during the signing process depends on the number of rejections E. If there are no rejections, the signature generation process requires three rounds of communication between the client and server. For E rejections, the number of communication rounds equals to 2 E + 1 . Table 5 shows the sizes of messages exchanged between the client and server during the signing process using illustrative parameters from Table 2. The first message is output of a hash function (commitment to c o m i ), which consists of 256 bits. The size of the second message in the signing process c o m i is caused by the structure of SWIFFT hash function. To calculate H o m H ( w i ) , the vector w i that consists of n k elements is divided into 15 input blocks of 256 bytes each. The output produced by the homomorphic hash function consists of 15 blocks of 128 bytes each. The third message consists of the signature shares ( z 1 i , z 2 i ) , the size of which is 2 · n · k · ( log ( γ 2 β 2 1 ) + 1 ) 8  bytes.

6. Comparison to Prior Work

Table 6 presents the comparison of our scheme DiLizium with other lattice-based threshold signature schemes [16,27,40]. Column “Rounds” shows the number of communication rounds in signing protocol; for the schemes with rejection sampling, it is assumed that the rejection sample passes from the first attempt. We also provide a more detailed comparison with [16], due to the fact both works are based on variants of Crystals-Dilithium and have a similar structure. We leave out the comparison with publications [21,22,23,24,25,26] as these discuss multisignatures instead of threshold.
The threshold signature schemes from [16] are based on Dilithium-G, which is a version of Crystals-Dilithium that uses sampling from a discrete Gaussian distribution for the generation of secret vectors. The usage of Gaussian distribution helps to decrease the number of rejections in signature schemes that follow the FSwA paradigm [16]. However, the implementation of sampling from a discrete Gaussian distribution in a manner secure against side-channel attacks is considered difficult. Therefore, in our scheme, we decided to use sampling from a uniform distribution.
Due to the structure of our scheme, we use a non-standard security assumption that was introduced in [26]. In future work, we aim to modify security proof such that it will no longer be needed to rely on rejected Module-LWE. The security of threshold signature scheme from [16] relies only on standard problem: Module-LWE and Module-SIS.
Additionally, we compare the message sizes of Dåmgard et al. [16] D S 3 with our scheme. Since this paper [16] does not provide an instantiation of parameters, we use the recommended parameters for Dilithium-G from [29] for the signature scheme. We only changed the modulus q, since by Theorem 4 [16], q should satisfy q = 5 mod 8 . We selected parameters for the homomorphic commitment scheme based on the third parameter set from Baum et al. [42] (Table 2) such that the conditions from Lemma 5 and Lemma 7 are satisfied. Table 7 and Table 8 present parameters that are needed to compute message sizes. We only provide a comparison of messages sent during the signing process because messages exchanged during the key generation process are similar in both schemes (Table 9).
The first message is the output of a hash function (commitment to c o m n ), which consists of 256 bits. The second message is a commitment c o m n . The homomorphic commitment scheme defined in Dåmgard et al. [16] (Figure 7) describes a commitment to a single ring element w R q . In order to commit to a vector w R q k , it is proposed to commit to each vector element separately. Therefore, the byte size of the second message can be computed as k s i g · N · ( m + k c o m ) · log ( q c o m ) 8 . The third message consists of a signature share z n and an opening for the commitment r n . We know that, for a valid signature share, it holds that | | z n | | 2 B s i g and we know that | | x | | | | x | | 2 . The signature share may contain negative values, so for each coefficient of z n , one bit should be reserved to indicate the sign. Therefore, the approximate byte size of the signature share is n · ( l + k s i g ) · ( log ( B s i g ) + 1 ) 8 . For a valid opening, it holds that | | r n | | 2 B c o m . The value r n also may contain negative values, so for each coefficient of r n , one bit should be reserved to indicate the sign. The approximate byte size of the commitment opening is k s i g · N · m · ( log ( B c o m ) + 1 ) 8 .
From Table 9, we can see that the size of the second and the third messages in Dåmgard et al.’s D S 3 scheme is much larger than that in DiLizium. The reason is that scheme D S 3 Dåmgard et al. uses lattice-based homomorphic commitments. For the signature scheme to be secure, it was required to have statistical binding. Parameters that guarantee statistical binding are not very practical; however, there may exist optimal parameter choice.
Currently, it is not possible to provide a more detailed comparison of the efficiency of these schemes. The main reason is that neither of the works have a reference implementation yet. Therefore, we leave the implementation of the proposed scheme and a detailed comparison for future research.

7. Conclusions

Nowadays, threshold signature schemes have a variety of practical applications. There are several efficient threshold versions of the RSA and (EC)DSA signature schemes that are used in practice. However, threshold instantiations of post-quantum signature schemes are less researched. Previous researches have demonstrated that creating threshold post-quantum signatures is a highly non-trivial task. Some of the proposed schemes yield inefficient implementation, while others have incomplete security proofs.
In this work, we presented a new lattice-based two-party signature scheme: DiLizium. Our construction uses the SWIFFT homomorphic hash function to compute commitment in the signing process. We provide security proof for our scheme in the classical random oracle model under the Module-LWE, rejected Module-LWE, and Module-SIS assumptions. The proposed scheme can potentially substitute distributed RSA and ECDSA signature schemes in authentication applications such as Smart-ID [11]. This would allow for using these applications even in the quantum computing era.
Compared with the scheme proposed in [16], this work does not use sampling from the discrete Gaussian distribution and does not use a lattice-based homomorphic commitment scheme. In the key generation and signing processes, our scheme uses uniform sampling, which facilitates secure implementations in the future.
The security proof of the proposed scheme is based on non-standard security assumption: rejected Module-LWE. Removing this assumption from the security proof is an important part of future work. Furthermore, the concept of homomorphic hash functions is new and has not been properly studied yet. We aim to research the properties and usage of homomorphic hash functions more deeply in future work. The implementation of the proposed scheme and the exact choice of parameters for this implementation is left for future research, which may also involve optimisation of the size of keys and signature, and security proof against the quantum adversary.

Author Contributions

Conceptualisation, J.V.; formal analysis and scheme design, J.V. and N.S.; security proof, J.V.; performance analysis, J.V. and N.S.; writing—original draft preparation, J.V. and N.S.; writing—review and editing, J.V., N.S. and J.W.; visualisation, J.V.; supervision, J.W.; project administration, J.W.; funding acquisition, J.W. All authors have read and agreed to the published version of the manuscript.

Funding

This paper has been supported by the Estonian Personal Research grant number 920 and European Regional Development Fund through the grant number EU48684.

Acknowledgments

The authors are grateful to Ahto Buldas and Alisa Pankova for their support throughout the process of research.

Conflicts of Interest

The authors declare no conflict of interest.

