Appendix A. Full Security Proof
This section presents detailed security proof for the twoparty signature scheme.
Definition A1(noabort HonestVerifier ZeroKnowledge). An identification scheme is said to be ${\u03f5}_{ZK}$naHVZK if there exists a probabilistic expected polynomialtime algorithm $Sim$ that is given only the public key $pk$ and that outputs $(w,c,z)$ such that the following holds:
The distribution of the simulated transcript produced by $Sim$ ($(w,c,z)\leftarrow $$Sim\left(pk\right)$) has a statistical distance at most ${\u03f5}_{ZK}$ from the real transcript produced by the transcript algorithm $({w}^{\prime},{c}^{\prime},{z}^{\prime})\leftarrow Trans\left(sk\right)$.
The distribution of c from the output $(w,c,z)\leftarrow Sim\left(pk\right)$ conditioned on $c\ne \perp $ is uniformly random over the set C.
Theorem A1. Assume a homomorphic hash function $HomH:{\{0,1\}}^{a\xb7b}\to {\mathbb{Z}}_{p}^{b}$ is provably collisionresistant and ϵregular; then for any probabilistic polynomial time adversary $\mathcal{A}$ that makes a single query to the key generation oracle, ${q}_{s}$ queries to the signing oracle, and ${q}_{h}$ queries to the random oracles ${H}_{0},{H}_{1},{H}_{2},{H}_{3}$, the distributed signature protocol is DSUFCMA secure in the random oracle model under ModuleLWE, rejected ModuleLWE, and ModuleSIS assumptions.
Proof. Given an adversary $\mathcal{A}$ that succeeds in breaking the distributed signature protocol with advantage ${\mathrm{Adv}}^{\mathrm{DS}\mathrm{UF}\mathrm{CMA}}\left(\mathcal{A}\right)$, a simulator $\mathcal{B}$ is constructed. $\mathcal{B}$ simulates the behaviour of the single honest party without using honestly generated secret keys for the computation. Algorithm $\mathcal{B}$ is constructed such that it fits all the assumptions of the forking lemma. By the definition of forking algorithm, it was required that $\mathcal{B}$ is given a public key and a random oracle query replies as input. $\mathcal{B}$ simulates the behaviour of the honest party ${P}_{n}$, and the party ${P}_{i}$ is corrupted by the adversary. The algorithm $\mathcal{B}$ is defined in Algorithm A1.
Algorithm A1$\mathcal{B}$($pk,{h}_{1},\dots ,{h}_{{q}_{h}+{q}_{s}+1}$). 
1: Create empty hash tables $H{T}_{i}$ for $i\in \{0,\dots ,3\}$. 
2: Create a set of queried messages $\mathcal{M}=\varnothing $. 
3: Simulate the honest party oracle as follows: Upon receiving a query from $\mathcal{A}$ of the form $(sid,msg)$, reply to the query as described in $Sim{\mathcal{O}}_{KeyGen}$ (Oracle A1) and $Sim{\mathcal{O}}_{Sign}$ (Oracle A2). If one of the oracles terminates with output of the form $(0,\perp )$, then $\mathcal{B}$ also terminates with the same output $(0,\perp )$.

4: Simulate random oracles as follows:

5: Upon receiving a forgery $\sigma =({\mathbf{z}}_{1},{\mathbf{z}}_{2},c)$ on message ${m}^{\prime}$ from $\mathcal{A}$:
If ${m}^{\prime}\in \mathcal{M}$, then $\mathcal{B}$ terminates with output $(0,\perp )$. Compute $co{m}^{\prime}:=HomH({\mathbf{Az}}_{1}+{\mathbf{z}}_{2}c\mathbf{t})$. Make query ${c}^{\prime}\leftarrow {H}_{0}({m}^{\prime}\left\rightco{m}^{\prime})$. If $c\ne {c}^{\prime}$ or $\left\right{\mathbf{z}}_{1}{\left\right}_{\infty}\ge {\gamma}_{2}{\beta}_{2}$ or $\left\right{\mathbf{z}}_{2}{\left\right}_{\infty}\ge {\gamma}_{2}{\beta}_{2}$, then $\mathcal{B}$ terminates with output $(0,\perp )$. Find index ${i}_{f}\in [{q}_{h}+{q}_{s}+1]$ such that ${c}^{\prime}={h}_{{i}_{f}}$. $\mathcal{B}$ terminates with the output $({i}_{f},out=(co{m}^{\prime},{c}^{\prime},{\mathbf{z}}_{1},{\mathbf{z}}_{2},{m}^{\prime}))$

