Secure Stern Signatures in Quantum Random Oracle Model

Abstract

The Stern signatures are a class of lattice-based signatures constructed from Stern protocols, a special class of sigma protocols, admitting diverse functionalities with good asymptotic efficiency. However, the post-quantum security of existing Stern signatures is unclear, since they are built via the Fiat-Shamir transformation, which has not been proved to be secure in the quantum random oracle model (QROM). The goal of this paper is to find an alternative transformation for constructing post-quantum secure Stern signatures.

The Unruh transformation (Eurocrypt 2015) is an alternative that can build secure signatures in QROM from post-quantum secure sigma protocols. Unfortunately, its proof relies on the 2-special soundness of the underlying sigma protocol, while Stern protocols are 3-special sound. We fill this gap by providing an extended proof for the Unruh transformation. Specifically, we prove that it is still secure in the QROM even if the underlying sigma protocols are k-special sound, where \(k>2\) could be an arbitrary integer. Observing that Stern protocols are post-quantum secure sigma protocols with 3-special soundness, our proof implies a generic method to obtain secure Stern signatures in the QROM.

A Stern Protocols

Let \(\text {COM}\) be the string commitment scheme from [13], which is statistically hiding and computational binding and based on the SIS assumptions [1]. Assuming there is an ESP \(\mathbb {E}_S=\{\varPhi _{\varphi }|\varphi \in \mathbb {S}\}\) for the set \(\mathbb {V}\) of the Stern relation \(R_{S}\), there is a sigma protocol as in Fig. 3 for \(R_{S}\).

Fig. 3.

The general Stern protocol

In a high level, this protocol is derived by two main techniques, permutation and masking.

• permutation: to prove the witness \(\mathbf {x}\in \mathbb {V}\), the prover randomly samples \(\varphi \leftarrow \mathbb {S}\) that is associated with a permutation \(\varPhi _{\varphi }\), and computes \(\varPhi _{\varphi }(\mathbf {x})\). The prover can convince the verifier that \(\mathbf {x}\in \mathbb {V}\) in zero-knowledge by leaking \(\varPhi _{\varphi }(\mathbf {x})\), since from the properties of \(\varPhi _{\varphi }\) as in Definition 8, we have

  $$\begin{aligned} \varPhi _{\varphi }(\mathbf {x})\in \mathbb {V}\Longleftrightarrow \mathbf {x}\in \mathbb {V}. \end{aligned}$$

• masking: to prove the knowledge of \(\mathbf {x}\) s.t. \(\mathbf {M}\cdot \mathbf {x}=\mathbf {v}\bmod q\), the prover samples \(\mathbf {r}\leftarrow \mathbb {Z}_{q}^{d}\), and demonstrates \(\mathbf {M}\cdot (\mathbf {r}+\mathbf {x})=\mathbf {M}\cdot \mathbf {r}+\mathbf {v}\bmod q\) instead.

The two techniques give an intuitive reason why the Stern protocol has HVZK property. The 3-special soundness can be easily checked by computing a witness from three tuples with the same commitment. We refer interested readers to [19] for a detailed proof.