Abbreviations

The following abbreviations are used in this manuscript:
RSARivest–Shamir–Adleman cryptosystem
DSADigital Signature Algorithm
ECDSAElliptic Curve Digital Signature Algorithm
NISTNational Institute of Standards and Technology
PQCPost-Quantum Cryptography
QSCDQualified Electronic Signature Creation Device
LWELearning with Errors
SISShort Integer Solution
FSwAFiat–Shamir with Aborts
MPCMultiparty Computation
GPVGentry–Peikert–Vaikuntanathan
FSFiat-Shamir
SHAKESecure Hash Algorithm and KECCAK
DS-UF-CMADistributed Signature Unforgeability Against Chosen Message Attacks
naHVZKno-abort Honest-Verifier Zero-Knowledge

Appendix A. Full Security Proof

This section presents detailed security proof for the two-party signature scheme.
Definition A1(no-abort Honest-Verifier Zero-Knowledge).
An identification scheme is said to be ϵ Z K -naHVZK if there exists a probabilistic expected polynomial-time algorithm S i m that is given only the public key p k and that outputs ( w , c , z ) such that the following holds:
  • The distribution of the simulated transcript produced by S i m ( ( w , c , z ) S i m ( p k ) ) has a statistical distance at most ϵ Z K from the real transcript produced by the transcript algorithm ( w , c , z ) T r a n s ( s k ) .
  • The distribution of c from the output ( w , c , z ) S i m ( p k ) conditioned on c is uniformly random over the set C.
Theorem A1.
Assume a homomorphic hash function H o m H : { 0 , 1 } a · b Z p b is provably collision-resistant and ϵ-regular; then for any probabilistic polynomial time adversary A that makes a single query to the key generation oracle, q s queries to the signing oracle, and q h queries to the random oracles H 0 , H 1 , H 2 , H 3 , the distributed signature protocol is DS-UF-CMA secure in the random oracle model under Module-LWE, rejected Module-LWE, and Module-SIS assumptions.
Proof. 
Given an adversary A that succeeds in breaking the distributed signature protocol with advantage Adv DS - UF - CMA ( A ) , a simulator B is constructed. B simulates the behaviour of the single honest party without using honestly generated secret keys for the computation. Algorithm B is constructed such that it fits all the assumptions of the forking lemma. By the definition of forking algorithm, it was required that B is given a public key and a random oracle query replies as input. B simulates the behaviour of the honest party P n , and the party P i is corrupted by the adversary. The algorithm B is defined in Algorithm A1.
Algorithm A1 B ( p k , h 1 , , h q h + q s + 1 ).
1: Create empty hash tables H T i for i { 0 , , 3 } .
2: Create a set of queried messages M = .
3: Simulate the honest party oracle as follows:
  • Upon receiving a query from A of the form ( s i d , m s g ) , reply to the query as described in S i m O K e y G e n (Oracle A1) and S i m O S i g n (Oracle A2).
  • If one of the oracles terminates with output of the form ( 0 , ) , then B also terminates with the same output ( 0 , ) .
4: Simulate random oracles as follows:
  • Upon receiving a query from A to the random oracle, reply to the query as described in Algorithm A2.
5: Upon receiving a forgery σ = ( z 1 , z 2 , c ) on message m from A :
  • If m M , then B terminates with output ( 0 , ) .
  • Compute c o m : = H o m H ( Az 1 + z 2 c t ) .
  • Make query c H 0 ( m | | c o m ) .
  • If c c or | | z 1 | | γ 2 β 2 or | | z 2 | | γ 2 β 2 , then B terminates with output ( 0 , ) .
  • Find index i f [ q h + q s + 1 ] such that c = h i f . B terminates with the output ( i f , o u t = ( c o m , c , z 1 , z 2 , m ) )
Entropy 23 00989 i006
Entropy 23 00989 i007

Appendix A.1. Random Oracle Simulation

There are several random oracles that need to be simulated:
  • H 0 : { 0 , 1 } * C
    [C is a set of all vectors in { 1 , 0 , 1 } n with exactly τ nonzero elements]
  • H 1 : { 0 , 1 } * { 0 , 1 } l 1
  • H 2 : { 0 , 1 } * { 0 , 1 } l 2
  • H 3 : { 0 , 1 } * { 0 , 1 } l 3
All of the random oracles are simulated as described in Algorithm A2. Additionally, there is a searchHash( H T , h ) algorithm for searching entries from the hash table defined in Algorithm A3.
Algorithm A2 H i ( x ) .
H T i is a hash table that is initially empty.
1: On a query x, return element H T i [ x ] if it was previously defined.
2: Otherwise, sample output y uniformly at random from the range of H i and return H T i [ x ] : = y
Algorithm A3 searchHash( H T , h )
1: For value h, find its preimage m in the hash table such that H T [ m ] = h .
2: If preimage of value h does not exist, set flag a l e r t and set preimage m = .
3: If for value h more than one preimage exists in hash table H T , set flag b a d .
4: Output: ( m , a l e r t , b a d )
Simulators for the key generation and signing processes were constructed using several intermediate games. The goal was to remove the usage of the actual secret key share of the party P n from both processes. Let Pr[ G i ] denote the probability that B does not output (0,⊥) in the game G i . This means that the adversary must have created a valid forgery (as defined in Algorithm A1). Then, Pr[ G 0 ] = Adv DS - UF - CMA ( A ) . In Game 0, B simulates the honest party behaviour using the same instructions as in the original KeyGen n ( p a r ) and Sign n ( s k n , m ) protocols.

