Digital Signatures from the Middle-Product LWE

Abstract

We construct digital signatures secure in the quantum random oracle model (QROM) under the middle-product learning with errors problem, which is recently proposed by Roşca et al. (CRYPTO 2017) and shown by Roşca et al. (EUROCRYPT 2018) that it can be reduced from the worst-case hardness of ideal lattice problems for a large class of polynomial rings. The previous signatures secure under the lattice problems not specified in a certain ring is based on the short integer solution (SIS) problems for bounded-degree polynomials (Lyubashevsky, ASIACRYPT 2016). The standard path to construct efficient signatures secure in the QROM (Kiltz et al., EUROCRYPT 2018) requires hardness of a decision problem, but the SIS problems for polynomial rings are not known to have search-to-decision reductions. Our signatures are the first efficient signatures secure in the QROM under the worst-case hardness of ideal lattice problems for many rings.

A Digital Signatures from the MPLWE

1.1 A.1 Digital Signatures

We first introduce the definition of digital signatures and pseudorandom functions.

Definition 13

A digital signature scheme consists of a triple of polynomial-time algorithms \(\Sigma :=\{\mathsf {Keygen}, \mathsf {Sign}, \mathsf {Verify}\}\) with the following syntax:

• \(\mathsf {KeyGen}(1^{\lambda })\): given a security parameter \(\lambda \), outputs secret and public keys \((\mathsf {sk}, \mathsf {pk})\).

• \(\mathsf {Sign}_{\mathsf {sk}}(\mu \in \{0,1\}^{*})\): given a secret key \(\mathsf {sk}\) and message \(\mu \), outputs a signature \(\sigma \).

• \(\mathsf {Verify}_{\mathsf {pk}}(\mu , \sigma )\): given a public key \(\mathsf {pk}\), message \(\mu \), and signature \(\sigma \), outputs 1 if \(\sigma \) is a valid signature of \(\mu \), and 0 otherwise.

The signature scheme has correctness error \(\gamma \) if for all \((\mathsf {pk}, \mathsf {sk})\in \mathsf {KeyGen}(1^{\lambda })\) and all message \(\mu \in \{0,1\}^{*}\), it holds that \(\Pr [\mathsf {Verify}_{\mathsf {pk}}(\mu , \mathsf {Sign}_{\mathsf {sk}}(\mu ))=0]\le \gamma \).

Let \(\mathcal {O}^{\mathsf {Sign}}\) be an oracle that outputs a signature for a queried message, and \(\mathcal {M}\) be the set of queried messages to \(\mathcal {O}^{\mathsf {Sign}}\). The advantage of an algorithm \(\mathcal {F}\) is defined as

$$ \mathsf {Adv}_{\Sigma , \mathcal {F}}^{\mathsf {EUF}\text {-}\mathsf {CMA}}(\lambda ) :=\Pr \left[ \begin{aligned}&\mathsf {Verify}_{\mathsf {pk}}(\mu ^{*}, \sigma ^{*})=1\\&\wedge \mu ^{*}\not \in \mathcal {M} \end{aligned} : \begin{aligned}&(\mathsf {pk}, \mathsf {sk});\\&(\mu ^{*}, \sigma ^{*})\\ \end{aligned} \right] . $$

The signature scheme \(\Sigma \) is called \(\mathsf {EUF}\text {-}\mathsf {CMA}\) secure if \(\mathsf {Adv}_{\Sigma , \mathcal {F}}^{\mathsf {EUF}\text {-}\mathsf {CMA}}(\lambda )=\mathsf {negl}(\lambda )\) for any PPT adversary \(\mathcal {F}\).

Definition 14

(Pseudorandom Function). For a security parameter \(\lambda \), let \(n=n(\lambda )\) and \(k=k(\lambda )\) be integers, and \(\mathcal {K}\) be a finite key space. The advantage of a map \(\mathsf {PRF}: \mathcal {K}\times \{0,1\}^{n}\rightarrow \{0,1\}^{k}\) for an adversary \(\mathcal {D}\) is defined as

$$ \mathsf {Adv}^{\mathsf {PR}}_{\mathsf {PRF}, \mathcal {D}}(\lambda ):= \left| \Pr [\mathcal {D}^{\mathsf {PRF}_{K}(\cdot )}(1^{\lambda })\rightarrow 1;K] -\Pr [\mathcal {D}^{\mathsf {RF}(\cdot )}(1^{\lambda })\rightarrow 1] \right| , $$

where \(\mathsf {RF}:\{0,1\}^{n}\rightarrow \{0,1\}^{k}\) be a random function. The map \(\mathsf {PRF}\) is called a pseudorandom function if \(\mathsf {Adv}^{\mathsf {PR}}_{\mathsf {PRF}, \mathcal {D}}(\lambda )=\mathsf {negl}(\lambda )\).