Appendix A.1. Random Oracle Simulation
There are several random oracles that need to be simulated:
${H}_{0}:{\{0,1\}}^{*}\to C$
[C is a set of all vectors in ${\{1,0,1\}}^{n}$ with exactly $\tau $ nonzero elements]
${H}_{1}:{\{0,1\}}^{*}\to {\{0,1\}}^{{l}_{1}}$
${H}_{2}:{\{0,1\}}^{*}\to {\{0,1\}}^{{l}_{2}}$
${H}_{3}:{\{0,1\}}^{*}\to {\{0,1\}}^{{l}_{3}}$
All of the random oracles are simulated as described in Algorithm A2. Additionally, there is a searchHash($HT,h$) algorithm for searching entries from the hash table defined in Algorithm A3.
Algorithm A2${H}_{i}\left(x\right)$. 
$H{T}_{i}$ is a hash table that is initially empty. 
1: On a query x, return element $H{T}_{i}\left[x\right]$ if it was previously defined. 
2: Otherwise, sample output y uniformly at random from the range of ${H}_{i}$ and return $H{T}_{i}\left[x\right]:=y$ 
Algorithm A3 searchHash($HT,h$) 
1: For value h, find its preimage m in the hash table such that $HT\left[m\right]=h$. 
2: If preimage of value h does not exist, set flag $alert$ and set preimage $m=\perp $. 
3: If for value h more than one preimage exists in hash table $HT$, set flag $bad$. 
4: Output: $(m,alert,bad)$ 
Simulators for the key generation and signing processes were constructed using several intermediate games. The goal was to remove the usage of the actual secret key share of the party ${P}_{n}$ from both processes. Let Pr[${\mathbf{G}}_{i}$] denote the probability that $\mathcal{B}$ does not output (0,⊥) in the game ${\mathbf{G}}_{i}$. This means that the adversary must have created a valid forgery (as defined in Algorithm A1). Then, Pr[${\mathbf{G}}_{0}$] $={\mathrm{Adv}}^{\mathrm{DS}\mathrm{UF}\mathrm{CMA}}\left(\mathcal{A}\right)$. In Game 0, $\mathcal{B}$ simulates the honest party behaviour using the same instructions as in the original KeyGen ${}_{n}\left(par\right)$ and Sign ${}_{n}(s{k}_{n},m)$ protocols.
Appendix A.2. Game 1
In Game 1, only signing process ics changed with respect to the previous game. The simulator for the signing process in Game 1 is described in Algorithm A4. Challenge c is now sampled uniformly at random, and the signature shares are computed without communicating with the adversary. Changes with respect to the previous game are highlighted.
Algorithm A4$Si{m}_{Sign}(s{k}_{n},pk,m)$. 
1: $c\leftarrow C$. 
2: ${\mathbf{y}}_{1}^{n},{\mathbf{y}}_{2}^{n}\leftarrow {S}_{\gamma 1}^{k}$. 
3: ${\mathbf{w}}_{n}:={\mathbf{Ay}}_{1}^{n}+{\mathbf{y}}_{2}^{n}$. 
4: ${\mathbf{z}}_{1}^{n}:={\mathbf{y}}_{1}^{n}+c{\mathbf{s}}_{1}^{n}$ and ${\mathbf{z}}_{2}^{n}:={\mathbf{y}}_{2}^{n}+c{\mathbf{s}}_{2}^{n}$. 
5: $co{m}_{n}\leftarrow HomH\left({\mathbf{w}}_{n}\right)$, send out ${h}_{n}\leftarrow {H}_{3}\left(co{m}_{n}\right)$. 
6: Upon receiving ${h}_{i}$, search for $(co{m}_{i},alert,ba{d}_{7})\leftarrow \mathrm{searchHash}(H{T}_{3},{h}_{i})$. 
7: If the flag $ba{d}_{7}$ is set, then simulation fails with output $(0,\perp )$. If the flag $alert$ is set, then send out $co{m}_{n}$. 
8: $com:=co{m}_{n}+co{m}_{i}$. 
9: Program random oracle ${H}_{0}$ to respond queries $\left(m\right\leftcom\right)$ with c. Set $H{T}_{0}\left[\right(m\left\rightcom\left)\right]:=c$. If $H{T}_{0}\left[\right(m\left\rightcom\left)\right]$ has been already set, set flag $ba{d}_{8}$ and the simulation fails with output $(0,\perp )$. 
10: Send out $co{m}_{n}$. Upon receiving $co{m}_{i}$:
if ${H}_{3}\left(co{m}_{i}\right)\ne {h}_{i}$: send out ABORT. if the flag $alert$ is set and ${H}_{3}\left(co{m}_{i}\right)={h}_{i}$: set the flag $ba{d}_{9}$ and the simulation fails with output $(0,\perp )$.

11: Otherwise, run rejection sampling, if it did not pass: send out RESTART and go to the step 1. 
12: Otherwise, send out $({\mathbf{z}}_{1}^{n},{\mathbf{z}}_{2}^{n})$. Upon receiving RESTART, go to step 1. 
13: Upon receiving $({\mathbf{z}}_{1}^{i},{\mathbf{z}}_{2}^{i})$, reconstruct ${\mathbf{w}}_{i}:={\mathbf{Az}}_{1}^{i}+{\mathbf{z}}_{2}^{i}c{\mathbf{t}}_{i}$ and check that $HomH\left({\mathbf{w}}_{i}\right)=co{m}_{i}$, if not: send out ABORT. 
14: Otherwise, set ${\mathbf{z}}_{1}:={\mathbf{z}}_{1}^{n}+{\mathbf{z}}_{1}^{i}$, ${\mathbf{z}}_{2}:={\mathbf{z}}_{2}^{n}+{\mathbf{z}}_{2}^{i}$ and output composed signature $\sigma :=({\mathbf{z}}_{1},{\mathbf{z}}_{2},c)$. 
Game 0 → Game 1:
The difference between Game 0 and Game 1 can be expressed using the $bad$ events that can happen with the following probabilities:
Pr[$ba{d}_{7}$] is the probability that at least one collision occurs during at most ${q}_{h}+2{q}_{s}$ queries to the random oracle ${H}_{3}$ made by adversary or simulator. This means that two values $co{m}_{j}\ne co{m}_{j}^{\prime}$ were found such that $H{T}_{3}\left[co{m}_{j}\right]=H{T}_{3}\left[co{m}_{j}^{\prime}\right]$. As all of the responses of ${H}_{3}$ are chosen uniformly at random from ${\{0,1\}}^{{l}_{3}}$ and there are at most ${q}_{h}+2{q}_{s}$ queries to the random oracle ${H}_{3}$, the probability of at least one collision occurring can be expressed as $\frac{\left(\right)open="("\; close=")">({q}_{h}+2{q}_{s})({q}_{h}+2{q}_{s}+1)}{/}{2}^{{l}_{3}}$, where ${l}_{3}$ is the length of ${H}_{3}$ output.
Pr[$ba{d}_{8}$] is the probability that programming random oracle ${H}_{0}$ fails at least once during ${q}_{s}$ queries. This event can happen in the following two cases: ${H}_{3}\left(co{m}_{n}\right)$ was previously queried by the adversary or it was not queried by the adversary:
 