Appendix A.2. Game 1

In Game 1, only signing process ics changed with respect to the previous game. The simulator for the signing process in Game 1 is described in Algorithm A4. Challenge c is now sampled uniformly at random, and the signature shares are computed without communicating with the adversary. Changes with respect to the previous game are highlighted.
Algorithm A4 S i m S i g n ( s k n , p k , m ) .
1: c C .
2: y 1 n , y 2 n S γ 1 k .
3: w n : = Ay 1 n + y 2 n .
4: z 1 n : = y 1 n + c s 1 n and z 2 n : = y 2 n + c s 2 n .
5: c o m n H o m H ( w n ) , send out h n H 3 ( c o m n ) .
6: Upon receiving h i , search for ( c o m i , a l e r t , b a d 7 ) searchHash ( H T 3 , h i ) .
7: If the flag b a d 7 is set, then simulation fails with output ( 0 , ) .
If the flag a l e r t is set, then send out c o m n .
8: c o m : = c o m n + c o m i .
9: Program random oracle H 0 to respond queries ( m | | c o m ) with c.
Set H T 0 [ ( m | | c o m ) ] : = c . If H T 0 [ ( m | | c o m ) ] has been already set, set flag b a d 8 and the simulation fails with output ( 0 , ) .
10: Send out c o m n . Upon receiving c o m i :
  • if H 3 ( c o m i ) h i : send out ABORT.
  • if the flag a l e r t is set and H 3 ( c o m i ) = h i : set the flag b a d 9 and the simulation fails with output ( 0 , ) .
11: Otherwise, run rejection sampling, if it did not pass: send out RESTART and go to the step 1.
12: Otherwise, send out ( z 1 n , z 2 n ) . Upon receiving RESTART, go to step 1.
13: Upon receiving ( z 1 i , z 2 i ) , reconstruct w i : = Az 1 i + z 2 i c t i and check that H o m H ( w i ) = c o m i , if not: send out ABORT.
14: Otherwise, set z 1 : = z 1 n + z 1 i , z 2 : = z 2 n + z 2 i and output composed signature σ : = ( z 1 , z 2 , c ) .
Game 0 → Game 1:
The difference between Game 0 and Game 1 can be expressed using the b a d events that can happen with the following probabilities:
  • Pr[ b a d 7 ] is the probability that at least one collision occurs during at most q h + 2 q s queries to the random oracle H 3 made by adversary or simulator. This means that two values c o m j c o m j were found such that H T 3 [ c o m j ] = H T 3 [ c o m j ] . As all of the responses of H 3 are chosen uniformly at random from { 0 , 1 } l 3 and there are at most q h + 2 q s queries to the random oracle H 3 , the probability of at least one collision occurring can be expressed as ( q h + 2 q s ) ( q h + 2 q s + 1 ) / 2 2 l 3 ( q h + 2 q s + 1 ) 2 2 l 3 + 1 , where l 3 is the length of H 3 output.
  • Pr[ b a d 8 ] is the probability that programming random oracle H 0 fails at least once during q s queries. This event can happen in the following two cases: H 3 ( c o m n ) was previously queried by the adversary or it was not queried by the adversary:
    -
    Case 1: H 3 ( c o m n ) has been already asked by adversary during at most q h + 2 q s queries to H 3 . This means that the adversary knows c o m and may have queried H 0 ( m | | c o m ) before. This event corresponds to guessing the value of c o m n .
    Let the uniform distribution over Z p b be denoted as X and the distribution of H o m H output be denoted as Y. As H o m H is ϵ -regular (for some negligibly small ϵ ), it holds that SD ( X , Y ) ϵ . Then, for any subset T of Z p b , by definition of statistical distance, it holds that Pr [ X T ] Pr [ Y T ] + ϵ . Therefore, for a uniform distribution X, the probability of guessing Y by T is bounded by 1 | Z p b | + ϵ .
    Since c o m n was produced by B in the beginning of the signing protocol completely independently from A , the probability that A queried H 3 ( c o m n ) is at most 1 | Z p b | + ϵ for each query.
    -
    Case 2: H T 0 [ m | | c o m ] has been set by adversary or simulator by chance during at most q h + q s prior queries to the H 0 . Since A has not queried H 3 ( c o m n ) before, adversary does not know c o m n and the view of A is completely independent from c o m . The probability that c o m occurred by chance in one of the previous queries to H 0 is at most q h + q s 1 | Z p b | + ϵ .
  • Pr[ b a d 9 ] is the probability that the adversary predicted at least one of two outputs of the random oracle H 3 without making a query to it. In this case, there is no record in the hash table H T 3 that corresponds to the preimage c o m j . This can happen with probability at most 2 2 l 3 for each signing query.
Therefore, the difference between two games is
| Pr [ G 1 ] Pr [ G 0 ] | Pr [ b a d 7 ] + Pr [ b a d 8 ] + Pr [ b a d 9 ] q h + 2 q s + 1 2 2 l 3 + 1 + q s q h + 2 q s 1 | Z p b | + ϵ + q h + q s 1 | Z p b | + ϵ + 2 2 l 3 = q h + 2 q s + 1 2 2 l 3 + 1 + q s 1 | Z p b | + ϵ · 2 q h + 3 q s + 2 2 l 3 .

Appendix A.3. Game 2

In Game 2, when the signature share gets rejected, simulator commits to a uniformly random vector w n from the ring R q instead of committing to a vector computed as Ay 1 n + y 2 n . The simulator for the signing process in Game 2 is described in Algorithm 5.
Game 1 → Game 2:
The difference between Game 1 and Game 2 can be expressed with the probability that the adversary can distinguish simulated commitment with random w n from the real one when the rejection sampling algorithm does not pass. If the signature shares are rejected, it means that z 1 n γ β or z 2 n γ β .
Let us assume that there exists an adversary D who succeeds in distinguish simulated commitment with random w n from the real one with nonnegligible probability:
Adv ( D ) = Pr [ b = b : A R q k × k , s 1 , s 2 S η 1 k , c C , y 1 , y 2 S γ 1 k , w 0 Ay 1 + y 2 , w 1 R q k , b { 0 , 1 } , h b H o m H ( w b ) , b D ( A , h b , c ) y 1 + c s 1 γ β or y 2 + c s 2 γ β ] .
Then, the adversary D can be used to construct an adversary A R M L W E who solves the rejected Module-LWE for parameters ( q , k , k , γ , U , β ) , where U is the uniform distribution. The adversary A R M L W E is defined in Algorithm A6.
Algorithm A5 S i m S i g n ( s k n , p k , m ) .
1: c C .
2: y 1 n , y 2 n S γ 1 k .
3: z 1 n : = y 1 n + c s 1 n and z 2 n : = y 2 n + c s 2 n .
4: Run rejection sampling; if it does not pass, proceed as follows:
  1. w n R q k .
  2. c o m n H o m H ( w n ) , send out h n H 3 ( c o m n ) .
  3. Upon receiving h i , search for ( c o m i , a l e r t , b a d 7 ) searchHash ( H T 3 , h i ) .
  4. If the flag b a d 7 is set, then simulation fails with output ( 0 , ) . If the flag a l e r t is set, then send out c o m n .
  5. c o m : = c o m n + c o m i .
  6. Program random oracle H 0 to respond queries ( m | | c o m ) with c. Set H T 0 [ ( m | | c o m ) ] : = c . If H T 0 [ ( m | | c o m ) ] has been already set, set flag b a d 8 and the simulation fails with output ( 0 , ) .
  7. Send out c o m n . Upon receiving c o m i :
  • if H 3 ( c o m i ) h i : send out ABORT.
  • if the flag a l e r t is set and H 3 ( c o m i ) = h i : set the flag b a d 9 and the simulation fails with output ( 0 , ) .
  8. Otherwise, send out RESTART and go to step 1.
5: If rejection sampling passes, proceed as follows:
  1. w n : = Ay 1 n + y 2 n .
  2. c o m n H o m H ( w n ) , send out h n H 3 ( c o m n ) .
  3. Upon receiving h i , search for ( c o m i , a l e r t , b a d 7 ) searchHash ( H T 3 , h i ) .
  4. If the flag b a d 7 is set, then simulation fails with output ( 0 , ) . If the flag a l e r t is set, then continue.
  5. c o m : = c o m n + c o m i .
  6. Program random oracle H 0 to respond queries ( m | | c o m ) with c. Set H T 0 [ ( m | | c o m ) ] : = c . If H T 0 [ ( m | | c o m ) ] has been already set, set flag b a d 8 and the simulation fails with output ( 0 , ) .
  7. Send out c o m n .Upon receiving c o m i :
  • if H 3 ( c o m i ) h i : send out ABORT.
  • if the flag a l e r t is set and H 3 ( c o m i ) = h i : set the flag b a d 9 and the simulation fails with output ( 0 , ) .
  8. Otherwise, send out ( z 1 n , z 2 n ) . Upon receiving RESTART, go to step 1.
  9. Upon receiving ( z 1 i , z 2 i ) , reconstruct w i : = Az 1 i + z 2 i c t i and check that H o m H ( w i ) = c o m i , if not: send out ABORT.
  10. Otherwise, set z 1 : = z 1 n + z 1 i , z 2 : = z 2 n + z 2 i and output composed signature σ : = ( z 1 , z 2 , c ) .
Algorithm A6 A R M L W E ( A , w b , c ) .
1: h b H o m H ( w b )
2: b D ( A , h b , c )
3: return b
As a consequence, the difference between the two games is bounded by the following:
| Pr [ G 2 ] Pr [ G 1 ] | q s · Adv q , k , k , γ , U , β R - MLWE

