Figures
Abstract
In 2009, Lyubashevsky proposed a lattice-based signature scheme using the Schnorr-like identification and the Fiat-Shamir heuristic and proved its security under the collision resistance of a generalized compact knapsack function. However, their security analysis requires the witness indistinguishability property, leading to significant inefficiency and an increase of sizes of public key and signature. To overcome the efficiency issue associated with the WI property, we introduce a new lattice-based assumption, called the target-modified one-wayness problem of the GCK function and show its reduction to well-known lattice-based problems. Additionally, we present a simple and efficient GCK-based signature scheme, GCKSign, whose security is based on the Module GCK-TMO problem in the random oracle model. GCKSign is a natural extension of Lyubashevsky’s scheme in a module setting, but achieves considerable efficiency gains due to eliminating the witness indistinguishability property. As a result, GCKSign achieves approximately 3.4 times shorter signature size and 2.4 times shorter public key size at the same security level.
Citation: Woo J, Lee K, Park JH (2024) GCKSign: Simple and efficient signatures from generalized compact knapsack problems. PLoS ONE 19(9): e0310708. https://doi.org/10.1371/journal.pone.0310708
Editor: Je Sen Teh, Deakin University, AUSTRALIA
Received: January 16, 2024; Accepted: September 5, 2024; Published: September 23, 2024
Copyright: © 2024 Woo et al. This is an open access article distributed under the terms of the Creative Commons Attribution License, which permits unrestricted use, distribution, and reproduction in any medium, provided the original author and source are credited.
Data Availability: All relevant data are within the manuscript.
Funding: “This work was supported in part by Military Crypto Research Center (UD210027XD) funded by Defense Acquisition Program Administration (DAPA) and Agency for Defense Development (ADD) and in part by Institute of Information & communications Technology Planning & Evaluation (IITP) grant funded by the Korea government (MSIT) under Grant 2021-0-00518, Block chain privacy preserving techniques based on data encryption. The funders had no role in study design, data collection and analysis, decision to publish, or preparation of the manuscript.”
Competing interests: The authors have declared that no competing interests exist.
1 Introduction
The generalized compact knapsack (GCK) function [1] is defined with a ring-Short Integer Solution (SIS) instance over a polynomial-based ring Rn,q for some modulus q. Specifically, for a random ring-SIS instance , the GCK function is computed as for a domain element with short coefficients. In 2002, Micciancio [1] showed that the function Fa is one-way, assuming the worst-case hardness of some shortest independent vector problems (SIVP) on cyclic lattices in a ring. Furthermore, in 2006, researchers [2, 3] proved that the GCK function Fa is collision-resistant, assuming the worst-case hardness of some shortest vector problems (SVP) for ideal lattices in a ring. Additionally, the GCK function has the linearity property, which states that Fa(c1x1 + c2x2) = c1Fa(x1) + c2Fa(x2) for any ring elements c1, c2 ∈ Rn,q and any domain elements .
Based on the aforementioned properties of the GCK function, Lyubashevsky [4] proposed a GCK-based signature scheme in 2009, using the Schnorr-like identification protocol and the Fiat-Shamir transform [5]. The main idea of [4] is to set up a public key as (a, t = Fa(s)) and its corresponding signing key as s, where is a vector of short polynomials. The signing procedure begins by sampling a short vector (from a suitable distribution) and computing v = ay(= Fa(y)). The signer then computes c = H(v, μ), where H is a hash function and μ is a message, and z = y + sc. To ensure that the distribution of z is independent of the secret s, preventing any leakage of information about s, the signer employs a rejection rule on z. Following this rejection sampling, a signature (z, c) is generated only when z is sampled from the (predefined z’s) distribution centered at zero, rather than at sc. Subsequently, the verifier checks whether H(az − tc, μ) is equal to c, and z is sufficiently small.
Although the GCK-based signature proposed by Lyubashevsky has a similar structure with the previous Schnorr signature, their security proof employed in [4] relies on the concept of witness indistinguishability (WI). This notion is essential for proving the security of [4] under the assumption of collusion resistance of the GCK function. WI refers to the property that when choosing an alternative (or multiple) signing key s′ such that t = Fa(s) = Fa(s′), the signature (z = y + sc, c) is (statistically) indistinguishable from (z = y + s′c, c). In the security analysis, all signatures are simulated using s, but due to the WI property, the adversary cannot know the exact secret key s. Thus, with high probability, it is expected that the adversary succeeds in forging a signature with the other s′. In such a case, the rewinding technique [6] enables a reductionist to extract a pair of distinct inputs as a collision of Fa. Since breaking the collision resistance of the GCK function implies the ability to solve a ring-SIS problem, the security of the GCK-based signature scheme [4] eventually relies on the hardness of a ring-SIS problem.
