Cutting the GRASS: Threshold GRoup Action Signature Schemes

Abstract

Group actions are fundamental mathematical tools, with a long history of use in cryptography. Indeed, the action of finite groups at the basis of the discrete logarithm problem is behind a very large portion of modern cryptographic systems. With the advent of post-quantum cryptography, however, other group actions, such as isogeny-based ones, received interest from the cryptographic community, attracted by the possibility of translating old discrete logarithm-based functionalities.

Usually, research focuses on abelian group actions; however in this work we show that isomorphism problems which stem from non-abelian cryptographic group actions can be viable building blocks for threshold signature schemes. In particular, we construct a full N-out-of-N threshold signature scheme, and discuss the efficiency issues arising from extending it to the generic T-out-of-N case. To give a practical outlook on our constructions, we instantiate them with two different flavors of code-based cryptographic group actions, respectively at the basis of the LESS and MEDS signature schemes, two of NIST’s candidates in the recent call for post-quantum standardization.

Appendices

A Coding Theory Notions

A linear code \(\mathcal {C}\) is a vector subspace \(\mathcal {C}\subseteq \mathbb {F}_q^n\) of dimension k, and it is usually referred to as an [n, k] linear code. It follows that a basis for \(\mathcal {C}\) is given by a set of k linearly independent vectors in \(\mathbb {F}_q^n\). When these vectors are put as rows of a matrix \(\textbf{G}\), this is known as a generator matrix for the code, as it can generate each vector of \(\mathcal {C}\) (i.e. a codeword) as a linear combination of its rows. Note that such a generator is not unique, and any invertible \(k\times k\) matrix \(\textbf{S}\) yields another generator via a change of basis; however, it is always possible to utilize a “standard” form simply performing a Gaussian elimination on the left-hand side. This is usually called systematic if the result is the identity matrix (i.e. if the leftmost \(k\times k\) block is invertible); we denote this by \(\textrm{SF}\).

Linear codes are traditionally measured with the Hamming metric, which associates a weight to each codeword by simply counting the number of its non-zero entries. It follows, then, that an isometry (i.e. a map preserving the weight) is given by any \(n\times n\) permutation matrix \(\textbf{P}\) acting on each word, or indeed, on the columns of \(\textbf{G}\) (since every codeword can be generated as a linear combination of the rows of \(\textbf{G}\)). Moreover, it is possible to generalize this notion by adding some non-zero scaling factors from \(\mathbb {F}_q\) to each column. Such a matrix is commonly known as a monomial matrix, and we denote it by \(\textbf{Q}\); it can be seen as a product \(\boldsymbol{D}\cdot \textbf{P}\) between a permutation matrix and a diagonal matrix with non-zero components.

The notion of linear codes can be generalized to the case where each codeword is a matrix, instead of a vector; more precisely, \(m \times n\) matrices over \(\mathbb F_q\). We talk then about \([m\times n,k]\) matrix code, which can be seen as a k-dimensional subspace \(\mathcal {C}\) of \(\mathbb F_q^{m\times n}\). These objects are usually measured with a different metric, known as rank metric, where the weight of each codeword corresponds to its rank as a matrix. In this case, then, isometries are maps which preserve the rank of a matrix, and are thus identified by two non-singular matrices \(\textbf{A}\in \textrm{GL}_m\) and \(\textbf{B}\in \textrm{GL}_n\) acting respectively on the left and on the right of each codeword, by multiplication.

In both of the metrics defined above, we are able to formulate a notion of equivalence in the same way, by saying that two codes are equivalent if they are connected by an isometry. In other words, with a slight abuse of notation, we say that two linear codes \(\mathcal {C}\) and \(\mathcal {C}'\) are linearly equivalent if \(\mathcal {C}'=\mathcal {C}\textbf{Q}\), and two matrix codes \(\mathcal {C}\) and \(\mathcal {C}'\) are matrix equivalent if \(\mathcal {C}'=\textbf{A}\mathcal {C}\textbf{B}\). Note that the notion of permutation equivalence is just a special case of linear equivalence (with the diagonal matrix \(\boldsymbol{D}\) being the identity matrix), yet is often treated separately for a variety of reasons of both historical and practical nature (for instance, certain solvers behave quite differently).