Appendix A.4. Game 3

In Game 3, the simulator does not generate the signature shares honestly and thus does not perform rejection sampling honestly. Rejection sampling is simulated as follows:
  • Rejection case: with probability 1 1 | S γ β 1 k | | S γ 1 k | 2 simulator generates commitment to the random w n as in the previous game.
  • Otherwise, sample signature shares from the set S γ β 1 and compute w n out of it.
The simulator for the signing process in Game 3 is described in Algorithm A7.
Game 2 → Game 3:
The signature shares generated in Algorithm A7 are indistinguishable from the real ones because of the ϵ Z K -naHVZK property of the underlying identification scheme from [13], appendix B. Therefore, the difference between Game 2 and Game 3 can be defined as follows:
| Pr [ G 3 ] Pr [ G 2 ] | ϵ Z K
According to the proof from [13], ϵ Z K = 0 for the underlying identification scheme.
Algorithm A7 S i m S i g n ( t n , p k , m ) .
1: With probability 1 1 | S γ β 1 k | | S γ 1 k | 2 , proceed as follows:
1.
c C .
2.
w n R q k .
3.
c o m n H o m H ( w n ) , send out h n H 3 ( c o m n ) .
4.
Upon receiving h i , search for ( c o m i , a l e r t , b a d 7 ) searchHash ( H T 3 , h i ) .
5.
If the flag b a d 7 is set, then simulation fails with output ( 0 , ) . If the flag a l e r t is set, then send out c o m n .
6.
c o m : = c o m n + c o m i .
7.
Program random oracle H 0 to respond queries ( m | | c o m ) with c. Set H T 0 [ ( m | | c o m ) ] : = c . If H T 0 [ ( m | | c o m ) ] has been already set, set flag b a d 8 and the simulation fails with output ( 0 , ) .
8.
Send out c o m n . Upon receiving c o m i :
  • if H 3 ( c o m i ) h i : send out ABORT.
  • if the flag a l e r t is set and H 3 ( c o m i ) = h i : set the flag b a d 9 and the simulation fails with output ( 0 , ) .
9.
Otherwise, send out RESTART and go to step 1.
2: Otherwise, proceed as follows:
1.
c C .
2.
z 1 n S γ β 1 k and z 2 n S γ β 1 k .
3.
w n : = Az 1 n + z 2 n c t n .
4.
c o m n H o m H ( w n ) , send out h n H 3 ( c o m n ) .
5.
Upon receiving h i , search for ( c o m i , a l e r t , b a d 7 ) searchHash ( H T 3 , h i ) .
6.
If the flag b a d 7 is set, then simulation fails with output ( 0 , ) . If the flag a l e r t is set, then continue.
7.
c o m : = c o m n + c o m i .
8.
Program random oracle H 0 to respond queries ( m | | c o m ) with c. Set H T 0 [ ( m | | c o m ) ] : = c . If H T 0 [ ( m | | c o m ) ] has been already set, set flag b a d 8 and the simulation fails with output ( 0 , ) .
9.
Send out c o m n . Upon receiving c o m i :
  • if H 3 ( c o m i ) h i : send out ABORT.
  • if the flag a l e r t is set and H 3 ( c o m i ) = h i : set the flag b a d 9 and the simulation fails with output ( 0 , ) .
10.
Otherwise, send out ( z 1 n , z 2 n ) . Upon receiving RESTART, go to step 1.
11.
Upon receiving ( z 1 i , z 2 i ) , reconstruct w i : = Az 1 i + z 2 i c t i and check that H o m H ( w i ) = c o m i , if not: send out ABORT.
12.
Otherwise, set z 1 : = z 1 n + z 1 i , z 2 : = z 2 n + z 2 i and output composed signature σ : = ( z 1 , z 2 , c ) .

Appendix A.5. Game 4

Now, the signing process does not rely on the actual secret key share of the honest party P n . In the next games, the key generation process is changed so that it does not use secret keys as well. In this game, the simulator is given a predefined uniformly random matrix A R q k × k , and the simulator defines its own matrix share out of it. By definition, the algorithm B (Algorithm A1) receives a pre-generated public key p k as the input. Therefore, the simulator in Game 4 is given a predefined matrix A , and in the later games, the simulator is changed so that it receives the entire public key and uses it to compute its shares A n , t n . The simulator for the key generation process in Game 4 is described in Algorithm A8.
Algorithm A8 S i m K e y G e n ( p a r , A ).
1: Send out h k n { 0 , 1 } l 1
2: Upon receiving h k i :
  • search for ( A i , a l e r t , b a d 1 ) searchHash ( H T 1 , h k i ) .
  • if the flag b a d 1 is set, then simulation fails with output ( 0 , ) .
  • if the flag a l e r t is set, then sample A n R q k × k .
    Otherwise, define A n : = A A i .
3: Program random oracle H 1 to respond queries A n with h k n . Set H T 1 [ A n ] : = h k n . If H T 1 [ A n ] has been already set, then set the flag b a d 2 and the simulation fails with output ( 0 , ) .
4: Send out A n . Upon receiving A i :
  • if H 1 ( A i ) h k i : send out ABORT.
  • if the flag a l e r t is set and H 1 ( A i ) = h k i : set the flag b a d 3 and the simulation fails with output ( 0 , ) .
5: ( s 1 n , s 2 n ) S η k × S η k .
6: t n : = As 1 n + s 2 n , send out c o m k n : = H 2 ( t n ) .
7: Upon receiving c o m k i , send out t n .
8: Upon receiving t i , check that H 2 ( t i ) = c o m k i . If not: send out ABORT.
9: Otherwise, t : = t n + t i , p k : = ( A , t ) and s k : = ( A , t i , s n , s n ) .
Game 3 → Game 4:
The distribution of public matrix A does not change between Game 3 and Game 4. The difference between Game 3 and Game 4 can be expressed using b a d events that happen with the following probabilities:
  • Pr[ b a d 1 ] is the probability that at least one collision occurs during at most q h queries to the random oracle H 1 made by adversary or simulator. This can happen with probability at most q h ( q h + 1 ) / 2 2 l 1 + 1 , where l 1 is the length of H 1 output.
  • Pr[ b a d 2 ] is the probability that programming random oracle H 1 fails, which happens if H 1 ( A n ) has been previously asked by adversary during at most q h queries to the random oracle H 1 . This event corresponds to guessing random A n , for each query the probability of this event is bounded by 1 q n · k · k .
  • Pr[ b a d 3 ] is the probability that adversary predicted at least one of two outputs of the random oracle H 1 without making a query to it. This can happen with probability at most 2 2 l 1 .
Therefore, the difference between the two games is
| Pr [ G 4 ] Pr [ G 3 ] | Pr [ b a d 1 ] + Pr [ b a d 2 ] + Pr [ b a d 3 ] ( q h + 1 ) q h 2 l 1 + 1 + q h q n · k · k + 2 2 l 1