The following signatures \(\Sigma _{\mathsf {DFS}}\), obtained from the deterministic variant of Fiat-Shamir transformation for the (canonical) identification, is a triple of key generation, signing, and verification algorithm, but we omit the description of the key generation, since it is the same as the instance generation algorithm of the underlying identification. Let \(H: \{0,1\}^{*}\rightarrow R^{<k+1}\) be a hash function implemented by the random oracle, \(\mathsf {PRF}_{K}(\cdot )\) be a pseudorandom function with key K, and \(\kappa _{m}\) be a positive integer.

• \(\mathsf {Sign}_{\mathsf {sk}, K}(\mu \in \{0,1\}^{*})\): Set \(\kappa :=0\). Repeat the followings while \(z=\bot \) and \(\kappa \le \kappa _{m}\): set \(\kappa :=\kappa +1\); compute \((w, \mathsf {st}):=\mathsf {P}_{1}(\mathsf {sk}; \mathsf {PRF}_{K}(0\parallel \mu \parallel \kappa ))\); set \(c:=H(w\Vert \mu )\); compute \(z:=\mathsf {P}_{2}(\mathsf {sk}, w, c, \mathsf {st}; \mathsf {PRF}_{K}(1\Vert \mu \Vert \kappa ))\). If \(z=\bot \) then return \(\sigma :=\bot \), else return \(\sigma :=(w, z)\).

• \(\mathsf {Verify}_{\mathsf {pk}}(\mu , \sigma )\): Parse \(\sigma =(w,z)\), and return \(\mathsf {V}(\mathsf {pk}, w, c, z)\in \{0,1\}\) for \(c:=H(w\Vert \mu )\).

In [16], Kiltz et al. showed quantum security of the signatures obtained from the (deterministic) Fiat-Shamir transformation for a lossy identification scheme.

Theorem 2

(Adapted from Theorem 3.1 of [16]). Assume the identification scheme \(\mathsf {ID}\) is lossy key indistinguishable, \(\epsilon _{\mathsf {ls}}\)-lossy sound, \(\epsilon _{\mathsf {ZK}}\)-perfect \(\mathsf {naHVZK}\), and has an \(\alpha \)-bits of min entropy. For any quantum \(\mathsf {EUF}\text {-}\mathsf {CMA}\) adversary \(\mathcal {F}\) that issues at most \(q_{\mathsf {H}}\) queries to the quantum random oracle \(|H\rangle \), and \(q_{\mathsf {S}}\) classical queries to the signing oracle, there exists a quantum adversary \(\mathcal {A}\) against \(\mathsf {ID}\) and a quantum adversary \(\mathcal {D}\) against \(\mathsf {PRF}\) such that

$$ \mathsf {Adv}_{\Sigma _{\mathsf {DFS}}, \mathcal {F}}^{\mathsf {EUF}\text {-}\mathsf {CMA}}(\lambda ) \!\le \!\mathsf {Adv}_{\mathsf {ID}, \mathcal {A}}^{\mathsf {LOSSY}-\mathsf {IND}}(\lambda )+8(q_{\mathsf {H}}+1)^{2}\cdot \epsilon _{\mathsf {ls}} +\mathsf {Adv}_{\mathsf {PRF}, \mathcal {D}}^{\mathsf {PR}}(\lambda )+2^{-\alpha +1}+\kappa _{m}q_{\mathsf {S}}\epsilon _{\mathsf {ZK}}. $$

1.2 A.2 Fiat-Shamir Transformed Signatures from \(\mathsf {ID}_{\mathsf {MPLWE}}\)

We here give a construction of the signatures from our identification scheme \(\mathsf {ID}_{\mathsf {MPLWE}}\) described in Sect. 3.2. The signatures are obtained by applying the transformation of [16] to \(\mathsf {ID}_{\mathsf {MPLWE}}\). The resulting signature scheme can be seen as an \(\mathsf {MPLWE}\) variant of Dilithium-QROM [16].

