
On Removing Rejection Conditions in Practical Lattice-Based Signatures

  • Conference paper
Post-Quantum Cryptography (PQCrypto 2021)

Part of the book series: Lecture Notes in Computer Science (LNCS, volume 12841)

Abstract

Digital signatures following the methodology of “Fiat-Shamir with Aborts”, proposed by Lyubashevsky, are capable of achieving the smallest public-key and signature sizes among all the existing lattice signature schemes based on the hardness of the Ring-SIS and Ring-LWE problems. Since its introduction, several variants and optimizations have been proposed, and two of them (i.e., Dilithium and qTESLA) entered the second round of the NIST post-quantum cryptography standardization. This method of designing signatures relies on rejection sampling during the signing process. Rejection sampling is crucial for ensuring both the correctness and security of these signature schemes.

In this paper, we investigate the possibility of removing the two rejection conditions used in both Dilithium and qTESLA. First, we show that removing one of the rejection conditions is possible, and provide a variant of Lyubashevsky’s signature with parameters comparable to those of Dilithium and qTESLA. Second, we give evidence of the difficulty of removing the other rejection condition, by showing that two very general approaches do not yield a signature scheme with correctness or security.


References

  1. Ajtai, M.: Generating hard instances of lattice problems (extended abstract). In: STOC, pp. 99–108 (1996)

  2. Albrecht, M.R., et al.: Estimate all the LWE, NTRU schemes! In: Catalano, D., De Prisco, R. (eds.) SCN 2018. LNCS, vol. 11035, pp. 351–367. Springer, Cham (2018). https://doi.org/10.1007/978-3-319-98113-0_19

  3. Albrecht, M.R., Player, R., Scott, S.: On the concrete hardness of learning with errors. J. Math. Cryptol. 9(3), 169–203 (2015)

  4. Alkim, E., et al.: The lattice-based digital signature scheme qTESLA. IACR Cryptology ePrint Archive, vol. 85 (2019)

  5. Bai, S., Galbraith, S.D.: An improved compression technique for signatures based on learning with errors. In: Benaloh, J. (ed.) CT-RSA 2014. LNCS, vol. 8366, pp. 28–47. Springer, Cham (2014). https://doi.org/10.1007/978-3-319-04852-9_2

  6. Boyd, C.: Digital multisignatures. In: Cryptography and Coding, pp. 241–246 (1986)

  7. Chaum, D.: Blind signatures for untraceable payments. In: Chaum, D., Rivest, R.L., Sherman, A.T. (eds.) Advances in Cryptology, pp. 199–203. Springer, Boston, MA (1983). https://doi.org/10.1007/978-1-4757-0602-4_18

  8. Desmedt, Y.: Society and group oriented cryptography: a new concept. In: Pomerance, C. (ed.) CRYPTO 1987. LNCS, vol. 293, pp. 120–127. Springer, Heidelberg (1988). https://doi.org/10.1007/3-540-48184-2_8

  9. Desmedt, Y., Frankel, Y.: Threshold cryptosystems. In: Brassard, G. (ed.) CRYPTO 1989. LNCS, vol. 435, pp. 307–315. Springer, New York (1990). https://doi.org/10.1007/0-387-34805-0_28

  10. Ding, J., Fluhrer, S., Rv, S.: Complete attack on RLWE key exchange with reused keys, without signal leakage. In: Susilo, W., Yang, G. (eds.) ACISP 2018. LNCS, vol. 10946, pp. 467–486. Springer, Cham (2018). https://doi.org/10.1007/978-3-319-93638-3_27

  11. Ding, J., Xie, X., Lin, X.: A simple provably secure key exchange scheme based on the learning with errors problem. Cryptology ePrint Archive, Report 2012/688 (2012)

  12. Ducas, L., Durmus, A., Lepoint, T., Lyubashevsky, V.: Lattice signatures and bimodal Gaussians. In: Canetti, R., Garay, J.A. (eds.) CRYPTO 2013. LNCS, vol. 8042, pp. 40–56. Springer, Heidelberg (2013). https://doi.org/10.1007/978-3-642-40041-4_3

  13. Ducas, L., et al.: CRYSTALS-Dilithium: a lattice-based digital signature scheme. IACR Trans. Cryptogr. Hardw. Embed. Syst. 2018(1), 238–268 (2018)

  14. Fiat, A., Shamir, A.: How to prove yourself: practical solutions to identification and signature problems. In: Odlyzko, A.M. (ed.) CRYPTO 1986. LNCS, vol. 263, pp. 186–194. Springer, Heidelberg (1987). https://doi.org/10.1007/3-540-47721-7_12

  15. Fluhrer, S.R.: Cryptanalysis of ring-LWE based key exchange with key share reuse. IACR Cryptology ePrint Archive, vol. 85 (2016)

  16. Gentry, C., Peikert, C., Vaikuntanathan, V.: Trapdoors for hard lattices and new cryptographic constructions. In: STOC, pp. 197–206 (2008)

  17. Gentry, C., Szydlo, M.: Cryptanalysis of the revised NTRU signature scheme. In: Knudsen, L.R. (ed.) EUROCRYPT 2002. LNCS, vol. 2332, pp. 299–320. Springer, Heidelberg (2002). https://doi.org/10.1007/3-540-46035-7_20

  18. Goldreich, O., Goldwasser, S., Halevi, S.: Public-key cryptosystems from lattice reduction problems. In: Kaliski, B.S. (ed.) CRYPTO 1997. LNCS, vol. 1294, pp. 112–131. Springer, Heidelberg (1997). https://doi.org/10.1007/BFb0052231

  19. Güneysu, T., Lyubashevsky, V., Pöppelmann, T.: Practical lattice-based cryptography: a signature scheme for embedded systems. In: Prouff, E., Schaumont, P. (eds.) CHES 2012. LNCS, vol. 7428, pp. 530–547. Springer, Heidelberg (2012). https://doi.org/10.1007/978-3-642-33027-8_31

  20. Guo, S., Kamath, P., Rosen, A., Sotiraki, K.: Limits on the efficiency of (Ring) LWE based non-interactive key exchange. In: Kiayias, A., Kohlweiss, M., Wallden, P., Zikas, V. (eds.) PKC 2020. LNCS, vol. 12110, pp. 374–395. Springer, Cham (2020). https://doi.org/10.1007/978-3-030-45374-9_13

  21. Hoffstein, J., Howgrave-Graham, N., Pipher, J., Silverman, J.H., Whyte, W.: NTRUSign: digital signatures using the NTRU lattice. In: Joye, M. (ed.) CT-RSA 2003. LNCS, vol. 2612, pp. 122–140. Springer, Heidelberg (2003). https://doi.org/10.1007/3-540-36563-X_9

  22. Kiltz, E., Lyubashevsky, V., Schaffner, C.: A concrete treatment of Fiat-Shamir signatures in the quantum random-oracle model. In: Nielsen, J.B., Rijmen, V. (eds.) EUROCRYPT 2018. LNCS, vol. 10822, pp. 552–586. Springer, Cham (2018). https://doi.org/10.1007/978-3-319-78372-7_18

  23. Lyubashevsky, V.: Fiat-Shamir with aborts: applications to lattice and factoring-based signatures. In: Matsui, M. (ed.) ASIACRYPT 2009. LNCS, vol. 5912, pp. 598–616. Springer, Heidelberg (2009). https://doi.org/10.1007/978-3-642-10366-7_35

  24. Lyubashevsky, V.: Lattice signatures without trapdoors. In: Pointcheval, D., Johansson, T. (eds.) EUROCRYPT 2012. LNCS, vol. 7237, pp. 738–755. Springer, Heidelberg (2012). https://doi.org/10.1007/978-3-642-29011-4_43

  25. Migliore, V., Gérard, B., Tibouchi, M., Fouque, P.-A.: Masking Dilithium: efficient implementation and side-channel evaluation. In: Applied Cryptography and Network Security, 17th International Conference, ACNS 2019, Bogota, Colombia, 5–7 June 2019, Proceedings, pp. 344–362 (2019)

  26. Nguyen, P.Q., Regev, O.: Learning a parallelepiped: cryptanalysis of GGH and NTRU signatures. In: Vaudenay, S. (ed.) EUROCRYPT 2006. LNCS, vol. 4004, pp. 271–288. Springer, Heidelberg (2006). https://doi.org/10.1007/11761679_17

  27. Peikert, C.: Lattice cryptography for the internet. In: Mosca, M. (ed.) PQCrypto 2014. LNCS, vol. 8772, pp. 197–219. Springer, Cham (2014). https://doi.org/10.1007/978-3-319-11659-4_12

  28. Regev, O.: On lattices, learning with errors, random linear codes, and cryptography. J. ACM 56(6), 40 (2009)

  29. Schnorr, C.P.: Efficient identification and signatures for smart cards. In: Brassard, G. (ed.) CRYPTO 1989. LNCS, vol. 435, pp. 239–252. Springer, New York (1990). https://doi.org/10.1007/0-387-34805-0_22

  30. Unruh, D.: Post-quantum security of Fiat-Shamir. In: Takagi, T., Peyrin, T. (eds.) ASIACRYPT 2017. LNCS, vol. 10624, pp. 65–95. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-70694-8_3


Author information

Corresponding author: Daniel Masny.

Appendices

A Standard Definitions

A.1 Digital Signatures

The following presents the syntax and the security definition of a digital signature scheme.

Definition 4 (Digital Signatures)

A digital signature scheme for a message space \(\mathsf {M} \) is a triplet of ppt algorithms \((\mathsf {KGen},\mathsf {Sign},\mathsf {Verify})\) with the following syntax:

  • \(\mathsf {KGen}\) : Takes as input \(1^\kappa \) and outputs a key pair \((\mathsf {pk},\mathsf {sk})\).

  • \(\mathsf {Sign}\) : Takes as input \(\mathsf {sk}\), a message \(\mathsf {m} \in \mathsf {M} \) and outputs a signature \(\sigma \).

  • \(\mathsf {Verify}\) : Takes as input \(\mathsf {pk}\), a message \(\mathsf {m} \in \mathsf {M} \), a signature \(\sigma \) and outputs 1 if \(\sigma \) is a valid signature under \(\mathsf {pk}\) for message \(\mathsf {m}\). Otherwise, it outputs 0.

For correctness, for any \(\mathsf {m} \in \mathsf {M} \), we require that \(\mathsf {Verify} (\mathsf {pk},\mathsf {m},\sigma )=1\), where \((\mathsf {pk},\mathsf {sk})\leftarrow \mathsf {KGen} (1^\kappa )\), \(\sigma \leftarrow \mathsf {Sign} (\mathsf {sk}, \mathsf {m})\).

Definition 5

(Existential Unforgeability under Chosen Message Attacks ( \(\mathsf {UF}\text {-}\mathsf {CMA}\) ) Security). A signature scheme \(\mathsf {SGN} \) is \((t,\epsilon ,q_S,q_H)\)-\(\mathsf {UF}\text {-}\mathsf {CMA}\) secure (existentially unforgeable under chosen message attacks) if for all algorithms \(\mathcal {A} \) running in time at most t and making at most \(q_S\) queries to the signing oracle and \(q_H\) queries to the random oracle,

$$\begin{aligned} \Pr \left[ \begin{array}{l} \mathsf {Verify} (\mathsf {pk},\mathsf {m} ^*,\sigma ^*)=1 \\ \wedge \; \mathsf {m} ^* \notin \{ \mathsf {m} _i \mid i \in [q_S]\} \end{array} \left| \begin{array}{l} (\mathsf {pk},\mathsf {sk})\leftarrow \mathsf {KGen} (1^\kappa ) \\ (\mathsf {m} ^*,\sigma ^*) \leftarrow \mathcal {A} ^{\mathcal {O}_H;\mathsf {Sign} (\mathsf {sk},\cdot )}(\mathsf {pk}) \end{array} \right. \right] \le \epsilon , \end{aligned}$$

where for \(i \in [q_S]\), on the i-th query \(\mathsf {m} _i\) the signing oracle \(\mathsf {Sign} (\mathsf {sk},\cdot )\) returns \(\sigma _i \leftarrow \mathsf {Sign} (\mathsf {sk},\mathsf {m} _i)\) to \(\mathcal {A} \) and \(\mathcal {O}_H \) denotes query access to a random oracle.

B Correctness and Security Analysis

Lemma 1 (Correctness and Termination)

The signature scheme in Fig. 1 is perfectly correct and has a heuristic acceptance rate of

$$ \rho _r:=\left( \frac{b_r-2b_e-1}{b_r}\right) ^{dk}, $$

where \(b_r:=\lfloor \frac{q}{p}\rfloor -1\).

Proof

Let \(( \mathbf {z} , c)\) be the output of \(\mathsf {Sign} (\mathsf {sk},\mathsf {m})\) for \(\mathsf {m} \in \mathsf {M} \) and \((\mathsf {sk},\mathsf {pk})\leftarrow \mathsf {KGen} (1^\kappa )\). By the acceptance condition, \( \mathbf {r} ^t \mathbf {A} - c \mathbf {e} ^t \in \mathsf {Good} \) always holds. By the definition of set \(\mathsf {Good} \), the coefficient of each entry of \( \mathbf {r} ^t \mathbf {A} - c \mathbf {e} ^t\) have a distance larger than \(b_e \) from the rounding borders (namely, \(\left\lfloor \frac{\ell q}{p}\right\rfloor \) for \(\ell = -\lfloor p/2\rfloor , ..., \lfloor p/2\rfloor \)) caused by rounding function \(\lfloor \cdot \rfloor _p \). Hence, \( \mathbf {r} ^t \mathbf {A} \) rounds to the same value as \( \mathbf {r} ^t \mathbf {A} - c \mathbf {e} ^t\), i.e. \(\lfloor \mathbf {r} ^t \mathbf {A} - c \mathbf {e} ^t\rfloor _p =\lfloor \mathbf {r} ^t \mathbf {A} \rfloor _p \).

By the definition of \( \mathbf {z} \) and public key (\( \mathbf {A} , \mathbf {y} \)), \( \mathbf {z} ^t \mathbf {A} - c \mathbf {y} ^t= \mathbf {r} ^t \mathbf {A} - c \mathbf {e} ^t\). Further, by the definition of c, \(c=H(\lfloor \mathbf {r} ^t \mathbf {A} \rfloor _p,\mathsf {pk},\mathsf {m})\). Thus, the verification check \(c=H(\lfloor \mathbf {z} ^t \mathbf {A} - c \mathbf {y} ^t\rfloor _p,\mathsf {pk},\mathsf {m})\) passes and \(\mathsf {Verify} \) returns 1.

For the acceptance rate \(\rho _r \), we need to compute the probability over and that \( \mathbf {r} ^t \mathbf {A} - c \mathbf {e} ^t \in \mathsf {Good} \). With overwhelming probability, \(\Vert c \mathbf {e} \Vert _\infty \le b_e \). The probability that a random element u in \(\mathbb {Z}_q\) falls in the bad region excluded in \(\mathsf {Good}\) is

For the claimed heuristic bound in the lemma statement, we use the heuristic that the coefficients of \( \mathbf {r} ^t \mathbf {A} -c \mathbf {e} ^t\) fall independently in the bad region.    \(\square \)

In Theorem 2 below, we prove that our signature scheme is EU-CMA in the ROM.

Theorem 2

Let LWE be \((t_{\mathsf {LWE}},\epsilon _{\mathsf {LWE}})\)-hard, \(\mathsf {ABDD}\) be \((t_{\mathsf {ABDD}},\epsilon _{\mathsf {ABDD}})\)-hard and \(H_\infty (\lfloor \mathbf {r} ^t \mathbf {A} \rfloor _p \mid \mathbf {A} )\ge \xi \). Then, the signature scheme in Fig. 1 is (\( t_\mathcal {A}, \epsilon _\mathcal {A}, q_S,q_H\))-\(\mathsf {UF}\text {-}\mathsf {CMA}\) secure in the programmable random oracle model, where \( t_\mathcal {A} \approx t_{\mathsf {LWE}}+t_{\mathsf {ABDD}}\) and \( \epsilon _\mathcal {A} \le \epsilon _{\mathsf {LWE}}+q_H\epsilon _{\mathsf {ABDD}}+q_S2^{-\kappa }+\kappa ^2\rho _r ^{-2}q_S^22^{-\xi }+2\kappa \rho _r ^{-1}q_Sq_H2^{-\xi }\).

Proof

On a high level, we prove this theorem in two hybrids. In the first hybrid, we exploit the programmability of the random oracle to respond to signature queries without knowing the secret key. This step of faithfully simulating signatures without knowing the secret key crucially relies on the rejection sampling condition.

During the second hybrid, the public key of our signature scheme is replaced with uniform randomness. In this hybrid, there will be no secret key that allows to sign messages and, furthermore, it is infeasible for an adversary who cannot program the random oracle to forge signatures.

In the following, we define the two hybrids and show that: 1) by a statistical argument, simulated signatures are identically distributed as signatures created by the signing algorithm with access to the secret key, i.e. every algorithm has the same advantage in the \(\mathsf {UF}\text {-}\mathsf {CMA}\) game and hybrid 1; 2) there is no algorithm that has a different advantage in hybrid 1 and hybrid 2, unless it implicitly breaks the LWE assumption; 3) there is no algorithm that can forge a signature in hybrid 2, unless it implicitly breaks the \(\mathsf {ABDD}\) assumption.

To summarize, this proves the theorem statement. The detailed description of the hybrids and the \(\mathsf {UF}\text {-}\mathsf {CMA}\) game are depicted in Fig. 2.

Fig. 2. \(\mathsf {UF}\text {-}\mathsf {CMA}\) security game and hybrids to prove Theorem 2 (figure not reproduced here)

We start the formal argument with showing that any adversary that is successful in the \(\mathsf {UF}\text {-}\mathsf {CMA}\) game is also successful in hybrid 1.

Lemma 2

Let there be an algorithm that \((t,\epsilon ,q_S,q_H)\) breaks the \(\mathsf {UF}\text {-}\mathsf {CMA}\) security and \(H_\infty (\lfloor \mathbf {r} ^t \mathbf {A} \rfloor _p \mid \mathbf {A} )\ge \xi \). Then, there is also an algorithm that \((t',\epsilon ',q_S',q_H')\) forges a signature in hybrid 1 for \(t'\approx t\), \(\epsilon '\ge \epsilon -q_S2^{-\kappa }-\kappa ^2\rho _r ^{-2}q_S^22^{-\xi }-2\kappa \rho _r ^{-1}q_Sq_H2^{-\xi }\), \(q_S'=q_S\), and \(q_H'=q_H\).

Proof

The difference between the \(\mathsf {UF}\text {-}\mathsf {CMA}\) game and hybrid 1 is how signing queries are answered. In the \(\mathsf {UF}\text {-}\mathsf {CMA}\) game, one first samples , computes \({c}=H(\lfloor \mathbf {r} ^t \mathbf {A} \rfloor _p,\mathsf {pk},\mathsf {m})\), rejects if \( \mathbf {r} ^t \mathbf {A} -c \mathbf {e} ^t\not \in \mathsf {Good} \) and then computes \( \mathbf {z} = \mathbf {r} +c \mathbf {s} \). In hybrid 1, one samples first , , rejects if \( \mathbf {z} ^t \mathbf {A} -c \mathbf {y} ^t\not \in \mathsf {Good} \) and finally programs the random oracle H on point \((\lfloor \mathbf {z} ^t \mathbf {A} -c \mathbf {y} ^t\rfloor _p,( \mathbf {A} , \mathbf {y} ),\mathsf {m})\) to be equal to c. In the following, we show that created signatures \(( \mathbf {z} ,c)\) have the same distribution.

As a first intermediate step, we want to show that the generated signatures \(( \mathbf {z} ,c)\) before the rejection have the same distribution in game \(\mathsf {UF}\text {-}\mathsf {CMA}\) and hybrid 1. This can only be the case if the reprogramming step of the oracle does not fail. Except with probability \(q_S2^{-\kappa }\), there are at most \(\kappa /\rho _r \) many reprogrammings per signature for all signature queries. The amount of defined points of the random oracle within hybrid 1 is upper bounded by \(\kappa \rho _r ^{-1}q_S+q_H\). At each reprogramming step, \(\lfloor \mathbf {r} ^t \mathbf {A} \rfloor _p \) has at least min-entropy \(\xi \) given \( \mathbf {A} \). Hence the probability that the random oracle is already defined for partial input \(\lfloor \mathbf {r} ^t \mathbf {A} \rfloor _p \) is at most \((\kappa \rho _r ^{-1}q_S+q_H)2^{-\xi }\). Since there are at most \(\kappa \rho _r ^{-1}q_S\) reprogramming steps, the probability that reprogramming the random oracle fails in hybrid 1 is upper bounded by \(q_S2^{-\kappa }+\kappa \rho _r ^{-1}q_S(\kappa \rho _r ^{-1}q_S+q_H)2^{-\xi }\). For the remaining parts of the proof, we assume that the reprogramming does not fail.

The challenge c in game \(\mathsf {UF}\text {-}\mathsf {CMA}\) is the output of the random oracle on input \(\lfloor \mathbf {r} ^t \mathbf {A} \rfloor _p,( \mathbf {A} , \mathbf {y} ),\mathsf {m} \) and therefore uniformly distributed. In hybrid 1, c is sampled uniformly at random and it is programmed to be the output of the oracle on input \(\lfloor \mathbf {z} ^t \mathbf {A} -c \mathbf {y} ^t\rfloor _p,( \mathbf {A} , \mathbf {y} ),\mathsf {m} \). Under the premise that \(\lfloor \mathbf {z} ^t \mathbf {A} -c \mathbf {y} ^t\rfloor _p =\lfloor \mathbf {r} ^t \mathbf {A} \rfloor _p \), c has the same distribution in game \(\mathsf {UF}\text {-}\mathsf {CMA}\) and hybrid 1.

We now focus on showing that \( \mathbf {z} \) has the same distribution. In game \(\mathsf {UF}\text {-}\mathsf {CMA}\), \( \mathbf {z} := \mathbf {r} +c \mathbf {s} \), where . In hybrid 1, and we can define \( \mathbf {r} := \mathbf {z} -c \mathbf {s} \). Therefore in hybrid 1, \( \mathbf {r} \) is also uniform and \( \mathbf {z} \) is determined by \( \mathbf {r} \), \( \mathbf {s} \) and c as in \(\mathsf {UF}\text {-}\mathsf {CMA}\).

It is left to show that the premise \(\lfloor \mathbf {z} ^t \mathbf {A} -c \mathbf {y} ^t\rfloor _p =\lfloor \mathbf {r} ^t \mathbf {A} \rfloor _p \) is implied by the rejection condition and that the rejection condition does not introduce any difference between the signature distribution in game \(\mathsf {UF}\text {-}\mathsf {CMA}\) and hybrid 1. The latter is easy to show. \( \mathbf {r} ^t \mathbf {A} - c \mathbf {e} ^t \in \mathsf {Good} \) is identical to \( \mathbf {z} ^t \mathbf {A} - c \mathbf {y} ^t \in \mathsf {Good} \), because \( \mathbf {r} ^t \mathbf {A} - c \mathbf {e} ^t= \mathbf {z} ^t \mathbf {A} - c \mathbf {y} ^t\). Obviously, we could replace the rejection condition in the original scheme with the publicly verifiable condition \( \mathbf {z} ^t \mathbf {A} - c \mathbf {y} ^t \in \mathsf {Good} \) that we need in hybrid 1. The only reason against it is a slight performance gain due to the fact that \( \mathbf {r} ^t \mathbf {A} \) has already been computed when evaluating the random oracle.

By the same argument as used for correctness (see Lemma 1), \( \mathbf {r} ^t \mathbf {A} - c \mathbf {e} ^t \in \mathsf {Good} \) implies \(\lfloor \mathbf {z} ^t \mathbf {A} -c \mathbf {y} ^t\rfloor _p =\lfloor \mathbf {r} ^t \mathbf {A} \rfloor _p \). Therefore all signatures obtained by the adversary, i.e. that pass the rejection condition, have the same distribution in hybrid 1 and game \(\mathsf {UF}\text {-}\mathsf {CMA}\).

All other signatures, i.e. the ones that trigger the rejection condition, remain hidden and an adversary could at most observe a reprogrammed challenge. This might be a problem, because there could be a slight bias in the random oracle since the partial input \(\lfloor \mathbf {z} ^t \mathbf {A} -c \mathbf {y} ^t\rfloor _p \) might be biased with the output c (which disappears for non-rejected signatures where \(\lfloor \mathbf {z} ^t \mathbf {A} -c \mathbf {y} ^t\rfloor _p =\lfloor \mathbf {r} ^t \mathbf {A} \rfloor _p \)). But in order to detect this bias, the adversary would need to guess \(\lfloor \mathbf {z} ^t \mathbf {A} -c \mathbf {y} ^t\rfloor _p \), which has at least min-entropy \(\xi \) for the same reason that \(\lfloor \mathbf {r} ^t \mathbf {A} \rfloor _p \) has at least min-entropy \(\xi \). The ability of an adversary to detect this bias is upper bounded by \(\kappa \rho _r ^{-1}q_Sq_H2^{-\xi }\).    \(\square \)
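The scheme whose correctness Lemma 1 argues and whose hybrid-1 simulator Lemma 2 analyses, as an added toy implementation in Python (my own code, not the paper's or any reference implementation): the ring \(R_q=\mathbb {Z}_q[x]/(x^d+1)\), the floor-rounding function with its borders, the \(\mathsf {Good}\) check, the \(\mathsf {KGen}/\mathsf {Sign}/\mathsf {Verify}\) triple of Definition 4, the heuristic acceptance rate \(\rho _r\) of Lemma 1, and the simulator that signs from the public key alone by programming the random oracle. The parameters \(q, p, d, k, l\), the bounds \(\eta, \tau\), the challenge set (\(\tau\) coefficients in \(\{-1,1\}\)) and the hash-to-challenge encoding are constructed choices of mine; with \(b_e=\tau \eta \) the bound \(\Vert c \mathbf {e} \Vert _\infty \le b_e \) then holds for every \(c\) and \(\mathbf {e}\), not merely with overwhelming probability as in the lemma. The names below are hypothetical and do not appear in the paper.

```python
# Added toy model of the Fig. 1 rounding-based signature (not the paper's code); all parameters are constructed.
import hashlib
import random

Q, P, D, K, L = 12289, 8, 16, 2, 2  # modulus, rounding modulus, ring degree, A is L x K
ETA, TAU = 2, 4                     # |s_i|, |e_i| <= ETA; c has TAU coefficients in {-1, 1}
B_E = ETA * TAU                     # hence ||c e||_inf <= B_E holds for every c and e

def center(x):  # centered representative of x mod Q in [-(Q-1)/2, (Q-1)/2]
    x %= Q
    return x - Q if x > (Q - 1) // 2 else x

def poly_mul(a, b):  # product in Z_q[x]/(x^D + 1); x^D = -1, so wrapped terms flip sign
    out = [0] * D
    for i, ai in enumerate(a):
        for j, bj in enumerate(b):
            k, sgn = (i + j) % D, (-1 if i + j >= D else 1)
            out[k] = (out[k] + sgn * ai * bj) % Q
    return out

def vec_mat(r, A):  # r^t A for r in R_q^L and A in R_q^{L x K}
    out = [[0] * D for _ in range(K)]
    for i in range(L):
        for j in range(K):
            out[j] = [(x + y) % Q for x, y in zip(out[j], poly_mul(r[i], A[i][j]))]
    return out

def vec_add(u, v, sign=1):
    return [[(x + sign * y) % Q for x, y in zip(pu, pv)] for pu, pv in zip(u, v)]
def scalar_vec(c, v):
    return [poly_mul(c, p) for p in v]

def rnd(x):  # floor rounding Z_q -> Z_p of a centered integer; borders at multiples of Q/P
    return (x * P) // Q
def round_vec(v):
    return [[rnd(center(x)) for x in p] for p in v]

def coeff_good(x):  # no rounding border within B_E of x: every |delta| <= B_E rounds alike
    x = center(x)
    return rnd(x - B_E) == rnd(x + B_E)  # rnd is monotone, so checking the two ends suffices
def good(v):
    return all(coeff_good(x) for p in v for x in p)

def ro_key(w, pk, m):  # random-oracle input: (rounded commitment, public key, message)
    return repr((w, pk)).encode() + m

def hash_to_challenge(w, pk, m):  # H(w, pk, m): TAU distinct positions holding +1 or -1 (= Q-1)
    h, c, idx = hashlib.shake_256(ro_key(w, pk, m)).digest(256), [0] * D, 0
    while c.count(0) > D - TAU:
        pos, sgn, idx = h[idx] % D, h[idx + 1] & 1, idx + 2
        if c[pos] == 0:
            c[pos] = 1 if sgn else Q - 1
    return c

def keygen(rng):  # pk = (A, y^t = s^t A + e^t), sk = (s, e)
    A = [[[rng.randrange(Q) for _ in range(D)] for _ in range(K)] for _ in range(L)]
    s = [[rng.randint(-ETA, ETA) % Q for _ in range(D)] for _ in range(L)]
    e = [[rng.randint(-ETA, ETA) % Q for _ in range(D)] for _ in range(K)]
    return (A, vec_add(vec_mat(s, A), e)), (s, e)

def sign(sk, pk, m, rng, reject=True):
    (A, y), (s, e) = pk, sk
    while True:
        r = [[rng.randrange(Q) for _ in range(D)] for _ in range(L)]
        rA = vec_mat(r, A)
        c = hash_to_challenge(round_vec(rA), pk, m)
        if reject and not good(vec_add(rA, scalar_vec(c, e), -1)):
            continue  # r^t A - c e^t not in Good: abort and resample r
        return vec_add(r, scalar_vec(c, s)), c  # z = r + c s

def verify(pk, m, sig, oracle=hash_to_challenge):
    (A, y), (z, c) = pk, sig
    w = round_vec(vec_add(vec_mat(z, A), scalar_vec(c, y), -1))  # floor(z^t A - c y^t)_p
    return oracle(w, pk, m) == c

def rho_r():  # Lemma 1 heuristic: ((b_r - 2 b_e - 1) / b_r)^(d k) with b_r = floor(q/p) - 1
    b_r = Q // P - 1
    return ((b_r - 2 * B_E - 1) / b_r) ** (D * K)

def correctness_failures(n, seed, reject=True):  # signatures on n messages that fail to verify
    rng = random.Random(seed)
    pk, sk = keygen(rng)
    msgs = [b"m%d" % i for i in range(n)]
    return sum(not verify(pk, m, sign(sk, pk, m, rng, reject)) for m in msgs)

def hybrid1_simulation_verifies(seed):
    """Hybrid 1 of Theorem 2: sign with pk only. Sample (z, c) first, keep them once
    z^t A - c y^t is Good, then program H(floor(z^t A - c y^t)_p, pk, m) := c."""
    rng, m = random.Random(seed), b"hello"
    pk, _ = keygen(rng)
    while True:
        z = [[rng.randrange(Q) for _ in range(D)] for _ in range(L)]
        c = hash_to_challenge(rng.getrandbits(128), None, b"")  # a uniform challenge
        v = vec_add(vec_mat(z, pk[0]), scalar_vec(c, pk[1]), -1)
        if good(v):
            break
    table = {ro_key(round_vec(v), pk, m): c}  # the single programmed oracle entry
    return verify(pk, m, (z, c), oracle=lambda w, p, mm: table.get(ro_key(w, p, mm)))
```

`correctness_failures(n, seed)` returns 0 for any seed, because the `good` check guarantees that \( \mathbf {r} ^t \mathbf {A} \) and \( \mathbf {r} ^t \mathbf {A} - c \mathbf {e} ^t\) round to the same value; calling it with `reject=False` shows the correctness failures that appear once the rejection condition is dropped, which is the role the abstract attributes to rejection sampling. `rho_r()` evaluates the Lemma 1 heuristic for these toy parameters (about 0.70, so roughly 1.4 signing attempts on average). The simulator tests \( \mathbf {z} ^t \mathbf {A} - c \mathbf {y} ^t \in \mathsf {Good} \), which equals \( \mathbf {r} ^t \mathbf {A} - c \mathbf {e} ^t\), the publicly checkable form of the condition noted in the proof of Lemma 2; the signer's version is used in `sign` only because \( \mathbf {r} ^t \mathbf {A} \) is already available there.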

Lemma 3

Let there be an algorithm that \((t,\epsilon ,q_S,q_H)\) forges a signature in hybrid 1 and let LWE be \((t_{\mathsf {LWE}},\epsilon _{\mathsf {LWE}})\)-secure. Then, there is also an algorithm that \((t',\epsilon ',q_S',q_H')\) forges a signature in hybrid 2 for \(t'\approx t+t_{\mathsf {LWE}}\), \(\epsilon '\ge \epsilon -\epsilon _{\mathsf {LWE}}\), \(q_S'=q_S\), and \(q_H'=q_H\).

Proof

The lemma follows from a straightforward reduction to LWE. The only difference between hybrid 1 and hybrid 2 is the distribution of the public key (\( \mathbf {A} , \mathbf {y} \)). In hybrid 1, it is LWE distributed, while uniform in hybrid 2. If there is an algorithm that \(\epsilon \) forges in hybrid 1 and \(\epsilon '\) forges in hybrid 2, then LWE can be told apart from uniform with advantage \(|\epsilon -\epsilon '|\), i.e. \(\epsilon _{\mathsf {LWE}}\ge |\epsilon -\epsilon '|\).    \(\square \)

Lemma 4

Let there be an algorithm that \((t,\epsilon ,q_S,q_H)\) forges a signature in hybrid 2. Then, there is also an algorithm that \((t_{\mathsf {ABDD}},\epsilon _{\mathsf {ABDD}})\) solves \(\mathsf {ABDD}\) for \(t_{\mathsf {ABDD}}\approx t\), \(\epsilon _{\mathsf {ABDD}}\ge \frac{1}{q_H}\epsilon \).

Proof

We prove the lemma by embedding an \(\mathsf {ABDD}\) challenge in hybrid 2 such that if an algorithm forges successfully, it solves the \(\mathsf {ABDD}\) problem. This is straightforward. We use the \(\mathsf {ABDD}\) challenge (\( \mathbf {A} , \mathbf {y} \)) as a public key in hybrid 2. We guess a random oracle query for point \(( \mathbf {w} ,( \mathbf {A} , \mathbf {y} ),\mathsf {m} ^*)\) to request a challenge c for query \( \mathbf {w} ^*= \mathbf {w} \) from the \(\mathsf {ABDD}\) challenger. We program the random oracle by setting \(H( \mathbf {w} ,( \mathbf {A} , \mathbf {y} ),\mathsf {m} ^*)={c}\). With a probability of \(\frac{1}{q_H}\), the forgery will be for this c and message \(\mathsf {m} ^*\), and thereby a valid signature \(( \mathbf {z} ,{c})\) contains a valid \(\mathsf {ABDD}\) solution \( \mathbf {z} \).    \(\square \)

For applicability of Theorem 2, we need to show that \(\xi \le H_\infty (\lfloor \mathbf {r} ^t \mathbf {A} \rfloor _p \mid \mathbf {A} )\) is sufficiently large. Technically, it would be sufficient to show that it is hard for any efficient adversary to compute \(\lfloor \mathbf {r} ^t \mathbf {A} \rfloor _p \), given \( \mathbf {A} \). This would be sufficient, since it only needs to be hard for an efficient adversary to guess the points where the random oracle is going to be programmed during the simulation. Though, using computational intractability is not necessary.

Instead, we use a similar approach as used by Bai and Galbraith [5, Lemma 3], relying on the fact that the public key component \( \mathbf {A} \) has at least one invertible ring element. Unlike [5], we do not need to rely on a Gaussian heuristic, since in our case \( \mathbf {r} \) is chosen uniformly at random, which leads to a very simple analysis.

Lemma 5

For any \( \mathbf {A} \in R^{l\times k}_q\) with an invertible entry \(a_{i,j}\in R_q\),

$$ H_\infty (\lfloor \mathbf {r} ^t \mathbf {A} \rfloor _p \mid \mathbf {A} )\ge d\log p, $$

where \(\lfloor \mathbf {r} ^t \mathbf {A} \rfloor _p \in \mathbb {Z}_{p}^m\).

Proof

Since \(a_{i,j}\) is invertible,

$$ H_\infty (r_i a_{i,j}\mid \mathbf {A} )=H_\infty (r_i)=d\log {q}. $$

The rounding function loses \(\log (q/p)\) bits of entropy at each of the d coefficients of \(r_i\in R _q\) with respect to the coefficient embedding, which leaves at least \(d\log p\) bits.    \(\square \)


Copyright information

© 2021 Springer Nature Switzerland AG

About this paper


Cite this paper

Behnia, R., Chen, Y., Masny, D. (2021). On Removing Rejection Conditions in Practical Lattice-Based Signatures. In: Cheon, J.H., Tillich, J.-P. (eds.) Post-Quantum Cryptography. PQCrypto 2021. Lecture Notes in Computer Science, vol. 12841. Springer, Cham. https://doi.org/10.1007/978-3-030-81293-5_20


  • DOI: https://doi.org/10.1007/978-3-030-81293-5_20


  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-030-81292-8

  • Online ISBN: 978-3-030-81293-5