Appendix A.6. Game 5

In Game 5, the simulator picks public key share t n randomly from the ring instead of computing it using secret keys. The simulator for the key generation process in Game 5 is described in Algorithm A9.
Algorithm A9 S i m K e y G e n ( p a r , A ) .
1: Send out h k n { 0 , 1 } l 1 .
2: Upon receiving h k i :
  • search for ( A i , a l e r t , b a d 1 ) searchHash ( H T 1 , h k i ) .
  • if the flag b a d 1 is set, then simulation fails with output ( 0 , ) .
  • if the flag a l e r t is set, then sample A n R q k × k . Otherwise, define A n : = A A i .
3: Program random oracle H 1 to respond queries A n with h k n . Set H T 1 [ A n ] : = h k n . If H T 1 [ A n ] has been already set, then set the flag b a d 2 and the simulation fails with output ( 0 , ) .
4: Send out A n . Upon receiving A i :
  • if H 1 ( A i ) h k i : send out ABORT.
  • if the flag a l e r t is set and H 1 ( A i ) = h k i : set the flag b a d 3 and the simulation fails with output ( 0 , ) .
5: t n R q k , send out c o m k n = H 2 ( t n ) .
6: Upon receiving c o m k i , send out t n .
7: Upon receiving t i , check that H 2 ( t i ) = c o m k i . If not: send out ABORT.
8: Otherwise, t : = t n + t i , p k : = ( A , t ) .
Game 4 → Game 5:
In Game 5, public key share t n is sampled uniformly at random from R q k instead of computing it as As 1 n + s 2 n , where s 1 n , s 2 n are random elements from S η k . As matrix A follows the uniform distribution over R q k × k , if adversary can distinguish between Game 3 and Game 4, this adversary can be used as a distinguisher that breaks the decisional Module-LWE problem for parameters ( q , k , k , η , U ) , where U is the uniform distribution.
Therefore, the difference between two games is bounded by the advantage of adversary in breaking decisional Module-LWE:
| Pr [ G 5 ] Pr [ G 4 ] | Adv ( q , k , k , η , U ) Dec - MLWE

Appendix A.7. Game 6

In Game 6, the simulator uses as input a random resulting public key t R q k to compute its own share t n . The simulator for the key generation process in Game 6 is described in Algorithm A10.
Game 5 → Game 6:
The distributions of t , t n do not change with respect to Game 5. The difference between Game 5 and Game 6 can be expressed using b a d events that happen with the following probabilities:
  • Pr[ b a d 4 ] is the probability that at least one collision occurs during at most q h queries to the random oracle H 2 made by adversary or simulator. This can happen with probability at most q h ( q h + 1 ) / 2 2 l 2 + 1 , where l 2 is the length of H 2 output.
  • Pr[ b a d 5 ] is the probability that programming random oracle H 2 fails, which happens if H 2 ( t n ) was previously asked by adversary during at most q h queries to the random oracle H 2 . This event corresponds to guessing a uniformly random t n R q k , for each query the probability of this event is bounded by 1 q n · k .
  • Pr[ b a d 6 ] is the probability that adversary predicted at least one of two outputs of the random oracle H 2 without making a query to it. This can happen with probability at most 2 2 l 2 .
Therefore, the difference between the two games is
| Pr [ G 6 ] Pr [ G 5 ] | Pr [ b a d 4 ] + Pr [ b a d 5 ] + Pr [ b a d 6 ] ( q h + 1 ) q h 2 l 2 + 1 + q h q n · k + 2 2 l 2
Algorithm A10 S i m K e y G e n ( p a r , A , t ) .
1: Send out h k n { 0 , 1 } l 1 .
2: Upon receiving h k i :
  • search for ( A i , a l e r t , b a d 1 ) searchHash ( H T 1 , h k i ) .
  • if the flag b a d 1 is set, then simulation fails with output ( 0 , ) .
  • if the flag a l e r t is set, then sample A n R q k × k . Otherwise, define A n : = A A i .
3: Program random oracle H 1 to respond queries A n with h k n . Set H T 1 [ A n ] : = h k n . If H T 1 [ A n ] has been already set, then set the flag b a d 2 and the simulation fails with output ( 0 , ) .
4: Send out A n . Upon receiving A i :
  • if H 1 ( A i ) h k i : send out ABORT.
  • if the flag a l e r t is set and H 1 ( A i ) = h k i : set the flag b a d 3 and the simulation fails with output ( 0 , ) .
5: Send out c o m k n { 0 , 1 } l 2 .
6: Upon receiving c o m k i , search for ( t i , a l e r t , b a d 4 ) searchHash ( H T 2 , c o m k i ) .
7: If the flag b a d 4 is set, then simulation fails with output ( 0 , ) .
8: Compute public key share:
  • If the flag a l e r t is set, t n R q k .
  • Otherwise, t n : = t t i .
9: Program random oracle H 2 to respond queries t n with c o m k n . Set H T 2 [ t n ] : = c o m k n .
If H T 2 [ t n ] has been already set, set flag b a d 5 and the simulation fails with output ( 0 , ) .
10: Send out t n . Upon receiving t i :
  • if H 2 ( t i ) c o m k i : send out ABORT.
  • if the flag a l e r t is set and H 2 ( t i ) = c o m k i : set the flag b a d 6 and simulation fails with output ( 0 , ) .
11: Otherwise, t : = t n + t i , p k : = ( A , t ) .

