Quantum-Resistant 1-out-of-N Oblivious Signatures from Lattices

  • Conference paper
  • Published in: Advances in Information and Computer Security (IWSEC 2022)

Abstract

As business activities and information exchange increasingly move online, digital signatures, among other cryptographic techniques, have been developed to help authenticate the source and integrity of digital information when it is transferred. Various types of signature primitives, such as ring signatures and blind signatures, have been introduced to satisfy privacy-protection needs ranging from ensuring the anonymity of a signer to keeping the content to be signed secret from the signer. Among these, the 1-out-of-N oblivious signature scheme, introduced by Chen (ESORICS ’94) and later formalized by Tso et al. (ISPEC ’08), provides a further basis of trust while preserving the signature requestor’s privacy as blind signatures do. In this scheme, a recipient first selects a set of messages, one of which is the message he or she intends to obtain a signature for. After interacting with a signer, the recipient obtains a signature on the predetermined message, while the signer only knows that he or she signed one of the messages and remains oblivious to exactly which one. However, all existing oblivious signature schemes are built upon the hardness of number-theoretic problems, which, as Shor demonstrated in 1994, cannot withstand attacks from quantum adversaries. To address this problem, this work proposes a novel quantum-resistant 1-out-of-N oblivious signature scheme based on the SIS hardness assumption. We also provide security proofs demonstrating that the security requirements of ambiguity and strong unforgeability are satisfied in the random oracle model. To the best of our knowledge, the proposed scheme is the first 1-out-of-N oblivious signature that is secure against quantum adversaries.

J.-S. You and Z.-Y. Liu—Equal contributions.

Notes

  1. The solution \(\mathbf {v}\) exists only when \(\beta \ge \sqrt{m}q^{n/m}\).

  2. Since the signer has obtained all messages from the recipient, allowing the signer to also obtain the final signature would enable an unavoidable attack: the signer could check which message the signature verifies against and thus learn which message the recipient pre-selected.

  3. https://www.sagemath.org/.

References

  1. Ajtai, M.: Generating hard instances of lattice problems (extended abstract). In: STOC 1996, pp. 99–108. ACM (1996)

  2. Banaszczyk, W.: New bounds in some transference theorems in the geometry of numbers. Mathematische Annalen 296(1), 625–635 (1993)

  3. Baum, C., Lin, H., Oechsner, S.: Towards practical lattice-based one-time linkable ring signatures. In: Naccache, D., Xu, S., Qing, S., Samarati, P., Blanc, G., Lu, R., Zhang, Z., Meddahi, A. (eds.) ICICS 2018. LNCS, vol. 11149, pp. 303–322. Springer, Cham (2018). https://doi.org/10.1007/978-3-030-01950-1_18

  4. Bellare, M., Neven, G.: Multi-signatures in the plain public-key model and a general forking lemma. In: CCS 2006, pp. 390–399. ACM (2006)

  5. Bellini, E., Caullery, F., Hasikos, A., Manzano, M., Mateu, V.: Code-based signature schemes from identification protocols in the rank metric. In: Camenisch, J., Papadimitratos, P. (eds.) CANS 2018. LNCS, vol. 11124, pp. 277–298. Springer, Cham (2018). https://doi.org/10.1007/978-3-030-00434-7_14

  6. Bernstein, D.J., Hülsing, A., Kölbl, S., Niederhagen, R., Rijneveld, J., Schwabe, P.: The SPHINCS+ signature framework. In: CCS 2019, pp. 2129–2146. ACM (2019)

  7. Beullens, W., Kleinjung, T., Vercauteren, F.: CSI-FiSh: efficient isogeny based signatures through class group computations. In: Galbraith, S.D., Moriai, S. (eds.) ASIACRYPT 2019, Part I. LNCS, vol. 11921, pp. 227–247. Springer, Cham (2019). https://doi.org/10.1007/978-3-030-34578-5_9

  8. Brickell, J., Porter, D.E., Shmatikov, V., Witchel, E.: Privacy-preserving remote diagnostics. In: CCS 2007, pp. 498–507. ACM (2007)

  9. Chaum, D.: Blind signatures for untraceable payments. In: CRYPTO 1982, pp. 199–203. Plenum Press, New York (1982)

  10. Chaum, D., van Heyst, E.: Group signatures. In: Davies, D.W. (ed.) EUROCRYPT 1991. LNCS, vol. 547, pp. 257–265. Springer, Heidelberg (1991). https://doi.org/10.1007/3-540-46416-6_22

  11. Chen, L.: Oblivious signatures. In: Gollmann, D. (ed.) ESORICS 1994. LNCS, vol. 875, pp. 161–172. Springer, Heidelberg (1994). https://doi.org/10.1007/3-540-58618-0_62

  12. Chu, C.-K., Tzeng, W.-G.: Efficient k-out-of-n oblivious transfer schemes with adaptive and non-adaptive queries. In: Vaudenay, S. (ed.) PKC 2005. LNCS, vol. 3386, pp. 172–183. Springer, Heidelberg (2005). https://doi.org/10.1007/978-3-540-30580-4_12

  13. Decru, T., Panny, L., Vercauteren, F.: Faster SeaSign signatures through improved rejection sampling. In: Ding, J., Steinwandt, R. (eds.) PQCrypto 2019. LNCS, vol. 11505, pp. 271–285. Springer, Cham (2019). https://doi.org/10.1007/978-3-030-25510-7_15

  14. Ducas, L., Durmus, A., Lepoint, T., Lyubashevsky, V.: Lattice signatures and bimodal Gaussians. In: Canetti, R., Garay, J.A. (eds.) CRYPTO 2013, Part I. LNCS, vol. 8042, pp. 40–56. Springer, Heidelberg (2013). https://doi.org/10.1007/978-3-642-40041-4_3

  15. Ducas, L., et al.: Crystals-Dilithium: a lattice-based digital signature scheme. IACR Trans. Cryptogr. Hardw. Embed. Syst. 2018(1), 238–268 (2018)

  16. Fiat, A., Shamir, A.: How to prove yourself: practical solutions to identification and signature problems. In: Odlyzko, A.M. (ed.) CRYPTO 1986. LNCS, vol. 263, pp. 186–194. Springer, Heidelberg (1987). https://doi.org/10.1007/3-540-47721-7_12

  17. Gibson, J.P., Krimmer, R., Teague, V., Pomares, J.: A review of E-voting: the past, present and future. Ann. Telecommun. 71(7), 279–286 (2016). https://doi.org/10.1007/s12243-016-0525-8

  18. Han, F., Qin, J., Hu, J.: Secure searches in the cloud: a survey. Future Gener. Comput. Syst. 62, 66–75 (2016)

  19. Hauck, E., Kiltz, E., Loss, J., Nguyen, N.K.: Lattice-based blind signatures, revisited. In: Micciancio, D., Ristenpart, T. (eds.) CRYPTO 2020, Part II. LNCS, vol. 12171, pp. 500–529. Springer, Cham (2020). https://doi.org/10.1007/978-3-030-56880-1_18

  20. He, D., Zeadally, S., Kumar, N., Lee, J.H.: Anonymous authentication for wireless body area networks with provable security. IEEE Syst. J. 11(4), 2590–2601 (2017)

  21. Hülsing, A.: W-OTS+ – shorter signatures for hash-based signature schemes. In: Youssef, A., Nitaj, A., Hassanien, A.E. (eds.) AFRICACRYPT 2013. LNCS, vol. 7918, pp. 173–188. Springer, Heidelberg (2013). https://doi.org/10.1007/978-3-642-38553-7_10

  22. Impagliazzo, R., Naor, M.: Efficient cryptographic schemes provably as secure as subset sum. J. Cryptol. 9(4), 199–216 (1996). https://doi.org/10.1007/BF00189260

  23. Kaim, G., Canard, S., Roux-Langlois, A., Traoré, J.: Post-quantum online voting scheme. In: Bernhard, M., et al. (eds.) FC 2021. LNCS, vol. 12676, pp. 290–305. Springer, Heidelberg (2021). https://doi.org/10.1007/978-3-662-63958-0_25

  24. Khan, K.M., Arshad, J., Khan, M.M.: Empirical analysis of transaction malleability within blockchain-based E-voting. Comput. Secur. 100, 102081 (2021)

  25. Kiltz, E., Lyubashevsky, V., Schaffner, C.: A concrete treatment of Fiat-Shamir signatures in the quantum random-oracle model. In: Nielsen, J.B., Rijmen, V. (eds.) EUROCRYPT 2018, Part III. LNCS, vol. 10822, pp. 552–586. Springer, Cham (2018). https://doi.org/10.1007/978-3-319-78372-7_18

  26. Lyubashevsky, V.: Lattice signatures without trapdoors. In: Pointcheval, D., Johansson, T. (eds.) EUROCRYPT 2012. LNCS, vol. 7237, pp. 738–755. Springer, Heidelberg (2012). https://doi.org/10.1007/978-3-642-29011-4_43

  27. Lyubashevsky, V., Nguyen, N.K., Seiler, G.: SMILE: set membership from ideal lattices with applications to ring signatures and confidential transactions. In: Malkin, T., Peikert, C. (eds.) CRYPTO 2021, Part II. LNCS, vol. 12826, pp. 611–640. Springer, Cham (2021). https://doi.org/10.1007/978-3-030-84245-1_21

  28. Micciancio, D., Mol, P.: Pseudorandom knapsacks and the sample complexity of LWE search-to-decision reductions. In: Rogaway, P. (ed.) CRYPTO 2011. LNCS, vol. 6841, pp. 465–484. Springer, Heidelberg (2011). https://doi.org/10.1007/978-3-642-22792-9_26

  29. Naor, M., Pinkas, B.: Computationally secure oblivious transfer. J. Cryptol. 18(1), 1–35 (2005). https://doi.org/10.1007/s00145-004-0102-6

  30. Pointcheval, D., Stern, J.: Security arguments for digital signatures and blind signatures. J. Cryptol. 13(3), 361–396 (2000). https://doi.org/10.1007/s001450010003

  31. Rivest, R.L., Shamir, A., Tauman, Y.: How to leak a secret. In: Boyd, C. (ed.) ASIACRYPT 2001. LNCS, vol. 2248, pp. 552–565. Springer, Heidelberg (2001). https://doi.org/10.1007/3-540-45682-1_32

  32. Schemer, C., Masur, P.K., Geiß, S., Müller, P., Schäfer, S.: The impact of Internet and social media use on well-being: a longitudinal analysis of adolescents across nine years. J. Comput. Mediat. Commun. 26(1), 1–21 (2021)

  33. Shor, P.W.: Algorithms for quantum computation: discrete logarithms and factoring. In: FOCS 1994, pp. 124–134. IEEE (1994)

  34. Song, Y., Huang, X., Mu, Y., Wu, W., Wang, H.: A code-based signature scheme from the Lyubashevsky framework. Theor. Comput. Sci. 835, 15–30 (2020)

  35. Tso, R.: Two-in-one oblivious signatures secure in the random oracle model. In: Chen, J., Piuri, V., Su, C., Yung, M. (eds.) NSS 2016. LNCS, vol. 9955, pp. 143–155. Springer, Cham (2016). https://doi.org/10.1007/978-3-319-46298-1_10

  36. Tso, R.: Two-in-one oblivious signatures. Future Gener. Comput. Syst. 101, 467–475 (2019)

  37. Tso, R., Okamoto, T., Okamoto, E.: 1-out-of-n oblivious signatures. In: Chen, L., Mu, Y., Susilo, W. (eds.) ISPEC 2008. LNCS, vol. 4991, pp. 45–55. Springer, Heidelberg (2008). https://doi.org/10.1007/978-3-540-79104-1_4

  38. Zhang, Z., Gupta, B.B.: Social media security and trustworthiness: Overview and new direction. Future Gener. Comput. Syst. 86, 914–925 (2018)

Acknowledgments

This research was supported by the Ministry of Science and Technology, Taiwan (ROC), under project numbers MOST 109-2221-E-004-011-MY3, MOST 110-2221-E-004-003-, MOST 110-2622-8-004-001-, and MOST 111-2218-E-004-001-MBK.

Author information

Corresponding author

Correspondence to Raylin Tso.

Appendices

A Proof of Lemma 2

Proof

For the view of \(\mathcal {D}\), the only difference between the proposed signing algorithm and Hybrid 1 is the method of generating \(\hat{\mathbf {e}}_{i,j}\). More specifically, in our proposed signing algorithm \(\hat{\mathbf {e}}_{i,j}\) is generated by the hash function \(\mathsf {H}\), whereas in Hybrid 1 \(\hat{\mathbf {e}}_{i,j}\) is chosen randomly from the set \(\{-1,0,1\}^k\) and then programmed as the answer \(\mathsf {H}(\mathbf {P}\hat{\mathbf {e}}_{i,j} + \mathbf {A}\hat{\mathbf {s}}_{i,j} , m_{i,j}) = \mathsf {H}(\mathbf {Ay}_{i,j} + \mathbf {At}_i - \mathbf {Bv}_{i,j} , m_{i,j}) = \hat{\mathbf {e}}_{i,j}\) without checking whether \((\mathbf {Ay}_{i,j} + \mathbf {At}_i - \mathbf {Bv}_{i,j}, m_{i,j})\) had already been set. Here \(\mathbf {t}_i\) is a random vector picked by the forger \(\mathcal {R}^*\) in the ith signing query. Therefore, the ability of \(\mathcal {D}\) to distinguish the original signing oracle from Hybrid 1 depends on the probability that such a collision occurs.

From the proposed signing algorithm, we have

$$\begin{aligned} \hat{\mathbf {e}}_{i,j}&= \mathsf {H}(\mathbf {P}\hat{\mathbf {e}}_{i,j} + \mathbf {A}\hat{\mathbf {s}}_{i,j} , m_{i,j}) = \mathsf {H}(\mathbf {Ay}_{i,j} + \mathbf {At}_i - \mathbf {Bv}_{i,j} , m_{i,j}). \end{aligned}$$

Since there are \(q^n\) elements in \(\mathbb {Z}^n_q\), the probability that a freshly generated \(\mathbf {z}= \mathbf {Ay}_{i,j} + \mathbf {At}_i - \mathbf {Bv}_{i,j}\) equals a given value queried earlier in Hybrid 1 is \(\frac{1}{q^n}\). That is, for any \(\mathbf {z} \in \mathbb {Z}^n_q\), we have

$$\begin{aligned} \Pr [\mathbf {z}= \mathbf {Ay}_{i,j} + \mathbf {At}_i - \mathbf {Bv}_{i,j} \mid \mathbf {z} \xleftarrow {\$} \mathbb {Z}^n_q ] = \frac{1}{q^n}. \end{aligned}$$

In addition, the probability of obtaining a collision in each signing query is at most \(\frac{(h+s)}{q^n}\), because at most \((h+s)\) values of \(\hat{\mathbf {e}}_{i,j}\) have been set. Consequently, after s queries to the signing oracle, the probability that a collision appears is at most \(\frac{s(h+s)}{q^n}\).    \(\square \)

B Proof of Lemma 3

Proof

This lemma is almost identical to Theorem 3; the difference is that the output of Theorem 3 is \((\hat{\mathbf {s}}_{i,j}, \mathbf {v}_{i,j}=\mathbf {S}\hat{\mathbf {e}}_{i,j})\), whereas the outputs of both Hybrid 1 and Hybrid 2 are \((\hat{\mathbf {e}}_{i,j},\hat{\mathbf {s}}_{i,j})\). For any \(\mathbf {v}_{i,j}\), there always exists an \(\hat{\mathbf {e}}_{i,j} \in \{-1,0,1\}^k \) with \(\Vert \hat{\mathbf {e}}_{i,j} \Vert _1 \le \rho \) such that \(\mathbf {S}\hat{\mathbf {e}}_{i,j} = \mathbf {v}_{i,j}\). Therefore, from the distinguisher’s perspective, the distribution of \(\hat{\mathbf {e}}_{i,j}\) is almost the same in both hybrids.    \(\square \)

C Proof of Lemma 4

Proof

Let \(D_\mathsf {H} = \{ \hat{\mathbf {e}}_{i,\ell } \mid \hat{\mathbf {e}}_{i,\ell } \in \{-1,0,1\}^k\), \(\Vert \hat{\mathbf {e}}_{i,\ell }\Vert _1 \le \rho \}\) denote the range of the random oracle \(\mathsf {H}\), and let \(t=h+s\) denote the bound on the number of times that the random oracle \(\mathsf {H}\) is queried or programmed during \(\mathcal {R}^*\)’s attack. The oracle can be queried by \(\mathcal {R}^*\) directly, or it can be programmed by the signing algorithm when \(\mathcal {A}\) is asked to sign a set of messages.

Given \( \mathbf {A}\xleftarrow {\$} \mathbb {Z}^{n \times m}_q \), we pick \(\mathbf {S} \xleftarrow {\$}\{-d, \cdots ,d\}^{m\times k}\), \(\mathbf {r}_1,\cdots ,\mathbf {r}_t \xleftarrow {\$} D_\mathsf {H}\), a random coin \(\phi \) for the forger \(\mathcal {R}^*\) and another random coin \(\psi \) for the signer \(\mathcal {S}\), and finally compute the corresponding \(pk = (\mathbf {A} , \mathbf {P} = \mathbf {AS})\). Now, we use \((\mathbf {A}, \mathbf {P} ,\phi , \psi , \mathbf {r}_1, \cdots ,\mathbf {r}_t)\) as the input for the algorithm \(\mathcal {A}\). \(\mathcal {A}\) initializes the forger \(\mathcal {R}^*\) by providing the \(pk = (\mathbf {A},\mathbf {P})\) and the random coin \(\phi \). Whenever \(\mathcal {R}^*\) queries messages to be signed, \(\mathcal {A}\) executes the signing algorithm of Hybrid 2 with the signer’s random coin \(\psi \) to generate a signature. The random oracle \(\mathsf {H}\) is programmed during signing, and the reply from \(\mathsf {H}\) is assigned the first unused \(\mathbf {r}_i\) in \((\mathbf {r}_1,\cdots ,\mathbf {r}_t)\). \(\mathcal {A}\) maintains a list recording all the results of queries to \(\mathsf {H}\); thus, a query receives the previously assigned \(\mathbf {r}_i\) as its response if the same query is performed more than once. Moreover, the forger \(\mathcal {R}^*\) can query the random oracle \(\mathsf {H}\) directly and receive an unused \(\mathbf {r}_i\) from \((\mathbf {r}_1,\cdots ,\mathbf {r}_t)\) as the reply, unless the same query was performed before. After \(\mathcal {R}^*\) completes these queries and outputs a forged signature with probability \(\zeta \), \(\mathcal {A}\) simply outputs the output of \(\mathcal {R}^*\).

After s queries, \(\mathcal {R}^*\) outputs with probability \(\zeta \) a signature corresponding to a message \(m_{i,\ell }\) that includes \((\hat{\mathbf {e}}_{i,\ell }, \hat{\mathbf {s}}_{i,\ell })\) such that \(\Vert \hat{\mathbf {s}}_{i,\ell }\Vert \le \eta \sigma \sqrt{m}\) and \(\hat{\mathbf {e}}_{i,\ell } = \mathsf {H}( (\mathbf {P}\hat{\mathbf {e}}_{i,\ell } + \mathbf {A}\hat{\mathbf {s}}_{i,\ell }), m_{i,\ell })\). If \(( \mathbf {P}\hat{\mathbf {e}}_{i,\ell } + \mathbf {A}\hat{\mathbf {s}}_{i,\ell })\) was neither queried to the random oracle \(\mathsf {H}\) nor programmed by the signing algorithm, then the probability that \(\mathcal {R}^*\) produces an \(\hat{\mathbf {e}}_{i,\ell }\) such that \(\hat{\mathbf {e}}_{i,\ell } \leftarrow \mathsf {H}( (\mathbf {P}\hat{\mathbf {e}}_{i,\ell } + \mathbf {A}\hat{\mathbf {s}}_{i,\ell }), m_{i,\ell })\) is only \(1/|D_\mathsf {H}|\). Thus, \(\hat{\mathbf {e}}_{i,\ell }\) is equal to one of the \(\mathbf {r}_i\) with probability \(1 - 1/|D_\mathsf {H}|\). Therefore, the probability that \(\mathcal {R}^*\) succeeds in forging and that \(\hat{\mathbf {e}}_{i,\ell }\) is one of the \(\mathbf {r}_i\) is at least \(\zeta - 1/|D_\mathsf {H}|\). Let such \(\hat{\mathbf {e}}_{i,\ell } = \mathbf {r}_i\); then \(\mathbf {r}_i\) may have been obtained in two ways: either it was programmed during signing, or it was a reply from the random oracle queried by \(\mathcal {R}^*\).

In the first case, suppose that \(\mathcal {A}\) programmed the random oracle \(\mathsf {H}((\mathbf {P}\hat{\mathbf {e}}_{i,\ell } + \mathbf {A}\hat{\mathbf {s}}'_{i,\ell }), m'_{i,\ell }) = \hat{\mathbf {e}}_{i,\ell }\) when it was signing a message \(m'_{i,\ell }\) in the ith query. After the forger \(\mathcal {R}^*\) outputs a valid forged “semi-signature” \((\hat{\mathbf {e}}_{i,\ell }, \hat{\mathbf {s}}_{i,\ell })\) for some (possibly different) message \(m_{i,\ell }\), we have \(\mathsf {H}((\mathbf {P}\hat{\mathbf {e}}_{i,\ell } + \mathbf {A}\hat{\mathbf {s}}'_{i,\ell }), m'_{i,\ell }) = \mathsf {H}((\mathbf {P}\hat{\mathbf {e}}_{i,\ell } + \mathbf {A}\hat{\mathbf {s}}_{i,\ell }), m_{i,\ell })\). If \(m_{i,\ell } \ne m'_{i,\ell }\) or \((\mathbf {P}\hat{\mathbf {e}}_{i,\ell } + \mathbf {A}\hat{\mathbf {s}}'_{i,\ell }) \ne (\mathbf {P}\hat{\mathbf {e}}_{i,\ell } + \mathbf {A}\hat{\mathbf {s}}_{i,\ell })\), then \(\mathcal {R}^*\) has found a preimage of \(\mathbf {r}_i\). However, this cannot occur because the hash function \(\mathsf {H}\) is collision resistant. If \(m_{i,\ell } = m'_{i,\ell }\) and \((\mathbf {P}\hat{\mathbf {e}}_{i,\ell } + \mathbf {A}\hat{\mathbf {s}}'_{i,\ell }) = (\mathbf {P}\hat{\mathbf {e}}_{i,\ell } + \mathbf {A}\hat{\mathbf {s}}_{i,\ell })\), we obtain \( \mathbf {A}(\hat{\mathbf {s}}_{i,\ell }-\hat{\mathbf {s}}'_{i,\ell }) = \mathbf {0}\). We know that \(\hat{\mathbf {s}}_{i,\ell } \ne \hat{\mathbf {s}}'_{i,\ell }\), since otherwise \((\hat{\mathbf {e}}_{i,\ell }, \hat{\mathbf {s}}_{i,\ell })\) would be identical to the previous “semi-signature” \((\hat{\mathbf {e}}'_{i,\ell }, \hat{\mathbf {s}}'_{i,\ell })\). Because \(\Vert \hat{\mathbf {s}}_{i,\ell }\Vert , \Vert \hat{\mathbf {s}}'_{i,\ell }\Vert \le \eta \sigma \sqrt{m}\), we obtain \(\Vert \hat{\mathbf {s}}_{i,\ell }-\hat{\mathbf {s}}'_{i,\ell }\Vert \le 2\eta \sigma \sqrt{m}\).

For the second case, suppose \(\mathbf {r}_k\) is the reply to \(\mathcal {R}^*\)’s kth query to the random oracle. We record the signature \((\mathbf {r}_k, \hat{\mathbf {s}}_{k,\ell })\) on the message \(m_{k,\ell }\) and generate fresh values \(\mathbf {r}'_k,\cdots ,\mathbf {r}'_t \xleftarrow {\$} D_\mathsf {H}\). We then rerun the algorithm \(\mathcal {A}\) with the refreshed inputs \((\mathbf {A}, \mathbf {P} ,\phi , \psi , \mathbf {r}_1, \cdots ,\mathbf {r}_{k-1},\mathbf {r}'_k,\cdots ,\mathbf {r}'_t)\). By Definition 9, the probability that \(\mathbf {r}'_k \ne \mathbf {r}_k\) and that this random-oracle answer \(\mathbf {r}'_k\) was used in \(\mathcal {R}^*\)’s forgery is at least

$$\begin{aligned} \left( \zeta - \frac{1}{|D_\mathsf {H}|} \right) \left( \frac{\zeta - 1/|D_\mathsf {H}|}{h+s} - \frac{1}{|D_\mathsf {H}|} \right) . \end{aligned}$$

With the aforementioned probability, \(\mathcal {R}^*\) outputs a signature \((\mathbf {r}'_k, \hat{\mathbf {s}}'_{k,\ell })\) for message \(m_{k,\ell }\) such that \((\mathbf {P}\hat{\mathbf {e}}'_{k,\ell } + \mathbf {A}\hat{\mathbf {s}}'_{k,\ell }) = (\mathbf {P}\hat{\mathbf {e}}_{k,\ell } + \mathbf {A}\hat{\mathbf {s}}_{k,\ell })\), where \(\hat{\mathbf {e}}'_{k,\ell } = \mathbf {r}'_k\) and \(\hat{\mathbf {e}}_{k,\ell } = \mathbf {r}_k\). Since \(\mathbf {P} = \mathbf {AS}\), we have \( \mathbf {A}(\hat{\mathbf {s}}_{k,\ell }-\hat{\mathbf {s}}'_{k,\ell }+\mathbf {S}\hat{\mathbf {e}}_{k,\ell }-\mathbf {S}\hat{\mathbf {e}}'_{k,\ell }) = \mathbf {0}\). In addition, since \(\Vert \mathbf {S}\hat{\mathbf {e}}_{k,\ell }\Vert , \Vert \mathbf {S}\hat{\mathbf {e}}'_{k,\ell }\Vert \le d\rho \sqrt{m}\), we have \(\Vert \hat{\mathbf {s}}_{k,\ell }-\hat{\mathbf {s}}'_{k,\ell }+\mathbf {S}\hat{\mathbf {e}}_{k,\ell }-\mathbf {S}\hat{\mathbf {e}}'_{k,\ell }\Vert \le (2\eta \sigma + 2d\rho )\sqrt{m}\).

We now need to show that \((\hat{\mathbf {s}}_{k,\ell }-\hat{\mathbf {s}}'_{k,\ell }+\mathbf {S}\hat{\mathbf {e}}_{k,\ell }-\mathbf {S}\hat{\mathbf {e}}'_{k,\ell }) \ne \mathbf {0}\). Before proving this, we first state Lemma 5.

Lemma 5

Given any \(\mathbf {A} \in \mathbb {Z}^{n \times m }_q\), where \( m > 64 + n \cdot \log q / \log (2d+1) \), for any randomly chosen \(\mathbf {S} \xleftarrow {\$} \{-d,\cdots ,d \}^{m \times k}\), there exists another \(\mathbf {S}' \in \{-d,\cdots ,d \}^{m \times k}\) such that \(\mathbf {AS} = \mathbf {AS}'\) with probability \(1 - 2^{-100}\).

Proof

Treat \(\mathbf {A}\) as a linear transformation whose range has \(q^n\) elements. Then at most \(q^n\) elements \(\mathbf {S} \in \{-d,\cdots ,d\}^m\) do not collide with any other element of \(\{-d,\cdots ,d \}^m\), while the set \(\{-d,\cdots ,d \}^m\) has \((2d+1)^m\) elements. Hence the probability that a randomly selected element does not collide is at most

$$\begin{aligned} \frac{q^n}{{(2d+1)}^m}&\le \frac{q^n}{(2d+1)^{64+n\log q/\log (2d+1)}}= \frac{1}{{(2d+1)}^{64}} < 2^{-100}. \end{aligned}$$

   \(\square \)

Let the cth column be a column in which \(\hat{\mathbf {e}}_{k,\ell ,c} \ne \hat{\mathbf {e}}'_{k,\ell ,c}\). By Lemma 5, we know that with probability at least \(1-2^{-100}\) a different secret key \(\mathbf {S}'\) exists such that all columns of \(\mathbf {S}'\) except column c are equal to the columns of \(\mathbf {S}\), and \(\mathbf {AS}' = \mathbf {AS}\). Clearly, if \(\hat{\mathbf {s}}_{k,\ell ,c}-\hat{\mathbf {s}}'_{k,\ell ,c}+\mathbf {S}(\hat{\mathbf {e}}_{k,\ell ,c}-\hat{\mathbf {e}}'_{k,\ell ,c}) = \mathbf {0}\), then \(\hat{\mathbf {s}}_{k,\ell ,c} - \hat{\mathbf {s}}'_{k,\ell ,c} + \mathbf {S}' (\hat{\mathbf {e}}_{k,\ell ,c} - \hat{\mathbf {e}}'_{k,\ell ,c}) \ne \mathbf {0}\). That is, for every secret key \(\mathbf {S}\) such that \(\hat{\mathbf {s}}_{k,\ell ,c}-\hat{\mathbf {s}}'_{k,\ell ,c}+\mathbf {S}(\hat{\mathbf {e}}_{k,\ell ,c}-\hat{\mathbf {e}}'_{k,\ell ,c}) = \mathbf {0}\), there is a distinct secret key \(\mathbf {S}'\), differing from \(\mathbf {S}\) only in the cth column, for which \(\hat{\mathbf {s}}_{k,\ell ,c} - \hat{\mathbf {s}}'_{k,\ell ,c} + \mathbf {S}' (\hat{\mathbf {e}}_{k,\ell ,c} - \hat{\mathbf {e}}'_{k,\ell ,c}) \ne \mathbf {0}\). Because \(\mathcal {A}\) never gave these keys to \(\mathcal {R}^*\) as input and never exposed them through the signing oracle, \(\mathcal {R}^*\) cannot tell whether we hold a secret key such as \(\mathbf {S}\) or \(\mathbf {S}'\). Therefore, each secret key has an equal probability of being the one selected.    \(\square \)
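The following Python sketch is an added illustration, not code from the paper, of two steps in the argument above on constructed toy parameters: the counting step of Lemma 5 (how many vectors in \(\{-d,\cdots,d\}^m\) have a unique image under \(\mathbf{A}\)), and the final extraction step of Appendix C, where two semi-signatures sharing a commitment but carrying different hash answers yield \(\hat{\mathbf{s}}-\hat{\mathbf{s}}'+\mathbf{S}(\hat{\mathbf{e}}-\hat{\mathbf{e}}')\), which is zero for the signer's own \(\mathbf{S}\) but a nonzero short kernel vector for an alternative key \(\mathbf{S}'\) with \(\mathbf{AS}'=\mathbf{AS}\). The response \(\hat{\mathbf{s}} = \mathbf{y}-\mathbf{S}\hat{\mathbf{e}}\) is the plain Lyubashevsky-style relation; rejection sampling and the oblivious-signing components (\(\mathbf{B}\), \(\mathbf{v}\), \(\mathbf{t}_i\)) of the paper's protocol are omitted, and every value (\(\mathbf{A}\), \(\mathbf{S}\), \(\mathbf{y}\), the two hash outputs) is constructed by hand at sizes far below anything secure.

```python
from itertools import product

# Constructed toy parameters: n = 1, m = 3, k = 2, q = 7, d = 1. They are far
# below any secure size and chosen only so that {-d..d}^m can be enumerated.
Q, D = 7, 1
A = [[1, 2, 3]]                   # public matrix, n x m (constructed)
S = [[1, 0], [-1, 1], [0, 1]]     # secret key, m x k, entries in {-d..d} (constructed)


def matvec(M, v, q=None):
    """M v, reduced mod q when q is given."""
    out = [sum(M[i][j] * v[j] for j in range(len(v))) for i in range(len(M))]
    return [x % q for x in out] if q else out


def matmul(M, N, q):
    """M N mod q."""
    return [[sum(M[i][l] * N[l][j] for l in range(len(N))) % q
             for j in range(len(N[0]))] for i in range(len(M))]


def column(M, c):
    return [row[c] for row in M]


def with_column(M, c, col):
    return [row[:c] + [col[i]] + row[c + 1:] for i, row in enumerate(M)]


def count_non_colliding(A, q, d):
    """Counting step of Lemma 5 by brute force: bucket every s in {-d..d}^m by
    A s mod q and count the vectors whose image has no other preimage.
    Returns (unique, total); Lemma 5 says unique <= q^n."""
    m = len(A[0])
    buckets = {}
    for s in product(range(-d, d + 1), repeat=m):
        buckets.setdefault(tuple(matvec(A, s, q)), []).append(s)
    unique = sum(1 for pre in buckets.values() if len(pre) == 1)
    return unique, (2 * d + 1) ** m


def alternative_key(A, S, c, q, d):
    """S' that differs from S only in column c yet satisfies A S' = A S mod q,
    the key Lemma 5 guarantees exists with overwhelming probability."""
    target = matvec(A, column(S, c), q)
    for cand in product(range(-d, d + 1), repeat=len(A[0])):
        cand = list(cand)
        if cand != column(S, c) and matvec(A, cand, q) == target:
            return with_column(S, c, cand)
    return None


def commitment(A, P, e, s, q):
    """P e + A s mod q, the value that is hashed together with the message."""
    return [(u + v) % q for u, v in zip(matvec(P, e, q), matvec(A, s, q))]


def response(S, y, e):
    """Lyubashevsky-style response s = y - S e (rejection sampling omitted)."""
    return [yi - sei for yi, sei in zip(y, matvec(S, e))]


def extract(A, key, e1, s1, e2, s2, q):
    """Forking step of Appendix C: x = s1 - s2 + key (e1 - e2). Returns (x, A x mod q)."""
    de = [a - b for a, b in zip(e1, e2)]
    x = [a - b + c for a, b, c in zip(s1, s2, matvec(key, de))]
    return x, matvec(A, x, q)


def forking_demo():
    """Two semi-signatures with the same commitment but different hash answers
    (r_k and r'_k in the proof). With the signer's own S the extracted vector is
    zero; with the colliding key S' it is a nonzero short vector in the kernel of A."""
    P = matmul(A, S, Q)
    y = [2, -1, 3]                       # masking vector (constructed)
    e1, e2 = [1, 0], [-1, 1]             # the two forked hash outputs (constructed)
    s1, s2 = response(S, y, e1), response(S, y, e2)
    assert commitment(A, P, e1, s1, Q) == commitment(A, P, e2, s2, Q) == matvec(A, y, Q)
    c = next(i for i, (a, b) in enumerate(zip(e1, e2)) if a != b)   # column where the forks differ
    S_alt = alternative_key(A, S, c, Q, D)
    x_own, _ = extract(A, S, e1, s1, e2, s2, Q)
    x_alt, Ax_alt = extract(A, S_alt, e1, s1, e2, s2, Q)
    return x_own, x_alt, Ax_alt


if __name__ == "__main__":
    print("non-colliding vectors / total:", count_non_colliding(A, Q, D))
    print("extracted with S, with S', A x':", forking_demo())
```

With the toy \(\mathbf{A}\), all 27 vectors of \(\{-1,0,1\}^3\) collide under \(\mathbf{A}\), so the non-colliding count is 0; with the identity matrix over \(q=3\), \(m=2\), every vector is unique and the count equals \(q^n = 9\), matching the bound in Lemma 5. In the forking demo the vector extracted with the signer's own key is \(\mathbf{0}\), exactly the case the proof has to rule out, while the same two semi-signatures combined with the colliding key \(\mathbf{S}'\) give a nonzero vector in the kernel of \(\mathbf{A}\).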

Copyright information

© 2022 The Author(s), under exclusive license to Springer Nature Switzerland AG

Cite this paper

You, JS., Liu, ZY., Tso, R., Tseng, YF., Mambo, M. (2022). Quantum-Resistant 1-out-of-N Oblivious Signatures from Lattices. In: Cheng, CM., Akiyama, M. (eds) Advances in Information and Computer Security. IWSEC 2022. Lecture Notes in Computer Science, vol 13504. Springer, Cham. https://doi.org/10.1007/978-3-031-15255-9_9

  • DOI: https://doi.org/10.1007/978-3-031-15255-9_9

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-031-15254-2

  • Online ISBN: 978-3-031-15255-9