Case 1: ${H}_{3}\left(co{m}_{n}\right)$ has been already asked by adversary during at most ${q}_{h}+2{q}_{s}$ queries to ${H}_{3}$. This means that the adversary knows $com$ and may have queried ${H}_{0}\left(m\right\leftcom\right)$ before. This event corresponds to guessing the value of $co{m}_{n}$.
Let the uniform distribution over ${\mathbb{Z}}_{p}^{b}$ be denoted as X and the distribution of $HomH$ output be denoted as Y. As $HomH$ is $\u03f5$regular (for some negligibly small $\u03f5$), it holds that SD $(X,Y)\le \u03f5$. Then, for any subset T of ${\mathbb{Z}}_{p}^{b}$, by definition of statistical distance, it holds that $\mathrm{Pr}[X\in T]\le \mathrm{Pr}[Y\in T]+\u03f5$. Therefore, for a uniform distribution X, the probability of guessing Y by T is bounded by $\frac{1}{{\mathbb{Z}}_{p}^{b}}+\u03f5$.
Since $co{m}_{n}$ was produced by $\mathcal{B}$ in the beginning of the signing protocol completely independently from $\mathcal{A}$, the probability that $\mathcal{A}$ queried ${H}_{3}\left(co{m}_{n}\right)$ is at most $\frac{1}{{\mathbb{Z}}_{p}^{b}}+\u03f5$ for each query.
 
Case 2: $H{T}_{0}\left[m\right\leftcom\right]$ has been set by adversary or simulator by chance during at most ${q}_{h}+{q}_{s}$ prior queries to the ${H}_{0}$. Since $\mathcal{A}$ has not queried ${H}_{3}\left(co{m}_{n}\right)$ before, adversary does not know $co{m}_{n}$ and the view of $\mathcal{A}$ is completely independent from $com$. The probability that $com$ occurred by chance in one of the previous queries to ${H}_{0}$ is at most $\left(\right)open="("\; close=")">{q}_{h}+{q}_{s}$.
Pr[$ba{d}_{9}$] is the probability that the adversary predicted at least one of two outputs of the random oracle ${H}_{3}$ without making a query to it. In this case, there is no record in the hash table $H{T}_{3}$ that corresponds to the preimage $co{m}_{j}$. This can happen with probability at most $\frac{2}{{2}^{{l}_{3}}}$ for each signing query.
Therefore, the difference between two games is
Appendix A.3. Game 2
In Game 2, when the signature share gets rejected, simulator commits to a uniformly random vector ${\mathbf{w}}_{n}$ from the ring ${R}_{q}$ instead of committing to a vector computed as ${\mathbf{Ay}}_{1}^{n}+{\mathbf{y}}_{2}^{n}$. The simulator for the signing process in Game 2 is described in Algorithm 5.
Game 1 → Game 2:
The difference between Game 1 and Game 2 can be expressed with the probability that the adversary can distinguish simulated commitment with random ${\mathbf{w}}_{n}$ from the real one when the rejection sampling algorithm does not pass. If the signature shares are rejected, it means that ${\mathbf{z}}_{1}^{n}\ge \gamma \beta $ or ${\mathbf{z}}_{2}^{n}\ge \gamma \beta $.
Let us assume that there exists an adversary
$\mathcal{D}$ who succeeds in distinguish simulated commitment with random
${\mathbf{w}}_{n}$ from the real one with nonnegligible probability:
Then, the adversary $\mathcal{D}$ can be used to construct an adversary ${\mathcal{A}}_{RMLWE}$ who solves the rejected ModuleLWE for parameters $(q,k,k,\gamma ,U,\beta )$, where U is the uniform distribution. The adversary ${\mathcal{A}}_{RMLWE}$ is defined in Algorithm A6.
Algorithm A5$Si{m}_{Sign}(s{k}_{n},pk,m)$. 
1: $c\leftarrow C$. 
2:${\mathbf{y}}_{1}^{n},{\mathbf{y}}_{2}^{n}\leftarrow {S}_{\gamma 1}^{k}$. 
3: ${\mathbf{z}}_{1}^{n}:={\mathbf{y}}_{1}^{n}+c{\mathbf{s}}_{1}^{n}$ and ${\mathbf{z}}_{2}^{n}:={\mathbf{y}}_{2}^{n}+c{\mathbf{s}}_{2}^{n}$. 
4: Run rejection sampling; if it does not pass, proceed as follows:

1. ${\mathbf{w}}_{n}\leftarrow {R}_{q}^{k}$. 
2. $co{m}_{n}\leftarrow HomH\left({\mathbf{w}}_{n}\right)$, send out ${h}_{n}\leftarrow {H}_{3}\left(co{m}_{n}\right)$. 
3. Upon receiving ${h}_{i}$, search for $(co{m}_{i},alert,ba{d}_{7})\leftarrow \mathrm{searchHash}(H{T}_{3},{h}_{i})$. 
4. If the flag $ba{d}_{7}$ is set, then simulation fails with output $(0,\perp )$. If the flag $alert$ is set, then send out $co{m}_{n}$. 
5. $com:=co{m}_{n}+co{m}_{i}$. 
6. Program random oracle ${H}_{0}$ to respond queries $\left(m\right\leftcom\right)$ with c. Set $H{T}_{0}\left[\right(m\left\rightcom\left)\right]:=c$. If $H{T}_{0}\left[\right(m\left\rightcom\left)\right]$ has been already set, set flag $ba{d}_{8}$ and the simulation fails with output $(0,\perp )$. 
7. Send out $co{m}_{n}$. Upon receiving $co{m}_{i}$:
if ${H}_{3}\left(co{m}_{i}\right)\ne {h}_{i}$: send out ABORT. if the flag $alert$ is set and ${H}_{3}\left(co{m}_{i}\right)={h}_{i}$: set the flag $ba{d}_{9}$ and the simulation fails with output $(0,\perp )$.

8. Otherwise, send out RESTART and go to step 1.

5: If rejection sampling passes, proceed as follows: 
1. ${\mathbf{w}}_{n}:={\mathbf{Ay}}_{1}^{n}+{\mathbf{y}}_{2}^{n}$. 
2. $co{m}_{n}\leftarrow HomH\left({\mathbf{w}}_{n}\right)$, send out ${h}_{n}\leftarrow {H}_{3}\left(co{m}_{n}\right)$. 
3. Upon receiving ${h}_{i}$, search for $(co{m}_{i},alert,ba{d}_{7})\leftarrow \mathrm{searchHash}(H{T}_{3},{h}_{i})$. 
4. If the flag $ba{d}_{7}$ is set, then simulation fails with output $(0,\perp )$. If the flag $alert$ is set, then continue. 
5. $com:=co{m}_{n}+co{m}_{i}$. 
6. Program random oracle ${H}_{0}$ to respond queries $\left(m\right\leftcom\right)$ with c. Set $H{T}_{0}\left[\right(m\left\rightcom\left)\right]:=c$. If $H{T}_{0}\left[\right(m\left\rightcom\left)\right]$ has been already set, set flag $ba{d}_{8}$ and the simulation fails with output $(0,\perp )$. 
7. Send out $co{m}_{n}$.Upon receiving $co{m}_{i}$:
if ${H}_{3}\left(co{m}_{i}\right)\ne {h}_{i}$: send out ABORT. if the flag $alert$ is set and ${H}_{3}\left(co{m}_{i}\right)={h}_{i}$: set the flag $ba{d}_{9}$ and the simulation fails with output $(0,\perp )$.

8. Otherwise, send out $({\mathbf{z}}_{1}^{n},{\mathbf{z}}_{2}^{n})$. Upon receiving RESTART, go to step 1. 
9. Upon receiving $({\mathbf{z}}_{1}^{i},{\mathbf{z}}_{2}^{i})$, reconstruct ${\mathbf{w}}_{i}:={\mathbf{Az}}_{1}^{i}+{\mathbf{z}}_{2}^{i}c{\mathbf{t}}_{i}$ and check that $HomH\left({\mathbf{w}}_{i}\right)=co{m}_{i}$, if not: send out ABORT. 
10. Otherwise, set ${\mathbf{z}}_{1}:={\mathbf{z}}_{1}^{n}+{\mathbf{z}}_{1}^{i}$, ${\mathbf{z}}_{2}:={\mathbf{z}}_{2}^{n}+{\mathbf{z}}_{2}^{i}$ and output composed signature $\sigma :=({\mathbf{z}}_{1},{\mathbf{z}}_{2},c)$.

