International Association for Cryptologic Research

International Association
for Cryptologic Research

IACR News item: 15 September 2020

Ivan Damgård, Claudio Orlandi, Akira Takahashi, Mehdi Tibouchi
ePrint Report ePrint Report
Although they have been studied for a long time, distributed signature protocols have garnered renewed interest in recent years in view of novel applications to topics like blockchains. Most recent works have focused on distributed versions of ECDSA and over variants of Schnorr signatures, however, and in particular, little attention has been given to constructions based on post-quantum secure assumptions like the hardness of lattice problems. A few lattice-based threshold signature and multi-signature schemes have been proposed in the literature, but they either rely on hash-and-sign lattice signatures (which tend to be comparatively inefficient), use expensive generic transformations, or contain subtle issues in their security proofs.

In this paper, we construct several lattice-based distributed signing protocols with low round complexity following the Fiat--Shamir with Aborts paradigm of Lyubashevsky (Asiacrypt 2009). Our protocols can be seen as distributed variants of the fast Dilithium-G signature scheme. A key step to achieve security (overlooked in some earlier papers) is to prevent the leakage that can occur when parties abort after their first message---which can inevitably happen in the Fiat--Shamir with Aborts setting. We manage to do so using lattice-based homomorphic commitments as constructed by Baum et al. (SCN 2018).

We first propose a three-round $n$-out-of-$n$ signature from Module-LWE with tight security (using ideas from lossy identification schemes). Then, we further reduce the complexity to two rounds, at the cost of relying on Module-SIS as an additional assumption, losing tightness due to the forking lemma, and requiring somewhat more expensive trapdoor commitments. The construction of suitable trapdoor commitments from lattices is a side contribution of this paper. Finally, we also obtain a two-round multi-signature scheme as a variant of our two-round $n$-out-of-$n$ protocol.

Additional news items may be found on the IACR news page.