G+G: A Fiat-Shamir Lattice Signature Based on Convolved Gaussians

Abstract

We describe an adaptation of Schnorr’s signature to the lattice setting, which relies on Gaussian convolution rather than flooding or rejection sampling as previous approaches. It does not involve any abort, can be proved secure in the ROM and QROM using existing analyses of the Fiat-Shamir transform, and enjoys smaller signature sizes (both asymptotically and for concrete security levels).

Appendices

A The Fiat-Shamir Transform

In this section, we recall the Fiat-Shamir transform, which allows to transform an identification scheme into a digital signature. It removes interaction by sampling the challenge as a hash function evaluation \(H(w,\mu )\) with w being the prover’s commitment and \(\mu \) the signed message. The hash function is then modeled as a random oracle in the analysis. The signature is the pair (w, z), which is verified by checking validity of the transcript \((w,H(w,\mu ),z)\).

As the challenge c being typically much shorter than w, it is desirable to replace w by c in the signature. This is possible if the underlying identification scheme is commitment-recoverable (see Definition 2). Verification simply starts by recovering \(w \leftarrow \textsf{Rec}(\textsf{vk},c,z)\). Our protocol satisfies this property, thus we describe the signature obtained applying this version of the Fiat-Shamir transform. See Fig. 6.

Fig. 6.

Fiat-Shamir Signature \(\textsf{FS}[\textsf{ID},H]\).

For the sake of completeness, we state the following lemma arguing correctness of the signature scheme \(\textsf{FS}[\textsf{ID},H]\), which immediately follows from the completeness and commitment-recoverability of the underlying identification scheme.

Lemma 8

Let \(\textsf{ID}= (\textsf{IGen},\textsf{P},\textsf{V})\) denote an identification scheme. Further assume that \(\textsf{ID}\) is \(\varepsilon \)-complete and commitment-recoverable. Then the signature scheme \(\textsf{FS}[\textsf{ID},H]\) described in Fig. 6 is \(\varepsilon \)-correct in the ROM.

Security of \(\textsf{FS}[\textsf{ID},H]\) can be proven by successive claims. First, one can reduce EU-CMA security of \(\textsf{FS}[\textsf{ID},H]\) to its EU-NMA security assuming \(\textsf{ID}\) has large commitment min-entropy and is honest-verifier zero-knowledge (see Definition 3). This can be shown by relying on the following theorem.

Theorem 6

(Adapted from [GHHM21], Theorem 3). Let \(\textsf{ID}\) be an identification scheme which has \(\alpha \)-min-entropy and satisfies \(\varepsilon \)-statistical HVZK. Let H a hash function modeled as a random oracle. Then, for any (possibly quantum) adversary \(\mathcal {A}\) against the EU-CMA security of \(\textsf{FS}[\textsf{ID},H]\) making at most \(Q_S\) (classical) sign queries and at most \(Q_H\) (possibly quantum) hash queries, there exists an adversary \(\mathcal {B}\) against the EU-NMA security of \(\textsf{FS}[\textsf{ID},H]\) such that:

$$ \textsf{Adv}^{\mathsf {EU-CMA}}(\mathcal {A})\le \textsf{Adv}^{\mathsf {EU-NMA}}(\mathcal {B})+ Q_S\varepsilon +3\frac{Q_S}{2}\cdot \sqrt{(Q_H+Q_S+1)\cdot 2^{-\alpha }} . $$

Furthermore, if \(\textsf{ID}\) is \((1+\varepsilon )\)-divergence HVZK, the following bound applies:

$$ \textsf{Adv}^{\mathsf {EU-CMA}}(\mathcal {A})\le (1+\varepsilon )^{Q_S}\textsf{Adv}^{\mathsf {EU-NMA}}(\mathcal {B})+3Q_S/2\cdot \sqrt{(Q_H+Q_S+1)\cdot 2^{-\alpha }} . $$

The result can be adapted to sEU-CMA security by adding \(Q_S2^{-\alpha }\) to the bounds.