The (deterministic) Fiat-Shamir transformed signature scheme \(\Sigma _{\mathsf {MPLWE}}\) consists of the following three algorithms:

• \(\mathsf {KeyGen}(1^{\lambda })\): Generate \((\mathsf {pk}, \mathsf {sk})(1^{\lambda })\).

• \(\mathsf {Sign}_{\mathsf {sk}, K}(\mu \in \{0,1\}^{*})\): Parse \(\mathsf {sk}=(\rho , s_{1}, s_{2}, t_{0})\), set \(\kappa :=0\), and recover \(a:=\mathsf {Sam}(\rho )\). Repeat the followings while \((z, h)=(\bot , \bot )\) and \(\kappa \le \kappa _{m}\): set \(\kappa :=\kappa +1\); compute \(y:=\mathsf {PRF}_{K}(\mu \parallel \kappa )\); compute \(w:=a\odot _{d}y\in R^{<d}_{q}\) and \(w_{1}:=\mathsf {HighBits}_{q}(w, 2\beta ')\); set \(c:=H(w_{1}\parallel \mu )\); compute \(z:=c\odot _{n+d-1}s_{1}+y\in R^{<n+d-1}\); if \(\Vert z\Vert _{\infty }\ge \gamma \) or \(\Vert \mathsf {LowBits}_{q}(w-c\odot _{d}s_{2}, 2\beta ')\Vert _{\infty }\ge \gamma '\) then set \((z, h):=(\bot , \bot )\), else set \(h:=\mathsf {MakeHint}_{q}(-c\odot _{d}t_{0}, w-c\odot _{d}s_{2}+c\odot _{d}t_{0}, 2\beta ')\). Output \(\sigma :=(h, z, c)\).

• \(\mathsf {Verify}_{\mathsf {pk}}(\mu , \sigma )\): Parse \(\sigma = (h, z, c)\). Generate \(a=\mathsf {Sam}(\rho )\) and compute \(w_{1}':=\mathsf {UseHint}_{q}(h, a\odot _{d}z-c\odot _{d}t_{1}\cdot 2^{\delta }, 2\beta ')\). Output 1 if \(\Vert z\Vert _{\infty }<\gamma \) and \(c = H(w_{1}'\parallel \mu )\) holds, 0 otherwise.

From Theorem 2 and the lemmas proven in Sect. 3, the Fiat-Shamir Transformed signatures from our identification scheme \(\mathsf {ID}_{\mathsf {MPLWE}}\) is \(\mathsf {EUF}\text {-}\mathsf {CMA}\) secure in the QROM.

Corollary 3

If the decision \(\mathsf {MPLWE}\) assumption holds, and the function \(\mathsf {PRF}\) is pseudorandom against quantum adversaries, then the signature scheme \(\Sigma _{\mathsf {MPLWE}}\) is \(\mathsf {EUF}\text {-}\mathsf {CMA}\) secure in the QROM. In particular, for any quantum adversary \(\mathcal {F}\) against \(\mathsf {EUF}\text {-}\mathsf {CMA}\) security for the signature scheme \(\Sigma _{\mathsf {MPLWE}}\) that issues at most \(q_{\mathsf {H}}\) queries to the quantum random oracle \(|H\rangle \), and \(q_{\mathsf {S}}\) classical queries to the signing oracle, there exists a quantum adversary \(\mathcal {A}\) of \(\mathsf {MPLWE}\) assumption and a quantum adversary \(\mathcal {D}\) against \(\mathsf {PRF}\) such that

$$ \mathsf {Adv}_{\Sigma _{\mathsf {MPLWE}}, \mathcal {F}}^{\mathsf {EUF}\text {-}\mathsf {CMA}}(\lambda )\le \mathsf {Adv}^{\mathsf {MPLWE}}_{\mathcal {A}}(\lambda ) +8(q_{\mathsf {H}}+1)^{2}\cdot \epsilon _{\mathsf {ls}}+\mathsf {Adv}_{\mathsf {PRF}, \mathcal {D}}^{\mathsf {PR}}(\lambda )+2^{-\alpha +1}. $$