A Compact Digital Signature Scheme Based on the Module-LWR Problem

Abstract

We propose a new lattice-based digital signature scheme \(\textsf {MLWRSign} \) by modifying \(\textsf {Dilithium} \), which is one of the second-round candidates of NIST’s call for post-quantum cryptographic standards. To the best of our knowledge, our scheme MLWRSign is the first signature scheme whose security is based on the (module) learning with rounding (LWR) problem. Due to the simplicity of the LWR, the secret key size is reduced by approximately 30% in our scheme compared to Dilithium, while achieving the same level of security. Moreover, we implemented MLWRSign and observed that the running time of our scheme is comparable to that of Dilithium.

A. Takayasu—During a part of this work, the author was affiliated with the University of Tokyo.

Appendices

A Proofs for Rejection Rate Analysis

We prove the Lemmas 3 to 7 of Sect. 3.3 in the following.

Proof

of Lemma 3. \(P_1\) can be computed by considering each coefficient separately. For each coefficient \(\sigma \) of \(c\varvec{\mathbf {s}}_1\), the corresponding coefficient of \(\varvec{\mathbf {z}}\) will be in \((-\gamma _1 + \beta _1 + 1, \gamma _1 - \beta _1 -1]\) whenever the corresponding coefficient of \(\varvec{\mathbf {y}}_i\) is in \((-\gamma _1 +\beta _1 +1 - \sigma ,\gamma _1 - \beta _1 - 1 -\sigma )\). The size of this range is \(2(\gamma _1 -\beta _1)-1\), and the coefficients of \(\varvec{\mathbf {y}}\) have \(2\gamma _1 - 1\) possibilities since \(\varvec{\mathbf {y}} \in S_{\gamma _1-1}^l\). Thus, we obtain \(P_1= \left( \frac{2(\gamma _1-\beta _1)-1}{2\gamma _1-1}\right) ^{nl} = \left( 1- \frac{\beta _1}{\gamma _1-1/2}\right) ^{nl}\). When \(\gamma _1\) is large enough, we can estimate the above as \(e^{-nl\beta _1/\gamma _1}\).    \(\square \)

Proof

of Lemma 4. Similar to the proof of Lemma 3, we obtain \( P_2= \left( \frac{2(\overline{\gamma }_2-\beta _2)-1}{2\overline{\gamma }_2}\right) ^{nk} = \left( 1- \frac{\beta _2 + 1/2}{\overline{\gamma }_2}\right) ^{nk}, \) and we can estimate this as \(e^{-nk\beta _2/\overline{\gamma }_2}\) when \(\overline{\gamma }_2\) is large enough.    \(\square \)

Proof

of Lemma 5. Let \(X_i\) be the i-th coefficient of an element of the vector \(\varvec{\mathbf {s}}_2\), and let Y be a coefficient of an element of the vector \(c\varvec{\mathbf {s}}_2\). Then, since \(\varvec{\mathbf {s}}_2 \in S_{\frac{1}{2}}^k\), if we assume that \(X_1\dots X_n\) are i.i.d. and \(X_i \sim \mathcal {U}(-\frac{1}{2},\frac{1}{2})\), we obtain \(Y \sim \mathcal {N}(0,60\sigma _X^2)\) by the central limit theorem, where \(\sigma _X^2=\mathrm {Var}(X_i) = 1/12\). Thus, we obtain \(\mathrm {Pr}[{\mid }{Y}{\mid }<\beta _2']= 1-2F_{\mathcal {N}(0,5)}(-\beta _2')\), and (4).    \(\square \)

Proof

of Lemma 6. By construction, \(\varvec{\mathbf {t}} = \varvec{\mathbf {t}}_1 \cdot 2^d + \varvec{\mathbf {t}}_0\) and \(\Vert \varvec{\mathbf {t}}_0\Vert _{\infty } \le 2^{d-1}\). Let \(X_i\) be i-th coefficient of an element of the vector \(\varvec{\mathbf {t}}_0\), and let Y be a coefficient of an element of the vector \(c\varvec{\mathbf {t}}_0\). Note that \(c\in B_{60}\) so Y is the sum of the random 60 elements of \(\{X_i\}_{i=1}^{n}\). If we (heuristically) assume that \(X_1\dots X_n\) are i.i.d. and \(X_i \sim \mathcal {U}(-2^{d-1},2^{d-1})\), we obtain \(Y \sim \mathcal {N}(0,\sigma _Y^2)\) by the central limit theorem, where \(\sigma _Y^2:=60\sigma _X^2\) and \(\sigma _X^2=\mathrm {Var}(X_i) = (2\cdot 2^{d-1})^2/12 = 2^{2d}/12\). Thus, we obtain \(\mathrm {Pr}[{\mid }{Y}{\mid }<\overline{\gamma }_2]= 1-2F_{\mathcal {N}(0,\sigma _Y^2)}(-\overline{\gamma }_2)\), where \(F_{\mathcal {N}(0,\sigma _Y^2)}\) is the c. d. f. of \(\mathcal {N}(0,\sigma _Y^2)\). Since Y is a coefficient of an element of the vector in \(R^k_p\), we obtain (5).    \(\square \)