Algorithm A6${\mathcal{A}}_{RMLWE}(\mathbf{A},{\mathbf{w}}_{b},c)$. 
1: ${h}_{b}\leftarrow HomH\left({\mathbf{w}}_{b}\right)$ 
2: ${b}^{\prime}\leftarrow \mathcal{D}(\mathbf{A},{h}_{b},c)$ 
3: return ${b}^{\prime}$ 
As a consequence, the difference between the two games is bounded by the following:
Appendix A.4. Game 3
In Game 3, the simulator does not generate the signature shares honestly and thus does not perform rejection sampling honestly. Rejection sampling is simulated as follows:
Rejection case: with probability $1{\left(\right)}^{1}2$ simulator generates commitment to the random ${\mathbf{w}}_{n}$ as in the previous game.
Otherwise, sample signature shares from the set ${S}_{\gamma \beta 1}$ and compute ${\mathbf{w}}_{n}$ out of it.
The simulator for the signing process in Game 3 is described in Algorithm A7.
Game 2 → Game 3:
The signature shares generated in Algorithm A7 are indistinguishable from the real ones because of the
${\u03f5}_{ZK}$naHVZK property of the underlying identification scheme from [
13], appendix B. Therefore, the difference between Game 2 and Game 3 can be defined as follows:
According to the proof from [
13],
${\u03f5}_{ZK}=0$ for the underlying identification scheme.
Algorithm A7$Si{m}_{Sign}({\mathbf{t}}_{n},pk,m)$. 
1: With probability $1{\left(\right)}^{1}2$, proceed as follows: 1.
$c\leftarrow C$.  2.
${\mathbf{w}}_{n}\leftarrow {R}_{q}^{k}$.  3.
$co{m}_{n}\leftarrow HomH\left({\mathbf{w}}_{n}\right)$, send out ${h}_{n}\leftarrow {H}_{3}\left(co{m}_{n}\right)$.  4.
Upon receiving ${h}_{i}$, search for $(co{m}_{i},alert,ba{d}_{7})\leftarrow \mathrm{searchHash}(H{T}_{3},{h}_{i})$.  5.
If the flag $ba{d}_{7}$ is set, then simulation fails with output $(0,\perp )$. If the flag $alert$ is set, then send out $co{m}_{n}$.  6.
$com:=co{m}_{n}+co{m}_{i}$.  7.
Program random oracle ${H}_{0}$ to respond queries $\left(m\right\leftcom\right)$ with c. Set $H{T}_{0}\left[\right(m\left\rightcom\left)\right]:=c$. If $H{T}_{0}\left[\right(m\left\rightcom\left)\right]$ has been already set, set flag $ba{d}_{8}$ and the simulation fails with output $(0,\perp )$.  8.
Send out $co{m}_{n}$. Upon receiving $co{m}_{i}$: if ${H}_{3}\left(co{m}_{i}\right)\ne {h}_{i}$: send out ABORT. if the flag $alert$ is set and ${H}_{3}\left(co{m}_{i}\right)={h}_{i}$: set the flag $ba{d}_{9}$ and the simulation fails with output $(0,\perp )$.
 9.
Otherwise, send out RESTART and go to step 1.

2: Otherwise, proceed as follows:
 1.
$c\leftarrow C$.  2.
${\mathbf{z}}_{1}^{n}\leftarrow {S}_{\gamma \beta 1}^{k}$ and ${\mathbf{z}}_{2}^{n}\leftarrow {S}_{\gamma \beta 1}^{k}$.  3.
${\mathbf{w}}_{n}:={\mathbf{Az}}_{1}^{n}+{\mathbf{z}}_{2}^{n}c{\mathbf{t}}_{n}$.  4.
$co{m}_{n}\leftarrow HomH\left({\mathbf{w}}_{n}\right)$, send out ${h}_{n}\leftarrow {H}_{3}\left(co{m}_{n}\right)$.  5.
Upon receiving ${h}_{i}$, search for $(co{m}_{i},alert,ba{d}_{7})\leftarrow \mathrm{searchHash}(H{T}_{3},{h}_{i})$.  6.
If the flag $ba{d}_{7}$ is set, then simulation fails with output $(0,\perp )$. If the flag $alert$ is set, then continue.  7.
$com:=co{m}_{n}+co{m}_{i}$.  8.
Program random oracle ${H}_{0}$ to respond queries $\left(m\right\leftcom\right)$ with c. Set $H{T}_{0}\left[\right(m\left\rightcom\left)\right]:=c$. If $H{T}_{0}\left[\right(m\left\rightcom\left)\right]$ has been already set, set flag $ba{d}_{8}$ and the simulation fails with output $(0,\perp )$.  9.
Send out $co{m}_{n}$. Upon receiving $co{m}_{i}$: if ${H}_{3}\left(co{m}_{i}\right)\ne {h}_{i}$: send out ABORT. if the flag $alert$ is set and ${H}_{3}\left(co{m}_{i}\right)={h}_{i}$: set the flag $ba{d}_{9}$ and the simulation fails with output $(0,\perp )$.
 10.
Otherwise, send out $({\mathbf{z}}_{1}^{n},{\mathbf{z}}_{2}^{n})$. Upon receiving RESTART, go to step 1.  11.
Upon receiving $({\mathbf{z}}_{1}^{i},{\mathbf{z}}_{2}^{i})$, reconstruct ${\mathbf{w}}_{i}:={\mathbf{Az}}_{1}^{i}+{\mathbf{z}}_{2}^{i}c{\mathbf{t}}_{i}$ and check that $HomH\left({\mathbf{w}}_{i}\right)=co{m}_{i}$, if not: send out ABORT.  12.
Otherwise, set ${\mathbf{z}}_{1}:={\mathbf{z}}_{1}^{n}+{\mathbf{z}}_{1}^{i}$, ${\mathbf{z}}_{2}:={\mathbf{z}}_{2}^{n}+{\mathbf{z}}_{2}^{i}$ and output composed signature $\sigma :=({\mathbf{z}}_{1},{\mathbf{z}}_{2},c)$.

