Two-Round n-out-of-n and Multi-Signatures and Trapdoor Commitment from Lattices

Although they have been studied for a long time, distributed signature protocols have garnered renewed interest in recent years in view of novel applications to topics like blockchains. Most recent works have focused on distributed versions of ECDSA and of variants of Schnorr signatures, however; in particular, little attention has been given to constructions based on post-quantum secure assumptions like the hardness of lattice problems. A few lattice-based threshold signature and multi-signature schemes have been proposed in the literature, but they either rely on hash-and-sign lattice signatures (which tend to be comparatively inefficient), use expensive generic transformations, or only come with incomplete security proofs. In this paper, we construct several lattice-based distributed signing protocols with low round complexity following the Fiat–Shamir with Aborts paradigm of Lyubashevsky (Asiacrypt 2009). Our protocols can be seen as distributed variants of the fast Dilithium-G signature scheme. A key step to achieve security (unexplained in some earlier papers) is to prevent the leakage that can occur when parties abort after their first message, which can inevitably happen in the Fiat–Shamir with Aborts setting. We manage to do so using lattice-based homomorphic commitments as constructed by Baum et al. (SCN 2018). We first propose a three-round n-out-of-n signature from Module-LWE with a full security proof using ideas from lossy identification schemes. Then, we further reduce the complexity to two rounds, at the cost of relying on Module-SIS as an additional assumption, with a larger security loss due to the forking lemma, and requiring somewhat more expensive trapdoor commitments. The construction of suitable trapdoor commitments from lattices is a side contribution of this paper. Finally, we also obtain a two-round multi-signature scheme as a variant of our two-round n-out-of-n protocol.

[1] Léo Ducas, et al. Improved Short Lattice Signatures in the Standard Model, 2014, CRYPTO.

[2] Ian Goldberg, et al. FROST: Flexible Round-Optimized Schnorr Threshold Signatures, 2020, IACR Cryptol. ePrint Arch.

[3] Yi-Fan Tseng, et al. Identity-Based Blind Multisignature From Lattices, 2019, IEEE Access.

[4] Zekeriya Erkin, et al. Post-Quantum Adaptor Signatures and Payment Channel Networks, 2020, IACR Cryptol. ePrint Arch.

[5] Mehdi Tibouchi, et al. Tightly Secure Signatures From Lossy Identification Schemes, 2015, Journal of Cryptology.

[6] Robert H. Deng, et al. Efficient discrete logarithm based multi-signature scheme in the plain public key model, 2010, Des. Codes Cryptogr.

[7] Vadim Lyubashevsky, et al. Short, Invertible Elements in Partially Splitting Cyclotomic Rings and Applications to Lattice-Based Zero-Knowledge Proofs, 2018, EUROCRYPT.

[8] Ran Canetti, et al. UC Non-Interactive, Proactive, Threshold ECDSA, 2020, IACR Cryptol. ePrint Arch.

[9] Chris Peikert, et al. How to Share a Lattice Trapdoor: Threshold Protocols for Signatures and (H)IBE, 2013, ACNS.

[10] Tim Güneysu, et al. Practical Lattice-Based Cryptography: A Signature Scheme for Embedded Systems, 2012, CHES.

[11] David Cash, et al. Bonsai Trees, or How to Delegate a Lattice Basis, 2010, Journal of Cryptology.

[12] Rafael Pass, et al. On Deniability in the Common Reference String and Random Oracle Model, 2003, CRYPTO.

[13] Daniel Wichs, et al. Leveled Fully Homomorphic Signatures from Standard Lattices, 2015, IACR Cryptol. ePrint Arch.

[14] Rosario Gennaro, et al. Fast Multiparty Threshold ECDSA with Fast Trustless Setup, 2018, CCS.

[15] Douglas R. Stinson, et al. Provably Secure Distributed Schnorr Signatures and a (t, n) Threshold Scheme for Implicit Certificates, 2001, ACISP.

[16] David Wolinsky, et al. Keeping Authorities "Honest or Bust" with Decentralized Witness Cosigning, 2015, 2016 IEEE Symposium on Security and Privacy (SP).

[17] Rafail Ostrovsky, et al. Four-Round Concurrent Non-Malleable Commitments from One-Way Functions, 2016.

[18] Antoine Joux, et al. New Generic Algorithms for Hard Knapsacks, 2010, EUROCRYPT.

[19] Nigel P. Smart, et al. Sharing the LUOV: Threshold Post-Quantum Signatures, 2019, IACR Cryptol. ePrint Arch.

[20] Masayuki Fukumitsu, et al. A Tightly-Secure Lattice-Based Multisignature, 2019, APKC@AsiaCCS.