Appendix A.8. Forking Lemma

Now, both key generation and signing do not rely on the actual secret key share of the honest party P n . In order to conclude the proof, it is needed to invoke forking lemma to receive two valid forgeries that are constructed using the same commitment c o m = c o m but different challenges c c .
Currently, the combined public key consists of matrix A uniformly distributed in R q k × k and vector t uniformly distributed in R q k . We want to replace it with Module-SIS instance A | I , where A R q k × ( k + 1 ) . The view of adversary will not be changed if we set A = A | t .
Let us define an input generation algorithm IG such that it produces the following input: ( A , t ) for the F B . Now, let us construct B around the previously defined simulator B . B invokes the forking algorithm F B on the input ( A , t ) .
As a result, with probability f r k two valid forgeries o u t = ( c o m , c , z 1 , z 2 , m ) and o u t = ( c o m , c , z 1 , z 2 , m ) are obtained. Here, by the construction of F B , it holds that c c , c o m = c o m , m = m . The probability f r k satisfiesollowing:
Pr [ G 6 ] = a c c q h + q s + 1 | C | + ( q h + q s + 1 ) · f r k
Since both signatures are valid, it holds that
H o m H ( Az 1 + z 2 c t ) = c o m = c o m = H o m H ( Az 1 + z 2 c t )
Let us examine the following cases:
Case 1 :
Az 1 + z 2 c t Az 1 + z 2 c t , and B is able to break the collision resistance of the hash function (that is hard under the worst-case difficulty of finding short vectors in cyclic/ideal lattices), as was proven in [35,36].
Case 2 :
Az 1 + z 2 c t = Az 1 + z 2 c t . It can be rearranged as Az 1 Az 1 + z 2 z 2 c t + c t = 0 , and this, in turn, leads to
A | I | t z 1 z 1 z 2 z 2 c c = 0
Now, recall that A | I | t is an instance of Module-SIS problem; this means that we found a solution for Module-SIS with parameters ( q , k , k + 1 , ξ ) , where ξ 2 ( γ 2 β 2 ) .
Therefore, the probability f r k is the following:
f r k Adv ( q , k , k + 1 , ξ ) MSIS + Adv CR
Finally, taking into account that the underlying identification scheme has perfect naHVZK (i.e., ϵ Z K = 0 ), the advantage of the adversary is bounded by the following:
Adv DS - UF - CMA ( A ) q h + 2 q s + 1 2 2 l 3 + 1 + q s · 1 | Z p b | · 2 q h + 3 q s + 2 2 l 3 + q s · Adv q , k , k , γ , U , β R - MLWE + q h + 1 q h 2 l 1 + 1 + q h q n · k · k + 2 2 l 1 + Adv q , k , k , η , U Dec - MLWE + q h + 1 q h 2 l 2 + 1 + q h q n · k + 2 2 l 2 + q h + q s + 1 | C | + q h + q s + 1 · Adv ( q , k , k + 1 , ξ ) MSIS + Adv CR

