
Two-Round n-out-of-n and Multi-Signatures and Trapdoor Commitment from Lattices

  • Research Article
  • Journal of Cryptology

Abstract

Although they have been studied for a long time, distributed signature protocols have garnered renewed interest in recent years in view of novel applications to topics like blockchains. Most recent works have focused on distributed versions of ECDSA or variants of Schnorr signatures; in particular, little attention has been given to constructions based on post-quantum secure assumptions like the hardness of lattice problems. A few lattice-based threshold signature and multi-signature schemes have been proposed in the literature, but they either rely on hash-and-sign lattice signatures (which tend to be comparatively inefficient), use expensive generic transformations, or only come with incomplete security proofs. In this paper, we construct several lattice-based distributed signing protocols with low round complexity following the Fiat–Shamir with Aborts (FSwA) paradigm of Lyubashevsky (Asiacrypt 2009). Our protocols can be seen as distributed variants of the fast Dilithium-G signature scheme, and the full security proof can be made assuming the hardness of the module SIS and LWE problems. A key step to achieving security (unexplained in some earlier papers) is to prevent the leakage that can occur when parties abort after their first message—which can inevitably happen in the Fiat–Shamir with Aborts setting. We manage to do so using homomorphic commitments. Exploiting the similarities between FSwA and Schnorr-style signatures, our approach makes the most of observations from recent advancements in the discrete log setting, such as Drijvers et al.’s seminal work on two-round multi-signatures (S&P 2019). In particular, we observe that the use of commitment not only resolves the subtle issue with aborts, but also makes it possible to realize secure two-round n-out-of-n distributed signing and multi-signature in the plain public key model, by equipping the commitment with a trapdoor feature. The construction of a suitable trapdoor commitment from lattices is a side contribution of this paper.




Notes

  1. It is still an open question whether the aborts issue can instead be resolved by careful parameter choice, allowing one to simulate the rejected transcripts without any additional assumptions, but we are aware of ongoing work in this direction. If the question is answered in the affirmative, our three-round protocol could be proven secure even without a commitment. However, the use of homomorphic commitment is crucial for constructing our new two-round protocols, which is our main contribution.

  2. We include this for completeness since, while the three-round protocol itself is not novel, to the best of our knowledge there has been no publicly available complete security proof solely relying on Module-LWE.

  3. We remark that the “commitments” generated by \({\mathsf {H}}_1\) and \({\mathsf {H}}_2\) in Fig. 6 are not randomized, and therefore they are not hiding. In our protocol, however, all committed values have high min-entropy and this is indeed sufficient for the security proof to hold. Alternatively, one could cheaply turn them into full-fledged secure and extractable commitments by additionally hashing random strings that are to be sent out during the opening phase [80].

  4. To be more precise, since the verification bound scales as \(n^{3/2}\), one should also increase q by the same bound to avoid arithmetic overflow. This makes the \(\mathsf {MSIS}_{}\) problem harder, but the \(\mathsf {MLWE}_{}\) easier if the dimension is kept unchanged. To keep the same security level, one should therefore also increase N by a factor of \(1+O(\frac{\log n}{\log q_0})\) where \(q_0\) is the value of q in the single-user setting. Therefore, one could in principle argue that signature size actually scales as \(O(\log ^2 n)\). However, one typically chooses \(q_0 > 2^{20}\), and therefore even in settings with billions of parties, \(\frac{\log n}{\log q_0} < 2\). Thus, one can effectively regard N as independent of n.

  5. This condition could actually be relaxed somewhat by applying the result due to Nguyen [76].

References

  1. H.K. Alper, J. Burdges, Two-round trip Schnorr multi-signatures via delinearized witnesses. in CRYPTO 2021, Part I, vol. 12825 of LNCS, Virtual Event, (Springer, Heidelberg, 2021), pp. 157–188

  2. M. Abe, S. Fehr, Adaptively secure Feldman VSS and applications to universally-composable threshold cryptography. in CRYPTO 2004, vol. 3152 of LNCS, (Springer, Heidelberg, 2004), pp. 317–334

  3. M. Abdalla, P.-A. Fouque, V. Lyubashevsky, M. Tibouchi, Tightly secure signatures from lossy identification schemes. Journal of Cryptology, 29(3), 597–631, (2016)


  4. N. Bindel, S. Akleylek, E. Alkim, P.S.L.M. Barreto, J. Buchmann, E. Eaton, G. Gutoski, J. Kramer, P. Longa, H. Polat, J. E. Ricardini, G. Zanon, qTESLA. Technical report, National Institute of Standards and Technology, 2019. Available at https://csrc.nist.gov/projects/post-quantum-cryptography/round-2-submissions

  5. G. Barthe, S. Belaïd, T. Espitau, P.-A. Fouque, B. Grégoire, M. Rossi, M. Tibouchi, Masking the GLP lattice-based signature scheme at any order. in EUROCRYPT 2018, Part II, vol. 10821 of LNCS, (Springer, Heidelberg, 2018), pp. 354–384

  6. G. Barthe, S. Belaïd, T. Espitau, P.-A. Fouque, M. Rossi, and M. Tibouchi, GALACTICS: Gaussian sampling for lattice-based constant- time implementation of cryptographic signatures, revisited. in ACM CCS 2019, (ACM Press, 2019), pp. 2147–2164

  7. A. Bagherzandi, J.H. Cheon, S. Jarecki, Multisignatures secure under the discrete logarithm assumption and a generalized forking lemma. in ACM CCS 2008, (ACM Press, 2008), pp. 449–458

  8. F. Benhamouda, J. Camenisch, S. Krenn, V. Lyubashevsky, G. Neven, Better zero-knowledge proofs for lattice encryption and their application to group signatures. in ASIACRYPT 2014, Part I, vol. 8873 of LNCS, (Springer, Heidelberg, 2014), pp. 551–572

  9. M. Bellare, W. Dai, Chain reductions for multi-signatures and the HBMS scheme. in Advances in Cryptology - ASIACRYPT 2021 - 27th International Conference on the Theory and Application of Cryptology and Information Security, Singapore, December 6-10, 2021, Proceedings, Part IV, vol. 13093 of Lecture Notes in Computer Science, (Springer, 2021), pp. 650–678

  10. M. Bellare, H. Davis, F. Günther. Separate your domains: NIST PQC KEMs, oracle cloning and read-only indifferentiability. in EUROCRYPT 2020, Part II, vol. 12106 of LNCS, (Springer, Heidelberg, 2020), pp. 3–32

  11. C. Baum, I. Damgård, V. Lyubashevsky, S. Oechsner, C. Peikert, More efficient commitments from structured lattice assumptions. in SCN 18, vol. 11035 of LNCS, (Springer, Heidelberg, 2018), pp. 368–385

  12. D. Boneh, R. Gennaro, S. Goldfeder, A. Jain, S. Kim, P. M. R. Rasmussen, A. Sahai, Threshold cryptosystems from threshold fully homomorphic encryption. in CRYPTO 2018, Part I, vol. 10991 of LNCS, (Springer, Heidelberg, 2018), pp. 565–596

  13. F. Benhamouda, S. Krenn, V. Lyubashevsky, K. Pietrzak, Efficient zero-knowledge proofs for commitments from learning with errors over rings. in ESORICS 2015, Part I, vol. 9326 of LNCS, (Springer, Heidelberg, 2015), pp. 305–325

  14. R. Bendlin, S. Krehbiel, C. Peikert, How to share a lattice trapdoor: Threshold protocols for signatures and (H)IBE. in ACNS 13, vol. 7954 of LNCS, (Springer, Heidelberg, 2013), pp. 218–236

  15. J. Bootle, V. Lyubashevsky, G. Seiler, Algebraic techniques for short(er) exact lattice-based zero-knowledge proofs. in CRYPTO 2019, Part I, vol. 11692 of LNCS, (Springer, Heidelberg, 2019), pp. 176–202

  16. M. Bellare, G. Neven, Multi-signatures in the plain public-key model and a general forking lemma. in ACM CCS 2006, (ACM Press, 2006), pp. 390–399

  17. K. Boudgoust, A. Roux-Langlois, Compressed linear aggregate signatures based on module lattices. IACR Cryptol. ePrint Arch., p. 263, 2021

  18. S. Bettaieb, J. Schrek, Improved lattice-based threshold ring signature scheme. in Post-Quantum Cryptography - 5th International Workshop, PQCrypto 2013, (Springer, Heidelberg, 2013), pp. 34–51

  19. G. Castagnos, D. Catalano, F. Laguillaumie, F. Savasta, I. Tucker. Two-party ECDSA from hash proof systems and efficient instantiations. in CRYPTO 2019, Part III, vol. 11694 of LNCS, (Springer, Heidelberg, 2019), pp. 191–221

  20. G. Castagnos, D. Catalano, F. Laguillaumie, F. Savasta, I. Tucker. Bandwidth-efficient threshold EC-DSA. in PKC 2020, Part II, vol. 12111 of LNCS, (Springer, Heidelberg, 2020), pp. 266–296

  21. R. Canetti, R. Gennaro, S. Goldfeder, N. Makriyannis, U. Peled, UC non-interactive, proactive, threshold ECDSA with identifiable aborts. in ACM CCS 2020, (ACM Press, 2020), pp. 1769–1787

  22. D. Cash, D. Hofheinz, E. Kiltz, C. Peikert, Bonsai trees, or how to delegate a lattice basis. in EUROCRYPT 2010, vol. 6110 of LNCS, (Springer, Heidelberg, 2010), pp. 523–552

  23. R. Choi, K. Kim, Lattice-based multi-signature with linear homomorphism. in 2016 Symposium on Cryptography and Information Security (SCIS 2016), 2016

  24. P. Cayrel, R. Lindner, M. Rückert, R. Silva, A lattice-based threshold ring signature scheme. in LATINCRYPT 2010, vol. 6212 of LNCS, (Springer, 2010), pp. 255–272

  25. M. Ciampi, R. Ostrovsky, L. Siniscalchi, I. Visconti, Delayed-input non-malleable zero knowledge and multi-party coin tossing in four rounds. in TCC 2017, Part I, vol. 10677 of LNCS, (Springer, Heidelberg, 2017), pp. 711–742

  26. M. Ciampi, R. Ostrovsky, L. Siniscalchi, I. Visconti, Four-round concurrent non-malleable commitments from one-way functions. in CRYPTO 2017, Part II, vol. 10402 of LNCS, (Springer, Heidelberg, 2017), pp. 127–157

  27. M. Ciampi, G. Persiano, A. Scafuro, L. Siniscalchi, I. Visconti, Improved OR-composition of sigma-protocols. in TCC 2016-A, Part II, vol. 9563 of LNCS, (Springer, Heidelberg, 2016), pp. 112–141

  28. D. Cozzo, N. P. Smart, Sharing the LUOV: Threshold post-quantum signatures. in 17th IMA International Conference on Cryptography and Coding, vol. 11929 of LNCS, (Springer, Heidelberg, 2019), pp. 128–153

  29. I. Damgård, Efficient concurrent zero-knowledge in the auxiliary string model. in EUROCRYPT 2000, vol. 1807 of LNCS, (Springer, Heidelberg, 2000), pp. 418–430

  30. L. Ducas, A. Durmus, T. Lepoint, V. Lyubashevsky, Lattice signatures and bimodal Gaussians. in CRYPTO 2013, Part I, vol. 8042 of LNCS, (Springer, Heidelberg, 2013), pp. 40–56

  31. M. Drijvers, K. Edalatnejad, B. Ford, E. Kiltz, J. Loss, G. Neven, I. Stepanovs. On the security of two-round multi-signatures. in 2019 IEEE Symposium on Security and Privacy, (IEEE Computer Society Press, 2019), pp. 1084–1101

  32. Y. Doröz, J. Hoffstein, J.H. Silverman, B. Sunar, MMSAT: A scheme for multimessage multiuser signature aggregation. Cryptology ePrint Archive, Report 2020/520, 2020. https://eprint.iacr.org/2020/520

  33. I. Damgård, T.P. Jakobsen, J.B. Nielsen, J.I. Pagter, M.B. Østergaard, Fast threshold ECDSA with honest majority. in SCN 20, vol. 12238 of LNCS, (Springer, Heidelberg, 2020), pp. 382–400

  34. J. Doerner, Y. Kondi, E. Lee, a. shelat. Secure two-party threshold ECDSA from ECDSA assumptions. in 2018 IEEE Symposium on Security and Privacy, (IEEE Computer Society Press, 2018), pp. 980–997

  35. J. Doerner, Y. Kondi, E. Lee, a. shelat, Threshold ECDSA from ECDSA assumptions: The multiparty case. in 2019 IEEE Symposium on Security and Privacy, (IEEE Computer Society Press, 2019), pp. 1051–1066

  36. L. Ducas, T. Lepoint, V. Lyubashevsky, P. Schwabe, G. Seiler, D. Stehlé. CRYSTALS-Dilithium: Digital signatures from module lattices. 2018, https://repository.ubn.ru.nl/bitstream/handle/2066/191703/191703.pdf

  37. R. del Pino, V. Lyubashevsky, G. Seiler. Lattice-based group signatures and zero-knowledge proofs of automorphism stability. in ACM CCS 2018, (ACM Press, 2018), pp. 574–591

  38. L. Ducas, D. Micciancio, Improved short lattice signatures in the standard model. in CRYPTO 2014, Part I, vol. 8616 of LNCS, (Springer, Heidelberg, 2014), pp. 335–352

  39. A.P.K. Dalskov, C. Orlandi, M. Keller, K. Shrishak, H. Shulman, Securing DNSSEC keys via threshold ECDSA from generic MPC. in ESORICS 2020, Part II, vol. 12309 of LNCS, (Springer, Heidelberg, 2020), pp. 654–673

  40. M.F. Esgin, O. Ersoy, Z. Erkin, Post-quantum adaptor signatures and payment channel networks. in ESORICS 2020, Part II, vol. 12309 of LNCS, (Springer, Heidelberg, 2020), pp. 378–397

  41. R. El Bansarkhani, J. Sturm, An efficient lattice-based multisignature scheme with applications to Bitcoins. in CANS 16, vol. 10052 of LNCS, (Springer, Heidelberg, 2016), pp. 140–155

  42. M.F. Esgin, R. Steinfeld, J.K. Liu, D. Liu, Lattice-based zero-knowledge proofs: New techniques for shorter and faster constructions and applications. in CRYPTO 2019, Part I, vol. 11692 of LNCS, (Springer, Heidelberg, 2019), pp. 115–146

  43. M. F. Esgin, R. Steinfeld, A. Sakzad, J. K. Liu, D. Liu, Short lattice-based one-out-of-many proofs and applications to ring signatures. in ACNS 19, vol. 11464 of LNCS, (Springer, Heidelberg, 2019), pp. 67–88

  44. M. Fukumitsu, S. Hasegawa. A tightly-secure lattice-based multisignature. in APKC@AsiaCCS 2019, (ACM, 2019), pp. 3–11

  45. M. Fukumitsu, S. Hasegawa, A lattice-based provably secure multisignature scheme in quantum random oracle model. in ProvSec 2020, vol. 12505 of LNCS, (Springer, Heidelberg, 2020), pp. 45–64

  46. R. Gennaro, S. Goldfeder, Fast multiparty threshold ECDSA with fast trustless setup. in ACM CCS 2018, (ACM Press, 2018), pp. 1179–1194

  47. R. Gennaro, S. Goldfeder, One round threshold ECDSA with identifiable abort. Cryptology ePrint Archive, Report 2020/540, 2020. https://eprint.iacr.org/2020/540

  48. R. Gennaro, S. Goldfeder, A. Narayanan, Threshold-optimal DSA/ECDSA signatures and an application to Bitcoin wallet security. in ACNS 16, vol. 9696 of LNCS, (Springer, Heidelberg, 2016), pp. 156–174

  49. R. Gennaro, S. Jarecki, H. Krawczyk, T. Rabin, Secure distributed key generation for discrete-log based cryptosystems. Journal of Cryptology, 20(1), 51–83, (2007).

  50. A. Gagol, J. Kula, D. Straszak, M. Swietek, Threshold ECDSA for decentralized asset custody. Cryptology ePrint Archive, Report 2020/498, (2020). https://eprint.iacr.org/2020/498

  51. T. Güneysu, V. Lyubashevsky, T. Pöppelmann, Practical lattice-based cryptography: A signature scheme for embedded systems. in CHES 2012, vol. 7428 of LNCS, (Springer, Heidelberg, 2012), pp. 530–547

  52. N. Genise, D. Micciancio, Faster Gaussian sampling for trapdoor lattices with arbitrary modulus. in EUROCRYPT 2018, Part I, vol. 10820 of LNCS, (Springer, Heidelberg, 2018), pp. 174–203

  53. C. Gentry, C. Peikert, V. Vaikuntanathan, Trapdoors for hard lattices and new cryptographic constructions. in 40th ACM STOC, (ACM Press, 2008), pp. 197–206

  54. C. Gentry, A. Sahai, B. Waters, Homomorphic encryption from learning with errors: Conceptually-simpler, asymptotically-faster, attribute-based. in CRYPTO 2013, Part I, vol. 8042 of LNCS, (Springer, Heidelberg, 2013), pp. 75–92

  55. S. Gorbunov, V. Vaikuntanathan, D. Wichs, Leveled fully homomorphic signatures from standard lattices. in 47th ACM STOC, (ACM Press, 2015), pp. 469–477

  56. N. Howgrave-Graham, A. Joux, New generic algorithms for hard knapsacks. in EUROCRYPT 2010, vol. 6110 of LNCS, (Springer, Heidelberg, 2010), pp. 235–256

  57. M. Kansal, R. Dutta, Round optimal secure multisignature schemes from lattice with public key aggregation and signature compression. in AFRICACRYPT 20, vol. 12174 of LNCS, (Springer, Heidelberg, 2020), pp. 281–300

  58. C. Komlo, I. Goldberg, FROST: Flexible round-optimized Schnorr threshold signatures. in Selected Areas in Cryptography - SAC 2020 - 27th International Conference, Halifax, NS, Canada (Virtual Event), October 21-23, 2020, Revised Selected Papers, vol. 12804 of Lecture Notes in Computer Science, (Springer, 2020), pp. 34–65

  59. E. Kiltz, V. Lyubashevsky, C. Schaffner, A concrete treatment of Fiat-Shamir signatures in the quantum random-oracle model. in EUROCRYPT 2018, Part III, vol. 10822 of LNCS, (Springer, Heidelberg, 2018), pp. 552–586

  60. V. Lyubashevsky, L. Ducas, E. Kiltz, T. Lepoint, P. Schwabe, G. Seiler, D. Stehlé, CRYSTALS-DILITHIUM. Technical report, National Institute of Standards and Technology, 2019. Available at https://csrc.nist.gov/projects/post-quantum-cryptography/round-2-submissions

  61. Y. Lindell, Fast secure two-party ECDSA signing. in CRYPTO 2017, Part II, vol. 10402 of LNCS, (Springer, Heidelberg, 2017), pp. 613–644

  62. Y. Lindell, A. Nof, Fast secure multiparty ECDSA with practical distributed key generation and applications to cryptocurrency custody. in ACM CCS 2018, (ACM Press, 2018), pp. 1837–1854

  63. B. Libert, K. Nguyen, B.H.M. Tan, H. Wang, Zero-knowledge elementary databases with more expressive queries. in PKC 2019, Part I, vol. 11442 of LNCS, (Springer, Heidelberg, 2019), pp. 255–285

  64. V. Lyubashevsky, C. Peikert, O. Regev, A toolkit for ring-LWE cryptography. in EUROCRYPT 2013, vol. 7881 of LNCS, (Springer, Heidelberg, 2013), pp. 35–54

  65. V. Lyubashevsky, G. Seiler, Short, invertible elements in partially splitting cyclotomic rings and applications to lattice-based zero-knowledge proofs. in EUROCRYPT 2018, Part I, vol. 10820 of LNCS, (Springer, Heidelberg, 2018), pp. 204–224

  66. Z.-Y. Liu, Y.-F. Tseng, R. Tso, Cryptanalysis of a round optimal lattice-based multisignature scheme. Cryptology ePrint Archive, Report 2020/1172, 2020. https://eprint.iacr.org/2020/1172

  67. V. Lyubashevsky, Fiat-Shamir with aborts: Applications to lattice and factoring-based signatures. in ASIACRYPT 2009, vol. 5912 of LNCS, (Springer, Heidelberg, 2009), pp. 598–616

  68. V. Lyubashevsky, Lattice signatures without trapdoors. in EUROCRYPT 2012, vol. 7237 of LNCS, (Springer, Heidelberg, 2012), pp. 738–755

  69. V. Lyubashevsky, Lattice-based zero-knowledge and applications. CIS 2019, 2019. https://crypto.sjtu.edu.cn/cis2019/slides/Vadim.pdf

  70. C. Ma, M. Jiang, Practical lattice-based multisignature schemes for blockchains. IEEE Access, 7, 179765–179778, (2019)


  71. S. Micali, K. Ohta, L. Reyzin, Accountable-subgroup multisignatures: Extended abstract. in ACM CCS 2001, (ACM Press, 2001), pp. 245–254

  72. D. Micciancio, C. Peikert, Trapdoors for lattices: Simpler, tighter, faster, smaller. in EUROCRYPT 2012, vol. 7237 of LNCS, (Springer, Heidelberg, 2012), pp. 700–718

  73. D. Micciancio, C. Peikert, Hardness of SIS and LWE with small parameters. in CRYPTO 2013, Part I, vol. 8042 of LNCS, (Springer, Heidelberg, 2013), pp. 21–39

  74. G. Maxwell, A. Poelstra, Y. Seurin, P. Wuille, Simple Schnorr multi-signatures with applications to Bitcoin. Des. Codes Cryptogr., 87(9), 2139–2164, (2019)

  75. C. Ma, J. Weng, Y. Li, R.H. Deng, Efficient discrete logarithm based multi-signature scheme in the plain public key model. Des. Codes Cryptogr., 54(2), 121–133, (2010)


  76. N.K. Nguyen, On the non-existence of short vectors in random module lattices. in ASIACRYPT 2019, Part II, vol. 11922 of LNCS, (Springer, Heidelberg, 2019), pp. 121–150

  77. A. Nicolosi, M.N. Krohn, Y. Dodis, D. Mazières, Proactive two-party signatures for user authentication. in NDSS 2003. (The Internet Society, 2003)

  78. J. Nick, T. Ruffing, Y. Seurin, MuSig2: Simple two-round Schnorr multi-signatures. in CRYPTO 2021, Part I, vol. 12825 of LNCS, Virtual Event, (Springer, Heidelberg, 2021), pp. 189–221

  79. J. Nick, T. Ruffing, Y. Seurin, P. Wuille, MuSig-DN: Schnorr multi-signatures with verifiably deterministic nonces. in ACM CCS 2020, (ACM Press, 2020), pp. 1717–1731

  80. R. Pass, On deniability in the common reference string and random oracle model. in CRYPTO 2003, vol. 2729 of LNCS, (Springer, Heidelberg, 2003), pp. 316–337

  81. T.P. Pedersen, Non-interactive and information-theoretic secure verifiable secret sharing. in CRYPTO’91, vol. 576 of LNCS, (Springer, Heidelberg, 1992), pp. 129–140

  82. C. Peikert, An efficient and parallel Gaussian sampler for lattices. in CRYPTO 2010, vol. 6223 of LNCS, (Springer, Heidelberg, 2010), pp. 80–97

  83. D. Pointcheval, J. Stern, Security arguments for digital signatures and blind signatures. Journal of Cryptology, 13(3), 361–396, (2000)


  84. C.-P. Schnorr, Efficient identification and signatures for smart cards. in CRYPTO’89, vol. 435 of LNCS, (Springer, Heidelberg, 1990), pp. 239–252

  85. D.R. Stinson, R. Strobl, Provably secure distributed Schnorr signatures and a \((t, n)\) threshold scheme for implicit certificates. in ACISP 01, vol. 2119 of LNCS, (Springer, Heidelberg, 2001), pp. 417–434

  86. E. Syta, I. Tamas, D. Visher, D.I. Wolinsky, P. Jovanovic, L. Gasser, N. Gailly, I. Khoffi, B. Ford, Keeping authorities “honest or bust” with decentralized witness cosigning. in 2016 IEEE Symposium on Security and Privacy, (IEEE Computer Society Press, 2016), pp. 526–545

  87. R. Toluee, T. Eghlidos, An efficient and secure ID-based multi-proxy multi-signature scheme based on lattice. Cryptology ePrint Archive, Report 2019/1031, 2019. https://eprint.iacr.org/2019/1031

  88. R. Tso, Z. Liu, Y. Tseng, Identity-based blind multisignature from lattices. IEEE Access, 7, 182916–182923, (2019)


  89. W.A. Torres, R. Steinfeld, A. Sakzad, V. Kuchta, Post-quantum linkable ring signature enabling distributed authorised ring confidential transactions in blockchain. Cryptology ePrint Archive, Report 2020/1121, 2020. https://eprint.iacr.org/2020/1121

  90. D. Wagner, A generalized birthday problem. in CRYPTO 2002, vol. 2442 of LNCS, (Springer, Heidelberg, 2002), pp. 288–303

  91. R. Yang, M. H. Au, Z. Zhang, Q. Xu, Z. Yu, W. Whyte, Efficient lattice-based zero-knowledge arguments with standard soundness: Construction and applications. in CRYPTO 2019, Part I, vol. 11692 of LNCS, (Springer, Heidelberg, 2019), pp. 147–175


Acknowledgements

We thank Carsten Baum, Cecilia Boschini and Shuichi Katsumata for their insightful comments and discussions. We are grateful for helpful suggestions by anonymous reviewers of PKC 2021 and Journal of Cryptology. This research was supported by: the Concordium Blockchain Research Center, Aarhus University, Denmark; the Carlsberg Foundation under the Semper Ardens Research Project CF18-112 (BCM); the European Research Council (ERC) under the European Unions’s Horizon 2020 research and innovation programme under grant agreement No 803096 (SPEC); the Danish Independent Research Council under Grant-ID DFF-6108-00169 (FoCC).

Author information

Corresponding author

Correspondence to Akira Takahashi.

Additional information

Communicated by Damien Stehlé

Publisher's Note

Springer Nature remains neutral with regard to jurisdictional claims in published maps and institutional affiliations.

An extended abstract appeared at PKC 2021. This is the full paper.

Appendices

Potential Wagner-like Attack on Naïve Two-round Protocols

Below we sketch a variant of the concurrent attack originally described by Drijvers et al. [31]. The original attack was against two-round discrete log-based multi-signatures including \(\mathsf {CoSi}\) [86] and \(\mathsf {BCJ}\) [7], but due to the very similar structure of FSwA lattice signatures an attack would become feasible against naïve two-round instantiations (albeit with sub-exponential computational costs due to reliance on a K-list sum algorithm). Since such naïve FSwA-based constructions do not exist in the literature, we do not go into details of the efficiency analysis of the concurrent attack. The attack sketched here should be treated as a motivating discussion about why our two-round protocols rely on a message-dependent commitment key in Figs. 6 and 13.

Attack on a naïve construction from Sect. 1.2. For simplicity we consider the attack on two-party signing, but the same strategy also works in a general n-party setting. Let \(\tilde{\mathbf {s}}_1\) and \(\mathbf {s}_2\) be the key shares of the adversary and the honest party, respectively, and let \(\mathbf {t} = {\bar{\mathbf {A}}} (\tilde{\mathbf {s}}_1+\mathbf {s}_2)\) be the combined public key. The adversary initiates \(K-1\) concurrent signing sessions on the same message \(\mu \). Then for each session \(i\in [K-1]\), the honest party submits \(\mathbf {w}_2^{(i)} = {\bar{\mathbf {A}}} \mathbf {y}_2^{(i)}\). Here the adversary does not immediately send back its own commitment share. Instead, by only interacting with the random oracle \({\mathsf {H}}_0\), the adversary tries to find a message \(\mu ^*\) and \(\tilde{\mathbf {w}}_1^{(1)},\ldots ,\tilde{\mathbf {w}}_1^{(K-1)}\in R_q^{k}\) such that the following holds.

$$\begin{aligned} c^* {:}{=}{\mathsf {H}}_0(\mathbf {w}^*, \mu ^*, pk ) = {\mathsf {H}}_0 (\tilde{\mathbf {w}}_1^{(1)} + \mathbf {w}_2^{(1)}, \mu , pk ) + ... + {\mathsf {H}}_0 (\tilde{\mathbf {w}}_1^{(K-1)} + \mathbf {w}_2^{(K-1)}, \mu , pk ) \end{aligned}$$

where the adversary defines \(\mathbf {w}^* {:}{=}\mathbf {w}_2^{(1)} + \ldots + \mathbf {w}_2^{(K-1)}\). Because the random oracle outputs consist of \(C=\{c\in \mathbb {Z}^N: \Vert c\Vert _1 = \kappa \wedge \Vert c\Vert _\infty = 1\}\), finding such inputs amounts to solving a variant of Wagner’s generalized birthday problem (GBP) [56, 90] instantiated over \((C, +)\), when K is chosen to be a power of two. (Note that in the discrete log setting GBP is instantiated over a group \((\mathbb {Z}_q, +)\).) Then the adversary resumes the pending sessions by sending back such \(\tilde{\mathbf {w}}_1^{(i)}\) for \(i\in [K-1]\). The honest signer for each session returns its signature share

$$\begin{aligned} \mathbf {z}_2^{(i)} = \mathbf {y}_2^{(i)} + c^{(i)} \mathbf {s}_2 \end{aligned}$$

where \(c^{(i)} = {\mathsf {H}}_0 (\tilde{\mathbf {w}}_1^{(i)} + \mathbf {w}_2^{(i)}, \mu , pk ) \). Finally the adversary outputs

$$\begin{aligned} \mathbf {z}^*&= \mathbf {z}_2^{(1)} + ... + \mathbf {z}_2^{(K-1)} + c^* \tilde{\mathbf {s}}_1 = \mathbf {y}_2^{(1)} + ... + \mathbf {y}_2^{(K-1)} + c^* (\tilde{\mathbf {s}}_1 + \mathbf {s}_2) \end{aligned}$$

as a forgery on \(\mu ^*\) together with \(\mathbf {w}^*\). Now let us check that \((\mathbf {w}^*, \mathbf {z}^*)\) satisfies the verification condition. Thanks to the collision found by a GBP solver, and by construction of \(\mathbf {w}^*\) and \(\mathbf {z}^*\), it holds that \(\bar{\mathbf {A}}\mathbf {z}^* - c^*\mathbf {t} = \mathbf {w}^*\). Note that the adversary must take extra care of the norm of \(\mathbf {z}^*\) by bounding the number of sessions \(K-1\): a small \(\Vert \mathbf {z}^*\Vert \) is part of the verification condition, while \(\Vert \mathbf {z}^*\Vert \) grows with K. There is thus a trade-off in the choice of K, since the larger K is, the lower the complexity of the GBP algorithm becomes. This also means that, since the norm bound in verification has to be increased according to n (see Sect. 3.2), the attack becomes more efficient in an n-party setting, where a larger K can be chosen when \(n-1\) parties are corrupt.

We also remark that the attack can be completed only when the honest party passes the rejection sampling simultaneously in all \(K-1\) concurrent sessions, because otherwise the attacker does not receive all \(\mathbf {z}_2^{(i)}\) values required for forgery. Hence, there is another trade-off here: If the success rate of rejection sampling is set low then the protocol has more round complexity, while it mitigates the concurrent attack, and vice versa.

Attack on a variant of \(\mathsf {DS}_2\) with fixed commitment key. When a single commitment key \( ck \) is reused for all signing attempts in \(\mathsf {DS}_2\) (Fig. 6) then a similar concurrent attack becomes applicable. This time for each session \(i\in [K-1]\), the honest party submits \( com _2^{(i)} = \mathsf {Commit}_ ck (\mathbf {w}_2^{(i)}; r_2^{(i)})\) where \(\mathbf {w}_2^{(i)} = {\bar{\mathbf {A}}} \mathbf {y}_2^{(i)}\). Then the adversary interacts with the random oracle \({\mathsf {H}}_0\) to find a message \(\mu ^*\) and \({\tilde{ com }}_1^{(1)},\ldots ,{\tilde{ com }}_1^{(K-1)}\in S_ com \) such that the following holds (with a GBP solver).

$$\begin{aligned}&c^* {:}{=}{\mathsf {H}}_0( com ^*, \mu ^*, pk ) \\&\quad = {\mathsf {H}}_0 ({\tilde{ com }}_1^{(1)} + com _2^{(1)}, \mu , pk ) + ... + {\mathsf {H}}_0 ({\tilde{ com }}_1^{(K-1)} + com _2^{(K-1)}, \mu , pk ) \end{aligned}$$

where the adversary defines \( com ^* {:}{=} com _2^{(1)} + \ldots + com _2^{(K-1)}\).

Then the adversary resumes the pending sessions by sending back such \({\tilde{ com }}_1^{(i)}\) for \(i\in [K-1]\). The honest signer for each session returns its signature share together with commitment opening \(r_2^{(i)}\)

$$\begin{aligned} \mathbf {z}_2^{(i)} = \mathbf {y}_2^{(i)} + c^{(i)} \mathbf {s}_2 \end{aligned}$$

where \(c^{(i)} = {\mathsf {H}}_0 ({\tilde{ com }}_1^{(i)} + com _2^{(i)}, \mu , pk ) \). Finally the adversary outputs

$$\begin{aligned} \mathbf {z}^*&= \mathbf {z}_2^{(1)} + ... + \mathbf {z}_2^{(K-1)} + c^* \tilde{\mathbf {s}}_1 = \mathbf {y}_2^{(1)} + ... + \mathbf {y}_2^{(K-1)} + c^* (\tilde{\mathbf {s}}_1 + \mathbf {s}_2)\\ r^*&= r_2^{(1)} + ... + r_2^{(K-1)} \end{aligned}$$

as a forgery on \(\mu ^*\) together with \( com ^*\). Thanks to the collision found by a GBP solver and due to the additive homomorphism of commitment, it holds that \(\mathsf {Open}_ ck ( com ^*,r^*,\bar{\mathbf {A}}\mathbf {z}^* - c^*\mathbf {t}) =1\).

If the protocol derives a per-message commitment key via a random oracle \({\mathsf {H}}_3:\{0,1\}^*\rightarrow S_{ck}\), as our protocols (as well as \(\mathsf {mBCJ}\)) do, the attack becomes nontrivial: now the tuple \(( com ^*, r^*, {\bar{\mathbf {A}}}\mathbf {z}^* - c^* \mathbf {t})\) has to be verified with respect to the message-dependent key \( ck ^*\leftarrow {\mathsf {H}}_3(\mu ^*, pk )\), which should not collide with \( ck \leftarrow {\mathsf {H}}_3(\mu , pk )\) thanks to the random oracle.
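The following Python example is added here and is not code from the paper: it uses a toy linear commitment over \(\mathbb {Z}_q\) (constructed for illustration, with no lattice hardness and no norm check on the randomness) to show the two facts the sketch above relies on. Under one fixed key, the sum of the honest party's commitments from several concurrent sessions opens to the summed \((r^*, \mathbf {w}^*)\) by additive homomorphism, whereas the same tuple does not open under a per-message key \( ck ^* = {\mathsf {H}}_3(\mu ^*, pk )\) for a different message; the functions `h3_key`, `commit`, `open_`, `aggregate_sessions` and all parameters are assumptions of this example.

```python
import hashlib
import random

# Toy parameters (constructed for illustration; not the paper's parameters).
Q = 8380417   # modulus used for the arithmetic only
K = 2         # length of a committed vector w (stands in for an element of R_q^k)
L = 3         # length of the commitment randomness r
ROWS = K + 1  # one randomness-only row plus K message rows, as in BDLOP-style commitments


def h3_key(mu: bytes, pk: bytes) -> list:
    """ck = H_3(mu, pk): a ROWS x L matrix over Z_q derived from a domain-separated hash.
    The random oracle H_3 of the paper is modelled by SHA-256 seeding a PRNG (assumption)."""
    seed = hashlib.sha256(b"H3|" + len(mu).to_bytes(4, "big") + mu + pk).digest()
    rng = random.Random(seed)
    return [[rng.randrange(Q) for _ in range(L)] for _ in range(ROWS)]


def commit(ck: list, w: list, r: list) -> list:
    """Commit_ck(w; r) = ck * r + (0, w) over Z_q. Linear in (w, r), so commitments under
    the same key add: Commit(w1; r1) + Commit(w2; r2) = Commit(w1 + w2; r1 + r2)."""
    assert len(w) == K and len(r) == L
    com = [sum(ck[i][j] * r[j] for j in range(L)) % Q for i in range(ROWS)]
    for i in range(K):
        com[i + 1] = (com[i + 1] + w[i]) % Q
    return com


def open_(ck: list, com: list, r: list, w: list) -> int:
    """Open_ck(com, r, w): 1 iff (r, w) is a valid opening of com under ck.
    (The short-norm check on r of a real lattice commitment is omitted in this toy.)"""
    return 1 if commit(ck, w, r) == com else 0


def vec_add(a: list, b: list) -> list:
    return [(x + y) % Q for x, y in zip(a, b)]


def aggregate_sessions(ck: list, num_sessions: int, seed: int = 7) -> tuple:
    """Honest party's first messages in num_sessions concurrent sessions on one message,
    com_2^(i) = Commit_ck(w_2^(i); r_2^(i)), summed into com*, r*, w* as in the sketch.
    The w and r values are constructed sample data, not outputs of a real signer."""
    rng = random.Random(seed)
    com_star, r_star, w_star = [0] * ROWS, [0] * L, [0] * K
    for _ in range(num_sessions):
        w = [rng.randrange(Q) for _ in range(K)]     # stands in for A * y_2^(i)
        r = [rng.randrange(1, 3) for _ in range(L)]  # small, nonzero commitment randomness
        com_star = vec_add(com_star, commit(ck, w, r))
        r_star = vec_add(r_star, r)
        w_star = vec_add(w_star, w)
    return com_star, r_star, w_star


def fixed_vs_per_message_key(mu: bytes, mu_star: bytes, pk: bytes, sessions: int = 3) -> tuple:
    """Returns (opens_under_fixed_key, opens_under_per_message_key).
    With one key ck reused for every message, the aggregated opening (com*, r*, w*) verifies:
    this is the homomorphism the concurrent attack exploits. With ck* = H_3(mu*, pk) the same
    tuple has to be verified under a key that differs from ck = H_3(mu, pk), and it fails."""
    ck = h3_key(mu, pk)
    com_star, r_star, w_star = aggregate_sessions(ck, sessions)
    under_fixed = open_(ck, com_star, r_star, w_star)
    ck_star = h3_key(mu_star, pk)
    under_per_message = open_(ck_star, com_star, r_star, w_star)
    return under_fixed, under_per_message


if __name__ == "__main__":
    print(fixed_vs_per_message_key(b"message mu", b"message mu*", b"pk-bytes"))
```

Only the verification-side consequence of the key choice is shown; the GBP search for colliding challenges that the sketch also needs is not part of the example.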

\(\mathsf {DS}_3\): Three-round Distributed Signature Protocol from Module-LWE

1.1 Protocol Specification and Overview

As an important stepping stone toward our main two-round constructions, we give a detailed description of a provably secure three-round n-out-of-n distributed signature protocol \(\mathsf {DS}_3=(\mathsf {Setup}, (\mathsf {Gen}_j)_{j\in [n]},(\mathsf {Sign})_{j\in [n]},\mathsf {Ver})\), formally specified in Fig. 16. Key generation and verification are identical to those of \(\mathsf {DS}_2\) (see Fig. 6). The protocol is built on top of an additively homomorphic commitment scheme \(\mathsf {COM}=(\mathsf {CSetup},\mathsf {CGen},\mathsf {Commit},\mathsf {Open})\) with uniform keys (see Sect. 2 for the formal definition); we describe concrete instances of \(\mathsf {COM}\) in Sect. 5.

      The only difference from \(\mathsf {DS}_2\) is that the signing protocol now involves an extra round in which participants first exchange a hash of \( com _j\) and later check that everyone knows the correct preimage. This is a standard technique used by Bellare and Neven [16] (and in its GLP-based variant [41]). The intuition behind this seemingly redundant step is analogous to that of the rogue-key attack: without it, the adversary might be able to adaptively choose a malicious \({\widetilde{ com }}\) after seeing the honest party’s share. However, this extra round can indeed be dropped by instantiating the protocol with a trapdoor commitment scheme (see Sect. 3). We remark that generating a per-message commitment key as in Sect. 3 is not necessary for the three-round protocol, and one could alternatively use a single fixed \( ck \leftarrow \mathsf {CGen}( cpp )\) generated by the trusted party. However, this step becomes crucial for the two-round protocols to be secure.
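      To make the round structure concrete, the following Python simulation of \(\mathsf {DS}_3\) is an added illustration written for this page; it is not the authors’ code and it deliberately simplifies. The ring is \(R_q=\mathbb {Z}_q\) (degree \(N=1\)), rejection sampling is Dilithium-style uniform rather than Dilithium-G Gaussian, \(\mathsf {COM}\) is a toy BDLOP-style linear commitment \((\mathbf {A}_1\mathbf {r},\mathbf {A}_2\mathbf {r}+\mathbf {x})\), the public matrix \(\mathbf {A}\) comes from a trusted setup and the commit-then-reveal key generation of Fig. 6 is omitted. All parameter values (Q, K, L, ETA, GAMMA, C_MAX, N_R) and function names are assumptions chosen for readability, not for security. What the code does show is the three rounds (hash \(h_j={\mathsf {H}}_4( com _j)\), reveal and preimage check, \(\mathbf {z}_j\) with rejection and restart), the per-message key \( ck \leftarrow {\mathsf {H}}_3(\mu , pk )\), and why verification succeeds: by additive homomorphism \(\sum _j com _j\) opens, with randomness \(\sum _j r_j\), to \(\sum _j\mathbf {w}_j={\bar{\mathbf {A}}}\mathbf {z}-c\mathbf {t}\).

```python
import hashlib
import random

# Toy parameters (assumptions for this illustration only; not secure).
Q = 8380417          # modulus; with ring degree N = 1, R_q is just Z_q
K, L = 3, 3          # A in Z_q^{K x L}; Abar = [A | I] is K x (L + K)
ETA = 1              # secret share coefficients lie in [-ETA, ETA]
GAMMA = 1 << 17      # mask y coefficients lie in [-GAMMA, GAMMA]
C_MAX = 255          # challenge set C = {0, ..., C_MAX}, so |c s|_inf <= C_MAX * ETA
N_R = 16             # commitment randomness r in {-1, 0, 1}^N_R

def H(domain, *parts):
    """Random oracles H0, H3, H4 modelled by domain-separated SHA-256."""
    h = hashlib.sha256(domain.encode())
    for p in parts:
        h.update(repr(p).encode())
    return h.digest()

def matvec(M, v): return [sum(a * b for a, b in zip(row, v)) % Q for row in M]
def vadd(u, v): return [(a + b) % Q for a, b in zip(u, v)]
def vsub(u, v): return [(a - b) % Q for a, b in zip(u, v)]
def inf_norm(v): return max(abs(a) for a in v)               # for signed short vectors
def abar_times(A, z1, z2): return vadd(matvec(A, z1), z2)    # Abar z = A z1 + z2

# COM: BDLOP-style Commit_ck(x; r) = (A1 r, A2 r + x), linear in (x, r).
def cgen(seed):
    """Uniform key ck = (A1, A2) from a seed, so that H3(mu, pk) can output one."""
    g = random.Random(int.from_bytes(seed, "big"))
    A1 = [[g.randrange(Q) for _ in range(N_R)] for _ in range(2)]
    A2 = [[g.randrange(Q) for _ in range(N_R)] for _ in range(K)]
    return A1, A2

def commit(ck, x, r): return (matvec(ck[0], r), vadd(matvec(ck[1], r), x))
def com_add(c, d): return (vadd(c[0], d[0]), vadd(c[1], d[1]))
def open_com(ck, com, r, x, r_bound):
    """Open_ck(com, r, x) = 1 iff r is short and the commitment recomputes."""
    return inf_norm(r) <= r_bound and commit(ck, x, r) == com

def setup():  # public A from a trusted setup (the paper's Fig. 6 derives it jointly)
    return [[random.randrange(Q) for _ in range(L)] for _ in range(K)]

def keygen(n, A):
    """P_j holds s_j = (s1_j, s2_j); the joint key is t = sum_j (A s1_j + s2_j)."""
    shares, t = [], [0] * K
    for _ in range(n):
        s1 = [random.randint(-ETA, ETA) for _ in range(L)]
        s2 = [random.randint(-ETA, ETA) for _ in range(K)]
        shares.append((s1, s2))
        t = vadd(t, abar_times(A, s1, s2))
    return shares, t

def challenge(com, mu, pk): return int.from_bytes(H("H0", com, mu, pk), "big") % (C_MAX + 1)

def round1(ck, A):
    """Sample (y_j, r_j), commit to w_j = Abar y_j, broadcast only h_j = H4(com_j)."""
    y1 = [random.randint(-GAMMA, GAMMA) for _ in range(L)]
    y2 = [random.randint(-GAMMA, GAMMA) for _ in range(K)]
    r = [random.randint(-1, 1) for _ in range(N_R)]
    com = commit(ck, abar_times(A, y1, y2), r)
    return (y1, y2, r, com), H("H4", com)

def round2(hs, coms):
    """Check every revealed com_i against h_i before using it, then combine."""
    for com, h in zip(coms, hs):
        if H("H4", com) != h:
            raise ValueError("revealed commitment does not match its round-1 hash")
    com_sum = coms[0]
    for com in coms[1:]:
        com_sum = com_add(com_sum, com)
    return com_sum

def round3(state, share, c):
    """z_j = y_j + c s_j with rejection sampling; None means 'abort, restart'."""
    y1, y2, r, _ = state
    s1, s2 = share
    z = [y + c * s for y, s in zip(y1 + y2, s1 + s2)]
    return None if inf_norm(z) > GAMMA - C_MAX * ETA else (z, r)

def sign(shares, A, t, mu):
    n, pk = len(shares), (A, t)
    ck = cgen(H("H3", mu, pk))                        # per-message commitment key
    while True:                                       # any rejection restarts all rounds
        states, hs = zip(*(round1(ck, A) for _ in range(n)))
        com = round2(hs, [st[3] for st in states])
        c = challenge(com, mu, pk)
        outs = [round3(st, sh, c) for st, sh in zip(states, shares)]
        if None in outs:
            continue
        z = [sum(col) for col in zip(*(o[0] for o in outs))]   # z = sum_j z_j
        r = [sum(col) for col in zip(*(o[1] for o in outs))]   # r = sum_j r_j
        return com, z, r

def verify(A, t, n, mu, sig):
    com, z, r = sig
    pk = (A, t)
    ck = cgen(H("H3", mu, pk))
    c = challenge(com, mu, pk)
    if inf_norm(z) > n * (GAMMA - C_MAX * ETA):       # B_n for n combined shares
        return False
    w = vsub(abar_times(A, z[:L], z[L:]), [c * ti % Q for ti in t])   # Abar z - c t
    return open_com(ck, com, r, w, n)                 # |sum_j r_j|_inf <= n
```

      A run is `shares, t = keygen(3, A)` followed by `sign(shares, A, t, mu)` and `verify(A, t, 3, mu, sig)`. Note that `round2` refuses to combine a revealed \( com _i\) whose hash differs from the round-1 value, which is exactly the check that lets a party commit to its own \( com _j\) before seeing anyone else’s; removing that round is what the trapdoor-commitment variant of Sect. 3 makes safe.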

1.2 Security

We give a security proof for \(\mathsf {DS}_3\) by instantiating the protocol with an unconditionally binding commitment scheme and by setting the parameters so that the underlying SIS problem becomes vacuously hard. Here we give a sketch of our proof. First, thanks to the computational hiding of \(\mathsf {COM}\), the oracle simulator can replace the commitment share \( com _n\) of the honest party \(P_n\) with a commitment to some random vector in \(R_q^k\) whenever it has to abort. For non-abort executions we can essentially invoke the special HVZK simulator of Algorithm 5 to answer the oracle queries from the adversary. Hence, we can indeed simulate the honest execution of \(P_n\).

      The core idea for proving soundness essentially follows the lossy identification technique of Abdalla et al. [3]; since the public key share \(\mathbf {t}_n\) of the honest signer is indistinguishable from a vector sampled uniformly at random from \(R_q^k\) under the LWE assumption, the oracle simulator can replace \(\mathbf {t}_n\) with such a vector (i.e. a lossy key). Moreover, thanks to the programmability and extractability of the random oracle commitments in the key generation phase, the oracle simulator can even sample the resulting combined public key \(\mathbf {t}\) from the uniform distribution in advance and set its share \(\mathbf {t}_n\) a posteriori depending on the other shares. Now, the unconditional binding of \(\mathsf {COM}\) guarantees that, except for a negligible fraction of the random choices of \( ck \), there cannot exist a commitment having two openings. (See Definition 4. Also recall that we defined a uniform key in Definition 5, so the keys given by the random oracle are perfectly indistinguishable from the ones output by \(\mathsf {CGen}\).) Finally, we argue that, for a random choice of the joint public key \((\mathbf {A},\mathbf {t})\), there cannot exist two valid transcripts that share the first message of the underlying \(\varSigma \)-protocol (i.e. \(\mathbf {w}\in R_q^k\)) except with negligible probability. In that case, the only way for an adversary to come up with a forgery is to be lucky enough to receive a specific challenge \(c\in C\) from the random oracle \({\mathsf {H}}_0\), which happens with probability 1/|C| per query.

      The last step of the security proof essentially follows the one for Dilithium-QROM given by Kiltz, Lyubashevsky and Schaffner [59], and we impose an additional condition on the modulus q so that polynomials of small norm are invertible in the ring \(R_q\) [65]. We also remark that Fukumitsu and Hasegawa [44] attempted a tight security reduction for their Dilithium-like three-round multi-signature scheme, although their proof disregards the simulation of rejected transcripts. Since the rest of their proof seems sound, one could patch it by applying an additively homomorphic commitment as we do, at the cost of reduction tightness, since the computational hiding of the commitment scheme must then be invoked.

Theorem 4

Suppose the commitment scheme \(\mathsf {COM}\) is unconditionally binding, computationally hiding, uniform, additively homomorphic, and the output of the committing algorithm \(\mathsf {Commit}\) has \(\xi \)-bit min-entropy. Assume the modulus q satisfies \(q=5\mod 8\), \(2B_n < \sqrt{q/2}\) and \(2\kappa <\sqrt{q/2}\). For any probabilistic polynomial-time adversary \(\mathcal {A}\) that initiates a single key generation protocol by querying \({\mathcal {O}}_n^{\mathsf {DS}_3}\) with \( sid = 0\), initiates \(Q_s\) signature generation protocols by querying \({\mathcal {O}}_n^{\mathsf {DS}_3}\) with \( sid \ne 0\), and makes \(Q_h\) queries in total to the random oracles \({\mathsf {H}}_0,{\mathsf {H}}_1,{\mathsf {H}}_2,{\mathsf {H}}_3,{\mathsf {H}}_4\), the protocol \(\mathsf {DS}_3=(\mathsf {Setup}, (\mathsf {Gen}_j)_{j\in [n]},(\mathsf {Sign})_{j\in [n]},\mathsf {Ver})\) is \(\mathsf {DS}\text {-}\mathsf {UF}\text {-}\mathsf {CMA}\) secure under the \(\mathsf {MLWE}_{q,k,\ell ,\eta }\) assumption.

Proof

Suppose we are given \(\mathcal {A}\) that breaks \(\mathsf {DS}_3\) with advantage \(\mathbf {Adv}^{\mathsf {DS}\text {-}\mathsf {UF}\text {-}\mathsf {CMA}}_{\mathsf {DS}_3}(\mathcal {A})\). Without loss of generality we assume that \(P_n\) is an honest party. Our first goal is to construct an algorithm \(\mathcal {B}\) around \(\mathcal {A}\) that simulates the behavior of \(P_n\) without using honestly generated key pairs. In Fig. 17 we present the resulting oracle simulator \(\mathsf {Sim}\mathsf {Sign}_n\), which is eventually invoked by \(\mathcal {B}\). The simulation of key generation is done just as in the proof for \(\mathsf {DS}_2\) (see Fig. 11). Below we discuss how these simulators are derived via several intermediate hybrid games.

\({\mathbf {G}}_{0}\):

Random Oracle simulation. The random oracles \({\mathsf {H}}_0:\){0,1}\(^*\rightarrow C\), \({\mathsf {H}}_1:\){0,1}\(^*\rightarrow \){0,1}\(^{l_1}\), \({\mathsf {H}}_2:\){0,1}\(^*\rightarrow \){0,1}\(^{l_2}\), \({\mathsf {H}}_3:\){0,1}\(^*\rightarrow S_ ck \) and \({\mathsf {H}}_4:\){0,1}\(^*\rightarrow \){0,1}\(^{l_4}\) are simulated as follows.

  • \({\mathsf {H}}_i(x)\) The table \(\mathrm {HT}_i\) is initially empty. When queried with x, if \(\mathrm {HT}_i[x]\) is set then return \(\mathrm {HT}_i[x]\). Otherwise sample y from \({\mathsf {H}}_i\)’s image uniformly at random and return \(\mathrm {HT}_i[x]{:}{=}y\).

Honest party oracle simulation. In this game \(\mathcal {B}\) behaves exactly like a single honest party in \(\mathsf {DS}_3\); concretely, it simulates an oracle \({\mathcal {O}}_n^{\mathsf {DS}_3}\) (Fig. 3) which internally invokes instructions of \(\mathsf {Gen}_n\) and \(\mathsf {Sign}_n\) according to Fig. 6 and Fig. 16, respectively.

Forgery. When \(\mathcal {A}\) outputs a forgery \((\mu ^*, com ,\mathbf {z},r)\) at the end, \(\mathcal {B}\) first generates a commitment key \( ck \leftarrow {\mathsf {H}}_3(\mu ^*, pk )\), derives a challenge \(c\leftarrow {\mathsf {H}}_0( com ,\mu ^*, pk )\) and reconstructs \(\mathbf {w}={\bar{\mathbf {A}}}\mathbf {z}-c\mathbf {t}\). Then \(\mathcal {B}\) checks \(\mu ^*\notin Mset \) and the verification condition

$$\begin{aligned} \Vert \mathbf {z}\Vert _2\le B_n \quad \text {and}\quad \mathsf {Open}_ ck ( com ,r,\mathbf {w})=1. \end{aligned}$$

If the forgery verifies then \(\mathcal {B}\) outputs 1. Otherwise \(\mathcal {B}\) outputs 0. Let \(\Pr [{\mathbf {G}}_{i}]\) denote the probability that \(\mathcal {B}\) returns 1 in game \({\mathbf {G}}_{i}\). Then we have

$$\begin{aligned} \Pr [{\mathbf {G}}_{0}]=\mathbf {Adv}^{\mathsf {DS}\text {-}\mathsf {UF}\text {-}\mathsf {CMA}}_{\mathsf {DS}_3}(\mathcal {A}). \end{aligned}$$
\({\mathbf {G}}_{1}\):

In this game we modify \(\mathcal {B}\) from the prior game so that it first picks a random challenge \(c\leftarrow _\$C\) and computes its own signature share \(\mathbf {z}_n\) without interacting with the adversary. Then the oracle proceeds as in the previous game and sends out the hash commitment \(h_n\). Upon receiving \(h_1, \ldots ,h_{n-1}\), the oracle searches the hash table \(\mathrm {HT}_4\) to check whether the corresponding preimages \( com _1,\ldots , com _{n-1}\) exist. If they do, let \( com =\sum _{j} com _j\) and program the random oracle so that \(\mathrm {HT}_0[ com ,\mu , pk ]{:}{=}c\). Otherwise the simulation fails. Since \({\mathbf {G}}_{1}\) is identical to \({\mathbf {G}}_{0}\) from adversary \(\mathcal {A}\)’s point of view except at the \( bad \) events marked in Fig. 17, we have

$$\begin{aligned} |\Pr [{\mathbf {G}}_{1}] - \Pr [{\mathbf {G}}_{0}]|&\le \Pr [ bad _4] + \Pr [ bad _5] + \Pr [ bad _6] \\&\le \frac{(Q_h+nQ_s+1)^2}{2^{l_4+1}}+Q_s\left( \frac{Q_h+nQ_s}{2^\xi }+\frac{Q_h+Q_s}{2^\xi }+\frac{n}{2^{l_4}}\right) \end{aligned}$$

where \(\Pr [ bad _4]\) corresponds to the probability that at least one collision occurs during at most \(Q_h+nQ_s\) queries to \({\mathsf {H}}_4\) made by \(\mathcal {A}\) or \(\mathcal {B}\); \(\Pr [ bad _5]\) is the probability that programming the random oracle \({\mathsf {H}}_0\) fails at least once during \(Q_s\) trials due to either of two cases: 1) \({\mathsf {H}}_4( com _n)\) has been asked by \(\mathcal {A}\) during at most \(Q_h+nQ_s\) queries to \({\mathsf {H}}_4\) (and therefore \(\mathcal {A}\) knows \( com \) and could query \({\mathsf {H}}_0( com ,\mu , pk )\) deliberately), which could succeed with probability at most \(1/2^\xi \) for each query, or 2) \(\mathrm {HT}_0[ com ,\mu , pk ]\) has been set by \(\mathcal {A}\) or \(\mathcal {B}\) by chance during at most \(Q_h+Q_s\) prior queries to \({\mathsf {H}}_0\), which could happen with probability at most \((Q_h+Q_s)/2^\xi \); \(\Pr [ bad _6]\) is the probability that \(\mathcal {A}\) has predicted one of the \(n-1\) outputs of random oracle \({\mathsf {H}}_4\) without making a query to it, which could only happen with probability at most \(n/2^{l_4}\) for each sign query. We remark that the above probability bound is essentially a special case of the one given by [16].

\({\mathbf {G}}_{2}\):

In this game we modify \(\mathcal {B}\) from the prior game so that if \(\mathbf {z}_n\) gets rejected then it commits to some uniformly random vector \(\mathbf {w}_n\in R_q^{k}\) and sends out the hash of the corresponding commitment, \(h_n={\mathsf {H}}_4( com _n)\), where \( com _n\leftarrow \mathsf {Commit}_ ck (\mathbf {w}_n;r_n)\) and \(r_n\leftarrow _\$D(S_r)\). Note that the adversary cannot distinguish this simulated \( com _n\) from the real one due to the hiding property of the commitment. In other words, we have

$$\begin{aligned} |\Pr [{\mathbf {G}}_{2}] - \Pr [{\mathbf {G}}_{1}]| \le Q_s\cdot \epsilon _\text {hide} . \end{aligned}$$
\({\mathbf {G}}_{3}\):

In this game \(\mathcal {B}\) does not honestly generate \(\mathbf {z}_n\) anymore and instead simulates the rejection sampling as follows. With probability \(1-1/M\) (i.e., simulation of rejection), it generates commitment \( com _n\) to \(\mathbf {w}_n\leftarrow _\$R_q^{k}\) as before. Otherwise it samples \(\mathbf {z}_n\) from \(D_s^{\ell +k}\) and computes \(\mathbf {w}_n={\bar{\mathbf {A}}} \mathbf {z}_n-c\mathbf {t}_n\). The signature share \(\mathbf {z}_n\) generated this way is indistinguishable from the real one because of the special HVZK property of the underlying identification scheme. In other words, we can directly apply the result of Lemmas 3 and 4. Hence, we have

$$\begin{aligned} |\Pr [{\mathbf {G}}_{3}] - \Pr [{\mathbf {G}}_{2}]| \le Q_s\cdot \frac{2e^{-t^2/2}}{M}. \end{aligned}$$

At this point \(\mathcal {B}\) simulates the honest party’s behavior during signature generation by following \(\mathsf {Sim}\mathsf {Sign}_n\) in Fig. 17.

\({\mathbf {G}}_{4}\):

Now notice that the signing phase does not rely on the actual secret key share \(\mathbf {s}_n\) anymore. So the next step is to simulate the key generation phase without using \(\mathbf {s}_n\). This can be done just as in Fig. 11, used for the security proof of the two-round protocol, and hence

$$\begin{aligned} |\Pr [{\mathbf {G}}_{4}] - \Pr [{\mathbf {G}}_{3}]|&\le \mathbf {Adv}^{}_{\mathsf {MLWE}_{q,k,\ell ,\eta }} + \frac{(Q_h+1)Q_h}{2^{l_1+1}} + \frac{Q_h}{q^{k\ell N}} + \frac{n}{2^{l_1}} \\&\quad + \frac{(Q_h+1)Q_h}{2^{l_2+1}} + \frac{Q_h}{q^{kN}} + \frac{n}{2^{l_2}}. \end{aligned}$$

Now \(\mathcal {B}\) entirely simulates the behavior of the honest party by invoking \(\mathsf {Sim}\mathsf {Gen}_n\) (Fig. 11) and \(\mathsf {Sim}\mathsf {Sign}_n\) (Fig. 17), neither of which relies on the secret key share \(\mathbf {s}_n\). We now bound \(\Pr [{\mathbf {G}}_{4}]\) from above. We first argue that the following probability is negligible.

$$\begin{aligned}&\underset{\mathbf {A}\leftarrow _\$R_q^{k\times \ell },\mathbf {t}\leftarrow _\$R_q^k, ck \leftarrow _\$S_ ck }{\Pr }\left[ \exists ( com , c, \mathbf {z}, r, c',\mathbf {z}',r'): \begin{array}{ll} &{}c\ne c' \wedge \Vert \mathbf {z}\Vert _2\le B_n \wedge \Vert \mathbf {z}'\Vert _2\le B_n \\ \wedge &{}\mathsf {Open}_ ck ( com ,r,{\bar{\mathbf {A}}}\mathbf {z}-c\mathbf {t})\\ =&{}\mathsf {Open}_ ck ( com ,r',{\bar{\mathbf {A}}}\mathbf {z}'-c'\mathbf {t})=1 \\ \end{array} \right] \end{aligned}$$
(2)

Case 1: \({\bar{\mathbf {A}}}\mathbf {z}-c\mathbf {t}\ne {\bar{\mathbf {A}}}\mathbf {z}'-c'\mathbf {t}\). In this case, (2) is bounded by the probability, over the random choice of \( ck \), that there exists some commitment having two openings, which is bounded by a negligible \(\epsilon _\text {ubind}\) if the commitment key is uniform (so that \( ck \leftarrow _\$S_ ck \) can be regarded as if it were generated by \(\mathsf {CGen}\)) and unconditional binding holds (see Definition 4).

Case 2: \({\bar{\mathbf {A}}}\mathbf {z}-c\mathbf {t}={\bar{\mathbf {A}}}\mathbf {z}'-c'\mathbf {t}\). Let \(\mathbf {z}_1\in R_q^\ell ,\mathbf {z}_2\in R_q^k, \mathbf {z}_1'\in R_q^\ell , \mathbf {z}_2'\in R_q^k\) be such that \(\mathbf {z}=\begin{bmatrix}\mathbf {z}_1\\ \mathbf {z}_2\end{bmatrix}\) and \(\mathbf {z}'=\begin{bmatrix}\mathbf {z}_1'\\ \mathbf {z}_2'\end{bmatrix}\), we have

$$\begin{aligned} \mathbf {A}(\mathbf {z}_1-\mathbf {z}_1') + \mathbf {z}_2 - \mathbf {z}_2' = (c-c')\mathbf {t} \end{aligned}$$

where we used the fact that \({\bar{\mathbf {A}}}=[\mathbf {A}|\mathbf {I}]\). Hence, the probability (2) in this case is bounded by

$$\begin{aligned} 2 \cdot |\bar{C}|\cdot \frac{\left( 4 B_n+1\right) ^{(\ell +k)N}}{q^{kN}} \end{aligned}$$

by applying Lemma 6 with \({\bar{\mathbf {z}}}=\mathbf {z}-\mathbf {z}'\), \(\bar{c}=c-c'\), \(\beta =2 B_n\), and

$$\begin{aligned} \bar{C}=\{\bar{c}\in R : \bar{c}=c-c' \wedge c\in C \wedge c'\in C \wedge c\ne c'\}. \end{aligned}$$

If the event for (2) does not occur, then it means that for given \( com \in S_ com \) there exists at most one transcript that verifies. In that case \(\mathcal {A}\) has at most a 1/|C| chance of obtaining the correct challenge for each query to \({\mathsf {H}}_0\) with input \(( com , \mu ^*, pk )\) if \(\mu ^*\notin Mset \).

Since \(\mathcal {A}\) makes at most \(Q_h\) queries to \({\mathsf {H}}_0\) and \({\mathsf {H}}_3\) in total and \(\mathcal {B}\) makes a single query to \({\mathsf {H}}_0\) and \({\mathsf {H}}_3\) at the forgery phase, we have

$$\begin{aligned} \Pr [{\mathbf {G}}_{4}] \le (Q_h + 1) \left( \epsilon _\text {ubind}+ 2 \cdot |\bar{C}|\cdot \frac{\left( 4 B_n+1\right) ^{(\ell +k)N}}{q^{kN}} + \frac{1}{|C|}\right) . \end{aligned}$$

\(\square \)

The following lemma is a slightly modified version of Lemma 4.6 of [59]. The main difference is that we use the Euclidean norm instead of the \(\infty \)-norm.

Lemma 6

Let \(\beta \) be a positive integer less than \(\sqrt{q/2}\) and \(\bar{C}\) be a set of elements of \(R\setminus \{\mathbf {0}\}\) whose coefficients all have absolute value less than \(\sqrt{q/2}\). If \(q=5\mod 8\) then

$$\begin{aligned}&\underset{\mathbf {A}\leftarrow _\$R_q^{k\times \ell },\mathbf {t}\leftarrow _\$R_q^k}{\Pr }[\exists ({\bar{\mathbf {z}}}_1, {\bar{\mathbf {z}}}_2, \bar{c})\in R_q^\ell \times R_q^k \times \bar{C}: \mathbf {A}{\bar{\mathbf {z}}}_1 + {\bar{\mathbf {z}}}_2 \\&\quad = \bar{c}\mathbf {t} \wedge \Vert {\bar{\mathbf {z}}}\Vert _2\le \beta ]\le 2 \cdot |\bar{C}|\cdot \frac{(2\beta +1)^{(\ell +k)N}}{q^{kN}} \end{aligned}$$

where \({\bar{\mathbf {z}}}=\begin{bmatrix}{\bar{\mathbf {z}}}_1\\ {\bar{\mathbf {z}}}_2\end{bmatrix}\).

Proof

Case \({\bar{\mathbf {z}}}_1 = \mathbf {0}\). Since \(0< \Vert \bar{c}\Vert _\infty < \sqrt{q/2}\) and \(q=5 \mod 8\), Lemma 2.2 of Lyubashevsky and Seiler [65] guarantees that \(\bar{c}\) is invertible in \(R_q\). In this case the probability is upper-bounded by

$$\begin{aligned}&\underset{\mathbf {t}\leftarrow _\$R_q^k}{\Pr }[\exists ({\bar{\mathbf {z}}}_2, \bar{c})\in R_q^k\times \bar{C}: {\bar{\mathbf {z}}}_2 = \bar{c}\mathbf {t} \wedge \Vert {\bar{\mathbf {z}}}_2\Vert _2\le \beta ]\\&\quad =\underset{\mathbf {t}\leftarrow _\$R_q^k}{\Pr }[\exists ({\bar{\mathbf {z}}}_2, \bar{c})\in R_q^k\times \bar{C}: \bar{c}^{-1}{\bar{\mathbf {z}}}_2 = \mathbf {t} \wedge \Vert {\bar{\mathbf {z}}}_2\Vert _2\le \beta ]\\&\quad \le \sum _{{\bar{\mathbf {z}}}_2\in R_q^k, \bar{c}\in \bar{C}} \underset{\mathbf {t}\leftarrow _\$R_q^k}{\Pr }[\bar{c}^{-1}{\bar{\mathbf {z}}}_2 = \mathbf {t} \wedge \Vert {\bar{\mathbf {z}}}_2\Vert _2\le \beta ]\\&\quad \le \sum _{{\bar{\mathbf {z}}}_2\in R_q^k, \bar{c}\in \bar{C}} \underset{\mathbf {t}\leftarrow _\$R_q^k}{\Pr }[\bar{c}^{-1}{\bar{\mathbf {z}}}_2 = \mathbf {t} \wedge \Vert {\bar{\mathbf {z}}}_2\Vert _\infty \le \beta ]\\&\quad =|\bar{C}|\cdot \left( \frac{2\beta +1}{q}\right) ^{kN} \end{aligned}$$

Case \({\bar{\mathbf {z}}}_1 \ne \mathbf {0}\). Let \(\mathbf {a}\in R_q^k,\mathbf {A}'\in R_q^{k\times (\ell -1)}\) be such that \([\mathbf {a}|\mathbf {A}']=\mathbf {A}\) and \({\bar{z}}\in R_q,{\bar{\mathbf {z}}}_1'\in R_q^{\ell -1}\) be such that \(\begin{bmatrix}{\bar{z}}\\ {\bar{\mathbf {z}}}_1'\end{bmatrix}={\bar{\mathbf {z}}}_1\). Since \({\bar{\mathbf {z}}}_1\ne \mathbf {0}\), we may assume without loss of generality (by reordering the columns of \(\mathbf {A}\)) that its first entry \(\bar{z}\) is nonzero; then \(\bar{z}\) is invertible in \(R_q\) since \(\Vert \bar{z}\Vert _\infty \le \Vert \bar{z}\Vert _2\le \beta < \sqrt{q/2}\). Hence we obtain the following upper bound.

$$\begin{aligned}&\underset{\mathbf {A}\leftarrow _\$R_q^{k\times \ell },\mathbf {t}\leftarrow _\$R_q^k}{\Pr }[\exists ({\bar{\mathbf {z}}}_1, {\bar{\mathbf {z}}}_2, \bar{c})\in R_q^\ell \times R_q^k \times \bar{C}: \mathbf {A}{\bar{\mathbf {z}}}_1 + {\bar{\mathbf {z}}}_2 = \bar{c}\mathbf {t} \wedge \Vert {\bar{\mathbf {z}}}\Vert _2\le \beta ]\\&\quad =\underset{\mathbf {a}\leftarrow _\$R_q^k, \mathbf {A}'\leftarrow _\$R_q^{k\times (\ell -1)},\mathbf {t}\leftarrow _\$R_q^k}{\Pr }[\exists ({\bar{z}},{\bar{\mathbf {z}}}_1', {\bar{\mathbf {z}}}_2, \bar{c})\in R_q\times R_q^{\ell -1} \times R_q^k \times \bar{C}: {\bar{z}}\mathbf {a}+\mathbf {A}'{\bar{\mathbf {z}}}_1' + {\bar{\mathbf {z}}}_2 = \bar{c}\mathbf {t} \wedge \Vert {\bar{\mathbf {z}}}\Vert _2\le \beta ]\\&\quad =\underset{\mathbf {a}\leftarrow _\$R_q^k, \mathbf {A}'\leftarrow _\$R_q^{k\times (\ell -1)},\mathbf {t}\leftarrow _\$R_q^k}{\Pr }[\exists ({\bar{z}},{\bar{\mathbf {z}}}_1', {\bar{\mathbf {z}}}_2, \bar{c})\in R_q\times R_q^{\ell -1} \times R_q^k \times \bar{C}: \mathbf {a} = {\bar{z}}^{-1}(\bar{c}\mathbf {t}-\mathbf {A}'{\bar{\mathbf {z}}}_1' - {\bar{\mathbf {z}}}_2) \wedge \Vert {\bar{\mathbf {z}}}\Vert _2\le \beta ]\\&\quad \le \sum _{{\bar{\mathbf {z}}}_1\in R_q^\ell \setminus \{\mathbf {0}\}, {\bar{\mathbf {z}}}_2\in R_q^k, \bar{c}\in \bar{C}}\Pr [\mathbf {a} = {\bar{z}}^{-1}(\bar{c}\mathbf {t}-\mathbf {A}'{\bar{\mathbf {z}}}_1' - {\bar{\mathbf {z}}}_2) \wedge \Vert {\bar{\mathbf {z}}}\Vert _2\le \beta ]\\&\quad \le \sum _{{\bar{\mathbf {z}}}_1\in R_q^\ell \setminus \{\mathbf {0}\}, {\bar{\mathbf {z}}}_2\in R_q^k, \bar{c}\in \bar{C}}\Pr [\mathbf {a} = {\bar{z}}^{-1}(\bar{c}\mathbf {t}-\mathbf {A}'{\bar{\mathbf {z}}}_1' - {\bar{\mathbf {z}}}_2) \wedge \Vert {\bar{\mathbf {z}}}\Vert _\infty \le \beta ]\\&\quad \le |\bar{C}|\cdot \frac{(2\beta +1)^{(\ell +k)N}}{q^{kN}} \end{aligned}$$

Putting the two cases together we obtain the result. \(\square \)
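As an added numerical sanity check of Lemma 6 (not part of the paper), the following Python computes the probability in the lemma exactly for a toy module over \(\mathbb {Z}_q\) (ring degree \(N=1\)) by enumerating every \((\mathbf {A},\mathbf {t})\). It uses the same reasoning as the proof: because every \(\bar{c}\in \bar{C}\) is invertible modulo q, the bad \(\mathbf {t}\) for a fixed \(\mathbf {A}\) are exactly \(\bar{c}^{-1}(\mathbf {A}{\bar{\mathbf {z}}}_1+{\bar{\mathbf {z}}}_2)\) for short \(({\bar{\mathbf {z}}}_1,{\bar{\mathbf {z}}}_2)\). The parameters \(q=101\), \(k=2\), \(\ell =1\), \(\beta =2\) and \(\bar{C}=\{\pm 1,\pm 2\}\) are assumptions chosen so that enumeration finishes in seconds; they satisfy the lemma’s hypotheses (\(q=5\mod 8\), \(\beta ,\Vert \bar{c}\Vert _\infty <\sqrt{q/2}\approx 7.1\)). At the paper’s parameters enumeration is of course infeasible and only the bound is available; note also that with \(k=\ell =1\) the same bound exceeds 1 and says nothing, which is why \(q^{kN}\) must dwarf \((2\beta +1)^{(\ell +k)N}\).

```python
import itertools

# Toy parameters (assumptions): R_q = Z_q, q = 101 = 5 mod 8, k = 2, l = 1, beta = 2.
Q, K, L, BETA = 101, 2, 1, 2
C_BAR = (1, -1, 2, -2)        # all |c_bar| < sqrt(q/2), hence invertible mod q

def short_vectors(dim, beta):
    """All integer vectors of the given dimension with Euclidean norm <= beta."""
    return [v for v in itertools.product(range(-beta, beta + 1), repeat=dim)
            if sum(a * a for a in v) <= beta * beta]

def lemma6_bound(q, k, l, beta, c_bar, n=1):
    """Right-hand side of Lemma 6: 2 |C_bar| (2 beta + 1)^{(l+k)N} / q^{kN}."""
    return 2 * len(c_bar) * (2 * beta + 1) ** ((l + k) * n) / q ** (k * n)

def exact_probability():
    """Pr over uniform (A, t) that some (z1, z2, c_bar) with ||(z1, z2)||_2 <= beta
    satisfies A z1 + z2 = c_bar t mod q, computed by exhaustive enumeration."""
    shorts = short_vectors(L + K, BETA)
    inv = {c: pow(c, -1, Q) for c in C_BAR}
    bad_pairs = 0
    for flat in itertools.product(range(Q), repeat=K * L):   # every A in Z_q^{K x L}
        A = [flat[i * L:(i + 1) * L] for i in range(K)]
        # S_A = { A z1 + z2 mod q : (z1, z2) short } are the only values c_bar t can take
        images = set()
        for z in shorts:
            z1, z2 = z[:L], z[L:]
            images.add(tuple((sum(a * b for a, b in zip(row, z1)) + zi) % Q
                             for row, zi in zip(A, z2)))
        # t is bad iff c_bar t in S_A for some c_bar, i.e. t = c_bar^{-1} s with s in S_A
        bad_t = {tuple(inv[c] * s % Q for s in img) for c in C_BAR for img in images}
        bad_pairs += len(bad_t)
    return bad_pairs / Q ** (K * L + K)
```

Running `exact_probability()` and comparing it with `lemma6_bound(Q, K, L, BETA, C_BAR)` shows the exact value sitting below the bound; since \({\bar{\mathbf {z}}}=\mathbf {0}\) always satisfies the relation with \(\mathbf {t}=\mathbf {0}\), the exact value is also at least \(1/q^{k}\).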


Cite this article

Damgård, I., Orlandi, C., Takahashi, A. et al. Two-Round n-out-of-n and Multi-Signatures and Trapdoor Commitment from Lattices. J Cryptol 35, 14 (2022). https://doi.org/10.1007/s00145-022-09425-3
