In this paper, we construct several lattice-based distributed signing protocols with low round complexity following the Fiat--Shamir with Aborts paradigm of Lyubashevsky (Asiacrypt 2009). Our protocols can be seen as distributed variants of the fast Dilithium-G signature scheme. A key step to achieve security (unexplained in some earlier papers) is to prevent the leakage that can occur when parties abort after their first message---which can inevitably happen in the Fiat--Shamir with Aborts setting. We manage to do so using lattice-based homomorphic commitments as constructed by Baum et al. (SCN 2018).
We first propose a three-round $n$-out-of-$n$ signature from Module-LWE with full security proof using ideas from lossy identification schemes. Then, we further reduce the complexity to two rounds, at the cost of relying on Module-SIS as an additional assumption, with a larger security loss due to the forking lemma, and requiring somewhat more expensive trapdoor commitments. The construction of suitable trapdoor commitments from lattices is a side contribution of this paper. Finally, we also obtain a two-round multi-signature scheme as a variant of our two-round $n$-out-of-$n$ protocol.
Category / Keywords: cryptographic protocols / $n$-out-of-$n$ distributed signatures, multi-signatures, lattice-based cryptography, Fiat--Shamir with aborts, trapdoor commitments Date: received 14 Sep 2020, last revised 18 Sep 2020 Contact author: takahashi at cs au dk, ivan@cs au dk, orlandi@cs au dk, mehdi tibouchi br@hco ntt co jp Available format(s): PDF | BibTeX Citation Version: 20200918:140729 (All versions of this report) Short URL: ia.cr/2020/1110