B Signatures from Generic Group Actions

We summarize here briefly how to design a signature scheme from generic group actions. To begin, we formulate the Sigma protocol described in Fig. 3.

Fig. 3.

Identification protocol for the knowledge of the private key.

The protocol above intuitively provides a soundness error of 1/2; it is in fact trivial to prove that an adversary who could solve answer both challenges simultaneuosly, would be able to recover a solution to GAIP. It is then necessary to amplify soundness, in order to reach the desired authentication level. This is accomplished, in the simplest way, by parallel repetition; in practice, several optimizations can be applied, as we will see in Sect. 5, without impacting security. At this point, a signature scheme can be obtained using the Fiat-Shamir transformation [41], which guarantees EUF-CMA security in the (Quantum) Random Oracle Model. The next result is intentionally a little vague, since it is well-known in literature, and we do not want to overly expand this section. Proofs tailored to the specific instantiations can be found, for example, in [8, 34]. For further discussions on Fiat-Shamir, and its security in the ROM and QROM, we point instead the reader to [1, 38, 41, 52].

Proposition 2

Let \(\textsf{I}\) be the identification protocol described above, and \(\textbf{S}\) be the signature scheme obtained by iterating \(\textsf{I}\) and then applying Fiat-Shamir. Then \(\textbf{S}\) is existentially unforgeable against chosen-message attacks, based on the hardness of GAIP.

Note that the protocol does not require any specific property from the group action in use, except those connected to efficient sampling and computation. Indeed, even though the action could in principle be non-transitive, as is the case for code-based group actions, the construction makes it so that we operate on a single orbit (i.e. it is transitive by design in this specific use case). It is however advisable to utilize a free group action, since this could have an impact on the difficulty of GAIP.

C Code-Based Group Actions

We now present the group action associated to code equivalence, according to the definitions given in the previous sections. First, consider the set \(X\subseteq \mathbb {F}_q^{k\times n}\) of all full-rank \(k\times n\) matrices, i.e. the set of generator matrices of [n, k]-linear codes. We then set \(G=\textsf{M}_{n}\), by which we denote the group of monomial matrices. Note that this group is isomorphic to \((\mathbb {F}_q^*)^n\rtimes \textsf{S}_n\) if we decompose each monomial matrix \(\textbf{Q}\in \textsf{M}_{n}\) into a product \(\boldsymbol{D}\cdot \textbf{P}\). The group operation can be then seen simply as multiplication, and the group action is given by

$$\begin{aligned} \star : G \times {X} & \rightarrow {X} \\ (\textbf{G},\textbf{Q}) & \rightarrow \textrm{SF}(\textbf{G}\textbf{Q}) \end{aligned}$$

It is easy to see that the action is well-formed, with the identity element being \(\textbf{I}_n\), and compatible with respect to (right) multiplication.

Remark 2

The definition above considers a standardized choice of representative by utilizing the systematic form \(\textrm{SF}\). This simplifies the definition and makes sure to avoid cases where multiple generators for the same code could be chosen. Indeed, since the systematic form uniquely identifies linear codes, this allows us to see our group action as effectively acting on linear codes, rather than on their representatives (generator matrices).

The case of matrix code equivalence can be framed analogously. In this case, the set X is formed by the k-dimensional matrix codes of size \(m \times n\) over some base field \(\mathbb {F}_q\); similarly to linear codes, matrix codes can be represented via generator matrices \(\textbf{G}\in \mathbb {F}_q^{k\times mn}\). Then, the action of the group \(G = \textrm{GL}_m \times \textrm{GL}_n\) on this set can be described compactly as follows:

$$\begin{aligned} \star : G \times {X} & \rightarrow {X} \\ ((\textbf{A},\textbf{B}),\textbf{G}) & \rightarrow \textrm{SF}(\textbf{G}(\textbf{A}^\top \otimes \textbf{B})) \end{aligned}$$

Note that this is equivalent to applying the matrices \(\textbf{A}\) and \(\textbf{B}\) to each codeword \(\textbf{C}\) in the matrix code as \(\textbf{A}\textbf{C}\textbf{B}\); indeed this is often the most convenient notation.

