Efficient post-quantum secure deterministic wallet scheme

Since the advent of Bitcoin, cryptocurrencies have gained substantial popularity, and crypto wallets have evolved into the predominant tool for safeguarding and managing cryptographic keys to access cryptocurrency funds. Deterministic wallets are proposed as an advanced wallet mechanism to provide benefits such as low-maintenance, easy backup and recovery, and support for functionalities required by cryptocurrencies. Alkeilani Alkadri et al. (ACM CCS’20) presented the first post-quantum secure deterministic wallet scheme, but it exhibits a gap to bridge before achieving practical applicability, as reflected in both their concrete parameters size and computational efficiency. In this paper, we propose an efficient post-quantum secure deterministic wallet scheme. In particular, we present a new construction method for deterministic wallets, prove the security in the quantum random oracle model, and provide an efficient instantiation. The comparison result, with the work of Alkeilani Alkadri et al. (ACM CCS’20), shows our work has a comprehensive improvement on efficiency, e.g., the pk size is ≈ 40.7 times shorter, sk is ≈ 9.2 times shorter, and the signing time is ≈ 3.1 times faster.


Introduction
Since the introduction of Bitcoin Nakamoto (2009), cryptocurrencies have developed tremendously as they provide a revolutionary payment paradigm.In most cryptocurrencies, balance updates are executed via transactions between coin-addresses, and digital signature (NIST 2021;Rivest et al. 1978) is employed to enable users to own and spend their coins.Specifically, each coin is assigned to a coin-address that technically is represented by a public key of a digital signature scheme, implying that the coin belongs to the owner of the public key.If a coin owner wants to spend the coin on a public key pk, it needs to generate a transaction tx and a signature σ such that (tx, σ ) constitutes a valid (message, sig- nature) pair w.r.t.pk, authenticating the spending of the coin by this transaction.In this setting, the secret keys naturally became a highly attractive target for attacks since the users control funds through secret keys.Therefore, key management plays a crucial role in cryptocurrencies and it needs to work like a wallet for the coins.
Deterministic wallets (Buterin 2013) has been accepted as one of the most prominent solutions in the community for safeguarding the security of the keys in cryptocurrency.At a high level, a deterministic wallet consists of two components: a hot wallet and a cold wallet, along with a deterministic key derivation mechanism.The hot wallet is permanently connected to the network, while the cold wallet stores the secret key and comes online only rarely (e.g., when a large amount of money needs The main contribution of this paper is presenting an efficient deterministic wallet scheme in the quantum random oracle model.Particularly, we provide a new construction method for post-quantum secure deterministic wallet schemes, which enables efficient instantiation.To demonstrate that, we present an efficient instantiation from the NTRU lattice-based signature scheme Falcon, and show an implementation.By a comparison with the state-of-the-art deterministic wallet under the same security level, our work has a comprehensive improvement.*Correspondence: Zhen Liu liuzhen@sjtu.edu.cn 1 Department of Computer Science and Engineering, Shanghai Jiao Tong University, 3-509 SEIEE Building, No. 800 Dongchuan Road, Minhang District, Shanghai 200240, China to be transferred).This effectively reduces the exposure chance of secret keys and achieves enhanced safety of the coins.More concretely, after an initialization phase, a master key pair (mpk, msk) is generated, where the master secret key msk is stored in the cold wallet, while the hot wallet retains the corresponding master public key mpk.The deterministic key derivation mechanism enables both the cold and hot wallets to derive matching secret and public session keys without any interaction.As the name deterministic wallet implies, the deterministic property means that all keys in a wallet are deterministically generated from a 'seed' , which allows the wallet owner to recover all keys from the seed when necessary (e.g., when the device hosting the wallet crashes).As formalized by Das et al. (2019), deterministic wallets provide two security guarantees.The first is wallet unforgeability, which states that once coins have been sent to the cold wallet, they must remain secure even if the hot wallet was compromised.The second is wallet unlinkability, which guarantees that session public keys generated from the same master public key mpk are computationally indistinguishable from freshly generated session public keys.
There is an evident need to design quantum-secure alternatives of currently deployed cryptocurrency protocols since most cryptographic primitives used by cryptocurrencies today can be broken by quantum adversaries.Most notably, the ECDSA signature scheme that is implemented by nearly all popular cryptocurrencies relies on the hardness of computing discrete logarithms, which can be broken by the Shor algorithm (Shor 1994).Among the available options, lattice-based cryptography has emerged as one of the most promising branches of post-quantum secure cryptography, as it enables elegant and practical schemes that come with strong security guarantees against quantum attackers (Li et al. 2023;Alkim et al. 2020).Alkeilani Alkadri et al. (2020) presented the first post-quantum secure deterministic wallet scheme from the Fiat-Shamir with aborts lattice-based signature framework, but their concrete parameters size (e.g., the public verification key size and the secret signing key size) and computational efficiency still exhibits a gap to bridge for practical applicability.There are essentially two paradigms for lattice-based signatures: the Fiat-Shamir with aborts framework (Lyubashevsky 2009(Lyubashevsky , 2012) ) and the hash-and-sign GPV framework (Gentry et al. 2008).However, as far as we know, no post-quantum secure deterministic wallet that adopts the hash-and-sign GPV framework has been introduced so far.As evidenced by Espitau et al. (2022, Abstract), lattice-based digital signature schemes following the hash-and-sign GPV framework offer an attractive level of efficiency, particularly when instantiated with structured compact lattices.In this work, we fill this theoretical gap and analyze the efficiency improvement when instantiated with structured compact NTRU lattices.

Contributions
In this work, the main contribution is presenting an efficient post-quantum secure deterministic wallet scheme, which is threefold: A new construction method for post-quantum secure deterministic wallet schemes; A provably secure deterministic wallet construction in the quantum random oracle model; An efficient instantiation from compact NTRU lattice.
A new construction method for post-quantum secure deterministic wallet scheme.On the construction, similar to Alkeilani Alkadri et al. (2020), our deterministic wallet scheme is also constructed based on a signature scheme with rerandomizable public keys (RKS), but the difference is that our RKS scheme is based on a lattice-based signature scheme from hash-andsign GPV framework (LHS), while Alkeilani Alkadri et al. 's RKS scheme is based on the lattice-based signature scheme Fiat-Shamir with aborts framework.In addition, we give a new formalization for deterministic wallets, specifically, we expand upon the prior syntax (Alkeilani Alkadri et al. 2020;Das et al. 2019) by introducing a randomness generation algorithm DW.RandGen.It enables a more natural key derivation since it only requires the input of the master public/ secret key and a randomness ρ ID from DW.RandGen, that is rather than (pk ID , St i ) ← DW.PKDer(mpk, ID, St i−1 ) as in prior works (Alkeilani Alkadri et al. 2020;Das et al. 2019) that need to input an identifier ID and an original state St i−1 .Accordingly, we also augment the underly- ing signature scheme RKS with a randomness generation algorithm RKS.RandGen (cf.Definition 3).This mode is also beneficial for practical implementation because in this way randomness can be generated offline, enabling offline-online mode support for key derivation.
The key derivation mechanism plays a key role in wallets.In our construction, since the underlying hash-and-sign GPV framework is trapdoor enabled, we could introduce the lattice basis delegation algorithm to realize the session keys derivation mechanism.Therefore, we believe our work not only fills the theoretical gap that no post-quantum secure deterministic wallet that adopts the hash-and-sign GPV framework, but also could be taken as a stepping stone for further research on the trapdoor enabled deterministic wallets, as there is a flourish of researches being conducted on techniques related to lattice trapdoor (Agrawal et al. 2010a, b;Cash et al. 2010;Micciancio and Peikert 2012).However, although we can instantiate our construction efficiently in this mode, the degradation of lattice basis/trapdoor quality 1 caused by the lattice basis delegation algorithms leads to a larger signature size.Therefore, how to further reduce the signature size (e.g., employ or design a new lattice basis delegation algorithm) will be worth studying as future work.
Provably secure in the quantum random oracle model.We note that our construction has three levels, from bottom to top they are the lattice-based signature scheme from hash-and-sign GPV framework (LHS), the signature scheme with rerandomizable public keys (RKS), and the deterministic wallet scheme (DW).Therefore, for the security proof, we first need to reduce the security of the LHS to the security of the intermediate RKS (cf.Theorem 3).Then we need to further reduce the security of the RKS to the security of the DW (cf.Theorem 2).The security of the LHS scheme in QROM was analyzed in several works (Boneh et al. 2011;Chailloux and Debris-Alazard 2020;Fouque et al. 2018).We prove the Theorem 2, i.e., the security reduction from RKS to DW, in a similar manner with Alkeilani Alkadri et al. (2020) at an additive polynomial reduction loss.We prove the Theorem 3, i.e., the security reduction from LHS to RKS, by showing a perfect simulation with the leveraging of the simulation tool SampleRwithBasis (Agrawal et al. 2010b).In addition, we conducted a quantitative analysis of the reduction loss incurred by our security reductions and considered it in our experiments (cf."Parameters setting" section).
Efficient instantiation from compact NTRU lattice.In cryptocurrencies, transaction throughput is important, which is dominated by the public key size and the signature size of the wallet scheme.Furthermore, in signature-based cryptographic schemes, the overall efficiency performance of the scheme (such as signature size, signing time, etc.) is often closely related to the secret signing key size.In this regard, Alkeilani Alkadri et al. (2020) posed the construction of an efficient postquantum secure deterministic wallet scheme as an open problem.As we mentioned earlier, there are essentially two lattice-based signature paradigms: the Fiat-Shamir with aborts framework (Lyubashevsky 2009(Lyubashevsky , 2012) ) (that the work of Alkeilani Alkadri et al. (2020) based) and the hash-and-sign GPV framework (Gentry et al. 2008) (that our work based).We present an efficient instantiation from the NTRU lattice-based signature scheme Falcon (Fouque et al. 2018), and provide an implementation.Finally, we compare our work with the state-of-the-art deterministic wallet proposed by Alkeilani Alkadri et al. (2020) under the same security level.Our comparison result shows that our work has a comprehensive improvement on efficiency (cf."Implementation" section).

