
Masking the GLP Lattice-Based Signature Scheme at Any Order

  • Research Article
  • Published in: Journal of Cryptology

Abstract

Recently, numerous physical attacks have been demonstrated against lattice-based schemes, often exploiting their unique properties such as the reliance on Gaussian distributions, rejection sampling and FFT-based polynomial multiplication. As the call for concrete implementations and deployment of postquantum cryptography becomes more pressing, protecting against those attacks is an important problem. However, few countermeasures have been proposed so far. In particular, masking has been applied to the decryption procedure of some lattice-based encryption schemes, but the much more difficult case of signatures (which are highly nonlinear and typically involve randomness) has not been considered until now. In this paper, we describe the first masked implementation of a lattice-based signature scheme. Since masking Gaussian sampling and other procedures involving contrived probability distributions would be prohibitively inefficient, we focus on the GLP scheme of Güneysu, Lyubashevsky and Pöppelmann (CHES 2012). We show how to provably mask it in the Ishai–Sahai–Wagner model (CRYPTO 2003) at any order in a relatively efficient manner, using extensions of the techniques of Coron et al. for converting between arithmetic and Boolean masking. Our proof relies on a mild generalization of probing security that supports the notion of public outputs. We also provide a proof-of-concept implementation to assess the efficiency of the proposed countermeasure.



Notes

  1. We are indebted to Vadim Lyubashevsky for suggesting this approach.

  2. We thank Damien Stehlé for suggesting this approach.

  3. In this paper, the probes generally correspond to the coefficients (in \(\mathbb {K}=\mathbb {Z}_p\)) of the polynomials displayed in the algorithms.

References

  1. M. Abdalla, J.H. An, M. Bellare, C. Namprempre, From identification to signatures via the Fiat–Shamir transform: Minimizing assumptions for security and forward-security. In L.R. Knudsen, editor, EUROCRYPT 2002, volume 2332 of LNCS (Springer, Heidelberg, 2002), pp. 418–433

  2. D.F. Aranha, S. Berndt, T. Eisenbarth, O. Seker, A. Takahashi, L. Wilke, G. Zaverucha, Side-channel protections for Picnic signatures. IACR TCHES, 2021(4), 239–282 (2021)

  3. S. Bai, S.D. Galbraith, An improved compression technique for signatures based on learning with errors. In J. Benaloh, editor, CT-RSA 2014, volume 8366 of LNCS (Springer, Heidelberg, 2014), pp. 28–47

  4. G. Barthe, S. Belaïd, F. Dupressoir, P.-A. Fouque, B. Grégoire, P.-Y. Strub, Verified proofs of higher-order masking. In E. Oswald and M. Fischlin, editors, EUROCRYPT 2015, Part I, volume 9056 of LNCS (Springer, Heidelberg, 2015), pp. 457–485

  5. G. Barthe, S. Belaïd, F. Dupressoir, P.-A. Fouque, B. Grégoire, P.-Y. Strub, R. Zucchini, Strong non-interference and type-directed higher-order masking. In E.R. Weippl, S. Katzenbeisser, C. Kruegel, A.C. Myers, and S. Halevi, editors, ACM CCS 2016 (ACM Press, 2016), pp. 116–129

  6. G. Barthe, S. Belaïd, T. Espitau, P.-A. Fouque, B. Grégoire, M. Rossi, M. Tibouchi, Masking the GLP lattice-based signature scheme at any order. In J.B. Nielsen and V. Rijmen, editors, EUROCRYPT 2018, Part II, volume 10821 of LNCS (Springer, Heidelberg, 2018), pp. 354–384

  7. G. Barthe, S. Belaïd, T. Espitau, P.-A. Fouque, M. Rossi, M. Tibouchi, GALACTICS: Gaussian sampling for lattice-based constant-time implementation of cryptographic signatures, revisited. In L. Cavallaro, J. Kinder, X. Wang, and J. Katz, editors, ACM CCS 2019 (ACM Press, 2019), pp. 2147–2164

  8. C. Baum, I. Damgård, S. Oechsner, C. Peikert, Efficient commitments and zero-knowledge protocols from Ring-SIS with applications to lattice-based threshold cryptosystems. Cryptology ePrint Archive, Report 2016/997 (2016). http://eprint.iacr.org/2016/997

  9. M. Bellare, G. Neven, Multi-signatures in the plain public-key model and a general forking lemma. In A. Juels, R.N. Wright, and S. De Capitani di Vimercati, editors, ACM CCS 2006 (ACM Press, 2006), pp. 390–399

  10. N. Bindel, J.A. Buchmann, J. Krämer, Lattice-based signature schemes and their sensitivity to fault attacks. In P. Maurine and M. Tunstall, editors, FDTC 2016 (IEEE Computer Society, 2016), pp. 63–77

  11. J.W. Bos, M. Gourjon, J. Renes, T. Schneider, C. van Vredendaal, Masking Kyber: First- and higher-order implementations. IACR TCHES, 2021(4), 173–214 (2021). https://tches.iacr.org/index.php/TCHES/article/view/9064

  12. C. Boschini, A. Takahashi, M. Tibouchi, MuSig-L: Lattice-based multi-signature with single-round online phase. Cryptology ePrint Archive, Paper 2022/1036 (2022). https://eprint.iacr.org/2022/1036

  13. L.G. Bruinderink, A. Hülsing, T. Lange, Y. Yarom, Flush, Gauss, and Reload: A cache attack on the BLISS lattice-based signature scheme. In B. Gierlichs and A.Y. Poschmann, editors, CHES 2016, volume 9813 of LNCS (Springer, Heidelberg, 2016), pp. 323–345

  14. S. Chari, J.R. Rao, P. Rohatgi, Template attacks. In B.S. Kaliski Jr., Ç.K. Koç, and C. Paar, editors, CHES 2002, volume 2523 of LNCS (Springer, Heidelberg, 2003), pp. 13–28

  15. A. Chopra, GLYPH: A new insantiation of the GLP digital signature scheme. Cryptology ePrint Archive, Report 2017/766 (2017). http://eprint.iacr.org/2017/766

  16. A. Chopra, Software implementation of GLYPH. GitHub repository (2017). https://github.com/quantumsafelattices/glyph

  17. J.-S. Coron, Higher order masking of look-up tables. In P.Q. Nguyen and E. Oswald, editors, EUROCRYPT 2014, volume 8441 of LNCS (Springer, Heidelberg, 2014), pp. 441–458

  18. J.-S. Coron, High-order conversion from Boolean to arithmetic masking. Cryptology ePrint Archive, Report 2017/252 (2017). https://eprint.iacr.org/2017/252

  19. J.-S. Coron, F. Gérard, S. Montoya, R. Zeitoun, High-order table-based conversion algorithms and masking lattice-based encryption. IACR TCHES, 2022(2), 1–40 (2022). https://tches.iacr.org/index.php/TCHES/article/view/9479

  20. J.-S. Coron, F. Gérard, M. Trannoy, R. Zeitoun, High-order masking of NTRU. Cryptology ePrint Archive, Report 2022/1188 (2022). https://eprint.iacr.org/2022/1188

  21. J.-S. Coron, J. Großschädl, M. Tibouchi, P.K. Vadnala, Conversion from arithmetic to Boolean masking with logarithmic complexity. In G. Leander, editor, FSE 2015, volume 9054 of LNCS (Springer, Heidelberg, 2015), pp. 130–149

  22. J.-S. Coron, J. Großschädl, P.K. Vadnala, Secure conversion between Boolean and arithmetic masking of any order. In L. Batina and M. Robshaw, editors, CHES 2014, volume 8731 of LNCS (Springer, Heidelberg, 2014), pp. 188–205

  23. I. Damgård, C. Orlandi, A. Takahashi, M. Tibouchi, Two-round n-out-of-n and multi-signatures and trapdoor commitment from lattices. In J. Garay, editor, PKC 2021, Part I, volume 12710 of LNCS (Springer, Heidelberg, 2021), pp. 99–130

  24. I. Damgård, C. Orlandi, A. Takahashi, M. Tibouchi, Two-round n-out-of-n and multi-signatures and trapdoor commitment from lattices. J. Cryptol., 35(2):14 (2022)

  25. A. Duc, S. Dziembowski, S. Faust, Unifying leakage models: From probing attacks to noisy leakage. In P.Q. Nguyen and E. Oswald, editors, EUROCRYPT 2014, volume 8441 of LNCS (Springer, Heidelberg, 2014), pp. 423–440

  26. L. Ducas, A. Durmus, T. Lepoint, V. Lyubashevsky, Lattice signatures and bimodal Gaussians. In R. Canetti and J.A. Garay, editors, CRYPTO 2013, Part I, volume 8042 of LNCS (Springer, Heidelberg, 2013), pp. 40–56

  27. L. Ducas, T. Lepoint, V. Lyubashevsky, P. Schwabe, G. Seiler, D. Stehlé, CRYSTALS-Dilithium: Digital signatures from module lattices. Cryptology ePrint Archive, Report 2017/633 (2017). https://eprint.iacr.org/2017/633

  28. T. Espitau, P.-A. Fouque, B. Gérard, M. Tibouchi, Loop-abort faults on lattice-based Fiat–Shamir and hash-and-sign signatures. In R. Avanzi and H.M. Heys, editors, SAC 2016, volume 10532 of LNCS (Springer, Heidelberg, 2016), pp. 140–158

  29. T. Espitau, P.-A. Fouque, B. Gérard, M. Tibouchi, Side-channel attacks on BLISS lattice-based signatures: Exploiting branch tracing against strongSwan and electromagnetic emanations in microcontrollers. In B.M. Thuraisingham, D. Evans, T. Malkin, and D. Xu, editors, ACM CCS 2017 (ACM Press, 2017), pp. 1857–1874

  30. T. Espitau, P.-A. Fouque, F. Gérard, M. Rossi, A. Takahashi, M. Tibouchi, A. Wallet, Y. Yu, Mitaka: A simpler, parallelizable, maskable variant of Falcon. In O. Dunkelman and S. Dziembowski, editors, EUROCRYPT 2022, Part III, volume 13277 of LNCS (Springer, Heidelberg, 2022), pp. 222–253

  31. M. Fukumitsu, S. Hasegawa, A lattice-based provably secure multisignature scheme in quantum random oracle model. In K. Nguyen, W. Wu, K.-Y. Lam, and H. Wang, editors, ProvSec 2020, volume 12505 of LNCS (Springer, Heidelberg, 2020), pp. 45–64

  32. C. Gentry, C. Peikert, V. Vaikuntanathan, Trapdoors for hard lattices and new cryptographic constructions. In R.E. Ladner and C. Dwork, editors, 40th ACM STOC (ACM Press, 2008), pp. 197–206

  33. F. Gérard, M. Rossi, An efficient and provable masked implementation of qTESLA. In S. Belaïd and T. Güneysu, editors, CARDIS 2019, volume 11833 of LNCS (Springer, 2019), pp. 74–91

  34. S. Goldwasser, S. Micali, R.L. Rivest, A digital signature scheme secure against adaptive chosen-message attacks. SIAM J. Comput., 17(2):281–308 (1988)

  35. T. Güneysu, V. Lyubashevsky, T. Pöppelmann, Practical lattice-based cryptography: A signature scheme for embedded systems. In E. Prouff and P. Schaumont, editors, CHES 2012, volume 7428 of LNCS (Springer, Heidelberg, 2012), pp. 530–547

  36. Y. Ishai, A. Sahai, D. Wagner, Private circuits: Securing hardware against probing attacks. In D. Boneh, editor, CRYPTO 2003, volume 2729 of LNCS (Springer, Heidelberg, 2003), pp. 463–481

  37. V. Lyubashevsky, Fiat–Shamir with aborts: Applications to lattice and factoring-based signatures. In M. Matsui, editor, ASIACRYPT 2009, volume 5912 of LNCS (Springer, Heidelberg, 2009), pp. 598–616

  38. V. Lyubashevsky, Lattice signatures without trapdoors. In D. Pointcheval and T. Johansson, editors, EUROCRYPT 2012, volume 7237 of LNCS (Springer, Heidelberg, 2012), pp. 738–755

  39. V. Migliore, B. Gérard, M. Tibouchi, P.-A. Fouque, Masking Dilithium: Efficient implementation and side-channel evaluation. In R.H. Deng, V. Gauthier-Umaña, M. Ochoa, and M. Yung, editors, ACNS 19, volume 11464 of LNCS (Springer, Heidelberg, 2019), pp. 344–362

  40. T. Oder, T. Schneider, T. Pöppelmann, T. Güneysu, Practical CCA2-secure and masked ring-LWE implementation. Cryptology ePrint Archive, Report 2016/1109 (2016). https://eprint.iacr.org/2016/1109

  41. P. Pessl, L. Groot Bruinderink, Y. Yarom, To BLISS-B or not to be: Attacking strongSwan's implementation of post-quantum signatures. In B.M. Thuraisingham, D. Evans, T. Malkin, and D. Xu, editors, ACM CCS 2017 (ACM Press, 2017), pp. 1843–1855

  42. T. Pöppelmann, L. Ducas, T. Güneysu, Enhanced lattice-based signatures on reconfigurable hardware. In L. Batina and M. Robshaw, editors, CHES 2014, volume 8731 of LNCS (Springer, Heidelberg, 2014), pp. 353–370

  43. O. Reparaz, R. de Clercq, S.S. Roy, F. Vercauteren, I. Verbauwhede, Additively homomorphic Ring-LWE masking. In T. Takagi, editor, PQCrypto 2016, volume 9606 of LNCS (Springer, 2016), pp. 233–244

  44. O. Reparaz, S.S. Roy, F. Vercauteren, I. Verbauwhede, A masked ring-LWE implementation. In T. Güneysu and H. Handschuh, editors, CHES 2015, volume 9293 of LNCS (Springer, Heidelberg, 2015), pp. 683–702

  45. M. Rivain, E. Prouff, Provably secure higher-order masking of AES. In S. Mangard and F.-X. Standaert, editors, CHES 2010, volume 6225 of LNCS (Springer, Heidelberg, 2010), pp. 413–427

  46. T. Schneider, C. Paglialonga, T. Oder, T. Güneysu, Efficiently masking binomial sampling at arbitrary orders for lattice-based crypto. In D. Lin and K. Sako, editors, PKC 2019, Part II, volume 11443 of LNCS (Springer, Heidelberg, 2019), pp. 534–564


Acknowledgements

We are indebted to Vadim Lyubashevsky for fruitful discussions, and to the reviewers of EUROCRYPT for their useful comments. We acknowledge the support of the French Programme d’Investissement d’Avenir under national project RISQ. This work is also partially supported by the European Union PROMETHEUS project (Horizon 2020 Research and Innovation Program, grant 780701), ONR Grant N000141512750 and by the French FUI-AAP25 VeriSiCC project. This research has been partially funded by ANRT under the programs CIFRE N 2016/1583.


Corresponding author

Correspondence to Mélissa Rossi.

Additional information

Communicated by Kenny Paterson.


Appendices

Security Proof for rGLP and rGLP with commitment

1.1 Mathematical preliminaries

Before the security proof itself, we collect the probabilistic tools it relies on.

1.2 Concentration bounds for inner products of uniform vectors.

Proposition 1

Let \(u = (u_1, \ldots , u_n)^T \in \mathbb {R}^n\) be a fixed vector and \(x= (x_1, \ldots , x_n)^T\) a uniformly random vector of \(\{-1,0,1\}^n\). Then \(\langle u, x\rangle \) satisfies

$$\begin{aligned} \textbf{E}\left[ e^{s\langle {x},{u}\rangle }\right] \le e^{\frac{\Vert u\Vert _2^2s^2}{2}}, \end{aligned}$$

for any \(s\in \mathbb {R}\).

This first concentration inequality is classical in the probability literature: it asserts that the inner product between a uniformly random vector and a fixed vector is a subgaussian random variable. For completeness, we give a short proof.

Proof

Fix \(s\in \mathbb {R}\). By linearity and independence:

$$\begin{aligned} \textbf{E}\left[ e^{s\langle u, x\rangle }\right]&= \textbf{E}\left[ e^{s\sum _{i=1}^n u_i x_i}\right]&\\&= \prod _{i=1}^n \textbf{E}\left[ e^{sx_iu_i}\right]&(\text {independence of the } x_i)\\&\le \prod _{i=1}^n e^{\frac{s^2|u_i|^2}{2}}&(\text {Hoeffding's lemma, since } x_i\in [-1,1] \text { and } \textbf{E}[x_i]=0) \\&= e^{\frac{\Vert u\Vert _2^2s^2}{2}}. \end{aligned}$$

\(\square \)

Proposition 2

Let \(u = (u_1, \ldots , u_n)^T \in \mathbb {R}^n\) be a fixed vector and \(x= (x_1, \ldots , x_n)^T\) a uniformly random vector of \(\{-1,0,1\}^n\) of Hamming weight at most \(\alpha \). Then

$$\begin{aligned} \Pr \left[ |\langle u,x\rangle | \ge \sqrt{4\alpha /3}\cdot \Vert u\Vert _{\infty } \right] \le \frac{1}{2}. \end{aligned}$$

This second concentration bound gives a more precise result when the random vector x is sparse.

Proof

Denote by I the support of x. By symmetry of the distribution of x, \(\textbf{E}[\langle u,x\rangle ] = 0\), and by linearity and independence:

$$\begin{aligned} \textbf{E}\left[ {\langle u, x\rangle }^2\right] = \sum _{i\ne j \in I}u_iu_j\textbf{E}\left[ x_i\right] \textbf{E}\left[ x_j\right] + \sum _{i\in I}u_i^2\textbf{E}\left[ x_i^2\right] \le \frac{2\alpha }{3}\Vert u\Vert _{\infty }^2. \end{aligned}$$

We conclude by the Bienaymé–Chebyshev inequality: \(\Pr [|\langle u,x\rangle | \ge \sqrt{4\alpha /3}\,\Vert u\Vert _\infty ] \le \textbf{E}[\langle u,x\rangle ^2] / \left( \frac{4\alpha }{3}\Vert u\Vert _\infty ^2\right) \le \frac{1}{2}\). \(\square \)

A reduction from a variant of DCK. In all of the following, for any finite set S, we denote by \(\mathcal {U}(S)\) the uniform distribution over S. Fix a positive integer \(\gamma \), and let \(\mathfrak {u}_\gamma \) be the convolution \(\mathcal {U}(\{-1,0,1\})\star \mathcal {U}(\{1-\gamma ,\ldots ,\gamma -1\})\), that is, the distribution of U+V for two independent random variables U and V drawn respectively under \(\mathcal {U}(\{-1,0,1\})\) and \(\mathcal {U}(\{1-\gamma ,\ldots ,\gamma -1\})\); its support is \(\{-\gamma ,\ldots ,\gamma \}\). We extend this distribution to \(\mathcal {R}_\gamma \) by sampling the n coefficients independently from \(\mathfrak {u}_\gamma \), and call the resulting distribution \(\widetilde{\mathcal {U}}_\gamma \).

Lemma 10

The statistical distance between \(\widetilde{\mathcal {U}}_\gamma \) and \(\mathcal {U}(\mathcal {R}_\gamma )\) is bounded by \(\frac{n}{\gamma }\).

Proof

Let U and V be two independent random variables, drawn respectively under \(\mathcal {U}(\{1-\gamma , \ldots , \gamma -1\})\) and \(\mathcal {U}(\{-1, 0, 1\})\), so that U+V is distributed as \(\mathfrak {u}_\gamma \). For \(t\in \{-\gamma ,\ldots ,\gamma \}\),

$$\begin{aligned} \Pr _{U,V}\left[ U+V = t\right] = \sum _{v\in \{-1,0,1\}}\frac{1}{3}\Pr _U\left[ U = t-v\right] = \frac{c(t)}{3(2\gamma -1)}, \end{aligned}$$

where \(c(t) = \#\{v\in \{-1,0,1\} : |t-v|\le \gamma -1\}\) equals 3 for \(|t|\le \gamma -2\), 2 for \(|t| = \gamma -1\) and 1 for \(|t| = \gamma \). For \(\gamma = 1\) the two distributions coincide (\(\mathfrak {u}_1 = \mathcal {U}(\{-1,0,1\})\)), and for \(\gamma = 2\) a direct computation gives \(\Delta (\mathfrak {u}_2, \mathcal {U}(\{-2,\ldots ,2\})) = 8/45 < 1/2\), so the bound holds; assume \(\gamma \ge 3\) from now on, so that \((2\gamma +1)^{-1} \ge \frac{2}{3}(2\gamma -1)^{-1}\). Writing \(\Delta (\cdot ,\cdot ) = \frac{1}{2}\sum _t |\cdot -\cdot |\) and bounding the distance between the two product distributions by the sum of the coefficient-wise distances, we get

$$\begin{aligned} \Delta (\widetilde{\mathcal {U}}_\gamma , \mathcal {U}(\mathcal {R}_\gamma ))&\le n \Delta (\mathfrak {u}_\gamma , \mathcal {U}(\{-\gamma , \ldots , \gamma \}))\\&= \frac{n}{2} \sum _{t\in \{-\gamma , \ldots , \gamma \}} \left| \Pr _{U,V}\left[ {U}+{V} = t\right] - (2\gamma +1)^{-1}\right| \\&= \frac{n}{2}\left[ (2\gamma -3)\left( \frac{1}{2\gamma -1} - \frac{1}{2\gamma +1}\right) + 2\left( \frac{1}{2\gamma +1} - \frac{2}{3(2\gamma -1)}\right) + 2\left( \frac{1}{2\gamma +1} - \frac{1}{3(2\gamma -1)}\right) \right] \\&= \frac{n}{2}\cdot \frac{8\gamma -12}{4\gamma ^2-1} = \frac{n(4\gamma -6)}{4\gamma ^2-1} \\&< \frac{n}{\gamma }, \end{aligned}$$

the last inequality because \(\gamma (4\gamma -6) < 4\gamma ^2-1\). \(\square \)
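The per-coefficient distance in the proof above can be computed exactly, which is useful when choosing \(\gamma \). The following is an added example, not code from the paper or its implementation: it builds \(\mathfrak {u}_\gamma \) as the convolution of the two uniform laws with exact rationals, evaluates \(\Delta (\mathfrak {u}_\gamma , \mathcal {U}(\{-\gamma ,\ldots ,\gamma \}))\), and applies the n-fold union bound of Lemma 10. The same `convolve` step is what adding a uniform \(\mathcal {R}_{\gamma -1}\) term to a \(\{-1,0,1\}\) secret does coefficient-wise in the proof of Proposition 3 below. The values of \(\gamma \) and n used in the driver are arbitrary.

```python
from fractions import Fraction

def uniform_pmf(lo, hi):
    """Uniform distribution on the integers lo..hi, as a dict t -> probability."""
    w = Fraction(1, hi - lo + 1)
    return {t: w for t in range(lo, hi + 1)}

def convolve(p, q):
    """Distribution of X + Y for independent X ~ p and Y ~ q."""
    out = {}
    for x, px in p.items():
        for y, qy in q.items():
            out[x + y] = out.get(x + y, 0) + px * qy
    return out

def stat_dist(p, q):
    """Delta(p, q) = (1/2) * sum_t |p(t) - q(t)| over the union of the supports."""
    return sum(abs(p.get(t, 0) - q.get(t, 0)) for t in set(p) | set(q)) / 2

def u_gamma(gamma):
    """Per-coefficient law u_gamma = U({-1,0,1}) * U({1-gamma, ..., gamma-1});
    coefficient-wise this is a {-1,0,1} DCK secret plus a uniform R_{gamma-1} term."""
    return convolve(uniform_pmf(-1, 1), uniform_pmf(1 - gamma, gamma - 1))

def delta_coeff(gamma):
    """Exact Delta(u_gamma, U({-gamma, ..., gamma}))."""
    return stat_dist(u_gamma(gamma), uniform_pmf(-gamma, gamma))

def delta_bound_n(gamma, n):
    """Union bound over the n independent coefficients: Delta(U~_gamma, U(R_gamma)) <= n * delta_coeff."""
    return n * delta_coeff(gamma)

def closed_form(gamma):
    """(4*gamma - 6) / (4*gamma^2 - 1): the value of delta_coeff for gamma >= 3."""
    return Fraction(4 * gamma - 6, 4 * gamma * gamma - 1)

if __name__ == "__main__":
    # arbitrary sample values; n = 512 is a typical ring dimension
    for g in (2, 3, 10, 100, 1000):
        print(g, delta_coeff(g), float(delta_coeff(g)), float(delta_bound_n(g, 512)))
```

Since the per-coefficient distance is close to \(1/\gamma \), the union bound over n coefficients is only below 1 once \(\gamma \) exceeds roughly n; for smaller \(\gamma \) Lemma 10 gives no information and one has to rely on the exact values computed here.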

We now introduce a variant of the DCK\(_{p,n}\) problem where the terms \(\textbf{s}_1, \textbf{s}_2\) are now sampled from the distribution \(\widetilde{\mathcal {U}}_\gamma \).

Definition 8

The S-DCK\(_{p,n,\gamma }\) problem (Summed Decisional Compact Knapsack problem) is the problem of distinguishing the uniform distribution over \(\mathcal {R} \times \mathcal {R}\) from the distribution of \((\textbf{a},\textbf{as}_1+\textbf{s}_2)\) with \(\textbf{a}\) uniform in \(\mathcal {R}\) and \(\textbf{s}_1\), \(\textbf{s}_2\) independently drawn under \(\widetilde{\mathcal {U}}_\gamma \).

Since the support of \(\widetilde{\mathcal {U}}_\gamma \) is larger than the support of the secrets in the original DCK\(_{p,n}\) problem, it is natural to expect DCK\(_{p,n}\) to be no harder than S-DCK\(_{p,n,\gamma }\). This intuition is formalized in Proposition 3.

Proposition 3

The DCK\(_{p,n}\) problem is at most as hard as the S-DCK\(_{p,n,\gamma }\) problem.

Proof

Any challenge \((\textbf{a},\textbf{u})\) of the DCK\(_{p,n}\) problem can be transformed into a challenge \((\textbf{a},\textbf{u}')\) for the S-DCK\(_{p,n,\gamma }\) problem by setting \(\textbf{u}' = \textbf{u}+\textbf{a}\textbf{u}_1+\textbf{u}_2\) with \(\textbf{u}_1\), \(\textbf{u}_2\) independently and uniformly drawn in \(\mathcal {R}_{\gamma -1}\). Indeed, if \(\textbf{u}\) is of the form \(\textbf{a}\textbf{s}_1+\textbf{s}_2\) for \(\textbf{s}_1,\textbf{s}_2\) drawn independently and uniformly in \(\mathcal {R}_1\), then \(\textbf{u}' = \textbf{a}(\textbf{s}_1+\textbf{u}_1)+(\textbf{s}_2+\textbf{u}_2)\), and by definition of \(\widetilde{\mathcal {U}}_\gamma \) the terms \(\textbf{s}_i+\textbf{u}_i\) are independently drawn under \(\widetilde{\mathcal {U}}_\gamma \). If \(\textbf{u}\) is uniform in \(\mathcal {R}\), then \(\textbf{u}'\) remains uniform in \(\mathcal {R}\). Hence any distinguisher for S-DCK\(_{p,n,\gamma }\) yields a distinguisher for DCK\(_{p,n}\) with the same advantage. \(\square \)

1.3 Collision probability for linear hashing over \(\mathcal {R}\).

Lemma 11

Let \(0<\gamma <p\) and \(\textbf{a}\in \mathcal {R}\). For \((\textbf{s}_1, \textbf{s}_2)\in \mathcal {R}_\gamma ^2\) drawn under \(\widetilde{\mathcal {U}}_\gamma \times \widetilde{\mathcal {U}}_\gamma \), there exists another pair \((\textbf{s}'_1, \textbf{s}'_2)\in \mathcal {R}_\gamma ^2\) such that \(\textbf{as}_1 + \textbf{s}_2 = \textbf{as}'_1+\textbf{s}'_2 \) with probability at least \(1-\frac{p^n}{(2\gamma +1)^{2n}}-\frac{2n}{\gamma }-\frac{2n}{\gamma ^2}\).

Proof

Let \(\textbf{a}\in \mathcal {R}\) and define the linear map \(\phi _\textbf{a}:(\textbf{x},\textbf{y}) \mapsto \textbf{ax}+\textbf{y}\). Its image has at most \(p^n\) elements. The pairs \((\textbf{x}, \textbf{y}) \in \mathcal {R}_\gamma ^{2}\) such that \(\phi _\textbf{a}(\textbf{x}, \textbf{y})\ne \phi _\textbf{a}(\textbf{x}', \textbf{y}')\) for every other \((\textbf{x}', \textbf{y}') \in \mathcal {R}_\gamma ^{2}\) have pairwise distinct images, so there are at most \(p^n\) of them. Hence the probability that a pair drawn uniformly in \(\mathcal {R}_\gamma ^2\) has no second preimage under \(\phi _\textbf{a}\) is at most

$$\begin{aligned} \frac{p^n}{(2\gamma +1)^{2n}}. \end{aligned}$$

We conclude by accounting for the statistical distance between the uniform distribution over \(\mathcal {R}_\gamma ^2\) and \(\widetilde{\mathcal {U}}_\gamma \times \widetilde{\mathcal {U}}_\gamma \), which is at most twice the bound of Lemma 10. \(\square \)

1.4 Security Proof for the \(\textbf{r}\)-GLP Signature Scheme

In this section, we present a security proof for our \(\textbf{r}\)-GLP signature scheme. The unforgeability of the scheme under the hardness of both the DCK and R-DCK problems is captured by the following theorem:

Theorem 5

The probability \(\delta \) that an adversary \(\mathcal {A}\), who makes at most \(q_h\) queries to the random oracle H and runs in time T, succeeds in forging a signature when interacting with the signing oracle \({\textbf {S}}_0\) is upper bounded by:

$$\begin{aligned} \delta \le \sqrt{\frac{\epsilon _{\textbf {DCK}}(T)}{C}} + \epsilon _{\textbf {R-DCK}}(T)+ (1-p_r)\frac{q_h}{p^n}+ p_r\frac{q_h}{(2k+1)^n}+ 2\epsilon _\text {{\textbf {DCK}}}(T) \end{aligned}$$

with:

$$\begin{aligned} C = \frac{A_\gamma }{32}\left( 1-\left( \frac{n}{2\gamma }\right) ^2\right) \left( 1-\left( \frac{\sqrt{p}}{(2\gamma )}\right) ^{-2n}-\frac{n}{(2\gamma )} \right) , \end{aligned}$$

and

$$\begin{aligned} A_\gamma = \sup _x \left[ 1-2e^{-x}-4\sqrt{2}(2k+\gamma \sqrt{16x/3})\sqrt{x+\log {n}}/p\right] , p_r = \left( 1-\frac{2\alpha }{2k+1}\right) ^{2n}, \end{aligned}$$

for \(1\le \gamma \le p\).

1.5 Description of the Hybrid Games Involved in the Security Proof.

Algorithm 21 (Signature oracle \({\textbf {S}}_0\)) and Algorithm 22 (Signature oracle \({\textbf {S}}_1\)): pseudocode figures not reproduced on this page.

Game \({\textbf {G}}_0\).

This game is the security game of existential unforgeability under chosen message attack [34].

  1. \((\textbf{s}_1, \textbf{s}_2), (\textbf{a},\textbf{t}) \leftarrow \textsc {KeyGen}()\)

  2. \((m^*, \sigma ^*) \leftarrow \mathcal {A}^{H, S_0(\textbf{s}_1,\textbf{s}_2)}(\textbf{a},\textbf{t})\)

  3. return 1 if (\(\textsc {Verify}(\textbf{a},\textbf{t},m^*,\sigma ^*)=1\) and \((m^*,\sigma ^*)\) has not been returned by the oracle \({\textbf {S}}_0\)); return 0 otherwise.

The signing oracle \({\textbf {S}}_0\) is described in Algorithm 21.

Game \({\textbf {G}}_1\).

This game is the same as \({\textbf {G}}_0\) except that the signing oracle is replaced by the oracle \({\textbf {S}}_1\) described in Algorithm 22:

  1. \((\textbf{s}_1, \textbf{s}_2), (\textbf{a},\textbf{t}) \leftarrow \textsc {KeyGen}()\)

  2. \((m^*, \sigma ^*) \leftarrow \mathcal {A}^{H, S_1(\textbf{s}_1,\textbf{s}_2)}(\textbf{a},\textbf{t})\)

  3. return 1 if (\(\textsc {Verify}(\textbf{a},\textbf{t},m^*,\sigma ^*)=1\) and \((m^*,\sigma ^*)\) has not been returned by the oracle \({\textbf {S}}_1\)); return 0 otherwise.

The only difference between the actual signing algorithm and the algorithm of \({\textbf {S}}_1\) is that in this oracle, when the rejection sampling fails, the output commitment value \(\textbf{r}\) is replaced by a fresh uniformly random element of \(\mathcal {R}\) (and the random oracle H is programmed at \((\textbf{r}, m)\) accordingly), independently of the values taken by \(\textbf{y}_1\) and \(\textbf{y}_2\).

Game \({\textbf {G}}_2\).

This game is the same as \({\textbf {G}}_1\) except that the signing oracle is replaced by the oracle \({\textbf {S}}_2\) described in Algorithm 23:

  1. \((\textbf{s}_1, \textbf{s}_2), (\textbf{a},\textbf{t}) \leftarrow \textsc {KeyGen}()\)

  2. \((m^*, \sigma ^*) \leftarrow \mathcal {A}^{H, S_2}(\textbf{a},\textbf{t})\)

  3. return 1 if (\(\textsc {Verify}(\textbf{a},\textbf{t},m^*,\sigma ^*)=1\) and \((m^*,\sigma ^*)\) has not been returned by the oracle \({\textbf {S}}_2\)); return 0 otherwise.

The difference between \({\textbf {G}}_1\) and \({\textbf {G}}_2\) is that the oracle \({\textbf {S}}_2\) no longer uses the secret key: the challenge \(\textbf{c}\) is chosen uniformly at random in \(\mathcal {D}_{\alpha }^n\), the signature is simulated, and the random oracle H is programmed so that it returns \(\textbf{c}\) at the corresponding commitment.

Game \({\textbf {G}}_3\).

This game differs slightly from the previous one, but the oracle it uses is still \({\textbf {S}}_2\), described in Algorithm 23. The difference between the two games mainly lies in the fact that the domain from which the keys are drawn is extended to \(\mathcal {R}_\gamma \), under the distribution \(\widetilde{\mathcal {U}}_\gamma \). We ultimately want to show that a forger against this game can be used to solve an instance of the DCK problem.

input: \((\textbf{a},\textbf{t}_0)\), a challenge of \(\textsc {DCK}_{p,n}\)

  1. \((\textbf{s}_1, \textbf{s}_2) \leftarrow ^{\$} \widetilde{\mathcal {U}}_{\gamma }^2\)

  2. \(\textbf{a} \leftarrow ^{\$} \mathcal {R}\)

  3. \(\textbf{t} \leftarrow \textbf{a}\textbf{s}_1+\textbf{s}_2\)

  4. \((m^*, \sigma ^*) \leftarrow \mathcal {A}^{H, S_2}(\textbf{a},\textbf{t})\)

  5. return 1 if (\(\textsc {Verify}(\textbf{a},\textbf{t},m^*,\sigma ^*)=1\) and \((m^*,\sigma ^*)\) has not been returned by the oracle \({\textbf {S}}_2\)); return 0 otherwise.

Algorithm 23 (Signature oracle \({\textbf {S}}_2\)): pseudocode figure not reproduced on this page.

Proof of Theorem 5. We first establish indistinguishability results between the games \({\textbf {G}}_0\) and \({\textbf {G}}_1\), then between \({\textbf {G}}_1\) and \({\textbf {G}}_2\), and finally between \({\textbf {G}}_2\) and \({\textbf {G}}_3\). These results are formalized in Lemma 12, Lemma 13 and Lemma 14. We then show in Lemma 15 how to construct a distinguisher for the \({\textbf {DCK}}\) problem from an adversary that wins the game \({\textbf {G}}_3\) with non-negligible probability. Theorem 5 then follows from the triangle inequality.

Before going into the details of these lemmas, and since this quantity is used several times in the proof, we recall the probability \(p_r\) that a candidate signature is accepted by the rejection sampling of the signing algorithm (or equivalently of the oracle \({\textbf {S}}_0\)):

$$\begin{aligned} p_r = \left( 1-\frac{2\alpha }{2k+1}\right) ^{2n} \end{aligned}$$

Lemma 12

(Computational indistinguishability of \({\textbf {G}}_0\) and \({\textbf {G}}_1\)) Let \(\mathcal {A}\) be an adversary of time complexity bounded by T, having access to either the signing oracle \({\textbf {S}}_0\) or the oracle \({\textbf {S}}_1\), and making at most \(q_h\) queries to the H oracle (this count includes the queries made through the signing oracle). Its advantage in distinguishing \({\textbf {S}}_0\) from \({\textbf {S}}_1\) is bounded by:

$$\begin{aligned} \epsilon _{\textbf {R-DCK}}(T)+ (1-p_r)\frac{q_h}{p^n}. \end{aligned}$$

Proof

Remark that:

  1. The output distributions of the two oracles on executions accepted by the rejection sampling (that is, where both \({\textbf {z}}_1\) and \({\textbf {z}}_2\) lie in the set \(\mathcal {R}_{k-\alpha }\)) are identical.

  2. On the one hand, the distribution of the outputs of \({\textbf {S}}_0\) that are rejected by the rejection sampling is by construction the distribution of \(\textbf{a}\textbf{y}_1+\textbf{y}_2\) where \((\textbf{a},\textbf{c},\textbf{y}_1,\textbf{y}_2)\) is uniformly sampled in \(\mathcal {R}\times \mathcal {D}^{n}_{\alpha }\times \mathcal {R}_{k}^{2}\), conditioned on the event \(\textbf{s}_1\textbf{c}+\textbf{y}_1\notin \mathcal {R}_{k-\alpha }\) or \(\textbf{s}_2\textbf{c}+\textbf{y}_2\notin \mathcal {R}_{k-\alpha }\). Such a vector, together with \(\textbf{a}\) and \(\textbf{c}\), is by definition a sample of the \({\textbf {R-DCK}}\) distribution.

  3. On the other hand, the distribution of the outputs of \({\textbf {S}}_1\) that are rejected by the rejection sampling is by construction the uniform distribution over \(\mathcal {R}\), as long as the simulation of the random oracle is perfect and remains consistent. Indeed, after drawing the commitment \(\textbf{r}\), the random oracle H is programmed so that \(H(\textbf{r}, m) = \textbf{c}\) without checking whether the value \(H(\textbf{r}, m)\) has already been set. Since the adversary queries H at most \(q_h\) times, at most \(q_h\) values can already be set; hence this distribution is at statistical distance at most

    $$\begin{aligned} q_h\left\{ \Pr _{\textbf{r}\xleftarrow {\$} \mathcal {R}}\left[ \textbf{r} \text { already set by } H \right] \right\} = q_h p^{-n} \end{aligned}$$

    from uniform.

Therefore, by the law of total probability, the advantage of \(\mathcal {A}\) in distinguishing the two oracles \({\textbf {S}}_0\) and \({\textbf {S}}_1\) satisfies:

$$\begin{aligned} \begin{aligned} \bigg |\Pr {\left[ \mathcal {A} \text { wins } {\textbf {G}}_1\right] } -&\Pr {\left[ \mathcal {A} \text { wins } {\textbf {G}}_0\right] }\bigg | \\&\le \epsilon _{\textbf {R-DCK}}(T)+ (1-p_r)q_h\left\{ \Pr _{\textbf{r}\xleftarrow {\$} \mathcal {R}}\left[ \textbf{r} \text { already set by }H\right] \right\} \\&\le \epsilon _{\textbf {R-DCK}}(T)+ (1-p_r)q_h\max _{\textbf{r}' \in \mathcal {R}} \left\{ \Pr _{\textbf{r}\xleftarrow {\$} \mathcal {R}}\left[ \textbf{r} = \textbf{r}'\right] \right\} \\&= \epsilon _{\textbf {R-DCK}}(T)+(1-p_r)\frac{q_h}{p^n}, \end{aligned} \end{aligned}$$

where \(\epsilon _{\textbf {R-DCK}}(T)\) is an upper bound on the \({\textbf {R-DCK}}\)-advantage of any adversary running in time T (and hence negligible under the \({\textbf {R-DCK}}\) hardness assumption for polynomial T). \(\square \)

Lemma 13

(Computational indistinguishability of \({\textbf {G}}_1\) and \({\textbf {G}}_2\)) Let \(\mathcal {A}\) be an adversary of time complexity bounded by T, having access to either the oracle \({\textbf {S}}_1\) or the oracle \({\textbf {S}}_2\), and making at most \(q_h\) queries to the H oracle (this count includes the queries made through the signing oracle). Its advantage in distinguishing the oracles of the hybrids \({\textbf {G}}_1\) and \({\textbf {G}}_2\) is bounded by

$$\begin{aligned} p_r\frac{q_h}{(2k+1)^n}. \end{aligned}$$

Proof

First remark that the parameter chosen for the Bernoulli is exactly the probability of getting a valid signature when signing honestly with the secret key that is \(p_r = \left( 1-\frac{2\alpha }{2k+1}\right) ^{2n}\). Let us then perform a case analysis, depending on the conditioning by the value taken by the variable B.

  • Case \(B=0\): Let consider the output distribution of \({\textbf {S}}_2\), conditioned by the event \(B=0\) (that is only considering the executions where the Bernoulli variable B is set to 0). This distribution is by construction statistically indistinguishable from the distribution of the game \({\textbf {S}}_1\) conditioned by the rejection of the computed signature.

  • Case \(B=1\): Let us now consider the output distribution of \({\textbf {S}}_2\) conditioned on the event \(B=1\). This distribution is by construction statistically indistinguishable from the distribution of \({\textbf {S}}_1\) conditioned this time on the acceptance of the computed signature, as long as the simulation by the random oracle is perfect and remains coherent. Indeed, once \(\textbf{z}_1, \textbf{z}_2\) are sampled, the value of the commitment is set a posteriori to fulfill the equation \(\textbf{r} = \textbf{a}\textbf{z}_1+\textbf{z}_2-\textbf{tc}\), and the random oracle is programmed so that \(H(\textbf{a}\textbf{z}_1+\textbf{z}_2-\textbf{tc}, m) = H(\textbf{a}\textbf{y}_1+\textbf{y}_2, m)\). If the value for \((\textbf{a}\textbf{y}_1+\textbf{y}_2, m)\) was already set, we abort the simulation. Thus one needs to evaluate the probability that \(\textbf{a}\textbf{y}_1+\textbf{y}_2 = \textbf{r}\) for a given \(\textbf{r}\in \mathcal {R}\) when \(\textbf{y}_1\) and \(\textbf{y}_2\) are sampled uniformly and independently in \(\mathcal {R}_k\):

    $$\begin{aligned} \begin{aligned} \max _{{ \begin{array}{cc} \textbf{r} = \textbf{a}\textbf{u}+\textbf{v}\\ \textbf{u}, \textbf{v} \in \mathcal {R}_ k \end{array} }} \Pr _{\textbf{y}_1,\textbf{y}_2} \left[ \textbf{a}\textbf{y}_1+\textbf{y}_2 = \textbf{r}\right]&\le \max _{\mathbf {\textbf{r}\in \mathcal {R}}}\Pr _{\textbf{y}_1,\textbf{y}_2} \left[ \textbf{a}\textbf{y}_1+\textbf{y}_2 = \textbf{r}\right] \\&= \max _{\textbf{r}\in \mathcal {R}}\Pr _{\textbf{y}_1,\textbf{y}_2} \left[ \textbf{y}_2= \textbf{r}-\textbf{a}\textbf{y}_1\right] \\&= \max _{\textbf{r}'\in \mathcal {R}}\Pr _{\textbf{y}_2}\left[ \textbf{y}_2= \textbf{r}'\right] = (2k+1)^{-n}. \end{aligned} \end{aligned}$$

We eventually conclude by the law of total probability:

$$\begin{aligned} \begin{aligned} \bigg |\Pr {\left[ \mathcal {A} \text { wins } {\textbf {G}}_2\right] } - \Pr {\left[ \mathcal {A} \text { wins } {\textbf {G}}_1\right] }\bigg |&\le \left( 1-\frac{2\alpha }{2k+1}\right) ^{2n}\frac{q_h}{(2k+1)^n}. \end{aligned} \end{aligned}$$

\(\square \)

Lemma 14

(Computational indistinguishability of \({\textbf {G}}_2\) and \({\textbf {G}}_3\)) Let \(\mathcal {A}\) be an adversary of time complexity bounded by T, having access to either the signing algorithm \({\textbf {S}}_2\) or \({\textbf {S}}_3\). Its computational advantage in distinguishing the two oracles, that is, hybrids \({\textbf {G}}_2\) and \({\textbf {G}}_3\), is bounded by

$$\begin{aligned} 2\epsilon _\text {{\textbf {DCK}}}(T) \end{aligned}$$

where \(\epsilon _{\textbf {DCK}}(T)\) is an upper bound on the \({\textbf {DCK}}\)-advantage of any adversary running in time T.

Proof

The difference between the games \({\textbf {G}}_2\) and \({\textbf {G}}_3\) lies in the distribution from which the keys \(\mathbf {s_1}, \mathbf {s_2}\) are sampled. In \({\textbf {G}}_2\) they are drawn under \(\mathcal {U}(\mathcal {R}_1)\), whereas in \({\textbf {G}}_3\) they are drawn under \(\widetilde{\mathcal {U}}_\gamma \). Hence the advantage of the adversary \(\mathcal {A}\) in distinguishing these two games when knowing the values \((\textbf{a}, \textbf{a}\textbf{s}_1+\textbf{s}_2)\) is bounded by its advantage in distinguishing \((\textbf{a}, \textbf{a}\textbf{s}_1+\textbf{s}_2)\) from the uniform distribution, that is, its advantage in solving either the DCK problem or the S-DCK problem. Since by Proposition 3 the advantage in solving the DCK problem is smaller than the advantage in solving the S-DCK problem, its advantage in distinguishing the two games is bounded by \(2\epsilon _\text {{\textbf {DCK}}}(T)\). \(\square \)

Lemma 15

(Applying the Forking Lemma to construct a distinguisher for \(\text {{\textbf {DCK}}}\)) Suppose there exists a forger \(\mathcal {F}\) that succeeds in forging with probability \(\delta \), is given the verification key and access to the signing oracle \({\textbf {S}}_3\) in the hybrid \({\textbf {G}}_3\), and is limited to at most \(q_h\) queries to the random oracle H. Then there exists a probabilistic algorithm \(\mathfrak {A}\) of the same time complexity as \(\mathcal {F}\) which, for a given pair \((\textbf{a},\textbf{t}) \in \mathcal {R}^2\), is able to decide whether \((\textbf{a},\textbf{t})\) follows the R-DCK distribution or is made from two independent random samples, with probability at least \(\frac{1}{32} \left( 1-\left( \frac{n+1}{2\gamma +1}\right) ^2\right) \left( \delta -3^n\right) \left( \frac{\delta -\epsilon _\alpha }{q_h}-3^n\right) \Big (1-(\sqrt{p}(2\gamma +1))^{-2n} -n(2\gamma )^{-1} - n\gamma ^{-2}\Big )A_\gamma \), where

$$\begin{aligned} A_\gamma = \sup _x \left[ 1-2e^{-x}-4\sqrt{2}(2k+\gamma \sqrt{16x/3})\sqrt{x+\log {n}}/p\right] . \end{aligned}$$

Proof

Let \((\textbf{a}, \textbf{t}_0) \in \mathcal {R}^2\) be the instance of the \({\textbf {DCK}}\) problem we want to solve.

Let us generate \(\textbf{s}_1, \textbf{s}_2\in \mathcal {R}_{\gamma }^2\) and the corresponding public key \(\textbf{t}= \textbf{a} \textbf{s}_1+\textbf{s}_2\) (note that this key is constructed with the challenge element \(\textbf{a}\)).

We now choose random coins \(\phi \) and \(\psi \), which will be used respectively by the forger and the signer. We also pick the values that will correspond to the responses of the random oracle, \(\textbf{c}_1, \ldots , \textbf{c}_{q_h}\). Let us define the algorithm \(\mathfrak {a}\):

  input: \((\textbf{a}, \textbf{t}, \phi , \psi , \textbf{c}_1, \ldots , \textbf{c}_{q_h})\)

  output: A pair (message, signature) \((m, \textbf{z}_1, \textbf{z}_2, \textbf{c})\)

   1. Initialize \(\mathfrak {a}\) with \(\textbf{a}, \textbf{t}, \phi \).

   2. Run \(\mathcal {F}\).

   3. Each time \(\mathcal {F}\) requires a signature, \(\mathfrak {a}\) intercepts the call and runs \({\textbf {S}}_2\), using the random coins \(\psi \) as entropy to produce a signature.

      − During this process, some queries to the random oracle H are performed (by the signature oracle or by \(\mathcal {F}\) itself).

      − In such cases the response of H is the first \(\textbf{c}_i\) in the list \((\textbf{c}_1,\ldots ,\textbf{c}_{q_h})\) that has not been used yet.

   4. As soon as \(\mathcal {F}\) finishes running, return the forged signature \((m, \textbf{z}_1, \textbf{z}_2, \textbf{c})\).

Let \(\epsilon _\alpha = 3^{-\alpha }\) be the probability of sampling a particular element uniformly at random in the range of the random oracle H.

The routine \(\mathfrak {a}\) outputs, with probability \(\delta \), a message m and its signature \((\textbf{z}_1, \textbf{z}_2, \textbf{c})\), which by construction satisfies \(\textbf{c} = H ((\textbf{a}\textbf{z}_1+\textbf{z}_2 - \textbf{tc}), m)\). If the random oracle H was neither queried nor programmed with the specific input \(\textbf{r} = \textbf{a}\textbf{z}_1+\textbf{z}_2\), then, by choosing at random in the range of H, the forger has probability exactly \(\epsilon _\alpha \) of generating a \(\textbf{c}\) satisfying the relation \(\textbf{c} = H (\textbf{r}, m)\). This implies that with probability \(1-\epsilon _\alpha \), \(\textbf{c}\) belongs to the list \((\textbf{c}_i)_i\). Hence the probability that \(\mathfrak {a}\) succeeds in forging a signature \((\textbf{z}_1, \textbf{z}_2, \textbf{c})\) such that \(\textbf{c}\) is one of the \((\textbf{c}_i)_i\) is at least \(\delta -\epsilon _\alpha \). Suppose from now on that this is the case; without loss of generality we can assume that the returned value is \(\textbf{c}_1\), by simply reordering the \((\textbf{c}_i)_i\) beforehand. Following the execution flow of the procedure \(\mathfrak {a}\), one can remark that two cases can occur:

  1. [R1] Either \(\textbf{c}\) was programmed directly by \(\mathcal {F}\) to be the output of H on a certain pair \((\textbf{r}', m') = (\textbf{a}\textbf{z}'_1 +\mathbf {z'}_2,m')\) when signing the message \(m'\). Since \((\textbf{z}_1, \textbf{z}_2, \textbf{c})\) is a valid signature returned by the forger, we have:

    $$\begin{aligned} H(\textbf{a}\textbf{z}_1+\textbf{z}_2 - \textbf{tc},{m}) = H(\textbf{a}\textbf{z}'_1+\mathbf {z'}_2 - \textbf{tc},{m'}). \end{aligned}$$

    If \(m\ne m'\) or \(\textbf{a}\textbf{z}_1+\textbf{z}_2 - \textbf{tc} \ne \textbf{a}\textbf{z}'_1+\mathbf {z'}_2 - \textbf{tc} \), then the forger has found a preimage of \(\textbf{c}_1\) for H. This event occurs with probability exactly \(\epsilon _\alpha \). One can thus suppose that \(\textbf{a}\textbf{z}_1+\textbf{z}_2 - \textbf{tc} = \textbf{a}\textbf{z}'_1+\mathbf {z'}_2 - \textbf{tc} \) with probability \(1-\epsilon _\alpha \). Hence by setting \(\textbf{u}_1 = \textbf{z}_1-\textbf{z}_1'\) and \(\textbf{u}_2 = \textbf{z}_2'-\textbf{z}_2\), we have found two elements of norm bounded by 2k such that \(\textbf{a}\textbf{u}_1+\textbf{u}_2=0\), which are non-zero, since otherwise \((\textbf{z}_1, \textbf{z}_2, m)\) would be exactly the same as the signature \((\textbf{z}'_1, \textbf{z}'_2, m)\).

  2. [R2] Or \(\textbf{c}_1\) results from a call to the signature oracle. In that case we store the forged signature \(\textbf{z}_1, \textbf{z}_2, \textbf{c}_1\), then replay the algorithm \(\mathfrak {a}\) with the same coins but fresh, different \(\textbf{c}'_1, \ldots , \mathbf {c'}_{q_h}\). By the general Forking Lemma [9], the probability that \(\textbf{c}_1 \ne \textbf{c}'_1\) and that the forger uses the random oracle response \(\textbf{c}_1\) (and the query associated to it) in the forgery is at least

    $$\begin{aligned} \left( \delta -\epsilon _\alpha \right) \left( \frac{\delta -\epsilon _\alpha }{q_h}-\epsilon _\alpha \right) . \end{aligned}$$

    Eventually, we can produce two signatures for the message m, denoted by \((\textbf{z}_1, \textbf{z}_2, \textbf{c})\) and \((\textbf{z}'_1, \mathbf {z'}_2, \mathbf {c'})\), so that the commitment coincides:

    $$\begin{aligned} \textbf{a}(\textbf{z}_1 - \textbf{s}_1\textbf{c})+\textbf{z}_2 -\textbf{s}_2\textbf{c} = \textbf{a}(\textbf{z}'_1 - \textbf{s}_1\textbf{c}')+\mathbf {z'}_2 -\textbf{s}_2\mathbf {c'}, \end{aligned}$$

    that is:

    $$\begin{aligned} \textbf{a}(\textbf{z}_1 - \textbf{s}_1\textbf{c}-\textbf{z}'_1 + \textbf{s}_1\textbf{c}')+(\textbf{z}_2 -\textbf{s}_2\textbf{c}-\mathbf {z'}_2 +\textbf{s}_2\textbf{c}') = 0. \end{aligned}$$

    Let us set

    $$\begin{aligned} \left\{ \begin{aligned} \textbf{u}_1&= \textbf{z}_1 - \textbf{s}_1\textbf{c}- \textbf{z}'_1 + \textbf{s}_1\textbf{c}'\\ \textbf{u}_2&=\textbf{z}_2-\textbf{s}_2\textbf{c}- \mathbf {z'}_2 +\textbf{s}_2\textbf{c}' \end{aligned} \right. . \end{aligned}$$

    The probability of having \((\textbf{u}_1, \textbf{u}_2) \ne (\textbf{0}, \textbf{0})\) is at least

    $$\begin{aligned} \frac{1}{2} p_c\left( 1-\left( \frac{n+1}{2\gamma +1}\right) ^2\right) \end{aligned}$$

    with

    $$\begin{aligned} p_c = 1-(\sqrt{p}(2\gamma +1))^{-2n}-n(2\gamma )^{-1} - n\gamma ^{-2}\approx 1-n(2\gamma )^{-1}. \end{aligned}$$

    Indeed, by Lemma 11, with probability at least \(p_c\) there exists another pair \((\textbf{s}'_1, \mathbf {s'}_2)\) such that \(\textbf{as}_1 + \textbf{s}_2 = \textbf{as}'_1+\textbf{s}'_2 \). Suppose that \((\textbf{u}_1, \textbf{u}_2) = (\textbf{0}, \textbf{0})\). Then playing the previous argument (and so using the same randomness) with the \(\textbf{s}_{i}'\) instead of the \(\textbf{s}_i\) yields another pair \((\textbf{u}'_1, \textbf{u}'_2)\). Suppose that this pair is also (0, 0). Then we have:

    $$\begin{aligned} \begin{aligned}&\textbf{s}_1(\textbf{c}-\textbf{c}') = \textbf{s}'_1(\textbf{c}-\textbf{c}')\\&\textbf{s}_2(\textbf{c}-\textbf{c}') = \textbf{s}'_2(\textbf{c}-\textbf{c}'), \end{aligned} \end{aligned}$$

    meaning that \(\textbf{s}_1\mathcal {R} =\textbf{s}_2\mathcal {R} =\textbf{s}'_1\mathcal {R} =\textbf{s}'_2\mathcal {R} = (\textbf{c}-\textbf{c}')\mathcal {R} \ne \{0\}, \mathcal {R}\) (indeed, the \(\textbf{s}_i\) cannot all be zero by construction, and if \((\textbf{c}-\textbf{c}')\) were invertible then we would have \(\textbf{s}_1 = \textbf{s}'_1\) and \(\textbf{s}_2 = \textbf{s}'_2\)). Hence this event can occur with probability dominated by

    $$\begin{aligned} \begin{aligned}&\Pr _{\textbf{s}_1, \textbf{s}_2} \left[ \textbf{s}_1\mathcal {R} =\textbf{s}_2\mathcal {R} = (\textbf{c}-\textbf{c}')\mathcal {R} \right] \\&\quad \le \max _{\mathcal {I} \ne \{0\}, \mathcal {R}}\Pr _{\textbf{s}_1, \textbf{s}_2} \left[ \textbf{s}_1\mathcal {R} =\textbf{s}_2\mathcal {R} = \mathcal {I}\right] \\&\quad \le \max _{\mathcal {I} \ne \{0\}, \mathcal {R}} \Pr _{\textbf{s}\sim \widetilde{\mathcal {U}}_\gamma } \left[ \textbf{s}\mathcal {R} = \mathcal {I}\right] ^2 \\&\quad \le \max _{\mathcal {I} \ne \{0\}, \mathcal {R}} \left( n(2\gamma )^{-1}+n\gamma ^{-2}+\Pr _{\textbf{s}\in \mathcal {U}(\mathcal {R}_\gamma )} \left[ \textbf{s}\mathcal {R} \in \mathcal {I}\right] \right) ^2 \\&\quad =\left( n(2\gamma )^{-1}+n\gamma ^{-2}+\max _{\mathcal {I} \ne \{0\}, \mathcal {R}}\Pr _{\textbf{s}\in \mathcal {U}(\mathcal {R}_\gamma )} \left[ \textbf{s}\mathcal {R} \in \mathcal {I}\right] \right) ^2 \\ \end{aligned} \end{aligned}$$

    Hence to estimate \(\max _{\mathcal {I} \ne \{0\}, \mathcal {R}} \Pr _{\textbf{s}} \left[ \textbf{s}\mathcal {R} \in \mathcal {I}\right] \), we fall back to describing the ideals of \(\mathcal {R}\). Classically, since \(\mathcal {R} \cong (\mathbb {Z}[X]/(X^n+1))/p\), its ideals are in (antitone) bijection with the divisors of \(X^n+1 \mod p\). Let then P be a divisor of \(X^n+1 \mod p\); the ideal generated by P in \(\mathcal {R}\) has cardinality \(p^{n-\deg P}\) and the probability that \(\textbf{s}\in (P)\) is at most \((2\gamma +1)^{-\deg P}\). Indeed, the probability of this event is equal to \(\Pr \left[ \textbf{s} = 0\mod P\right] \), which yields the announced upper bound since reduction \(\mod P\) acts as a bijection once the \(n-\deg P\) coefficients of highest degree are fixed. Therefore we get the estimate:

    $$\begin{aligned} \begin{aligned} \max _{\mathcal {I} \ne \{0\}, \mathcal {R}} \Pr _{\textbf{s}} \left[ \textbf{s}\mathcal {R} \in \mathcal {I}\right]&\le \max _{d \in \{1,\ldots , n-1\}} (2\gamma +1)^{-d}\\&= \max _{d \in \{1,\ldots , n-1\}} (2\gamma +1)^{-2d} = (2\gamma +1)^{-1}. \end{aligned} \end{aligned}$$

    The probability of getting once again zero elements \(\textbf{u}_i\) is then dominated by \(((n+1)(2\gamma +1))^{-2}\). The forger \(\mathcal {F}\) does not get access to these functionally equivalent secret keys. Since it does not use them for simulating the signing oracle, we will get a non-zero answer with probability at least 1/2, since each key has an equal probability of being chosen by uniformity of the generation. We then need to estimate the norm of the vectors \(\textbf{u}_1, \textbf{u}_2\), which with a certain probability is not too big. Indeed, remark that Proposition 2 and a union bound ensure that with probability at least \(\frac{1}{16}\), the elements \(\textbf{s}_1\textbf{c}\), \(\textbf{s}'_1\textbf{c}\), \(\textbf{s}_2\textbf{c}\) and \(\textbf{s}'_2\textbf{c}\) have their \(\ell _\infty \)-norm bounded by \(\gamma \sqrt{\frac{4\alpha }{3}}\), meaning that \(\Vert \textbf{u}_i\Vert _{\infty } \le 2k+\gamma \sqrt{\frac{16\alpha }{3}}\), for \(i=1,2\).

All in all, in case [R1] we can find a pair \((\textbf{u}_1, \textbf{u}_2) \ne (\textbf{0},\textbf{0})\) of norm bounded by 2k such that \(\textbf{a}\textbf{u}_1+ \textbf{u}_2=0\) with probability at least \((1-\epsilon _\alpha )\), and in case [R2] we can find two elements \(\textbf{u}_1, \textbf{u}_2\) of norm bounded by \(2k+\gamma \sqrt{\frac{16\alpha }{3}}\) such that \(\textbf{a}\textbf{u}_1+ \textbf{u}_2=0\) with probability at least

$$\begin{aligned} p_0 = \frac{1}{2} p_c\left( 1-\left( \frac{n+1}{2\gamma +1}\right) ^2\right) \left( \delta -\epsilon _\alpha \right) \left( \frac{\delta -\epsilon _\alpha }{q_h}-\epsilon _\alpha \right) <1-\epsilon _\alpha \end{aligned}$$

Hence, in either case, with probability at least \(p_0\) one can find such vectors. This now allows us to get a non-negligible advantage in solving the DCK instance, the pair \((\textbf{u}_1, \textbf{u}_2)\) acting as a trapdoor for this problem. Indeed, for the trial \((\textbf{a}, \textbf{t}_0)\) given as input, two cases can occur:

  1. Either the element \(\textbf{t}\) of \(\mathcal {R}\) is taken uniformly at random; then the probability that \(\textbf{u}_1\textbf{t}\) lies inside the \(\ell _\infty \) ball of radius \(2\tau \) is crudely upper bounded by \((4\tau -1)/(p-1)\) (indeed, at most \(p^{n-1}\) elements can vanish under the action of \(x\mapsto u_1 x\), and for the remaining ones, at most \((4\tau -1)/(p-1)\) elements per one-dimensional subspace, minus zero, intersect the ball).

  2. Or it is of the form \((\textbf{a}, \textbf{a}\textbf{s}_3+\textbf{s}_4)\); then multiplying the latter pair by \(\textbf{u}_1\) yields:

    $$\begin{aligned} (\textbf{au}_1, \textbf{au}_1\textbf{s}_3+\textbf{u}_1\textbf{s}_4) = (\textbf{au}_1, -\textbf{u}_2\textbf{s}_3+\textbf{u}_1\textbf{s}_4). \end{aligned}$$

    We can notice that \(-\textbf{u}_2\textbf{s}_3+\textbf{u}_1\textbf{s}_4\) has infinity norm bounded by \(2\tau = 2\sqrt{2} \Vert \textbf{u}_i\Vert _2 \sqrt{x+\log {n}}\) with probability at least \(1-2e^{-x}\), for a free parameter x which will be used for later optimization. To see this, remark that

    $$\begin{aligned} \Pr \left[ \textbf{u}_1 \textbf{s}_2 + \textbf{u}_2\textbf{s}_1 \ge 2\tau \right] \le \Pr \left[ \textbf{u}_1 \textbf{s}_2 \ge \tau \right] +\Pr \left[ \textbf{u}_2 \textbf{s}_1 \ge \tau \right] \end{aligned}$$

    by the union bound. But we have for \(i=1,2\), \(j = 1,2\) and \(s>0\):

    $$\begin{aligned} \Pr \left[ \textbf{u}_i\textbf{s}_j \ge \tau \right]&\le \Pr \left[ \bigvee _{k=1}^n \left\{ [\textbf{u}_i \textbf{s}_j]_k \ge \tau \right\} \right] \quad \text {Coefficient extraction}\\&\le n\Pr \left[ [\textbf{u}_i \textbf{s}_j]_1 \ge \tau \right] \quad \text {Union bound}\\&\le n\Pr \left[ s[ \textbf{u}_i \textbf{s}_j]_1 \ge s\tau \right] \quad \text {Positivity of}\, s\\&\le n\Pr \left[ \text {exp}\left( s[\textbf{u}_i \textbf{s}_j]_1\right) \ge \text {exp}(s\tau ) \right] \quad \text {Monotonicity of the exponential}\\&\le n\frac{\textbf{E}\left[ \text {exp}\left( s[\textbf{u}_i \textbf{s}_j]_1\right) \right] }{\text {exp}(s\tau )} \quad \text {Markov's inequality}\\&\le \text {exp}\left( \frac{s^2\Vert \textbf{u}_i\Vert _2^2}{2}-s\tau +\log n\right) \quad \text {Proposition 1}\\&\le \text {exp}\left( -\frac{\tau ^2}{2\Vert \textbf{u}_i\Vert _2^2}+\log n\right) \\&= \text {exp}\left( -\frac{(\sqrt{2} \Vert \textbf{u}_i\Vert _2 \sqrt{x+\log {n}})^2}{2\Vert \textbf{u}_i\Vert _2^2}+\log n\right) \\&= \text {exp}\left( -(x+\log {n})+\log n\right) \\&= \text {exp}(-x) \end{aligned}$$

Therefore the distinguisher constructed by testing if the element \(\textbf{t}\textbf{u}_1\) lies inside the ball of radius \(2\tau \) has advantage

$$\begin{aligned} A_x = \sup _x \left[ 1-2e^{-x}-4\sqrt{2}(2k+\gamma \sqrt{16x/3})\sqrt{x+\log {n}}/p\right] . \end{aligned}$$

We define the algorithm \(\mathfrak {A}\) to be the algorithm that finds the trapdoor elements \(\textbf{u}_1, \textbf{u}_2\) from the forgery of a valid signature by \(\mathcal {F}\) and answers the DCK challenge with the distinguisher described above. Its running time is at most twice the running time of the forger \(\mathcal {F}\) and its success probability is at least \(A_xp_0\), by construction. \(\square \)

Remark 8

(Practical considerations) Assuming the computational hardness of both the DCK and R-DCK problems, choosing \(\gamma =1664 \approx 2^{10.70}\) (resp. \(\gamma =2504\)) for the small (resp. large) security parameter set ensures a security level of 100 (resp. 256) bits.

1.6 \(\textbf{r}\)-GLP signature scheme with commitment

This part describes the GLP signature scheme combined with the commitment procedure introduced in [8]. The public commitment key \(ck =\begin{pmatrix} ck_{1,1} &{} ck_{1,2} &{} ck_{1,3} \\ ck_{2,1} &{} ck_{2,2} &{} ck_{2,3} \\ \end{pmatrix} \) is sampled uniformly at random in \(\mathcal {R}^{2\times 3}\) during the key derivation algorithm. The parameter \(k'\) is set according to the estimate of [8], that is, greater than \(\frac{2q}{3}\). In this variant of the original signature scheme, the value \(\textbf{r}\) is hidden through the linear commitment. Hence, even if an attacker learns the committed values \(\textbf{f}_1, \textbf{f}_2\) through a side channel, the computational indistinguishability of the commitment from a uniform distribution ensures that no secret-dependent information can be extracted from this trace. To formalize this intuition we prove, as in the previous section, that one round of the signature scheme that returns its values even in case of a rejection is EUF-CMA. We now sketch the security proof of this modified scheme.

Algorithm 24: GLP signature with commitment

Algorithm 25: GLP verification with commitment

Algorithm 26: Signature oracle \({\textbf {S}}_0\)

Algorithm 27: Signature oracle \({\textbf {S}}_1\)

Game \({\textbf {G}}_0\).

This game is the security game of the existential unforgeability under chosen message attack, where the adversary can ask at most \(q_h\) hash queries to the H oracle and \(q_s\) sign queries to the Signing oracle \({\textbf {S}}_0\) given in Algorithm 26. Notice that the signature includes the random values \(\textbf{u}_1,\textbf{u}_2,\textbf{u}_3\) to open the commitment \((\textbf{f}_1, \textbf{f}_2)\) of \(\textbf{r}\).

Game \({\textbf {G}}_1\).

This game is the same as G\(_0\) except that the Signing oracle S\(_1\) is given in Algorithm 27. The difference in the signing algorithms is that, in the case of a rejection at line 6, the committed variables \(\textbf{f}_1, \textbf{f}_2\) are freshly re-sampled, independently of any previous values. This game is computationally indistinguishable from G\(_0\) under the hiding property of the commitment scheme (see [8]), by choice of the commitment parameters; this property relies on the hardness of the R-LWE problem. Notice that the previous argument remains valid as long as the simulation by the random oracle is perfect and remains coherent. Indeed, after yielding the commitment \(\textbf{r}\), the random oracle H is programmed so that \(H(\textbf{y}_1, \textbf{y}_2, m) = \textbf{c}\) without checking whether the value \(\textbf{y}_1, \textbf{y}_2\) has already been set. If an adversary \(\mathcal {A}\) running in time T calls H \(q_h\) times, at most \(q_h\) values can be set by the adversary and we get:

$$\begin{aligned} \bigg |\Pr {\left[ \mathcal {A} \text { wins } {\textbf {G}}_1\right] } - \Pr {\left[ \mathcal {A} \text { wins } {\textbf {G}}_0\right] }\bigg | \le \epsilon _{\textbf {RLWE}}(T)+ (1-p_r)\frac{q_h}{p^{2n}}, \end{aligned}$$

where \(\epsilon _{\textbf {RLWE}}(T)\) is an upper bound on the advantage of any adversary running in time T in solving the \({\textbf {R-LWE}}\) problem. All in all, G\(_0\) and G\(_1\) are thus computationally indistinguishable under the Ring-LWE hardness assumption.

Game \({\textbf {G}}_2\).

In this game, we replace the Signing oracle by S\(_2\), described in Algorithm 29, and take as input a trial of the \(\textsc {DCK}_{p,n}\) problem.

input: \((\textbf{a},\textbf{t})\), a trial of \(\textsc {DCK}_{p,n}\)

  1. \((s_1, s_2) \leftarrow \mathcal {R}_{\gamma }^2\)

  2. \((m^*, \sigma ^*) \leftarrow \mathcal {A}^{H, S_2}(\textbf{a},\textbf{t})\)

  3. return 1 if (\(\textsc {Verify}(\textbf{a,t},m^*,\sigma ^*)=1\) and \((m^*,\sigma ^*)\) has not been returned by the oracle S\(_1\)), 0 otherwise.

The difference between G\(_1\) and G\(_2\) is that the latter no longer uses the secret key. Indeed, the value returned by the random oracle H is now chosen at random from the set \(\mathcal {D}_{\alpha }^n\), and the acceptance in the rejection sampling is simulated by a Bernoulli trial of parameter \(p_r\), the exact probability of getting a valid signature when signing honestly with the secret key. In the case of simulating an accepted signature, \(\textbf{z}_1, \textbf{z}_2\) are generated at random in the space of accepted signatures (i.e., \(\mathcal {R}_{k-\alpha }\)). Then \(\textbf{r}\) is recomputed from \(\textbf{z}_1,\textbf{z}_2,\textbf{t},\textbf{c}\) to satisfy the equation \(\textbf{r}=\textbf{a}\textbf{z}_1+\textbf{z}_2 - \textbf{tc} = \textbf{ay}_1+\textbf{y}_2\). From this value a commitment is constructed as in the real signature and the random oracle is programmed accordingly. Exactly as in Appendix A.2, we can prove that the games \({\textbf {G}}_1\) and \({\textbf {G}}_2\) are then also computationally indistinguishable, by the same hybrid argument involving an additional game where the key parameters are stretched. Eventually, the exact same forking-lemma-based argument concludes the proof by showing how to turn the adversary into a distinguisher for the DCK problem.

Under the hardness of both the DCK and R-LWE problems, the advantage of the attacker is therefore negligible. We can indeed show by indistinguishability that the advantage of the attacker in the first game is also negligible and then prove the EUF-CMA property of the signature scheme.

Masked \(\textbf{r}\)-GLP with Commitment

The masking of the key generation remains the same, with the additional generation of the public commitment key ck. For the signature, the commitment gadget Comm (Algorithm 30) is added; it is a matrix multiplication, as shown in Algorithm 30. The composition is then more complex and involves more gadgets; it is depicted in Fig. 10. The whole signature is described in Algorithm 28.

Algorithm 28: GLP masked signature with commitment

Algorithm 29: Modified signature oracle \({\textbf {S}}_2\)

Fig. 10: Composition of commitment GLP Sign \({\textbf {S}}_2\)

Algorithm 30: Comm

Lemma 16

The gadget Comm is \(d\)-NI.

Proof

Let \(\delta \le d\) be the number of observations made by the attacker. The proof consists in filling an empty set I with at most \(\delta \) indices in \([0, d]\) such that the distribution of any tuple \((\textbf{v}_1,\ldots ,\textbf{v}_\delta )\) of intermediate variables of the block can be perfectly simulated from the sensitive values

$$\begin{aligned} (\textbf{u}_{1,i},\textbf{u}_{2,i},\textbf{u}_{3,i},\textbf{r}_{i})_{i\in {\textbf {I}}} \end{aligned}$$
(1)

For each observation \(\textbf{v}_h\) (\(h \in [0,\delta ]\)), we add the corresponding index i to I. After having built I, every intermediate value \(\textbf{v}_h\) is simulated by direct computation from \(\textbf{u}_{1,i},\textbf{u}_{2,i},\textbf{u}_{3,i},\textbf{r}_{i}\) and the public value ck.

At the end, any set of \(\delta \le d\) intermediate variables can be perfectly simulated with at most \(\delta \) shares of each sensitive input. This is enough to prove that Comm is \(d\)-NI. \(\square \)
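As an added illustration of why a share-wise linear gadget such as Comm admits the simulation argument above, here is a toy Python model (not the paper's code) of a masked commitment over \(\mathcal {R}_p = \mathbb {Z}_p[X]/(X^n+1)\). The toy parameters n = 8 and p = 97, the arithmetic (additive) masking, and the commitment layout \(\textbf{f}_1 = \langle ck_{1,\cdot }, \textbf{u}\rangle \), \(\textbf{f}_2 = \langle ck_{2,\cdot }, \textbf{u}\rangle + \textbf{r}\) are assumptions made here, not taken from the page; each output share is computed from the input shares of the same index and the public ck only, and unmasking the output shares recovers the unmasked commitment.

```python
"""Added toy model (not the paper's implementation) of a share-wise masked
linear commitment gadget over R_P = Z_P[X]/(X^N + 1).
Assumptions made here: toy parameters N, P; arithmetic (additive) masking
mod P; commitment layout f1 = <ck[0], u>, f2 = <ck[1], u> + r."""
import random

N = 8   # toy ring degree (assumption; the real scheme uses a much larger n)
P = 97  # toy prime modulus (assumption)


def poly_add(a, b):
    return [(x + y) % P for x, y in zip(a, b)]


def poly_mul(a, b):
    """Product in Z_P[X]/(X^N + 1): the wrap-around term picks up a minus sign."""
    res = [0] * N
    for i, ai in enumerate(a):
        for j, bj in enumerate(b):
            k = i + j
            if k < N:
                res[k] = (res[k] + ai * bj) % P
            else:
                res[k - N] = (res[k - N] - ai * bj) % P
    return res


def rand_poly(rng, bound=None):
    """Uniform element of R_P, or of R_bound (coefficients in [-bound, bound])."""
    if bound is None:
        return [rng.randrange(P) for _ in range(N)]
    return [rng.randint(-bound, bound) % P for _ in range(N)]


def share(x, d, rng):
    """Arithmetic masking of x into d+1 shares summing to x mod P."""
    shares = [rand_poly(rng) for _ in range(d)]
    last = x
    for s in shares:
        last = [(u - v) % P for u, v in zip(last, s)]
    return shares + [last]


def unshare(shares):
    """FullAdd-style recombination: sum of all shares mod P."""
    acc = [0] * N
    for s in shares:
        acc = poly_add(acc, s)
    return acc


def comm(ck, u, r):
    """Unmasked commitment of r under randomness u = (u1, u2, u3) with the
    2x3 public key ck (layout assumed here)."""
    f1, f2 = [0] * N, [0] * N
    for j in range(3):
        f1 = poly_add(f1, poly_mul(ck[0][j], u[j]))
        f2 = poly_add(f2, poly_mul(ck[1][j], u[j]))
    return f1, poly_add(f2, r)


def masked_comm(ck, u_shares, r_shares):
    """Share-wise Comm: output share i is a function of (u1_i, u2_i, u3_i, r_i)
    and the public ck only, which is exactly what the d-NI simulation uses.
    Linearity of comm() makes the sum of output shares the unmasked commitment."""
    f1_shares, f2_shares = [], []
    for i in range(len(r_shares)):
        f1_i, f2_i = comm(ck, [u_shares[j][i] for j in range(3)], r_shares[i])
        f1_shares.append(f1_i)
        f2_shares.append(f2_i)
    return f1_shares, f2_shares


def open_comm(ck, f1, f2, u, r):
    """Verifier-side opening: recompute the commitment from the revealed
    (u1, u2, u3, r) carried in the signature and compare."""
    return (f1, f2) == comm(ck, u, r)


def check_masked_comm(d=3, seed=1):
    """Mask the inputs, run the share-wise gadget, unmask, and compare with the
    unmasked commitment; also check that a wrong opening is rejected."""
    rng = random.Random(seed)
    ck = [[rand_poly(rng) for _ in range(3)] for _ in range(2)]
    u = [rand_poly(rng, bound=1) for _ in range(3)]   # small randomness (assumed)
    r = rand_poly(rng)
    u_shares = [share(uj, d, rng) for uj in u]
    r_shares = share(r, d, rng)
    f1_sh, f2_sh = masked_comm(ck, u_shares, r_shares)
    f1, f2 = unshare(f1_sh), unshare(f2_sh)
    wrong_r = poly_add(r, [1] + [0] * (N - 1))
    return ((f1, f2) == comm(ck, u, r)
            and open_comm(ck, f1, f2, u, r)
            and not open_comm(ck, f1, f2, u, wrong_r))


if __name__ == "__main__":
    print("masked Comm consistent:", check_masked_comm())
```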

Theorem 6

masked-glp sign with commitment is still \(d\)-NIo.

Proof

From Lemmas 6, 7, 9 and 16, Algorithms DG, RS, \(\mathrm {H^1}\), \(\mathrm {H^2}\) and Comm are all \(d\)-NI. From Lemma 8, FullAdd is \(d\)-NIo.

Let us assume that an attacker has access to \(\delta \le d\) observations on the whole signature scheme. Then, we want to prove that all these \(\delta \) observations can be perfectly simulated with at most \(\delta \) shares of each secret among \(\textbf{y}_1\), \(\textbf{y}_2\), \(\textbf{s}_1\),\(\textbf{s}_2\),\(\textbf{u}_1\),\(\textbf{u}_2\) and \(\textbf{u}_3\) and the public values. With such a result, the signature scheme is then secure in the \(d\)-probing model since no set of at most \(d\) observations would give information on the secret values.

In the following, we consider this distribution of the attacker’s \(\delta \) observations:

  • \(\delta _1\) (resp. \(\delta _2\), \(\delta _3\), \(\delta _4\), \(\delta _5\)) on the instance of DG that produces shares of \(\textbf{y}_1\) (resp. \(\textbf{y}_2\), \(\textbf{u}_1\), \(\textbf{u}_2\), \(\textbf{u}_3\)),

  • \(\delta _6\) on \(\mathrm {H^1}\),

  • \(\delta _7\) on Comm,

  • \(\delta _8\) (resp. \(\delta _9\)) on FullAdd of \(\textbf{f}_1\) (resp. \(\textbf{f}_2\)),

  • \(\delta _{10}\) (resp. \(\delta _{11}\)) on \(\mathrm {H^1}\) which produces \(\textbf{z}_1\) (resp. \(\textbf{z}_2\)),

  • \(\delta _{12}\) on the instance of RS,

  • \(\delta _{13}\) (resp. \(\delta _{14}\), \(\delta _{15}\), \(\delta _{16}\), \(\delta _{17}\)) on \(\mathrm {H^2}\) applied on \(\textbf{z}_1\) (resp. \(\textbf{z}_2\), \(\textbf{u}_1\), \(\textbf{u}_2\), \(\textbf{u}_3\)),

  • \(\delta _{18}\) (resp. \(\delta _{19}\), \(\delta _{20}\), \(\delta _{21}\), \(\delta _{22}\)) on FullAdd of \(\textbf{z}_1\) (resp. \(\textbf{z}_2\), \(\textbf{u}_1\), \(\textbf{u}_2\), \(\textbf{u}_3\)).

Some other observations can be made on the hash function; their number won't matter during the proof. Finally, we have \(\sum _{i=1}^{22} \delta _i \le \sum _{i=1}^{22} \delta _i + \delta _{Hash} \le \delta \).

Now, we build the proof from right to left as follows.

The five last FullAdd blocks are \(d\)-NI, then all the observations performed during the execution of FullAdd on \(\textbf{z}_1\) (resp. \(\textbf{z}_2\), \(\textbf{u}_1\),\(\textbf{u}_2\),\(\textbf{u}_3\)) can be perfectly simulated with at most \(\delta _{18}\) (resp. \(\delta _{19}\),\(\delta _{20}\),\(\delta _{21}\),\(\delta _{22}\)) shares of \(\textbf{z}_1\) (resp. \(\textbf{z}_2\), \(\textbf{u}_1\),\(\textbf{u}_2\),\(\textbf{u}_3\)).

\(\mathrm {H^2}\) is \(d\)-NI, then all the observations from the call of \(\mathrm {H^2}\) on \(\textbf{z}_1\) (resp. \(\textbf{z}_2\), \(\textbf{u}_1\),\(\textbf{u}_2\),\(\textbf{u}_3\)) can be perfectly simulated with \(\delta _{13}+\delta _{18}\) (resp. \(\delta _{14}+\delta _{19}\), \(\delta _{15}+\delta _{20}\), \(\delta _{16}+\delta _{21}\), \(\delta _{17}+\delta _{22}\)) shares of the sensitive input \(\textbf{z}_1\) (resp. \(\textbf{z}_2\), \(\textbf{u}_1\), \(\textbf{u}_2\), \(\textbf{u}_3\)).

RS is \(d\)-NI and does not return any sensitive element, so all the observations performed in gadget RS can be perfectly simulated with at most \(\delta _{12}\) shares of \(\textbf{z}_1\) and \(\textbf{z}_2\). So, after \(\mathrm {H^1}\), the observations can be simulated with \(\delta _{12}+(\delta _{13}+\delta _{18})\) shares of \(\textbf{z}_1\) and \(\delta _{12}+(\delta _{14}+\delta _{19})\) shares of \(\textbf{z}_2\).

\(\mathrm {H^1}\) is \(d\)-NI as well, thus all the observations from the call of \(\mathrm {H^1}\) on \(\textbf{y}_1\) can be perfectly simulated with \(\delta _{10}+\delta _{12}+\delta _{13}+\delta _{18}\le \delta \) shares of \(\textbf{y}_1\) and \(\textbf{s}_1\). Respectively, on \(\textbf{y}_2\), the observations can be perfectly simulated from \(\delta _{11}+\delta _{12}+\delta _{14}+\delta _{19} \le \delta \) shares of \(\textbf{y}_2\) and \(\textbf{s}_2\).

The first two FullAdd gadgets (on the left) are \(d\)-NIo and do not return any sensitive element, so all the observations performed from these gadgets can be perfectly simulated with at most \(\delta _8\) (resp. \(\delta _9\)) shares of \(\textbf{f}_1\) (resp. \(\textbf{f}_2\)).

The gadget Comm is also \(d\)-NI, then all the observations performed after this gadget can be perfectly simulated with \(\delta _7+\delta _8+\delta _9\) shares of \(\textbf{u}_1\), \(\textbf{u}_2\), \(\textbf{u}_3\) and \(\textbf{r}\).

The left \(\mathrm {H^1}\) gadget is \(d\)-NI, thus all the observations from its call can be perfectly simulated with at most \(\delta _6+\delta _7+\delta _8+\delta _9\) shares of each one of the inputs \(y_1\) and \(y_2\).

DG is also \(d\)-NI, thus we need to ensure that the number of reported observations does not exceed \(\delta \) for \(\textbf{y}_1\), \(\textbf{y}_2\), \(\textbf{u}_1\),\(\textbf{u}_2\) and \(\textbf{u}_3\).

On the one hand, at the end of DG for \(\textbf{y}_1\), \(\textbf{y}_2\), the simulation relies on \((\delta _6+\delta _7+\delta _8+\delta _9)+(\delta _{10}+\delta _{12}+\delta _{13}+\delta _{18}) \le \delta \) shares of \(\textbf{y}_1\) and \((\delta _6+\delta _7+\delta _8+\delta _9)+(\delta _{11}+\delta _{12}+\delta _{14}+\delta _{19} ) \le \delta \) shares of \(\textbf{y}_2\). With the additional \(\delta _1\) (resp. \(\delta _2\)) observations performed on the first (resp. the second) instance of DG, the number of observations remains below \(\delta \).

On the other hand, at the end of DG for \(\textbf{u}_1\), \(\textbf{u}_2\) and \(\textbf{u}_3\), the simulation relies on \((\delta _8+\delta _9)+(\delta _{15}+\delta _{20}) \le \delta \) shares of \(\textbf{u}_1\), \((\delta _8+\delta _9)+(\delta _{16}+\delta _{21}) \le \delta \) shares of \(\textbf{u}_2\) and \((\delta _8+\delta _9)+(\delta _{17}+\delta _{22}) \le \delta \) shares of \(\textbf{u}_3\). With the additional \(\delta _3\) (resp. \(\delta _4\), \(\delta _5\)) observations performed on the instance of DG for \(\textbf{u}_1\) (resp. \(\textbf{u}_2\), \(\textbf{u}_3\)), the number of observations remains below \(\delta \), which is sufficient to ensure security of the whole scheme in the \(d\)-probing model. \(\square \)
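The backward bookkeeping of the proof above, as an added example in Python (not code from the paper): the gadget graph is modelled as the text describes it (DG generating \(\textbf{y}_i\), \(\textbf{u}_i\); the left \(\mathrm {H^1}\) producing \(\textbf{r}\); Comm producing \(\textbf{f}_1\), \(\textbf{f}_2\); \(\mathrm {H^1}\) on \((\textbf{y}_i, \textbf{s}_i)\) producing \(\textbf{z}_i\); RS and \(\mathrm {H^2}\) consuming them), the labels dK stand for \(\delta _K\), and gadgets that return only public values are given no output wire. Comm's own probes \(\delta _7\) are charged to each of its inputs, as in the Comm step; the check then confirms that no \(\delta _K\) is charged twice to any wire, which is exactly why every sum above stays below \(\delta \).

```python
from collections import Counter
# Added example, not code from the paper: a symbolic version of the backward
# probe-count bookkeeping in the proof above. Entries are (gadget, inputs,
# outputs, own probe labels); "dK" stands for delta_K. Wiring follows the proof
# text; gadgets returning only public values (FullAdd, RS, H^2) get no output
# wire, so nothing propagates back through them.
GADGETS = [
    ("DG_y1", [], ["y1"], ["d1"]), ("DG_y2", [], ["y2"], ["d2"]),
    ("DG_u1", [], ["u1"], ["d3"]), ("DG_u2", [], ["u2"], ["d4"]),
    ("DG_u3", [], ["u3"], ["d5"]),
    ("H1_left", ["y1", "y2"], ["r"], ["d6"]),
    ("Comm", ["u1", "u2", "u3", "r"], ["f1", "f2"], ["d7"]),
    ("FullAdd_f1", ["f1"], [], ["d8"]), ("FullAdd_f2", ["f2"], [], ["d9"]),
    ("H1_z1", ["y1", "s1"], ["z1"], ["d10"]), ("H1_z2", ["y2", "s2"], ["z2"], ["d11"]),
    ("RS", ["z1", "z2"], [], ["d12"]),
    ("H2_z1", ["z1"], [], ["d13", "d18"]), ("H2_z2", ["z2"], [], ["d14", "d19"]),
    ("H2_u1", ["u1"], [], ["d15", "d20"]), ("H2_u2", ["u2"], [], ["d16", "d21"]),
    ("H2_u3", ["u3"], [], ["d17", "d22"]),
]

def shares_needed(gadgets):
    """Walk the topologically ordered gadget list backwards. d-NI rule: a gadget
    probed delta times whose outputs must be simulated from n_out shares needs
    delta + n_out shares of EACH input. Returns a Counter of labels per wire."""
    need = {}
    for _, ins, outs, probes in reversed(gadgets):
        charged = sum((need.get(o, Counter()) for o in outs), Counter(probes))
        if ins:
            for i in ins:
                need[i] = need.get(i, Counter()) + charged
        else:  # generator (DG): its own probes are charged to the value it outputs
            for o in outs:
                need[o] = need.get(o, Counter()) + Counter(probes)
    return need

def double_charged(need):
    """d = sum of all delta_K, so sum(charged) <= d holds on a wire exactly when
    no delta_K is charged to it twice; returns the wires where that fails."""
    return [w for w, c in need.items() if any(m > 1 for m in c.values())]

def worst_wire(need, probes):
    """(wire, shares) for the most exposed wire under a concrete placement."""
    totals = {w: sum(probes.get(k, 0) * m for k, m in c.items()) for w, c in need.items()}
    return max(totals.items(), key=lambda kv: kv[1])

if __name__ == "__main__":
    need = shares_needed(GADGETS)
    print("y1 <-", " + ".join(sorted(need["y1"], key=lambda k: int(k[1:]))), double_charged(need))
    print(worst_wire(need, {f"d{k}": 1 for k in range(1, 23)}))  # constructed: one probe per gadget, d = 22
```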


Cite this article

Barthe, G., Belaïd, S., Espitau, T. et al. Masking the GLP Lattice-Based Signature Scheme at Any Order. J Cryptol 37, 5 (2024). https://doi.org/10.1007/s00145-023-09485-z
