Paper 2024/1033

Adaptively Secure 5 Round Threshold Signatures from MLWE/MSIS and DL with Rewinding

Shuichi Katsumata, PQShield, National Institute of Advanced Industrial Science and Technology
Michael Reichle, ETH Zurich
Kaoru Takemure, PQShield, National Institute of Advanced Industrial Science and Technology
Abstract

T-out-of-N threshold signatures have recently seen a renewed interest, with various types now available, each offering different tradeoffs. However, one property that has remained elusive is adaptive security. When we target thresholdizing existing efficient signature schemes based on the Fiat-Shamir paradigm, such as Schnorr, the source of this difficulty becomes clear. This class of signature schemes typically relies on the forking lemma to prove unforgeability; that is, the adversary is rewound and run twice within the security game. Such a proof is at odds with adaptive security, as the reduction must be ready to answer 2(T-1) secret key shares in total, implying that it can reconstruct the full secret key. Indeed, prior works either assumed strong idealized models such as the algebraic group model (AGM) or modified the underlying signature scheme so as not to rely on rewinding-based proofs. In this work, we propose a new proof technique to construct adaptively secure threshold signatures for existing rewinding-based Fiat-Shamir signatures. As a result, we obtain the following:

1. The first adaptively secure 5 round lattice-based threshold signature under the MLWE and MSIS assumptions in the ROM. The resulting signature is a standard signature of Raccoon, a lattice-based signature scheme by del Pino et al., submitted to the additional NIST call for proposals.

2. The first adaptively secure 5 round threshold signature under the DL assumption in the ROM. The resulting signature is a standard Schnorr signature. To the best of our knowledge, this is the first adaptively secure threshold signature based on DL, even assuming stronger models like AGM.

Our work is inspired by the recent statically secure lattice-based 3 round threshold signature by del Pino et al. (Eurocrypt 2024) based on Raccoon. While they relied on so-called one-time additive masks to solve lattice-specific issues, we notice that these masks can also be a useful tool to achieve adaptive security.
At a very high level, we use these masks throughout the signing protocol to carefully control the information the adversary can learn from the signing transcripts. Intuitively, this allows the reduction to return a total of 2(T-1) randomly sampled secret key shares to the adversary consistently and without being detected, resolving the above paradoxical situation. Lastly, by allowing the parties to maintain a simple state, we can compress our 5 round schemes into 4 rounds.
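The following is an added illustration, not code from the paper or from the Raccoon project, of the counting argument in the abstract: a rewinding (forking-lemma) reduction runs the adaptive adversary twice, and if the adversary corrupts different parties in the two runs, the 2(T-1) shares it asks for are at least T whenever T >= 2, so the reduction could itself reconstruct the full signing key. The example uses plain Shamir secret sharing over a toy prime field (a constructed parameter, not one from either scheme); it shows only the tension the paper sets out to resolve, not the one-time-mask technique that resolves it.

```python
"""
Why rewinding proofs collide with adaptive corruptions in a T-out-of-N scheme.
Added example with constructed parameters; not the paper's own code.
"""
import secrets

# Toy prime field for the illustration (constructed; not a scheme parameter).
P = 2**127 - 1


def share(secret: int, t: int, n: int) -> dict:
    """Shamir split: random degree-(t-1) polynomial f with f(0) = secret;
    party i (1..n) receives f(i). Any t shares determine f, hence the secret."""
    coeffs = [secret] + [secrets.randbelow(P) for _ in range(t - 1)]
    shares = {}
    for i in range(1, n + 1):
        y = 0
        for c in reversed(coeffs):  # Horner evaluation of f(i) mod P
            y = (y * i + c) % P
        shares[i] = y
    return shares


def reconstruct(shares: dict) -> int:
    """Lagrange interpolation at x = 0 over whatever shares are supplied.
    With fewer than t shares this returns an unrelated field element."""
    secret = 0
    xs = list(shares)
    for i in xs:
        num, den = 1, 1
        for j in xs:
            if j != i:
                num = num * (-j) % P
                den = den * (i - j) % P
        secret = (secret + shares[i] * num * pow(den, P - 2, P)) % P
    return secret


def rewinding_leakage(t: int, n: int, run1_corrupt, run2_corrupt, secret: int):
    """Simulate what a forking reduction must be able to answer.

    In each of the two runs the adaptive adversary may corrupt up to T-1 parties
    and demand their key shares. Because the sharing is fixed before the fork,
    both runs use the same shares, so the reduction has to hand out the union.
    Returns (revealed shares, whether that union already pins down the secret).
    """
    if len(run1_corrupt) > t - 1 or len(run2_corrupt) > t - 1:
        raise ValueError("an adversary may corrupt at most T-1 parties per run")
    shares = share(secret, t, n)
    revealed = {i: shares[i] for i in set(run1_corrupt) | set(run2_corrupt)}
    return revealed, len(revealed) >= t


def demo() -> bool:
    """Worst case for the reduction: disjoint corruption sets across the fork."""
    t, n = 3, 5
    sk = secrets.randbelow(P)
    revealed, leaks = rewinding_leakage(t, n, [1, 2], [3, 4], sk)
    # 2(T-1) = 4 >= T = 3 shares: the reduction can rebuild the whole key.
    return leaks and reconstruct(revealed) == sk


if __name__ == "__main__":
    print("reduction can reconstruct the full key:", demo())
```

Running the demo prints True: the union of the two corruption sets holds four shares of a 3-out-of-5 sharing, and interpolation recovers the signing key exactly. If the adversary corrupts the same T-1 parties in both runs the union stays below T and nothing is leaked, but an adaptive adversary chooses the sets after seeing the fork, so a reduction cannot rely on that. This is the "paradoxical situation" the abstract refers to; the paper's masks are what let the reduction answer 2(T-1) freshly sampled shares without the inconsistency becoming visible.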

Metadata
Available format(s)
PDF
Category
Cryptographic protocols
Publication info
A major revision of an IACR publication in CRYPTO 2024
Keywords
Threshold signature, Adaptive security, Lattice, Raccoon, Schnorr signature
Contact author(s)
shuichi katsumata @ pqshield com
michael reichle @ inf ethz ch
kaoru takemure @ pqshield com
History
2024-06-28: approved
2024-06-26: received
Short URL
https://ia.cr/2024/1033
License
Creative Commons Attribution
CC BY

BibTeX

@misc{cryptoeprint:2024/1033,
      author = {Shuichi Katsumata and Michael Reichle and Kaoru Takemure},
      title = {Adaptively Secure 5 Round Threshold Signatures from {MLWE}/{MSIS} and {DL} with Rewinding},
      howpublished = {Cryptology ePrint Archive, Paper 2024/1033},
      year = {2024},
      note = {\url{https://eprint.iacr.org/2024/1033}},
      url = {https://eprint.iacr.org/2024/1033}
}