Related work
We provide a further comparison with related work.Prior to the security model for hot/cold wallets formalized by Das et al. (2019), there were also works aimed to present provably secure deterministic wallet schemes.For example, Liu et al. (2019) proposed an 'identity-based signature' like signature scheme, which was later adapted to lattice setting by Liu et al. (2020), however, it was proven in a random oracle rather than a quantum random oracle, and the public key and signature sizes of their construction are too large for practical use (cf.Liu et al. 2020, Section 1.1).More recently, the signature scheme was transformed into a deterministic wallet scheme by Liu et al. (2022) but lacking quantum security.Until recently, Das et al. (2019) first formalized the security model for hot/cold deterministic wallets and provided a construction, however, it was not post-quantum secure.Building upon the framework of Das et al. (2019), Erwig and Riahi (2022) presented a novel deterministic wallet based on a new cryptographic primitive called adaptor signatures, but it was not post-quantum secure.
There are also researches on hierarchical variants, i.e., hierarchical deterministic wallets (Das et al. 2021;Di Luzio et al. 2020;Fan et al. 2020;Gutoski and Stebila 2015;Yin et al. 2022), which can be applied in hierarchical organizations (e.g., large companies and institutions) to support use cases such as treasurers allocating funds to departments.However, to the best of our knowledge, no quantum-secure hierarchical deterministic wallet has been introduced so far.Therefore, it is a promising direction for future research to extend our methods to hierarchical variants.

Definitions
In this section, we introduce the syntax and relevant security notions for signatures and deterministic wallets.

Definitions for signatures
Definition 1 (Signature Scheme) A signature scheme SIG := (SIG.KeyGen, SIG.Sign, SIG.Ver) is a triple of algorithms, SIG.KeyGen, SIG.Sign, and SIG.Ver, where SIG.KeyGen is called a key generation 1 In lattice-based cryptosystems, the lattice basis often plays the role of a trapdoor.The quality of the so-called basis or trapdoor refers to the size of the basis under certain measures (such as the maximal Gram-Schmidt length used in Gentry et al. (2008), Agrawal et al. (2010a, b), Cash et al. (2010) and this paper, or the maximum singular value used in Micciancio and Peikert (2012), Ducas and Micciancio (2014)), and its value is usually smaller, representing better quality.algorithm, SIG.Sign is called a signing algorithm, and SIG.Ver is called a verification algorithm.
• SIG.KeyGen is a probabilistic algorithm that is invoked as (pk, sk) ← SIG.KeyGen(1 n ) , where n is the security parameter, sk is called a secret signing key, and pk is called a public verification key.The algorithm outputs the key pair (pk, sk).• SIG.Sign is a probabilistic algorithm that is invoked as σ ← SIG.Sign(sk, µ) , where sk is a sign- ing key and µ is a message.The algorithm outputs a signature σ. • SIG.Ver is a deterministic algorithm that is invoked as 1/0 ← SIG.Ver(pk, µ, σ ) .The algorithm outputs 1 if signature σ is valid and 0 otherwise.

Correctness:
A signature scheme SIG is correct, let M be the message space, for all n ∈ N , any key pair (pk, sk) ← SIG.KeyGen(1 n ) , any message µ ∈ M , and any signature σ ← SIG.Sign(sk, µ) , we have the follow- ing holds (over all the randomness in the experiment).
In this work we will use the standard security notion of existential unforgeability under adaptive chosenmessage attacks (Goldwasser et al. 1988) (EUF-CMA).
Below we formalize the EUF-CMA security notion for a signature scheme SIG through the following security game between an adversary A and a challenger C.
We refer to such an adversary A as EUF-CMA adver- sary.We define the advantage Adv euf-cma A of A in attack- ing a signature scheme SIG to be the probability that A wins above game, that is Adv euf-cma Definition 2 (EUF-CMA Security) For a security parameter n, let t = t(n) , q s = q s (n) , and ǫ = ǫ(n) .A sig- nature scheme SIG is (t, q s , ǫ) -EUF-CMA secure if for any t time EUF-CMA adversary A that makes at most q s signing queries such that Adv euf-cma We will use the following notion of signature schemes with rerandomizable public keys from Alkeilani Alkadri et al. (2020), Das et al. (2019), which is a relaxed version of the notion of signature schemes with rerandomizable keys from Fleischhacker et al. (2016) since it holds only for the generated public keys, but not in case of secret keys.In our setting, this notion is augmented with an additional algorithm RKS.RandGen.
Definition 3 (Signature Scheme with Rerandomizable Public Keys) A signature scheme with rerandomizable public keys RKS is a tuple of algorithms RKS := (RKS.KeyGen, RKS.RandGen, RKS.RandPK, RKS.RandSK, RKS.Sign, RKS.Ver) where algorithms (RKS.Key-Gen, RKS.Sign, RKS.Ver) satisfy the definition of a standard signature scheme as defined above (cf.Definition of SIG).For randomness space R , (RKS.RandGen, RKS.RandPK, RKS.RandSK) are three polynomialtime algorithms such that • RKS.RandGen is a deterministic algorithm which takes as input a seed γ and outputs randomness ρ ∈ R , i.e., it is invoked as ρ ← RKS.RandGen(γ ).• RKS.RandPK is a deterministic algorithm that is invoked as pk ′ ← RKS.RandPK(pk, ρ) , where pk is a public verification key and ρ ∈ R is a random- ness.The algorithm outputs a randomized public verification key pk ′ .• RKS.RandSK is a deterministic algorithm that is invoked as sk ′ ← RKS.RandSK(sk, ρ) , where sk is a secret signing key and ρ ∈ R is a randomness.The algorithm outputs a randomized secret signing key sk ′ .
The RKS has a property that is the rerandomizability of public keys, which ensures the distributions of the output rerandomized public keys are identical.In our setting, we adopt the relaxed version of that property, the distributions of the output rerandomized public keys are statistically indistinguishable.
• C initializes two empty lists (R, M) and runs (pk, sk) ← RKS.KeyGen(1 n ) .Finally, C sends pk to A. • A is given access to Rand oracle to derive a ran- domness.To respond that, C chooses ρ $ ← − R and sets R := R ∪ {ρ} .Finally, C sends ρ to A.
• A is also given access to the signing oracle Sign.
We refer to such an adversary A as EUF-CMA-HRK adversary.We define the advantage Adv euf-cma-hrk A of A in attacking a signature scheme with rerandomiz- able public keys RKS to be the probability that A wins above game, that is Adv euf-cma-hrk Definition 4 (EUF-CMA-HRK Security) For a security parameter n, let t = t(n) , q s = q s (n) , and ǫ = ǫ(n) .A sig- nature scheme with rerandomizable public keys RKS is (t, q s , ǫ) -EUF-CMA-HRK secure if for any t time EUF- CMA adversary A that makes at most q s signing queries such that Adv euf-cma-hrk A ≤ ǫ.