Appendix A.5. Game 4
Now, the signing process does not rely on the actual secret key share of the honest party ${P}_{n}$. In the next games, the key generation process is changed so that it does not use secret keys as well. In this game, the simulator is given a predefined uniformly random matrix $\mathbf{A}\leftarrow {R}_{q}^{k\times k}$, and the simulator defines its own matrix share out of it. By definition, the algorithm $\mathcal{B}$ (Algorithm A1) receives a pregenerated public key $pk$ as the input. Therefore, the simulator in Game 4 is given a predefined matrix $\mathbf{A}$, and in the later games, the simulator is changed so that it receives the entire public key and uses it to compute its shares ${\mathbf{A}}_{n},{\mathbf{t}}_{n}$. The simulator for the key generation process in Game 4 is described in Algorithm A8.
Algorithm A8$Si{m}_{KeyGen}(par,$$\mathbf{A}$). 
1: Send out $h{k}_{n}\leftarrow {\{0,1\}}^{{l}_{1}}$ 
2: Upon receiving $h{k}_{i}$:

search for $({\mathbf{A}}_{i},alert,ba{d}_{1})\leftarrow \mathrm{searchHash}(H{T}_{1},h{k}_{i})$. if the flag $ba{d}_{1}$ is set, then simulation fails with output $(0,\perp )$. if the flag $alert$ is set, then sample ${\mathbf{A}}_{n}\leftarrow {R}_{q}^{k\times k}$. Otherwise, define ${\mathbf{A}}_{n}:=\mathbf{A}{\mathbf{A}}_{i}$.

3: Program random oracle ${H}_{1}$ to respond queries ${\mathbf{A}}_{n}$ with $h{k}_{n}$. Set $H{T}_{1}\left[{\mathbf{A}}_{n}\right]:=h{k}_{n}$. If $H{T}_{1}\left[{\mathbf{A}}_{n}\right]$ has been already set, then set the flag $ba{d}_{2}$ and the simulation fails with output $(0,\perp )$. 
4: Send out ${\mathbf{A}}_{n}$. Upon receiving ${\mathbf{A}}_{i}$:
if ${H}_{1}\left({\mathbf{A}}_{i}\right)\ne h{k}_{i}$: send out ABORT. if the flag $alert$ is set and ${H}_{1}\left({\mathbf{A}}_{i}\right)=h{k}_{i}$: set the flag $ba{d}_{3}$ and the simulation fails with output $(0,\perp )$.

5: (${\mathbf{s}}_{1}^{n}$, ${\mathbf{s}}_{2}^{n}$) $\leftarrow {S}_{\eta}^{k}\times {S}_{\eta}^{k}$. 
6: ${\mathbf{t}}_{n}:={\mathbf{As}}_{1}^{n}+{\mathbf{s}}_{2}^{n}$, send out $com{k}_{n}:={H}_{2}\left({\mathbf{t}}_{n}\right)$. 
7: Upon receiving $com{k}_{i}$, send out ${\mathbf{t}}_{n}$. 
8: Upon receiving ${\mathbf{t}}_{i}$, check that ${H}_{2}\left({\mathbf{t}}_{i}\right)=com{k}_{i}$. If not: send out ABORT. 
9: Otherwise, $\mathbf{t}:={\mathbf{t}}_{n}+{\mathbf{t}}_{i}$, $pk:=(\mathbf{A},\mathbf{t})$ and $sk:=(\mathbf{A},{\mathbf{t}}_{i},{\mathbf{s}}_{n},{\mathbf{s}}_{n}^{\prime})$. 
Game 3 → Game 4:
The distribution of public matrix $\mathbf{A}$ does not change between Game 3 and Game 4. The difference between Game 3 and Game 4 can be expressed using $bad$ events that happen with the following probabilities:
Pr[$ba{d}_{1}$] is the probability that at least one collision occurs during at most ${q}_{h}$ queries to the random oracle ${H}_{1}$ made by adversary or simulator. This can happen with probability at most $\frac{{q}_{h}({q}_{h}+1)/2}{{2}^{{l}_{1}+1}}$, where ${l}_{1}$ is the length of ${H}_{1}$ output.
Pr[$ba{d}_{2}$] is the probability that programming random oracle ${H}_{1}$ fails, which happens if ${H}_{1}\left({\mathbf{A}}_{n}\right)$ has been previously asked by adversary during at most ${q}_{h}$ queries to the random oracle ${H}_{1}$. This event corresponds to guessing random ${\mathbf{A}}_{n}$, for each query the probability of this event is bounded by $\frac{1}{{q}^{n\xb7k\xb7k}}$.
Pr[$ba{d}_{3}$] is the probability that adversary predicted at least one of two outputs of the random oracle ${H}_{1}$ without making a query to it. This can happen with probability at most $\frac{2}{{2}^{{l}_{1}}}$.
Therefore, the difference between the two games is
Appendix A.6. Game 5
In Game 5, the simulator picks public key share ${\mathbf{t}}_{n}$ randomly from the ring instead of computing it using secret keys. The simulator for the key generation process in Game 5 is described in Algorithm A9.
Algorithm A9$Si{m}_{KeyGen}(par,\mathbf{A})$. 
1: Send out $h{k}_{n}\leftarrow {\{0,1\}}^{{l}_{1}}$. 
2: Upon receiving $h{k}_{i}$:
search for $({\mathbf{A}}_{i},alert,ba{d}_{1})\leftarrow \mathrm{searchHash}(H{T}_{1},h{k}_{i})$. if the flag $ba{d}_{1}$ is set, then simulation fails with output $(0,\perp )$. if the flag $alert$ is set, then sample ${\mathbf{A}}_{n}\leftarrow {R}_{q}^{k\times k}$. Otherwise, define ${\mathbf{A}}_{n}:=\mathbf{A}{\mathbf{A}}_{i}$.