However, the WI property results in a significant efficiency drawback in [4]. This stems from the fact that the public key t = Fa(s) and the corresponding secret key s are generated in such a way as to guarantee collisions in Fa. Specifically, s needs to be parametrized so that there exists another valid secret key s′ such that Fa(s) = Fa(s′). This requirement mandates that each coefficient of the secret key s be sampled from a relatively large range, for example, [−2047, 2047], resulting in large size of the signature (z, c). To overcome the efficiency issue associated with the WI property and the large bound on s, Lyubashevsky [7] presented an alternative proof technique based on the decisional ring-SIS problem, where t = Fa(s) with a small bound on s is indistinguishable from a uniformly random t in Rq. Consequently, a (real) GCK-based signature scheme is constructed using s with small coefficients, while a simulated signature scheme in the security proof is provided to the adversary using s′ with large coefficients. Although the WI property with a small bound on s enables a more efficient GCK-based signature scheme, no known quantum reduction exists from worst-case lattice problems to the decisional ring-SIS problem in ideal lattices [7].
Another approach to circumvent the WI property with large coefficients of s is to construct the public key t using the Learning with Errors (LWE) problem. In this approach, t is computed as t = Fa(s) + e, where e is a polynomial sampled from a narrow distribution. Based on the decisional ring-LWE problem, which is to distinguish between a ring-LWE instance and a uniformly random one, the security proof of a ring-LWE-based signature scheme can be established using a similar argument as that of the decisional ring-SIS problem. Importantly, this approach provides improved security against quantum adversaries because there is a reduction from worst-case lattice problems to the decisional ring-LWE problems [8]. Leveraging this idea, Güneysu et al. [9] proposed a ring-LWE-based signature scheme where a signature consists of three components (c, z1, z2), where z1 = y1 + cs and z2 = y2 + ce. Bai and Galbraith [10] reduced the signature size of [9] by omitting z2 and introducing a compression technique to compensate for the correctness error resulted from e. In 2018, Ducas et al. [11] proposed a signature scheme called Dilithium, which can be viewed as a generalization of [10] based on Module-LWE problems. Additionally, [11] presented a distinct proof technique that does not rely on the WI property used previously. They employed two signature forgeries (by rewinding an adversary) to directly solve a ring-SIS problem concerning (A||t||1) rather than (A||1). Many other signatures based on [4] were proposed [12, 13] recently and their security proof also follow the way of Dilithium.
1.1 Our contribution
From what has been shown so far, while significant progress has been made in creating efficient lattice-based signatures, the following question still arises:
Can we prove the security of GCK-based signature without using the WI property?
The goal of this paper is to give a positive answer to the above problem. To achieve this, we define a relaxed version of the one-wayness problem of the GCK function, called the target-modified one-wayness (TMO) problem. In essence, the TMO problem is to solve the one-wayness problem of the GCK function approximately rather than exactly: given and t = Fa(s) ∈ Rn,q for some , find short polynomials such that Fa(x) = ct. To provide confidence in the TMO problem, we show that the TMO problem is reduced to both the one-wayness and the collision-resistance problems of the GCK function.
Instead of proving the original GCK-based signature scheme [4], we present a more efficient GCK-based signature scheme called GCKSign, which is a natural extension of [4] to the Module-GCK function. We adopt a matrix form of and and define a Module-GCK function as . Similar to the TMO problem, we establish a Module GCK-TMO problem, and show its reduction to Module-SIS, LWE problems. Notably, we prove that GCKSign is secure in the random oracle model under the Module GCK-TMO problem without relying on the WI property. By eliminating this property, we achieve significant efficiency improvements. In detail, GCKSign achieves a signature size that is about 3.4 times shorter and a public-key size that is about 2.4 times shorter at the same security level, compared to [4]. In Section 5, we provide a concrete security and efficiency comparison between [4] and GCKSign.
2 Preliminaries
We begin by defining the syntax and security of digital signature. We also define two computational hardness problems related to the GCK function.
2.1 Notation
For a modulus , denotes a quotient group with respect to addition modulo q. Let Rn and Rn,q respectively be the rings and , where n is a power of two. Vectors with entries in Rn,q are denoted by bold lowercase letters, for example, where a1, …, am ∈ Rn,q for some positive integer m. denotes a subset of Rn,q, consisting of polynomials with coefficients of which only a fixed number of h is −1 and 1, and all other coefficients are zero. We notice that . For a positive integer x, R[−x,x] denotes a set of Rn,q, consisting of polynomials with coefficients between [−x, x]. The notation ‖⋅‖∞ refers to the infinity norm.