It remains to prove EU-NMA-security to conclude the security analysis, which can be argued via the following statement for lossy identification schemes (see Definition 4).

Theorem 7

([KLS18], Theorem 3.4). Let \(\textsf{ID}\) be a lossy identification scheme satisfying \(\varepsilon _{\textsf{ls}}\)-lossy soundness for some \(\varepsilon _\textsf{ls}>0\). Let H a hash function modeled as a random oracle. For any (possibly quantum) adversary \(\mathcal {A}\) against the EU-NMA security of \(\textsf{FS}[\textsf{ID},H]\) making at most \(Q_H\) (possibly quantum) hash queries, there exists a quantum adversary \(\mathcal {B}\) against the lossiness of \(\textsf{ID}\) such that

$$\begin{aligned} \textsf{Adv}^{\mathsf {EU-NMA}}(\mathcal {A})\le \textsf{Adv}^{\textsf{lossiness}}(\mathcal {B})+8(Q_H+1)^2\cdot \varepsilon _{\textsf{ls}} . \end{aligned}$$

Finally, we describe a reduction in the (classical) ROM which relies on weaker properties compared to the above QROM reduction. Various folklore reductions are known in this setting, and we consider a variant based on special soundness (see Definition 5), which is first reduced to the soundness as recalled below.

Definition 11

(Soundness). Let \(\textsf{ID}= (\textsf{Igen},\textsf{P},\textsf{V})\) be an identification scheme. It is sound if for any PPT adversary \(\mathcal {A}\), the quantity

$$\begin{aligned} \Pr \Big [\textsf{V}(\textsf{vk},(w,c,z)) = 1~|~(w,c,z)\leftarrow \mathcal {A}(\textsf{vk})\Big ] \end{aligned}$$

is \(\textsf{negl}(\lambda )\), where the probability is over the choice of \(\textsf{vk}\) and the coins of \(\mathcal {A}\).

We recall the Reset Lemma, which is a standard reduction between soundness and special soundness.

Lemma 9

(Reset Lemma [BP02]). Let \(\textsf{ID}= (\textsf{Igen},\textsf{P},\textsf{V})\) be an identification scheme. Given any adversary \(\mathcal {A}\) against the soundness of \(\textsf{ID}\), there exists an adversary \(\mathcal {B}\) against the special soundness of \(\textsf{ID}\) such that

$$\begin{aligned} \textsf{Adv}^{\mathsf {special-sound}}(\mathcal {B})\ge \left( \textsf{Adv}^{\textsf{sound}}(\mathcal {A})-\frac{1}{| \mathcal {C} |}\right) ^2. \end{aligned}$$

While this result is folklore, we finally show that special soundness implies EU-NMA security in the ROM.

Lemma 10

Let \(\textsf{ID}\) be an identification scheme and H a hash function modeled as a random oracle. For any adversary \(\mathcal {A}\) against the EU-NMA security of \(\textsf{FS}[\textsf{ID},H]\) making \(Q_H\) classical hash queries, there exists an adversary \(\mathcal {B}\) against the special soundness of \(\textsf{ID}\) such that:

$$\begin{aligned} \textsf{Adv}^{\mathsf {EU-NMA}}(\mathcal {A})\le Q_H \cdot \left( \sqrt{\textsf{Adv}^{\mathsf {special-sound}}(\mathcal {B})}+\frac{2}{| \mathcal {C} |}\right) . \end{aligned}$$

Proof

We first reduce the soundness of \(\textsf{ID}\) to the EU-NMA security of \(\textsf{FS}[\textsf{ID},H]\). First, if \(\mathcal {A}\) outputs a forgery \((\mu ^*,(c^*,z^*))\) such that \(H(\textsf{Rec}(\textsf{vk},c^*,z^*),\mu ^*)\) was never queried, it has probability at most \(1/| \mathcal {C} |\) of outputting a valid forgery.

