1 Introduction

The Polynomial Short Integer Solution (\(\mathsf {PSIS}\)) and Polynomial Learning With Errors (\(\mathsf {PLWE}\)) were introduced as variants of the \(\mathsf {SIS}\) and \(\mathsf {LWE}\) problems leading to more efficient cryptographic constructions [LM06, PR06, SSTX09]. Let \(n, m, q \ge 2\) and \(f \in \mathbb {Z}[x]\) monic of degree n. A \(\mathsf {PSIS}_{q,m}^{(f)}\) instance consists in m uniformly chosen elements \(a_1,\ldots , a_m \in \mathbb {Z}_q[x]/f\), and the goal is to find \(z_1,\ldots ,z_m \in \mathbb {Z}[x]/f\) not all zero and with entries of small magnitudes such that \(z_1 a_1+\cdots + z_m a_m = 0 \bmod q\). A \(\mathsf {PLWE}_{q}^{(f)}\) instance consists of oracle access to the uniform distribution over \(\mathbb {Z}_q[x]/f \times \mathbb {Z}_q[x]/f\); or to oracle access to the distribution of \((a_i, a_i \cdot s + e_i)\), where \(a_i\) is uniform in \(\mathbb {Z}_q[x]/f\), \(e_i \in \mathbb {Z}[x]/f\) has random coefficients of small magnitudes, and the so-called secret \(s\in \mathbb {Z}_q[x]/f\) is uniformly sampled but identical across all oracle calls. The goal is to distinguish between the two types of oracles.

For any fixed f, the hardness of \(\mathsf {PSIS}^{(f)}\) and \(\mathsf {PLWE}^{(f)}\) has been less investigated than that of \(\mathsf {SIS}\) and \(\mathsf {LWE}\). In particular, it could be that \(\mathsf {PSIS}^{(f)}\) and \(\mathsf {PLWE}^{(f)}\) are easy, or easier, to solve for some defining polynomials f than for others. To mitigate such a risk, Lyubashevsky [Lyu16] introduced a variant of \(\mathsf {PSIS}\) that is not parametrized by a specific polynomial f but only a degree n, and is at least as hard as \(\mathsf {PSIS}^{(f)}\) for exponentially many polynomials f of degree n. We will let it be denoted by \(\mathsf {PSIS}^\emptyset \). Further, Lyubashevsky designed a signature scheme whose security relies on the hardness of this new problem, and hence on the hardness of \(\mathsf {PSIS}^{(f)}\) for at least one f among exponentially many. This signature scheme enjoys asymptotic efficiency, similar (up to a constant factor) to those based on \(\mathsf {PSIS}^{(f)}\) for a fixed f. Later on, Rosca et al. [RSSS17] introduced an \(\mathsf {LWE}\) counterpart of \(\mathsf {PSIS}^\emptyset \): the Middle-Product Learning with Errors problem (\(\mathsf {MPLWE}\)). Similarly to \(\mathsf {PSIS}^\emptyset \), \(\mathsf {MPLWE}\) is not parametrized by a specific polynomial f but only a degree n, and is at least as hard as \(\mathsf {PLWE}^{(f)}\) for exponentially many polynomials f of degree n. To illustrate the cryptographic usefulness of \(\mathsf {MPLWE}\), Rosca et al. built a public-key encryption scheme whose IND-CPA security relies on the \(\mathsf {MPLWE}\) hardness assumption. A more efficient encryption scheme and a key encapsulation mechanism [SSZ17, SSZ19] were later proposed as a submission to the NIST standardization process for post-quantum cryptography [NIS].

In [RSSS17], it was observed that several \(\mathsf {LWE}\)/\(\mathsf {PLWE}^{(f)}\) techniques leading to more cryptographic functionalities do not easily extend to \(\mathsf {MPLWE}\), possibly limiting its cryptographic expressiveness. These include a polynomial leftover hash lemma, the construction of trapdoors for \(\mathsf {MPLWE}\) that allow to recover the secret s, and the “HNF-ization” technique of [ACPS09] which would allow to prove hardness of \(\mathsf {MPLWE}\) with small-magnitude secrets. The leftover hash lemma and trapdoor sampling questions were recently studied in [LVV19], with an application to identity-based encryption, though only for security against an adversary whose distinguishing advantage is non-negligible (as opposed to exponentially small). On the HNF-ization front, the main result of [RSSS17] was mis-interpreted in [Hir18] (see Theorem 1 within this reference), in that the latter work assumed that the hardness result of [RSSS17] was for secrets whose coefficients were distributed as those of noise terms (and hence of small magnitudes). The main result from [Hir18] was a signature scheme with security relying on \(\mathsf {MPLWE}\).

1.1 Contributions

In this work, we give a reduction from \(\mathsf {PLWE}^{(f)}\) to a variant of \(\mathsf {MPLWE}\) in which the secret has small-magnitude coefficients. The reduction works for a family of defining polynomials f that grows with the security parameter.

We then build an identification scheme which follows Schnorr’s general framework [Sch89] and which can be upgraded to a signature scheme that is tightly secure in the quantum-access random oracle model (QROM), using [KLS18]. We show that \(\mathsf {MPSign}\) is unforgeable against chosen message attacks (\(\mathsf {UF}\text {-}\mathsf {CMA}\)), which means that no adversary may forge a signature on a message for which it has not seen a signature before. We did not manage to prove that there is no adversary who may forge a new signature on a previously signed message, i.e., that the scheme is strongly unforgeable against chosen message attacks (\(\mathsf {UF}\text {-}\mathsf {sCMA}\)). Nevertheless, any \(\mathsf {UF}\text {-}\mathsf {CMA}\) secure signature can be upgraded to a \(\mathsf {UF}\text {-}\mathsf {sCMA}\) secure signature using a one-time \(\mathsf {UF}\text {-}\mathsf {sCMA}\) secure signature [Kat10]. Such a one-time signature can be achieved easily by a universal one-way hash function (by Lamport’s one-time signature) [Kat10] or key collision resistant pseudo-random function (by Winternitz one-time signature) [BDE+11].

We provide concrete parameters for \(\mathsf {MPSign}\) corresponding to level 1 security of the NIST post-quantum standardization process (via the SVP core hardness methodology from [ADPS16]), which take into account our tight QROM security proof with respect to small secret \(\mathsf {MPLWE}\) (rather than just taking in account the classical ROM security proof as, e.g., in the Dilithium scheme parameter selection [DKL+18]). We also provide parameters that achieve similar security to those from [Lyu16], to allow for a reasonably fair comparison. The \(\mathsf {MPSign}\) verification key is larger but its signature size is twice smaller.

Our \(\mathsf {MPSign}\) signature length savings over the scheme of [Lyu16] arise mainly due to our use of much smaller secret key coordinates. Therefore, one could wonder whether reducing the size of the secret key coordinates in the scheme of [Lyu16] would also give a secure signature scheme. As an additional small contribution, we show that the answer is negative by presenting a simple efficient key recovery attack on Lyubashevsky’s scheme with sufficiently small secret coordinates. Our attack works (heuristically) when the underlying inhomogeneous variant of \(\mathsf {PSIS}^\emptyset \) has a unique solution, and shows that a lower bound similar to that shown sufficient in the security proof of [Lyu16] is also necessary for the security of Lyubashevsky’s scheme (and the underlying inhomogeneous \(\mathsf {PSIS}^\emptyset \) problem) with small secret coordinates.

Finally, we provide a proof-of-concept implementation in Sage, publicly available at https://github.com/pqc-ntrust/middle-product-LWE-signature.

1.2 Comparison with Prior Works

Our signature construction is similar to the one in [Hir18]. However, the proof of the latter is incorrect: in its proof of high min-entropy of commitments (see [Hir18, Lemma 7]), it is assumed that the middle n coefficients of the product between a uniform \(a \in \mathbb {Z}_q[x]\) of degree \(<n\) and a fixed polynomial y of degree \(\le 2n\), are uniform. In fact, this distribution depends on the rank of a Hankel matrix associated to y and encoding the linear function from a to the considered coefficients of the product. This Hankel matrix can be of low rank and, when it is the case, the resulting distribution is uniform on a very small subset of the range. Interestingly, the distribution of these Hankel matrices (for a uniform y) was recently studied in [BBD+19], in the context of proving hardness of an \(\mathsf {MPLWE}\) variant with deterministic noise. We do not know how to fix the error from [Hir18]. As a result, we use a different identification scheme to be able to make our proofs go through. Concretely, the identification scheme from [Hir18] used the Bai-Galbraith [BG14] compression technique to decrease the signature size. We circumvent the difficulty by not using the Bai-Galbraith compression technique.

Lyubashevsky’s signature from [Lyu16] can also be viewed as secure under the assumption that \(\mathsf {PLWE}^{(f)}\) is hard for at least one f among exponentially many defining polynomials f, like ours. Indeed, it was proved secure under the assumption that \(\mathsf {PSIS}^\emptyset \) is hard, it was proved that \(\mathsf {PSIS}^{(f)}\) reduces to \(\mathsf {PSIS}^\emptyset \) for exponentially many defining polynomials f, and \(\mathsf {PLWE}^{(f)}\) (directly) reduces to \(\mathsf {PSIS}^{(f)}\). Furthermore, \(\mathsf {MPLWE}\) (both with small-magnitude secrets and uniform secrets) reduces to \(\mathsf {PSIS}^\emptyset \), whereas the converse is unknown. Hence it seems that in terms of assumptions, Lyubashevsky’s signature outperforms ours. However, the security proof from [Lyu16] only holds in the random oracle model, as opposed to ours which is tight in the quantum-access random oracle model (QROM). Recent techniques on Fiat-Shamir in the QROM [LZ19, DFMS19] might be applicable to [Lyu16], but they are not tight.

We now compare \(\mathsf {MPSign}\) with \(\mathsf {LWE}\)-based signature schemes and efficient lattice-based signature schemes such as those at Round 2 of the NIST post-quantum standardization process [NIS]: Dilithium [DKL+18], Falcon [PFH+19] and Tesla [BAA+19]. Compared to \(\mathsf {LWE}\)-based signatures, our proposal results in much smaller values for the sum of sizes of a signature and a public key, with much stronger security guarantees than the efficient schemes based on polynomial rings. For example, scaling Dilithium with NIST security level 1 parameters to \(\mathsf {LWE}\) requires multiplying the public key size by the challenge dimension \(n = 256\), since for an \(\mathsf {LWE}\) adaptation of Dilithium, the public key would be a matrix with n columns instead of 1. For NIST security level 1, the public key and signature sizes sum would be above 300 KB for an \(\mathsf {LWE}\) adaptation of Dilithium, whereas the same quantity is 47 KB for \(\mathsf {MPSign}\) (see Table 2). Now, compared to the Dilithium, Falcon and Tesla NIST candidates, the security guarantees are different. The security of Dilithium and Tesla relies on the module variants of \(\mathsf {PLWE}\) and \(\mathsf {PSIS}\) for a fixed polynomial [LS15]. In the case of Dilithium, the known security proof in the QROM is quite loose [LZ19], unless one relies on an ad hoc assumption like SelfTargetMSIS [KLS18]. Moreover, in the case of Dilithium, the \(\mathsf {SIS}\) instance is in an extreme regime: the maximum infinity norm of the vectors to be found is below q/2, but their Euclidean norms may be above q. Currently, no reduction backs the assumption that \(\mathsf {SIS}\) is intractable in that parameter regime. In Falcon, the public key is assumed pseudo-random, which is an ad hoc version of the NTRU hardness assumption [HPS98]. In contrast, the security of \(\mathsf {MPSign}\) relies on the assumed \(\mathsf {PLWE}\) hardness for at least one polynomial among exponentially many. Overall, \(\mathsf {MPSign}\) is an intermediate risk-performance tradeoff between fixed-ring and \(\mathsf {LWE}\)-based schemes.

2 Preliminaries

The notations in this paper are almost verbatim from [RSSS17] to maintain consistency and facilitate comparison.

Let \(q>1\) be an integer. We let \(\mathbb {Z}_q\) denote the ring of integers modulo q and by \(\mathbb {Z}_{\le q}\) the set \(\{-q,\ldots ,q\}\) of integers of absolute value less than or equal to q. We will write \(\mathbb {R}_q\) to denote the group \(\mathbb {R}/q \mathbb {Z}\).

Let \(n>0\). For a ring R, we will use the notation \(R^{<n}[x]\) to denote the set of all polynomials in R[x] with degree less than n. This notation may be extended to any unstructured set S.

For any vector \(a=(a_0,a_1,\dots ,a_{n-1})^T\in \mathbb {Z}^{n}\), we let \(\overline{a}\) denote the reversed vector \((a_{n-1},a_{n-2},\dots ,a_0)^T\in \mathbb {Z}^{n}\) and we write \(\Vert a\Vert _\infty :=\max _i |a_i|\). When there is no ambiguity, we identify a polynomial with its vector of coefficients.

For any matrix \(M\in \mathbb {R}^{m\times n}\), we let \(\sigma _1(M)\ge \sigma _2(M)\ge \cdots \ge \sigma _n(M)\) denote its singular values. We use the notation \(\Vert M\Vert \) to denote its largest singular value \(\sigma _1(M)\) and we denote by \(\mathbf {I}_m\) the \(m\times m\) identity matrix.

For a distribution D on a set X, we denote by the choice of an element x according to D. For simplicity, when D is the uniform distribution on X, we use the notation .

All logarithms used in this paper are in base 2.

2.1 Polynomials and Matrices

For a polynomial \(f \in \mathbb {Z}[x]\) of degree \(m \ge 1\) and a polynomial \(a \in \mathbb {Z}^{<k}[x]\), we make use of the following matrices:

  • \(\mathsf {Rot}^{d}_f(a)\): the \(d \times m\) matrix whose i-th row is given by the coefficients of the polynomial \(x^{i-1} \cdot a \bmod f\);

  • \(M_f\): the \(m \times m\) matrix whose (i, j)-th element is the constant coefficient of the polynomial \(x^{i+j-2} \bmod f\);

  • \(M_f^d\): the \(d\times m\) matrix obtained by keeping only the first d rows of \(M_f\);

  • \(\mathsf {Toep}^{d,k}(a)\): the \(d \times (k\,+\,d\,-\,1)\) matrix whose i-th row is given by the coefficients of the polynomial \(x^{i-1} \cdot a\).

Note that \(\mathsf {Rot}^d_f(a)=\mathsf {Toep}^{d,k}(a) \cdot \mathsf {Rot}^{k+d-1}_f(1)\). Also, for any \(a'\in \mathbb {Z}[x]\) such that \(a'=a \bmod f\), we have that \(\mathsf {Rot}^d_f(a)=\mathsf {Rot}^d_f(a')\).

The expansion factor of a polynomial \(f\in \mathbb {Z}[x]\) of degree m is defined as:

$$\begin{aligned} \mathrm {EF}(f)=\max \left( \frac{\Vert g\bmod f \Vert _\infty }{ \Vert g\Vert _\infty }: g \in \mathbb {Z}^{<2m-1}[x] \setminus \{0\}\right) . \end{aligned}$$

The following lemma provides bounds on the norms of the matrices \(M_f\) and \(\mathsf {Rot}^d_f(1)\), in terms of \(\mathrm {EF}(f)\). A bound on \(\Vert M_f\Vert \) was first proved in [RSSS17, Le. 2.8] and improved later in [LVV19, Le. 9]. The bound on \(\Vert \mathsf {Rot}^k_f(1)\Vert \) can be obtained by noticing that \(\mathsf {Rot}^k_f(1)\) contains \(\mathbf {I}_{\deg (f)}\) as a submatrix and all its other entries are bounded by \(\mathrm {EF}(f)\).

Lemma 1

Let \(f \in \mathbb {Z}[x]\) and \(k\ge \deg (f)\ge d\). Then

  1. \(\Vert M_f^d\Vert \le \sqrt{d} \cdot \mathrm {EF}(f)\);

  2. \(\Vert \mathsf {Rot}^k_f(1)\Vert ^2 \le \deg (f)+(k-\deg (f)) \cdot \deg (f) \cdot \mathrm {EF}(f)^2\).

We now recall the middle-product of two polynomials and some of its elementary properties. Let us consider a pair of polynomials \((a,b) \in \mathbb {Z}^{<d_a}[x] \times \mathbb {Z}^{<d_b}[x]\). Multiplying the two polynomials, we get a polynomial in \(\mathbb {Z}^{<d_a+d_b-1}[x]\). If \(d_a+d_b-1=d+2k\) for some integers d and k, then the middle-product of size d of a and b is obtained by multiplying a and b, then deleting the coefficients of \(x^i\) for \(i\le k-1\) and \(i\ge k+d\) and dividing the remaining by \(x^k\). Note that the middle-product is an additive homomorphism when either of its inputs is fixed.

Definition 1 (Middle-Product)

Let \(d_a,d_b,d,k\) be integers such that \(d_a+d_b-1=d+2k\). The middle-product \(\odot _{d}\) is the map from \(\mathbb {Z}^{<d_a}[x] \times \mathbb {Z}^{<d_b}[x]\) to \(\mathbb {Z}^{<d}[x]\) defined as: \((a,b) \rightarrow a \odot _{d} b = \lfloor \frac{a \cdot b \mod x^{k+d}}{x^k} \rfloor \).

Lemma 2

([RSSS17, Le. 3.2]). Let \(d,k>0\). For all \(r \in \mathbb {Z}^{<k+1}[x]\), \(a \in \mathbb {Z}^{<k+d}[x]\) and \(b=r \odot _{d} a\), we have \(\overline{b}=\mathsf {Toep}^{d,k+1}(r) \cdot \overline{a}\).

Lemma 3

([RSSS17, Le. 3.3]). Let \(d,k,n>0\). For all \(r \in \mathbb {Z}^{<k+1}[x], a \in \mathbb {Z}^{<n}[x]\) and \(s \in \mathbb {Z}^{<n+d+k-1}[x]\), we have \(r \odot _{d}(a \odot _{d+k} s)=(r \cdot a) \odot _{d}s\).
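As an added example (not the paper's Sage implementation), the following plain-Python code builds the \(\mathsf {Rot}\) and \(\mathsf {Toep}\) matrices of Sect. 2.1 and checks the identity \(\mathsf {Rot}^d_f(a)=\mathsf {Toep}^{d,k}(a) \cdot \mathsf {Rot}^{k+d-1}_f(1)\), implements the middle product of Definition 1, checks Lemmas 2 and 3 on concrete inputs, and generates one \(\mathsf {MPLWE}\) sample in the sense of Definition 4. Polynomials are coefficient lists; the noise bound and the modulus used in the sample are illustrative choices, not the paper's parameters.

```python
# Added example, not code from the paper. Polynomials are coefficient lists,
# index i holding the coefficient of x^i, so Z^{<n}[x] is a list of length n.
import random

def poly_mul(a, b):
    """Schoolbook product of two coefficient lists."""
    res = [0] * (len(a) + len(b) - 1)
    for i, ai in enumerate(a):
        for j, bj in enumerate(b):
            res[i + j] += ai * bj
    return res

def poly_mod(g, f):
    """g mod f for monic f of degree m; the result has exactly m entries."""
    m = len(f) - 1
    assert f[m] == 1, "f must be monic"
    g = list(g) + [0] * max(0, m - len(g))
    for i in range(len(g) - 1, m - 1, -1):      # clear the x^i term, highest first
        c = g[i]
        if c:
            for j in range(m + 1):
                g[i - m + j] -= c * f[j]
    return g[:m]

def mat_vec(A, v):
    return [sum(x * y for x, y in zip(row, v)) for row in A]

def mat_mul(A, B):
    cols = list(zip(*B))
    return [[sum(x * y for x, y in zip(row, col)) for col in cols] for row in A]

def toep(a, d):
    """Toep^{d,k}(a): d x (k+d-1) matrix, row i = coefficients of x^i * a (k = len(a))."""
    return [[0] * i + list(a) + [0] * (d - 1 - i) for i in range(d)]

def rot(a, f, d):
    """Rot^d_f(a): d x deg(f) matrix, row i = coefficients of x^i * a mod f."""
    return [poly_mod([0] * i + list(a), f) for i in range(d)]

def middle_product(a, b, d):
    """a (.)_d b from Definition 1: keep coefficients x^k .. x^{k+d-1} of a*b,
    where d_a + d_b - 1 = d + 2k."""
    total = len(a) + len(b) - 1
    assert total >= d and (total - d) % 2 == 0, "need d_a + d_b - 1 = d + 2k"
    k = (total - d) // 2
    return poly_mul(a, b)[k:k + d]

def rot_via_toep_holds(a, f, d):
    """Identity of Sect. 2.1: Rot^d_f(a) == Toep^{d,k}(a) * Rot^{k+d-1}_f(1)."""
    k = len(a)
    return rot(a, f, d) == mat_mul(toep(a, d), rot([1], f, k + d - 1))

def lemma2_holds(r, a, d):
    """Lemma 2: reverse(r (.)_d a) == Toep^{d,k+1}(r) * reverse(a),
    with len(r) = k+1 and len(a) = k+d."""
    b = middle_product(r, a, d)
    return b[::-1] == mat_vec(toep(r, d), a[::-1])

def lemma3_holds(r, a, s, d):
    """Lemma 3: r (.)_d (a (.)_{d+k} s) == (r*a) (.)_d s, with len(r) = k+1,
    len(a) = n and len(s) = n+d+k-1."""
    k = len(r) - 1
    lhs = middle_product(r, middle_product(a, s, d + k), d)
    rhs = middle_product(poly_mul(r, a), s, d)
    return lhs == rhs

def mplwe_sample(s, n, d, q, rng, bound=1):
    """One sample of MP_{q,n,d,chi}(s) (Definition 4), with chi taken (an
    illustrative choice) uniform on {-bound,...,bound}^d:
    a uniform in Z_q^{<n}[x], b = a (.)_d s + e mod q."""
    assert len(s) == n + d - 1
    a = [rng.randrange(q) for _ in range(n)]
    e = [rng.randint(-bound, bound) for _ in range(d)]
    b = [(x + y) % q for x, y in zip(middle_product(a, s, d), e)]
    return a, b

def centered_error(a, b, s, d, q):
    """e = b - a (.)_d s mod q, centred in (-q/2, q/2]; small iff (a,b) is an MPLWE sample."""
    diff = [(y - x) % q for x, y in zip(middle_product(a, s, d), b)]
    return [c - q if c > q // 2 else c for c in diff]

def mplwe_roundtrip(n, d, q, seed, bound=1):
    """Sample s and (a, b), then check that the recovered error lies in [-bound, bound]."""
    rng = random.Random(seed)
    s = [rng.randrange(q) for _ in range(n + d - 1)]
    a, b = mplwe_sample(s, n, d, q, rng, bound)
    return all(-bound <= c <= bound for c in centered_error(a, b, s, d, q))

if __name__ == "__main__":
    f = [1, 0, 0, 0, 1]                     # x^4 + 1 (constructed, monic, m = 4)
    print("Rot = Toep * Rot(1):", rot_via_toep_holds([1, -2, 3, 0, 5, 7], f, 3))
    r = [1, -1, 2]                          # k = 2
    print("Lemma 2:", lemma2_holds(r, [3, 0, -2, 5, 1, 4], 4))          # len(a) = k+d = 6
    print("Lemma 3:", lemma3_holds(r, [1, 2, 3, 4, 5], list(range(-4, 6)), 4))  # len(s) = 10
    print("MPLWE error small:", mplwe_roundtrip(n=5, d=4, q=257, seed=2020))
```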

2.2 Gaussian Distributions

A symmetric matrix \(\varSigma \in \mathbb {R}^{n\times n}\) is positive definite if \(x^t\varSigma x>0\) for every non-zero vector \(x\in \mathbb {R}^n\). For any non-singular matrix \(B\in \mathbb {R}^{n\times n}\), the matrix \(\varSigma =BB^t\) is positive definite and we say that \(B=\sqrt{\varSigma }\). Every positive definite matrix \(\varSigma \) has a square root \(B=QD\), where \(\varSigma =QD^2Q^t\) is the spectral decomposition of \(\varSigma \). Note that the square root of a positive definite matrix is not unique (\(B'=BH\) is also a square root of \(\varSigma \) for every orthogonal matrix \(H\in \mathbb {R}^{n\times n}\)). If \(\varSigma \in \mathbb {R}^{n\times n}\) is a positive definite matrix, its inverse is also positive definite and, moreover, the set of positive definite matrices is closed under addition.

For a positive definite matrix \(\varSigma \in \mathbb {R}^{n\times n}\), we define the Gaussian function on \(\mathbb {R}^n\) of covariance matrix \(\varSigma \) as \(\rho _\varSigma (x)=\exp (-\pi x^t \varSigma ^{-1} x)\) for every \(x\in \mathbb {R}^n\). The probability distribution whose density is proportional to \(\rho _\varSigma \) is called the Gaussian distribution and is denoted \(D_\varSigma \). When \(\varSigma =s^2 \cdot \mathbf{I} _n\), we use the notations \(\rho _s\) and \(D_s\) instead of \(\rho _\varSigma \) and \(D_\varSigma \), respectively.

Given a (full-rank) lattice \(\varLambda \subset \mathbb {R}^n\) we define \(\rho _\varSigma (\varLambda ):=\sum _{x\in \varLambda }\rho _\varSigma (x)\). Using this, we can now define the discrete Gaussian distribution over \(\varLambda \) of covariance parameter \(\varSigma \) as \(D_{\varLambda ,\varSigma }(x)=\rho _\varSigma (x)/\rho _\varSigma (\varLambda )\) for every \(x\in \varLambda \). The dual of a lattice \(\varLambda \subset \mathbb {R}^n\) is \(\varLambda ^*:=\{y\in \mathbb {R}^n:\langle y,x \rangle \in \mathbb {Z}\) for every \(x\in \varLambda \}\). For \(\varepsilon > 0\), we define the smoothing parameter \(\eta _\varepsilon (\varLambda )\) as the smallest \(r > 0\) such that \(\rho _{1/r}(\varLambda ^*\setminus \{ 0\} ) \le \varepsilon \). If \(\varLambda _1\subseteq \varLambda _2\) are two lattices, we have that \(\eta _\varepsilon (\varLambda _2)\le \eta _\varepsilon (\varLambda _1)\). We will use the following standard results.

Lemma 4

([MR04, Le. 3.3]). For any full-rank lattice \(\varLambda \subset \mathbb {R}^n\) and \(\varepsilon >0\), we have \(\eta _\varepsilon (\varLambda )\le \lambda _n(\varLambda )\cdot \sqrt{\ln (2n(1+1/\varepsilon ))/\pi }\).

Lemma 5

([LPSS14, Le. 5]). Let \(\varSigma _1,\varSigma _2\in \mathbb {R}^{n\times n}\) be two covariance matrices and \(\varLambda _1,\varLambda _2\) full-rank lattices in \(\mathbb {R}^n\) such that \(1\ge \eta _\varepsilon ((\varSigma _1^{-1}+\varSigma _2^{-1})^{1/2}\cdot (\varLambda _1\cap \varLambda _2))\) for some \(\varepsilon \in (0,1/2)\). If and , then the statistical distance between the distribution of \(x_1+x_2\) and \(D_{\varLambda _1+\varLambda _2,\varSigma _1+\varSigma _2}\) is less than \(4\varepsilon \).

Lemma 6

([Ban95, Le. 2.10]). For any full-rank lattice \(\varLambda \subset \mathbb {R}^n\) and \(\sigma >0\), we have \(\Pr _{x\leftarrow D_{\varLambda ,\sigma }} (\Vert x\Vert _\infty >\sigma \cdot t)\le 2n\cdot \exp (-\pi \cdot t^2)\).

2.3 Polynomial and Middle-Product Learning with Errors

In this section we recall the formal definitions of \(\mathsf {PLWE}\) and \(\mathsf {MPLWE}\) and of the distributions they make use of.

Definition 2

(\(\mathsf {PLWE}\) distribution). Let f be a polynomial of degree m and \(q\ge 2\). Let \(\chi \) be a distribution over \(\mathbb {Z}[x]/(f)\) and s a fixed element in \(\mathbb {Z}_q[x]/(f)\). We define \(\mathsf {P}_{q,\chi }(s)\) as the distribution obtained by sampling , and returning \((a,b=a \cdot s+e)\in \mathbb {Z}_q[x]/(f) \times \mathbb {Z}_q[x]/(f)\).

Definition 3

(\(\mathsf {PLWE}\)). Let f be a polynomial of degree m and \(q\ge 2\). Let \(\chi _1\) and \(\chi _2\) be distributions over \(\mathbb {Z}_q[x]/(f)\). The decision \(\mathsf {PLWE}^{(f)}_{q,\chi _1,\chi _2}\) problem consists in distinguishing between arbitrarily many samples from \(\mathsf {P}_{q,\chi _1}(s)\) and the same number of uniform samples in \(\mathbb {Z}_q[x]/(f) \times \mathbb {Z}_q[x]/(f)\), with non-negligible probability over the choice of .

The hardness of \(\mathsf {PLWE}\) was investigated in [SSTX09, LPR13, PRS17, RSW18], among others. Of particular importance to the present work, it was observed in [LPR13] that the reduction from uniform secret to small secret described in [ACPS09] in the context of \(\mathsf {LWE}\) also applies to \(\mathsf {PLWE}\).

Lemma 7

Let f be a polynomial of degree m and \(q\ge m\) such that the factors of f modulo q are distinct. Let \(\chi _1\) and \(\chi _2\) be distributions over \(\mathbb {Z}_q[x]/(f)\). Then there is a \(\mathrm {ppt}\) reduction from \(\mathsf {PLWE}^{(f)}_{q,\chi _1,\chi _2}\) to \(\mathsf {PLWE}^{(f)}_{q,\chi _1,\chi _1}\).

The condition on q ensures that a uniform element in \(\mathbb {Z}_q[x]/(f)\) is invertible with non-negligible probability.

Definition 4

(\(\mathsf {MPLWE}\) distribution). Let \(n,d>0\). Let \(\chi \) be a distribution over \(\mathbb {Z}^{<d}[x]\) and \(s \in \mathbb {Z}^{n+d-1}_q[x]\). We define \(\mathsf {MP}_{q,n,d,\chi }(s)\) as the distribution obtained by sampling , and returning \((a,b=a \odot _{d} s\,+\,e)\in \mathbb {Z}_q^{<n}[x]\,\times \, \mathbb {Z}_q^{<d}[x]\).

Definition 5

(\(\mathsf {MPLWE}\)). Let \(n,d>0\). Let \(\chi _1\) and \(\chi _2\) be distributions over \(\mathbb {Z}_q^{<d}[x]\) and \(\mathbb {Z}_q^{n+d-1}[x]\), respectively. The decision \(\mathsf {MPLWE}_{q,n,d,\chi _1,\chi _2}\) problem consists in distinguishing between arbitrarily many samples from \(\mathsf {MP}_{q,n,d,\chi _1}(s)\) and the same number of uniform samples in \(\mathbb {Z}_q^{<n}[x] \times \mathbb {Z}_q^{<d}[x]\), with non-negligible probability over the choice of .

The \(\mathsf {PLWE}\) (resp. \(\mathsf {MPLWE}\)) assumption states that the advantage of any polynomial time algorithm trying to solve the \(\mathsf {PLWE}\) (resp. \(\mathsf {MPLWE}\)) problem is negligible. The main result in [RSSS17] is a reduction from a variant of \(\mathsf {PLWE}^{(f)}\) (for exponentially many f’s with respect to parameter n) for which the noise is drawn from a continuous distribution and the secret is uniformly distributed, to a variant of the \(\mathsf {MPLWE}\) problem for which the noise distribution is also continuous and the secret is also uniformly distributed. In this work, we will be interested in discrete noise distributions and secret distributions taking small values compared to the modulus q. Compared to [RSSS17], discretizing the noise distribution can be achieved via routine techniques and is more convenient both for our proofs and application. Oppositely, having the secret distribution take small values compared to q requires a new idea.

2.4 Cryptographic Definitions

Pseudorandom Functions. We will use a pseudorandom function to transform an identification scheme to a deterministic signature scheme.

Definition 6

A pseudorandom function \(\mathsf {PRF}\) is an efficiently computable map \(\mathsf {PRF}:\mathcal {K} \times \{0,1\}^n \rightarrow \{0, 1\}\) where \(\mathcal {K}\) is a finite key space and n, k are integers. For any quantum adversary A trying to distinguish the output of the \(\mathsf {PRF}\) from a uniform output, we associate the advantage function

$$\mathrm {Adv}^{\mathsf {PR}}_{\mathsf {PRF}}(A) :=|\Pr (A^{\mathsf {PRF}(K,\cdot )}=1|K\leftarrow \mathcal {K})-\Pr (A^{\mathsf {RF}(\cdot )}=1)|$$

where \(\mathsf {RF}:\{0,1\}^n \rightarrow \{0, 1\}\) is a uniformly sampled function and A has only classical access to the oracles \(\mathsf {PRF}(K,\cdot )\) and \(\mathsf {RF}(\cdot )\).

Identification Schemes. We recall some basic security properties of particular identification schemes. We closely follow the notations used in [KLS18].

A canonical identification scheme is a protocol between two parties: a prover \(\mathsf {P}\) and a verifier \(\mathsf {V}\). The prover sends a commitment W and the verifier selects a uniform challenge c and sends it to \(\mathsf {P}\). Upon receiving c, the prover sends back a response Z to the verifier. After it receives Z, the verifier makes a deterministic decision.

Definition 7 (Canonical identification scheme)

A canonical identification scheme is a tuple of classical \(\mathrm {ppt}\) algorithms \(\mathsf {ID}:= (\mathsf {IGen}, \mathsf {P}, \mathsf {V})\).

  • The key generation algorithm \(\mathsf {IGen}\) takes as input a security parameter \(\lambda \) (in unary) and returns the public and secret keys (\(\mathsf {pk}\), \(\mathsf {sk}\)). The public key defines the set of challenges \(\mathsf {ChSet}\), the set of commitments \(\mathsf {WSet}\), and the set of responses \(\mathsf {ZSet}\).

  • The prover algorithm \(\mathsf {P}\) consists of two sub-algorithms: \(\mathsf {P}_1\) takes as input the secret key \(\mathsf {sk}\) and returns a commitment \(W\in \mathsf {WSet}\) and a state St; \(\mathsf {P}_2\) takes as inputs the secret key \(\mathsf {sk}\), a commitment W, a challenge c, and a state St and returns a response \(Z\in \mathsf {ZSet}\cup \{\perp \}\), where \(\perp \notin \mathsf {ZSet}\) is a special symbol indicating failure.

  • The verifier algorithm \(\mathsf {V}\) takes as inputs the public key \(\mathsf {pk}\) and the conversation transcript (W, c, Z) and outputs 1 (acceptance) or 0 (rejection).

If \(Z=\perp \), then we set \((W,c,Z)=(\perp ,\perp ,\perp )\). The triple \((W, c, Z)\in \mathsf {WSet}\times \mathsf {ChSet}\times \mathsf {ZSet}\cup \{(\perp ,\perp ,\perp )\}\) generated in this way is called a transcript. Given the public key \(\mathsf {pk}\), the transcript is valid if \(\mathsf {V}(\mathsf {pk},W, c, Z) = 1\).

We say that \(\mathsf {ID}\) has correctness error \(\delta \) if for all public and secret keys generated by \(\mathsf {IGen}\), all possible transcripts in \(\mathsf {WSet}\times \mathsf {ChSet}\times \mathsf {ZSet}\) with \(Z\ne \perp \) are valid and the probability that an honestly generated transcript is \((\perp ,\perp ,\perp )\) is less than \(\delta \).

We say that the canonical identification scheme \(\mathsf {ID}\) has \(\alpha \) bits of min-entropy if

$$\begin{aligned} \mathop {\Pr }\limits _{(\mathsf {pk},\mathsf {sk})\leftarrow \mathsf {IGen}(\lambda )} \left( H_\infty (W |(W,St)\leftarrow P_1(\mathsf {sk}))\ge \alpha \right) \ge 1-2^{-\alpha }. \end{aligned}$$

We are interested in the following security properties.

Definition 8 (No-abort honest-verifier zero-knowledge)

A canonical identification scheme \(\mathsf {ID}\) is \(\varepsilon _{zk}\)-perfect no-abort honest-verifier zero-knowledge (\(\varepsilon _{zk}\)-perfect \(\mathsf {na}\text {-}\mathsf {HVZK}\)) if there exists a \(\mathrm {ppt}\) algorithm \(\mathsf {Sim}\) which given only the public key \(\mathsf {pk}\) outputs (W, c, Z) such that the statistical distance between \((W,c,Z)\leftarrow \mathsf {Sim}(\mathsf {pk})\) and \((W,c,Z)\leftarrow \mathsf {Trans}(\mathsf {pk})\) is at most \(\varepsilon _{zk}\) and the element c from \((W,c,Z)\leftarrow \mathsf {Sim}(\mathsf {pk})\) follows a uniform distribution conditioned on \(c\ne \perp \).

Definition 9 (Lossiness)

A canonical identification scheme is lossy (and we call it \(\mathsf {LID}\)) if there exists a lossy key generation algorithm \(\mathsf {LossyIGen}\) that takes as input \(\lambda \) and returns a public key \(\mathsf {pk}_{ls}\) and no secret key such that the public keys generated by \(\mathsf {IGen}\) and \(\mathsf {LossyIGen}\) are indistinguishable. In other words, for any quantum adversary A, the following quantity is negligible:

$$\begin{aligned} \mathrm {Adv}^{loss}_{\mathsf {ID}}(A)\,:=\,&|\Pr (A(\mathsf {pk}_{ls})=1 | \mathsf {pk}_{ls}\leftarrow \mathsf {LossyIGen}(\lambda ))\\&-\Pr (A(\mathsf {pk})=1 | (\mathsf {pk},\mathsf {sk})\leftarrow \mathsf {IGen}(\lambda ))|. \end{aligned}$$

Definition 10 (Lossy soundness)

A canonical identification scheme is \(\varepsilon _{ls}\)-lossy-sound if, for every quantum adversary A, the following probability that A could impersonate the prover is less than \(\varepsilon _{ls}\):

$$\begin{aligned} \Pr \left[ \mathsf {V}(\mathsf {pk}_{ls},W^*,c^*,Z^*)=1 \left| \ \begin{array}{l} \mathsf {pk}_{ls}\leftarrow \mathsf {LossyIGen}(\lambda );\\ (W^*,St)\leftarrow A(\mathsf {pk}_{ls});\\ c^*\leftarrow \mathsf {ChSet};Z^*\leftarrow A(St,c^*)\end{array}\right. \right] . \end{aligned}$$

Digital Signatures. We recall the definition of a digital signature.

Definition 11 (Digital signature)

A digital signature scheme \(\mathsf {SIG}\) with correctness error \(\delta \ge 0\) consists of a triple of \(\mathrm {ppt}\) classical algorithms \((\mathsf {G}, \mathsf {S}, \mathsf {V})\) such that for every pair of outputs \((\mathsf {sk}, \mathsf {vk})\) of \(\mathsf { G}(1^\lambda )\) and any message M,

$$\begin{aligned} \Pr [\mathsf {V}(\mathsf {vk}, M, \mathsf {S}(\mathsf {sk}, M)) = 0] \le \delta \end{aligned}$$

where the probability is taken over the randomness of algorithms \(\mathsf {S}\) and \(\mathsf {V}\).

The algorithm \(\mathsf {G}\) is called the key-generation algorithm, \(\mathsf {S}\) is called the signing algorithm, and \(\mathsf {V}\) is called the verification algorithm. The elements \(\mathsf {sk}\) and \(\mathsf {vk}\) are the signing and verification keys.

Definition 12 (Unforgeability)

A signature scheme \(\mathsf {SIG}:=(\mathsf {G},\mathsf {S},\mathsf {V})\) is said to be unforgeable against one-per-message chosen message attack (\(\mathsf {UF}\text {-}\mathsf {CMA}_1\)) in the quantum random oracle model if for every \(\mathrm {ppt}\) quantum forger \(\mathcal {F}\) having quantum access to the random oracle and classical access to the signing oracle, the probability that after seeing the public key and

$$\begin{aligned} \{(M_1,\mathsf {S}(\mathsf {sk},M_1)), \ldots , (M_Q, \mathsf {S}(\mathsf {sk}, M_Q))\} \end{aligned}$$

for any Q (\(Q=\mathsf {poly}(n)\)) adaptively chosen distinct messages \(M_i\) of its choice, forger \(\mathcal {F}\) can produce \(M^* \notin \{ M_i \}\) and \(\sigma ^*\) such that \(\mathsf {V} (\mathsf {vk}, M^*, \sigma ^*)=1\), is negligibly small. The probability is taken over the randomness of \(\mathsf {G}, \mathsf {S}, \mathsf {V}\) and \(\mathcal {F}\), and is denoted by \(\mathrm {Adv}_{\mathsf {SIG}}^{\mathsf {UF}\text {-}\mathsf {CMA}_1}(\mathcal {F})\).

One can extend this definition to the scenario where the attacker may have access to more than one signature for any of \(\mathsf {poly}(n)\) adaptively chosen messages \(\{M_i\}\). In that case, if no quantum adversary \(\mathcal {F}\) can produce a valid signature for a message \(M^*\notin \{M_i\}\), we say that the signature scheme is unforgeable against chosen message attack (\(\mathsf {UF}\text {-}\mathsf {CMA}\)).

In the strong versions of the corresponding \(\mathsf {UF}\text {-}\mathsf {CMA}\)/\(\mathsf {UF}\text {-}\mathsf {CMA}_1\) experiments, the adversary may return a forgery for a message which has already been queried to the signing oracle, but with a different signature.

As shown in [BPS16], a \(\mathsf {UF}\text {-}\mathsf {CMA}_1\) signature scheme can be combined with a pseudo-random function to obtain a signature scheme that is \(\mathsf {UF}\text {-}\mathsf {CMA}\), and the conversion is tight (further, the upgrade preserves strongness). As observed in [KLS18], this transformation still applies when the attacker is quantum and is given quantum access to the random oracle.

From Identification Schemes to Digital Signatures: Fiat-Shamir. The Fiat-Shamir heuristic is a technique to convert an identification scheme \(\mathsf {ID}:= (\mathsf {IGen}, \mathsf {P}, \mathsf {V})\) to a digital signature scheme \(\mathsf {SIG}:=(\mathsf {G}=\mathsf {IGen}, \mathsf {S}, \mathsf {\overline{V}})\) in the random oracle model (ROM).

Fig. 1. The signature \(\mathsf {SIG}\) obtained via Fiat-Shamir transform

The main result in [KLS18] is a security statement of the signature scheme obtained via the Fiat-Shamir transformation in the setup where the adversary has quantum access to the random oracle, but classical access to the signing oracle.

Theorem 1

([KLS18, Th. 3.1]). Consider an identification scheme \(\mathsf {ID}\) which is lossy, \(\varepsilon _{zk}\)-perfect \(\mathsf {na}\text {-}\mathsf {HVZK}\), has \(\alpha \) bits of entropy and is \(\varepsilon _{ls}\)-lossy sound and the signature scheme \(\mathsf {SIG}\) obtained by applying the Fiat-Shamir transform to the identification scheme \(\mathsf {ID}\), as in Fig. 1.

For any quantum adversary A against \(\mathsf {UF}\text {-}\mathsf {CMA}_1\) security that issues at most \(Q_H\) quantum queries to the random oracle and \(Q_S\) classical signing queries, there exists a quantum adversary B against \(\mathsf {ID}\) such that

$$\begin{aligned} \mathrm {Adv}_{\mathsf {SIG}}^{\mathsf {UF}\text {-}\mathsf {CMA}_1}(A)\le \mathrm {Adv}_{\mathsf {ID}}^{loss}(B)+8(Q_H+1)^2\cdot \varepsilon _{ls}+k_mQ_S\cdot \varepsilon _{zk}+2^{-\alpha +1}. \end{aligned}$$

and Time(B)=Time(A) + \(k_mQ_H\).

Moreover, if we de-randomize the signature scheme in Fig. 1 by using a pseudo-random function \(\mathsf {PRF}\), then for any quantum adversary A against \(\mathsf {UF}\text {-}\mathsf {CMA}\) security that issues at most \(Q_H\) quantum queries to the random oracle and \(Q_S\) classical signing queries, there exists a quantum adversary B against \(\mathsf {ID}\) and a quantum adversary C against the \(\mathsf {PRF}\) such that

$$\begin{aligned} \mathrm {Adv}_{\mathsf {DSIG}}^{\mathsf {UF}\text {-}\mathsf {CMA}}(A)\le \mathrm {Adv}_{\mathsf {ID}}^{loss}(B)+8(Q_H+1)^2\cdot \varepsilon _{ls}+k_mQ_S\cdot \varepsilon _{zk}+2^{-\alpha +1}+\mathrm {Adv}_{\mathsf {PRF}}^{\mathsf {PR}}(C). \end{aligned}$$

The de-randomized version of the signature scheme \(\mathsf {DSIG}:=(\mathsf {IGen}, \mathsf {DS}, \mathsf {\overline{V}})\) obtained from Fiat-Shamir transformation is given in Fig. 2. Here, the \(\mathsf {PRF}\) key K is also a part of the secret key in the signature scheme.

Fig. 2. The de-randomized signature \(\mathsf {DSIG}\) obtained via Fiat-Shamir transform

3 Hardness of Middle-Product LWE with Small Secrets

As mentioned earlier, a main obstacle towards building a signature scheme directly from \(\mathsf {MPLWE}\) with the Fiat-Shamir with aborts methodology is the need for small secrets. In this section, we show that \(\mathsf {MPLWE}\) remains at least as hard as \(\mathsf {PLWE}\) for numerous parametrizing polynomials f, when the secret s is sampled from a specific distribution \(\chi _s\) that produces small secrets with overwhelming probability.

Let \(q\ge 2\), \(n\ge d> 0\), \(T>0\) and \(k:=n+d-1\). By \(J_i\in \mathbb {Z}^{i \times i}\) we denote the matrix with 1’s on the anti-diagonal and 0’s everywhere else. Let \(\mathcal {E}(T,d,n)\) denote the set of all monic polynomials \(f(x)\in \mathbb {Z}[x]\) with constant coefficient coprime to q, degree \(m \in [d,n]\), and \(\sigma _m(M_f)\ge T\).

Theorem 2

For any polynomial \(f\in \mathcal {E}(T,d,n)\) and \(1\ge \alpha \ge \frac{2\sqrt{n}}{q T}\), there is a \(\mathrm {ppt}\) reduction from \(\mathsf {PLWE}^{(f)}_{q,D_{\mathbb {Z}^m,\alpha q},D_{\mathbb {Z}^m,\alpha q}}\) to \(\mathsf {MPLWE}_{q,n,d,D_{\mathbb {Z}^d,\alpha '' q}, D_{\mathbb {Z}^k,\alpha ' q}}\), where \(\alpha '=\alpha n\sqrt{2n}\cdot \mathrm {EF}(f)^2\) and \(\alpha ''=\alpha \sqrt{2d}\cdot \mathrm {EF}(f)\).

Proof

We first reduce \(\mathsf {PLWE}^{(f)}\) to a variant of \(\mathsf {MPLWE}\) where the dependence on f lies both in the secret and error distributions. Using the same idea as in [RSSS17, Le. 3.7], except that we no longer rerandomize the secret to make it uniform, there is a \(\mathrm {ppt}\) reduction from \(\mathsf {PLWE}_{q,\chi _e,\chi _s}^{(f)}\) to \(\mathsf {MPLWE}_{q,n,d,\chi _e',\chi _s'}\) where \(\chi _e' = J_{d} \cdot M^{d}_f \cdot \chi _e\) and \(\chi _s' = J_{n+d-1} \cdot \mathsf {Rot}_f^{d+n-1}(1) \cdot M_f \cdot \chi _s\). We now introduce the following notation: \(B_s:=J_{k}\cdot \mathsf {Rot}^{k}_f(1)\cdot M_f\cdot \alpha q\mathbf{I} _m\) and \(B_e:=J_d\cdot M_f^d\cdot \alpha q\mathbf{I} _m\), and \(\varSigma _s:=B_s \cdot B_s^{t}\in \mathbb {R}^{k \times k}\) and \(\varSigma _e:=B_e\cdot B_e^t\in \mathbb {R}^{d \times d}\). This means that there is a \(\mathrm {ppt}\) reduction from \(\mathsf {PLWE}^{(f)}_{q,D_{\mathbb {Z}^m,\alpha q},D_{\mathbb {Z}^m,\alpha q}}\) to \(\mathsf {MPLWE}_{q,n,d,D_{\mathbb {Z}^d,\varSigma _e},D_{\mathbb {Z}^k,\varSigma _s}}\). We now have, using Lemma 1, that

$$\begin{aligned} \Vert \varSigma _s\Vert&\le (\alpha q)^2 \cdot \Vert \mathsf {Rot}^{d+n-1}_f(1)\Vert ^2\cdot \Vert M_f\Vert ^2\\&\le (\alpha q)^2 \cdot \left( m+(d+n-1-m)\cdot m \cdot \mathrm {EF}(f)^2\right) m \cdot \mathrm {EF}(f)^2 \\&\le (\alpha q)^2\cdot (n+(n-1)\cdot n\cdot \mathrm {EF}(f)^2)n\cdot \mathrm {EF}(f)^2\\ {}&\le (\alpha q)^2\cdot n^3\cdot \mathrm {EF}(f)^4 <(\alpha 'q)^2 \end{aligned}$$

and

$$\begin{aligned} \Vert \varSigma _e\Vert&\le (\alpha q)^2 \cdot \Vert M^d_f\Vert ^2 \le d\cdot (\alpha q\cdot \mathrm {EF}(f))^2 <(\alpha ''q)^2. \end{aligned}$$

Since \(\Vert \varSigma _s\Vert < (\alpha 'q)^2\) and \(\Vert \varSigma _e\Vert < (\alpha ''q)^2\), there exist two symmetric positive definite matrices \(\varSigma _s'\) and \(\varSigma _e'\) such that \(\varSigma _s+\varSigma _s'=(\alpha 'q)^2\mathbf{I} _{k}\) and \(\varSigma _e+\varSigma _e'=(\alpha ''q)^2\mathbf{I} _d\). We now replace the rerandomization to uniform of the reduction of [RSSS17, Le. 3.7] by a rerandomization to a Gaussian distribution. We first sample \(t \leftarrow D_{\mathbb {Z}^k,\varSigma _s'}\). For any \(\mathsf {MPLWE}_{q,n,d,D_{\mathbb {Z}^d,\varSigma _e},D_{\mathbb {Z}^k, \varSigma _s}}\) sample \((a_i,b_i)\), we sample \(e'_i \leftarrow D_{\mathbb {Z}^d,\varSigma _e'}\) and output \((a'_i,b'_i)=(a_i,b_i+a_i \odot _{d} t+e'_i)\). If \((a_i,b_i)\) is uniform, so is \((a'_i,b'_i)\). If \(b_i=a_i \odot _{d} s+e_i\), then

$$\begin{aligned} b'_i=a_i \odot _{d} s+e_i+a_i \odot _{d} t+e'_i=a_i \odot _{d} (s+t)+(e_i+e'_i). \end{aligned}$$

The matrices \(\varSigma _s\), \(\varSigma _s'\), \(\varSigma _e\) and \(\varSigma _e'\) are all symmetric, so they are in particular orthogonally diagonalizable. Moreover, since \(\varSigma _s\) and \(\varSigma _s'\) (resp. \(\varSigma _e\) and \(\varSigma _e'\)) commute, it means that \(\varSigma _s\) and \(\varSigma _s'\) (resp. \(\varSigma _e\) and \(\varSigma _e'\)) are simultaneously diagonalizable. We can hence write \(\varSigma _s=UD_sU^{t}\) and \(\varSigma _s'=UD_s'U^{t}\) for two diagonal matrices \(D_s\) and \(D_s'\) such that \((\alpha 'q)^2\mathbf{I} _k=D_s+D_s'\) and an orthogonal matrix \(U\in \mathbb {R}^{k\times k}\). Similarly, we can write \(\varSigma _e=VD_eV^t\) and \(\varSigma _e'=VD_e'V^t\), where \(D_e\) and \(D_e'\) are diagonal, \(D_e+D_e'=(\alpha ''q)^2\mathbf{I} _d\) and \(V\in \mathbb {R}^{d\times d}\) is orthogonal. Since the smoothing parameter is invariant to rotations, we can write

$$\begin{aligned} \eta _{2^{-k}}(\sqrt{\varSigma _s^{-1}+\varSigma _s'^{-1}}\cdot \mathbb {Z}^k)&=\eta _{2^{-k}}(\sqrt{U(D_s^{-1}+D_s'^{-1})U^t}\cdot \mathbb {Z}^k)\\&=\eta _{2^{-k}}(U\sqrt{D_s^{-1}+D_s'^{-1}}\cdot \mathbb {Z}^k)\\&=\eta _{2^{-k}}(\sqrt{D_s^{-1}+D_s'^{-1}}\cdot \mathbb {Z}^k). \end{aligned}$$

Using Lemma 4, we have that

$$\begin{aligned} \eta _{2^{-k}}(\sqrt{D_s^{-1}+D_s'^{-1}}\cdot \mathbb {Z}^k)\le \max _{i}\sqrt{1/\sigma _i(\varSigma _s)+1/((\alpha 'q)^2-\sigma _i(\varSigma _s))}\cdot \sqrt{k+1}. \end{aligned}$$

We showed that \(\sigma _1(\varSigma _s)\le (\alpha q)^2\sigma _1(M_f)^2\sigma _1(\mathsf {Rot}_f^{d+n-1}(1))^2\le (\alpha 'q)^2/2\), which means that \((\alpha 'q)^2-\sigma _i(\varSigma _s)\ge \sigma _i(\varSigma _s)\) for any \(i\le k\) and thus \(1/\sigma _i(\varSigma _s)+1/((\alpha 'q)^2-\sigma _i(\varSigma _s))\le 2/\sigma _i(\varSigma _s)\le 2/\sigma _k(\varSigma _s)\) for any \(i \le k\).

Using the bound on the smallest singular value of \(M_f\), we now get that \(\sigma _k(\varSigma _s)\ge (\alpha q)^2\sigma _m(M_f)^2\sigma _{m}(\mathsf {Rot}_f^{n+d-1}(1))^2\ge (\alpha q)^2\cdot T^2\), which guarantees that

$$\begin{aligned} \eta _{2^{-k}}(\sqrt{D_s^{-1}+D_s'^{-1}}\cdot \mathbb {Z}^k)\le \sqrt{\frac{2}{(\alpha q)^2\cdot T^2}}\cdot \sqrt{k+1}\le 1 \end{aligned}$$

for \(\alpha \ge \frac{2\sqrt{n}}{q\cdot T}\). As a consequence, using Lemma 5, the statistical distance between the distribution of \(s+t\) and \(D_{\mathbb {Z}^k,\alpha 'q}\) is \(< 4 \cdot 2^{-d} = 4 \varepsilon \), where \(\varepsilon := 2^{-d}\), as \(k > d\).

Similarly, we have \(\eta _{2^{-d}}(\sqrt{\varSigma _e^{-1}+\varSigma _e'^{-1}}\cdot \mathbb {Z}^d)\le 1\) and the statistical distance between the distribution of \(e_i+e_i'\) and \(D_{\mathbb {Z}^d,\alpha ''q}\) is also \(\le 4\varepsilon \). This completes the proof.    \(\square \)

We notice that, in contrast with the reduction from [RSSS17], the above reduction requires a lower bound on the noise parameter \(\alpha \), which is used in order to approximate the distribution of the sum of two discrete Gaussian random variables as in Lemma 5. The following result provides a concrete exponentially large family of polynomials f for which we manage to bound from below the smallest singular value of the matrix \(M_f\).

Lemma 8

Let \(f = x^m + P(x)\in \mathbb {Z}[x]\) with \(m \ge 2\) and \(\deg (P) \le m/2\). Then \(\sigma _m(M_f)\ge \frac{1}{2\,+\,\sqrt{m} \cdot \mathrm {EF}(f)}\).

Proof

By reordering the rows of \(M_f\), the singular values stay the same and we can view \(M_f\) as a block of four matrices \(D_1\in \mathbb {Z}^{\lfloor {m/2}\rfloor \times \lfloor {m/2}\rfloor }\), \(D_2\in \mathbb {Z}^{\lceil {m/2}\rceil \times \lceil {m/2}\rceil }\), \(\mathbf {0}\in \mathbb {Z}^{\lceil {m/2}\rceil \times \lfloor {m/2}\rfloor }\) and \(T\in \mathbb {Z}^{\lfloor {m/2}\rfloor \times \lceil {m/2}\rceil }\) in the following way:

The matrices \(D_1\) and \(D_2\) are diagonal, \(\mathbf {0}\) is the all-0 matrix and T is an upper triangular matrix. We now use the definition \(\sigma _m(M_f)=\min (\Vert M_f\cdot y\Vert _2 : y\in \mathbb {R}^m, \Vert y\Vert _2=1)\). Let \(y\in \mathbb {R}^m\) such that \(\sigma _m(M_f)=\Vert M_f\cdot y\Vert _2\) and \(\Vert y\Vert _2=1\). The vector y can be written as \(y=(y_0^t | y_1^t)^t\), with \(y_0\in \mathbb {R}^{\lfloor {m/2}\rfloor }\) and \(y_1\in \mathbb {R}^{\lceil {m/2}\rceil }\). On the one hand, we have:

$$\begin{aligned} \Vert M_f\cdot y\Vert _2 \ge \Vert D_1\cdot y_0+T \cdot y_1\Vert _2\ge & {} \Vert D_1\cdot y_0\Vert _2 -\Vert T\cdot y_1\Vert _2 \\\ge & {} \Vert y_0\Vert _2-\Vert T\Vert \cdot \Vert y_1\Vert _2\\\ge & {} \Vert y\Vert _2 - \Vert y_1\Vert _2 -\Vert M_f\Vert \cdot \Vert y_1\Vert _2 \\\ge & {} 1 - (1+\sqrt{m} \cdot \mathrm {EF}(f)) \cdot \Vert y_1\Vert _2, \end{aligned}$$

where the last inequality is by Lemma 1. On the other hand, we also have

$$\begin{aligned} \Vert M_f\cdot y\Vert _2\ge \Vert D_2\cdot y_1\Vert _2 \ge \Vert y_1\Vert _2. \end{aligned}$$

This provides the bound

$$\begin{aligned} \sigma _m(M_f)\ge \max \left( 1 - (1+\sqrt{m} \cdot \mathrm {EF}(f)) \cdot \Vert y_1\Vert _2,\Vert y_1\Vert _2 \right) \ge \frac{1}{2+\sqrt{m} \cdot \mathrm {EF}(f)}. \end{aligned}$$

   \(\square \)

An elementary computation shows that for any polynomial as in the above Lemma 8, we have \(\mathrm {EF}(f)\le \frac{3}{4} m^2 \Vert P\Vert _\infty ^2\) (see also [LM06, Se. 3.1] for a similar but more general statement). This implies the following corollary of Theorem 2.

Corollary 1

Fix \(S>0\). For any degree \(m\ge 2\) polynomial \(f = x^m + P(x)\in \mathbb {Z}[x]\) with constant coefficient coprime with q such that \(\deg (P) \le m/2\) and \(\Vert P\Vert _\infty ^2\le 4S/3\) and any \(1\ge \alpha \ge 2\sqrt{n}\cdot (2+\sqrt{n}S)/q\) there is a \(\mathrm {ppt}\) reduction from \(\mathsf {PLWE}^{(f)}_{q,D_{\mathbb {Z}^m,\alpha q},D_{\mathbb {Z}^m,\alpha q}}\) to \(\mathsf {MPLWE}_{q,n,d,D_{\mathbb {Z}^d,\alpha '' q}, D_{\mathbb {Z}^k,\alpha ' q}}\), where \(\alpha '=\alpha n\sqrt{2n}\cdot S^2\) and \(\alpha ''=\alpha \sqrt{2d}\cdot S\).

4 An Attack on Inhomogeneous \(\mathsf {PSIS}^\emptyset \) with Small Secrets

In contrast to our hardness result for \(\mathsf {MPLWE}\) with small secret coordinates shown in the previous section, here we show a simple efficient attack on the Inhomogeneous \(\mathsf {PSIS}^\emptyset \) problem from [Lyu16] with sufficiently small secret coordinates (such that it has a unique solution). Our algorithm gives a key recovery attack against a small secret variant of the signature scheme of [Lyu16], and shows that a lower bound on the size of the secret key coordinates similar to that in the security proof of [Lyu16] is necessary for the security of that signature scheme. \(\mathsf {MPSign}\) achieves lower signature size than [Lyu16], by using small secret coordinates. The attack presented below shows that a similar improvement in signature size cannot be securely achieved in [Lyu16], stressing an \(\mathsf {MPSign}\) advantage over the approach of [Lyu16].

We recall the definition of the Inhomogeneous \(\mathsf {PSIS}^\emptyset \) problem (which we denote by I-\(\mathsf {PSIS}^{\emptyset }\)) from [Lyu16]. The hardness of that problem underlies the security of the key generation algorithm in the signature scheme of [Lyu16]. We note that our definition below is the ‘exact’ case of the ‘approximate’ definition in [Lyu16] (with the parameters of [Lyu16, Def. 3.3] set as \(c=1\), \(s=\beta \) and \(d_1=d_2=d\)). This restriction makes our attack even stronger since a solution to the exact problem is also a solution to the ‘approximate’ problem.

Definition 13

(I-\(\mathsf {PSIS}^{\emptyset }\)). Let \(n,d>0\). An instance of the I-\(\mathsf {PSIS}^{\emptyset }_{q,n,d,k,\beta }\) problem consists of \((a_1,\ldots ,a_k, t)\), where \(a_i\) is sampled uniformly from \(\mathbb {Z}_q^{<n}[x]\) for \(i=1,\ldots ,k\), and \(t = \sum ^k_{i=1} a_i \cdot s_i \in \mathbb {Z}_q^{<n+d-1}[x]\), where \(s_i\) is sampled from \([-\beta ,\beta ]^{<d}[x]\) for \(i=1,\ldots ,k\). A solution to the problem is k elements \((s'_1,\ldots ,s'_k)\) with \(s'_i \in [-\beta ,\beta ]^{<d}[x]\) for \(i=1,\ldots ,k\) such that

$$\begin{aligned} \sum ^k_{i=1} a_i \cdot s'_i = t. \end{aligned}$$

Note that the public key of the signature scheme of [Lyu16] consists of an instance of I-\(\mathsf {PSIS}^{\emptyset }\), and a solution is a valid secret key.

Our attack on I-\(\mathsf {PSIS}^{\emptyset }\) works in the case where \(s_1,\ldots ,s_k\) is the unique solution, and consists of a simple greedy algorithm that exploits the zero triangles in the Toeplitz matrices associated with the polynomials \(a_i\), to reduce the problem to a sequence of k-dimensional knapsack subproblems: for each \(r < d\), we recover the k-tuple of coefficients of \(x^r\) in the polynomials \(s_i(x)\) for \(i=1,\ldots ,k\). When k is small (as is the case for efficient parameter sets), the attack is efficient.

In more detail, let \(t(x) = \sum ^k_{i=1} a_i (x)\cdot s_i(x) \in \mathbb {Z}_q^{<n+d-1}[x]\) be the target polynomial in an instance of I-\(\mathsf {PSIS}^{\emptyset }\). We denote by \(t_r\), \(a_{i,r}\) and \(s_{i,r}\) the coefficient of \(x^r\) in the polynomials \(t(x), a_i(x), s_i(x)\), respectively. We observe that for any \(r = 0,\ldots , d-1\), the coefficient \(t_r\) depends only on the coefficients of \(x^j\) for \(j \le r\) of the \(s_i\)’s, namely we have

$$\begin{aligned} t_r = \sum ^k_{i=1} \sum ^r_{j=0} a_{i,j} \cdot s_{i,r-j} = \sum ^k_{i=1} a_{i,0} \cdot s_{i,r} + \sum ^k_{i=1} \sum ^r_{j=1} a_{i,j} \cdot s_{i,r-j}. \end{aligned}$$
(1)

Given an instance \((a_1,\ldots ,a_k, t)\) of the I-\(\mathsf {PSIS}^{\emptyset }_{q,n,d,k,\beta }\) problem, our algorithm works as follows:

1. For \(r=0,\ldots ,d-1\):

   (a) Find some vector \(s'_{*,r} :=(s'_{1,r},\ldots ,s'_{k,r}) \in [-\beta ,\beta ]^k\) such that

   $$\begin{aligned} t_r = \sum ^k_{i=1} a_{i,0} \cdot s'_{i,r} + \sum ^k_{i=1} \sum ^r_{j=1} a_{i,j} \cdot s'_{i,r-j}. \end{aligned}$$
   (2)

   (b) If no such vector \(s'_{*,r}\) exists, return \(\bot \).

2. Return \((s'_1,\ldots , s'_k)\), where \(s'_i = \sum ^{d-1}_{j=0} s'_{i,j} x^j\) for \(i=1,\ldots ,k\).

Lemma 9

Suppose q is prime. With probability \(\ge 1-(4\beta +1)^k/q\) over the choice of \(a_1,\ldots ,a_k\), the solution \((s'_1,\ldots ,s'_k)=(s_1,\ldots ,s_k)\) to the I-\(\mathsf {PSIS}^{\emptyset }_{q,n,d,k,\beta }\) problem is unique, and the above algorithm returns this solution in time \((2\beta +1)^k \cdot \mathsf {poly}(n,d,\log q)\).

Proof

It follows from (1) that the solution \((s'_1,\ldots ,s'_k)=(s_1,\ldots ,s_k)\) satisfies (2) for each r and hence can be output by the algorithm. Now suppose, towards a contradiction, that the algorithm outputs \(\bot \) or a different solution \((s'_1,\ldots ,s'_k) \ne (s_1,\ldots ,s_k)\). Then let \(r^* \ge 0\) denote the least iteration r of the algorithm where the solution \(s'_{*,r^*} :=(s'_{1,r^*},\ldots ,s'_{k,r^*})\) to (2) for \(r=r^*\) is not equal to \(s_{*,r^*} :=(s_{1,r^*},\ldots ,s_{k,r^*})\). Since all earlier coefficients agree, i.e., \(s'_{i,j} = s_{i,j}\) for \(j < r^*\), we have from (2)

$$\begin{aligned} t_{r^*} = \sum ^k_{i=1} a_{i,0} \cdot s'_{i,r^*} + \sum ^k_{i=1} \sum ^{r^*}_{j=1} a_{i,j} \cdot s_{i,r^*-j} = \sum ^k_{i=1} a_{i,0} \cdot s_{i,r^*} + \sum ^k_{i=1} \sum ^{r^*}_{j=1} a_{i,j} \cdot s_{i,r^*-j}, \end{aligned}$$

and hence

$$\begin{aligned} \sum ^k_{i=1} a_{i,0} \cdot (s_{i,r^*} - s'_{i,r^*}) = 0. \end{aligned}$$

As a consequence, the vector \(v^* :=(s_{1,r^*}-s'_{1,r^*},\ldots ,s_{k,r^*}-s'_{k,r^*}) \ne 0\) satisfies \(\sum ^k_{i=1} a_{i,0} v^*_{i} = 0\), and \(v^* \in [-2\beta ,2\beta ]^k\). We claim that such a non-zero vector \(v^*\) exists with probability at most \((4\beta +1)^k/q\) over the uniform choice of the \(a_{i,0}\)’s. Indeed, since q is prime, the probability that a fixed non-zero vector \(v \in [-2\beta ,2\beta ]^k\) satisfies \(\sum ^k_{i=1} a_{i,0} v_{i} = 0\) is 1/q. A union bound over all \(\le (4\beta \,+\,1)^k\) non-zero vectors in \([-2\beta ,2\beta ]^k\) provides the claim. Therefore, the algorithm outputs the unique solution \((s'_1,\ldots ,s'_k)=(s_1,\ldots ,s_k)\) with probability at least \(1-(4\beta +1)^k/q\). The run-time follows since Step 1(a) in the algorithm can be implemented by an exhaustive search through all \((2\beta +1)^k\) possible values for \(s'_{*,r}\).    \(\square \)

We observe that the run-time can be reduced to \(2^{O(k)} \cdot \mathsf {poly}(n,d,\log q)\) using a lattice closest vector algorithm to solve the k-dimensional knapsack problems.

By Lemma 9, our algorithm for I-\(\mathsf {PSIS}^{\emptyset }_{q,n,d,k,\beta }\) succeeds with high probability when \(\beta \) is at least slightly smaller than \(q^{1/k}/4\), and runs in polynomial time when \(k=O(1)\), even for very high degrees n and d. In comparison, the hardness reduction for I-\(\mathsf {PSIS}^{\emptyset }_{q,n,d,k,\beta }\) in [Lyu16, Le. 3.4] requires the lower bound \(\beta > 2^{\lambda /(kd)-1} \cdot q^{1/k \cdot (1+n/d)}\) (where \(\lambda \) denotes the security parameter and is such that the success probability of the I-\(\mathsf {PSIS}^{\emptyset }\) attacker handled by the reduction is \({>}2^{-\lambda }\)). Our attack gives an efficient key recovery attack against the signature scheme of [Lyu16] with small secrets \(\beta \). For instance, the recommended parameters of the latter scheme have \(k=6\) and \(q \approx 2^{30}\) and \(\beta \approx 2^{11.5}\), but \(\beta < 2^3\) will suffice for our attack to succeed. Moreover, heuristically, we expect that our algorithm will succeed with even larger \(\beta \) corresponding to a unique solution. The run-time is likely in practice to be in the order of minutes on a typical laptop, using LLL lattice reduction for solving the 6-dimensional knapsack instances; even a brute-force search of each knapsack instance would take in the order of only \((2\beta )^{k} < 2^{30}\) arithmetic operations. For the above parameters, our LLL-based implementation solved 7 out of 10 (resp. 2 out of 10) instances with \(\beta =7\) (resp. \(\beta =8\)), taking about 3 min on a 3.1 GHz Intel Core i5 CPU.
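The following Python code is an added example and is not the LLL-based implementation whose timings are reported above. It builds a constructed I-\(\mathsf {PSIS}^{\emptyset }\) instance (uniform \(a_i\); uniform small \(s_i\), which is an assumption on the secret distribution consistent with the exact variant of Definition 13), runs Steps 1 and 2 of the algorithm with the exhaustive \((2\beta +1)^k\) knapsack search from the run-time argument of Lemma 9 instead of a lattice solver, and checks the output against Definition 13. The function names, the demo parameters (\(q=2^{31}-1\), \(k=3\), \(\beta =2\)) and the hand-checked toy instance in the usage note are constructed for this example, not taken from the paper.

```python
"""Greedy attack on small-secret I-PSIS^{emptyset} (Sect. 4); added example, not the paper's implementation."""
import itertools
import random

def poly_mul_mod(a, b, q):
    """Product of two coefficient lists (lowest degree first) with coefficients reduced mod q."""
    res = [0] * (len(a) + len(b) - 1)
    for i, ai in enumerate(a):
        for j, bj in enumerate(b):
            res[i + j] = (res[i + j] + ai * bj) % q
    return res

def gen_instance(q, n, d, k, beta, rng):
    """Constructed instance of Definition 13: a_i uniform in Z_q^{<n}[x] and, as an assumption on the
    secret distribution, s_i uniform in [-beta, beta]^{<d}[x]; returns (a, s, t) with t = sum a_i s_i."""
    a = [[rng.randrange(q) for _ in range(n)] for _ in range(k)]
    s = [[rng.randint(-beta, beta) for _ in range(d)] for _ in range(k)]
    t = [0] * (n + d - 1)
    for ai, si in zip(a, s):
        for idx, coef in enumerate(poly_mul_mod(ai, si, q)):
            t[idx] = (t[idx] + coef) % q
    return a, s, t

def solve_knapsack(a0, target, q, beta):
    """Step 1(a) by exhaustive search over the (2*beta+1)^k vectors v in [-beta, beta]^k with
    sum_i a_{i,0} v_i = target (mod q); an LLL/CVP solver would replace this loop for larger k."""
    for v in itertools.product(range(-beta, beta + 1), repeat=len(a0)):
        if sum(ai * vi for ai, vi in zip(a0, v)) % q == target:
            return list(v)
    return None

def attack(a, t, q, d, beta):
    """Recover s'_1, ..., s'_k coefficient by coefficient via Eq. (2); None plays the role of bot.
    Assumes n >= d so that a_{i,j} exists for every j <= r < d."""
    k = len(a)
    s_prime = [[0] * d for _ in range(k)]
    a0 = [a[i][0] for i in range(k)]
    for r in range(d):
        # sum_i sum_{j=1}^{r} a_{i,j} s'_{i,r-j}: fixed by the rounds r' < r already solved
        known = sum(a[i][j] * s_prime[i][r - j] for i in range(k) for j in range(1, r + 1))
        v = solve_knapsack(a0, (t[r] - known) % q, q, beta)
        if v is None:
            return None
        for i in range(k):
            s_prime[i][r] = v[i]
    return s_prime

def is_solution(a, s_prime, t, q, beta):
    """Definition 13 check: each s'_i in [-beta, beta]^{<d}[x] and sum_i a_i s'_i = t on all n+d-1 coefficients."""
    if s_prime is None or any(abs(x) > beta for si in s_prime for x in si):
        return False
    acc = [0] * len(t)
    for ai, si in zip(a, s_prime):
        for idx, coef in enumerate(poly_mul_mod(ai, si, q)):
            acc[idx] = (acc[idx] + coef) % q
    return acc == [x % q for x in t]

def uniqueness_failure_bound(q, k, beta):
    """Lemma 9: the solution fails to be unique with probability at most (4*beta+1)^k / q."""
    return (4 * beta + 1) ** k / q

def run_demo(seed: int = 2020):
    """Plant a secret, run the attack and report (recovered == planted, recovered is a valid solution)."""
    rng = random.Random(seed)
    q, n, d, k, beta = 2147483647, 12, 6, 3, 2   # q = 2^31 - 1 is prime; bound (4*beta+1)^k/q is about 3e-7
    a, s, t = gen_instance(q, n, d, k, beta, rng)
    rec = attack(a, t, q, d, beta)
    return rec == s, is_solution(a, rec, t, q, beta)
```

A toy instance can be followed by hand: with \(q=101\), \(k=1\), \(a_1 = 3+5x\) and \(s_1 = 1-x\), the target is \(t = 3 + 2x + 96x^2\); round \(r=0\) solves \(3 s'_{1,0} \equiv 3\), round \(r=1\) subtracts the already-known \(5\cdot s'_{1,0}\) and solves \(3 s'_{1,1} \equiv 98\), so `attack([[3, 5]], [3, 2, 96], 101, 2, 1)` returns `[[1, -1]]`. Note that the greedy rounds only match the coefficients of \(x^0,\ldots ,x^{d-1}\); the remaining coefficients of t are matched automatically only when the knapsack solutions are unique, which is exactly the event Lemma 9 bounds, so `is_solution` re-checks the full product.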

5 A Signature Scheme Based on Small Secrets \(\mathsf {MPLWE}\)

In this section, we build an identification scheme based on the middle-product learning with errors with small secrets assumption. Then, we show that Theorem 1 is applicable to our construction by checking all the theorem assumptions, as in [KLS18]. As a consequence, by the Fiat-Shamir transformation, we obtain a digital signature scheme that is secure under the middle-product learning with errors with small secrets assumption in the quantum random oracle model.

5.1 The Identification Scheme

We first present in Fig. 3 an identification scheme which makes use of the middle-product of polynomials.

We use an extendable output function Sam, i.e., a function on bit strings in which the output can be extended to any required length. If we want the deterministic output y of Sam on input x to be uniformly distributed on the set S, we write .

The key generation starts by choosing a random string \(\rho \) and expanding it into a uniform polynomial \(a\in \mathbb {Z}_q^{<n}[x]\) using the function Sam. The public key consists of a sample \((a, b)\) drawn from the \(\mathsf {MP}_{q,n,d+k,\chi }(s)\) distribution, where the secret s and the error e follow discrete Gaussian distributions of parameters \(\alpha 'q\) and \(\alpha ''q\), respectively.

In the first step of the protocol, the prover chooses two polynomials \(y_1\) and \(y_2\) whose coefficients are bounded in absolute value by \(a'\), respectively \(a''\), and sends to the verifier the polynomial \(w=a\odot _d y_1+y_2\). The verifier chooses a random challenge from the challenge space

$$\begin{aligned} D_H:=\{c \in \{0,1,-1\}^{<k+1}[x] \, \text {with} \, \Vert c\Vert _1= \kappa \} \end{aligned}$$

and sends it back to the prover. The challenge space consists of polynomials of small norm, and the parameter \(\kappa \) is chosen such that the cardinality of the challenge space is large. The prover now applies rejection sampling in order to make sure that its answer does not leak information about the secret key. Concretely, the prover computes \(z_1=c \odot _{n+d-1} s+y_1\) and \(z_2=c \odot _{d} e+y_2\) and checks whether \(\Vert z_1\Vert _\infty \le A'\) and \(\Vert z_2\Vert _\infty \le A''\). If so, it sends its answer \((z_1,z_2)\) to the verifier. Otherwise, it aborts. We provide concrete parameters with which our scheme can be instantiated in practice in the next section.

Fig. 3. The identification scheme \((\mathsf {IGen},\mathsf {V},\mathsf {P}=(\mathsf {P}_1,\mathsf {P}_2))\)

Lemma 10

If \(A'+\Vert c\odot _{n+d-1}s\Vert _\infty \le a'\) and \(A''+\Vert c\odot _{d}e\Vert _\infty \le a''\), then the identification scheme is perfectly \(\mathsf {na}\text {-}\mathsf {HVZK}\), i.e., its transcripts are publicly simulatable and \(\varepsilon _{zk}=0\).

Proof

Figure 4 (left) shows how to generate a real transcript using the secret key \(\mathsf {sk}\), and Fig. 4 (right) shows how to simulate a transcript using only the public key \(\mathsf {pk}\). The identification scheme is perfectly \(\mathsf {na}\text {-}\mathsf {HVZK}\) if every pair of polynomials \((z_1,z_2)\in \mathbb {Z}_{\le A'}^{<n+d-1}[x]\times \mathbb {Z}_{\le A''}^{<d}[x]\) has the same probability to be generated in the \(\mathsf {Trans}\) algorithm as in the \(\mathsf {Sim}\) algorithm. This is indeed the case: our choice of parameters guarantees that \(z_1-c \odot _{n+d-1} s \in \mathbb {Z}_{\le a'}^{<n+d-1}[x]\) and \(z_2-c \odot _d e\in \mathbb {Z}_{\le a''}^{<d}[x]\) and moreover, for any secret key \((s, e)\) and any pair \((z_1,z_2)\), we have that

and

As a consequence, the probability of producing \(z_1\) and \(z_2\) in \(\mathsf {Trans}\) such that \(\Vert z_1\Vert _\infty \le A'\) and \(\Vert z_2\Vert _\infty \le A''\) and not returning \(\perp \) is \((\frac{2A'\,+\,1}{2a'\,+\,1})^{n+d-1}(\frac{2A''\,+\,1}{2a''\,+\,1})^{d}\), which means that the outputs of \(\mathsf {Trans}\) and \(\mathsf {Sim}\) have the same distribution.    \(\square \)

Fig. 4. The transcript \(\mathsf {Trans}\) and the simulation \(\mathsf {Sim}\) algorithms

Lemma 11

The scheme has correctness error \(\delta =1-(\frac{2A'\,+\,1}{2a'\,+\,1})^{n+d-1}(\frac{2A''\,+\,1}{2a''\,+\,1})^{d}\).

Proof

First, we show that the verification procedure always accepts an honest transcript if \((z_1,z_2)\ne \perp \). Assume that \((z_1,z_2)\ne \perp \). It means that \(\Vert z_1\Vert _\infty \le A'\) and \(\Vert z_2\Vert _\infty \le A''\). Now we prove that

$$\begin{aligned} a \odot _{d} z_1+z_2-c \odot _{d} b=a \odot _{d} y_1+y_2. \end{aligned}$$

Because of Lemma 3, we have that

$$\begin{aligned} a \odot _{d} z_1\,=\,&a \odot _{d}(c \odot _{n+d-1}s+y_1)\\ =\,&a \odot _{d}(c \odot _{n+d-1}s)+a \odot _{d} y_1\\ =\,&(a \cdot c) \odot _{d} s + a \odot _{d} y_1 \end{aligned}$$

and

$$\begin{aligned} c \odot _{d} b\,=\,&c \odot _{d}(a \odot _{d+k}s+e)\\ =\,&c \odot _{d}(a \odot _{d+k} s)+c \odot _{d} e\\ =\,&(c \cdot a) \odot _{d} s + c \odot _{d} e. \end{aligned}$$

Overall, we obtain:

$$\begin{aligned} \quad&a \odot _{d} z_1+z_2-c \odot _{d} b\\ {}&= ((a \cdot c) \odot _{d} s + a \odot _{d} y_1)+(c \odot _{d} e+y_2)-((c \cdot a) \odot _{d} s + c \odot _{d} e)\\&= a \odot _{d} y_1+y_2. \end{aligned}$$

Since \(\mathsf {Sim}\) outputs \(\perp \) with the same probability as \(\mathsf {Trans}\), we know that the probability to have \((z_1,z_2)=\perp \) is exactly \(\delta \).    \(\square \)

Lemma 12

The identification scheme \(\mathsf {ID}\) is lossy.

Proof

In the lossy key generation algorithm \(\mathsf {LossyIGen}\) (Fig. 5), we generate the public key (ab) uniformly. The public keys generated by \(\mathsf {IGen}\) and \(\mathsf {LossyIGen}\) are indistinguishable by the \(\mathsf {MPLWE}\) assumption. Indeed, for any quantum adversary A against \(\mathsf {ID}\), there exists an adversary B trying to distinguish \(\mathsf {MPLWE}\) samples from uniform ones such that the loss advantage \(\mathrm {Adv}_{\mathsf {ID}}^{loss}(A)\) is equal to the advantage of B.    \(\square \)

Lemma 13

The identification scheme \(\mathsf {ID}\) has \(d\cdot \log (2a''\,+\,1)\) bits of min-entropy.

Proof

Indeed, for every commitment \(\omega \), we have that:

$$\begin{aligned} \Pr _{a,y_1,y_2}(a\odot _d {y_1}+y_2=\omega )\le \max _{a,y_1}\Pr _{y_2}(y_2=\omega -a\odot _d {y_1}) \le \frac{1}{(2a''+1)^{d}}, \end{aligned}$$

where the first probability is taken over the uniform choice of \(a\in \mathbb {Z}_q^{<n}[x]\), \(y_1\in \mathbb {Z}^{< n+d-1}_{\le a'}[x]\) and \(y_2\in \mathbb {Z}^{< d}_{\le a''}[x]\). In the second one, the probability is taken over the uniform choice of \(y_2\in \mathbb {Z}^{< d}_{\le a''}[x]\) and the maximum is taken over all \(a\in \mathbb {Z}_q^{<n}[x]\) and \(y_1\in \mathbb {Z}^{< n+d-1}_{\le a'}[x]\).    \(\square \)

Lemma 14

The identification scheme \(\mathsf {ID}\) is \(\varepsilon _{ls}\)-lossy-sound, where

$$\begin{aligned} \varepsilon _{ls}\le \frac{1}{|D_H|}+(4 A'+1)^{n+d-1}\cdot (4 A''+1)^{d}\cdot |D_H|^2\cdot q^{-d}. \end{aligned}$$

Fig. 5. The \(\mathsf {LossyIGen}\) algorithm

Proof

We show that, relative to a lossy key \(\mathsf {pk}_{ls}\) generated by the \(\mathsf {LossyIGen}\) algorithm in Fig. 5, not even an unbounded quantum adversary can impersonate the prover. This reduces to the computation of the following probability taken over the uniform choice of \(a\in \mathbb {Z}^{<n}_q[x]\), \(b\in \mathbb {Z}^{<d+k}_q[x]\) and \(c\in D_H\):

$$\begin{aligned} P:=\Pr (\exists \text { } z_1\in \mathbb {Z}_{\le A'}^{<n+d-1}[x],z_2\in \mathbb {Z}_{\le A''}^{<d}[x]: a\odot _d z_1+z_2-c\odot _d b=w). \end{aligned}$$

Let S denote the set of pairs \((a, b)\) such that there exists at most one c for which there exist small \(z_1\), \(z_2\) such that \(a\odot _d z_1+z_2-c\odot _d b=w\). We can write \(P\le P_1+P_2\), where

$$\begin{aligned} P_1=\Pr ((a,b)\in S)\cdot \frac{1}{|D_H|}\le \frac{1}{|D_H|} \end{aligned}$$

and

$$\begin{aligned} P_2&\le \Pr ((a,b)\notin S)\cdot 1\\ {}&\le \Pr (\exists \text { } c\ne c',z_1,z_2,z_1',z_2': a\odot _d (z_1-z_1')+z_2-z_2'-(c-c')\odot _d b=0)\\ {}&=\Pr (\exists \text { } e_c\in D_H-D_H\setminus \{0\},e_1\in \mathbb {Z}^{<n+d-1}_{\le 2A'},e_2\in \mathbb {Z}^{<d}_{\le 2A''}: \\&a\odot _d e_1+e_2-e_c\odot _d b=0), \end{aligned}$$

where a and b are uniformly sampled in \(\mathbb {Z}^{<n}_q[x]\), respectively \(\mathbb {Z}^{<d+k}_q[x]\), \(c,c'\in D_H\), \(z_1,z_1'\in \mathbb {Z}_{\le A'}^{<n+d-1}[x]\), \(z_2,z_2'\in \mathbb {Z}_{\le A''}^{<d}[x]\), and \(D_H-D_H\) denotes the set \(\{d-d'\text { }|\text { }d,d'\in D_H\}\).

Let us fix \((e_c\ne 0, e_1,e_2)\). The rank of \(\mathsf {Toep}(e_c)\) is maximum for \(e_c\ne 0\), which means that the function \(b \mapsto e_c\odot _d b\) maps an element b from the uniform distribution on \(\mathbb {Z}_q^{<d+k}[x]\) to an element \(b'\) from the uniform distribution on \(\mathbb {Z}_q^{<d}[x]\). We can now write:

$$\begin{aligned} \Pr (a\odot _d e_1+e_2-e_c\odot _d b=0)=\Pr (b'=a\odot _d e_1+e_2)=q^{-d}, \end{aligned}$$

where the first probability is taken over the uniform choice of \(a\in \mathbb {Z}^{<n}_q[x]\) and \(b\in \mathbb {Z}^{<d+k}_q[x]\) and the second one is taken over the choice of \(a\in \mathbb {Z}^{<n}_q[x]\) and \(b'\in \mathbb {Z}^{<d}_q[x]\). We conclude that \(P_2\le (4 A'+1)^{n+d-1}\cdot (4 A''+1)^{d}\cdot |D_H|^2\cdot q^{-d}\).    \(\square \)

5.2 The Signature Scheme

In Fig. 6, we present our digital signature scheme which is obtained by the de-randomized Fiat-Shamir transform of the identification scheme \(\mathsf {ID}\). The correctness of the signature scheme follows (see [KLS18, p. 11]) from the correctness of the underlying identification scheme (Lemma 11). The scheme is \(\mathsf {UF}\text {-}\mathsf {CMA}\) secure in the quantum random oracle model, as discussed in Subsect. 2.4.

The signature scheme relies on a hash function \(H:\{{0,1}\}^* \rightarrow D_H\), which outputs elements with small norms and will be modelled by a random oracle in the security proof. We refer to [DDLL13] for an efficient method to construct such a hash function.

Fig. 6. The signature scheme

The key generation algorithm samples a using the extendable function Sam seeded with a 256-bit seed \(\rho \), and then two small secret polynomials s and e. It outputs \((b=a \odot _{d+k} s+e, \rho )\) as the verification key \(\mathsf {vk}\) and \((s,e,K, \rho )\) as the signing key \(\mathsf {sk}\), K being a random key for the pseudorandom function \(Sam(K\Vert \cdot )\) used in the signature algorithm.

To sign a message M, we first recompute a from \(\rho \) using Sam, generate deterministic masking polynomials \(y_1\) and \(y_2\) using Sam keyed with K, M and the repetition index i, and compute \(w=a \odot _{d} y_1+y_2\). Then we compute \(c:=H(w\Vert M)\), \(z_1=c \odot _{n+d-1} s+y_1\) and \(z_2=c \odot _{d} e+y_2\). A potential signature is now \((z_1,z_2,c)\). In order to make the signature pair \((z_1,z_2)\) independent of the signing key, we perform rejection sampling on potential signatures before outputting one. A potential signature \((z_1,z_2,c)\) is output if both \(\Vert z_1\Vert _\infty \le A'\) and \(\Vert z_2\Vert _\infty \le A''\); otherwise the repetition index i is incremented and a new candidate is computed.

To check whether \((z_1,z_2,c)\) is a valid signature for a message M, we first recompute a from \(\rho \) using Sam and \(w=a \odot _{d} z_1\,+\,z_2\,-\,c \odot _{d} b\), and we accept if \(\Vert z_1\Vert _\infty \le A'\), \(\Vert z_2\Vert _\infty \le A''\) and \(c = H(w\Vert M)\).
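As an added example, not code from the paper or from any submission package, the Python block below instantiates the flow of Figs. 3 and 6 end to end: the middle product \(\odot _d\) taken as the d middle coefficients of the full product, key generation, deterministic signing with rejection sampling, and verification through the identity of Lemma 11. It assumes SHAKE-256 as a stand-in for both Sam and the hash H onto \(D_H\), ternary secrets in place of the discrete Gaussian or centered binomial ones, and toy parameters (\(q=8380417\), \(n=32\), \(d=16\), \(k=16\), \(\kappa =8\), \(a'=a''=512\), \(A'=A''=504\)) chosen only so that the Lemma 10 condition \(A'+\kappa \le a'\) holds and the acceptance probability \((1009/1025)^{n+2d-1}\approx 0.37\) is close to the \(p=1/3\) of Sect. 6; they provide no security. All function and parameter names are this example's own.

```python
"""Toy MPSign-style signature (added example, not the paper's code); parameters are NOT secure."""
import hashlib
import random

Q = 8380417              # prime modulus (assumption; the verification identity holds for any prime q)
N, D, K = 32, 16, 16     # deg a < N, middle-product width D, challenge degree <= K (K must be even)
KAPPA = 8                # +-1 coefficients per challenge; |D_H| = C(K+1, KAPPA) * 2^KAPPA
A_MASK1 = A_MASK2 = 512  # a', a'': the masks y1, y2 are uniform in [-a', a'] resp. [-a'', a'']
B_ACC1 = B_ACC2 = 504    # A', A'': acceptance bounds, A' + KAPPA*||s||_inf <= a' as in Lemma 10

def poly_mul(a, b):
    """Schoolbook product over Z; coefficient lists, lowest degree first."""
    res = [0] * (len(a) + len(b) - 1)
    for i, ai in enumerate(a):
        for j, bj in enumerate(b):
            res[i + j] += ai * bj
    return res

def middle_product(a, b, d):
    """a (.)_d b of [RSSS17]: the d middle coefficients of a*b; the border must split evenly."""
    full = poly_mul(a, b)
    off, rem = divmod(len(full) - d, 2)
    assert rem == 0, "degree bounds must leave an even number of border coefficients"
    return full[off:off + d]

def add(u, v): return [x + y for x, y in zip(u, v)]
def sub(u, v): return [x - y for x, y in zip(u, v)]
def mod_q(u): return [x % Q for x in u]
def inf_norm(u): return max(abs(x) for x in u)

def xof_uniform(seed: bytes, count: int, m: int) -> list:
    """Sam stand-in (assumption: SHAKE-256): count integers in [0, m) from 64-bit chunks
    reduced mod m; the bias is below m / 2^64, negligible for m <= 2^23."""
    stream = hashlib.shake_256(seed).digest(8 * count)
    return [int.from_bytes(stream[8 * i:8 * i + 8], "big") % m for i in range(count)]

def small_poly(seed: bytes, length: int, bound: int) -> list:
    return [v - bound for v in xof_uniform(seed, length, 2 * bound + 1)]  # uniform in [-bound, bound]

def hash_to_challenge(w, msg: bytes) -> list:
    """H: {0,1}^* -> D_H, i.e. c in {-1,0,1}^{<K+1}[x] with ||c||_1 = KAPPA (assumption:
    SHAKE-256-driven position/sign picks stand in for the [DDLL13] construction)."""
    seed = b"".join((x % Q).to_bytes(4, "big") for x in w) + b"|" + msg
    c, filled = [0] * (K + 1), 0
    for v in xof_uniform(seed, 16 * KAPPA * (K + 1), 2 * (K + 1)):
        idx, sign = divmod(v, 2)            # idx in [0, K], sign in {0, 1}
        if c[idx] == 0:
            c[idx], filled = (1 if sign else -1), filled + 1
            if filled == KAPPA:
                return c
    raise RuntimeError("XOF budget exhausted; probability is negligible for these parameters")

def keygen(rng: random.Random):
    """vk = (rho, b), sk = (rho, b, s, e, K_prf); ternary s, e replace the paper's Gaussian/binomial secrets."""
    rho, kprf, seed_s, seed_e = (rng.getrandbits(256).to_bytes(32, "big") for _ in range(4))
    a = xof_uniform(rho, N, Q)
    s, e = small_poly(seed_s, N + D - 1, 1), small_poly(seed_e, D + K, 1)
    b = mod_q(add(middle_product(a, s, D + K), e))
    return (rho, b), (rho, b, s, e, kprf)

def sign(sk, msg: bytes, max_tries: int = 1000):
    """Deterministic Fiat-Shamir with aborts (Fig. 6): masks derived from Sam(K_prf || msg || i)."""
    rho, b, s, e, kprf = sk
    a = xof_uniform(rho, N, Q)
    for i in range(max_tries):
        tag = kprf + msg + i.to_bytes(4, "big")
        y1 = small_poly(b"y1" + tag, N + D - 1, A_MASK1)
        y2 = small_poly(b"y2" + tag, D, A_MASK2)
        w = mod_q(add(middle_product(a, y1, D), y2))
        c = hash_to_challenge(w, msg)
        z1 = add(middle_product(c, s, N + D - 1), y1)   # over Z, deliberately not reduced mod q
        z2 = add(middle_product(c, e, D), y2)
        if inf_norm(z1) <= B_ACC1 and inf_norm(z2) <= B_ACC2:   # rejection sampling step
            return z1, z2, c
    return None   # plays the role of bot: every candidate was rejected

def verify(vk, msg: bytes, sig) -> bool:
    """Recompute w = a (.)_d z1 + z2 - c (.)_d b (the Lemma 11 identity) and re-hash."""
    if sig is None:
        return False
    (rho, b), (z1, z2, c) = vk, sig
    if (len(z1), len(z2), len(c)) != (N + D - 1, D, K + 1) or inf_norm(z1) > B_ACC1 \
            or inf_norm(z2) > B_ACC2 or any(x not in (-1, 0, 1) for x in c) or sum(map(abs, c)) != KAPPA:
        return False
    a = xof_uniform(rho, N, Q)
    w = mod_q(sub(add(middle_product(a, z1, D), z2), middle_product(c, b, D)))
    return hash_to_challenge(w, msg) == c

def run_demo(seed: int = 7, msg: bytes = b"constructed test message"):
    """Key generation, signing and verification on a constructed message."""
    vk, sk = keygen(random.Random(seed))
    sig = sign(sk, msg)
    return vk, sk, sig, verify(vk, msg, sig)
```

Calling `run_demo()` returns the keys, the signature and the verdict of `verify`. Two points worth checking on the output are the ones the proofs rely on: \(\Vert c\odot _{n+d-1} s\Vert _\infty \le \kappa \) for ternary s (the premise of Lemma 10, which is why the acceptance bounds are set to \(a'-\kappa \)), and the associativity \(a\odot _d(c\odot _{n+d-1} s)=(a\cdot c)\odot _d s\) used in the proof of Lemma 11, which `middle_product` reproduces exactly because both sides select the same window of the full product \(a\cdot c\cdot s\). The length and norm checks in `verify` run before any hashing, so a signature with a coordinate above \(A'\) is rejected without recomputing w.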

6 Concrete Parameters

In this section we give sample parameters with which our digital signature scheme can be instantiated. The choice of parameters takes into account the correctness error probability, the security and the efficiency of our scheme.

The signing acceptance probability is set to \(p=1/3\) as in [Lyu16] for a fair comparison.

The security proof of the scheme from [Lyu16] uses the random oracle model, while the security of our scheme, which is based on Theorem 1, holds in the more powerful quantum random oracle model.

In terms of efficiency, we focus on minimizing the size of a signature. Our signature size is \((n+d-1)\left\lceil {\log (A')}\right\rceil +d\left\lceil {\log (A'')}\right\rceil +\kappa (\left\lceil {\log (k+1)}\right\rceil +1)\) bits. The optimal value of d/n for minimizing the signature length is close to 0.5. As d/n reduces below 0.5, the signature dimension drops. Due to the lossiness condition, d/n and \(\log {q}\) are inversely proportional, so we have to increase n to maintain security, which means that overall the signature length will increase. If d/n increases towards 1, \(\log q\) reduces but the signature dimension increases and we cannot reduce the signature length.

The size of our public key \((a,b)\) is \(256+(d+k)\lceil \log (q)\rceil \). Since for our lossiness property in the security proof we need a much larger q than the one used in [Lyu16], our public key becomes larger than the public key used in [Lyu16]. On the other hand, our scheme has significantly shorter signatures. Our savings in \(\mathsf {MPSign}\) signature length over the scheme in [Lyu16] arise largely from the smaller secret key coordinates in \(\mathsf {MPSign}\). As our attack of Sect. 4 shows, such savings are not possible in the scheme of [Lyu16] due to the insecurity of \(\mathsf {PSIS}^{\emptyset }\) with sufficiently small secret coordinates.

In order to set concrete parameters for our scheme achieving \(\lambda \) bits of security, we need to bound from above the advantage of any adversary trying to attack the \(\mathsf {UF}\text {-}\mathsf {CMA}\) security of \(\mathsf {MPSign}\) in the quantum random oracle model by \(2^{-\lambda }\). By Theorem 1 and Lemma 12, it is enough to bound \(\mathrm {Adv}\), \(\mathrm {Adv}_{\mathsf {PRF}}^{PR}(C)\) and \(2^{-d\log (2a'+1)+1}\) by \(2^{-\lambda }/5\) and \(8(Q_H+1)^2\cdot \varepsilon _{ls}\) by \(2^{-\lambda +1}/5\), where the notations are those from Sect. 5 and \(\mathrm {Adv}\) stands for the advantage of an adversary trying to solve the \(\mathsf {MPLWE}_{q,n,d+k,\chi _1,\chi _2}\) problem, where \(\chi _1\) and \(\chi _2\) are discrete Gaussians of parameters \(\alpha ''q\) and \(\alpha 'q\), respectively. As is standard in lattice-based cryptography, we further neglect the noise amplification in Theorem 2 and assume that the \(\mathsf {MPLWE}\) problem with very small secret (with \(\Vert s\Vert _\infty \approx 1\)) is concretely as hard as the \(\mathsf {PLWE}^{(f)}\) problem with very small secret. Indeed, there are no known attacks on the \(\mathsf {MPLWE}\) with small secrets problem that exploit the very small secret once generic algebraic attacks on LWE are protected against (see, e.g., [AG11, ACF+15a, ACF+15b]). Since the discrete Gaussian distributions of the error and secret have small standard deviation, we assume that we can safely replace them by a corresponding centered binomial distribution, as has been done in many practical lattice-based encryption schemes (see [ADPS16, SSZ19, BDK+19], among others).

We use [APS15] in order to estimate both the classical and quantum bit complexities of the primal attack against the \(\mathsf {PLWE}^{(f)}\) problem associated with a polynomial f of maximum degree n from the family. The cost models we choose are bkz.sieve for classical security and bkz.qsieve for quantum security.

We present in Table 1 a comparison between the efficiency of \(\mathsf {MPSign}\) and the scheme described in [Lyu16]. For the same Hermite factor \(\delta _0=1.005\) (driving the security level), by choosing \(n=2500\), \(d=1300\), \(k=512\) for our scheme, we manage to shorten the size of a signature by a factor of 2.1 and the size of the secret key by a factor of 11 at the cost of doubling the size of the public key.

Table 1. Efficiency of \(\mathsf {MPSign}\)

In the first column of Table 2, we provide concrete parameters for \(\mathsf {MPSign}\) that satisfy both classical and quantum level 1 NIST requirements. Concretely, they achieve \(\lambda \ge 143\) for classical adversaries and \(\lambda \ge 130\) for quantum adversaries. The second column contains parameters for \(\lambda =89\) bits of quantum security, corresponding to a Hermite factor \(\delta =1.005\).

Table 2. Sample parameters for \(\mathsf {MPSign}\)

7 Implementation

We implemented \(\mathsf {MPSign}\) in Sage (Python) as a proof-of-concept and the source code is publicly available (see footnote 1). For the experiments, we used a MacBook Pro with an Intel i7-8559U CPU at 2.7 GHz. Turbo-boost and hyperthreading were both disabled. For a fair comparison, we also implemented the scheme from [Lyu16]. Both implementations are expected to be slower than optimized implementations in a systems language (such as C). Nonetheless, since both implementations use the same Gaussian sampler, the same hash-to-challenge function, and the same polynomial multiplication algorithm, we believe that the comparison is relatively fair.

We instantiate \(\mathsf {MPSign}\) and the scheme from [Lyu16] with corresponding parameters achieving \(\delta =1.005\) (for \(\mathsf {MPSign}\) these parameters may be found in Table 2). In both benchmarks we iterated 1000 times, each time with a different seed and a different message to sign. The results of our comparison may be found in Table 3. The figures are average costs in milliseconds. Our scheme is almost twice as fast as the one from [Lyu16] in key generation and verification, and four times as fast in signing. This is mainly due to the fact that the scheme from [Lyu16] requires scalar multiplications over vectors of polynomials, while our scheme involves a single middle-product (over a somewhat longer polynomial).

Table 3. Performance comparison, in ms