Proof

of Lemma 7. Let X, Y and h be the coefficient of an element of the vector \(\varvec{\mathbf {r}}_0\), \(c\varvec{\mathbf {t}}_0\) and \(\varvec{\mathbf {h}}\), respectively, and define \(Z:=X+Y\). Recall that \(\varvec{\mathbf {h}}= [\![\mathsf {HighBits} _p(\varvec{\mathbf {w}}-\lceil c\varvec{\mathbf {s}}_2 \rfloor -\varvec{\mathbf {\nu }}+c\varvec{\mathbf {t}}_0,2\overline{\gamma }_2) \ne \mathsf {HighBits} _p(\varvec{\mathbf {w}}-\lceil c\varvec{\mathbf {s}}_2 \rfloor -\varvec{\mathbf {\nu }},2\overline{\gamma }_2)]\!]\), and \(h=1\) when the corresponding Z satisfies \({\mid }{Z}{\mid }>\overline{\gamma }_2\), \(h=0\) otherwise. We now calculate \(\mathrm {Pr}[h=1]\). In line 21, the conditions \(\Vert \varvec{\mathbf {r}}_0\Vert _{\infty }<\overline{\gamma }_2-\beta _2\) and \(\Vert c\varvec{\mathbf {t}}_0\Vert _{\infty } \le \overline{\gamma }_2\) are already satisfied. Thus, we assume that \(X \sim \mathcal {U}(-(\overline{\gamma }_2-\beta _2),(\overline{\gamma }_2-\beta _2))\), \(Y \sim \mathcal {N}(0,\sigma _Y^2=5\cdot 2^{2d})\) as we have already derived, then we obtain \( f_Z(z) = \int _{z-(\overline{\gamma }_2-\beta _2)}^{z+(\overline{\gamma }_2-\beta _2)} f_X(z-y)f_Y(y)dy = \frac{1}{2(\overline{\gamma }_2-\beta _2)} \int _{z-(\overline{\gamma }_2-\beta _2)}^{z+(\overline{\gamma }_2-\beta _2)}f_Y(y)dy = \frac{1}{2(\overline{\gamma }_2-\beta _2)}(F_Y(z+(\overline{\gamma }_2-\beta _2))- F_Y(z-(\overline{\gamma }_2-\beta _2)))\), and \( F_Z(z) = \int _{-\infty }^z f_Z(x)dx = \frac{1}{2(\overline{\gamma }_2-\beta _2)}\int _{z-(\overline{\gamma }_2-\beta _2)}^{z+(\overline{\gamma }_2-\beta _2)} F_Y(x)dx, \) where \(f_X\), \(f_Y\) and \(f_Z\) are the p.d.f of the distribution of X, Y and Z, respectively. Then, we obtain \( \mathrm {Pr}[h=1] =\mathrm {Pr}[{\mid }{Z}{\mid }>\overline{\gamma }_2] =2F_Z(-\overline{\gamma }_2) = \frac{1}{\overline{\gamma }_2-\beta _2}\int _{-2(\overline{\gamma }_2-\beta _2)}^{0} F_Y(x)dx, \) and thus we obtain \(\mathrm {Hw}(\varvec{\mathbf {h}}) \sim \mathcal {B}(nk,\mathrm {Pr}[h=1])\) since \(\varvec{\mathbf {h}} \in R_p^k\). Therefore, we obtain (6).    \(\square \)