3: Program random oracle ${H}_{1}$ to respond queries ${\mathbf{A}}_{n}$ with $h{k}_{n}$. Set $H{T}_{1}\left[{\mathbf{A}}_{n}\right]:=h{k}_{n}$. If $H{T}_{1}\left[{\mathbf{A}}_{n}\right]$ has been already set, then set the flag $ba{d}_{2}$ and the simulation fails with output $(0,\perp )$. 
4: Send out ${\mathbf{A}}_{n}$. Upon receiving ${\mathbf{A}}_{i}$:
if ${H}_{1}\left({\mathbf{A}}_{i}\right)\ne h{k}_{i}$: send out ABORT. if the flag $alert$ is set and ${H}_{1}\left({\mathbf{A}}_{i}\right)=h{k}_{i}$: set the flag $ba{d}_{3}$ and the simulation fails with output $(0,\perp )$.

5: ${\mathbf{t}}_{n}\leftarrow {R}_{q}^{k}$, send out $com{k}_{n}={H}_{2}\left({\mathbf{t}}_{n}\right)$. 
6: Upon receiving $com{k}_{i}$, send out ${\mathbf{t}}_{n}$. 
7: Upon receiving ${\mathbf{t}}_{i}$, check that ${H}_{2}\left({\mathbf{t}}_{i}\right)=com{k}_{i}$. If not: send out ABORT. 
8: Otherwise, $\mathbf{t}:={\mathbf{t}}_{n}+{\mathbf{t}}_{i}$, $pk:=(\mathbf{A},\mathbf{t})$. 
Game 4 → Game 5:
In Game 5, public key share ${\mathbf{t}}_{n}$ is sampled uniformly at random from ${R}_{q}^{k}$ instead of computing it as ${\mathbf{As}}_{1}^{n}+{\mathbf{s}}_{2}^{n}$, where ${\mathbf{s}}_{1}^{n},{\mathbf{s}}_{2}^{n}$ are random elements from ${S}_{\eta}^{k}$. As matrix $\mathbf{A}$ follows the uniform distribution over ${R}_{q}^{k\times k}$, if adversary can distinguish between Game 3 and Game 4, this adversary can be used as a distinguisher that breaks the decisional ModuleLWE problem for parameters $(q,k,k,\eta ,U)$, where U is the uniform distribution.
Therefore, the difference between two games is bounded by the advantage of adversary in breaking decisional ModuleLWE:
Appendix A.7. Game 6
In Game 6, the simulator uses as input a random resulting public key $\mathbf{t}\in {R}_{q}^{k}$ to compute its own share ${\mathbf{t}}_{n}$. The simulator for the key generation process in Game 6 is described in Algorithm A10.
Game 5 → Game 6:
The distributions of $\mathbf{t},{\mathbf{t}}_{n}$ do not change with respect to Game 5. The difference between Game 5 and Game 6 can be expressed using $bad$ events that happen with the following probabilities:
Pr[$ba{d}_{4}$] is the probability that at least one collision occurs during at most ${q}_{h}$ queries to the random oracle ${H}_{2}$ made by adversary or simulator. This can happen with probability at most $\frac{{q}_{h}({q}_{h}+1)/2}{{2}^{{l}_{2}+1}}$, where ${l}_{2}$ is the length of ${H}_{2}$ output.
Pr[$ba{d}_{5}$] is the probability that programming random oracle ${H}_{2}$ fails, which happens if ${H}_{2}\left({\mathbf{t}}_{n}\right)$ was previously asked by adversary during at most ${q}_{h}$ queries to the random oracle ${H}_{2}$. This event corresponds to guessing a uniformly random ${\mathbf{t}}_{n}\in {R}_{q}^{k}$, for each query the probability of this event is bounded by $\frac{1}{{q}^{n\xb7k}}$.
Pr[$ba{d}_{6}$] is the probability that adversary predicted at least one of two outputs of the random oracle ${H}_{2}$ without making a query to it. This can happen with probability at most $\frac{2}{{2}^{{l}_{2}}}$.
Therefore, the difference between the two games is
Algorithm A10$Si{m}_{KeyGen}(par,\mathbf{A},\mathbf{t})$. 
1: Send out $h{k}_{n}\leftarrow {\{0,1\}}^{{l}_{1}}$. 
2: Upon receiving $h{k}_{i}$:
search for $({\mathbf{A}}_{i},alert,ba{d}_{1})\leftarrow \mathrm{searchHash}(H{T}_{1},h{k}_{i})$. if the flag $ba{d}_{1}$ is set, then simulation fails with output $(0,\perp )$. if the flag $alert$ is set, then sample ${\mathbf{A}}_{n}\leftarrow {R}_{q}^{k\times k}$. Otherwise, define ${\mathbf{A}}_{n}:=\mathbf{A}{\mathbf{A}}_{i}$.

3: Program random oracle ${H}_{1}$ to respond queries ${\mathbf{A}}_{n}$ with $h{k}_{n}$. Set $H{T}_{1}\left[{\mathbf{A}}_{n}\right]:=h{k}_{n}$. If $H{T}_{1}\left[{\mathbf{A}}_{n}\right]$ has been already set, then set the flag $ba{d}_{2}$ and the simulation fails with output $(0,\perp )$. 
4: Send out ${\mathbf{A}}_{n}$. Upon receiving ${\mathbf{A}}_{i}$:
if ${H}_{1}\left({\mathbf{A}}_{i}\right)\ne h{k}_{i}$: send out ABORT. if the flag $alert$ is set and ${H}_{1}\left({\mathbf{A}}_{i}\right)=h{k}_{i}$: set the flag $ba{d}_{3}$ and the simulation fails with output $(0,\perp )$.