Definitions for deterministic wallets
In this section, we introduce the syntax and relevant security notions for deterministic wallets.
The definitions are essentially same as prior works (Alkeilani Alkadri et al. 2020;Das et al. 2019) except some modifications to make the definitions more concise: We augment the existing syntax (Alkeilani Alkadri et al. 2020;Das et al. 2019) by introducing a randomness generation algorithm DW.RandGen which acts the same role as the RandG algorithm of Alkeilani Alkadri et al. (2020) (cf. Alkeilani Alkadri et al. 2020, Section 4.1).At a high level, a deterministic wallet consists of two components: a cold wallet and a hot wallet, along with a deterministic key derivation mechanism.Specifically, upon initialization of the scheme, the cold wallet generates a master key pair (mpk, msk) and a chaincode ch and forwards (mpk, ch) to the hot wallet.Then the cold wallet and the hot wallet can use the key derivation algorithms SKDer and PKDer, respectively, to derive an arbitrary number of session key pairs, without further interaction, from the (mpk, msk) and an identifier set.The correctness requires that if the cold wallet and the hot wallet derive session key pairs on the same set of identifiers ID 0 , . . ., ID N −1 ∈ {0, 1} * and in the same order, then any signature created under one of the signing keys derived from the cold wallet should be correctly verified under the corresponding verification key derived from the hot wallet.
Definition 5 A deterministic wallet scheme is a tuple of algorithms DW := (DW.KeyGen, DW.RandGen, DW.PKDer, DW.SKDer, DW.Sign, DW.Ver) , where DW.KeyGen is a master key generation algorithm, DW.RandGen is a randomness generation algorithm, DW.PKDer is a session public key derivation algorithm, DW.SKDer is a session secret key derivation algorithm, and DW.Ver is a verification algorithm.
• DW.KeyGen is a probabilistic algorithm that is invoked as (mpk, msk) ← DW.KeyGen(1 n ) , where n is the security parameter.The algorithm outputs a master public key mpk, a master secret key msk, and a chaincode ch.• DW.RandGen is a deterministic algorithm that is invoked as ρ ID ← DW.RandGen(ch, ID) , where ch is a chaincode and ID is an identifier.The algorithm outputs a randomness ρ ID .• DW.PKDer is a deterministic algorithm that is invoked as pk ID ← DW.PKDer(mpk, ρ ID ) , where mpk is the master public key and ρ ID is a randomness with respect to ID .The algorithm outputs a session public key pk ID .
• DW.SKDer is a deterministic algorithm that is invoked as sk ID ← DW.SKDer(msk, ρ ID ) , where msk is the master secret key and ρ ID is a randomness with respect to ID .The algorithm outputs a session secret key sk ID .• DW.Sign is a probabilistic algorithm that is invoked as σ ← DW.Sign(sk ID , µ) , where sk ID is a session secret key and µ is a message.The algo- rithm outputs a signature σ. • DW.Ver is a deterministic algorithm that is invoked as 1/0 ← DW.Ver(pk ID , µ, σ ) , where pk ID is a session public key, µ is a message, and σ is a sig- nature.The outputs 1 if σ is a valid signature for µ under public key pk ID .It outputs 0 otherwise.

and any randomness
A deterministic wallet scheme DW should satisfy the following two security properties -wallet unlinkability and wallet unforgeability.

Wallet unlinkability
The unlinkability property guarantees that different public session keys that are derived from the same master public key should be unlinkable.Formally, it requires that, given the master public key, the distribution of the session public keys is computationally indistinguishable from session public keys that are generated from a fresh master public key and a fresh chain code.The unlinkability game for deterministic wallets DWUNL is presented in Fig. 1.Initially, the adversary A = (A 1 , A 2 ) runs its subproc- edure A 1 on input a master public key mpk generated by DW.KeyGen(1 n ) and subsequently interacts with the ora- cles PK and Sign .These oracles represent the adversary's capability to observe signatures with corresponding session public keys of the wallet on the ledger.The oracle PK takes a ID as input and checks if there is a record of the ses- sion public key pk ID .If there is no record, the oracle gener- ates a randomness ρ ID and uses it as input in DW.PKDer to derive pk ID .After that, it stores pk ID and ρ ID in an array Keys [ID] .The oracle Sign takes as input a message µ and a ID , and outputs the corresponding signature with the con- dition that ID has been previously queried on PK.After the query phase of A 1 , a challenge ID * is provided.Note that we use the array Keys[ID] to store session public key pk ID and randomness ρ ID w.r.t. the key value ID .If there is no record for ID * , the game proceeds to the challenge phase, otherwise return 0. Then the adversary A 2 will be given a challenge public key pk b ID * which is either real or random, namely, it depends on either the tuple (mpk, msk, ch) or a Fig. 1 Unlinkability game DWUNL for deterministic wallets fresh and independent tuple ( mpk, msk, ch) .A 2 's goal is to distinguish these two scenarios.
Definition 7 A deterministic wallet scheme DW is postquantum unlinkable if for any quantum adversary A , the advantage Pr[b ′ = b] − 1 2 in game DWUNL (cf.Fig. 1) is negligible.

Wallet unforgeability
The unforgeability guarantees that once funds are transferred to the cold wallet they remain secure even if the hot wallet is compromised, and the adversary can observe transfers of coins that are sent from the cold wallet.Figure 2 presents the unforgeability game for deterministic wallets DWUF.Initially, the adversary A obtains a master public key mpk and the chain code ch as input.Then A can access two oracles PK and Sign .These oracles are defined in the same way as in the game DWUNL, except that Sign now addition- ally keeps track of all queried messages by using an array Msg [ID] .Finally, A outputs a forgery tuple (µ * , σ * , ID * ) .We say A wins the DWUF game if (1) µ * has not been que- ried on oracle Sign , (2) ID * has been queried on oracle PK , and (3) σ * is a valid signature for µ * w.r.t.pk ID * .
Definition 8 A deterministic wallet scheme DW is postquantum unforgeable if for any quantum adversary A , the advantage Pr DWUF A DW = 1 in game DWUF (cf.Fig. 2) is negligible.

Preliminaries
Notation We denote vectors with lower-case bold letters (e.g.x ) and matrices with upper-case bold letters (e.g.A ).
We denote e $ ← − S as the uniform sampling of the variable e from the set S .We say that a function in n is negligible , written negl(n), if it vanishes faster than the inverse of any polynomial in n.We say probability p(n) is overwhelming if 1 − p(n) is negligible.We always denote the security parameter by n, and o(n) denotes a linear function in n.We always use a 'randomized-rounding parameter' r that we let be a fixed function r(n) = ω( log n) growing asymp- totically faster than log n .We denote the horizontal con- catenation of two matrices A and B as A | B .For any set S = {s 1 , . . ., s m } ⊂ R m of linearly independent vectors, we use S denotes the ℓ 2 -norm of A that is �S� := max i �s i � , and use S gs denotes Gram-Schmidt norm of S that is �S� gs := max i �s i � gs for i ∈ [m] .Unless otherwise stated, all algorithms are probabilistic, we use y ← A(x) to denote that algorithm A outputs y when running on input x, and write y ← A(x, ρ) to denote algorithm A outputs y when running on input x and randomness ρ .In this way, algo- rithm A becomes a deterministic algorithm.We use A(x) to denote the set of all possible outputs of (probabilistic) algorithm A on input x.We model hash functions as classical random oracles (Bellare and Rogaway 1993) or quantum random oracles (Boneh et al. 2011).We denote the classical random oracle by the symbol H and the quantum random oracle by the notation |H� .In our proofs, we will consider reprogrammed random oracles.For a (quantum) random

Quantum random oracle model
We review the quantum random oracle model and the existing results that we will use.The quantum random oracle model (QROM) is introduced by Boneh et al. (2011) which is motivated by the observation that the random oracle model (ROM) is not appropriate in the post-quantum setting.In the real world, an adversary equipped with a quantum computer is able to implement the hash function and evaluate it in superposition.In QROM, parties with quantum computing power get access to the oracle |H� where |H� : |x, y� � → |x, y ⊕ H(x)� .Below we describe a result for quantum random oracles that are required for our proofs.As mentioned in Alkeilani Alkadri et al. (2020), the one-way to hiding (O2H) lemma (Unruh 2015) is an important tool for security proofs in the QROM.It provides bounds on the advantage of an adversary in distinguishing between different random oracles when the adversary is allowed to query them in superposition.Below we state the O2H lemma using the reformulation by Ambainis et al. (2019).
Lemma 1 (One-Way to Hiding (O2H) (Ambainis et al. 2019)) Let G, H : X → Y be random functions, let z be a random value, and let S ⊂ X be a random set such that ∀x / ∈ S , G(x) = H(x) . (G, H, S, z) may have arbitrary joint distribution.Furthermore, let A |H� be a quantum oracle algorithm which queries |H� at most q H times.Let Ev be an arbitrary classical event.Define an oracle algorithm B |H� as follows: Choose i $ ← − [q H ] and run A |H� (z) until just before its i-th round of queries to |H� .Measure the query in the computational basis, and output the measurement outcome.It holds that We also use the following small-range distributions presented by Zhandry's (2021).These are distributions where the set of possible outputs is limited.
Definition 9 (Small-Range Distributions (Zhandry 2021)) Let X , Y be sets, r be an integer, D be a dis- tribution on Y , P be a random function from X to [r], and y = (y 1 , . . ., y r ) be r samples of D. Define a func- tion H : X → Y by H(x) → y P(x) .The distribution of H , induced by P and y , is called a small-range distribution with r samples of D.
The following lemma provides a bound on the distinguishing advantage between a random oracle and an oracle drawn from a small-range distribution when superposition access is granted.
Lemma 2 (Zhandry 2021) There is a universal constant C such that, for any set X and Y , distribution D on Y , integer l, and any quantum algorithm A making q H que- ries to an oracle H : X → Y , the following two cases are indistinguishable, except with probability less than • H is drawn from the small-range distribution with l samples of D.