References

  1. Shor, P.W. Polynomial-Time Algorithms for Prime Factorization and Discrete Logarithms on a Quantum Computer. SIAM J. Comput. 1997, 26, 1484–1509. [Google Scholar] [CrossRef] [Green Version]
  2. Shor, P.W. Algorithms for quantum computation: Discrete logarithms and factoring. In Proceedings of the 35th Annual Symposium on Foundations of Computer Science, Santa Fe, NM, USA, 20–22 November 1994; pp. 124–134. [Google Scholar] [CrossRef]
  3. Chen, L.; Jordan, S.; Liu, Y.K.; Moody, D.; Peralta, R.; Perlner, R.; Smith-Tone, D. Report on Post-Quantum Cryptography; Technical Report; National Institute of Standards and Technology: Gaithersburg, MD, USA, 2016. [Google Scholar] [CrossRef]
  4. Shoup, V. Practical Threshold Signatures. In Proceedings of the International Conference on the Theory and Applications of Cryptographic Techniques; Springer: Berlin/Heidelberg, Germany, 2000; Volume 1807, pp. 207–220. [Google Scholar] [CrossRef] [Green Version]
  5. Damgård, I.; Koprowski, M. Practical Threshold RSA Signatures without a Trusted Dealer. In International Conference on the Theory and Applications of Cryptographic Techniques; Springer: Berlin/Heidelberg, Germany, 2001; Volume 2045, pp. 152–165. [Google Scholar] [CrossRef] [Green Version]
  6. MacKenzie, P.D.; Reiter, M.K. Two-party generation of DSA signatures. Int. J. Inf. Sec. 2004, 2, 218–239. [Google Scholar] [CrossRef]
  7. Lindell, Y. Fast Secure Two-Party ECDSA Signing. In Proceedings of the Annual International Cryptology Conference; Katz, J., Shacham, H., Eds.; Springer: Berlin/Heidelberg, Germany, 2017; Volume 10402, pp. 613–644. [Google Scholar] [CrossRef]
  8. Doerner, J.; Kondi, Y.; Lee, E.; Shelat, A. Secure Two-party Threshold ECDSA from ECDSA Assumptions. In Proceedings of the 2018 IEEE Symposium on Security and Privacy, San Francisco, CA, USA, 20–24 May 2018; pp. 980–997. [Google Scholar] [CrossRef]
  9. Buldas, A.; Kalu, A.; Laud, P.; Oruaas, M. Server-Supported RSA Signatures for Mobile Devices. In Proceedings of the Computer Security– ESORICS 2017, Oslo, Norway, 11–15 September 2017; pp. 315–333. [Google Scholar]
  10. SK ID Solutions. eID Scheme: SMART-ID; Public Version, 1.0. 2019. Available online: https://www.ria.ee/sites/default/files/content-editors/EID/smart-id_skeemi_kirjeldus.pdf (accessed on 29 July 2021).
  11. Solutions, S.I. Smart-ID Is a Smart Way to Identify Yourself. 2021. Available online: https://www.smart-id.com/ (accessed on 15 April 2021).
  12. Cozzo, D.; Smart, N.P. Sharing the LUOV: Threshold Post-quantum Signatures. In Proceedings of the Cryptography and Coding—17th IMA International Conference, IMACC 2019, Oxford, UK, 16–18 December 2019; Volume 11929, pp. 128–153. [Google Scholar] [CrossRef]
  13. Kiltz, E.; Lyubashevsky, V.; Schaffner, C. A Concrete Treatment of Fiat-Shamir Signatures in the Quantum Random-Oracle Model. Cryptology ePrint Archive, Report 2017/916. 2017. Available online: https://eprint.iacr.org/2017/916 (accessed on 29 July 2021).
  14. Bruinderink, L.G.; Hülsing, A.; Lange, T.; Yarom, Y. Flush, Gauss, and Reload—A Cache Attack on the BLISS Lattice-Based Signature Scheme. In Proceedings of the Cryptographic Hardware and Embedded Systems—CHES 2016—18th International Conference, Santa Barbara, CA, USA, 17–19 August 2016; Volume 9813, pp. 323–345. [Google Scholar] [CrossRef] [Green Version]
  15. Espitau, T.; Fouque, P.; Gérard, B.; Tibouchi, M. Side-Channel Attacks on BLISS Lattice-Based Signatures: Exploiting Branch Tracing against strongSwan and Electromagnetic Emanations in Microcontrollers. In Proceedings of the 2017 ACM SIGSAC Conference on Computer and Communications Security, CCS 2017, Dallas, TX, USA, 30 October–3 November 2017; pp. 1857–1874. [Google Scholar] [CrossRef] [Green Version]
  16. Damgård, I.; Orlandi, C.; Takahashi, A.; Tibouchi, M. Two-round n-out-of-n and Multi-Signatures and Trapdoor Commitment from Lattices. Cryptology ePrint Archive, Report 2020/1110. 2020. Available online: https://eprint.iacr.org/2020/1110 (accessed on 29 July 2021).
  17. Moody, D.; Alagic, G.; Apon, D.C.; Cooper, D.A.; Dang, Q.H.; Kelsey, J.M.; Liu, Y.K.; Miller, C.A.; Peralta, R.C.; Perlner, R.A.; et al. Status Report on the Second Round of the NIST Post-Quantum Cryptography Standardization Process; Technical Report; National Institute of Standards and Technology: Gaithersburg, MD, USA, 2020. [Google Scholar] [CrossRef]
  18. Lyubashevsky, V.; Ducas, L.; Kiltz, E.; Lepoint, T.; Schwabe, P.; Seiler, G.; Stehle, D.; Bai, S. CRYSTALS-Dilithium. Algorithm Specifications and Supporting Documentation. 2020. Available online: https://csrc.nist.gov/projects/post-quantum-cryptography/round-3-submissions (accessed on 29 July 2021).
  19. Prest, T.; Fouque, P.A.; Hoffstein, J.; Kirchner, P.; Lyubashevsky, V.; Pornin, T.; Ricosset, T.; Seiler, G.; Whyte, W.; Zhang, Z. Falcon: Fast-Fourier Lattice-Based Compact Signatures over NTRU. 2020. Available online: https://csrc.nist.gov/projects/post-quantum-cryptography/round-3-submissions (accessed on 29 July 2021).
  20. Ding, J.; Chen, M.S.; Petzoldt, A.; Schmidt, D.; Yang, B.Y.; Kannwischer, M.; Patarin, J. Rainbow—Algorithm Specification and Documentation. The 3rd Round Proposal. 2020. Available online: https://csrc.nist.gov/projects/post-quantum-cryptography/round-3-submissions (accessed on 29 July 2021).
  21. Bansarkhani, R.E.; Sturm, J. An Efficient Lattice-Based Multisignature Scheme with Applications to Bitcoins. In Proceedings of the Cryptology and Network Security—15th International Conference, CANS 2016, Milan, Italy, 14–16 November 2016; Volume 10052, pp. 140–155. [Google Scholar] [CrossRef]
  22. Fukumitsu, M.; Hasegawa, S. A Tightly-Secure Lattice-Based Multisignature. In Proceedings of the 6th on ASIA Public-Key Cryptography Workshop, APKC@AsiaCCS 2019, Auckland, New Zealand, 8 July 2019; pp. 3–11. [Google Scholar] [CrossRef]
  23. Tso, R.; Liu, Z.; Tseng, Y. Identity-Based Blind Multisignature From Lattices. IEEE Access 2019, 7, 182916–182923. [Google Scholar] [CrossRef]
  24. Ma, C.; Jiang, M. Practical Lattice-Based Multisignature Schemes for Blockchains. IEEE Access 2019, 7, 179765–179778. [Google Scholar] [CrossRef]
  25. Toluee, R.; Eghlidos, T. An Efficient and Secure ID-Based Multi-Proxy Multi-Signature Scheme Based on Lattice. Cryptology ePrint Archive, Report 2019/1031. 2019. Available online: https://eprint.iacr.org/2019/1031 (accessed on 29 July 2021).
  26. Fukumitsu, M.; Hasegawa, S. A Lattice-Based Provably Secure Multisignature Scheme in Quantum Random Oracle Model. In Proceedings of the Provable and Practical Security—14th International Conference, ProvSec 2020, Singapore, 29 November–1 December 2020; Volume 12505, pp. 45–64. [Google Scholar] [CrossRef]
  27. Bendlin, R.; Krehbiel, S.; Peikert, C. How to Share a Lattice Trapdoor: Threshold Protocols for Signatures and (H)IBE. In Proceedings of the Applied Cryptography and Network Security—11th International Conference, ACNS 2013, Banff, AB, Canada, 25–28 June 2013; Volume 7954, pp. 218–236. [Google Scholar] [CrossRef] [Green Version]
  28. Kansal, M.; Dutta, R. Round Optimal Secure Multisignature Schemes from Lattice with Public Key Aggregation and Signature Compression. In Proceedings of the Progress in Cryptology—AFRICACRYPT 2020—12th International Conference on Cryptology in Africa, Cairo, Egypt, 20–22 July 2020; Volume 12174, pp. 281–300. [Google Scholar] [CrossRef]
  29. Ducas, L.; Lepoint, T.; Lyubashevsky, V.; Schwabe, P.; Seiler, G.; Stehle, D. CRYSTALS—Dilithium: Digital Signatures from Module Lattices. Cryptology ePrint Archive, Report 2017/633. 2017. Available online: https://eprint.iacr.org/2017/633 (accessed on 29 July 2021).
  30. Pessl, P.; Bruinderink, L.G.; Yarom, Y. To BLISS-B or not to be: Attacking strongSwan’s Implementation of Post-Quantum Signatures. In Proceedings of the 2017 ACM SIGSAC Conference on Computer and Communications Security, CCS 2017, Dallas, TX, USA, 30 October–3 November 2017; pp. 1843–1855. [Google Scholar] [CrossRef] [Green Version]