5: Send out $com{k}_{n}\leftarrow {\{0,1\}}^{{l}_{2}}$. 
6: Upon receiving $com{k}_{i}$, search for $({\mathbf{t}}_{i},alert,ba{d}_{4})\leftarrow \mathrm{searchHash}(H{T}_{2},com{k}_{i})$. 
7: If the flag $ba{d}_{4}$ is set, then simulation fails with output $(0,\perp )$. 
8: Compute public key share:
If the flag $alert$ is set, ${\mathbf{t}}_{n}\leftarrow {R}_{q}^{k}$. Otherwise, ${\mathbf{t}}_{n}:=\mathbf{t}{\mathbf{t}}_{i}$.

9: Program random oracle ${H}_{2}$ to respond queries ${\mathbf{t}}_{n}$ with $com{k}_{n}$. Set $H{T}_{2}\left[{\mathbf{t}}_{n}\right]:=com{k}_{n}$. If $H{T}_{2}\left[{\mathbf{t}}_{n}\right]$ has been already set, set flag $ba{d}_{5}$ and the simulation fails with output $(0,\perp )$.

10: Send out ${\mathbf{t}}_{n}$. Upon receiving ${\mathbf{t}}_{i}$:
if ${H}_{2}\left({t}_{i}\right)\ne com{k}_{i}$: send out ABORT. if the flag $alert$ is set and ${H}_{2}\left({\mathbf{t}}_{i}\right)=com{k}_{i}$: set the flag $ba{d}_{6}$ and simulation fails with output $(0,\perp )$.

11: Otherwise, $\mathbf{t}:={\mathbf{t}}_{n}+{\mathbf{t}}_{i}$, $pk:=(\mathbf{A},\mathbf{t})$.

Appendix A.8. Forking Lemma
Now, both key generation and signing do not rely on the actual secret key share of the honest party ${P}_{n}$. In order to conclude the proof, it is needed to invoke forking lemma to receive two valid forgeries that are constructed using the same commitment $com=co{m}^{\prime}$ but different challenges $c\ne {c}^{\prime}$.
Currently, the combined public key consists of matrix $\mathbf{A}$ uniformly distributed in ${R}_{q}^{k\times k}$ and vector $\mathbf{t}$ uniformly distributed in ${R}_{q}^{k}$. We want to replace it with ModuleSIS instance $\left. [\begin{array}{c}{\mathbf{A}}^{\prime}\mathbf{I}\end{array}\right]$, where ${\mathbf{A}}^{\prime}\in {R}_{q}^{k\times (k+1)}$. The view of adversary will not be changed if we set ${\mathbf{A}}^{\prime}=\left. [\begin{array}{c}\mathbf{A}\mathbf{t}\end{array}\right]$.
Let us define an input generation algorithm $\mathcal{IG}$ such that it produces the following input: $(\mathbf{A},\mathbf{t})$ for the ${\mathcal{F}}_{B}$. Now, let us construct ${\mathcal{B}}^{\prime}$ around the previously defined simulator $\mathcal{B}$. ${\mathcal{B}}^{\prime}$ invokes the forking algorithm ${\mathcal{F}}_{B}$ on the input $(\mathbf{A},\mathbf{t})$.
As a result, with probability $frk$ two valid forgeries $out=(com,c,{\mathbf{z}}_{1},{\mathbf{z}}_{2},m)$ and $ou{t}^{\prime}=(co{m}^{\prime},{c}^{\prime},{\mathbf{z}}_{1}^{\prime},{\mathbf{z}}_{2}^{\prime},{m}^{\prime})$ are obtained. Here, by the construction of ${\mathcal{F}}_{B}$, it holds that $c\ne {c}^{\prime}$, $com=co{m}^{\prime},m={m}^{\prime}$. The probability $frk$ satisfiesollowing:
Since both signatures are valid, it holds that
Let us examine the following cases:
Case 1 : ${\mathbf{Az}}_{1}+{\mathbf{z}}_{2}c\mathbf{t}\ne {\mathbf{Az}}_{1}^{\prime}+{\mathbf{z}}_{2}^{\prime}{c}^{\prime}\mathbf{t}$, and
${\mathcal{B}}^{\prime}$ is able to break the collision resistance of the hash function (that is hard under the worstcase difficulty of finding short vectors in cyclic/ideal lattices), as was proven in [
35,
36].
Case 2 : ${\mathbf{Az}}_{1}+{\mathbf{z}}_{2}c\mathbf{t}={\mathbf{Az}}_{1}^{\prime}+{\mathbf{z}}_{2}^{\prime}{c}^{\prime}\mathbf{t}$. It can be rearranged as ${\mathbf{Az}}_{1}{\mathbf{Az}}_{1}^{\prime}+{\mathbf{z}}_{2}{\mathbf{z}}_{2}c\mathbf{t}+{c}^{\prime}\mathbf{t}=\mathbf{0}$, and this, in turn, leads to
Now, recall that $\left. [\begin{array}{c}\mathbf{A}\left\mathbf{I}\right\mathbf{t}\end{array}\right]$ is an instance of ModuleSIS problem; this means that we found a solution for ModuleSIS with parameters $(q,k,k+1,\xi )$, where $\xi \le 2({\gamma}_{2}{\beta}_{2})$.
Therefore, the probability $frk$ is the following:
Finally, taking into account that the underlying identification scheme has perfect naHVZK (i.e.,
${\u03f5}_{ZK}=0$), the advantage of the adversary is bounded by the following:
☐