Lattices and Gaussian distributions
Let m ∈ Z be a positive integer and ⊂ R m be an m-dimensional full-rank lattice formed by the set of all integral combinations of m linearly independent basis vectors B = (b 1 , . . ., b m ) ⊂ Z m .For positive integers n, q, a matrix A ∈ Z n×m q , and a vector u ∈ Z m q , the m-dimensional integer lattice ⊥ q (A) and its coset u q (A) are defined as For a vector c ∈ R m and a positive parameter σ ∈ R , the Gaussian functions for any x ∈ R m and any x ∈ with center c and parameter σ are defined as Define the discrete Gaussian distribution as D ,σ ,c (x) = ρ σ ,c (x)/ρ σ ,c ( ) .For simplicity, D ,σ ,0 is abbreviated as D ,σ when the center vector c = 0.
Properties of Gaussian Distributions: The following lemma captures some properties of Gaussian distributions.Property-1 gives a norm bound on the Gaussian sampled preimage vector.Property-2 will be used to make our RKS scheme satisfy the rerandomizability of public keys (cf."Lattice-based signatures with rerandomizable PK" section).Property-3, i.e., SampleGaussian algorithm is the basic algorithm which is called by several algorithms such as SampleR, SamplePre, and Rand-Basis that will be given later.Property-4, i.e., Sam-plePre algorithm will be mainly used in the signing algorithm of LHS scheme (cf."Lattice-based hash-andsign signatures" section).
Lemma 3 (Gentry et al. 2008) Let q ≥ 2 be a prime and let A be a matrix in Z n×m q with m > n .Let B be a basis of � ⊥ q (A) and standard deviation s ≥ �B� gs • ω( log m) .Then for c ∈ R m and u ∈ Z n q , we have the following properties: 2. For e ← D Z m ,s , the distribution of u = Ae ∈ Z n q is within negligible statistical distance of uniform over Z n q .3. There is a PPT algorithm SampleGaussian( A, B, s, c) that outputs e ∈ � ⊥ q (A) drawn from a distribution statistically close to D ,s,c .4. There is a PPT algorithm SamplePre(A, B, u, s) that outputs e ∈ � u q (A) drawn from a distribution statisti- cally close to D � u q (A),s,c .
The following lemma shows how to sample an essentially uniform matrix A ∈ Z n×m q with an associated basis B of � ⊥ q (A) with low Gram-Schmidt norm.The Basis- Gen algorithm will be used in the sampling of the master public key mpk and master secret key msk, i.e., master key pair (mpk, msk) in the key generation phase of our wallet scheme.
Lemma 4 (Lattice Basis Generation Algorithm (Alwen and Peikert 2009;Micciancio and Peikert 2012)) There is a fixed constant C > 1 and a PPT algo- rithm BasisGen(1 n , q) that, for polynomial bounded m ≥ Cn log q , the algorithm outputs A ∈ Z n×m q and B ∈ Z m×m such that B is a basis of � ⊥ q (A) , the distribu- tion of A is within negligible statistical distance of uni- form, and �B� gs ≤ L tg for L tg = O( n log q) where we let L tg be the Gram-Schmidt norm bound on the generated basis B.

Lattice basis delegation
We now review the lattice basis delegation algorithm BasisDel by Agrawal et al. (2010b) which is the core procedure of the key derivation algorithm of our wallet scheme.The main inputs of the algorithm are a matrix A in Z n×m q , a basis B of � ⊥ q (A) , and an invert- ible matrix R in Z m×m .The goal is to generate a matrix A ′ that is within negligible statistical distance of uni- form, and generate a basis B ′ of lattice � ⊥ q (A ′ ) .At a high level, let A ′ = AR , let B ′ := R −1 B , we can observe that B ′ ∈ � ⊥ q (A ′ ) since A ′ B ′ = 0 (mod q) .The resulting basis B ′ will be a short basis when the input matrix R is sampled from a certain distribution.And B ′ is distrib- uted statistically independent with the original basis B by a basis randomization algorithm.
The BasisDel algorithm consists of three parts: an invertible matrix R in Z m×m where all the columns of R are low-norm, ToBasis algorithm, and RandBasis algorithm.Define s r := L tg • ω( log m) .Define D m×m , the distribution on matrices in Z m×m , as (D Z m ,s r ) m con- ditioned on the resulting matrix being invertible.The following algorithm shows how to sample the desired R.
Lemma 5 (SampleR Algorithm (Agrawal et al. 2010b)) Let T be the canonical basis of the lattice Z m .There is a PPT algorithm SampleR(1 m ) which outputs an invertible matrix R ∈ D m×m by calling SampleGaussian(Z m , T, s r , 0).
The following algorithm shows that a full-rank set of lattice vectors S of a lattice can be converted into a basis T for with an equally low Gram-Schmidt norm.
Lemma 6 (To Basis Algorithm (Micciancio and Goldwasser 2002)) Let be an m-dimensional lattice with basis B .There is a deterministic polynomial time algo- rithm ToBasis(S, B) which takes as input the basis B and a full-rank set (not necessarily a basis) S of lattice vectors in , outputs a basis T of such that �t i � gs ≤ �s i � gs for all i.
We use the following algorithm to randomize a lattice basis, which is used for our wallet scheme to delegate the control on asset to another entity securely.The resulting basis remains short and is essentially statistically independent of the original basis.
Lemma 7 (RandBasis Algorithm (Cash et al. 2010)) There is a PPT basis randomization algorithm RandBasis(B, s) which takes as input a basis B of � ⊥ q (A) and a standard deviation s ≥ �B� gs • ω( log m) , outputs a new basis B ′ of � ⊥ q (A) such that �B ′ � gs ≤ s √ m holds with overwhelming probability.Furthermore, the distribution of B ′ is statistically independent with the original basis B.
Next, we introduce the lattice basis delegation algorithm BasisDel which is composed of the aboveintroduced matrix R and algorithms ToBasis and RandBasis.
Lattice Basis Delegation Algorithm: BasisDel(A, B, R, s) , a basis B of � ⊥ q (A) , an invertible matrix R generated by SampleR algorithm, and a standard deviation s.
Outputs: Let A ′ = AR .It outputs a basis B ′ of � ⊥ q (A ′ ).The BasisDel algorithm runs as follows: , R is invertible, and A ′ S = 0 (mod q) , therefore, S is a set of independent vectors in � ⊥ q (A ′ ). 2. Call ToBasis by taking as input the S and an arbitrary basis of � ⊥ q (A ′ ) and outputs a basis B whose Gram- Schmidt norm is no more than that of S. 3.Call RandBasis by taking as input B and standard deviation s then outputs the resulting basis B ′ of � ⊥ q (A ′ ).
Lemma 8 (BasisDel Algorithm (Agrawal et al. 2010b)) There is a PPT basis delegation algorithm BasisDel(A, B, R, s) which takes as input a matrix A in Z n×m q , a basis B of � ⊥ q (A) , an invert- ible matrix R ∈ D m×m , and a standard deviation s > �B� gs nm log q • ω(log 2 m) .Let A ′ = AR .The algorithm outputs a basis B ′ of � ⊥ q (A ′ ) such that �B ′ � gs /�B� gs ≤ m 3/2 ω(log 2 m) .
Furthermore, the distribution of B ′ is statistically close to the distribution RandBasis(T, s) where T is an arbitrary basis of � ⊥ q (A ′ ) satisfying �T� gs ≤ s/ω( log m).
Our proof of the security of the RKS scheme employs the algorithm SampleRwithBasis that takes as input a random matrix A ∈ Z n×m q , it outputs a low-norm and invertible matrix R ∈ D m×m as well as a short basis B for � ⊥ q (AR).
Lemma 9 (SampleRwithBasis Algorithm (Agrawal et al. 2010b)) There is a PPT algorithm SampleRwithBasis(A, s) which takes as input a matrix A ∈ Z n×m q whose columns generate Z n q and a Gaussian parameter s, the algorithm outputs a matrix R ∈ D m×m,s and an invertible basis B for � ⊥ q (AR) such that �B� gs ≤ s r /ω( log q).