B Zero-Knowledge Proof

We will assume that the public key is \(\varvec{\mathbf {t}}\) rather than \(\varvec{\mathbf {t}}_1\) because the security of our scheme does not rely on \(\varvec{\mathbf {t}}_0\) being secret. We first calculate the probability that some particular \((\varvec{\mathbf {z}}, c)\) is generated in line 15 and takes over the randomness of \(\varvec{\mathbf {y}}\) and the random oracle \(\mathsf {H}\) that is modeled as a random function. We have \(\mathrm {Pr}[\varvec{\mathbf {z}},c] =\) \(\mathrm {Pr}[c] \cdot \mathrm {Pr}[ \varvec{\mathbf {y}} = \varvec{\mathbf {z}} -c\varvec{\mathbf {s}}_1 | c]\). Whenever \(\varvec{\mathbf {z}}\) satisfies \(\Vert \varvec{\mathbf {z}}\Vert _{\infty } < \gamma _1 - \beta _1\), the above probability is exactly the same for every such tuple \((\varvec{\mathbf {z}},c)\). This is because \(\Vert c\varvec{\mathbf {s}}_1\Vert _{\infty } \le \beta _1\) (with overwhelming probability), and thus \(\Vert \varvec{\mathbf {z}} - c\varvec{\mathbf {s}}_1\Vert _{\infty } \le \gamma _1 - 1\), which is a valid value of \(\varvec{\mathbf {y}}\). Therefore, if we only output \(\varvec{\mathbf {z}}\) when it satisfies \(\Vert \varvec{\mathbf {z}}\Vert _{\infty } < \gamma _1 - \beta _1\), then the resulting distribution will be uniformly random over \(S^{l}_{\gamma _1-\beta _1-1} \times B_{60}\).

The simulation of the signature follows [14]. The simulator picks \((\varvec{\mathbf {z}}, c)\) \(\overset{\$}{\leftarrow }\) \(S^{l}_{\gamma _1-\beta _1 -1} \times B_{60}\), then it also makes sure that Since we know that \(\varvec{\mathbf {w}} - \lceil c\varvec{\mathbf {s}}_2 \rfloor - \varvec{\mathbf {\nu }}= \lceil \textstyle {\frac{p}{q}}\varvec{\mathbf {A}}\varvec{\mathbf {z}} \rfloor - c\varvec{\mathbf {t}}\) by (1), the simulator can perfectly simulate this as well. If \(\varvec{\mathbf {z}}\) satisfies \(\Vert \mathsf {LowBits} _p(\varvec{\mathbf {w}}-\lceil c\varvec{\mathbf {s}}_2 \rfloor - \varvec{\mathbf {\nu }},2\overline{\gamma }_2)\Vert _{\infty } < \overline{\gamma }_2-\beta \), then as long as \(\Vert \lceil c\varvec{\mathbf {s}}_2 \rfloor \Vert _{\infty } \le \beta _2\), we will have \( \varvec{\mathbf {r}}_1 :=\mathsf {HighBits} _p(\varvec{\mathbf {w}}-\lceil c\varvec{\mathbf {s}}_2 \rfloor -\varvec{\mathbf {\nu }},2\overline{\gamma }_2)=\mathsf {HighBits} _p(\varvec{\mathbf {w}},2\overline{\gamma }_2)=\varvec{\mathbf {w}}_1. \) Since our \(\beta _2\) was selected such that we have \(\Vert \lceil c\varvec{\mathbf {s}}_2 \rfloor \Vert _{\infty } < \beta _2\) with overwhelming probability (over the choice of c, \(\varvec{\mathbf {s}}_2\)), the simulator does not need to check if \(\varvec{\mathbf {r}}_1 = \varvec{\mathbf {w}}_1\) holds and can assume that it always passes. We can then program \(\mathsf {H}(\mu \mathop {\Vert }\varvec{\mathbf {w}}_1) \leftarrow c\). Unless we have already set the value of \(\mathsf {H}(\mu \mathop {\Vert }\varvec{\mathbf {w}}_1)\) to something else, the resulting pair \((\varvec{\mathbf {z}}, c)\) has the same distribution as in a genuine signature of \(\mu \). Over the random choice of \(\varvec{\mathbf {A}}\) and \(\varvec{\mathbf {y}}\), the probability that we have already set the value of \(\mathsf {H}(\mu \mathop {\Vert }\varvec{\mathbf {w}}_1)\) is and we set the parameters \(\overline{\gamma }_1, \overline{\gamma }_2\) such that we have the upper bound of the above as less than \(2^{-255}\). All the other steps after line 19 of the signing algorithm use public information and thus they are simulatable.