Abstract
Digital signatures following the methodology of “Fiat-Shamir with Aborts”, proposed by Lyubashevsky, are capable of achieving the smallest public-key and signature sizes among all the existing lattice signature schemes based on the hardness of the Ring-SIS and Ring-LWE problems. Since its introduction, several variants and optimizations have been proposed, and two of them (i.e., Dilithium and qTESLA) entered the second round of the NIST post-quantum cryptography standardization. This method of designing signatures relies on rejection sampling during the signing process. Rejection sampling is crucial for ensuring both the correctness and security of these signature schemes.
In this paper, we investigate the possibility of removing the two rejection conditions used in both Dilithium and qTESLA. First, we show that removing one of the rejection conditions is possible, and provide a variant of Lyubashevsky's signature with parameters comparable to Dilithium and qTESLA. Second, we give evidence of the difficulty of removing the other rejection condition, by showing that two very general approaches do not yield a signature scheme with correctness or security.
References
Ajtai, M.: Generating hard instances of lattice problems (extended abstract). In: STOC, pp. 99–108 (1996)
Albrecht, M.R., et al.: Estimate all the LWE, NTRU schemes! In: Catalano, D., De Prisco, R. (eds.) SCN 2018. LNCS, vol. 11035, pp. 351–367. Springer, Cham (2018). https://doi.org/10.1007/978-3-319-98113-0_19
Albrecht, M.R., Player, R., Scott, S.: On the concrete hardness of learning with errors. J. Math. Cryptol. 9(3), 169–203 (2015)
Alkim, E., et al.: The lattice-based digital signature scheme qTESLA. IACR Cryptology ePrint Archive, vol. 85 (2019)
Bai, S., Galbraith, S.D.: An improved compression technique for signatures based on learning with errors. In: Benaloh, J. (ed.) CT-RSA 2014. LNCS, vol. 8366, pp. 28–47. Springer, Cham (2014). https://doi.org/10.1007/978-3-319-04852-9_2
Boyd, C.: Digital multisignatures. In: Cryptography and Coding, pp. 241–246 (1986)
Chaum, D.: Blind signatures for untraceable payments. In: Chaum, D., Rivest, R.L., Sherman, A.T. (eds.) Advances in Cryptology, pp. 199–203. Springer, Boston, MA (1983). https://doi.org/10.1007/978-1-4757-0602-4_18
Desmedt, Y.: Society and group oriented cryptography: a new concept. In: Pomerance, C. (ed.) CRYPTO 1987. LNCS, vol. 293, pp. 120–127. Springer, Heidelberg (1988). https://doi.org/10.1007/3-540-48184-2_8
Desmedt, Y., Frankel, Y.: Threshold cryptosystems. In: Brassard, G. (ed.) CRYPTO 1989. LNCS, vol. 435, pp. 307–315. Springer, New York (1990). https://doi.org/10.1007/0-387-34805-0_28
Ding, J., Fluhrer, S., Rv, S.: Complete attack on RLWE key exchange with reused keys, without signal leakage. In: Susilo, W., Yang, G. (eds.) ACISP 2018. LNCS, vol. 10946, pp. 467–486. Springer, Cham (2018). https://doi.org/10.1007/978-3-319-93638-3_27
Ding, J., Xie, X., Lin, X.: A simple provably secure key exchange scheme based on the learning with errors problem. Cryptology ePrint Archive, Report 2012/688 (2012)
Ducas, L., Durmus, A., Lepoint, T., Lyubashevsky, V.: Lattice signatures and bimodal Gaussians. In: Canetti, R., Garay, J.A. (eds.) CRYPTO 2013. LNCS, vol. 8042, pp. 40–56. Springer, Heidelberg (2013). https://doi.org/10.1007/978-3-642-40041-4_3
Ducas, L., et al.: CRYSTALS-Dilithium: a lattice-based digital signature scheme. IACR Trans. Cryptogr. Hardw. Embed. Syst. 2018(1), 238–268 (2018)
Fiat, A., Shamir, A.: How to prove yourself: practical solutions to identification and signature problems. In: Odlyzko, A.M. (ed.) CRYPTO 1986. LNCS, vol. 263, pp. 186–194. Springer, Heidelberg (1987). https://doi.org/10.1007/3-540-47721-7_12
Fluhrer, S.R.: Cryptanalysis of ring-LWE based key exchange with key share reuse. IACR Cryptology ePrint Archive, vol. 85 (2016)
Gentry, C., Peikert, C., Vaikuntanathan, V.: Trapdoors for hard lattices and new cryptographic constructions. In: STOC, pp. 197–206 (2008)
Gentry, C., Szydlo, M.: Cryptanalysis of the revised NTRU signature scheme. In: Knudsen, L.R. (ed.) EUROCRYPT 2002. LNCS, vol. 2332, pp. 299–320. Springer, Heidelberg (2002). https://doi.org/10.1007/3-540-46035-7_20
Goldreich, O., Goldwasser, S., Halevi, S.: Public-key cryptosystems from lattice reduction problems. In: Kaliski, B.S. (ed.) CRYPTO 1997. LNCS, vol. 1294, pp. 112–131. Springer, Heidelberg (1997). https://doi.org/10.1007/BFb0052231
Güneysu, T., Lyubashevsky, V., Pöppelmann, T.: Practical lattice-based cryptography: a signature scheme for embedded systems. In: Prouff, E., Schaumont, P. (eds.) CHES 2012. LNCS, vol. 7428, pp. 530–547. Springer, Heidelberg (2012). https://doi.org/10.1007/978-3-642-33027-8_31
Guo, S., Kamath, P., Rosen, A., Sotiraki, K.: Limits on the efficiency of (Ring) LWE based non-interactive key exchange. In: Kiayias, A., Kohlweiss, M., Wallden, P., Zikas, V. (eds.) PKC 2020. LNCS, vol. 12110, pp. 374–395. Springer, Cham (2020). https://doi.org/10.1007/978-3-030-45374-9_13
Hoffstein, J., Howgrave-Graham, N., Pipher, J., Silverman, J.H., Whyte, W.: NTRUSign: digital signatures using the NTRU lattice. In: Joye, M. (ed.) CT-RSA 2003. LNCS, vol. 2612, pp. 122–140. Springer, Heidelberg (2003). https://doi.org/10.1007/3-540-36563-X_9
Kiltz, E., Lyubashevsky, V., Schaffner, C.: A concrete treatment of Fiat-Shamir signatures in the quantum random-oracle model. In: Nielsen, J.B., Rijmen, V. (eds.) EUROCRYPT 2018. LNCS, vol. 10822, pp. 552–586. Springer, Cham (2018). https://doi.org/10.1007/978-3-319-78372-7_18
Lyubashevsky, V.: Fiat-Shamir with aborts: applications to lattice and factoring-based signatures. In: Matsui, M. (ed.) ASIACRYPT 2009. LNCS, vol. 5912, pp. 598–616. Springer, Heidelberg (2009). https://doi.org/10.1007/978-3-642-10366-7_35
Lyubashevsky, V.: Lattice signatures without trapdoors. In: Pointcheval, D., Johansson, T. (eds.) EUROCRYPT 2012. LNCS, vol. 7237, pp. 738–755. Springer, Heidelberg (2012). https://doi.org/10.1007/978-3-642-29011-4_43
Migliore, V., Gérard, B., Tibouchi, M., Fouque, P.-A.: Masking Dilithium: efficient implementation and side-channel evaluation. In: Applied Cryptography and Network Security, 17th International Conference, ACNS 2019, Bogota, Colombia, 5–7 June 2019, Proceedings, pp. 344–362 (2019)
Nguyen, P.Q., Regev, O.: Learning a parallelepiped: cryptanalysis of GGH and NTRU signatures. In: Vaudenay, S. (ed.) EUROCRYPT 2006. LNCS, vol. 4004, pp. 271–288. Springer, Heidelberg (2006). https://doi.org/10.1007/11761679_17
Peikert, C.: Lattice cryptography for the internet. In: Mosca, M. (ed.) PQCrypto 2014. LNCS, vol. 8772, pp. 197–219. Springer, Cham (2014). https://doi.org/10.1007/978-3-319-11659-4_12
Regev, O.: On lattices, learning with errors, random linear codes, and cryptography. J. ACM 56(6), 40 (2009)
Schnorr, C.P.: Efficient identification and signatures for smart cards. In: Brassard, G. (ed.) CRYPTO 1989. LNCS, vol. 435, pp. 239–252. Springer, New York (1990). https://doi.org/10.1007/0-387-34805-0_22
Unruh, D.: Post-quantum security of Fiat-Shamir. In: Takagi, T., Peyrin, T. (eds.) ASIACRYPT 2017. LNCS, vol. 10624, pp. 65–95. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-70694-8_3
Appendices
A Standard Definitions
A.1 Digital Signatures
The following presents the syntax and security definition of a digital signature scheme.
Definition 4 (Digital Signatures)
A digital signature scheme for a message space \(\mathsf {M} \) is a triplet of ppt algorithms \((\mathsf {KGen},\mathsf {Sign},\mathsf {Verify})\) with the following syntax:
- \(\mathsf {KGen}\): Takes as input \(1^\kappa \) and outputs a key pair \((\mathsf {pk},\mathsf {sk})\).
- \(\mathsf {Sign}\): Takes as input \(\mathsf {sk}\), a message \(\mathsf {m} \in \mathsf {M} \) and outputs a signature \(\sigma \).
- \(\mathsf {Verify}\): Takes as input \(\mathsf {pk}\), a message \(\mathsf {m} \in \mathsf {M} \), a signature \(\sigma \) and outputs 1 if \(\sigma \) is a valid signature under \(\mathsf {pk}\) for message \(\mathsf {m}\). Otherwise, it outputs 0.
For correctness, for any \(\mathsf {m} \in \mathsf {M} \), we require that \(\mathsf {Verify} (\mathsf {pk},\mathsf {m},\sigma )=1\), where \((\mathsf {pk},\mathsf {sk})\leftarrow \mathsf {KGen} (1^\kappa )\), \(\sigma \leftarrow \mathsf {Sign} (\mathsf {sk}, \mathsf {m})\).
Definition 5
(Existential Unforgeability under Chosen Message Attacks ( \(\mathsf {UF}\text {-}\mathsf {CMA}\) ) Security). A signature scheme \(\mathsf {SGN} \) is \((t,\epsilon ,q_S,q_H)\)-\(\mathsf {UF}\text {-}\mathsf {CMA}\) secure (existentially unforgeable under chosen message attacks) if for all algorithms \(\mathcal {A} \) running in time at most t and making at most \(q_S\) queries to the signing oracle and \(q_H\) queries to the random oracle,
where for \(i \in [q_S]\), on the i-th query \(\mathsf {m} _i\) the signing oracle \(\mathsf {Sign} (\mathsf {sk},\cdot )\) returns \(\sigma _i \leftarrow \mathsf {Sign} (\mathsf {sk},\mathsf {m} _i)\) to \(\mathcal {A} \) and \(\mathcal {O}_H \) denotes query access to a random oracle.
B Correctness and Security Analysis
Lemma 1 (Correctness and Termination)
The signature scheme in Fig. 1 is perfectly correct and has a heuristic acceptance rate of
where \(b_r:=\lfloor \frac{q}{p}\rfloor -1\).
Proof
Let \(( \mathbf {z} , c)\) be the output of \(\mathsf {Sign} (\mathsf {sk},\mathsf {m})\) for \(\mathsf {m} \in \mathsf {M} \) and \((\mathsf {sk},\mathsf {pk})\leftarrow \mathsf {KGen} (1^\kappa )\). By the acceptance condition, \( \mathbf {r} ^t \mathbf {A} - c \mathbf {e} ^t \in \mathsf {Good} \) always holds. By the definition of the set \(\mathsf {Good} \), the coefficients of each entry of \( \mathbf {r} ^t \mathbf {A} - c \mathbf {e} ^t\) have a distance larger than \(b_e \) from the rounding borders (namely, \(\left\lfloor \frac{\ell q}{p}\right\rfloor \) for \(\ell = -\lfloor p/2\rfloor , ..., \lfloor p/2\rfloor \)) of the rounding function \(\lfloor \cdot \rfloor _p \). Hence, \( \mathbf {r} ^t \mathbf {A} \) rounds to the same value as \( \mathbf {r} ^t \mathbf {A} - c \mathbf {e} ^t\), i.e. \(\lfloor \mathbf {r} ^t \mathbf {A} - c \mathbf {e} ^t\rfloor _p =\lfloor \mathbf {r} ^t \mathbf {A} \rfloor _p \).
By the definition of \( \mathbf {z} \) and public key (\( \mathbf {A} , \mathbf {y} \)), \( \mathbf {z} ^t \mathbf {A} - c \mathbf {y} ^t= \mathbf {r} ^t \mathbf {A} - c \mathbf {e} ^t\). Further, by the definition of c, \(c=H(\lfloor \mathbf {r} ^t \mathbf {A} \rfloor _p,\mathsf {pk},\mathsf {m})\). Thus, the verification check \(c=H(\lfloor \mathbf {z} ^t \mathbf {A} - c \mathbf {y} ^t\rfloor _p,\mathsf {pk},\mathsf {m})\) passes and \(\mathsf {Verify} \) returns 1.
For the acceptance rate \(\rho _r \), we need to compute the probability over and that \( \mathbf {r} ^t \mathbf {A} - c \mathbf {e} ^t \in \mathsf {Good} \). With overwhelming probability, \(\Vert c \mathbf {e} \Vert _\infty \le b_e \). The probability that a random element u in \(\mathbb {Z}_q\) falls in the bad region excluded in \(\mathsf {Good}\) is
For the claimed heuristic bound in the lemma statement, we use the heuristic that the coefficients of \( \mathbf {r} ^t \mathbf {A} -c \mathbf {e} ^t\) fall independently in the bad region. \(\square \)
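To make the rounding argument of Lemma 1 concrete, the following added example (not code from the paper) models the rounding function \(\lfloor \cdot \rfloor _p \), the set \(\mathsf {Good} \) and the bad region over \(\mathbb {Z}_q\) for constructed toy parameters, checks exhaustively that every element of \(\mathsf {Good} \) rounds identically after any shift of size at most \(b_e \) (while an element of the bad region need not), and derives the heuristic acceptance rate from the exact bad fraction. It assumes the rounding borders are exactly \(\lfloor \ell q/p\rfloor \) as listed in the proof, that \(\mathsf {Good} \) means circular distance greater than \(b_e \) from every border, and that a rounding value is the arc between two consecutive borders.

```python
from bisect import bisect_right

# Constructed toy parameters (not the paper's): modulus q, rounding modulus p,
# and the bound b_e on the infinity norm of c*e.
Q, P, B_E = 12289, 32, 20


def borders(q, p):
    """Rounding borders floor(l*q/p) for l = -floor(p/2), ..., floor(p/2),
    taken mod q and sorted (assumed reading of Lemma 1's border list)."""
    return sorted({(l * q) // p % q for l in range(-(p // 2), p // 2 + 1)})


def round_p(u, bs, q):
    """floor(u)_p in this toy model: index of the arc of Z_q, delimited by two
    consecutive borders, that u mod q falls into (the last arc wraps around)."""
    return (bisect_right(bs, u % q) - 1) % len(bs)


def circ_dist(a, b, q):
    """Distance between a and b on the cycle Z_q."""
    d = (a - b) % q
    return min(d, q - d)


def is_good(u, bs, q, b_e):
    """u lies in Good iff every rounding border is more than b_e away."""
    return all(circ_dist(u, b, q) > b_e for b in bs)


def bad_fraction(q, p, b_e):
    """Exact fraction of Z_q in the bad region (complement of Good)."""
    bs = borders(q, p)
    return sum(not is_good(u, bs, q, b_e) for u in range(q)) / q


def rounding_is_stable(q, p, b_e):
    """Lemma 1's argument, checked exhaustively: for every Good u and every
    shift v with |v| <= b_e (a coefficient of c*e), floor(u - v)_p equals
    floor(u)_p, so r^t A and z^t A - c y^t = r^t A - c e^t round alike."""
    bs = borders(q, p)
    for u in range(q):
        if not is_good(u, bs, q, b_e):
            continue
        target = round_p(u, bs, q)
        if any(round_p(u - v, bs, q) != target for v in range(-b_e, b_e + 1)):
            return False
    return True


def rounding_flip_in_bad_region(q, p, b_e):
    """Why the rejection is needed: first (u, v) with u in the bad region and
    |v| <= b_e such that the shift changes the rounding, or None."""
    bs = borders(q, p)
    for u in range(q):
        if is_good(u, bs, q, b_e):
            continue
        for v in range(-b_e, b_e + 1):
            if round_p(u - v, bs, q) != round_p(u, bs, q):
                return u, v
    return None


def heuristic_acceptance(q, p, b_e, n_coeffs):
    """Acceptance rate under Lemma 1's heuristic that the n coefficients of
    r^t A - c e^t fall independently (and uniformly) into the bad region."""
    return (1 - bad_fraction(q, p, b_e)) ** n_coeffs


if __name__ == "__main__":
    print("distinct borders:", len(borders(Q, P)))
    print("bad fraction:", bad_fraction(Q, P, B_E))
    print("rounding stable on Good:", rounding_is_stable(Q, P, B_E))
    print("flip in bad region (u, v):", rounding_flip_in_bad_region(Q, P, B_E))
    print("heuristic acceptance, 8 coeffs:", heuristic_acceptance(Q, P, B_E, 8))
```

With these toy values each of the 32 borders excludes \(2b_e+1\) elements, so the bad fraction is exactly \(32\cdot 41/q\), and the acceptance rate of a vector with n coefficients is that complement raised to the n-th power.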
In Theorem 2 below, we prove that our signature scheme is \(\mathsf {UF}\text {-}\mathsf {CMA}\) secure in the ROM.
Theorem 2
Let LWE be \((t_{\mathsf {LWE}},\epsilon _{\mathsf {LWE}})\)-hard, \(\mathsf {ABDD}\) be \((t_{\mathsf {ABDD}},\epsilon _{\mathsf {ABDD}})\)-hard and \(H_\infty (\lfloor \mathbf {r} ^t \mathbf {A} \rfloor _p \mid \mathbf {A} )\ge \xi \). Then, the signature scheme in Fig. 1 is (\( t_\mathcal {A}, \epsilon _\mathcal {A}, q_S,q_H\))-\(\mathsf {UF}\text {-}\mathsf {CMA}\) secure in the programmable random oracle model, where \( t_\mathcal {A} \approx t_{\mathsf {LWE}}+t_{\mathsf {ABDD}}\) and \( \epsilon _\mathcal {A} \le \epsilon _{\mathsf {LWE}}+q_H\epsilon _{\mathsf {ABDD}}+q_S2^{-\kappa }+\kappa ^2\rho _r ^{-2}q_S^22^{-\xi }+2\kappa \rho _r ^{-1}q_Sq_H2^{-\xi }\).
Proof
On a high level, we prove this theorem in two hybrids. In the first hybrid, we exploit the programmability of the random oracle to respond to signature queries without knowing the secret key. This step of faithfully simulating signatures without knowing the secret key crucially relies on the rejection sampling condition.
In the second hybrid, the public key of our signature scheme is replaced with uniform randomness. In this hybrid, there is no secret key that allows signing messages and, furthermore, it is infeasible for an adversary who cannot program the random oracle to forge signatures.
In the following, we define the two hybrids and show that: 1) by a statistical argument, simulated signatures are identically distributed as signatures created by the signing algorithm with access to the secret key, i.e. every algorithm has the same advantage in the \(\mathsf {UF}\text {-}\mathsf {CMA}\) game and hybrid 1; 2) there is no algorithm that has a different advantage in hybrid 1 and hybrid 2, unless it implicitly breaks the LWE assumption; 3) there is no algorithm that can forge a signature in hybrid 2, unless it implicitly breaks the \(\mathsf {ABDD}\) assumption.
To summarize, this proves the theorem statement. The detailed description of the hybrids and the \(\mathsf {UF}\text {-}\mathsf {CMA}\) game are depicted in Fig. 2.
We start the formal argument by showing that any adversary that is successful in the \(\mathsf {UF}\text {-}\mathsf {CMA}\) game is also successful in hybrid 1.
Lemma 2
Let there be an algorithm that \((t,\epsilon ,q_S,q_H)\) breaks the \(\mathsf {UF}\text {-}\mathsf {CMA}\) security and \(H_\infty (\lfloor \mathbf {r} ^t \mathbf {A} \rfloor _p \mid \mathbf {A} )\ge \xi \). Then, there is also an algorithm that \((t',\epsilon ',q_S',q_H')\) forges a signature in hybrid 1 for \(t'\approx t\), \(\epsilon '\ge \epsilon -q_S2^{-\kappa }-\kappa ^2\rho _r ^{-2}q_S^22^{-\xi }-2\kappa \rho _r ^{-1}q_Sq_H2^{-\xi }\), \(q_S'=q_S\), and \(q_H'=q_H\).
Proof
The difference between the \(\mathsf {UF}\text {-}\mathsf {CMA}\) game and hybrid 1 is how signing queries are answered. In the \(\mathsf {UF}\text {-}\mathsf {CMA}\) game, one first samples , computes \({c}=H(\lfloor \mathbf {r} ^t \mathbf {A} \rfloor _p,\mathsf {pk},\mathsf {m})\), rejects if \( \mathbf {r} ^t \mathbf {A} -c \mathbf {e} ^t\not \in \mathsf {Good} \) and then computes \( \mathbf {z} = \mathbf {r} +c \mathbf {s} \). In hybrid 1, one samples first , , rejects if \( \mathbf {z} ^t \mathbf {A} -c \mathbf {y} ^t\not \in \mathsf {Good} \) and finally programs the random oracle H on point \((\lfloor \mathbf {z} ^t \mathbf {A} -c \mathbf {y} ^t\rfloor _p,( \mathbf {A} , \mathbf {y} ),\mathsf {m})\) to be equal to c. In the following, we show that created signatures \(( \mathbf {z} ,c)\) have the same distribution.
As a first intermediate step, we want to show that the generated signatures \(( \mathbf {z} ,c)\) before the rejection have the same distribution in game \(\mathsf {UF}\text {-}\mathsf {CMA}\) and hybrid 1. This can only be the case if the reprogramming step of the oracle does not fail. Except with probability \(q_S2^{-\kappa }\), there are at most \(\kappa /\rho _r \) many reprogrammings per signature for all signature queries. The amount of defined points of the random oracle within hybrid 1 is upper bounded by \(\kappa \rho _r ^{-1}q_S+q_H\). At each reprogramming step, \(\lfloor \mathbf {r} ^t \mathbf {A} \rfloor _p \) has at least min-entropy \(\xi \) given \( \mathbf {A} \). Hence the probability that the random oracle is already defined for partial input \(\lfloor \mathbf {r} ^t \mathbf {A} \rfloor _p \) is at most \((\kappa \rho _r ^{-1}q_S+q_H)2^{-\xi }\). Since there are at most \(\kappa \rho _r ^{-1}q_S\) reprogramming steps, the probability that reprogramming the random oracle fails in hybrid 1 is upper bounded by \(q_S2^{-\kappa }+\kappa \rho _r ^{-1}q_S(\kappa \rho _r ^{-1}q_S+q_H)2^{-\xi }\). For the remaining parts of the proof, we assume that the reprogramming does not fail.
The challenge c in game \(\mathsf {UF}\text {-}\mathsf {CMA}\) is the output of the random oracle on input \(\lfloor \mathbf {r} ^t \mathbf {A} \rfloor _p,( \mathbf {A} , \mathbf {y} ),\mathsf {m} \) and therefore uniformly distributed. In hybrid 1, c is sampled uniformly at random and programmed to be the output of the oracle on input \(\lfloor \mathbf {z} ^t \mathbf {A} -c \mathbf {y} ^t\rfloor _p,( \mathbf {A} , \mathbf {y} ),\mathsf {m} \). Under the premise that \(\lfloor \mathbf {z} ^t \mathbf {A} -c \mathbf {y} ^t\rfloor _p =\lfloor \mathbf {r} ^t \mathbf {A} \rfloor _p \), c has the same distribution in game \(\mathsf {UF}\text {-}\mathsf {CMA}\) and hybrid 1.
We focus now on showing that \( \mathbf {z} \) has the same distribution. In game \(\mathsf {UF}\text {-}\mathsf {CMA}\), \( \mathbf {z} := \mathbf {r} +c \mathbf {s} \), where . In hybrid 1, and we can define \( \mathbf {r} := \mathbf {z} -c \mathbf {s} \). Therefore in hybrid 1, \( \mathbf {r} \) is also uniform and \( \mathbf {z} \) is determined by \( \mathbf {r} \), \( \mathbf {s} \) and \( \mathbf {c} \) as in \(\mathsf {UF}\text {-}\mathsf {CMA}\).
It is left to show that the premise \(\lfloor \mathbf {z} ^t \mathbf {A} -c \mathbf {y} ^t\rfloor _p =\lfloor \mathbf {r} ^t \mathbf {A} \rfloor _p \) is implied by the rejection condition and that the rejection condition does not introduce any difference between the signature distributions in game \(\mathsf {UF}\text {-}\mathsf {CMA}\) and hybrid 1. The latter is easy to show. \( \mathbf {r} ^t \mathbf {A} - c \mathbf {e} ^t \in \mathsf {Good} \) is equivalent to \( \mathbf {z} ^t \mathbf {A} - c \mathbf {y} ^t \in \mathsf {Good} \), because \( \mathbf {r} ^t \mathbf {A} - c \mathbf {e} ^t= \mathbf {z} ^t \mathbf {A} - c \mathbf {y} ^t\). Obviously, we could replace the rejection condition in the original scheme with the publicly verifiable condition \( \mathbf {z} ^t \mathbf {A} - c \mathbf {y} ^t \in \mathsf {Good} \) that we need in hybrid 1. The only reason against it is a slight performance gain due to the fact that \( \mathbf {r} ^t \mathbf {A} \) has already been computed when evaluating the random oracle.
By the same argument as used for correctness (see Lemma 1), \( \mathbf {r} ^t \mathbf {A} - c \mathbf {e} ^t \in \mathsf {Good} \) implies \(\lfloor \mathbf {z} ^t \mathbf {A} -c \mathbf {y} ^t\rfloor _p =\lfloor \mathbf {r} ^t \mathbf {A} \rfloor _p \). Therefore all signatures obtained by the adversary, i.e. that pass the rejection condition, have the same distribution in hybrid 1 and game \(\mathsf {UF}\text {-}\mathsf {CMA}\).
All other signatures, i.e. the ones that trigger the rejection condition, remain hidden, and an adversary could at most observe a reprogrammed challenge. This might be a problem, because there could be a slight bias in the random oracle, since the partial input \(\lfloor \mathbf {z} ^t \mathbf {A} -c \mathbf {y} ^t\rfloor _p \) might be biased with respect to the output c (this bias disappears for non-rejected signatures, where \(\lfloor \mathbf {z} ^t \mathbf {A} -c \mathbf {y} ^t\rfloor _p =\lfloor \mathbf {r} ^t \mathbf {A} \rfloor _p \)). But in order to detect this bias, the adversary would need to guess \(\lfloor \mathbf {z} ^t \mathbf {A} -c \mathbf {y} ^t\rfloor _p \), which has at least min-entropy \(\xi \) for the same reason that \(\lfloor \mathbf {r} ^t \mathbf {A} \rfloor _p \) has at least min-entropy \(\xi \). The ability of an adversary to detect this bias is upper bounded by \(\kappa \rho _r ^{-1}q_Sq_H2^{-\xi }\). \(\square \)
Lemma 3
Let there be an algorithm that \((t,\epsilon ,q_S,q_H)\) forges a signature in hybrid 1 and let LWE be \((t_{\mathsf {LWE}},\epsilon _{\mathsf {LWE}})\)-secure. Then, there is also an algorithm that \((t',\epsilon ',q_S',q_H')\) forges a signature in hybrid 2 for \(t'\approx t+t_{\mathsf {LWE}}\), \(\epsilon '\ge \epsilon -\epsilon _{\mathsf {LWE}}\), \(q_S'=q_S\), and \(q_H'=q_H\).
Proof
The lemma follows from a straightforward reduction to LWE. The only difference between hybrid 1 and hybrid 2 is the distribution of the public key (\( \mathbf {A} , \mathbf {y} \)). In hybrid 1, it is LWE distributed, while uniform in hybrid 2. If there is an algorithm that \(\epsilon \) forges in hybrid 1 and \(\epsilon '\) forges in hybrid 2, then LWE can be told apart from uniform with advantage \(|\epsilon -\epsilon '|\), i.e. \(\epsilon _{\mathsf {LWE}}\ge |\epsilon -\epsilon '|\). \(\square \)
Lemma 4
Let there be an algorithm that \((t,\epsilon ,q_S,q_H)\) forges a signature in hybrid 2. Then, there is also an algorithm that \((t_{\mathsf {ABDD}},\epsilon _{\mathsf {ABDD}})\) solves \(\mathsf {ABDD}\) for \(t_{\mathsf {ABDD}}\approx t\), \(\epsilon _{\mathsf {ABDD}}\ge \frac{1}{q_H}\epsilon \).
Proof
We prove the lemma by embedding an \(\mathsf {ABDD}\) challenge in hybrid 2 such that if an algorithm forges successfully, it solves the \(\mathsf {ABDD}\) problem. This is straightforward. We use the \(\mathsf {ABDD}\) challenge (\( \mathbf {A} , \mathbf {y} \)) as the public key in hybrid 2. We guess a random oracle query for point \(( \mathbf {w} ,( \mathbf {A} , \mathbf {y} ),\mathsf {m} ^*)\) and request a challenge c for query \( \mathbf {w} ^*= \mathbf {w} \) from the \(\mathsf {ABDD}\) challenger. We program the random oracle by setting \(H( \mathbf {w} ,( \mathbf {A} , \mathbf {y} ),\mathsf {m} ^*)={c}\). With probability \(\frac{1}{q_H}\), the forgery will be for this c and message \(\mathsf {m} ^*\), and thereby a valid signature \(( \mathbf {z} ,{c})\) contains a valid \(\mathsf {ABDD}\) solution \( \mathbf {z} \). \(\square \)
For applicability of Theorem 2, we need to show that \(\xi \le H_\infty (\lfloor \mathbf {r} ^t \mathbf {A} \rfloor _p \mid \mathbf {A} )\) is sufficiently large. Technically, it would be sufficient to show that it is hard for any efficient adversary to compute \(\lfloor \mathbf {r} ^t \mathbf {A} \rfloor _p \) given \( \mathbf {A} \), since it only needs to be hard for an efficient adversary to guess the points at which the random oracle is going to be programmed during the simulation. However, relying on computational intractability is not necessary.
Instead, we use a similar approach as used by Bai and Galbraith [5, Lemma 3], relying on the fact that the public key component \( \mathbf {A} \) has at least one invertible ring element. Unlike [5], we do not need to rely on a Gaussian heuristic, since in our case \( \mathbf {r} \) is chosen uniformly at random, which leads to a very simple analysis.
Lemma 5
For any \( \mathbf {A} \in R^{l\times k}_q\) with an invertible entry \(a_{i,j}\in R_q\),
where \(\lfloor \mathbf {r} ^t \mathbf {A} \rfloor _p \in \mathbb {Z}_{p}^m\).
Proof
Since \(a_{i,j}\) is invertible,
The rounding function loses \(\log (q/p)\) entropy at each of the d coefficients of \(r_i\in R _q\) with respect to the coefficient embedding. \(\square \)
© 2021 Springer Nature Switzerland AG
Behnia, R., Chen, Y., Masny, D. (2021). On Removing Rejection Conditions in Practical Lattice-Based Signatures. In: Cheon, J.H., Tillich, JP. (eds) Post-Quantum Cryptography. PQCrypto 2021. Lecture Notes in Computer Science(), vol 12841. Springer, Cham. https://doi.org/10.1007/978-3-030-81293-5_20
DOI: https://doi.org/10.1007/978-3-030-81293-5_20
Publisher Name: Springer, Cham
Print ISBN: 978-3-030-81292-8
Online ISBN: 978-3-030-81293-5