2.2 Digital signature
Definition 1. A digital signature (DS) scheme for a message space consists of three algorithms: , , and such that:
- KeyGen(λ): The key generation algorithm takes as input a security parameter λ and outputs a pair of keys (pk, sk). These keys are called the public key and the private key.
- Sign(sk, μ): The signing algorithm takes as input the private key sk and a message , and then outputs a signature σ.
- Verify(pk, μ, σ): The verification algorithm takes as input the public key pk, a message μ and a signature σ, and then outputs 1 if the signature is valid or 0 otherwise.
Definition 2 (Existential unforgeability). Let be a digital signature scheme. The existential unforgeability against chosen-message attacks (UF-CMA) is defined via the following experiment between a challenger and an adversary :
- runs the key generation algorithm to get (pk, sk) and gives pk to .
- queries a signing oracle with a message μ. Let denote the set of all queries that queried.
- Finally, outputs a signature σ* and a message μ*. returns 1 if (1) Verify(pk, μ*, σ*) = 1 and (2) , and otherwise returns 0 as the output of the game.
The advantage of for breaking the UF-CMA security of DS is defined as . We say that a DS scheme is UF-CMA secure if for any polynomial-time adversary , we have , where ϵ is a negligible function for the security parameter λ.
2.3 GCK hardness problems
Definition 3 (GCK Function [1]). For a ring Rn,q, a subset S ⊂ Rn,q, an integer m ≥ 1, and a randomly and independently chosen , the GCK function Fa: Sm → Rn,q is defined as follows: (1) for , where is computed using the ring multiplication and addition operations.
In this paper, we specify the subset S as S = R[−β,β] for some integer β.
Definition 4 (One-Wayness of GCK function [1]). A GCK function is one-way (OW) if for any probabilistic polynomial-time (PPT) algorithm , it is easy to compute, but computationally hard to invert the GCK function: given a pair (a, t = Fa(x)) for a randomly chosen and , find x in the domain such that Fa(x) = t. For integers , we define to be the advantage of an algorithm in solving the OW problem of a GCK function over the ring Rn,q.
Definition 5 (Collision-Resistance of GCK function [2, 3]). A GCK function is collision-resistant (CR) if for any probabilistic polynomial-time (PPT) algorithm , it is computationally hard to find a collision of a GCK function: given a randomly chosen , find distinct such that Fa(x) = Fa(x′). For integers , we define to be the advantage of an algorithm in solving the CR problem of a GCK function over the ring Rn,q.
3 Main results
3.1 GCK-TMO problem
Now, we define a new GCK-related problem, called TMO problem of the GCK function.
Definition 6 (Target-Modified One-wayness of GCK function). For integers , the TMO problem is defined as follows: given and t ∈ Rn,q, find and c ∈ Rn,q such that ‖c‖∞ ≤ α, ‖x‖∞ ≤ β satisfying (2)
The TMO problem is a modified OW problem of a GCK function, obtained by changing the original target t into a new ct. The important point is that c ∈ Rq should be short, meaning that ‖c‖∞ ≤ α for a small integer α, and can also be chosen by a solver as desired. Intuitively, the TMO problem becomes trivial if c is chosen freely in Rq, because for a short x such that ‖x‖∞ ≤ β, Fa(x) = t′ is firstly computed and then c is obtained via c = t′t−1 (if t−1 exists). Also, the OW problem of a GCK function can be viewed as a special case of the TMO problem by issuing (x, c = 1) as a solution. For integers , we define to be the advantage of an algorithm solving the TMO problem over the ring Rn,q.
3.1.1 Computational hardness of the TMO problem.
By deriving an upper bound on from the following reduction, we demonstrate that the TMO problem is at least as hard as the CR and OW problems of a GCK function. For our reduction, we require a special form of (n, q) that determines a ring , in order to guarantee that a short c ∈ Rq has an inverse. More precisely, we require that n and ρ are power-of-2 integers such that n ≥ ρ, and q is a prime such that q ≡ 2ρ + 1 (mod 4ρ). We then use the result [14, Corollary 1.2.] that, for any short c ∈ Rq such that , c has an inverse in Rq with probability 1.
Theorem 1. Let n and ρ be power-of-2 integers such that n ≥ ρ, and q is a prime such that q ≡ 2ρ + 1 (mod 4ρ). For integers satisfying , (2β + 1)mn ≫ qn and nαγ ≤ β, it holds that .
