Post-quantum Two-party Adaptor Signature Based on Coding Theory

Abstract: An adaptor signature can be viewed as a signature concealed with a secret value and, by design, any two of the trio yield the other. In a multiparty setting, an initial adaptor signature allows each party to create additional adaptor signatures without the original secret. Adaptor signatures help address scalability and interoperability issues in blockchains. They can also bring some important advantages to cryptocurrencies, such as low on-chain cost, improved transaction fungibility, and fewer limitations of a blockchain's scripting language. In this paper, we propose a new two-party adaptor signature scheme that relies on quantum-safe hard problems in coding theory. The proposed scheme uses a hash-and-sign code-based signature scheme introduced by Debris-Alazard et al. and a code-based hard relation defined from the well-known syndrome decoding problem. To achieve all the basic properties of adaptor signatures formalized by Aumayr et al., we introduce further modifications to the aforementioned signature scheme. We also give a security analysis of our scheme and its application to the atomic swap. After providing a set of parameters for our scheme, we show that it has the smallest pre-signature size compared to existing post-quantum adaptor signatures.


Introduction
In cryptocurrencies and other blockchain applications, transactions are validated by miners using decentralized consensus protocols. A transaction is akin to an application formed by scripts. The scripting language of a blockchain allows the encoding of potential functionalities and rules that make a transaction valid. Therefore, the fee for a transaction corresponds to the storage and computational cost of executing the transaction's script by a miner. The fee can sometimes be excessively high for cryptocurrencies whose scripting language enables more complex transaction logic. In addition to the high fee issue, the public verifiability of transactions and the permissionless nature of consensus protocols pose further challenges with regard to scalability, privacy and transaction throughput.

The main approach to addressing the aforementioned issues is to reduce the size of on-chain transactions by handing off some transactions to off-chain channels. The goal is to use as few scripts as possible for on-chain transactions. To this end, Poelstra [1] introduced a technique called scriptless script that enables us to create smart contracts without a script. The technique was later formalized as an adaptor signature by Fournier [2]. Recently, Aumayr et al. [3] have presented a full formalization of the adaptor signature as a cryptographic primitive.

An adaptor signature is a two-step signing algorithm bound to a secret. It is defined

A linear code can also be defined as the right kernel of a matrix $H$, called a parity-check matrix of $\mathcal{C}$: $\mathcal{C} = \{x \in \mathbb{F}_q^n \text{ s.t. } xH^T = 0\}$. The Hamming distance between two codewords is the number of positions (coordinates) where they differ. The minimal distance of a code is the minimal distance between any two of its distinct codewords.

The weight of a word/vector $x \in \mathbb{F}_q^n$, denoted by $\mathrm{wt}(x)$, is the number of its non-zero positions. Then the minimal weight of a code $\mathcal{C}$ is the minimal weight of all its non-zero codewords. In the case of a linear code $\mathcal{C}$, its minimal distance is equal to the minimal weight of the code. In this paper, the set of vectors of length $n$ and weight $\omega$ is denoted by $\mathcal{S}_{q,n,\omega} = \{x \in \mathbb{F}_q^n \text{ s.t. } \mathrm{wt}(x) = \omega\}$.

In this subsection, we recall some NP-complete problems in coding theory.

Problem 1 (Syndrome Decoding, SD).
Input: A matrix $H \in \mathbb{F}_2^{r \times n}$, a vector $s \in \mathbb{F}_2^r$, and an integer $\omega > 0$.

Output: A vector $y \in \mathbb{F}_2^n$ such that $\mathrm{wt}(y) \le \omega$ and $s = yH^T$.

The SD problem was proved to be NP-complete in 1978 by McEliece and van Tilborg [12]. Some of its instances can be solved in polynomial time, depending on the input. In particular, when the parameter $\omega$ is in the interval $(r/2,\ n - r/2)$, solving it becomes easy: first determine a pseudo-inverse $H^{-1}$ of the matrix $H$ and then compute the product $sH^{-1}$, which is a valid solution with high probability. However, when the value of the parameter $\omega$ is not in $(r/2,\ n - r/2)$ and a single solution exists, finding it is much harder. For a non-binary finite field $\mathbb{F}_q$, the corresponding interval is given by $\left(\frac{(q-1)r}{q},\ n - \frac{r}{q}\right)$ [11]. We now give the following definition.

Definition 1. Let $n$, $k$, and $\omega$ be non-zero integers. Let $H \in \mathbb{F}_q^{r \times n}$ be a matrix where $r = n - k$. Let $e \in \mathcal{S}_{q,n,\omega}$ be an error vector such that $s = eH^T$. We say that an instance of the syndrome decoding problem is -hard if for every probabilistic polynomial time (PPT) algorithm $\mathcal{A}$ with input $(H, s)$ we have:

The syndrome decoding problem is equivalent to the following problem.

Problem 2.
Input: A matrix $G \in \mathbb{F}_q^{k \times n}$, a vector $y \in \mathbb{F}_q^n$, and an integer $\omega > 0$.

Output: Two vectors $m \in \mathbb{F}_q^k$ and $e \in \mathbb{F}_q^n$ such that $\mathrm{wt}(e) = \omega$ and $y = mG + e$.

Problem 3.
Input: A matrix $H \in \mathbb{F}_q^{r \times n}$.

Output: Decide whether $H$ is a parity-check matrix of a generalized $(U, U+V)$ code.

Problem 3 is one of the problems on which the security assumption of our adaptor signature scheme relies. It is hard in the worst case; for more information about its hardness or NP-completeness, we refer the reader to [11,13].

The following problem is used in the security proof of the underlying signature scheme that we use in this paper. It was first considered by Johansson and Jonsson in [14] and was analysed later by Sendrier in [15].

The language associated to the relation $R$ is the set denoted by $L_R$ and defined by:

The first secure code-based signature is due to Courtois et al. (CFS) [16]. It uses two security assumptions: the indistinguishability of random binary linear codes and the hardness of the syndrome decoding problem. This scheme is not considered practical due to the difficulty of finding a random decodable syndrome. It was later modified by Dallot [17] and came to be known as the mCFS (modified Courtois-Finiasz-Sendrier) signature scheme. One of the security assumptions in mCFS is the indistinguishability of random binary Goppa codes, which led to the emergence of an attack [18]. Currently, the latest code-based signature scheme of this type is due to Debris-Alazard et al. [11]. The Wave scheme is given in Figure 1.

Common parameters: Length $n$, dimension $k_U$ (resp. $k_V$) of $U$ (resp. $V$), error vector weight $\omega$, a cryptographic hash function $\mathcal{H} : \{0,1\}^* \to \mathbb{F}_3^{n-k}$, where $k = k_U + k_V$.
Secret Key: $sk := (S, H_{sk}, P)$ where $S \in \mathbb{F}_q^{(n-k) \times (n-k)}$ is an invertible matrix, $H_{sk} \in \mathbb{F}_q^{(n-k) \times n}$ is a parity-check matrix of a random generalized $(U, U+V)$ code over $\mathbb{F}_3$ of length $n$ and dimension $k = k_U + k_V$, and $P \in \mathbb{F}_2^{n \times n}$ is a permutation matrix.
Public Key: $pk := H_{pk}$ where $H_{pk} = SH_{sk}P$.
Verif (last steps):
3. If $s \ne \tilde{e}H_{pk}^T$ or $\mathrm{wt}(\tilde{e}) \ne \omega$: Return 0.
4. Return 1.
Figure 1. Wave signature scheme [11]

2.5. Adaptor signature scheme

In this subsection we recall the formal definition of an adaptor signature followed by its basic security properties.

• PreVerif$(pk, m, Y, \tilde{\sigma})$ is a DPT algorithm that takes as input a public key $pk$, a message $m$, a statement $Y$, and a pre-signature $\tilde{\sigma}$, and produces 0 or 1 as output.

• Adapt$(\tilde{\sigma}, x)$ is a DPT algorithm that takes as input a pre-signature $\tilde{\sigma}$ and a witness $x$ and outputs a valid signature $\sigma$.

• Ext$(\sigma, \tilde{\sigma}, Y)$ is a DPT algorithm that, on input a signature $\sigma$, a pre-signature $\tilde{\sigma}$ and a statement $Y \in L_R$, outputs a witness $x$ such that $(Y, x) \in R$, or the symbol $\bot$.

Note that adaptor signature schemes inherit the key generation, signature and verification algorithms of the underlying signature scheme, and hence acquire the correctness of the standard digital signature scheme. An adaptor signature scheme, however, has to verify some supplementary properties given by the following definitions.

Definition (Pre-signature correctness). An adaptor signature $\Pi_{R,\Xi}$ satisfies pre-signature correctness if for every $\lambda \in \mathbb{N}$, every message $m \in \{0,1\}^*$ and every statement/witness pair $(Y, x) \in R$, the following holds:

More precisely, pre-signature correctness states that a valid pre-signature $\tilde{\sigma}$, which is honestly generated w.r.t. a statement $Y \in L_{R_{H_{pk}}}$, could be adapted into a valid

Definition (Pre-signature adaptability). An adaptor signature $\Pi_{R,\Xi}$ satisfies pre-signature adaptability if for any $\lambda \in \mathbb{N}$, any message $m \in \{0,1\}^*$, any statement/witness pair $(Y, x) \in R$, any key pair $(sk, pk) \leftarrow \mathrm{Gen}(1^\lambda)$ and any pre-signature $\tilde{\sigma}$ with PreVerif$(pk, m, Y, \tilde{\sigma}) = 1$, we have:

Pre-signature adaptability states that every valid pre-signature w.r.t. a statement $Y \in L_R$ can be adapted into a valid signature using a witness $x$ such that $(Y, x) \in R$.

Definition (aEUF-CMA security). An adaptor signature scheme $\Pi_{R,\Xi}$ is aEUF-CMA secure if for every PPT adversary $\mathcal{A}$ there exists a negligible function such that:

where $\mathrm{aSigForge}_{\mathcal{A},\Pi_{R,\Xi}}$ is the experiment given below in Figure 2.

Figure 2. The aSigForge experiment (pre-signing oracle: Return $\tilde{\sigma}$).

The witness extractability experiment and criteria for an adaptor signature are given by the following definitions. There exists a negligible function such that:

where $\mathrm{aWitExt}_{\mathcal{A},\Pi_{R,\Xi}}$ is the experiment in Figure 3. The main difference between the witness extractability and the aEUF-CMA experiment is that in the first one the adversary is allowed to choose a forgery statement $Y$. Assuming that the adversary knows a witness for $Y$, it can therefore generate a valid signature for the forgery message $m$. Then, it wins when the valid signature does not reveal a witness for $Y$.

The following is the definition of a secure adaptor signature.

In this section, we present our code-based adaptor signature scheme $\Pi_{R_{H_{pk}},\mathrm{Wave}}$.

Its security relies on the hardness of the syndrome decoding problem.

Let $\mathcal{C}$ be a random $q$-ary linear code of length $n$, dimension $k$, with parity-check matrix $H_{pk}$ and error correction capability $t$. Let $x \in \mathcal{S}_{q,n,t}$ and $Y \in \mathbb{F}_q^{n-k}$. Let the relation $R_{H_{pk}}$ be defined by:

$R_{H_{pk}} = \{(Y, x) \in \mathbb{F}_q^{n-k} \times \mathbb{F}_q^n \text{ s.t. } Y = xH_{pk}^T \text{ and } \mathrm{wt}(x) = t\}$

We denote the language associated to the relation $R_{H_{pk}}$ by $L_{R_{H_{pk}}}$, which is defined

For signing a message $m$ in Wave, the sender chooses a random vector $r \in \mathbb{F}_2^{2\lambda}$, computes $s = \mathcal{H}_0(m \| r)$ and decodes $s$ using its secret key to find the error vector $e$ of weight $\omega$ such that $s = eH^T$. Therefore, the signature corresponding to the message $m$ is given by the pair $\sigma = (eP, r)$.

In our scheme, we use the ternary finite field $\mathbb{F}_3$. We also use two different hash functions $\mathcal{H}_0 : \{0,1\}^* \to \mathbb{F}_3^{n-k}$ and $\mathcal{H}_1 : \{0,1\}^* \to \mathcal{S}_{3,n,\delta}$ for a well-chosen value of the integer $\delta$. In the PreSign algorithm of our adaptor signature, we first randomly choose $r$ in $\mathbb{F}_2^{2\lambda}$. Then, for a given $(Y, x) \in R_{H_{pk}}$, we compute $s = \mathcal{H}_0(m \| Y - \mathcal{H}_1(r)H_{pk}^T) \in \mathbb{F}_3^{n-k}$ instead of $s = \mathcal{H}_0(m \| r)$. The PreVerif algorithm of our scheme is similar to the verification algorithm Verif of Wave. Indeed, the receiver has to check that the following equality holds.

Compared to Wave, the signature of a message $m$ in our scheme is a pair $\sigma = (e, r')$ with $eH_{pk}^T = \mathcal{H}_0(m \| r'H_{pk}^T)$ and $r' \in \mathbb{F}_2^n$, instead of $eH_{pk}^T = \mathcal{H}_0(m \| r)$ and $r \in \mathbb{F}_2^{2\lambda}$.

The Adapt algorithm in our scheme takes as input a tuple $((\tilde{e}, r), x)$ and outputs

Common parameters: Length $n$, dimension $k_U$ (resp. $k_V$) of $U$ (resp. $V$), error vector weight $\omega$, witness weight $t$ and an integer $\delta$ such that $0 < |\delta - t|$ and $\delta + t < 2(n-k)$.
Secret Key: $sk := (S, H_{sk}, P)$, where $H_{sk}$ is a parity-check matrix of a random $(U, U+V)$ code over $\mathbb{F}_3$ of length $n$ and dimension $k = k_U + k_V$, with decoding algorithm $D_{H_{sk}}$.
Public Key: $pk := H_{pk}$ where $H_{pk} = SH_{sk}P$, $S \in \mathbb{F}_3^{(n-k) \times (n-k)}$ is an invertible matrix and $P$ is a permutation matrix of size $n \times n$.
Return $z'$.
Figure 4. The code-based adaptor signature scheme $\Pi_{R_{H_{pk}},\mathrm{Wave}}$

We can therefore verify that

Proposition 2. The code-based adaptor signature $\Pi_{R_{H_{pk}},\mathrm{Wave}}$ described in Figure 4 satisfies pre-signature correctness.

Proof. Using the public key $pk$ (respectively the secret key $sk$), we can compute the syndrome $s := \mathcal{H}_0(m \| Y - \mathcal{H}_1(r)H_{pk}^T)$ (respectively the corresponding error vector $\tilde{e}' := D_{H_{sk}}(s(S^{-1})^T)$). Therefore, the pre-signature of the message $m$ is given by $\tilde{\sigma} := (\tilde{e}, r)$, where $\tilde{e} = \tilde{e}'P$. For the pre-verification, we have to check the following equality:

When $\tilde{e}$ is honestly computed, equality (1) always holds and then PreVerif$(pk, m, Y, \tilde{\sigma}) = 1$.

According to Figure 4, the output of the adaptor algorithm is given by $\sigma = (e, r') = \mathrm{Adapt}(\tilde{\sigma}, x)$, where $r' = x - \mathcal{H}_1(r)$ with $(Y, x) \in R_{H_{pk}}$, and that of the extractor algorithm is given by $\mathcal{H}_1(r) + r' = x - \mathcal{H}_1(r) + \mathcal{H}_1(r) = x$ with $(Y, x) \in R_{H_{pk}}$. Since $\tilde{e}$ is honestly computed, we have

Therefore, in our scheme, $\sigma = (e, r')$ is a valid signature for the message $m$.
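The relation $R_{H_{pk}}$ of Subsection 3.1, the modified syndrome target of PreSign, and the Adapt/Ext arithmetic above can be checked concretely with a few lines of ternary linear algebra. The following block is an added example written for this page; it is not the paper's implementation or the Wave source code. It assumes toy sizes, a random ternary matrix in place of a $(U, U+V)$ parity-check matrix $H_{pk}$, SHAKE-256/SHA-256 based stand-ins for $\mathcal{H}_0$ and $\mathcal{H}_1$ (the paper fixes only their ranges), and no decoder $D_{H_{sk}}$, so the pre-signature's error vector is a placeholder. What it does verify is (i) that a generated $(Y, x)$ lies in $R_{H_{pk}}$, (ii) that Ext applied to an adapted signature returns $x$ (the property the atomic swap of Section 5 relies on), (iii) the identity $Y - \mathcal{H}_1(r)H_{pk}^T = r'H_{pk}^T$ that makes the PreVerif and Verif syndromes coincide, and (iv) that the witness weight $t$ avoids the easy interval of the syndrome decoding problem recalled in Section 2.

```python
"""Added example (not the paper's code): R_{H_pk}, Adapt/Ext and the syndrome
identity behind pre-signature correctness, over F_3 with toy parameters.
No decoder D_{H_sk} is implemented; only the verification equations are checked."""
import hashlib
import random

Q = 3  # the scheme works over the ternary field F_3


def matvec_T(x, H):
    """x * H^T over F_Q; H is an (n-k) x n matrix given as a list of rows."""
    return [sum(xi * hi for xi, hi in zip(x, row)) % Q for row in H]


def weight(x):
    """Hamming weight wt(x): number of non-zero coordinates."""
    return sum(1 for v in x if v % Q != 0)


def vec_add(a, b):
    return [(u + v) % Q for u, v in zip(a, b)]


def vec_sub(a, b):
    return [(u - v) % Q for u, v in zip(a, b)]


def random_weight_vector(n, w, rng):
    """Element of S_{Q,n,w}: exactly w coordinates drawn from {1, 2}."""
    x = [0] * n
    for i in rng.sample(range(n), w):
        x[i] = rng.randrange(1, Q)
    return x


def gen_relation(H, t, rng):
    """Statement/witness pair (Y, x) in R_{H_pk}: wt(x) = t and Y = x H_pk^T."""
    x = random_weight_vector(len(H[0]), t, rng)
    return matvec_T(x, H), x


def in_relation(H, Y, x, t):
    return weight(x) == t and matvec_T(x, H) == Y


def h0(data, r):
    """Toy H_0 : {0,1}^* -> F_3^r from SHAKE-256 (construction assumed here)."""
    return [b % Q for b in hashlib.shake_256(data).digest(r)]


def h1(r_bytes, n, delta):
    """Toy H_1 : {0,1}^* -> S_{3,n,delta}: a SHA-256 seed drives the support choice
    (construction assumed here; the paper only fixes the range of H_1)."""
    seed = int.from_bytes(hashlib.sha256(r_bytes).digest(), "big")
    return random_weight_vector(n, delta, random.Random(seed))


def presign_target(H, m, Y, r_bytes, delta):
    """Syndrome the pre-signer must decode: H_0(m || Y - H_1(r) H_pk^T)."""
    n, r = len(H[0]), len(H)
    return h0(m + bytes(vec_sub(Y, matvec_T(h1(r_bytes, n, delta), H))), r)


def adapt(presig, x, n, delta):
    """Adapt((e~, r), x) = (e~, r') with r' = x - H_1(r)."""
    e_tilde, r_bytes = presig
    return e_tilde, vec_sub(x, h1(r_bytes, n, delta))


def extract(sig, presig, n, delta):
    """Ext(sigma, sigma~, Y) = H_1(r) + r', which equals x for an adapted signature."""
    _, r_prime = sig
    _, r_bytes = presig
    return vec_add(h1(r_bytes, n, delta), r_prime)


def verify_target(H, m, sig):
    """Syndrome checked by Verif on the adapted signature: H_0(m || r' H_pk^T)."""
    _, r_prime = sig
    return h0(m + bytes(matvec_T(r_prime, H)), len(H))


def weight_outside_easy_interval(n, k, w, q=Q):
    """Parameter check: SD instances with (q-1)r/q < w < n - r/q are easy (r = n - k)."""
    r = n - k
    return not ((q - 1) * r / q < w < n - r / q)


def demo(seed=1, n=12, k=6, t=2, delta=3):
    """Run the checks on a constructed toy instance and report each result."""
    rng = random.Random(seed)
    H = [[rng.randrange(Q) for _ in range(n)] for _ in range(n - k)]  # toy H_pk
    Y, x = gen_relation(H, t, rng)
    r_bytes = rng.randbytes(8)            # the random r chosen by PreSign
    e_tilde = random_weight_vector(n, t + 1, rng)  # placeholder: no decoder here
    presig = (e_tilde, r_bytes)
    sig = adapt(presig, x, n, delta)
    m = b"Tx_1"
    return {
        "relation_holds": in_relation(H, Y, x, t),
        "extract_recovers_x": extract(sig, presig, n, delta) == x,
        "targets_agree": presign_target(H, m, Y, r_bytes, delta) == verify_target(H, m, sig),
        "t_outside_easy_interval": weight_outside_easy_interval(n, k, t),
    }
```

Because `presign_target` and `verify_target` hash exactly the vectors that PreVerif and Verif recompute, their agreement is the linear-algebra core of Proposition 2: whatever error vector the decoder returns for the PreSign syndrome also satisfies the Verif equation after adaptation, without the signer ever learning more than $Y$.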

For the security analysis of the scheme, below we state the assumptions on which the

Under Assumption 1, the relation $R_{H_{pk}}$ defined in Subsection 3.1 is a hard relation, and under Assumptions 1 and 2 the Wave signature is EUF-CMA secure [11]. Therefore we have the following.

The best way to find such a vector $r$ is to solve the equation $Y = xH_{pk}^T$, i.e., to solve a hard instance of the syndrome decoding problem.

• If $\sigma' \ne \sigma$, we have two cases:

– $e' = e$ and $r' \ne r$: this case implies that $e'H_{pk}^T = \mathcal{H}_0(m^* \| r'H_{pk}^T) = \mathcal{H}_0(m^* \| rH_{pk}^T) = eH_{pk}^T$. It means that either $r'H_{pk}^T = rH_{pk}^T$ or $\mathcal{A}$ is able to find a collision of the hash function $\mathcal{H}_0$. By the collision resistance of $\mathcal{H}_0$, the probability that this case happens is less than

where $\frac{1}{3^{n-k}}$ is the probability of having the equality $r'H_{pk}^T = rH_{pk}^T$ (see [11]).

– $e' \ne e$ and $r' = r$: this last case means that the adversary $\mathcal{A}$ is able to forge a valid signature for the modified version of Wave that we use in our scheme, which is EUF-CMA secure.

Putting it all together, we have

where $\mathrm{Adv}_{\mathrm{Wave}}$ is the advantage of an adversary against Wave in the EUF-CMA game and $\mathrm{Adv}_{SD}$ is the advantage in solving the syndrome decoding problem.

That means that if Ext outputs $x'$, we have $(Y, x') \in R_{H_{pk}}$ with high probability.

Let $\sigma = (e, r)$ be a valid signature computed w.r.t. $\tilde{\sigma}$ by the honest witness owner. Since in the witness extractability game we should have $(Y, x') \notin R_{H_{pk}}$, we have:

Therefore, the rest of the proof corresponds to the second part of the proof of Theorem 1.

Parameter values and signature sizes:

Referring to Figure 4 and [19], we can see that the length of the pre-signature is given by $|\tilde{\sigma}| = k + 2\lambda$ and that of the signature is given by $|\sigma| = k + n$. By using the parameters of the Wave scheme [11,19], we can determine the exact sizes of the pre-signature and the signature as given in Table 1.

Table 1: Parameter setting of our scheme [11]

Using the above-mentioned parameter values, we give in Table 2 a numerical comparison of the pre-signature and signature sizes of our scheme with those of [5,10]. In the table, we see that for these parameter values our scheme has a shorter pre-signature but a slightly larger signature. Specifically, for the parameter values in Table 1, the pre-signature of the scheme described in Figure 4 is more than 16x and 2.8x smaller than those in [10] and [5], respectively. On the other hand, the signature of the proposed scheme is 1.03x and 1.5x larger than those of [5] and [10], respectively.

Post-quantum adaptor signature    Pre-signature                Signature
Paper [10]                        18327 ≤ |σ̃| ≤ 19944          263 ≤ |σ| ≤ 1880
Paper [5]                         |σ̃| = 3210                   |σ| = 2701
Our paper                         |σ̃| = 1143                   |σ| = 2793
Table 2: Comparison of pre-signature and signature sizes (in bytes) using parameters of [11,19]

Software prototype:

We have implemented the proposed scheme in software using the C programming language. For this, we adapted the source code of Banegas et al. [19].

Table 3: Timing results of the proposed code-based adaptor signature

5. An application of code-based adaptor signature

In this section, we provide an example blockchain application, namely the atomic swap, utilizing our adaptor signature. For this, we assume that the underlying blockchain uses the mCFS signature based on coding theory. Indeed, when a user receives an HTLC transaction, it has to submit a cryptographic proof within a specific time-frame; otherwise, the funds are returned to the original sender. Let $(sk_i, pk_i)$ be the key pair of user $u_i$ for $i = 1, 2$. Below, we describe how an atomic swap could be executed using our code-based adaptor signature.

• We start with user $u_1$, who randomly generates $(Y, x) \in R_{H_{pk}}$. The user also generates a transaction $Tx_1$ to spend currency $c$ for user $u_2$.

• User $u_1$ computes the pre-signature $\tilde{\sigma}_1 = \mathrm{PreSign}(sk_1, Tx_1, Y)$ and then sends

• User $u_2$ checks $\tilde{\sigma}_1$ using the pre-verification algorithm PreVerif. If the verification is successful, it generates a transaction $Tx_2$ to spend currency $c$ for user $u_1$.

If the pre-verification fails, it aborts the transaction. When the pre-verification of $\tilde{\sigma}_2$ is successful, user $u_1$ runs the adaptor algorithm Adapt to compute the signature $\sigma_2 = \mathrm{Adapt}(\tilde{\sigma}_2, x)$, publishes $\sigma_2$ on the blockchain and sends it to user $u_2$.

The above procedure is depicted in Figure 5.

In this paper, we have proposed an adaptor signature scheme based on hard problems in coding theory. We use the code-based signature scheme Wave as our underlying signature scheme. In order to equip our scheme with common features and security properties, we have presented some modifications to the Wave signature. We