Lattice-based hash-and-sign signatures
Our construction is based on the Hash-and-Sign signature paradigm, rather than the Fiat-Shamir paradigm as in prior work (Alkeilani Alkadri et al. 2020).We review a generic construction of latticebased hash-and-sign (LHS) signatures.The scheme LHS:=(LHS.KeyGen, LHS.Sign, LHS.Ver) is formally described in Fig. 3.The key generation algorithm LHS.KeyGen generates an instance of a computationally hard lattice problem called the short integer solution (SIS) (Ajtai 1996).In essence, the LHS.KeyGen algorithm is a lattice basis generation algorithm BasisGen (cf.Lemma 4) which out- puts A ∈ Z n×m q and B ∈ Z m×m such that B is a lattice basis of � ⊥ q (A) , the distribution of A is within negli- gible statistical distance of uniform, and B has a low Gram-Schmidt norm.The LHS.Sign algorithm mainly consists of two components, a hash function H : {0, 1} * → Z n q which is modeled as a random oracle, and a Gaussian preimage sampling algorithm Sam-plePre (cf.item 4 of Lemma 3).The SamplePre algorithm is able to sample a low-norm preimage A signature consists of two items (e, r) , a Gaussian sampled preimage e and a random vector r .The veri- fication algorithm LHS.Ver checks if Ae = H(µ, r) , r ∈ {0, 1} o(n) , and if e ∈ D s where we let the distribu- tion D s = {e ∈ Z m : �e� ≤ s √ m} for a specified Gauss- ian parameter (standard deviation) s, otherwise another e ′ is easy to find such that Ae ′ = H(µ, r) and hence the unforgeability is broken.For the correctness, by the property of SamplePre (cf.Item 4 of Lemma 3), e ∈ D s and Ae = H(µ, r) holds with overwhelming probability.The EUF-CMA security of lattice-based hash-and-sign signatures in QROM was analyzed in several works (Boneh et al. 2011;Chailloux and Debris-Alazard 2020;Fouque et al. 2018).
On input a master secret key msk and a randomness ρ ID , compute sk ID ← RKS.RandSK(msk, ρ ID ) .Output the session secret key sk ID .

Security proofs
The correctness of the DW scheme directly follows from the correctness of the RKS scheme.Below we prove that the DW scheme achieves both unlinkability and unforgeability against quantum adversaries.
Theorem 1 The deterministic wallet scheme DW depicted in Fig. 4 is DWUNL secure in the QROM if the DW is built from the signature scheme with rerandomizable public keys RKS (depicted in Fig. 5).
In our setting, all the wallet public keys are derived from a parameter that is the chaincode ch, so the adversary's winning probability is reduced significantly.Therefore, the point is to check whether a query made by the adversary is problematic, i.e., whether it coincides with the chaincode.However, we cannot check the problematic query by a simple comparison as classic ROM setting (cf.Das et al. 2019), since in the QROM, the adversary is able to query the random oracle in superposition.Instead, we consider a game hop in which we can bound the adversary's advantage in distinguishing two random oracles, which in turn can be bound by the one-way to hiding lemma (cf.Lemma 1).For the remained games, we argue the adversary only has negligible advantage in winning the game by the rerandomizable property of the underlying signature schemes.
Proof Let A = (A 1 , A 2 ) be an adversary which makes q H queries to its oracles |H� .We prove the theorem via the following two games.Game G 0 : This game behaves exactly as the game DWUNL (cf.Fig. 1) instantiated with DW.
Game G 1 : This game is the same as G 0 , except that the randomness seed γ ID is sampled at random, i.e., independ- ent of the random oracle.In this way, the only difference between two games G 0 and G 1 lies in the random oracle, since the randomness seed γ ID in both games is distrib- uted identically.From the point of view of A = (A 1 , A 2 ) , the random oracle in game G 1 is |H S→$ � , i.e., the random oracle that is reprogrammed the chain codes in S to ran- dom value.Hence, we can bound the advantage in distinguishing G 0 and G 1 by the advantage in distinguishing the random oracles |H� and |H S→$ � .Applying the O2H Lemma (cf.Lemma 1) yields where B is the adversary specified in Lemma 1, S is a set that contains all chaincodes used in the experiment, and ch ′ is the chain code that output by B .In our set- ting, |S| = 2 since there are only two chaincodes (ch, ch) throughout the system.This yields Combining the above equations yields that the advantage in distinguishing G 0 and G 1 is negligible in the security parameter n.It remains to bound the advantage of A in game G 1 , where the same argument from the classical proof applies.In G 1 , the challenge public key pk b ID * given to A 2 is independent of the random oracle (as the ran- dom oracle is not used in G 1 anymore for deriving keys).Hence, it is irrelevant whether the adversary makes any query (classical or quantum) to the random oracle.By the rerandomizability of public keys, the property of RKS scheme, the challenge public keys pk 0 ID * and pk 1 ID * are statistically indistinguishable, which yields that the adversarial advantage is negligible.
Theorem 2 The deterministic wallet scheme DW depicted in Fig. 4 is DWUF secure in the QROM if the signature scheme with rerandomizable public keys RKS (depicted in Fig. 5) is EUF-CMA-HRK secure in the QROM.
As the unlinkability proof, the unforgeability proof should also be careful of the adversary's ability to access the quantum random oracle |H� .That is, while the adver- sary is able to query |H� in superposition of exponential amounts of inputs, the reduction can only respond it in a classical way as its challenger does not provide a quantum random oracle to let the simulator forwards and responses the query in superposition.In other words, the reduction will be useless since it cannot efficiently response the adversary's query, unless it can be resolved in a classical way.To resolve that, we consider a game hop in which exponential amounts of queries are replied by the samples from a small-range distribution.This method, by the fact of the small-range distribution (cf.Lemma 2), only affects the negligible advantage of the adversary, which allows us to construct a reduction to simulate the quantum random oracle for the adversary.
Proof Let A be an adversary which makes q H queries to |H� .The proof proceeds via the following games.
Game G 0 : This game behaves exactly as the game DWUF (cf.Fig. 2) instantiated with DW (cf.Fig. 4).Assume that A has non-negligible advantage ǫ = ǫ(n) in winning G 0 .This means that there exists a polynomial p = p(n) such that p(n) > 1 ǫ(n) .
Game G 1 : This game behaves as G 0 but aborts when there is a collision of keys for different identifiers.Note that the access to the oracle PK remains classical even for a quantum adversary.Therefore, the bound from Das et al. ( 2019) is applicable, which is a simple counting argument over the number of queries to PK.This yields that the Game G 2 : In this game, the adversaries queries to |H� is simulated using Definition 9 and Lemma 2. Let l = 2Cq 3 H p with C being the constant from Lemma 2 and p being the polynomial described in G 0 .At the start of the game, the challenger will generate l random values and draw the randomness seed γ ID from a small-range distribution using these l samples.According to Lemma 2, A can only distinguish this game from the previous one with a probability less than 1 2p .Therefore, Lemma 2 yields that the advantage of A in this game is at least ǫ − negl(n) − 1 2p .
Bounding the advantage.We now show how to transform an adversary A playing G 1 into an adversary B play- ing EUF-CMA-RK B RKS (where the underlying signature scheme is RKS).At the start, B receives a public key pk, let mpk := pk , then it samples a chain code ch $ ← − {0, 1} n and l = 2Cq 3 H p samples from a small-range distribution.A is invoked on input (mpk, ch).
Simulation of Quantum Random Oracle |H� .B simulates the output (the randomness seed γ ID ) of the quantum ran- dom oracle |H� by using the l samples from Rand drawn from a small-range distribution.
Simulation of PK Oracle.When A queries the oracle PK on ID , B computes γ ID ← H(ch, ID) , ρ ID ← RKS.RandGen(γ ID ) , and pk ID ← RKS.RandPK(pk, ρ ID ) .Then B adds the (pk ID , ρ ID ) into the array Keys[ID] that B initialized in prior.Finally, B sends pk ID to A.
Simulation of Sign Oracle.When A makes a query (µ, ID) to the oracle Sign , B checks if the ID had been queried on the oracle PK, otherwise aborts.B computes pk ID ← DW.PKDer(mpk, ρ ID ) then sets µ ′ = (pk ID , µ) , and queries its own oracle Sign rks on µ ′ and obtains the response σ .Then B adds the µ to an array Msg [ID] that B initialized in prior, then sends σ to A .When A out- puts a forgery (µ * , σ * , ID * ) , B checks if µ * / ∈ Msg [ID * ] and Keys[ID * ] � =⊥ , otherwise aborts.Then B gets the (pk ID * , ρ ID * ) ← Keys[ID * ] , and sets μ * = (pk ID * , µ * ) .Finally, B outputs ( μ * , σ * , ρ ID * ) .In this process, observe that B can complete the signing oracle simulation through relaying A and the challenger's response, so they have the same total running time.
We now show that the output of B is a valid for- gery whenever the output of A is. Namely, if A 's for- gery (µ * , σ * , ID * ) is valid in Game G 1 , then B 's for- gery ( μ * , σ * , ρ ID * ) is also valid in EUF-CMA-RK.Since (µ * , σ * , ID * ) is a valid forgery by A , we know that A never queried (µ * , ID * ) to Sign.Recall that, for every query to Sign by A on any (µ, ID) , B queries the oracle Sign rks on the public key prefixed message µ ′ = (pk ID , µ) .Since A never queried Sign on input (µ * , ID * ) , B never que- ried ( μ * , ρ ID * ) to oracle Sign rks , where μ * = (pk ID * , µ * ) .Therefore, if µ * / ∈ Msg [ID] , then μ * / ∈ M where M is the set that was initialized by the challenger (cf.Definition 3).Second, it holds that ρ ID * ∈ R .This follows from the sim- ulation of the quantum random oracle where, for every possible output γ ID , γ ID is in R .Therefore, the validity of the forgery by A yields the validity of the forgery by B.
Recall that l = 2Cq 3 H p and as discussed at the beginning of this game, according to Lemma 2, the advantage of the adversary in this game is equal to ǫ − negl(n) − 1 2p .Assuming the security of the underlying signature scheme RKS, we have that this advantage be negligible.Combined with ǫ > 1 p (see description of G 0 ), this yields that 1 2p is negligible, resulting in a contradiction.Hence, we can conclude that ǫ , the advantage of A , is negligible.