Proof. Suppose there is an algorithm that solves the TMO problem with advantage for any α such that . Recall that takes (a, t) as input and tries to find a pair (x, c) such that Fa(x) = ct, satisfying the condition that ‖c‖∞ ≤ α, ‖x‖∞ ≤ β. According to [14, Corollary 1.2.], any c ∈ Rn,q that satisfies has an inverse in Rn,q. Since α is less than , the short polynomial c always has an inverse in Rn,q. With (x, c) that outputs, we set z = xc−1 by considering c−1 as a scalar. Since the GCK function Fa is linear, we see that Fa(z) = Fa(xc−1) = c−1Fa(x) = c−1ct = t. For the integer satisfying γ ≤ β/nα, we consider two cases as follows:
Case 1: ‖xc−1‖∞ > γ.
Case 2: ‖xc−1‖∞ ≤ γ.
Obviously, ’s output (x, c) belongs to either case 1 or case 2. In case 1, we show that an algorithm uses to solve the CR problem of a GCK function. The assumption that (2β + 1)mn ≫ qn guarantees that it is presumably feasible to find a pair of collision with respect to any element in Rq. Given as input, does as follows:
- Choose a random .
- Compute .
- Run on input (a, t) and get (x, c) from .
- Compute x′ = cz′ and output (x, x′) as a solution.
For (x, x′) to be a solution of the CR problem, we need to show that Fa(x) = Fa(x′), ‖x‖∞ ≤ β, ‖x′‖∞ ≤ β, and x ≠ x′. First, since (x, c) is a solution for the TMO problem, it means that Fa(x) = ct. Also, we set t = Fa(z′) in step 2. By the linearity property of GCK function, it holds that ct = cFa(z′) = Fa(cz′) = Fa(x′). Thus, Fa(x) = ct = Fa(x′). Secondly, it holds that ‖x‖∞ ≤ β because x is the solution of the TMO problem, and also ‖x′‖∞ ≤ β because (1) γ ≤ β/nα (by assumption) and (2) ‖x′‖∞ ≤ n × ‖c‖∞ × ‖z′‖∞ ≤ nαγ ≤ β. Lastly, we can see that x ≠ x′. Note that in case 1 where z is computed as xc−1, we see that z ≠ z′ because of the fact that ‖z‖∞ > γ (in case 1) and ‖z′‖∞ ≤ γ (in step 1). This inequality means that xc−1 ≠ x′c−1, resulting in x ≠ x′.
Next, in case 2, we show that there is another algorithm that uses to solve the OW problem of a GCK function. Given (a, t) as input, does as follows:
- Run on input (a, t) and get (x, c) from .
- Output z = c−1x as a solution.
The reason why z is a solution for the OW problem is that it holds that Fa(z) = t and ‖z‖ ≤ γ by the condition of case 2.
As a result, the ability for to solve the TMO problem is transferred to that of solving the CR or OW problem of a GCK function. We see that and in case 2. This completes the proof.
3.1.2 Extension to module GCK-TMO problem.
The GCK function can be extended to a module setting where FA(x) = A x for and . Accordingly, the previous OW, CR, and TMO problems of GCK function can each be addressed with similarly defined problems in a module setting. In particular, we define a module version of TMO problem as below.
Definition 7 (Module GCK-TMO Problem). For integers , the Module GCK-TMO problem is defined as follows: given and , find such that ‖c‖∞ ≤ α, ‖x‖∞ ≤ β satisfying (3)
Similarly, we define to be the advantage of an algorithm solving the TMO problem of Module-GCK function over the ring Rn,q. With two newly defined advantages and (for some positive integer γ) regarding Module-GCK function, we can prove the following theorem.
Theorem 2. Let n and ρ be power-of-2 integers such that n ≥ ρ, and q is a prime such that q ≡ 2ρ + 1 (mod 4ρ). For integers satisfying , (2β + 1)nℓ ≫ qnk and nαγ ≤ β, it holds that .
The proof can be done by the same argument as in the proof of Theorem 1 so we omit the proof in this paper.
3.2 Proposed GCKSign scheme
3.2.1 Construction.
For the security parameter λ, GCKSign generates the public parameters, params, as follows: choose an integer n such that n = 2a for an integer (indeed, we set n = 256 for all parameter sets), and choose a prime modulus q and positive integers k, ℓ, B, h, Ls and η. Then, params is given by (n, q, k, ℓ, B, h, Ls, η). Also, GCKSign requires a hash functions and an encoding function . It is assumed that params and two functions (H, Encode) are used for all algorithms in GCKSign.