The reduction \(\mathcal {B}'\) guesses the hash query \(H(w^*,\mu ^*)\) made by \(\mathcal {A}\) which is used in \(\mathcal {A}\)’s forgery. When this query is made, \(\mathcal {B}'\) answers it by running sending \(w^*\) as commitments to its challenger. The latter replies with a challenge \(c^*\) and \(\mathcal {B}'\) programs \(H(w^*,\mu ^*)\) as \(c^*\). With probability \(1/Q_H\), \(\mathcal {B}'\)’s guess is correct and the adversary \(\mathcal {A}\) halts with a forgery \((\mu ^*,(c^*,z^*))\) with \(\textsf{Rec}(\textsf{vk},c^*,z^*) = w^*\). We then have

$$ \textsf{Adv}^{\textsf{sound}}(\mathcal {B}')\ge \frac{1}{Q_H} \cdot \textsf{Adv}^{\mathsf {EU-NMA}}(\mathcal {A})-1/| \mathcal {C} | . $$

Finally, Lemma 9 gives an adversary \(\mathcal {B}\) against the special soundness such that

$$\begin{aligned} \textsf{Adv}^{\mathsf {special-sound}}(\mathcal {B})\ge \left( \textsf{Adv}^{\textsf{sound}}(\mathcal {B}')-\frac{1}{| \mathcal {C} |}\right) ^2, \end{aligned}$$

which completes the proof.    \(\square \)

B Related Work

In Fig. 7, we give a simplified version of the Eagle signature scheme described in [YJW23] (with our notations from Sect. 4 and an extra parameter \(\gamma '>0\)). Minor differences with the scheme from Fig. 4 include the facts that Eagle works in the ring setting as opposed to the module setting, that a parameterizable integer p is considered while we work with \(p=2\), and that the RLWE sample from Eagle is computed modulo \(Q=pq\), while we use MLWE samples computed modulo q. The exact signing algorithm from [YJW23] is omitting some elements of the final vector \(\textbf{z}\) to optimize compactness, but we do not consider this optimization to better illustrate the relationship with \(\mathsf {G+G}\). Moreover, as usual in hash-and-sign schemes, the message is padded using some salt, chosen as a uniform 320-bit long bitstring.

Fig. 7.

Simplified Eagle Signature Scheme.

We now explain how to decompose Eagle as an instance of \(\mathsf {G+G}\) with a specific hash function, as well as the differences that arise during verification due to this hash function, following the steps of [CLMQ21]. The instance of the hash function H that turns the signing algorithm of \(\mathsf {G+G}\) into a simplified version of Eagle is described in Steps 3, 4 and 5 of the signing algorithm from Fig. 7. It proceeds as follows. On input \(w\in \mathcal {R}\), \(\mu \) and \(\textsf{salt}\), the function H computes a target \(u=H'(\mu ,\textsf{salt})\) using another hash function \(H'\) and sets \(u'=u-w\). The challenge is then \(\lfloor u'\rceil _q\), i.e., a rounding of \(u'\) to the \(q\mathcal {R}\) lattice.

The verification algorithm differs substantially due to the fact that \(\textsf{Verify}\) is aware of the inner workings of the hash function. It knows in particular that \(\textbf{Az} = \textbf{Ay} + qc\bmod Q\approx u\). However, the challenge c is omitted from the signature and instead of checking that \(H(\textbf{Az}-qc,\mu ,\textsf{salt})=c\), it checks that \(u-\textbf{Az}\) is sufficiently short, i.e., has norm smaller than \(\gamma '\). While this check is less accurate than recomputing the hash value, it allows one to omit c in the signature, hence reducing its size. Finally, the verification algorithm also checks that \(\textbf{z}\) has norm \(\le \gamma \), as in Fig. 4.