Lattice-based signatures with rerandomizable PK
In this section, we propose a lattice-based construction of a signature scheme with rerandomizable public keys RKS (cf.Definition 3) in "Construction" section, set the parameters in "Parameters" section, and prove the security in "Security proof " section.

Construction
In the following, we describe the signature scheme with rerandomizable public keys RKS.The scheme extends the generic construction of lattice-based hash-and-sign signatures LHS.In addition, we define the following algorithms: • GenR is an algorithm that on input (dim, s, rnd) , then outputs an invertible matrix s by using a ran- domness rnd.As mentioned in Agrawal et al. (2010b), GenR algorithm in practice can be built from a "standard" random function h : {0, 1} * → {0, 1} t by using h as a coin generator and rnd as the randomness seed for the sampling process in SampleR algorithm (cf.Lemma 5).• As prior works (Alkeilani Alkadri et al. 2020;Das et al. 2019), we also adopt the public key prefixing method which is the common counter measure to against the related key attacks (Das et al. 2019;Morita et al. 2015), i.e., a signature on a message µ is computed as Sign(sk, (hpk, µ)) where hpk := F(pk) and F : {0, 1} * → {0, 1} o(n) is a collision-resistant hash function.
Let R r := D m×m and R l := D n×n be the random- ness spaces.
The matrices (R l , R r ) ∈ R l × R r , output from GenR, play the role in the keys randomization.Specifically, given a valid LHS key pair (pk := A, sk := B) , the randomized key pair is com- puted as (pk ′ := R l AR r , sk ′ := R −1 r B) such that pk ′ • sk ′ = 0 (mod q) .By the item 2 of Lemma 3, the distribution of pk ′ is statistically indistinguishable from pk.By the basis randomization algorithm RandBasis that is called by BasisDel algorithm (cf.Lemma 8), the delegation cannot be inverted, i.e., the secret key B can- not be revealed from the randomized key B ′ .Below we formally describe the RKS scheme.The respective algorithms are formalized in Fig. 5.

RKS.KeyGen:
The key generation algorithm RKS.KeyGen takes as input a security parameter and then invokes the algorithm LHS.KeyGen to obtain a key pair (pk, sk) where pk := A ∈ Z n×m q and sk := B ∈ Z m×m .Then, it computes hpk := F(pk) , and prepends hpk to sk.Finally, it outputs (pk, sk).
RKS.RandPK: On input a public key pk = A and the randomness ρ := (R l , R r ) ∈ R l × R r , the public key randomization algorithm RKS.RandPK computes A ′ = R l AR r and sets pk ′ := A ′ .Finally, it outputs pk ′ .
RKS.RandSK: On input a secret key sk = (hpk, B) and the randomness ρ := (R l , R r ) ∈ R l × R r , the secret key randomization algorithm RKS.RandSK computes the randomized basis B ′ in two steps: let Ā = R l A , it first computes a basis B of � ⊥ q ( Ā) by ToBasis(B, B e ) where B e is an arbitrary ephemeral basis of � ⊥ q ( Ā) .Then it computes B ′ by the basis delegation algorithm BasisDel( Ā, B, R r , s) , then it computes A ′ = R l AR r and hpk ′ ← F(A ′ ) .Finally, set sk ′ := (B ′ , hpk ′ ) and outputs sk ′ .

Parameters
The correctness of the RKS scheme directly follows from the correctness of the LHS scheme.We explain how to set the parameters.Let n be the security parameter.To ensure that hard lattices with short bases can be generated by BasisGen, we need to set m = 6n 1+c where c > 0 is a constant such that n c > O(log n) .To guarantee that the distribution on the output of SamplePre statis- tically indistinguishable between the real and simulated world, we need to set the Gaussian parameter s sufficiently large s = O(nm log q) • ω(log 2.5 m) (cf. the security proof below.) To ensure the preimage vectors sampled by SamplePre are not trivial to find (otherwise, the unforgeability is broken), we to set a norm bound, i.e., the parameter β on those preimage vectors β = O((nm 4/3 log q) 3/2 ) • ω(log 3 m) (cf. the security proof below.) To ensure our construction has a worst-case lattice reduction, by the result that is given by Gentry et al. (2008), it is required to set q = β • ω( n log n) (at least).

Security proof
In this section, we analyze the EUF-CMA-HRK security of the scheme RKS in the QROM.More precisely, we reduce its EUF-CMA-HRK security to the EUF-CMA security of the lattice-based hash-and-sign signature scheme LHS described in "Lattice-based hash-and-sign signatures" section.Note that rerandomizability of public keys (cf.Definition 3) follows from the property of Gaussian distribution that is item 2 of Lemma 3.That is, for any public key A ∈ Z n×m q which is within negligible statistical distance of uniform over Z n×m q since it is generated by BasisGen algorithm, any randomness ρ := (R l , R r ) ∈ R l × R r , then by the item 2 of Lemma 3, the distribution of A ′ = R l AR r is within negligible statis- tical distance of uniform over Z n×m q .Therefore, the public key pk := A and its randomized public key pk ′ := A ′ are statistically indistinguishable.Theorem 3 Set s = O(nm log q) • ω(log 2.5 m) and If the signature scheme LHS described in Fig. 3 is (t lhs , q s,lhs , ǫ lhs )-EUF-CMA secure in the QROM, the signature scheme with rerandomizable public keys RKS depicted in Fig. 5 is (t rks , q s,rks , ǫ rks )-EUF-CMA-HRK secure in the QROM.
Proof Let A be an adversary that is able to gener- ate valid forgeries under RKS scheme, i.e., A is able to win the unforgeability game of EUF-CMA-HRK A RKS (cf.Definition 4).We construct an algorithm B (depicted in Fig. 6) that runs A as subroutine in order to win the game EUF-CMA B LHS (cf.Definition 2) against the LHS scheme.In the QROM setting, A has quantum access to a random oracle H and classical access to signing oracle Sign .And the reduction B has quantum access to the random ora- cle H lhs and classical access to signing oracle Sign lhs .B obtains as input a public key pk lhs := A , then simulates to A as described in the following.Setup.B uses the public key pk lhs from the EUF- CMA game as the public key pk rks in its simulation of EUF-CMA-HRK.In other words, it runs A on input pk rks := pk lhs in EUF-CMA-HRK.
Simulation of Random Oracle Queries.When A queries on random oracle H , B forwards the queries to H lhs and then forwards the response from H lhs as the response of H to A.
Simulation of Randomness Queries.When A queries on the oracle Rand, let R := I n×n × R r , B randomly sample ρ from R , sets R := R ∪ {ρ} , and finally returns ρ .Under this setting, by the item 2 of Lemma 3, the randomized public keys pk ′ are statistically close to those in the real scheme.
Simulation of Signing Queries.When A queries signing oracle Sign on input (pk rks , µ, ρ) , after set Q := Q ∪ {µ} , B first parses ρ := (R l , R r ) and checks if ρ ∈ R otherwise aborts.Then, B computes the randomized public key pk ′ rks and hpk ′ ← F(pk ′ rks ) , sets µ ′ = (hpk ′ , µ) and then obtain (e, r) ← Sign lhs (µ ′ ) by querying its own challenge signing oracle.We note that here B cannot direct output (R r e, r) as the resulting signature to A .The reason is that the Gaussian parameter should be set carefully so that the resulting signature has a correct distribution.We elaborate that as below.
Let (e r , s r ) and (e s , s s ) be the (preimage e , Gaussian parameter s) of the RKS in real world and simulation, respectively.Let s lhs be the Gaussian parameter of the LHS scheme.Let s BDel be the Gaussian parameter used in the BasisDel algorithm.We first bound the preimage e r and the Gaussian parameter s r .In the real scheme, e r is sampled by the SamplePre algorithm with the input s r and a basis B ′ generated by BasisDel algorithm (in which the RandBasis algorithm is called).By the facts related to these algorithms, we bound (e r , s r ) as follows.
• By Lemma 7, the randomized basis Therefore, we can conclude that the Gaussian parameter s r and ℓ 2 -norm of e r have the following bounds We next bound the preimage e s and the Gaussian param- eter s s .In the simulation, e s = Re where R is sampled with Gaussian parameter s r while e with s lhs , so we have the following.
• By Lemma 3, s lhs ≥ �B� gs • ω( log m) .Then by Lemma 3 (item 1 and 4), �e� ≤ s lhs • √ m. • By Lemma 5, we know R r ∈ D m×m , then by item 1 of Lemma 3, the ℓ 2 -norm of each column r i of R r is bounded as �r i � ≤ s r √ m .Then we can compute the ℓ 2 -norm bound on the vector e s = R r e is s lhs s r m , i.e., �e s � ≤ s lhs s r m.
• As we defined s r = O( n log q) • ω( log m) , we have • As e s = R r e , we have s s = s r s lhs ≥ O(n log q) • ω(log m).s r ≥ O(nm log q) • ω(log 2.5 m), �e r � ≤ O(nm 1.5 log q) • ω(log 2.5 m) Observe that the Gaussian parameter in simulation (i.e., s s ) is smaller than it in the real scheme (i.e., s r ).To make the distribution of the signature tuple (e, r) response from oracle Sign statistically close to those in real scheme, by Lemma 3, it is required to set s = max{s r , s s } , therefore, the Gaussian parameter of the RKS scheme should be set (at least) s = O(nm log q) • ω(log 2.5 m).
Then we analyze how to set the parameter s .Recall that R ∈ D m×m is sampled with an ephemeral basis B of lattice Exploiting the Forgery.When A provides the forgery (µ, (e, r)), ρ) , B parses ρ := (R l , R r ) and computes the randomized public key A ′ = R l AR r .B aborts if the for- gery with respect to a queried message, i.e., µ ∈ M , or the randomness ρ is illegal, i.e., ρ / ∈ R .B also aborts if the forgery is not valid by checking as Line 7 of Fig. 6.Otherwise B outputs (R r e, r) as the forgery under LHS.
We note that the environment of A is perfectly simulated, and whenever A wins the game EUF-CMA-HRK A RKS , B wins the game EUF-CMA B LHS , hence ǫ lhs = ǫ rks .Let T srb , T s , T bd , and T toB be the maximum running time of SampleRwithBasis, SamplePre, BasisDel, and ToBasis, respectively.To answer each query within {q s } , B 's running time is bounded by O(T srb + T s ) .So the total running time of B in the simulation is bounded by O(q s (T srb + T s )) .In the real scheme, the total running time is O(q s (T toB + T bd + T s )) .By Theo- rem 15 of (Agrawal et al. 2010b, full version), we know T srb = T toB + T bd .Therefore, t lhs = t rks .
Below we argue that the (R r e, r) that B finally outputs is a valid forgery for LHS scheme.After the check at Line 7 of Fig. 6, we know ' R r ' , ' e ' , and ' r ' are well-formed, so the remained explanation is to show R r e is sufficiently short and give a concrete bound.