Note that, in both cases, the action is not commutative and in general neither transitive nor free. It is however possible to restrict the set X to a single well-chosen orbit to make the group action both transitive and free. In fact, picking any orbit generated from some starting code ensures transitivity, and the group action is free if the chosen code has a trivial automorphism group, where trivial means up to scalars in \(\mathbb {F}_q\). The non-commutativity is both a positive and negative feature: although it limits the cryptographical design possibilities, e.g. key exchange becomes hard, it prevents quantum attacks to which commutative cryptographic group actions are vulnerable, such as Kuperberg’s algorithm for the dihedral Hidden Subgroup Problem [50].

The vectorization problems for the code-based group actions are well-known problems in coding theory. We report them below.

Problem 4

(Linear Equivalence (LEP)). Given two k-dimensional linear codes \(\mathcal {C}, \mathcal {C}'\subseteq \mathbb F_q^n\), find, if any, \(\textbf{Q}\in M_n\) such that \(\mathcal {C}'= \mathcal {C}\textbf{Q}\).

We have not defined explicitly here the Permutation Equivalence Problem (PEP), since we will not use it directly; this can be seen as just a special case of LEP, where the monomial matrix \(\textbf{Q}\) is a permutation.

Problem 5

(Matrix Code Equivalence (MCE)). Given two k-dimensional matrix codes \(\mathcal {C},\mathcal {C}'\), find, if any, \(\textbf{A} \in \textrm{GL}_m,\textbf{B} \in \textrm{GL}_n\) such that \(\mathcal {C}'=\textbf{A}\mathcal {C}\textbf{B}\).

Note that both of the above problems are traditionally formulated as decisional problems. Extensive discussion of their hardness is given, for instance, in [9, 29].

D Zero-Knowledge Proof for Action Equality

In the Distributed Key Generation given in Algorithm 1, we need a proof for the knowledge of a set element \(g_i\) such that the following relation holds:

$$ y_i = g_i \star x \wedge x_i = g_i \star x_{i-1} \ . $$

The protocol presented below is a straightforward generalization of the one presented in Sect. 3.1 of [32], for a general group action.

Fig. 4.

One round of the identification protocol prove that the Private Key is used for the calculation.

For completeness we report here the proof of security for the non interactive version of the protocol, contained in [32] and [16].

Proposition 3

The protocol in Fig. 4 can be rendered to a non interactive computationally zero-knowledge quantum proof of knowledge for a free 2-weakly pseudorandom group actions in the QROM.

Proof

First we prove that the underlying protocol is complete, sound and computationally zero-knowledge. The completeness is straightforward. We need to prove soundness and zero knowledge.

• Soundness: suppose that the Prover is able to answer both the challenges with \(u_0\) and \(u_1\), by the collision resistance of the hash function at this point we would retrieve g as \(u_1^{-1} u_0\) against the one wayness of the group action (thus also against 2-weakly pseudorandomness) and having that the public keys are generated by the same group elements.

• Zero Knowledge: to simulate the protocol without knowing the secret g and for any pairs of elements \((x_a,y_a)\), \((x_b,y_b)\) the Prover flips a coin c. If \(c=0\), the Prover follows the protocol normally and is able to answer the challenge if \(b=0\). If \(c=1\), it computes \(\bar{x}_a = \bar{g} y_a\) and \(\bar{x}_b = \bar{g}y_b\) and sends them in place of \(\tilde{x}_a\) and \(\tilde{x}_b\). In this way it is able to answer to the challenge \(b=1\). Thus, if \(c=b\) the prover can convince the verifier, otherwise it rewind the verifier and try again. Since at every iteration the prover has probability \(\frac{1}{2}\) of guessing the correct c the simulation ends in expected polynomial time. Note that this transcript is indistinguishable from the honestly-obtained one, because a distinguisher between the honestly generated transcripts and the simulated one can be used to distinguish pairs \((\bar{x},g\star \bar{a})\) from random ones, against the 2-weakly pseudorandomness.

For the quantum resistance we can observe that since the automorphisms are all trivial the sigma protocol has perfect unique responses (see [20, Lemma 1]) then by [38, Theorem 25] the protocol is a quantum proof of knowledge. Then the protocol has completeness, high min entropy³ and HVZK and is zero-knowledge against quantum adversaries thanks to [59].   \(\square \)