Abstract
We describe an adaptation of Schnorr’s signature to the lattice setting, which relies on Gaussian convolution rather than on flooding or rejection sampling as in previous approaches. It does not involve any abort, can be proved secure in the ROM and QROM using existing analyses of the Fiat-Shamir transform, and enjoys smaller signature sizes (both asymptotically and for concrete security levels).
Notes
1. As our key generation algorithm outputs a \(\textbf{A}\) with \(2\textbf{I}_m\), what we cut is cyclically bit-shifted.
References
Agrawal, S., Stehlé, D., Yadav, A.: Round-optimal lattice-based threshold signatures, revisited. In: ICALP (2022)
Barbosa, M., et al.: Fixing and mechanizing the security proof of Fiat-Shamir with aborts and Dilithium. In: CRYPTO (2023)
Behnia, R., Chen, Y., Masny, D.: On removing rejection conditions in practical lattice-based signatures. In: Cheon, J.H., Tillich, J.-P. (eds.) PQCrypto 2021. LNCS, vol. 12841, pp. 380–398. Springer, Cham (2021). https://doi.org/10.1007/978-3-030-81293-5_20
Boneh, D., Freeman, D.M.: Linearly homomorphic signatures over binary fields and new tools for lattice-based signatures. In: Catalano, D., Fazio, N., Gennaro, R., Nicolosi, A. (eds.) PKC 2011. LNCS, vol. 6571, pp. 1–16. Springer, Heidelberg (2011). https://doi.org/10.1007/978-3-642-19379-8_1
Bai, S., Galbraith, S.D.: An improved compression technique for signatures based on learning with errors. In: Benaloh, J. (ed.) CT-RSA 2014. LNCS, vol. 8366, pp. 28–47. Springer, Cham (2014). https://doi.org/10.1007/978-3-319-04852-9_2
Brakerski, Z., Gentry, C., Vaikuntanathan, V.: (Leveled) fully homomorphic encryption without bootstrapping. In: ITCS (2012)
Brakerski, Z., Langlois, A., Peikert, C., Regev, O., Stehlé, D.: Classical hardness of learning with errors. In: STOC (2013)
Mera, J.M.B., Karmakar, A., Marc, T., Soleimanian, A.: Efficient lattice-based inner-product functional encryption. In: Hanaoka, G., Shikata, J., Watanabe, Y. (eds.) PKC 2022. LNCS, vol. 13178, pp. 163–193. Springer, Cham (2022). https://doi.org/10.1007/978-3-030-97131-1_6
Bellare, M., Palacio, A.: GQ and Schnorr identification schemes: proofs of security against impersonation under active and concurrent attacks. In: Yung, M. (ed.) CRYPTO 2002. LNCS, vol. 2442, pp. 162–177. Springer, Heidelberg (2002). https://doi.org/10.1007/3-540-45708-9_11
Cheon, J.H., et al.: HAETAE: shorter lattice-based Fiat-Shamir signatures. Cryptology ePrint Archive (2023). https://ia.cr/2023/624
Chen, Y., Lombardi, A., Ma, F., Quach, W.: Does Fiat-Shamir require a cryptographic hash function? In: Malkin, T., Peikert, C. (eds.) CRYPTO 2021. LNCS, vol. 12828, pp. 334–363. Springer, Cham (2021). https://doi.org/10.1007/978-3-030-84259-8_12
Ducas, L., Durmus, A., Lepoint, T., Lyubashevsky, V.: Lattice signatures and bimodal Gaussians. In: Canetti, R., Garay, J.A. (eds.) CRYPTO 2013. LNCS, vol. 8042, pp. 40–56. Springer, Heidelberg (2013). https://doi.org/10.1007/978-3-642-40041-4_3
Devevey, J., Fawzi, O., Passelègue, A., Stehlé, D.: On rejection sampling in Lyubashevsky’s signature scheme. In: Agrawal, S., Lin, D. (eds.) ASIACRYPT 2022. LNCS, vol. 13794, pp. 34–64. Springer, Cham (2022)
Devevey, J., Fallahpour, P., Passelègue, A., Stehlé, D.: A detailed analysis of Fiat-Shamir with aborts. In: CRYPTO (2023)
Ducas, L., et al.: CRYSTALS-Dilithium: a lattice-based digital signature scheme. IACR TCHES (2018)
Damgård, I., Pastro, V., Smart, N., Zakarias, S.: Multiparty computation from somewhat homomorphic encryption. In: Safavi-Naini, R., Canetti, R. (eds.) CRYPTO 2012. LNCS, vol. 7417, pp. 643–662. Springer, Heidelberg (2012). https://doi.org/10.1007/978-3-642-32009-5_38
Ducas, L.: Accelerating BLISS: the geometry of ternary polynomials. Cryptology ePrint Archive (2014). https://ia.cr/2014/874
Espitau, T., Tibouchi, M., Wallet, A., Yu, Y.: Shorter hash-and-sign lattice-based signatures. In: Dodis, Y., Shrimpton, T. (eds.) CRYPTO 2022. LNCS, vol. 13508, pp. 245–275. Springer, Cham (2022). https://doi.org/10.1007/978-3-031-15979-4_9
Fiat, A., Shamir, A.: How to prove yourself: practical solutions to identification and signature problems. In: Odlyzko, A.M. (ed.) CRYPTO 1986. LNCS, vol. 263, pp. 186–194. Springer, Heidelberg (1987). https://doi.org/10.1007/3-540-47721-7_12
Grilo, A.B., Hövelmanns, K., Hülsing, A., Majenz, C.: Tight adaptive reprogramming in the QROM. In: Tibouchi, M., Wang, H. (eds.) ASIACRYPT 2021. LNCS, vol. 13090, pp. 637–667. Springer, Cham (2021). https://doi.org/10.1007/978-3-030-92062-3_22
Gentry, C., Peikert, C., Vaikuntanathan, V.: Trapdoors for hard lattices and new cryptographic constructions. In: STOC (2008)
Klein, P.N.: Finding the closest lattice vector when it’s unusually close. In: SODA (2000)
Kiltz, E., Lyubashevsky, V., Schaffner, C.: A concrete treatment of Fiat-Shamir signatures in the quantum random-oracle model. In: Nielsen, J.B., Rijmen, V. (eds.) EUROCRYPT 2018. LNCS, vol. 10822, pp. 552–586. Springer, Cham (2018). https://doi.org/10.1007/978-3-319-78372-7_18
Langlois, A., Stehlé, D.: Worst-case to average-case reductions for module lattices. Designs, Codes and Cryptography (2015)
Lyubashevsky, V.: Fiat-Shamir with aborts: applications to lattice and factoring-based signatures. In: Matsui, M. (ed.) ASIACRYPT 2009. LNCS, vol. 5912, pp. 598–616. Springer, Heidelberg (2009). https://doi.org/10.1007/978-3-642-10366-7_35
Lyubashevsky, V.: Lattice signatures without trapdoors. In: Pointcheval, D., Johansson, T. (eds.) EUROCRYPT 2012. LNCS, vol. 7237, pp. 738–755. Springer, Heidelberg (2012). https://doi.org/10.1007/978-3-642-29011-4_43
Micciancio, D., Regev, O.: Worst-case to average-case reductions based on Gaussian measures. SIAM J. Comput. 37(1), 267–302 (2007)
Regev, O.: On lattices, learning with errors, random linear codes, and cryptography. J. ACM 56(6), 1–40 (2009)
Schnorr, C.-P.: Efficient signature generation by smart cards. J. Cryptol. 4, 161–174 (1991)
van Erven, T., Harremoës, P.: Rényi divergence and Kullback-Leibler divergence. IEEE Trans. Inf. Theory 60(7), 3797–3820 (2014)
Yu, Y., Jia, H., Wang, X.: Compact lattice gadget and its applications to hash-and-sign signatures. In: CRYPTO (2023)
Zheng, Z., Xu, G., Zhao, C.: Discrete Gaussian measures and new bounds of the smoothing parameter for lattices. Cryptology ePrint Archive (2018). https://ia.cr/2018/786
Acknowledgment
This work was supported by the France 2030 ANR Project ANR-22-PECY-003 SecureCompute, the France 2030 ANR Project ANR-22-PETQ-0008 PQ-TLS and the AMIRAL ANR grant (ANR-21-ASTR-0016).
Appendices
A The Fiat-Shamir Transform
In this section, we recall the Fiat-Shamir transform, which turns an identification scheme into a digital signature scheme. It removes interaction by sampling the challenge as a hash function evaluation \(H(w,\mu )\), with w the prover’s commitment and \(\mu \) the signed message. The hash function is then modeled as a random oracle in the analysis. The signature is the pair (w, z), which is verified by checking the validity of the transcript \((w,H(w,\mu ),z)\).
As the challenge c is typically much shorter than w, it is desirable to replace w by c in the signature. This is possible if the underlying identification scheme is commitment-recoverable (see Definition 2). Verification then simply starts by recovering \(w \leftarrow \textsf{Rec}(\textsf{vk},c,z)\). Our protocol satisfies this property, thus we describe the signature obtained by applying this version of the Fiat-Shamir transform. See Fig. 6.
For the sake of completeness, we state the following lemma arguing correctness of the signature scheme \(\textsf{FS}[\textsf{ID},H]\), which immediately follows from the completeness and commitment-recoverability of the underlying identification scheme.
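As an added illustration (not code from the paper), the commitment-recoverable variant of the transform described above, instantiated on the classical Schnorr identification scheme that \(\mathsf {G+G}\) adapts: the signature is \((c, z)\), and verification recovers \(w \leftarrow \textsf{Rec}(\textsf{vk},c,z) = g^z\cdot \textsf{vk}^{-c}\) before checking \(H(w,\mu ) = c\). The group parameters are constructed toy values (a 14-bit safe prime), and SHA-256 reduced modulo q stands in for the random oracle.

```python
import hashlib
import secrets

# Toy parameters, constructed for illustration only and far too small for real use:
# P is a safe prime and Q = (P-1)/2 is the prime order of the subgroup generated by G.
P = 10007
Q = 5003
G = 4  # 2^2 mod P generates the order-Q subgroup of Z_P^*

def keygen():
    """IGen: secret key x, verification key vk = g^x."""
    x = secrets.randbelow(Q - 1) + 1
    return x, pow(G, x, P)

def hash_challenge(w, mu):
    """H(w, mu), the random oracle instantiated with SHA-256; challenge space C = Z_Q."""
    digest = hashlib.sha256(w.to_bytes(2, "big") + mu).digest()
    return int.from_bytes(digest, "big") % Q  # the mod-Q bias is negligible only for large Q

def sign(sk, mu):
    """FS[ID, H].Sign in the commitment-recoverable variant: output (c, z) instead of (w, z)."""
    y = secrets.randbelow(Q - 1) + 1  # prover's ephemeral randomness
    w = pow(G, y, P)                  # commitment
    c = hash_challenge(w, mu)         # challenge replaces the verifier's message
    z = (y + c * sk) % Q              # response
    return c, z

def rec(vk, c, z):
    """Rec(vk, c, z) = g^z * vk^(-c) = g^(y + c x) * g^(-c x) = g^y = w."""
    return pow(G, z, P) * pow(vk, (-c) % Q, P) % P

def verify(vk, mu, sig):
    """Recover w, then check validity of the transcript (w, H(w, mu), z), i.e. H(w, mu) == c."""
    c, z = sig
    if not (0 <= c < Q and 0 <= z < Q):
        return False
    w = rec(vk, c, z)
    return hash_challenge(w, mu) == c
```

A signature whose hash H(Rec(vk, c, z), mu) was never evaluated by the signer verifies only if the hash happens to equal c, i.e. with probability 1/|C| = 1/Q here, which is the term appearing in the proof of Lemma 10 below.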
Lemma 8
Let \(\textsf{ID}= (\textsf{IGen},\textsf{P},\textsf{V})\) denote an identification scheme. Further assume that \(\textsf{ID}\) is \(\varepsilon \)-complete and commitment-recoverable. Then the signature scheme \(\textsf{FS}[\textsf{ID},H]\) described in Fig. 6 is \(\varepsilon \)-correct in the ROM.
Security of \(\textsf{FS}[\textsf{ID},H]\) can be proven by successive claims. First, one can reduce EU-CMA security of \(\textsf{FS}[\textsf{ID},H]\) to its EU-NMA security assuming \(\textsf{ID}\) has large commitment min-entropy and is honest-verifier zero-knowledge (see Definition 3). This can be shown by relying on the following theorem.
Theorem 6
(Adapted from [GHHM21], Theorem 3). Let \(\textsf{ID}\) be an identification scheme which has \(\alpha \)-min-entropy and satisfies \(\varepsilon \)-statistical HVZK. Let H be a hash function modeled as a random oracle. Then, for any (possibly quantum) adversary \(\mathcal {A}\) against the EU-CMA security of \(\textsf{FS}[\textsf{ID},H]\) making at most \(Q_S\) (classical) sign queries and at most \(Q_H\) (possibly quantum) hash queries, there exists an adversary \(\mathcal {B}\) against the EU-NMA security of \(\textsf{FS}[\textsf{ID},H]\) such that:
Furthermore, if \(\textsf{ID}\) is \((1+\varepsilon )\)-divergence HVZK, the following bound applies:
The result can be adapted to sEU-CMA security by adding \(Q_S2^{-\alpha }\) to the bounds.
It remains to prove EU-NMA-security to conclude the security analysis, which can be argued via the following statement for lossy identification schemes (see Definition 4).
Theorem 7
([KLS18], Theorem 3.4). Let \(\textsf{ID}\) be a lossy identification scheme satisfying \(\varepsilon _{\textsf{ls}}\)-lossy soundness for some \(\varepsilon _\textsf{ls}>0\). Let H be a hash function modeled as a random oracle. For any (possibly quantum) adversary \(\mathcal {A}\) against the EU-NMA security of \(\textsf{FS}[\textsf{ID},H]\) making at most \(Q_H\) (possibly quantum) hash queries, there exists a quantum adversary \(\mathcal {B}\) against the lossiness of \(\textsf{ID}\) such that
Finally, we describe a reduction in the (classical) ROM which relies on weaker properties than the above QROM reduction. Various folklore reductions are known in this setting; we consider a variant based on special soundness (see Definition 5), to which soundness is first reduced, as recalled below.
Definition 11
(Soundness). Let \(\textsf{ID}= (\textsf{IGen},\textsf{P},\textsf{V})\) be an identification scheme. It is sound if for any PPT adversary \(\mathcal {A}\), the quantity
is \(\textsf{negl}(\lambda )\), where the probability is over the choice of \(\textsf{vk}\) and the coins of \(\mathcal {A}\).
We recall the Reset Lemma, which is a standard reduction between soundness and special soundness.
Lemma 9
(Reset Lemma [BP02]). Let \(\textsf{ID}= (\textsf{IGen},\textsf{P},\textsf{V})\) be an identification scheme. Given any adversary \(\mathcal {A}\) against the soundness of \(\textsf{ID}\), there exists an adversary \(\mathcal {B}\) against the special soundness of \(\textsf{ID}\) such that
While this result is folklore, we finally show that special soundness implies EU-NMA security in the ROM.
Lemma 10
Let \(\textsf{ID}\) be an identification scheme and H a hash function modeled as a random oracle. For any adversary \(\mathcal {A}\) against the EU-NMA security of \(\textsf{FS}[\textsf{ID},H]\) making \(Q_H\) classical hash queries, there exists an adversary \(\mathcal {B}\) against the special soundness of \(\textsf{ID}\) such that:
Proof
We first reduce the soundness of \(\textsf{ID}\) to the EU-NMA security of \(\textsf{FS}[\textsf{ID},H]\). First, if \(\mathcal {A}\) outputs a forgery \((\mu ^*,(c^*,z^*))\) such that \(H(\textsf{Rec}(\textsf{vk},c^*,z^*),\mu ^*)\) was never queried, it has probability at most \(1/| \mathcal {C} |\) of outputting a valid forgery.
The reduction \(\mathcal {B}'\) guesses which hash query \(H(w^*,\mu ^*)\) made by \(\mathcal {A}\) is the one used in \(\mathcal {A}\)’s forgery. When this query is made, \(\mathcal {B}'\) answers it by sending \(w^*\) as its commitment to its challenger. The latter replies with a challenge \(c^*\), and \(\mathcal {B}'\) programs \(H(w^*,\mu ^*)\) as \(c^*\). With probability \(1/Q_H\), \(\mathcal {B}'\)’s guess is correct and the adversary \(\mathcal {A}\) halts with a forgery \((\mu ^*,(c^*,z^*))\) with \(\textsf{Rec}(\textsf{vk},c^*,z^*) = w^*\). We then have
Finally, Lemma 9 gives an adversary \(\mathcal {B}\) against the special soundness such that
which completes the proof. \(\square \)
B Related Work
In Fig. 7, we give a simplified version of the Eagle signature scheme described in [YJW23] (with our notation from Sect. 4 and an extra parameter \(\gamma '>0\)). Minor differences with the scheme from Fig. 4 include the facts that Eagle works in the ring setting as opposed to the module setting, that a parameterizable integer p is considered while we work with \(p=2\), and that the RLWE sample from Eagle is computed modulo \(Q=pq\), while we use MLWE samples computed modulo q. The exact signing algorithm from [YJW23] omits some elements of the final vector \(\textbf{z}\) to optimize compactness, but we do not consider this optimization, to better illustrate the relationship with \(\mathsf {G+G}\). Moreover, as usual in hash-and-sign schemes, the message is padded using a salt, chosen as a uniform 320-bit long bitstring.
We now explain how to decompose Eagle as an instance of \(\mathsf {G+G}\) with a specific hash function, as well as the differences that arise during verification due to this hash function, following the steps of [CLMQ21]. The instance of the hash function H that turns the signing algorithm of \(\mathsf {G+G}\) into a simplified version of Eagle is described in Steps 3, 4 and 5 of the signing algorithm from Fig. 7. It proceeds as follows. On input \(w\in \mathcal {R}\), \(\mu \) and \(\textsf{salt}\), the function H computes a target \(u=H'(\mu ,\textsf{salt})\) using another hash function \(H'\) and sets \(u'=u-w\). The challenge is then \(\lfloor u'\rceil _q\), i.e., a rounding of \(u'\) to the \(q\mathcal {R}\) lattice.
The verification algorithm differs substantially due to the fact that \(\textsf{Verify}\) is aware of the inner workings of the hash function. It knows in particular that \(\textbf{Az} = \textbf{Ay} + qc\bmod Q\approx u\). However, the challenge c is omitted from the signature and instead of checking that \(H(\textbf{Az}-qc,\mu ,\textsf{salt})=c\), it checks that \(u-\textbf{Az}\) is sufficiently short, i.e., has norm smaller than \(\gamma '\). While this check is less accurate than recomputing the hash value, it allows one to omit c in the signature, hence reducing its size. Finally, the verification algorithm also checks that \(\textbf{z}\) has norm \(\le \gamma \), as in Fig. 4.
© 2023 International Association for Cryptologic Research
Devevey, J., Passelègue, A., Stehlé, D. (2023). G+G: A Fiat-Shamir Lattice Signature Based on Convolved Gaussians. In: Guo, J., Steinfeld, R. (eds) Advances in Cryptology – ASIACRYPT 2023. ASIACRYPT 2023. Lecture Notes in Computer Science, vol 14444. Springer, Singapore. https://doi.org/10.1007/978-981-99-8739-9_2
DOI: https://doi.org/10.1007/978-981-99-8739-9_2
Publisher Name: Springer, Singapore
Print ISBN: 978-981-99-8738-2
Online ISBN: 978-981-99-8739-9