
Practical Lattice-Based Distributed Signatures for a Small Number of Signers

  • Conference paper
Applied Cryptography and Network Security (ACNS 2024)

Part of the book series: Lecture Notes in Computer Science (LNCS, volume 14583)


Abstract

n-out-of-n distributed signatures are a special type of threshold t-out-of-n signatures. They are created by a group of n signers, each holding a share of the secret key, in a collaborative way. This kind of signature has been studied intensively in recent years, motivated by applications such as reducing the risk of compromising secret keys in cryptocurrencies. Towards maintaining security in the presence of quantum adversaries, Damgård et al. (J Cryptol 35(2), 2022) proposed lattice-based constructions of n-out-of-n distributed signatures and multi-signatures following the Fiat-Shamir with aborts paradigm (ASIACRYPT 2009). Due to the inherent issue of aborts, the protocols either require increasing their parameters by a factor of n, or they suffer from a large number of restarts that grows with n. This has a significant impact on their efficiency, even if n is small. Moreover, the protocols use trapdoor homomorphic commitments as a further cryptographic building block, making their deployment in practice not as easy as standard lattice-based Fiat-Shamir signatures. In this work, we present a new construction of n-out-of-n distributed signatures. It is designed specifically for applications with a small number of signers. Our construction follows the Fiat-Shamir with aborts paradigm, but solves the problem of a large number of restarts without increasing the parameters by a factor of n and without utilizing any further cryptographic primitive. To demonstrate the practicality of our protocol, we provide a software implementation and concrete parameters aiming at 128 bits of security. Furthermore, we select concrete parameters for the construction by Damgård et al. and for the most recent lattice-based multi-signature scheme by Chen (CRYPTO 2023), and show that our approach provides a significant improvement in terms of all efficiency metrics. Our results also show that the multi-signature schemes by Damgård et al. and Chen, as well as a multi-signature variant of our protocol, produce signatures that are not smaller than a naive multi-signature derived from the concatenation of multiple standard signatures.


Notes

  1. https://coinsutra.com/best-multi-signature-bitcoin-wallets/.

  2. Source code: https://anonymous.4open.science/r/distSig-Lattice-2D48.

  3. As stated in [17], there is no efficiency gain from extending the construction to commit to vectors from \(R_q\).

  4. https://github.com/malb/lattice-estimator.

References

  1. Agrawal, S., Stehlé, D., Yadav, A.: Round-optimal lattice-based threshold signatures, revisited. In: Bojanczyk, M., Merelli, E., Woodruff, D.P. (eds.) 49th International Colloquium on Automata, Languages, and Programming, ICALP 2022. LIPIcs, vol. 229, pp. 8:1–8:20. Schloss Dagstuhl - Leibniz-Zentrum für Informatik (2022)


  2. Albrecht, M.R., Player, R., Scott, S.: On the concrete hardness of learning with errors. J. Math. Cryptol. 9(3), 169–203 (2015)


  3. Alkeilani Alkadri, N., El Bansarkhani, R., Buchmann, J.: On lattice-based interactive protocols: An approach with less or no aborts, pp. 41–61 (2020). https://doi.org/10.1007/978-3-030-55304-3_3

  4. Alkeilani Alkadri, N., Harasser, P., Janson, C.: BlindOR: an efficient lattice-based blind signature scheme from OR-proofs, pp. 95–115 (2021). https://doi.org/10.1007/978-3-030-92548-2_6

  5. Becker, A., Ducas, L., Gama, N., Laarhoven, T.: New directions in nearest neighbor searching with applications to lattice sieving, pp. 10–24 (2016). https://doi.org/10.1137/1.9781611974331.ch2

  6. Bellare, M., Davis, H., Günther, F.: Separate your domains: NIST PQC KEMs, oracle cloning and read-only indifferentiability, pp. 3–32 (2020). https://doi.org/10.1007/978-3-030-45724-2_1

  7. Bellare, M., Neven, G.: Multi-signatures in the plain public-key model and a general forking lemma, pp. 390–399 (2006). https://doi.org/10.1145/1180405.1180453

  8. Bellare, M., Rogaway, P.: Random oracles are practical: a paradigm for designing efficient protocols, pp. 62–73 (1993). https://doi.org/10.1145/168588.168596

  9. Bendlin, R., Krehbiel, S., Peikert, C.: How to share a lattice trapdoor: threshold protocols for signatures and (H)IBE, pp. 218–236 (2013). https://doi.org/10.1007/978-3-642-38980-1_14

  10. Boneh, D., Dagdelen, Ö., Fischlin, M., Lehmann, A., Schaffner, C., Zhandry, M.: Random oracles in a quantum world, pp. 41–69 (2011). https://doi.org/10.1007/978-3-642-25385-0_3

  11. Boneh, D., et al.: Threshold cryptosystems from threshold fully homomorphic encryption, pp. 565–596 (2018). https://doi.org/10.1007/978-3-319-96884-1_19

  12. Boschini, C., Takahashi, A., Tibouchi, M.: MuSig-L: Lattice-based multi-signature with single-round online phase, pp. 276–305 (2022). https://doi.org/10.1007/978-3-031-15979-4_10

  13. Chen, Y.: DualMS: Efficient lattice-based two-round multi-signature with trapdoor-free simulation. In: Advances in Cryptology - CRYPTO 2023, pp. 716–747 (2023). https://doi.org/10.1007/978-3-031-38554-4_23

  14. Chen, Y.: Réduction de réseau et sécurité concrète du chiffrement complètement homomorphe. Ph.D. thesis, ENS-Lyon, France (2013)

  15. Chen, Y., Nguyen, P.Q.: BKZ 2.0: Better lattice security estimates, pp. 1–20 (2011). https://doi.org/10.1007/978-3-642-25385-0_1

  16. Cozzo, D., Smart, N.P.: Sharing the LUOV: threshold post-quantum signatures, pp. 128–153 (2019). https://doi.org/10.1007/978-3-030-35199-1_7

  17. Damgård, I., Orlandi, C., Takahashi, A., Tibouchi, M.: Two-round n-out-of-n and multi-signatures and trapdoor commitment from lattices. J. Cryptol. 35(2), 14 (2022). https://doi.org/10.1007/s00145-022-09425-3

  18. Desmedt, Y., Frankel, Y.: Threshold cryptosystem, pp. 307–315 (1990). https://doi.org/10.1007/0-387-34805-0_28

  19. Don, J., Fehr, S., Majenz, C., Schaffner, C.: Security of the Fiat-Shamir transformation in the quantum random-oracle model, pp. 356–383 (2019). https://doi.org/10.1007/978-3-030-26951-7_13

  20. Ducas, L., et al.: CRYSTALS-Dilithium: a lattice-based digital signature scheme. IACR Trans. Cryptogr. Hardw. Embed. Syst. 2018(1), 238–268 (2018). https://doi.org/10.13154/tches.v2018.i1.238-268, https://tches.iacr.org/index.php/TCHES/article/view/839

  21. Ducas, L., Lepoint, T., Lyubashevsky, V., Schwabe, P., Seiler, G., Stehlé, D.: CRYSTALS-Dilithium: digital signatures from module lattices. Cryptology ePrint Archive, Paper 2017/633 (2017). https://eprint.iacr.org/archive/2017/633/20170627:201152

  22. Gentry, C., Peikert, C., Vaikuntanathan, V.: Trapdoors for hard lattices and new cryptographic constructions, pp. 197–206 (2008). https://doi.org/10.1145/1374376.1374407

  23. Itakura, K., Nakamura, K.: A public-key cryptosystem suitable for digital multisignatures. NEC Res. Develop. 71, 1–8 (1983)


  24. Liu, Q., Zhandry, M.: Revisiting post-quantum Fiat-Shamir, pp. 326–355 (2019). https://doi.org/10.1007/978-3-030-26951-7_12

  25. Lyubashevsky, V.: Fiat-Shamir with aborts: applications to lattice and factoring-based signatures, pp. 598–616 (2009). https://doi.org/10.1007/978-3-642-10366-7_35

  26. Lyubashevsky, V.: Lattice signatures without trapdoors, pp. 738–755 (2012). https://doi.org/10.1007/978-3-642-29011-4_43

  27. Lyubashevsky, V., Peikert, C., Regev, O.: A toolkit for ring-LWE cryptography, pp. 35–54 (2013). https://doi.org/10.1007/978-3-642-38348-9_3

  28. Micali, S., Ohta, K., Reyzin, L.: Accountable-subgroup multisignatures: extended abstract, pp. 245–254 (2001). https://doi.org/10.1145/501983.502017

  29. Micciancio, D., Regev, O.: Lattice-based cryptography. In: Bernstein, D.J., Buchmann, J., Dahmen, E. (eds.) Post-Quantum Cryptography, pp. 147–191. Springer Berlin Heidelberg, Berlin, Heidelberg (2009). https://doi.org/10.1007/978-3-540-88702-7_5


  30. Schnorr, C., Euchner, M.: Lattice basis reduction: improved practical algorithms and solving subset sum problems. Math. Program. 66, 181–199 (1994). https://doi.org/10.1007/BF01581144


  31. Zhandry, M.: How to record quantum queries, and applications to quantum indifferentiability, pp. 239–268 (2019). https://doi.org/10.1007/978-3-030-26951-7_9


Acknowledgements

This work was funded by the European Union (ERC, LACONIC, 101041207). Views and opinions expressed are however those of the authors only and do not necessarily reflect those of the European Union or the European Research Council. Neither the European Union nor the granting authority can be held responsible for them.

Corresponding author

Correspondence to Nabil Alkeilani Alkadri.

Appendices

A More Related Work

Threshold Signatures. A few works have proposed lattice-based constructions of t-out-of-n threshold signatures [1, 9, 11, 16]. The first one, by Bendlin et al. [9], gives a threshold variant of the standard hash-and-sign signatures by Gentry et al. [22]. The main downside of this protocol is that only an a priori bounded number of online non-interactive signing operations can be performed before an offline interactive protocol must be run. This offline protocol includes a threshold Gaussian sampling phase, which is carried out using generic multiparty computation (MPC). Cozzo and Smart [16] show that the lattice-based signature schemes submitted to the NIST post-quantum standardization process have significant issues when converted into threshold ones using relatively generic MPC techniques. The main issue is the need to carry out the rejection sampling procedure, which requires keeping intermediate values secret until after rejection sampling has been performed and the values have been compared with given constants. Moreover, they require several rounds of communication and a mixture of linear and non-linear operations that incur costly transformations between both representations. Boneh et al. [11] propose a generic framework that requires several other cryptographic primitives as building blocks, including deterministic signatures, threshold fully homomorphic encryption, and a homomorphic signature scheme. Due to the involvement of heavy cryptographic primitives, it is not clear whether their construction can be adopted in practical applications. Agrawal et al. [1] improve the construction by Boneh et al. [11], bringing it closer to practice.

B Additional Background

The next lemma is for the tail bound of Gaussian vectors.

Lemma 1

([26, Lemma 4.4]). Let \(\sigma ,t,\gamma \in \mathbb {R}_{>0}\) and \(m\in \mathbb {N}_{>0}\). Then we have:

  1. .

  2. .

We rely on the following lemma, which is a certain regularity theorem.

Lemma 2

([27, Corollary 7.5]). Let and \(\bar{\textbf{A}}=[\textbf{I}_{k} | \textbf{A}]\in R_q^{k\times (k+\ell )}\). Let \(\sigma >\frac{2N\cdot q^{\frac{k}{k+\ell }+\frac{2}{N(k+\ell )}}}{\sqrt{2\pi }}\) and . Then, the distribution of \(\bar{\textbf{A}}\cdot \textbf{x}\pmod q\) is within statistical distance \(2^{-\Omega (N)}\) of the uniform distribution over \(R_q^{k}\).

The next lemma is a variant of the rejection sampling lemma specified for \(D_{\mathbb {Z}^{m},\sigma }\).

Lemma 3

([26, Theorem 4.6]). Define \(V:=\{\textbf{v}\in \mathbb {Z}^{m}:\Vert \textbf{v}\Vert \le T\}\), where \(T>0\). Let \(\sigma =\alpha T\) for some \(\alpha >0\), and \(h:V\rightarrow \mathbb {R}\) be a probability distribution. Then, there exists a constant \(M>0\) such that \(\exp (\frac{12}{\alpha }+\frac{1}{2\alpha ^2})\le M\), and the following two algorithms are within statistical distance of at most \(2^{-100}/M\):

  1. ; output \((\textbf{z},\textbf{v})\) with probability \(\frac{1-2^{-100}}{M}\).

  2. ; output \((\textbf{z},\textbf{v})\) with probability 1/M.

We let \(\textsf{RejSamp}\) denote an algorithm that carries out rejection sampling on \(\textbf{z}\), where , \(\Vert \textbf{v}\Vert \le T\), and \(\sigma =\alpha T\). That is, on input \((\textbf{z},\textbf{v})\), \(\textsf{RejSamp}\) returns 1 if \(\textbf{z}\) is accepted and 0 if rejected. By Lemma 3, the output 1 indicates that the distribution of \(\textbf{z}\) is within statistical distance of at most \(2^{-100}/M\) from \(D_{\mathbb {Z}^{m},\sigma }\), where \(\exp (\frac{12}{\alpha }+\frac{1}{2\alpha ^2})\le M\). \(\textsf{RejSamp}\) returns 1 with probability \(\approx 1/M\), and hence the expected number of restarts necessary to return 1 is given by M.

Fig. 7. Definition of experiments \(\textrm{Exp}^{\textrm{Acc}}_{\textsf{IGen},\mathcal {C},\textsf{A}}\), \(\textrm{Exp}^{\textrm{Frk}}_{\textsf{IGen},\mathcal {C},\textsf{A}}\), and forking algorithm \(\textsf{Frk}_{\mathcal {C},\textsf{A}}\).

B.1 Forking Lemma

Let \(\mathcal {C}\) be some finite set and \(\mathcal {R}\) be some randomness space. Let \(\textsf{IGen}\) be a PPT algorithm, and consider an algorithm \(\textsf{A}\) that, on input an instance \(x\in \textsf{IGen}\) and random values \(h_1,\dots ,h_q\in \mathcal {C}\), returns a pair \(( idx , out )\), where \(0\le idx \le q\) and \( out \) is a side output related to \(h_{ idx }\). The index \( idx =0\) indicates that \(\textsf{A}\) has failed to compute a side output \( out \) related to any of the values \(h_1,\dots ,h_q\). The general forking lemma [7] gives a lower bound on the success probability of the forking experiment, in which \(\textsf{A}\) is run twice on the same instance x and randomness \(r\in \mathcal {R}\), but with partially different values from \(\mathcal {C}\), and returns the same index \( idx \) together with two side outputs \( out \) and \( out '\), related to the values \(h_{ idx }\) and \(h'_{ idx }\), respectively. The experiment fails if the two runs of \(\textsf{A}\) return different indices, or if \(h_{ idx }=h'_{ idx }\). For the security proof of our n-out-of-n distributed signature protocol we need a slightly modified version of the general forking lemma. This version was given in [4]. It considers an algorithm \(\textsf{A}\) that additionally returns a second index as part of the output, i.e., \(\textsf{A}\) returns a tuple \(( idx _1, idx _2, out )\), where \( idx _1\) and \( out \) are as before, and \(0\le idx _2<\omega \) for \(\omega \in \mathbb {N}_{>0}\). The forking experiment succeeds only if both runs of \(\textsf{A}\) return the same pair of indices \(( idx _1, idx _2)\) and \(h_{ idx _1}\ne h'_{ idx _1}\).

Lemma 4

Let \(q,\omega \in \mathbb {N}_{>0}\), \(\mathcal {C}\) be a finite set of size \(|\mathcal {C}|\ge 2\), and \(\mathcal {R}\) be a randomness space. Let \(\textsf{IGen}\) be a PPT algorithm, and \(\textsf{A}\) be a PPT algorithm that, on input \(x\in \textsf{IGen}\) and \(h_1,\dots ,h_q\in \mathcal {C}\), outputs a tuple \(( idx _1, idx _2, out )\), where \(0\le idx _1\le q\) and \(0\le idx _2<\omega \). Define the accepting probability and the forking probability of \(\textsf{A}\) by

$$\begin{aligned} acc :=\textrm{Pr}[\textrm{Exp}^{\textrm{Acc}}_{\textsf{IGen},\mathcal {C},\textsf{A}}=1]\ \text { and }\ frk :=\textrm{Pr}[\textrm{Exp}^{\textrm{Frk}}_{\textsf{IGen},\mathcal {C},\textsf{A}}=1], \end{aligned}$$

where the experiments \(\textrm{Exp}^{\textrm{Acc}}_{\textsf{IGen},\mathcal {C},\textsf{A}}\) and \(\textrm{Exp}^{\textrm{Frk}}_{\textsf{IGen},\mathcal {C},\textsf{A}}\) are depicted in Fig. 7. Then, we have \( frk \ge acc \cdot \Big (\frac{ acc }{q\cdot \omega }-\frac{1}{|\mathcal {C}|}\Big ). \) Alternatively, \( acc \le \frac{q\cdot \omega }{|\mathcal {C}|}+\sqrt{q\cdot \omega \cdot frk }. \)

C Hardness Estimation of MLWE and MSIS

In this section, we explain the methodology that we follow in this work to estimate the hardness of \(\textsf{MLWE}\) and \(\textsf{MSIS}\). First, we remark that all known algorithms solving \(\textsf{MLWE}\) and \(\textsf{MSIS}\) do not exploit their algebraic structure.

Estimating the hardness of \(\textsf{MLWE}\) w.r.t. \( pp =(N,k,\ell ,q,\eta )\) is carried out by using the \(\textsf{LWE}\)-Estimator (see footnote 4) presented by Albrecht et al. [2].

Given \( pp =(N,k,\ell ,q,\beta )\) and \(\textbf{A}=[a_{i,j}]_{1\le i\le k,1\le j\le \ell }\in R_q^{k\times \ell }\), the hardness of \(\textsf{MSIS}\) w.r.t. \( pp \) is equivalent to solving the Shortest Vector Problem (\(\textsf{SVP}\)), i.e., finding a non-trivial vector, whose \(\ell _2\)-norm is bounded by \(\beta \), in the lattice \(\{\textbf{x}\in \mathbb {Z}^m:\textbf{0}=[\textbf{I}_{d}|\textbf{A}']\cdot \textbf{x}\pmod {q}\}\), where \(d=kN\), \(m=(k+\ell )N\), and \(\textbf{A}'\) is the matrix obtained by computing the rotation matrix of each entry of \(\textbf{A}\), i.e.,

$$\begin{aligned} \textbf{A}' = \begin{bmatrix} \textsf{Rot}(a_{1,1}) &{} \ldots &{} \textsf{Rot}(a_{1,\ell })\\ \vdots &{} \ddots &{} \vdots \\ \textsf{Rot}(a_{k,1}) &{} \ldots &{} \textsf{Rot}(a_{k,\ell }) \end{bmatrix} \in \mathbb {Z}_q^{kN\times \ell N}. \end{aligned}$$

We recall that the rotation matrix of any \(a=\sum _{i=0}^{N-1} a_{i} X^{i}\in R\) is defined by

$$\begin{aligned} \textsf{Rot}(a):=(\textbf{a},\textsf{rot}(a),\textsf{rot}^2(a),\ldots ,\textsf{rot}^{N-1}(a))\in \mathbb {Z}^{N\times N}, \end{aligned}$$

where \(\textbf{a}=(a_0,\ldots ,a_{N-1})^\top \), \(\textsf{rot}(a):=(-a_{N-1},a_0,\ldots ,a_{N-2})^\top \), and for all other \(k\in \{2,\ldots ,N-1\}:\textsf{rot}^k(a):=\textsf{rot}(\textsf{rot}^{k-1}(a))\) .

The best known algorithm for finding short non-trivial vectors is due to Schnorr and Euchner [30]. It is called the Block-Korkine-Zolotarev algorithm \((\textsf{BKZ})\), and was improved in practice by Chen and Nguyen [15]. As a subroutine, \(\textsf{BKZ}\) uses an \(\textsf{SVP}\) solver in lattices of dimension b, where b is called the block size. The best known classical algorithm for \(\textsf{SVP}\) with no memory restrictions is due to Becker et al. [5], and it takes time \(\approx 2^{0.292\, b}\). The time required by \(\textsf{BKZ}\) to run with block size b on an m-dimensional lattice \(\mathcal {L}\) is given by (see, e.g. [5])

$$\begin{aligned} 8m\, 2^{0.292\, b+16.4}. \end{aligned}\tag{1}$$

The output of \(\textsf{BKZ}\) is a vector of length \(\delta ^m\det (\mathcal {L})^{1/m}\), where \(\delta \) is called the Hermite delta and it is given by (see, e.g. [14, 15])

$$\begin{aligned} \delta =\big (b\, (\pi b)^\frac{1}{b}/(2\pi e)\big )^{\frac{1}{2(b-1)}}, \end{aligned}\tag{2}$$

and \(\det (\mathcal {L})\) is the determinant of \(\mathcal {L}\). Micciancio and Regev [29] showed that it is better to run algorithm \(\textsf{BKZ}\) with a maximum of \(m=\sqrt{d\log (q)/\log (\delta )}\) columns of the matrix \([\textbf{I}_{d}|\textbf{A}']\). The coefficients of the solution output by \(\textsf{BKZ}\) that correspond to the dropped columns are then set to zero. This allows one to find a non-zero vector of length \(\min (q,2^{2\sqrt{d\log (q)\log (\delta )}})\). In other words, when considering \(\delta ^m\det (\mathcal {L})^{1/m}\) as a function of m, Micciancio and Regev [29] showed that the minimum of this function is given by the value \(2^{2\sqrt{d\log (q)\log (\delta )}}\), and it is attained when \(m=\sqrt{d\log (q)/\log (\delta )}\). Therefore, in order to compute the time required by \(\textsf{BKZ}\) to solve \(\textsf{MSIS}\) w.r.t. \( pp \), we first determine \(\delta \) by setting \(\beta =2^{2\sqrt{d\log (q)\log (\delta )}}\), where \(d=kN\) and \(m=(k+\ell )N\). After that, we compute the minimum block size b required to achieve \(\delta \) using (2). The resulting b is put into (1) to obtain the desired time.
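The three-step procedure above (δ from β, b from (2), time from (1)) carried out in code, as an added example that is not the paper's own implementation. The parameters in the demo (N=256, q=8380417, k, ℓ, β=2^20) are constructed, not those of Table 3; the fallback branch in `log2_delta_for_beta`, which handles the case where the optimal column count exceeds the (k+ℓ)N columns available, is an added generalisation beyond the text.

```python
"""Worked BKZ cost estimate for MSIS following Appendix C (added example,
not the paper's code).  Parameters below are constructed, not Table 3."""
import math


def hermite_delta(b: int) -> float:
    """Hermite delta reached by BKZ with block size b, equation (2)."""
    if b < 50:
        raise ValueError("equation (2) is used here only for b >= 50")
    return (b * (math.pi * b) ** (1.0 / b) / (2 * math.pi * math.e)) ** (1.0 / (2 * (b - 1)))


def min_block_size(delta: float, b_max: int = 5000) -> int:
    """Smallest b with hermite_delta(b) <= delta; (2) is decreasing in b."""
    if hermite_delta(b_max) > delta:
        raise ValueError("delta not reachable with b <= b_max")
    lo, hi = 50, b_max
    while lo < hi:
        mid = (lo + hi) // 2
        if hermite_delta(mid) <= delta:
            hi = mid
        else:
            lo = mid + 1
    return lo


def beta_reached(d: int, q: int, log2_delta: float) -> float:
    """Shortest norm 2^{2 sqrt(d log q log delta)} found by BKZ with Hermite
    delta on the lattice {x : [I_d | A'] x = 0 mod q}, using m_opt columns."""
    return 2.0 ** (2 * math.sqrt(d * math.log2(q) * log2_delta))


def log2_delta_for_beta(d: int, m: int, q: int, beta: float):
    """Invert beta = 2^{2 sqrt(d log q log delta)} for log2(delta).
    Returns (log2_delta, columns_used).  The fallback branch is an added
    generalisation: if m_opt = sqrt(d log q / log delta) exceeds the m
    columns available, BKZ runs on all m and must reach delta^m q^{d/m}."""
    if beta >= q:
        raise ValueError("beta >= q: q*e_1 is already a trivial solution")
    log2_q, log2_beta = math.log2(q), math.log2(beta)
    log2_delta = log2_beta ** 2 / (4 * d * log2_q)
    m_opt = math.sqrt(d * log2_q / log2_delta)
    if m_opt <= m:
        return log2_delta, m_opt
    log2_delta = (log2_beta - d * log2_q / m) / m   # det(L) = q^d
    if log2_delta <= 0:
        raise ValueError("beta below q^{d/m}: outside this model")
    return log2_delta, m


def estimate_msis_cost(N: int, k: int, ell: int, q: int, beta: float) -> dict:
    """Steps of Appendix C: delta from beta, b from (2), time from (1)."""
    d, m = k * N, (k + ell) * N
    log2_delta, cols = log2_delta_for_beta(d, m, q, beta)
    b = min_block_size(2.0 ** log2_delta)
    log2_time = math.log2(8 * m) + 0.292 * b + 16.4   # equation (1), m = (k+ell)N
    return {"log2_delta": log2_delta, "columns": cols, "block_size": b, "log2_time": log2_time}


if __name__ == "__main__":
    # Constructed instance: Dilithium-style N and q, k=4, ell=12, beta = 2^20.
    print(estimate_msis_cost(256, 4, 12, 8380417, 2.0 ** 20))
```

The returned `log2_time` is the exponent of the classical BKZ cost from (1); compare it against the targeted security level (the paper aims at 128 bits).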

Fig. 8. The algorithms that show the indistinguishability of hybrids \(H_2\) and \(H_1\) defined in the proof of Theorem 1.

Table 3. Parameters of our distributed signature protocol.

D Indistinguishability of Hybrids \(H_2\) and \(H_1\)

The following lemma establishes the statistical distance between the hybrids \(H_2\) and \(H_1\) defined in the proof of Theorem 1.

Lemma 5

Let \(\sigma \) be as in Lemma 2, M be as in Lemma 3, and \(\delta >0\) such that \((1-\frac{1-2^{-100}}{M})^{\omega }\le \delta \). Let , \(\bar{\textbf{A}}=[\textbf{I}_{k} | \textbf{A}]\in R_q^{k\times (k+\ell )}\), , and \(\textbf{b}=\bar{\textbf{A}}\cdot \textbf{s}\pmod {q}\). Then, the output distributions of the algorithms \(\textsf{A}_0\) and \(\textsf{A}_1\) defined in Fig. 8 are within statistical distance of at most \(2^{-\Omega (N)+1}\cdot 2^{-100}/M\).

Proof

The proof is similar to that of [12, Lemma B.8], which is performed via standard hybrid arguments. The only difference here is that in algorithm \(\textsf{A}_0\) rejection sampling is carried out at most \(\omega \) times, using Gaussian masking vectors \(\textbf{y}_0,\ldots ,\textbf{y}_{\omega -1}\). The goal is to make sure that the distribution of \(\textbf{z}=\textbf{y}_i+\textbf{s}c\) is independent of \(\textbf{s}c\). The random choice of \(\rho \in [0,1)\) and the test in line 13 are a standard implementation of the rejection sampling procedure. By Lemma 3, rejection sampling accepts with probability \((1-2^{-100})/M\), and \(\textbf{z}\) is within statistical distance \(2^{-100}/M\) of the Gaussian distribution \(D_{\mathbb {Z}^N,\sigma }^{k+\ell }\). When using \(\omega \) masking vectors \(\textbf{y}_0,\ldots ,\textbf{y}_{\omega -1}\) instead of only one, algorithm \(\textsf{A}_0\) returns \((\textbf{z},i)\ne (\bot ,\bot )\) with probability \(1-(1-\frac{1-2^{-100}}{M})^\omega \ge 1-\delta \). Lemma 2 is applied twice in order to obtain a statistical distance of \(2^{-\Omega (N)}\) between a vector \(\bar{\textbf{A}}\cdot \textbf{y}\in R_q^{k}\), for , and a uniformly random vector from \(R_q^{k}\). We refer to [12, Lemma B.8] for more details.
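The \(\textsf{RejSamp}\) test of Lemma 3 and the \(\omega \)-masking-vector loop of algorithm \(\textsf{A}_0\) from the proof above, as an added simulation that is not the paper's implementation. The secret \(\textbf{s}c=(1,\ldots ,1)\), the dimension m=64, \(\alpha =11\) and the truncated table sampler for \(D_{\mathbb {Z},\sigma }\) are constructed choices; the simulation checks the empirical success rate against \(1-(1-\frac{1-2^{-100}}{M})^\omega \).

```python
"""Rejection sampling (Lemma 3 / RejSamp) repeated over omega Gaussian masking
vectors as in algorithm A_0 of Lemma 5.  Added illustration with constructed
toy parameters; not the paper's implementation."""
import math
import random


def gaussian_table(sigma: float, tail: float = 12.0):
    """Support and cumulative weights of D_{Z,sigma}, truncated at tail*sigma."""
    bound = int(math.ceil(tail * sigma))
    support = list(range(-bound, bound + 1))
    cum, acc = [], 0.0
    for x in support:
        acc += math.exp(-x * x / (2 * sigma * sigma))
        cum.append(acc)
    return support, cum


def rej_samp(z, v, sigma: float, M: float, rng) -> int:
    """RejSamp(z, v): 1 if z is accepted, 0 if rejected.
    Accept with probability min(1, D_sigma(z) / (M * D_{v,sigma}(z))); the two
    Gaussians share a normaliser, so the ratio is exp((|v|^2 - 2<z,v>)/(2 sigma^2))."""
    dot = sum(zi * vi for zi, vi in zip(z, v))
    vv = sum(vi * vi for vi in v)
    ratio = math.exp((vv - 2 * dot) / (2 * sigma * sigma)) / M
    rho = rng.random()                      # rho <- [0,1), the test of "line 13"
    return 1 if rho < min(1.0, ratio) else 0


def mask_and_test(sc, sigma: float, M: float, omega: int, rng, table):
    """A_0-style loop: masks y_0..y_{omega-1}; returns (z, i) or (None, None)."""
    support, cum = table
    for i in range(omega):
        y = rng.choices(support, cum_weights=cum, k=len(sc))
        z = [yi + si for yi, si in zip(y, sc)]
        if rej_samp(z, sc, sigma, M, rng):
            return z, i
    return None, None


def lemma3_M(alpha: float) -> float:
    """Smallest M allowed by Lemma 3 for sigma = alpha * T."""
    return math.exp(12 / alpha + 1 / (2 * alpha * alpha))


def failure_prob(M: float, omega: int) -> float:
    """Lemma 5: Pr[A_0 returns (bot, bot)] = (1 - (1 - 2^-100)/M)^omega."""
    return (1 - (1 - 2.0 ** -100) / M) ** omega


def acceptance_rate(m: int = 64, alpha: float = 11.0, omega: int = 1,
                    trials: int = 2000, seed: int = 1):
    """Empirical Pr[mask_and_test succeeds] for a constructed secret sc = (1,...,1)
    (so T = |sc| = sqrt(m)) and sigma = alpha*T.  Returns (rate, M)."""
    rng = random.Random(seed)
    sc = [1] * m
    sigma = alpha * math.sqrt(m)
    M = lemma3_M(alpha)
    table = gaussian_table(sigma)
    hits = sum(mask_and_test(sc, sigma, M, omega, rng, table)[0] is not None
               for _ in range(trials))
    return hits / trials, M


if __name__ == "__main__":
    for omega in (1, 3):
        rate, M = acceptance_rate(omega=omega)
        print(f"omega={omega}: empirical {rate:.3f}, Lemma 5 bound {1 - failure_prob(M, omega):.3f}")
```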


Copyright information

© 2024 The Author(s), under exclusive license to Springer Nature Switzerland AG

About this paper


Cite this paper

Alkadri, N.A., Döttling, N., Pu, S. (2024). Practical Lattice-Based Distributed Signatures for a Small Number of Signers. In: Pöpper, C., Batina, L. (eds) Applied Cryptography and Network Security. ACNS 2024. Lecture Notes in Computer Science, vol 14583. Springer, Cham. https://doi.org/10.1007/978-3-031-54770-6_15


  • DOI: https://doi.org/10.1007/978-3-031-54770-6_15


  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-031-54769-0

  • Online ISBN: 978-3-031-54770-6