The key generation, signing, and verification algorithms of GCKSign are described as follows:
KeyGen. This algorithm first chooses random 256-bit seeds seedA and seeds. It samples public polynomials A uniformly at random over by expanding seedA and secret polynomials s1, …, sℓ uniformly at random over R[−η,η] by expanding seeds. Next, it computes a polynomial t = FA(s) = A ⋅ s). Finally, it outputs a public key pk = (t, seedA) and a secret key sk = (s, seedA).
Algorithm 1: KeyGen
Input :security parameter λ
Output: public key pk = (t, seedA), and secret key sk = (s, seedA)
1 seedA, seeds ← {0, 1}256;
2 ;
3 ;
4 ;
5 pk ← (t, seedA);
6 sk ← (s, seedA);
7 return (pk, sk);
Sign. This algorithms first regenerates the public polynomials A from seedA. It chooses a random 256-bit seed seedy. It samples polynomials y uniformly at random over by using seedy. Next, it computes . It obtains by computing the hash function H(v, μ) together with the message μ. It obtains a sparse polynomial by running and computes z = y + c ⋅ s. If , then it goes to the step that samples y and repeats the subsequent steps. Finally, it outputs a signature .
Algorithm 2: Sign
Input : message μ, and secret key sk = (s, seedA)
Output: signature
1
2 seedy ← {0, 1}256;
3 ;
4 ;
5 ;
6 ;
7 z ← y + s ⋅ c;
8 if then
9 goto step 2;
10 end if
11 return ;
Verify. This algorithm first derives a polynomial c from in the signature. It regenerates the public polynomials A from the seed seedA. Next, it computes . The value v is used to compute the hash value H(v, μ) together with the message μ. It accepts the signature if the hash value matches the signature and .
Algorithm 3: Verify
Input : messasge μ, signature , and public key pk = (t, seedA)
Output: {1, 0} // accept or reject signature
1 ;
2 ;
3 ;
4 if then
5 return 0;
6 end if
7 return 1;
3.2.2 Correctness.
The way that GCKSign works is almost the same as Schnorr signature scheme, except for (1) rejection sampling in the Sign algorithm and (2) the usage of the encoding function. For a correctly generated , the first condition such that ‖z‖∞ < B − Ls holds, because it is the same as in the Sign algorithm, and the second condition is also guaranteed by the following equation (4)
3.3 Security proof
Theorem 3. Assume that ‖cs‖∞ ≤ Ls and H is modeled as a random oracle. GCKSign is UF-CMA secure in the random oracle model if the TMO problem of the Module-GCK function is hard. That is, for any PPT adversary with , making at most qh hash queries and at most qs signature queries, there exists a PPT algorithm that solves the TMO problem with , where (5)
Proof. In order to prove the security of GCKSign, we define a sequence of hybrid games G0, G1, G2, where G0 is the original UF-CMA security game defined in Chapter 2.2 and G2 is the final game in which the success probability of can be easily bounded by the hardness of the TMO problem. For each game Gi, we define an event δi where successfully outputs a forgery in the game Gi.
Game G0. In this game, a challenger runs the key generation algorithm to get (pk, sk) and gives pk to . Whenever asks a hash query (v, μ), gives the same answer to if the query has been asked before. If not, chooses a random and gives it to . Whenever asks a signature query μ, runs the signing algorithm to get a signature σ and gives to . Finally, outputs (μ*, σ*) with the condition that μ* was not queried. returns Verify(pk, μ*, σ*) as the output of the experiment. Thus, we get .
Game G1. G1 is the same as G0 except that the signing queries are replaced by the MidSign algorithm (see Algorithm 4 below). Since two games G0 and G1 are the same except that the random hash value is programmed before receiving the input (v, μ). can not tell if the signing oracle was answered by the Sign algorithm or the MidSign algorithm.
Algorithm 4: MidSign
Input : message μ, public key (A, t)
Output: signature
1 Choose y uniformly at random from ;
2 Choose uniformly at random;
3 Compute ;
4 Compute z = y + cs. If ‖z‖∞ > B − Ls, then
5 retry at step 1;
6 Compute v = Ay;
7 Re-program the hash oracle H(⋅) so that
8 ;
9 Return ;
Let inconsistency be the event that any is previously assigned to an input value (v, μ) queried by . This event occurs when v (computed by ) becomes one of values queried by , assuming that μ is the same message. Since and y is chosen uniformly at random from , the total number of v is (2B + 1)nℓ. For qh number of hash queries, the probability that any becomes one of queried v values is at most qh/(2B + 1)nℓ. Also, since issues at most qs number of signature queries, the probability that inconsistency happens is at most qhqs/(2B + 1)nℓ. Obviously, unless inconsistency happens, G1 is the same as G0. Thus, we see that |Pr[δ1] − Pr[δ0]| ≤ qhqs/(2B + 1)nℓ.