[21] Abhi Shelat, et al. Threshold ECDSA from ECDSA Assumptions: The Multiparty Case, 2019, 2019 IEEE Symposium on Security and Privacy (SP).

[22] Eike Kiltz, et al. A Concrete Treatment of Fiat-Shamir Signatures in the Quantum Random-Oracle Model, 2018, IACR Cryptol. ePrint Arch.

[23] Vadim Lyubashevsky, et al. Algebraic Techniques for Short(er) Exact Lattice-Based Zero-Knowledge Proofs, 2019, IACR Cryptol. ePrint Arch.

[24] Jacques Stern, et al. Security Proofs for Signature Schemes, 1996, EUROCRYPT.

[25] Pierre-Louis Cayrel, et al. A Lattice-Based Threshold Ring Signature Scheme, 2010, LATINCRYPT.

[26] Yehuda Lindell, et al. Fast Secure Multiparty ECDSA with Practical Distributed Key Generation and Applications to Cryptocurrency Custody, 2018, CCS.

[27] Ivan Visconti, et al. Improved OR Composition of Sigma-Protocols, 2016, IACR Cryptol. ePrint Arch.

[28] Julien Schrek, et al. Improved Lattice-Based Threshold Ring Signature Scheme, 2013, PQCrypto.

[29] Yannick Seurin, et al. Simple Schnorr multi-signatures with applications to Bitcoin, 2019, Designs, Codes and Cryptography.

[30] David A. Wagner, et al. A Generalized Birthday Problem, 2002, CRYPTO.

[31] Mihir Bellare, et al. Multi-signatures in the plain public-Key model and a general forking lemma, 2006, CCS '06.

[32] Brent Waters, et al. Homomorphic Encryption from Learning with Errors: Conceptually-Simpler, Asymptotically-Faster, Attribute-Based, 2013, CRYPTO.

[33] Mihir Bellare, et al. Separate Your Domains: NIST PQC KEMs, Oracle Cloning and Read-Only Indifferentiability, 2020, IACR Cryptol. ePrint Arch.

[34] Rafail Ostrovsky, et al. Delayed-Input Non-Malleable Zero Knowledge and Multi-Party Coin Tossing in Four Rounds, 2017, IACR Cryptol. ePrint Arch.

[35] Craig Gentry, et al. Trapdoors for hard lattices and new cryptographic constructions, 2008, IACR Cryptol. ePrint Arch.

[36] Eike Kiltz, et al. On the Security of Two-Round Multi-Signatures, 2019, 2019 IEEE Symposium on Security and Privacy (SP).

[37] Huaxiong Wang, et al. Zero-Knowledge Elementary Databases with More Expressive Queries, 2019, Public Key Cryptography.

[38] Dan Boneh, et al. Threshold Cryptosystems From Threshold Fully Homomorphic Encryption, 2018, IACR Cryptol. ePrint Arch.

[39] Berk Sunar, et al. MMSAT: A Scheme for Multimessage Multiuser Signature Aggregation, 2020, IACR Cryptol. ePrint Arch.

[40] Léo Ducas, et al. Lattice Signatures and Bimodal Gaussians, 2013, IACR Cryptol. ePrint Arch.

[41] Serge Fehr, et al. Adaptively Secure Feldman VSS and Applications to Universally-Composable Threshold Cryptography, 2004, CRYPTO.

[42] Torben P. Pedersen. Non-Interactive and Information-Theoretic Secure Verifiable Secret Sharing, 1991, CRYPTO.

[43] Ratna Dutta, et al. Round Optimal Secure Multisignature Schemes from Lattice with Public Key Aggregation and Signature Compression, 2020, AFRICACRYPT.

[44] Man Ho Au, et al. Efficient Lattice-Based Zero-Knowledge Arguments with Standard Soundness: Construction and Applications, 2019, IACR Cryptol. ePrint Arch.

[45] Fabien Laguillaumie, et al. Bandwidth-efficient threshold EC-DSA, 2020, IACR Cryptol. ePrint Arch.

[46] Ivan Damgård, et al. Efficient Concurrent Zero-Knowledge in the Auxiliary String Model, 2000, EUROCRYPT.

[47] Taraneh Eghlidos, et al. An efficient and secure ID-based multi-proxy multi-signature scheme based on lattice, 2019, IACR Cryptol. ePrint Arch.

[48] Rosario Gennaro, et al. One Round Threshold ECDSA with Identifiable Abort, 2020, IACR Cryptol. ePrint Arch.

[49] Fabien Laguillaumie, et al. Two-Party ECDSA from Hash Proof Systems and Efficient Instantiations, 2019, IACR Cryptol. ePrint Arch.

[50] Rachid El Bansarkhani, et al. An Efficient Lattice-Based Multisignature Scheme with Applications to Bitcoins, 2016, CANS.

