A Lattice-Based Provably Secure Multisignature Scheme in Quantum Random Oracle Model

Fukumitsu, Masayuki; Hasegawa, Shingo

doi:10.1007/978-3-030-62576-4_3

“…Our MS 2 and DS 3 have different pros and cons compared with their construction. First, although both MS 2 and [FH20] are proven secure in the plain public-key model, our scheme requires only two rounds of interaction while theirs is a threeround protocol that closely follows the existing paradigm of [BN06]. Due to the "abort" issue we raised earlier, their security proof required an additional hardness assumption rejected Module-LWE (rMLWE).…”

Section: Comparison With Fukumitsu and Hasegawa [Fh20]mentioning

confidence: 99%

Two-Round n-out-of-n and Multi-Signatures and Trapdoor Commitment from Lattices

Damgård

¹

,

Orlandi

²

,

Takahashi

³

et al. 2022

View full text Add to dashboard Cite

Although they have been studied for a long time, distributed signature protocols have garnered renewed interest in recent years in view of novel applications to topics like blockchains. Most recent works have focused on distributed versions of ECDSA or variants of Schnorr signatures, however, and in particular, little attention has been given to constructions based on post-quantum secure assumptions like the hardness of lattice problems. A few lattice-based threshold signature and multi-signature schemes have been proposed in the literature, but they either rely on hash-and-sign lattice signatures (which tend to be comparatively inefficient), use expensive generic transformations, or only come with incomplete security proofs.In this paper, we construct several lattice-based distributed signing protocols with low round complexity following the Fiat-Shamir with Aborts (FSwA) paradigm of Lyubashevsky (Asiacrypt 2009). Our protocols can be seen as distributed variants of the fast Dilithium-G signature scheme and the full security proof can be made assuming the hardness of module SIS and LWE problems. A key step to achieving security (unexplained in some earlier papers) is to prevent the leakage that can occur when parties abort after their first message-which can inevitably happen in the Fiat-Shamir with Aborts setting. We manage to do so using homomorphic commitments.Exploiting the similarities between FSwA and Schnorr-style signatures, our approach makes the most of observations from recent advancements in the discrete log setting, such as Drijvers et al.'s seminal work on two-round multi-signatures (S&P 2019). In particular, we observe that the use of commitment not only resolves the subtle issue with aborts, but also makes it possible to realize secure two-round n-out-of-n distributed signing and multi-signature in the plain public key model, by equipping the commitment with a trapdoor feature. The construction of suitable trapdoor commitment from lattices is a side contribution of this paper.

show abstract

“…Due to the interest aroused by the PQC competition, several works were proposed that introduce lattice-based threshold signatures and lattice-based multisignatures. The works [21][22][23][24][25][26] focused on creating multisignatures that followed the FSwA paradigm. These schemes use rejection sampling, due to which the signing process is repeated until a valid signature is created.…”

Section: Related Workmentioning

confidence: 99%

“…In multisignatures [21][22][23][24][25], intermediate values are published before the rejection sampling is completed, which leads to incomplete security proofs in these works [16]. The work by M. Fukumitsu and S. Hasegawa [26] solves the problem with aborted executions of the protocol by introducing a non-standard hardness assumption (rejected Module-LWE).…”

Section: Related Workmentioning

confidence: 99%

“…We also provide a more detailed comparison with [16], due to the fact both works are based on variants of Crystals-Dilithium and have a similar structure. We leave out the comparison with publications [21][22][23][24][25][26] as these discuss multisignatures instead of threshold. The threshold signature schemes from [16] are based on Dilithium-G, which is a version of Crystals-Dilithium that uses sampling from a discrete Gaussian distribution for the generation of secret vectors.…”

Section: Comparison To Prior Workmentioning

confidence: 99%

“…Due to the structure of our scheme, we use a non-standard security assumption that was introduced in [26]. In future work, we aim to modify security proof such that it will no longer be needed to rely on rejected Module-LWE.…”

Section: Comparison To Prior Workmentioning

confidence: 99%

See 2 more Smart Citations

DiLizium: A Two-Party Lattice-Based Signature Scheme

Vakarjuk

¹

,

Snetkov

²

,

Willemson

³

2021

Entropy

View full text Add to dashboard Cite

In this paper, we propose DiLizium: a new lattice-based two-party signature scheme. Our scheme is constructed from a variant of the Crystals-Dilithium post-quantum signature scheme. This allows for more efficient two-party implementation compared with the original but still derives its post-quantum security directly from the Module Learning With Errors and Module Short Integer Solution problems. We discuss our design rationale, describe the protocol in full detail, and provide performance estimates and a comparison with previous schemes. We also provide a security proof for the two-party signature computation protocol against a classical adversary. Extending this proof to a quantum adversary is subject to future studies. However, our scheme is secure against a quantum attacker who has access to just the public key and not the two-party signature creation protocol.

show abstract

Two-Round n-out-of-n and Multi-signatures and Trapdoor Commitment from Lattices

Damgård

¹

,

Orlandi

²

,

Takahashi

³

et al. 2021

Lecture Notes in Computer Science

View full text Add to dashboard Cite

Although they have been studied for a long time, distributed signature protocols have garnered renewed interest in recent years in view of novel applications to topics like blockchains. Most recent works have focused on distributed versions of ECDSA or variants of Schnorr signatures, however, and in particular, little attention has been given to constructions based on post-quantum secure assumptions like the hardness of lattice problems. A few lattice-based threshold signature and multi-signature schemes have been proposed in the literature, but they either rely on hash-and-sign lattice signatures (which tend to be comparatively inefficient), use expensive generic transformations, or only come with incomplete security proofs.In this paper, we construct several lattice-based distributed signing protocols with low round complexity following the Fiat-Shamir with Aborts (FSwA) paradigm of Lyubashevsky (Asiacrypt 2009). Our protocols can be seen as distributed variants of the fast Dilithium-G signature scheme and the full security proof can be made assuming the hardness of module SIS and LWE problems. A key step to achieving security (unexplained in some earlier papers) is to prevent the leakage that can occur when parties abort after their first message-which can inevitably happen in the Fiat-Shamir with Aborts setting. We manage to do so using homomorphic commitments.Exploiting the similarities between FSwA and Schnorr-style signatures, our approach makes the most of observations from recent advancements in the discrete log setting, such as Drijvers et al.'s seminal work on two-round multi-signatures (S&P 2019). In particular, we observe that the use of commitment not only resolves the subtle issue with aborts, but also makes it possible to realize secure two-round n-out-of-n distributed signing and multi-signature in the plain public key model, by equipping the commitment with a trapdoor feature. The construction of suitable trapdoor commitment from lattices is a side contribution of this paper.

show abstract

A Lattice-Based Provably Secure Multisignature Scheme in Quantum Random Oracle Model

Cited by 21 publications

References 22 publications

Two-Round n-out-of-n and Multi-Signatures and Trapdoor Commitment from Lattices

Two-Round n-out-of-n and Multi-Signatures and Trapdoor Commitment from Lattices

DiLizium: A Two-Party Lattice-Based Signature Scheme

Two-Round n-out-of-n and Multi-signatures and Trapdoor Commitment from Lattices

Contact Info

Product

Resources

About