Game G2. G2 is the same as G1 except that the signature queries are replaced by the SimSign algorithm (see Algorithm 5 below). G2 is the same as G1 except the way that z and v are generated. Though is generated in G2 without using sk = s, it is infeasible for to differentiate between G1 and G2 because of the zero-knowledge property of the relevant identification protocol.
Algorithm 5: SimSign
Input : message μ, public key (A, t)
Output: signature
1 Choose z uniformly at random from ;
2 Choose uniformly at random;
3 Compute ;
4 Compute v = Az − ct;
5 Re-program the hash oracle H(⋅) so that
6 ;
7 Return ;
The remaining part is to check if can distinguish between the two distributions of in G1 and G2, especially in terms of v. In G1, v is computed as v = Ay for some , whereas in G2 v is computed as v = Az − ct for some . what needs to be checked here is that v = Az − ct in G2 can be expressed as v = Ar for some (unknown) . If so, the two distribution of in G1 and G2 are identical from the ’s point of view. To guarantee this, we can set r = z − cs for some (unknown) secret key such that t = As. Then, we see that Ar = A(z − cs) = Az − ct = v. Since ‖cs‖∞ ≤ Ls (by assumption) and ‖z‖∞ ≤ B − Ls (by choosing z), we get ‖r‖∞ ≤ ‖z‖∞ + ‖cs‖∞ ≤ B − Ls + Ls = B, which is the same distribution as G1. As a result, we have that Pr[δ2] = Pr[δ1].
We now apply the generalized forking lemma of Bellare and Neven [6] to G2. With the probability at least where Pr[δ2] = ϵ′, we obtain two signatures and for such that then simply sets x = z ‒ z′, , and outputs as the solution of the TMO problem, satisfying . We can check that ‖x‖∞ ≤ 2(B − Ls) and . Thus, we have that , which is further simplified as . This completes the proof.
3.4 Parameter settings
Table 1 presents several conditions necessary for choosing the parameters for GCKSign. The proof of Theorem 3 indicates that the TMO problem of the Module-GCK function is specified by the parameters as α = 2 and β = 2(B − Ls). Also, because the number of non-zero coefficients of c is h, for any , it holds that ‖cs‖∞ ≤ hη, allowing for setting Ls = hη. Based on these requirements, Table 2 proposes three sets of parameters for GCKSign. We set η = 1 as the bound for the secret key polynomial s, and set ρ = 8 for all parameter sets in order to choose q that meets the requirement (2) in Table 1.
3.5 Concrete security analysis
As shown above, the security of GCKSign relies on the TMO problem of Module-GCK function relative to . By Theorem 2, the security is further reduced to the CR and OW problems of Module-GCK function relative to and where γ is determined by the requirement (3) γ ≤ β/(nα) in Table 1. Also, we use the fact the CR problem of Module-GCK function is reduced to Module-SIS problem relative to , and (using the Hermite normal form) the OW problem of Module-GCK function is reduced to Module-LWE problem relative to . Strictly speaking, 4(B − Ls) is more correct than 2(B − Ls), but we follow the same analysis as Dilithium [11] to analyze the security of Module-SIS. Regarding the choice of γ, especially, γ can be chosen from any positive integer satisfying γ ≤ 2(B − Ls)/(28 × 2), but we set γ = 1 for the Module-LWE problem. This is because a smaller ratio of q/γ (i.e., modulus-to-noise) generally provides stronger concrete security against known lattice attacks [15], and thus decreasing γ is more advantageous for an adversary solving Module-LWE problem when q is fixed. Eventually, the concrete security of GCKSign is estimated by the best-known lattice attacks against Module- {SIS, LWE} problems relative to and , respectively. The existence of a solution with respect to γ = 1 is guaranteed by the key generation such that t = As with A ∈ Rk×ℓ and .
To analyze the concrete security of the above Module- {SIS, LWE} problems, we use the BKZ lattice reduction algorithm [16] as the best-known lattice attacks. There are a variety of approaches to measure the running time of BKZ [16–18]. In general, an SVP (Shortest Vector Problem) solver is the main building block of the BKZ algorithm. Regarding the number of SVP oracle calls that the BKZ algorithm makes, the Core-SVP model [18] assumes that an SVP oracle is required only once in a conservative model. The best known classical SVP solver runs in time ≈ 20.292×b and the best known quantum SVP solver runs in time ≈ 20.265×b. Therefore, we decide to adopt the BKZ cost model of 0.292b for the classical model and the BKZ cost model of 0.265b for the quantum model where b is the BKZ block size. Table 2 shows the concrete security level of GCKSign, according to each parameter set. To estimate the hardness of the parametrized Module- {SIS, LWE} problems, we make use of the SIS and LWE estimators in [11] that reflect the above-mentioned BKZ algorithm.