[51] Vadim Lyubashevsky, et al. Fiat-Shamir with Aborts: Applications to Lattice and Factoring-Based Signatures, 2009, ASIACRYPT.

[53] Dongxi Liu, et al. Lattice-based Zero-Knowledge Proofs: New Techniques for Shorter and Faster Constructions and Applications, 2019, IACR Cryptol. ePrint Arch.

[54] C. P. Schnorr, et al. Efficient Identification and Signatures for Smart Cards (Abstract), 1989, EUROCRYPT.

[55] Michael K. Reiter, et al. Two-party generation of DSA signatures, 2001, International Journal of Information Security.

[56] David Mazières, et al. Proactive Two-Party Signatures for User Authentication, 2003, NDSS.

[57] Chris Peikert, et al. A Toolkit for Ring-LWE Cryptography, 2013, IACR Cryptol. ePrint Arch.

[58] Abhi Shelat, et al. Secure Two-party Threshold ECDSA from ECDSA Assumptions, 2018, 2018 IEEE Symposium on Security and Privacy (SP).

[59] Ngoc Khanh Nguyen. On the Non-Existence of Short Vectors in Random Module Lattices, 2019, IACR Cryptol. ePrint Arch.

[60] Jung Hee Cheon, et al. Multisignatures secure under the discrete logarithm assumption and a generalized forking lemma, 2008, CCS.

[61] Chris Peikert, et al. Trapdoors for Lattices: Simpler, Tighter, Faster, Smaller, 2012, IACR Cryptol. ePrint Arch.

[62] Ivan Damgård, et al. More Efficient Commitments from Structured Lattice Assumptions, 2018, SCN.

[63] Ivan Damgård, et al. Fast Threshold ECDSA with Honest Majority, 2020, IACR Cryptol. ePrint Arch.

[64] Mehdi Tibouchi, et al. GALACTICS: Gaussian Sampling for Lattice-Based Constant-Time Implementation of Cryptographic Signatures, Revisited, 2019, IACR Cryptol. ePrint Arch.

[65] Stephan Krenn, et al. Efficient Zero-Knowledge Proofs for Commitments from Learning with Errors over Rings, 2015, ESORICS.

[66] Chris Peikert, et al. Hardness of SIS and LWE with Small Parameters, 2013, CRYPTO.

[67] M. Robshaw, et al. Faster Gaussian Sampling for Trapdoor Lattices with Arbitrary Modulus, 2018, IACR Cryptol. ePrint Arch.

[68] Yehuda Lindell, et al. Fast Secure Two-Party ECDSA Signing, 2017, Journal of Cryptology.

[69] Mihir Bellare, et al. Random oracles are practical: a paradigm for designing efficient protocols, 1993, CCS '93.

[70] Hugo Krawczyk, et al. Secure Distributed Key Generation for Discrete-Log Based Cryptosystems, 1999, Journal of Cryptology.

[71] Damien Stehlé, et al. CRYSTALS - Dilithium: Digital Signatures from Module Lattices, 2017, IACR Cryptol. ePrint Arch.

[72] Adam Gagol, et al. Threshold ECDSA for Decentralized Asset Custody, 2020, IACR Cryptol. ePrint Arch.

[73] Vadim Lyubashevsky, et al. Lattice Signatures Without Trapdoors, 2012, IACR Cryptol. ePrint Arch.

[74] Arvind Narayanan, et al. Threshold-Optimal DSA/ECDSA Signatures and an Application to Bitcoin Wallet Security, 2016, ACNS.

[75] Yannick Seurin, et al. MuSig-DN: Schnorr Multi-Signatures with Verifiably Deterministic Nonces, 2020, IACR Cryptol. ePrint Arch.

[76] Vadim Lyubashevsky, et al. Lattice-Based Group Signatures and Zero-Knowledge Proofs of Automorphism Stability, 2018, IACR Cryptol. ePrint Arch.

[77] Mehdi Tibouchi, et al. Masking the GLP Lattice-Based Signature Scheme at Any Order, 2018, EUROCRYPT.

[78] Marcel Keller, et al. Securing DNSSEC Keys via Threshold ECDSA From Generic MPC, 2020, IACR Cryptol. ePrint Arch.

[79] Silvio Micali, et al. Accountable-subgroup multisignatures: extended abstract, 2001, CCS '01.

[80] Dongxi Liu, et al. Short Lattice-based One-out-of-Many Proofs and Applications to Ring Signatures, 2019, IACR Cryptol. ePrint Arch.

[81] Jan Camenisch, et al. Better Zero-Knowledge Proofs for Lattice Encryption and Their Application to Group Signatures, 2014, ASIACRYPT.

[82] Changshe Ma, et al. Practical Lattice-Based Multisignature Schemes for Blockchains, 2019, IEEE Access.