Practical instantiation and implementation
In this section, we present the practical instantiation and implementation of our work.We note that our method is generic which can be applied to a wide range of lattice settings, including the standard lattice given above, the compact lattices defined over polynomial rings (Lyubashevsky et al. 2010) (i.e., number rings) of the form R = Z[X]/(� n (X)) for a cyclotomic polynomial � n (X) = X n + 1 , and the more compact NTRU lat- tices (Hoffstein et al. 1998).Due to the fact that polynomial rings setting can be instantiated directly using the transformation mechanism outlined in (Micciancio and Peikert 2012, Section 4.3, full version) and the concrete instantiation of signature scheme is provided by Ducas and Micciancio (2014), below we will focus on the latter setting, i.e., instantiation from NTRU lattices.
Specifically, we demonstrate an efficient instantiation of our work from Falcon (Fouque et al. 2018), an NTRU lattice-based signature scheme, which is also based on the hash-and-sign GPV paradigm.Below, we provide the concrete instantiation of our work by instantiating the signature schemes LHS and RKS, respectively.

LHS in Falcon setting
For φ = X n + 1 , a set of NTRU secrets consists of four polynomials f , g, F , G ∈ Z[X]/(φ) which verify the NTRU equation fG − gF = q mod φ .Provided that f is invertible modulo q, we can define the polynomial h := g • f −1 (mod q) .Typically, h will be a public key, whereas f, g, F, G will be secret keys.
Recall there are two algorithms are invoked in LHS scheme (cf.Fig. 3), the basis generation algorithm Basis-Gen and the preimage Gaussian sampling algorithm Sam-plePre.In Falcon setting, the basis is composed by the polynomials f, g, F, G in the form , where g, f are coordinate-wise sampled from Gaussian distribution over Z , then the G, F are computed by a NTRU equation solv- ing procedure NTRUSolve (cf.Fouque et al. (2018, Algorithm 6)).Let the polynomial h := g • f −1 (mod q) .The public key is set as A = 1 | h , secret key .We can check that A and B are indeed orthogonal, i.e., A • B ⊤ = 0 (mod q) .Then the signature sampled by fast fourier sampling procedure (ffSampling, cf.(Fouque et al. 2018, Algorithm 11)).Formally, a generic hash-andsign signature scheme instantiated from Falcon is given below (where the optimization details such as fast fourier transform and compress methods are omitted).
• LHS.KeyGen: The key generation algorithm takes as input a security parameter, it samples each coordinate of g, f from D Z,s {g,f } where s {g,f } is specified in "Parameters setting" section, and it will be repeated if the generated polynomial f (mod q) is non-inverti- ble.Then it computes F , G ← NTRUSolve(f , g) .Let h := g • f −1 (mod q) .The public key is set as A = 1 | h , secret key .Finally, it outputs (A, B).
• LHS.Sign: As same as the signing algorithm in Fig. 3 except that the preimage e is sampled by ffSample instead of SamplePre.• LHS.Ver: As same as the verification algorithm in Fig. 3.

RKS in Falcon setting
We now describe how to instantiate the RKS scheme from the LHS scheme that is instantiated by Falcon as shown in "LHS in Falcon setting" section.The key point is how to instantiate the BasisDel algorithm since it is the core of the session key derivation mechanism.By Lemma 8, we know the BasisDel has three sub-algorithms: SampleR, ToBasis, and RandBasis.As we described in Lemma 3, both the SampleR and Rand-Basis take the Gaussian sampling algorithm as the underlying basic algorithm.In SampleR, the Gaussian sampling algorithm provides the benefit that the preimages are sufficiently short and can be invertible under certain conditions.In RandBasis, the Gaussian sampling algorithm provides the benefit that the sampled preimages are distributed statistically independent with the input basis.
• The SampleR is used to generate the randomness, i.e., the short and invertible (R l , R r ) .In Falcon set- ting, R l = [r l ], where r l , r r 1 , r r 2 are coordinate-wise sampled from D Z,s {g,f } (where s {g,f } is set in "Parameters setting" section).As mentioned by Fouque et al. (2018, Algorithm 5), in order to ensure the r l , r r 1 , r r 2 are invertible, they will be coordinate- wise resampled until the number theoretic transform of r l , r r 1 , r r 2 does not contain 0 as a coefficient.
• Let A ′ = R l AR r = [r l r r 1 |r l hr r 2 ] be the randomized public key.There are two ways to delegate the secret key.We can compute the randomized secret key Note that A ′ and B are orthogonal, i.e., A ′ • B = 0 (mod q) .Due to the (r r 1 , r r 2 ) are sampled by SampleR, we know (r −1 r 1 g, r −1 r 1 G, −r −1 r 2 f , −r −1 r 2 F ) are independent.Therefore, by Lemma 6, we can transform the B to the basis B′ of A ′ .The other way is by the standard method introduced in Falcon.As the LHS.KeyGen instantiated above, we can direct compute the desired basis by invoking the NTRU equation solving procedure, i.e., by computing (G ′ , F ′ ) ← NTRUSolve(r r 1 g, r r 2 f ) .As (r r 1 g, r r 2 f ) ∈ Z[X]/(φ) , the valid solution (G ′ , F ′ ) can be found with overwhelming probability (cf.Fouque et al. (2018, Algorithm 11)).Remark: In practice, B′ is computed in cold wallet, the input (R l , R r ) would be required to resample when the NTRUSolve output ⊥ .Therefore, the overwhelming probability for generating the correctdistributed B′ is necessary for wallet systems to deploy in hot/cold setting.
• But we cannot output the derived session secret key B′ directly, as leaking B′ would allow an adversary who knows R to easily reveal the secret information with respect to B .To address this issue, we use the RandBasis algorithm, which is actually realized by Gaussian sampling algorithm SamplePre (cf.(Cash et al. 2010, Lemma 3.3, full version)).In the Falcon setting, we use the fast Fourier sampling algorithm ffSampling instead of the SamplePre algorithm given in Lemma 3. The RandBasis algorithm takes as input the basis B′ and a Gaussian paramemter s Rand (which is specified in "Parameters setting" sec- tion), and outputs a randomized basis B ′ , that is By the property of RandBasis, specifically the property of ffSampling, B ′ is distributed statisti- cally independent with B′ .This means that even if an adversary knows the randomness R , who cannot obtain any useful information about B or B′ from the randomized basis B .Based on the key derivation mechanism instantiated above, below we present the RKS scheme.Since the algorithms of RKS.KeyGen, RKS.Sign, and RKS.Ver directly call the corresponding algorithm from the underlying LHS scheme, we will only focus on the algorithms of RKS.RandGen, RKS.RandPK, and RKS.RandSK.
• RKS.RandGen: As same as the randomness genera- tion algorithm in Fig. 5 except the output R l = [r l ], is constructed by polynomials (r l , r r 1 , r r 2 ) from Z[X]/(φ) instead of a square matrix from Z m×m .
• RKS.RandPK: On input the public key A = 1 | h and the randomness ρ := (R l , R r ) , compute the ran- domized public key Finally, it outputs A ′ .• RKS.RandSK: On input the secret key and a randomness R , compute the randomized secret key B ′ ← BasisDel(A, B, R, s) where the Gaussian parameter s is specified in "Parameters setting" section.Finally, it outputs B ′ .
The security of the instantiated RKS scheme can be proven in the same way as the RKS scheme in "Security proof " section, since the simulation tool Sam-pleRwithBasis can be instantiated directly in the Falcon setting.Specifically, as mentioned in Section 3.2 of Agrawal et al. (2010b), the SampleRwithBasis algorithm actually consists of two sub-algorithms, namely BasisGen and SampleR, which are instantiated as above.