4 Discussion
4.1 Comparison
Table 3 presents the comparison between the two GCK-based signatures, [4] and GCKSign. In terms of security, [4] is based on the collision-resistance of GCK function, whereas GCKSign is based on the TMO problem of Module-GCK function. Because of the collision resistance in [4], their GCK function must be set to guarantee the WI property, which requires to satisfy the condition (at least) (2η + 1)nℓ ≥ qnk × 2128 for the coefficient bound η of a secret key polynomial. [4] sets η = 2047, which turns out to increase the sizes of public/secret keys and signatures. On the other hand, GCKSign removes the WI property by proving their security under the TMO problem of GCK function, and importantly is able to relax to the condition (at least) (2β + 1)nℓ ≥ qnk × 2128 for β = 2(B − Ls). Because of this relaxation, GCKSign can set much smaller values of q and η, and obtain a significant increase in efficiency compared to [4]. For instance, Table 3 shows that at the (almost) same 132-bit security level, the signature size of GCKSign is about 3.4 (≈ 14875/4384) times shorter and the public-key size of GCKSign is about 2.4 (≈ 6125/2528) times shorter, compared to [4].
However, the sizes of public key and signature of GCKSign are about 1.8 (≈ 2528/1312) times and 1.9 (≈ 4384/2420) times larger, compared to [11] at the (almost) same 132-bit security level. This is caused by the key recovery attack. An adversary may try to recover the secret key s from the public key pk = (A, t), where t = As in case of GCKSign. Because s is sampled from and η = 1, this amounts to solving the OW problem of Module-GCK function, which is reduced to the Module-LWE problem relative to , and the dimension is reduced to ℓ − k instead of ℓ itself. Therefore, We need to increase the dimension for our scheme by k to maintain the security level which the LWE-based signature sets like Dilithium [11], and this leads to increase of the sizes of public key and signature at the end.
4.2 Performance analysis
In Table 2, we evaluate the performance of our implementations on a 3.7GHz Intel Core i7-8700k running Ubuntu 20.04 LTS. The table shows the key generation, signing, and verification algorithms of our scheme. Our implementation codes are publicly available at https://github.com/KU-Cryptographic-Protocol-Lab/GCKS.
A polynomial multiplication is the most costly operation in implementing a cryptosystem. We choose the modulus q satisfying the condition q ≡ 2ρ + 1 mod 4ρ for some ρ|n to satisfy the security requirement. As a result, we can not use the “fully-splitting” NTT algorithm for the multiplication operation. Instead, we choose to follow the approach of [14], using “partially-splitting” NTT algorithm with a Karatsuba multiplication [19] and Toom-Cook polynomial multiplication method [20] to efficiently multiply in a partially-splitting ring.
5 Conclusion
In this paper, we have addressed the challenge of proving the security of GCK-based signature schemes without relying on the WI property. By introducing the TMO problem and showing its reduction to the one-wayness and collision-resistance problems of the GCK function, we have provided a solution to overcome the limitations imposed by the WI property in GCK-based signatures. Additionally, we have presented a more efficient GCK-based signature scheme, GCKSign, which extends the original scheme [4] by incorporating the Module-GCK function. Through the analysis of the Module GCK-TMO problem and its reduction to Module-{SIS, LWE} problems, we prove the security of GCKSign in the random oracle model without relying on the WI property.
One notable result of our work is the significant reduction in signature size and public key size compared to Lyubashevsky’s signature scheme [4]. GCKSign achieves approximately 3.4 times shorter signature size and 2.4 times shorter public key size at the same security level. This efficiency improvement directly stems from the elimination of the WI property.
Even though our scheme still has larger sizes than Dilithium [11], our findings not only contribute to the advancement of GCK-based signature scheme [4] but also provide insights into the design and analysis of cryptographic primitives based on structured lattice problems. The TMO problem introduces a novel perspective on approximate one-wayness, and its connections to existing hardness assumptions offer new avenues for future research. In future work, it would be interesting to explore the applicability of the TMO problem in other cryptographic protocols and settings.
References
- 1. Micciancio D. Generalized compact knapsacks, cyclic lattices, and efficient one-way functions. computational complexity. 2007;16(4):365–411.
- 2.
Lyubashevsky V, Micciancio D. Generalized compact knapsacks are collision resistant. In: International Colloquium on Automata, Languages, and Programming—ICALP 2006. Springer; 2006. p. 144–155.
- 3.
