Abstract
As business activities and information exchange increasingly move online, digital signatures, among other cryptographic techniques, have been developed to authenticate the source and integrity of digital information in transit. Various signature primitives, such as ring signatures and blind signatures, have been introduced to satisfy privacy needs ranging from the anonymity of a signer to keeping the content to be signed secret from the signer. Among these, the 1-out-of-N oblivious signature scheme, introduced by Chen (ESORICS '94) and later formalized by Tso et al. (ISPEC '08), provides a further basis of trust while preserving the signature requestor's privacy as blind signatures do. In this scheme, a recipient first selects a set of messages, one of which is the message he or she intends to obtain a signature for. After interacting with a signer, the recipient obtains a signature on the predetermined message, while the signer only knows that he or she signed one of the messages and remains oblivious to exactly which one. However, all existing oblivious signature schemes are built upon the hardness of number-theoretic problems, which, as Shor demonstrated in 1994, cannot withstand attacks from quantum adversaries. To address this problem, this work proposes a novel quantum-resistant 1-out-of-N oblivious signature scheme based on the SIS hardness assumption. We also provide security proofs showing that the security requirements of ambiguity and strong unforgeability are satisfied in the random oracle model. To the best of our knowledge, the proposed scheme is the first 1-out-of-N oblivious signature that is secure against quantum adversaries.
J.-S. You and Z.-Y. Liu—Equal contributions.
Notes
1. The solution \(\mathbf {v}\) exists only when \(\beta \ge \sqrt{m}q^{n/m}\).
2. Since the signer has obtained all messages from the recipient, if he or she were allowed to obtain the signature, there would be an inevitable attack: he or she could verify which message the signature corresponds to and thereby learn which message the recipient pre-selected.
References
Ajtai, M.: Generating hard instances of lattice problems (extended abstract). In: STOC 1996, pp. 99–108. ACM (1996)
Banaszczyk, W.: New bounds in some transference theorems in the geometry of numbers. Mathematische Annalen 296(1), 625–635 (1993)
Baum, C., Lin, H., Oechsner, S.: Towards practical lattice-based one-time linkable ring signatures. In: Naccache, D., Xu, S., Qing, S., Samarati, P., Blanc, G., Lu, R., Zhang, Z., Meddahi, A. (eds.) ICICS 2018. LNCS, vol. 11149, pp. 303–322. Springer, Cham (2018). https://doi.org/10.1007/978-3-030-01950-1_18
Bellare, M., Neven, G.: Multi-signatures in the plain public-key model and a general forking lemma. In: CCS 2006, pp. 390–399. ACM (2006)
Bellini, E., Caullery, F., Hasikos, A., Manzano, M., Mateu, V.: Code-based signature schemes from identification protocols in the rank metric. In: Camenisch, J., Papadimitratos, P. (eds.) CANS 2018. LNCS, vol. 11124, pp. 277–298. Springer, Cham (2018). https://doi.org/10.1007/978-3-030-00434-7_14
Bernstein, D.J., Hülsing, A., Kölbl, S., Niederhagen, R., Rijneveld, J., Schwabe, P.: The SPHINCS+ signature framework. In: CCS 2019, pp. 2129–2146. ACM (2019)
Beullens, W., Kleinjung, T., Vercauteren, F.: CSI-FiSh: efficient isogeny based signatures through class group computations. In: Galbraith, S.D., Moriai, S. (eds.) ASIACRYPT 2019, Part I. LNCS, vol. 11921, pp. 227–247. Springer, Cham (2019). https://doi.org/10.1007/978-3-030-34578-5_9
Brickell, J., Porter, D.E., Shmatikov, V., Witchel, E.: Privacy-preserving remote diagnostics. In: CCS 2007, pp. 498–507. ACM (2007)
Chaum, D.: Blind signatures for untraceable payments. In: CRYPTO 1982, pp. 199–203. Plenum Press, New York (1982)
Chaum, D., van Heyst, E.: Group signatures. In: Davies, D.W. (ed.) EUROCRYPT 1991. LNCS, vol. 547, pp. 257–265. Springer, Heidelberg (1991). https://doi.org/10.1007/3-540-46416-6_22
Chen, L.: Oblivious signatures. In: Gollmann, D. (ed.) ESORICS 1994. LNCS, vol. 875, pp. 161–172. Springer, Heidelberg (1994). https://doi.org/10.1007/3-540-58618-0_62
Chu, C.-K., Tzeng, W.-G.: Efficient k-out-of-n oblivious transfer schemes with adaptive and non-adaptive queries. In: Vaudenay, S. (ed.) PKC 2005. LNCS, vol. 3386, pp. 172–183. Springer, Heidelberg (2005). https://doi.org/10.1007/978-3-540-30580-4_12
Decru, T., Panny, L., Vercauteren, F.: Faster SeaSign signatures through improved rejection sampling. In: Ding, J., Steinwandt, R. (eds.) PQCrypto 2019. LNCS, vol. 11505, pp. 271–285. Springer, Cham (2019). https://doi.org/10.1007/978-3-030-25510-7_15
Ducas, L., Durmus, A., Lepoint, T., Lyubashevsky, V.: Lattice signatures and bimodal Gaussians. In: Canetti, R., Garay, J.A. (eds.) CRYPTO 2013, Part I. LNCS, vol. 8042, pp. 40–56. Springer, Heidelberg (2013). https://doi.org/10.1007/978-3-642-40041-4_3
Ducas, L., et al.: Crystals-Dilithium: a lattice-based digital signature scheme. IACR Trans. Cryptogr. Hardw. Embed. Syst. 2018(1), 238–268 (2018)
Fiat, A., Shamir, A.: How to prove yourself: practical solutions to identification and signature problems. In: Odlyzko, A.M. (ed.) CRYPTO 1986. LNCS, vol. 263, pp. 186–194. Springer, Heidelberg (1987). https://doi.org/10.1007/3-540-47721-7_12
Gibson, J.P., Krimmer, R., Teague, V., Pomares, J.: A review of E-voting: the past, present and future. Ann. Telecommun. 71(7), 279–286 (2016). https://doi.org/10.1007/s12243-016-0525-8
Han, F., Qin, J., Hu, J.: Secure searches in the cloud: a survey. Future Gener. Comput. Syst. 62, 66–75 (2016)
Hauck, E., Kiltz, E., Loss, J., Nguyen, N.K.: Lattice-based blind signatures, revisited. In: Micciancio, D., Ristenpart, T. (eds.) CRYPTO 2020, Part II. LNCS, vol. 12171, pp. 500–529. Springer, Cham (2020). https://doi.org/10.1007/978-3-030-56880-1_18
He, D., Zeadally, S., Kumar, N., Lee, J.H.: Anonymous authentication for wireless body area networks with provable security. IEEE Syst. J. 11(4), 2590–2601 (2017)
Hülsing, A.: W-OTS+ – shorter signatures for hash-based signature schemes. In: Youssef, A., Nitaj, A., Hassanien, A.E. (eds.) AFRICACRYPT 2013. LNCS, vol. 7918, pp. 173–188. Springer, Heidelberg (2013). https://doi.org/10.1007/978-3-642-38553-7_10
Impagliazzo, R., Naor, M.: Efficient cryptographic schemes provably as secure as subset sum. J. Cryptol. 9(4), 199–216 (1996). https://doi.org/10.1007/BF00189260
Kaim, G., Canard, S., Roux-Langlois, A., Traoré, J.: Post-quantum online voting scheme. In: Bernhard, M., et al. (eds.) FC 2021. LNCS, vol. 12676, pp. 290–305. Springer, Heidelberg (2021). https://doi.org/10.1007/978-3-662-63958-0_25
Khan, K.M., Arshad, J., Khan, M.M.: Empirical analysis of transaction malleability within blockchain-based E-voting. Comput. Secur. 100, 102081 (2021)
Kiltz, E., Lyubashevsky, V., Schaffner, C.: A concrete treatment of Fiat-Shamir signatures in the quantum random-oracle model. In: Nielsen, J.B., Rijmen, V. (eds.) EUROCRYPT 2018, Part III. LNCS, vol. 10822, pp. 552–586. Springer, Cham (2018). https://doi.org/10.1007/978-3-319-78372-7_18
Lyubashevsky, V.: Lattice signatures without trapdoors. In: Pointcheval, D., Johansson, T. (eds.) EUROCRYPT 2012. LNCS, vol. 7237, pp. 738–755. Springer, Heidelberg (2012). https://doi.org/10.1007/978-3-642-29011-4_43
Lyubashevsky, V., Nguyen, N.K., Seiler, G.: SMILE: set membership from ideal lattices with applications to ring signatures and confidential transactions. In: Malkin, T., Peikert, C. (eds.) CRYPTO 2021, Part II. LNCS, vol. 12826, pp. 611–640. Springer, Cham (2021). https://doi.org/10.1007/978-3-030-84245-1_21
Micciancio, D., Mol, P.: Pseudorandom knapsacks and the sample complexity of LWE search-to-decision reductions. In: Rogaway, P. (ed.) CRYPTO 2011. LNCS, vol. 6841, pp. 465–484. Springer, Heidelberg (2011). https://doi.org/10.1007/978-3-642-22792-9_26
Naor, M., Pinkas, B.: Computationally secure oblivious transfer. J. Cryptol. 18(1), 1–35 (2005). https://doi.org/10.1007/s00145-004-0102-6
Pointcheval, D., Stern, J.: Security arguments for digital signatures and blind signatures. J. Cryptol. 13(3), 361–396 (2000). https://doi.org/10.1007/s001450010003
Rivest, R.L., Shamir, A., Tauman, Y.: How to leak a secret. In: Boyd, C. (ed.) ASIACRYPT 2001. LNCS, vol. 2248, pp. 552–565. Springer, Heidelberg (2001). https://doi.org/10.1007/3-540-45682-1_32
Schemer, C., Masur, P.K., Geiß, S., Müller, P., Schäfer, S.: The impact of Internet and social media use on well-being: a longitudinal analysis of adolescents across nine years. J. Comput. Mediat. Commun. 26(1), 1–21 (2021)
Shor, P.W.: Algorithms for quantum computation: discrete logarithms and factoring. In: FOCS 1994, pp. 124–134. IEEE (1994)
Song, Y., Huang, X., Mu, Y., Wu, W., Wang, H.: A code-based signature scheme from the Lyubashevsky framework. Theor. Comput. Sci. 835, 15–30 (2020)
Tso, R.: Two-in-one oblivious signatures secure in the random oracle model. In: Chen, J., Piuri, V., Su, C., Yung, M. (eds.) NSS 2016. LNCS, vol. 9955, pp. 143–155. Springer, Cham (2016). https://doi.org/10.1007/978-3-319-46298-1_10
Tso, R.: Two-in-one oblivious signatures. Future Gener. Comput. Syst. 101, 467–475 (2019)
Tso, R., Okamoto, T., Okamoto, E.: 1-out-of-n oblivious signatures. In: Chen, L., Mu, Y., Susilo, W. (eds.) ISPEC 2008. LNCS, vol. 4991, pp. 45–55. Springer, Heidelberg (2008). https://doi.org/10.1007/978-3-540-79104-1_4
Zhang, Z., Gupta, B.B.: Social media security and trustworthiness: Overview and new direction. Future Gener. Comput. Syst. 86, 914–925 (2018)
Acknowledgments
This research was supported by the Ministry of Science and Technology, Taiwan (ROC), under project numbers MOST 109-2221-E-004-011-MY3, MOST 110-2221-E-004-003-, MOST 110-2622-8-004-001-, and MOST 111-2218-E-004-001-MBK.
Appendices
A Proof of Lemma 2
Proof
From the view of \(\mathcal {D}\), the only difference between the proposed signing algorithm and Hybrid 1 is how \(\hat{\mathbf {e}}_{i,j}\) is generated. In the proposed signing algorithm, \(\hat{\mathbf {e}}_{i,j}\) is output by the hash function \(\mathsf {H}\); in Hybrid 1, \(\hat{\mathbf {e}}_{i,j}\) is chosen uniformly from the set \(\{-1,0,1\}^k\) and then programmed as the answer \(\mathsf {H}(\mathbf {P}\hat{\mathbf {e}}_{i,j} + \mathbf {A}\hat{\mathbf {s}}_{i,j} , m_{i,j}) = \mathsf {H}(\mathbf {Ay}_{i,j} + \mathbf {At}_i - \mathbf {Bv}_{i,j} , m_{i,j}) = \hat{\mathbf {e}}_{i,j}\), without checking whether \((\mathbf {Ay}_{i,j} + \mathbf {At}_i - \mathbf {Bv}_{i,j}, m_{i,j})\) had already been set. Here \(\mathbf {t}_i\) is a random vector picked by the forger \(\mathcal {R}^*\) in the ith signing query. Therefore, the ability of \(\mathcal {D}\) to distinguish the original signing oracle from Hybrid 1 depends on the probability that such a collision occurs.
From the proposed signing algorithm, we have
Since there are \(q^n\) elements in \(\mathbb {Z}^n_q\), the probability of generating a \(\mathbf {z}\) such that \(\mathbf {z}= \mathbf {Ay}_{i,j} + \mathbf {At} - \mathbf {Bv}_{i,j}\) equals one of the values previously queried in Hybrid 1 is \(\frac{1}{q^n}\). That is, for any \(\mathbf {z} \in \mathbb {Z}^n_q\), we have
In addition, the probability of a collision at each signing query is at most \(\frac{(h+s)}{q^n}\), because at most \((h+s)\) values of \(\hat{\mathbf {e}}_{i,j}\) have been set. Consequently, after s queries to the signing oracle, the probability that a collision appears is at most \(\frac{s(h+s)}{q^n}\). \(\square \)
B Proof of Lemma 3
Proof
This lemma is almost identical to Theorem 3; the difference is that the output of Theorem 3 is \((\hat{\mathbf {s}}_{i,j}, \mathbf {v}_{i,j}=\mathbf {S}\hat{\mathbf {e}}_{i,j})\), whereas the outputs of both Hybrid 1 and Hybrid 2 are \((\hat{\mathbf {e}}_{i,j},\hat{\mathbf {s}}_{i,j})\). For any \(\mathbf {v}_{i,j}\), there always exists an \(\hat{\mathbf {e}}_{i,j} \in \{-1,0,1\}^k \) with \(\Vert \hat{\mathbf {e}}_{i,j} \Vert _1 \le \rho \) such that \(\mathbf {S}\hat{\mathbf {e}}_{i,j} = \mathbf {v}_{i,j}\). Therefore, from the distinguisher's perspective, the distribution of \(\hat{\mathbf {e}}_{i,j}\) is almost the same in both hybrids. \(\square \)
C Proof of Lemma 4
Proof
Let \(D_\mathsf {H} = \{ \hat{\mathbf {e}}_{i,\ell } \mid \hat{\mathbf {e}}_{i,\ell } \in \{-1,0,1\}^k\), \(\Vert \hat{\mathbf {e}}_{i,\ell }\Vert _1 \le \rho \}\) denote the range of the random oracle \(\mathsf {H}\), and let \(t=h+s\) denote the bound on the number of times the random oracle \(\mathsf {H}\) is queried or programmed during \(\mathcal {R}^*\)'s attack. The oracle can be queried by \(\mathcal {R}^*\) directly, or programmed by the signing algorithm when \(\mathcal {A}\) inquires about the signature of a set of messages.
Given \( \mathbf {A}\xleftarrow {\$} \mathbb {Z}^{n \times m}_q \), we pick \(\mathbf {S} \xleftarrow {\$}\{-d, \cdots ,d\}^{m\times k}\), \(\mathbf {r}_1,\cdots ,\mathbf {r}_t \xleftarrow {\$} D_\mathsf {H}\), a random coin \(\phi \) for the forger \(\mathcal {R}^*\) and another random coin \(\psi \) for the signer \(\mathcal {S}\), and finally compute the corresponding \(pk = (\mathbf {A} , \mathbf {P} = \mathbf {AS})\). Now, we use \((\mathbf {A}, \mathbf {P} ,\phi , \psi , \mathbf {r}_1, \cdots ,\mathbf {r}_t)\) as the input for the algorithm \(\mathcal {A}\). \(\mathcal {A}\) initializes the forger \(\mathcal {R}^*\) by providing \(pk = (\mathbf {A},\mathbf {P})\) and the random coin \(\phi \). Whenever \(\mathcal {R}^*\) queries messages to be signed, \(\mathcal {A}\) executes the signing algorithm of Hybrid 2, using the random coin \(\psi \) for the signer, to generate a signature. The random oracle \(\mathsf {H}\) is programmed during signing, and the reply from \(\mathsf {H}\) is assigned to the first unused \(\mathbf {r}_i\) in \((\mathbf {r}_1,\cdots ,\mathbf {r}_t)\). \(\mathcal {A}\) maintains a list recording all results of queries to \(\mathsf {H}\); thus, a query receives the previously assigned \(\mathbf {r}_i\) as its response if the same query is performed multiple times. Moreover, the forger \(\mathcal {R}^*\) can query the random oracle \(\mathsf {H}\) directly and obtains as a reply an unused \(\mathbf {r}_i\) in \((\mathbf {r}_1,\cdots ,\mathbf {r}_t)\), except for queries that were already performed. After \(\mathcal {R}^*\) completes these queries and outputs a counterfeit signature with probability \(\zeta \), \(\mathcal {A}\) simply outputs the output of \(\mathcal {R}^*\).
After s queries, \(\mathcal {R}^*\) outputs, with probability \(\zeta \), a signature corresponding to a message \(m_{i,\ell }\) that includes \((\hat{\mathbf {e}}_{i,\ell }, \hat{\mathbf {s}}_{i,\ell })\) such that \(\Vert \hat{\mathbf {s}}_{i,\ell }\Vert \le \eta \sigma \sqrt{m}\) and \(\hat{\mathbf {e}}_{i,\ell } = \mathsf {H}( (\mathbf {P}\hat{\mathbf {e}}_{i,\ell } + \mathbf {A}\hat{\mathbf {s}}_{i,\ell }), m_{i,\ell })\). If \(( \mathbf {P}\hat{\mathbf {e}}_{i,\ell } + \mathbf {A}\hat{\mathbf {s}}_{i,\ell })\) was neither queried to the random oracle \(\mathsf {H}\) nor programmed by the signing algorithm, then the probability that \(\mathcal {R}^*\) produces an \(\hat{\mathbf {e}}_{i,\ell }\) such that \(\hat{\mathbf {e}}_{i,\ell } \leftarrow \mathsf {H}( (\mathbf {P}\hat{\mathbf {e}}_{i,\ell } + \mathbf {A}\hat{\mathbf {s}}_{i,\ell }), m_{i,\ell })\) is only \(1/|D_\mathsf {H}|\). Thus, \(\hat{\mathbf {e}}_{i,\ell }\) equals one of the \(\mathbf {r}_i\) with probability at least \(1 - 1/|D_\mathsf {H}|\). Therefore, the probability that \(\mathcal {R}^*\) succeeds in forging and that \(\hat{\mathbf {e}}_{i,\ell }\) is one of the \(\mathbf {r}_i\) is at least \(\zeta - 1/|D_\mathsf {H}|\). Let such \(\hat{\mathbf {e}}_{i,\ell } = \mathbf {r}_i\); then \(\mathbf {r}_i\) may have been obtained in one of two ways: either it was programmed during signing, or it was a reply from the random oracle queried directly by \(\mathcal {R}^*\).
In the first case, suppose that \(\mathcal {A}\) programmed the random oracle \(\mathsf {H}( (\mathbf {P}\hat{\mathbf {e}}_{i,\ell } + \mathbf {A}\hat{\mathbf {s}}'_{i,\ell }), m'_{i,\ell }) = \hat{\mathbf {e}}_{i,\ell }\) when it was signing a message \(m'_{i,\ell }\) in the ith query. After the forger \(\mathcal {R}^*\) outputs a valid forged "semi-signature" \((\hat{\mathbf {e}}_{i,\ell }, \hat{\mathbf {s}}_{i,\ell })\) for some (possibly different) message \(m_{i,\ell }\), we have \(\mathsf {H}((\mathbf {P}\hat{\mathbf {e}}_{i,\ell } + \mathbf {A}\hat{\mathbf {s}}'_{i,\ell }), m'_{i,\ell }) = \mathsf {H}((\mathbf {P}\hat{\mathbf {e}}_{i,\ell } + \mathbf {A}\hat{\mathbf {s}}_{i,\ell }), m_{i,\ell })\). If \(m_{i,\ell } \ne m'_{i,\ell }\) or \((\mathbf {P}\hat{\mathbf {e}}_{i,\ell } + \mathbf {A}\hat{\mathbf {s}}'_{i,\ell }) \ne (\mathbf {P}\hat{\mathbf {e}}_{i,\ell } + \mathbf {A}\hat{\mathbf {s}}_{i,\ell })\), then \(\mathcal {R}^*\) has found a preimage of \(\mathbf {r}_i\). However, this cannot occur because the hash function \(\mathsf {H}\) is collision resistant. If \(m_{i,\ell } = m'_{i,\ell }\) and \((\mathbf {P}\hat{\mathbf {e}}_{i,\ell } + \mathbf {A}\hat{\mathbf {s}}'_{i,\ell }) = (\mathbf {P}\hat{\mathbf {e}}_{i,\ell } + \mathbf {A}\hat{\mathbf {s}}_{i,\ell })\), we obtain \( \mathbf {A}(\hat{\mathbf {s}}_{i,\ell }-\hat{\mathbf {s}}'_{i,\ell }) = \mathbf {0}\). We know that \(\hat{\mathbf {s}}_{i,\ell } \ne \hat{\mathbf {s}}'_{i,\ell }\); otherwise \((\hat{\mathbf {e}}_{i,\ell }, \hat{\mathbf {s}}_{i,\ell })\) would be identical to the previous "semi-signature" \((\hat{\mathbf {e}}'_{i,\ell }, \hat{\mathbf {s}}'_{i,\ell })\). Because \(\Vert \hat{\mathbf {s}}_{i,\ell }\Vert , \Vert \hat{\mathbf {s}}'_{i,\ell }\Vert \le \eta \sigma \sqrt{m}\), we obtain \(\Vert \hat{\mathbf {s}}_{i,\ell }-\hat{\mathbf {s}}'_{i,\ell }\Vert \le 2\eta \sigma \sqrt{m}\).
For the second case, suppose \(\mathbf {r}_k\) is a reply from the random oracle queried by \(\mathcal {R}^*\) in some kth query. We record the signature \((\mathbf {r}_k, \hat{\mathbf {s}}_{k,\ell })\) on the message \(m_{k,\ell }\) and generate fresh items \(\mathbf {r}'_k,\cdots ,\mathbf {r}'_t \xleftarrow {\$} D_\mathsf {H}\). We next rerun the algorithm \(\mathcal {A}\) with the refreshed inputs \((\mathbf {A}, \mathbf {P} ,\phi , \psi , \mathbf {r}_1, \cdots ,\mathbf {r}_{k-1},\mathbf {r}'_k,\cdots ,\mathbf {r}'_t)\). By Definition 9, the probability that \(\mathbf {r}'_k \ne \mathbf {r}_k\) and that this random oracle answer \(\mathbf {r}'_k\) was used in \(\mathcal {R}^*\)'s counterfeit is at least
With the aforementioned probability, \(\mathcal {R}^*\) outputs a signature \((\mathbf {r}'_k, \hat{\mathbf {s}}'_{k,\ell })\) for message \(m_{k,\ell }\) such that \((\mathbf {P}\hat{\mathbf {e}}'_{k,\ell } + \mathbf {A}\hat{\mathbf {s}}'_{k,\ell }) = (\mathbf {P}\hat{\mathbf {e}}_{k,\ell } + \mathbf {A}\hat{\mathbf {s}}_{k,\ell })\), where \(\hat{\mathbf {e}}'_{k,\ell } = \mathbf {r}'_k\) and \(\hat{\mathbf {e}}_{k,\ell } = \mathbf {r}_k\). Since \(\mathbf {P} = \mathbf {AS}\), we have \( \mathbf {A}(\hat{\mathbf {s}}_{k,\ell }-\hat{\mathbf {s}}'_{k,\ell }+\mathbf {S}\hat{\mathbf {e}}_{k,\ell }-\mathbf {S}\hat{\mathbf {e}}'_{k,\ell }) = \mathbf {0}\). In addition, since \(\Vert \mathbf {S}\hat{\mathbf {e}}_{k,\ell }\Vert , \Vert \mathbf {S}\hat{\mathbf {e}}'_{k,\ell }\Vert \le d\rho \sqrt{m}\), we have \(\Vert \hat{\mathbf {s}}_{k,\ell }-\hat{\mathbf {s}}'_{k,\ell }+\mathbf {S}\hat{\mathbf {e}}_{k,\ell }-\mathbf {S}\hat{\mathbf {e}}'_{k,\ell }\Vert \le (2\eta \sigma + 2d\rho )\sqrt{m}\).
Now we need to show that \((\hat{\mathbf {s}}_{k,\ell }-\hat{\mathbf {s}}'_{k,\ell }+\mathbf {S}\hat{\mathbf {e}}_{k,\ell }-\mathbf {S}\hat{\mathbf {e}}'_{k,\ell }) \ne \mathbf {0}\). Before proving this, we first establish Lemma 5.
Lemma 5
Given any \(\mathbf {A} \in \mathbb {Z}^{n \times m }_q\), where \( m > 64 + n \cdot \log q / \log (2d+1) \), for any randomly chosen \(\mathbf {S} \xleftarrow {\$} \{-d,\cdots ,d \}^{m \times k}\), there exists another \(\mathbf {S}' \in \{-d,\cdots ,d \}^{m \times k}\) such that \(\mathbf {AS} = \mathbf {AS}'\) with probability \(1 - 2^{-100}\).
Proof
Treat \(\mathbf {A}\) as a linear transformation whose range has \(q^n\) elements. At most \(q^n\) elements \(\mathbf {S} \in \{-d,\cdots ,d\}^m\) do not collide with any other element of \(\{-d,\cdots ,d \}^m\). Notice that the set \(\{-d,\cdots ,d \}^m\) comprises \((2d+1)^m\) elements. For a randomly selected element, the probability that it does not collide is therefore at most
\(\square \)
Let c be the column in which \(\hat{\mathbf {e}}_{k,\ell ,c} \ne \hat{\mathbf {e}}'_{k,\ell ,c}\). By Lemma 5, with probability at least \(1-2^{-100}\) there exists a different secret key \(\mathbf {S}'\) such that all columns of \(\mathbf {S}'\) except column c are equal to those of \(\mathbf {S}\), and \(\mathbf {AS}' = \mathbf {AS}\). Clearly, if \(\hat{\mathbf {s}}_{k,\ell ,c}-\hat{\mathbf {s}}'_{k,\ell ,c}+\mathbf {S}(\hat{\mathbf {e}}_{k,\ell ,c}-\hat{\mathbf {e}}'_{k,\ell ,c}) = \mathbf {0}\), then \(\hat{\mathbf {s}}_{k,\ell ,c} - \hat{\mathbf {s}}'_{k,\ell ,c} + \mathbf {S}' (\hat{\mathbf {e}}_{k,\ell ,c} - \hat{\mathbf {e}}'_{k,\ell ,c}) \ne \mathbf {0}\). That is, for every secret key \(\mathbf {S}\) such that \(\hat{\mathbf {s}}_{k,\ell ,c}-\hat{\mathbf {s}}'_{k,\ell ,c}+\mathbf {S}(\hat{\mathbf {e}}_{k,\ell ,c}-\hat{\mathbf {e}}'_{k,\ell ,c}) = \mathbf {0}\), there is a distinct secret key \(\mathbf {S}'\), differing from \(\mathbf {S}\) only in the cth column, for which \(\hat{\mathbf {s}}_{k,\ell ,c} - \hat{\mathbf {s}}'_{k,\ell ,c} + \mathbf {S}' (\hat{\mathbf {e}}_{k,\ell ,c} - \hat{\mathbf {e}}'_{k,\ell ,c}) \ne \mathbf {0}\). Because \(\mathcal {A}\) neither gave these keys to \(\mathcal {R}^*\) as input nor exposed them through the signing oracle, \(\mathcal {R}^*\) cannot tell whether we hold a secret key such as \(\mathbf {S}\) or \(\mathbf {S}'\). Therefore, each secret key has an equal probability of being the one selected. \(\square \)
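The extraction step in the second case of Lemma 4, and the reason Lemma 5 is needed, can be seen concretely in the following Python toy. It is an added example, not code from the paper or its authors. It assumes a simplified Lyubashevsky-style Fiat-Shamir signer (commitment \(\mathbf {Ay}\), ternary challenge from a SHA-256 random oracle, response \(\mathbf {y}-\mathbf {S}\hat{\mathbf {e}}\), no rejection sampling) in place of the paper's oblivious signing protocol, and tiny constructed parameters that do not satisfy the lemma's condition on m. The functions `keygen`, `sign_with_randomness`, `verify`, `alternative_secret_key`, `extract_sis_solution` and `forking_demo` are all hypothetical names introduced here. The demo rewinds the signer with the same \(\mathbf {y}\) but a reprogrammed challenge, so both "semi-signatures" share the commitment \(\mathbf {P}\hat{\mathbf {e}} + \mathbf {A}\hat{\mathbf {s}}\); extracting \(\hat{\mathbf {s}}-\hat{\mathbf {s}}'+\mathbf {S}(\hat{\mathbf {e}}-\hat{\mathbf {e}}')\) with the signer's own \(\mathbf {S}\) gives the zero vector, whereas extracting with an alternative key \(\mathbf {S}'\) (found by brute force at toy sizes, as Lemma 5 guarantees one exists) gives a nonzero vector in the kernel of \(\mathbf {A}\).

```python
import hashlib
import itertools
import random

# Toy parameters, constructed for illustration only: far too small to be secure,
# and M does not satisfy the paper's condition M > 64 + N*log(Q)/log(2D+1).
Q, N, M, K, D = 7, 2, 8, 4, 1   # A is N x M over Z_Q; S is M x K with entries in [-D, D]
Y_BOUND = 3                      # signer randomness y is drawn from [-Y_BOUND, Y_BOUND]^M
RHO = K                          # l1 bound on the ternary challenge e_hat
S_BOUND_SQ = (Y_BOUND + D * K) ** 2 * M   # squared norm bound on s_hat (role of (eta*sigma*sqrt(m))^2)


def mat_vec_mod(A, x):
    """A*x over Z_Q; A is a list of rows, x a list of integers."""
    return [sum(a * b for a, b in zip(row, x)) % Q for row in A]


def mat_vec_int(S, e):
    """S*e over the integers; S is M x K stored as M rows."""
    return [sum(s * t for s, t in zip(row, e)) for row in S]


def mat_mat_mod(A, S):
    """P = A*S over Z_Q (N rows of K entries)."""
    cols = list(zip(*S))
    return [[sum(a * c for a, c in zip(row, col)) % Q for col in cols] for row in A]


def hash_to_ternary(w, msg):
    """Random oracle H(w, msg) -> {-1,0,1}^K, modelled with SHA-256 (assumption)."""
    data = ",".join(map(str, w)).encode() + b"|" + msg.encode()
    return [(b % 3) - 1 for b in hashlib.sha256(data).digest()[:K]]


def keygen(rng):
    """pk = (A, P = AS), sk = S, as in the proof of Lemma 4."""
    A = [[rng.randrange(Q) for _ in range(M)] for _ in range(N)]
    S = [[rng.randint(-D, D) for _ in range(K)] for _ in range(M)]
    return A, S, mat_mat_mod(A, S)


def sign_with_randomness(A, S, msg, y, challenge=None):
    """Semi-signature (e_hat, s_hat): w = A y, e_hat = H(w, msg), s_hat = y - S e_hat (no rejection
    sampling; assumption, not the paper's protocol). `challenge` models a reprogrammed oracle."""
    w = mat_vec_mod(A, y)
    e = challenge if challenge is not None else hash_to_ternary(w, msg)
    return e, [yi - si for yi, si in zip(y, mat_vec_int(S, e))]


def sign(A, S, msg, rng):
    y = [rng.randint(-Y_BOUND, Y_BOUND) for _ in range(M)]
    return sign_with_randomness(A, S, msg, y)


def commitment(A, P, e, s):
    """P e_hat + A s_hat over Z_Q, the value the verifier re-hashes."""
    return [(a + b) % Q for a, b in zip(mat_vec_mod(P, e), mat_vec_mod(A, s))]


def verify(A, P, msg, e, s):
    """Accept iff e_hat is short ternary, s_hat is short, and e_hat = H(P e_hat + A s_hat, msg)."""
    if any(x not in (-1, 0, 1) for x in e) or sum(abs(x) for x in e) > RHO:
        return False
    if sum(x * x for x in s) > S_BOUND_SQ:
        return False
    return e == hash_to_ternary(commitment(A, P, e, s), msg)


def alternative_secret_key(A, S, c):
    """Lemma 5 by brute force (toy sizes only): S' equal to S except in column c, with A S' = A S."""
    col = [row[c] for row in S]
    target = mat_vec_mod(A, col)
    for cand in itertools.product(range(-D, D + 1), repeat=M):
        if list(cand) != col and mat_vec_mod(A, list(cand)) == target:
            S2 = [row[:] for row in S]
            for i in range(M):
                S2[i][c] = cand[i]
            return S2
    return None


def extract_sis_solution(S, e, s, e2, s2):
    """Second case of Lemma 4: z = s_hat - s_hat' + S (e_hat - e_hat'), which satisfies A z = 0."""
    se = mat_vec_int(S, [a - b for a, b in zip(e, e2)])
    return [a - b + t for a, b, t in zip(s, s2, se)]


def in_kernel(A, z):
    return all(x == 0 for x in mat_vec_mod(A, z))


def roundtrip(seed=5):
    """Honest sign/verify on a constructed message."""
    rng = random.Random(seed)
    A, S, P = keygen(rng)
    e, s = sign(A, S, "constructed message", rng)
    return verify(A, P, "constructed message", e, s)


def forking_demo(seed=1):
    """Rewind the signer with the same y but a fresh challenge, then extract with S and with S'."""
    rng = random.Random(seed)
    A, S, P = keygen(rng)
    msg = "ballot-option-2"                      # constructed sample message
    y = [rng.randint(-Y_BOUND, Y_BOUND) for _ in range(M)]
    e1, s1 = sign_with_randomness(A, S, msg, y)  # first run: e_hat = H(A y, msg)
    S2, c = None, 0
    for c in range(K):                           # column where Lemma 5 gives an alternative key
        S2 = alternative_secret_key(A, S, c)
        if S2 is not None:
            break
    if S2 is None:
        raise RuntimeError("no colliding column found (vanishingly unlikely at these sizes)")
    e2 = e1[:]
    e2[c] = 1 if e1[c] != 1 else -1              # reprogrammed oracle answer r'_k differs at c
    _, s2 = sign_with_randomness(A, S, msg, y, challenge=e2)
    z_honest = extract_sis_solution(S, e1, s1, e2, s2)
    z_alt = extract_sis_solution(S2, e1, s1, e2, s2)
    return {
        "sig1_valid": verify(A, P, msg, e1, s1),
        "same_commitment": commitment(A, P, e1, s1) == commitment(A, P, e2, s2),
        "honest_extraction_zero": all(x == 0 for x in z_honest),
        "alt_key_valid": mat_mat_mod(A, S2) == P,
        "alt_extraction_nonzero": any(x != 0 for x in z_alt),
        "alt_in_kernel": in_kernel(A, z_alt),
    }
```

Running `forking_demo()` shows why the proof cannot stop at the extraction equation: a signer holding \(\mathbf {S}\) itself always produces the zero vector, so the reduction relies on the forger's inability to distinguish \(\mathbf {S}\) from \(\mathbf {S}'\) (the final probability argument in the proof, which no single run can exhibit). What the code does exhibit is that \(\mathbf {S}'\) with \(\mathbf {AS}' = \mathbf {AS}\) exists and that extracting with it yields a nonzero kernel vector whose entries are bounded by the same quantities the proof uses.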
Copyright information
© 2022 The Author(s), under exclusive license to Springer Nature Switzerland AG
About this paper
Cite this paper
You, JS., Liu, ZY., Tso, R., Tseng, YF., Mambo, M. (2022). Quantum-Resistant 1-out-of-N Oblivious Signatures from Lattices. In: Cheng, CM., Akiyama, M. (eds) Advances in Information and Computer Security. IWSEC 2022. Lecture Notes in Computer Science, vol 13504. Springer, Cham. https://doi.org/10.1007/978-3-031-15255-9_9
DOI: https://doi.org/10.1007/978-3-031-15255-9_9
Publisher Name: Springer, Cham
Print ISBN: 978-3-031-15254-2
Online ISBN: 978-3-031-15255-9