Two-Round n-out-of-n and Multi-signatures and Trapdoor Commitment from Lattices

Abstract: Although they have been studied for a long time, distributed signature protocols have garnered renewed interest in recent years in view of novel applications to topics like blockchains. Most recent works have focused on distributed versions of ECDSA or variants of Schnorr signatures, however, and in particular, little attention has been given to constructions based on post-quantum secure assumptions like the hardness of lattice problems. A few lattice-based threshold signature and multi-signature schemes have … Show more

“…Although we can improve the polynomial loss factor concerning the Ring-LWE assumption in the security proof, a complete tight reduction is not achieved. This is because we require another cryptographic assumption to address the problem pointed out by [14], and a polynomial loss factor arises on the new cryptographic assumption. In [14], they found that all lattice-based multisignature schemes [1], [12], [13] using the rejection sampling [19], including our earlier version [1], have the common problem.…”

“…This is because we require another cryptographic assumption to address the problem pointed out by [14], and a polynomial loss factor arises on the new cryptographic assumption. In [14], they found that all lattice-based multisignature schemes [1], [12], [13] using the rejection sampling [19], including our earlier version [1], have the common problem. On the lattice-based FS-type signature scheme using the rejection sampling such as [17], [19], the signer restarts the signing protocol when a signature does not pass the verification check.…”

“…To address the issue concerning the Re-Ring-LWE assumption other than the thing above, we are likely to remove this assumption by setting long parameters so that such a rejection happens with a small probability, or by applying the technique [14], [20] to the proposed scheme in a way that such commitments of signatures are masked by a commitment scheme. In both cases, the size efficiency of the resulting multisignature scheme becomes worse than the original.…”

“…There are many lattice-based cryptographic protocols for various cryptographic primitives. For the multisignature, there are few lattice-based instantiations such as [12]- [14]. El Bansarkhani and Sturm [12] proposed the first lattice-based multisignature scheme, whose security is proven in the plain public-key model [4], for a constant number of signers.…”

“…Furthermore, these are based on the computational Diffie-Hellman assumption, namely, they are not quantum-resistant. On the other hand, the known lattice-based constructions [12]- [14] have only a loose security reduction, even [13] and [14] appeared after the earlier version of this paper [1] was published. Thus, to the best of our knowledge, it is an open problem to construct a quantum-resistant multisignature whose security is proven by a tight security reduction.…”

Tighter Reduction for Lattice-Based Multisignature

“…Although we can improve the polynomial loss factor concerning the Ring-LWE assumption in the security proof, a complete tight reduction is not achieved. This is because we require another cryptographic assumption to address the problem pointed out by [14], and a polynomial loss factor arises on the new cryptographic assumption. In [14], they found that all lattice-based multisignature schemes [1], [12], [13] using the rejection sampling [19], including our earlier version [1], have the common problem.…”

“…This is because we require another cryptographic assumption to address the problem pointed out by [14], and a polynomial loss factor arises on the new cryptographic assumption. In [14], they found that all lattice-based multisignature schemes [1], [12], [13] using the rejection sampling [19], including our earlier version [1], have the common problem. On the lattice-based FS-type signature scheme using the rejection sampling such as [17], [19], the signer restarts the signing protocol when a signature does not pass the verification check.…”

“…To address the issue concerning the Re-Ring-LWE assumption other than the thing above, we are likely to remove this assumption by setting long parameters so that such a rejection happens with a small probability, or by applying the technique [14], [20] to the proposed scheme in a way that such commitments of signatures are masked by a commitment scheme. In both cases, the size efficiency of the resulting multisignature scheme becomes worse than the original.…”

“…There are many lattice-based cryptographic protocols for various cryptographic primitives. For the multisignature, there are few lattice-based instantiations such as [12]- [14]. El Bansarkhani and Sturm [12] proposed the first lattice-based multisignature scheme, whose security is proven in the plain public-key model [4], for a constant number of signers.…”

“…Furthermore, these are based on the computational Diffie-Hellman assumption, namely, they are not quantum-resistant. On the other hand, the known lattice-based constructions [12]- [14] have only a loose security reduction, even [13] and [14] appeared after the earlier version of this paper [1] was published. Thus, to the best of our knowledge, it is an open problem to construct a quantum-resistant multisignature whose security is proven by a tight security reduction.…”

Tighter Reduction for Lattice-Based Multisignature

Two-Round n-out-of-n and Multi-signatures and Trapdoor Commitment from Lattices

Covert Authentication from Lattices