  31. Bellare, M.; Neven, G. Multi-signatures in the plain public-key model and a general forking lemma. In Proceedings of the 13th ACM Conference on Computer and Communications Security—CCS’06, Alexandria, VA, USA, 30 October–3 November 2006. [Google Scholar] [CrossRef] [Green Version]
  32. Fiat, A.; Shamir, A. How to Prove Yourself: Practical Solutions to Identification and Signature Problems. In Proceedings of the Advances in Cryptology—CRYPTO’86, Santa Barbara, CA, USA, 11–15 August 1986; Voloume 263; pp. 186–194. [Google Scholar] [CrossRef] [Green Version]
  33. Lyubashevsky, V. Fiat-Shamir with Aborts: Applications to Lattice and Factoring-Based Signatures. In Proceedings of the Advances in Cryptology—ASIACRYPT 2009, 15th International Conference on the Theory and Application of Cryptology and Information Security, Tokyo, Japan, 6–10 December 2009; Volume 5912, pp. 598–616. [Google Scholar]
  34. Güneysu, T.; Lyubashevsky, V.; Pöppelmann, T. Practical Lattice-Based Cryptography: A Signature Scheme for Embedded Systems. In Proceedings of the Cryptographic Hardware and Embedded Systems—CHES 2012—14th International Workshop, Leuven, Belgium, 9–12 September 2012; Volume 7428, pp. 530–547. [Google Scholar] [CrossRef] [Green Version]
  35. Lyubashevsky, V.; Micciancio, D. Generalized Compact Knapsacks Are Collision Resistant. In Proceedings of the Automata, Languages and Programming, 33rd International Colloquium, ICALP 2006, Venice, Italy, 10–14 July 2006; Volume 4052, pp. 144–155. [Google Scholar] [CrossRef]
  36. Micciancio, D. Generalized Compact Knapsacks, Cyclic Lattices, and Efficient One-Way Functions from Worst-Case Complexity Assumptions. In Proceedings of the 43rd Symposium on Foundations of Computer Science (FOCS 2002), Vancouver, BC, Canada, 16–19 November 2002; pp. 356–365. [Google Scholar] [CrossRef]
  37. Peikert, C.; Rosen, A. Efficient Collision-Resistant Hashing from Worst-Case Assumptions on Cyclic Lattices. In Proceedings of the Theory of Cryptography, Third Theory of Cryptography Conference, TCC 2006, New York, NY, USA, 4–7 March 2006; Volume 3876, pp. 145–166. [Google Scholar] [CrossRef] [Green Version]
  38. Lyubashevsky, V.; Micciancio, D.; Peikert, C.; Rosen, A. SWIFFT: A Modest Proposal for FFT Hashing. In Proceedings of the Fast Software Encryption, 15th International Workshop, FSE 2008, Lausanne, Switzerland, 10–13 February 2008; Volume 5086, pp. 54–72. [Google Scholar] [CrossRef] [Green Version]
  39. Bellare, M.; Neven, G. New Multi-Signature Schemes and a General Forking Lemma. 2005. Available online: https://soc1024.ece.illinois.edu/teaching/ece498ac/fall2018/forkinglemma.pdf (accessed on 29 July 2021).
  40. Boneh, D.; Gennaro, R.; Goldfeder, S.; Jain, A.; Kim, S.; Rasmussen, P.M.R.; Sahai, A. Threshold Cryptosystems from Threshold Fully Homomorphic Encryption. In Proceedings of the Advances in Cryptology—CRYPTO 2018, Santa Barbara, CA, USA, 19–23 August 2018; pp. 565–596. [Google Scholar]
  41. Gentry, C.; Peikert, C.; Vaikuntanathan, V. Trapdoors for Hard Lattices and New Cryptographic Constructions. Cryptology ePrint Archive, Report 2007/432. 2007. Available online: https://eprint.iacr.org/2007/432 (accessed on 29 July 2021).
  42. Baum, C.; Damgård, I.; Lyubashevsky, V.; Oechsner, S.; Peikert, C. More Efficient Commitments from Structured Lattice Assumptions. In Security and Cryptography for Networks; Catalano, D., De Prisco, R., Eds.; Springer International Publishing: Cham, Switzerland, 2018; pp. 368–385. [Google Scholar]
Table 1. Parameters for the two-party protocol.
Table 1. Parameters for the two-party protocol.
ParameterDescription
ndegree bound of the polynomials in the ring
qmodulus
( k , k ) dimension of matrix and vectors used in the scheme
γ size bound of the coefficients in the masking vector share
γ 2 size bound of coefficients in the composed masking vector
η size bound of coefficients in the secret key share
τ number on nonzero elements in the output of special hash function H 0
β maximum possible coefficient of the client’s and server’s shares of c s i , where i { 1 , 2 }
β 2 maximum possible coefficient of c s i , where i { 1 , 2 }
( a , b , p ) parameters for the homomorphic hash function: a · b is the input length, b is the output length, and p is the modulus
Table 2. Illustrative parameters.
Table 2. Illustrative parameters.
ParametersSizes
n256
q8,380,417
( k , k ) (5, 5)
γ 2 19
γ 2 2 20
η 2
τ 60
β 120
β 2 240
( a , b , p ) ( 64 , 16 , 257 )
Table 3. Key and signature sizes and expected number of repetitions of the signing protocol.
Table 3. Key and signature sizes and expected number of repetitions of the signing protocol.
ValuesSizes
Public key p k 3744 bytes
Secret key share s k i 4384 bytes
Signature σ 6788 bytes
Expected number of repetitions3.23
Table 4. Message sizes in the key generation process.
Table 4. Message sizes in the key generation process.
MessagesSizes
First message h k i 256 bits
Second message A i (as seed)256 bits
Third message c o m k i 256 bits
Fourth message t i 3680 bytes
Table 5. Message sizes in the signing process.
Table 5. Message sizes in the signing process.
MessagesSizes
First message ( h i ) 256 bits
Second message c o m i 1920 bytes
Third message ( z 1 i , z 2 i ) 6080 bytes
Table 6. Comparison with prior work.
Table 6. Comparison with prior work.
FunctionalityParadigmRoundsSecurity
Bendlin et al. [27]t-out-of-nHash-and-Sign1Gentry et al. [41]
Boneh et al. [40]t-out-of-nAny (Universal Thresholdizer)1LWE
Dåmgard et al. [16] D S 2 n-out-of-nFSwA2MLWE
Dåmgard et al. [16] D S 3 n-out-of-nFSwA3MLWE, MSIS
Our protocol (DiLizium)2-out-of-2FSwA3MLWE, MSIS, R-MLWE
Table 7. Illustrative parameters for Dåmgard et al. D S 3 [16].
Table 7. Illustrative parameters for Dåmgard et al. D S 3 [16].
Parameters for Signature SchemeDescriptionSizes
nThe degree bound of the polynomials in the ring256
q s i g Modulus8,380,781
( k s i g , l ) Dimension of matrix and vectors(4, 4)
η Size bound of coefficients in the secret key share5
τ Number on non-zero elements in the output of hash function H 0 60
σ s i g Standard deviation of the Gaussian distribution≈17,900
B s i g The maximum l 2 norm of signature share z j R q s i g l + k s i g ≈990,000
Table 8. Illustrative parameters for Dåmgard et al. [16] statistically binding commitment scheme.
Table 8. Illustrative parameters for Dåmgard et al. [16] statistically binding commitment scheme.
Parameters for Commitment SchemeDescriptionSizes
NThe degree bound of the polynomials in the ring1024
q c o m Modulus≈2 55
( m , m , k c o m ) Dimension of matrices and vectors(6, 9, 1)
σ c o m Standard deviation of the Gaussian distribution≈46,000
B c o m = 4 σ c o m m N The maximum l 2 of commitment opening r j R q c o m m ≈17,664,000
Table 9. Illustrative comparison of DiLizium and Dåmgard et al. D S 3 message sizes.
Table 9. Illustrative comparison of DiLizium and Dåmgard et al. D S 3 message sizes.
MessagesDiLiziumDåmgard et al. DS 3
First message256 bits256 bits
Second message1920 bytes197,120 bytes
Third message6080 bytes125,184 bytes
Publisher’s Note: MDPI stays neutral with regard to jurisdictional claims in published maps and institutional affiliations.

Share and Cite

MDPI and ACS Style

Vakarjuk, J.; Snetkov, N.; Willemson, J. DiLizium: A Two-Party Lattice-Based Signature Scheme. Entropy 2021, 23, 989. https://doi.org/10.3390/e23080989

AMA Style

Vakarjuk J, Snetkov N, Willemson J. DiLizium: A Two-Party Lattice-Based Signature Scheme. Entropy. 2021; 23(8):989. https://doi.org/10.3390/e23080989

Chicago/Turabian Style

Vakarjuk, Jelizaveta, Nikita Snetkov, and Jan Willemson. 2021. "DiLizium: A Two-Party Lattice-Based Signature Scheme" Entropy 23, no. 8: 989. https://doi.org/10.3390/e23080989

Note that from the first issue of 2016, this journal uses article numbers instead of page numbers. See further details here.

Article Metrics

Back to TopTop