Peikert C, Rosen A. Efficient collision-resistant hashing from worst-case assumptions on cyclic lattices. In: Theory of Cryptography Conference—TCC 2006. Springer; 2006. p. 145–166.
- 4.
Lyubashevsky V. Fiat-Shamir with Aborts: Applications to Lattice and Factoring-Based Signatures. In: Advances in Cryptology—ASIACRYPT 2009. vol. 5912 of Lecture Notes in Computer Science. Springer; 2009. p. 598–616.
- 5.
Fiat A, Shamir A. How to Prove Yourself: Practical Solutions to Identification and Signature Problems. In: Advances in Cryptology—CRYPTO’86. vol. 263 of Lecture Notes in Computer Science. Springer; 1986. p. 186–194.
- 6.
Bellare M, Neven G. Multi-signatures in the plain public-Key model and a general forking lemma. In: ACM Conference on Computer and Communications Security—CCS 2006. ACM; 2006. p. 390–399.
- 7.
Lyubashevsky V. Lattice Signatures without Trapdoors. In: Advances in Cryptology—EUROCRYPT 2012. vol. 7237 of Lecture Notes in Computer Science. Springer; 2012. p. 738–755.
- 8.
Lyubashevsky V, Peikert C, Regev O. On Ideal Lattices and Learning with Errors over Rings. In: Advances in Cryptology—EUROCRYPT 2010, 29th Annual International Conference on the Theory and Applications of Cryptographic Techniques, Monaco / French Riviera, May 30—June 3, 2010. Proceedings. vol. 6110 of Lecture Notes in Computer Science. Springer; 2010. p. 1–23.
- 9.
Güneysu T, Lyubashevsky V, Pöppelmann T. Practical Lattice-Based Cryptography: A Signature Scheme for Embedded Systems. In: Cryptographic Hardware and Embedded Systems—CHES 2012. vol. 7428 of Lecture Notes in Computer Science. Springer; 2012. p. 530–547.
- 10.
Bai S, Galbraith SD. An Improved Compression Technique for Signatures Based on Learning with Errors. In: Topics in Cryptology—CT-RSA 2014. vol. 8366 of Lecture Notes in Computer Science. Springer; 2014. p. 28–47.
- 11. Ducas L, Kiltz E, Lepoint T, Lyubashevsky V, Schwabe P, Seiler G, et al. CRYSTALS-Dilithium: A Lattice-Based Digital Signature Scheme. IACR Transactions on Cryptographic Hardware and Embedded Systems. 2018;2018(1):238–268.
- 12.
Devevey J, Passelègue A, Stehlé D. G+G: a Fiat-Shamir lattice signature based on convolved Gaussians. In: Advances in Cryptology—ASIACRYPT 2023. vol. 14444 of Lecture Notes in Computer Science. Springer; 2023. p. 37–64.
- 13. Cheon J H, Choe H, Devevey J, Güneysu T, Hong D, Krausz M, et al. Haetae: Shorter lattice-based fiat-shamir signatures IACR Transactions on Cryptographic Hardware and Embedded Systems. 2024;2024(3):25–75.
- 14.
Lyubashevsky V, Seiler G. Short, invertible elements in partially splitting cyclotomic rings and applications to lattice-based zero-knowledge proofs. In: Advances in Cryptology—EUROCRYPT 2018. Springer; 2018. p. 204–224.
- 15.
Peikert C. Lattice Cryptography for the Internet. In: Post-Quantum Cryptography—6th International Workshop, PQCrypto 2014, Waterloo, ON, Canada, October 1-3, 2014. Proceedings. vol. 8772 of Lecture Notes in Computer Science. Springer; 2014. p. 197–219.
- 16.
Chen Y, Nguyen PQ. BKZ 2.0: Better Lattice Security Estimates. In: Advances in Cryptology—ASIACRYPT 2011. vol. 7073 of Lecture Notes in Computer Science. Springer; 2011. p. 1–20.
- 17. Albrecht MR, Player R, Scott S. On the concrete hardness of Learning with Errors. J Math Cryptol. 2015;9(3):169–203.
- 18.
Alkim E, Ducas L, Pöppelmann T, Schwabe P. Post-quantum Key Exchange—A New Hope. In: 25th USENIX Security Symposium. USENIX Association; 2016. p. 327–343.
- 19.
Bodrato M, Zanoni A. Integer and polynomial multiplication: towards optimal toom-cook matrices. In: Symbolic and Algebraic Computation, International Symposium, ISSAC 2007. ACM; 2007. p. 17–24.
- 20. Cook SA, Stål AO. On the Minimum Computation Time of Functions. Transactions of the American Mathematical Society. 1969;142:291–314.