Parameters setting
We now discuss the parameters setting.Given that we would conduct the concrete experiment to examine the practical effectiveness of our instantiated schemes, we can no longer solely discuss the parameters in the asymptotic sense based on security proofs as in "Parameters" section; we must also quantify the reduction costs induced in the security reduction, and evaluate the impact of the quantified results on our implementation, thereby determining the basic parameter, i.e., the security bit level.
On Security Level.Given that we have selected Alkeilani Alkadri's work (Alkeilani Alkadri et al. 2020) as our baseline for comparison, which is instantiated from the lattice-based signature scheme qTESLA (Alkim et al. 2020) while our work is Falcon.Due to both qTESLA and Falcon stated the bit security level in the same BKZ cost model (Chen and Nguyen 2011), we adopt the latest method (Albrecht et al. 2019) that is 0.265B + 16.4 + log(8n) for the hardness estimation of our parameters, where B is the BKZ block size and n is the ring degree.We estimate the complexity of the best attack as equivalent to a BKZ with block size B = 497 and ring degree n = 512 , then we can compute the bit security level is 160 bits.Therefore, for any algorithm A with running time t and advantage ǫ in breaking the corresponding security, it holds that t/ǫ ≥ 2 160 .
Informally, there are three levels for our schemes, from bottom to top they are LHS, RKS, and DW.The reduction from the EUF-CMA security of LHS to the EUF-CMA-HRK security of RKS in the QROM, as proved in Theorem 3, is perfectly simulated.The reduction from the EUF-CMA-HRK secure of RKS to the DWUF secure of DW in the QROM, as proved in Theorem 2, is at a factor p additive reduction loss.Therefore, there is an additive reduction loss of p in total.From Theorems 2, 3, we compute the bit security level of our wallet schemes, considering an algorithm A with the runtime and advantage (t ′ , ǫ ′ ) in attacking the DWUF security of scheme DW, where t ′ = t and ǫ ′ = ǫ + l for the reduction loss l respect to p, and where (t, ǫ) denote the runtime and advantage of the related adversary in attacking the EUF-CMA security of the LHS scheme.Thus, we obtain As we defined in Theorem 2, p = p(n) such that p(n) > 1/ǫ(n) where ǫ(n) is the adversary's negligible advantage, hence the item 2 160 • l/ǫ is negligible.
On Concrete Parameters.We clarify that we cannot use exactly the same parameters proposed for Falcon due to the randomized operations in our work.Specifically, in the process of BasisDel, the operation of randomizing the B to B by multiplying R r , i.e., B = R −1 r B ⊤ , and the invoked sub-algorithm RandBasis, both of which would enlarge the norm of the final output B ′ .Therefore, in the signing phase, the input Gaussian parameter s would be larger than the one in Falcon.Accordingly, the parameter β that is the norm bound on the preimages would also be larger.To better understand the interplay of the parameters, we recommend the Fouque et al. (2018, Fig. 2.1), and in Table 1 we give a concrete parameters setting and below we give the concrete computation.Concretely, by the parameters summary given in Falcon (cf.Section 2.6 of Fouque et al. 2018), we have the following parameters relations: where w = 1 π • log + 1 ε ))/2 and ε ≤ 1/ √ q S .Recall q S denotes the maximal number of signing queries in our definition, following Falcon, we set q S = 2 64 .To make our implementation be NTT (Number Theoretic Transform) friendly, the modulus q needs to be the form k • 2n + 1 in order to maximize the efficiency of the NTT.We use the smallest prime of this form, that is q = 12 • 1024 + 1 = 12289.
By the parameter relations given above, we have

Implementation
In this section, we analyze the performance that can be achieved in a cryptocurrency system when employing the RKS instantiated from Falcon.Below, we explain how to s {g,f } = 1.17 q/2n, �B� gs ≤ 1.17 √ q, Rand ≥ �B� gs • w analyze the transaction throughput, which is an important measure for the wallet schemes when considering deployment in the practical scenario of cryptocurrency system.As mentioned in Alkeilani Alkadri et al. (2020), a transaction (tx) on blockchains must usually consist of a public key pk and the signature σ that was signed by the sender such that the validity of the transaction can be verified.The raw transaction size (i.e., exclude the size of pk and σ ) of a cryptocurrency system, such as Bitcoin, is roughly 100 Bytes (WIKI 2019).Therefore, the size of a transaction should be estimated as tx's size = 100 Bytes + pk's + σ's When instantiating our wallet scheme with Falcon, the pk size = 897 Bytes and signature size = 23755 Bytes (cf.Table 2) for a post-quantum security level of 160 bits.Therefore, the size of a tx would then result in 100 Bytes + 897 Bytes + 23755 Bytes ≈ 24.07 KB.
To demonstrate the performance of our work, under the concrete parameters given in Table 1, we show a comparison in Tables 2 and 3 (for the clarity of comparison results, the optimal items are presented in bold type) with the state-of-the-art work (Alkeilani Alkadri et al. 2020) that is also instantiated from lattices and proven in the quantum random oracle.To show the comparison comprehensively, we consider the transaction throughput, concrete parameters size (such as public key, etc.), and concrete computation time (on AVX2-optimized implementations).
For the concrete implementation, we implement the work (Alkeilani Alkadri et al. 2020) and ours by using C-language in the environment 3.4GHz Intel(R) Core(TM) i7-6600U CPU, 16GB Memory, and the operating system ubuntu 20.04 LTS.We perform the  basic operations over polynomials via NTT, the analogy of the FFT (Fast Fourier Transform) in the field Z q for a prime q such that q = 1 mod 2n .Under this setting, φ has n roots {τ i } over Z q , and any polynomial f ∈ Z q [x]/φ can be represented by the values f (τ i ) .
The conversion to and from NTT representation can be performed efficiently in O(n log n) operations in Z q .When conducting our experiment in NTT representation, additions, subtractions, multiplications and divisions of polynomials (i.e., modulo φ and q) can be performed coordinate-wise in Z q .

Conclusion and future works
In this paper, we present an efficient deterministic wallet scheme in the quantum random oracle model.Particularly, we provide a new construction method for post-quantum secure deterministic wallet schemes, which enables efficient instantiation.To demonstrate that, we present an efficient instantiation from the NTRU lattice-based signature scheme Falcon, and show an implementation.By comparison with the state-of-theart deterministic wallet under the same security level, our work has a comprehensive improvement.While this is the case, the signature size of our scheme is easily affected by the trapdoor quality degradation caused by lattice basis delegation.That is to say, it is worth investigating how to design a lattice-based derivation algorithm that is suitable for key derivation in wallet schemes, specifically an algorithm that produces trapdoors of higher quality, then the signature size and transaction throughput of the scheme would be further improved.

Fig. 3
Fig.3A formal description of a generic lattice-based hash-and-sign signature scheme

Fig. 4
Fig.4Construction of a deterministic wallet DW from a signature scheme with rerandomizable keys RKS and a random oracle H

Fig. 5
Fig. 5 Construction of lattice-based signature scheme with rerandomizable public keys

Fig. 6
Fig. 6 Reduction from the EUF-CMA security of LHS to the EUF-CMA-HRK security of RKS then sam- ple a preimage ē by where we set s = s s r √ m − s lhs and u := H(µ ′ , r) − A ′ R−1 e .We can check the following equation holds Finally, let e ′ = R−1 (e + ē) and output (e ′ , r) as the signa- ture (instead of (e s , r) ).As we set s = s s r √ m − s lhs , by item 1 of Lemma 3, �ē� ≤ s s r .Since R ∈ D m×m and �e� ≤ s lhs • √ m , so we have �e ′ � ≤ s √ m which is identical with e r .

Table 1
Concrete parameters of the RKS scheme in Falcon setting

Table 2
Comparison of the concrete parameters size and transaction throughput

Table 3
Comparison of the performance (in thousands of.cycles) a In Alkeilani Alkadri et al. (2020), the RandGen algorithm refers to the algorithm RandG (cf.Section 4.1 of Alkeilani Alkadri et al. (2020))