LegRoast: Efficient Post-quantum Signatures from the Legendre PRF

Conference paper, Post-Quantum Cryptography (PQCrypto 2020). Part of the book series: Lecture Notes in Computer Science (LNSC, volume 12100).

Abstract

We introduce an efficient post-quantum signature scheme that relies on the one-wayness of the Legendre PRF. This “LEGendRe One-wAyness SignaTure” (LegRoast) builds upon the MPC-in-the-head technique to construct an efficient zero-knowledge proof, which is then turned into a signature scheme with the Fiat-Shamir transform. Unlike many other Fiat-Shamir signatures, the security of LegRoast can be proven without using the forking lemma, and this leads to a tight (classical) ROM proof. We also introduce a generalization that relies on the one-wayness of higher-power residue characters; the “POwer Residue ChaRacter One-wAyness SignaTure” (PorcRoast).

LegRoast outperforms existing MPC-in-the-head-based signatures (most notably Picnic/Picnic2) in terms of signature size and speed. Moreover, PorcRoast outperforms LegRoast by a factor of 2 in both signature size and signing time. For example, one of our parameter sets targeting NIST security level I results in a signature size of 7.2 KB and a signing time of 2.8ms. This makes PorcRoast the most efficient signature scheme based on symmetric primitives in terms of signature size and signing time.

This work was supported in part by the Research Council KU Leuven grants C14/18/067 and STG/17/019, by CyberSecurity Research Flanders with reference number VR20192203, by the ERC Advanced Grant ERC-2015-AdG-IMPaCT and by the Defense Advanced Research Projects Agency (DARPA) and Space and Naval Warfare Systems Center, Pacific (SSC Pacific) under contract No. N66001-15-C-4070. Ward Beullens is funded by an FWO fellowship.


References

  1. Baum, C., Nof, A.: Concretely-efficient zero-knowledge arguments for arithmetic circuits and their application to lattice-based cryptography. Cryptology ePrint Archive, Report 2019/532 (2019). https://eprint.iacr.org/2019/532

  2. Beullens, W.: Sigma protocols for MQ, PKP and SIS, and fishy signature schemes. Cryptology ePrint Archive, Report 2019/490 (2019). https://eprint.iacr.org/2019/490

  3. Beullens, W., Beyne, T., Udovenko, A., Vitto, G.: Cryptanalysis of the Legendre PRF and generalizations. Cryptology ePrint Archive, Report 2019/1357 (2019). https://eprint.iacr.org/2019/1357

  4. Beullens, W., Kleinjung, T., Vercauteren, F.: CSI-FiSh: efficient isogeny based signatures through class group computations. In: Galbraith, S.D., Moriai, S. (eds.) ASIACRYPT 2019. LNCS, vol. 11921, pp. 227–247. Springer, Cham (2019). https://doi.org/10.1007/978-3-030-34578-5_9

  5. Beullens, W., Preneel, B.: Field lifting for smaller UOV public keys. In: Patra, A., Smart, N.P. (eds.) INDOCRYPT 2017. LNCS, vol. 10698, pp. 227–246. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-71667-1_12

  6. Beullens, W., Preneel, B., Szepieniec, A., Vercauteren, F.: LUOV. Technical report, National Institute of Standards and Technology (2019). https://csrc.nist.gov/projects/post-quantum-cryptography/round-2-submissions

  7. Chase, M., et al.: Post-quantum zero-knowledge and signatures from symmetric-key primitives. In: Thuraisingham, B.M., Evans, D., Malkin, T., Xu, D. (eds.) ACM CCS 2017, pp. 1825–1842. ACM Press, New York (2017)

  8. van Dam, W., Hallgren, S.: Efficient quantum algorithms for shifted quadratic character problems. arXiv preprint arXiv:quant-ph/0011067 (2000)

  9. Damgård, I.B.: On the randomness of Legendre and Jacobi sequences. In: Goldwasser, S. (ed.) CRYPTO 1988. LNCS, vol. 403, pp. 163–172. Springer, New York (1990). https://doi.org/10.1007/0-387-34799-2_13

  10. Ding, J., Chen, M.S., Petzoldt, A., Schmidt, D., Yang, B.Y.: Rainbow. Technical report, National Institute of Standards and Technology (2019). https://csrc.nist.gov/projects/post-quantum-cryptography/round-2-submissions

  11. Ding, J., Schmidt, D.: Rainbow, a new multivariable polynomial signature scheme. In: Ioannidis, J., Keromytis, A., Yung, M. (eds.) ACNS 2005. LNCS, vol. 3531, pp. 164–175. Springer, Heidelberg (2005). https://doi.org/10.1007/11496137_12

  12. Ducas, L., et al.: CRYSTALS-Dilithium: a lattice-based digital signature scheme. IACR TCHES 2018(1), 238–268 (2018). https://tches.iacr.org/index.php/TCHES/article/view/839

  13. Fiat, A., Shamir, A.: How to prove yourself: practical solutions to identification and signature problems. In: Odlyzko, A.M. (ed.) CRYPTO 1986. LNCS, vol. 263, pp. 186–194. Springer, Heidelberg (1987). https://doi.org/10.1007/3-540-47721-7_12

  14. Goldwasser, S., Micali, S., Rivest, R.L.: A digital signature scheme secure against adaptive chosen-message attacks. SIAM J. Comput. 17(2), 281–308 (1988)

  15. Grassi, L., Rechberger, C., Rotaru, D., Scholl, P., Smart, N.P.: MPC-friendly symmetric key primitives. In: Weippl, E.R., Katzenbeisser, S., Kruegel, C., Myers, A.C., Halevi, S. (eds.) ACM CCS 2016, pp. 430–443. ACM Press, New York (2016)

  16. Hülsing, A., et al.: SPHINCS+. Technical report, National Institute of Standards and Technology (2019). https://csrc.nist.gov/projects/post-quantum-cryptography/round-2-submissions

  17. Ishai, Y., Kushilevitz, E., Ostrovsky, R., Sahai, A.: Zero-knowledge proofs from secure multiparty computation. SIAM J. Comput. 39(3), 1121–1152 (2009)

  18. Iwaniec, H., Kowalski, E.: Analytic Number Theory, vol. 53. American Mathematical Society, Providence (2004)

  19. Katz, J., Kolesnikov, V., Wang, X.: Improved non-interactive zero knowledge with applications to post-quantum signatures. In: Lie, D., Mannan, M., Backes, M., Wang, X. (eds.) ACM CCS 2018, pp. 525–537. ACM Press, Toronto (2018)

  20. Khovratovich, D.: Key recovery attacks on the Legendre PRFs within the birthday bound. Cryptology ePrint Archive, Report 2019/862 (2019). https://eprint.iacr.org/2019/862

  21. Lyubashevsky, V., et al.: CRYSTALS-DILITHIUM. Technical report, National Institute of Standards and Technology (2019). https://csrc.nist.gov/projects/post-quantum-cryptography/round-2-submissions

  22. National Institute of Standards and Technology: Post-quantum cryptography project (2016). https://csrc.nist.gov/projects/post-quantum-cryptography

  23. Prest, T., et al.: FALCON. Technical report, National Institute of Standards and Technology (2019). https://csrc.nist.gov/projects/post-quantum-cryptography/round-2-submissions

  24. de Saint Guilhem, D.C., De Meyer, L., Orsini, E., Smart, N.P.: BBQ: using AES in Picnic signatures. Cryptology ePrint Archive, Report 2019/781 (2019). https://eprint.iacr.org/2019/781

  25. Samardjiska, S., Chen, M.S., Hülsing, A., Rijneveld, J., Schwabe, P.: MQDSS. Technical report, National Institute of Standards and Technology (2019). https://csrc.nist.gov/projects/post-quantum-cryptography/round-2-submissions

  26. Shor, P.W.: Algorithms for quantum computation: discrete logarithms and factoring. In: Proceedings 35th Annual Symposium on Foundations of Computer Science, pp. 124–134. IEEE (1994)

  27. The Picnic team: The Picnic signature algorithm specification (2019). https://github.com/microsoft/Picnic/blob/master/spec/spec-v2.1.pdf

Corresponding author: Ward Beullens.

Appendices

A Proof of Theorem 1

We will use the following version of the Weil bound for character sums [18].

Theorem 3

Let p be a prime and \(\chi \) a non-trivial multiplicative character of \(\mathbb {F}_p^\times \) of order \(d > 1\). If \(f \in \mathbb {F}_p[X]\) has m distinct roots and is not a d-th power, then

$$ \left| \sum _{x\in \mathbb {F}_p} \chi \left( f(x)\right) \right| \le (m-1) \sqrt{p}\, . $$

The following lemma immediately follows:

Lemma 1

Let p be a prime and \(k \, | \, p-1\). For any \(K \not = K' \in \mathbb {F}_p\) and \(a \in \mathbb {Z}_k\), let \(I_{K,K',a}\) be the set of indices i such that \(\mathcal {L}^{k}(K+i) = \mathcal {L}^{k}(K'+i) + a\). Then we have

$$ \frac{p}{k}-\sqrt{p}-1 \le \#I_{K,K',a} \le \frac{p}{k} + \sqrt{p}+2 \, . $$

Proof

Let \(\chi :\mathbb {F}_p^\times \rightarrow \mathbb {Z}_k\) be the restriction of \(\mathcal {L}^{k}\) to \(\mathbb {F}_p^\times \). Note that (unlike \(\mathcal {L}^{k}\)) \(\chi \) is a group homomorphism. Define \(f(i) = (i+K)(i+K')^{k-1}\) and let \(\phi (a)\) be the number of i such that \(i+K\) and \(i+K'\) are non-zero and \(\chi (f(i)) = a\). Clearly we have \(\phi (a) \le \#I_{K,K',a} \le \phi (a)+2\). Let \(\hat{\phi } : \hat{\mathbb {Z}}_k \rightarrow \mathbb {C}\) be the Fourier transform of \(\phi \). Then we have

$$\begin{aligned} \hat{\phi } (\rho ) = \sum _{a \in \mathbb {Z}_k} \rho (a) \phi (a) {}&= \sum _{a \in \mathbb {Z}_k} \rho (a) \sum _{i\in \mathbb {F}_p, i \not = K, i \not = K'} {\left\{ \begin{array}{ll} 1 \text { if } \chi (f(i)) = a \\ 0 \text { otherwise } \end{array}\right. } \\&= \sum _{i\in \mathbb {F}_p, i \not = K, i \not = K'} \rho \circ \chi (f(i)) \end{aligned}$$

Observe that \(\rho \circ \chi \) is a multiplicative character of \(\mathbb {F}_p^\times \), and that \(\rho \circ \chi \) is trivial if and only if \(\rho \) is trivial. Clearly \(\hat{\phi }(1) = p-2\), and for non-trivial \(\rho \), the Weil bound says that \(|\hat{\phi }(\rho )| \le \sqrt{p}\). Therefore, it follows from the inverse Fourier transform formula that

$$\begin{aligned} \phi (a)&= \frac{1}{|\mathbb {Z}_k|} \sum _{\rho \in \hat{\mathbb {Z}}_k} \rho (a) \hat{\phi }(\rho ) {} \le \frac{p-2}{k} + \frac{k-1}{k}\sqrt{p} \le \frac{p}{k} + \sqrt{p} \, . \end{aligned}$$

and similarly that \( \frac{p}{k} -\sqrt{p} - 1 \le \phi (a) \).    \(\square \)
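Lemma 1 can be checked exhaustively for a small prime. The Python below is an added example, not code from the paper; it assumes the usual definition of \(\mathcal {L}^{k}\) (the index of \(x^{(p-1)/k}\) in the order-k subgroup of \(\mathbb {F}_p^\times \) with respect to a fixed generator, with \(\mathcal {L}^{k}(0) = 0\)), and it goes beyond the Legendre case \(k=2\) to the higher-power characters that PorcRoast uses.

```python
"""Exhaustive check of Lemma 1 for a small prime (added example, not the paper's code).

Assumed definition of L^k (not restated on the page): fix a generator g of F_p^*;
for x != 0, L^k(x) is the a in Z_k with x^((p-1)/k) = g^(a(p-1)/k), and L^k(0) = 0.
For k = 2 this is the Legendre symbol mapped to {0, 1}.
"""
import math


def find_generator(p: int) -> int:
    """Smallest generator of F_p^* (brute force; p is small here)."""
    n, m, factors, f = p - 1, p - 1, set(), 2
    while f * f <= m:  # factor p - 1 by trial division
        while m % f == 0:
            factors.add(f)
            m //= f
        f += 1
    if m > 1:
        factors.add(m)
    for g in range(2, p):
        if all(pow(g, n // q, p) != 1 for q in factors):
            return g
    raise ValueError("no generator found")


def power_residue_table(p: int, k: int) -> list:
    """chi[x] = L^k(x) for every x in F_p, with chi[0] = 0 by convention."""
    if (p - 1) % k != 0:
        raise ValueError("k must divide p - 1")
    g, e = find_generator(p), (p - 1) // k
    # x^e lands in the order-k subgroup {g^(a e)}; map each element back to a in Z_k
    index_of = {pow(g, a * e, p): a for a in range(k)}
    return [0] + [index_of[pow(x, e, p)] for x in range(1, p)]


def count_index_sets(chi: list, p: int, k: int, K: int, Kp: int) -> list:
    """counts[a] = #I_{K,K',a} = #{ i in F_p : L^k(K+i) = L^k(K'+i) + a (mod k) }."""
    counts = [0] * k
    for i in range(p):
        counts[(chi[(K + i) % p] - chi[(Kp + i) % p]) % k] += 1
    return counts


def lemma1_holds(p: int, k: int) -> bool:
    """True if p/k - sqrt(p) - 1 <= #I_{K,K',a} <= p/k + sqrt(p) + 2 for all K != K' and a."""
    chi = power_residue_table(p, k)
    lo, hi = p / k - math.sqrt(p) - 1, p / k + math.sqrt(p) + 2
    for K in range(p):
        for Kp in range(p):
            if K != Kp and any(not lo <= c <= hi for c in count_index_sets(chi, p, k, K, Kp)):
                return False
    return True


if __name__ == "__main__":
    # Legendre case (k = 2) and a PorcRoast-style quartic character (k = 4)
    print(lemma1_holds(101, 2), lemma1_holds(101, 4))
```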

Now we can prove Theorem 1.

Proof

By Lemma 1, for any \(K' \ne K\) and \(a \in \mathbb {Z}_k\), and for a uniformly random set of inputs \(\mathcal {I}\), the distance \(d_H (F^k_\mathcal {I}(K') + (a,\dots ,a), s)\) is distributed as \(\mathcal {B}(L,1-\alpha )\) for some \(\alpha \in [ 1/k - \frac{1}{\sqrt{p}} - \frac{1}{p}, 1/k + \frac{1}{\sqrt{p}} + \frac{2}{p} ]\). Therefore, the probability that for a tuple \((K',a)\) we have \(d_H(F^k_\mathcal {I}(K') + (a,\dots ,a), s) \le \beta L\) is at most

$$ \Pr [\mathcal {B}(L,1/k + \frac{1}{\sqrt{p}} + \frac{2}{p}) > (1-\beta ) L]\, . $$

Since there are only \((p-1)k\) possible values for \((K',a)\), the probability that there exists a non-trivial witness for the \(\beta \)-relaxed relation is at most \((p-1)k \cdot \Pr [\mathcal {B}(L,1/k + \frac{1}{\sqrt{p}} + \frac{2}{p}) > (1-\beta ) L]\).    \(\square \)

B Security Proof

To prove Theorem 2, we first reduce the EUF-KO security to the \( \beta \)-approximate PRF relation (Lemma 2); we then reduce the EUF-CMA security to the EUF-KO security (Lemma 3). For two real random variables A, B, we write \(A \prec B\) if for all \(x \in (-\infty ,+\infty )\) we have \(\Pr [A> x] \le \Pr [B > x]\).

Lemma 2

(EUF-KO security). Let \(\mathcal {H}_\mathsf {sd},\mathcal {H}_1,\mathcal {H}_2\) and \(\mathcal {H}_3\) be modeled as random oracles and fix a constant \(\beta \in [0,1]\). If there exists a PPT adversary \(\mathcal {A}\) that makes \(q_\mathsf {sd},q_1,q_2\) and \(q_3\) queries to the respective oracles, then there exists a PPT \(\mathcal {B}\) which, given \(\mathsf {pk}= F^k_L(K)\) for a random \(K \in \mathbb {F}_p\) outputs a \(\beta \)-approximate witness for \(\mathsf {pk}\) with probability at least \(\mathbf {Adv}^{\text{ EUF-KO }}_{\mathcal {A}}(1^\lambda ) - e(q_\mathsf {sd},q_1,q_2,q_3)\), with

$$ e(q_\mathsf {sd},q_1,q_2,q_3) = \frac{MN(q_\mathsf {sd}+ q_1 + q_2 + q_3)^2}{2^{2\lambda }} + \Pr [X+Y+Z = M] \,, $$

where \(X = \max (X_1,\dots ,X_{q_1}), Y = \max (Y_1,\dots ,Y_{q_2})\) and \(Z = \max (Z_1,\dots ,Z_{q_3})\), the \(X_i\) are i.i.d. as \(\mathcal {B}(M,(1-\beta )^B)\), the \(Y_i\) are i.i.d. as \(\mathcal {B}(M-X,\frac{2}{p})\) and the \(Z_i\) are i.i.d. as \(\mathcal {B}(M-X-Y,\frac{1}{N})\).

Proof

The algorithm \(\mathcal {B}\) receives a statement \(s = F^k_L(K)\) and forwards it to \(\mathcal {A}\) as \( \mathsf {pk}\). Then, \(\mathcal {B}\) simulates the random oracles \(\mathcal {H}_\mathsf {sd},\mathcal {H}_1,\mathcal {H}_2\) and \(\mathcal {H}_3\) by maintaining initially empty lists of queries \(\mathcal {Q}_\mathsf {sd},\mathcal {Q}_1,\mathcal {Q}_2,\mathcal {Q}_3\). Moreover, \(\mathcal {B}\) keeps initially empty tables \(\mathcal {T}_{\textit{s}}, \mathcal {T}_{\textit{i}}\) and \(\mathcal {T}_{\textit{o}}\) for shares, inputs, and openings. If \(\mathcal {A}\) queries one of the random oracles on an input that it has queried before, \(\mathcal {B}\) responds as before; otherwise \(\mathcal {B}\) does the following:

  • \(\mathcal {H}_\mathsf {sd}\): On new input \((\mathsf {salt},\mathsf {sd})\), \(\mathcal {B}\) samples \(x \xleftarrow {\$}\{ 0, 1\}^{2\lambda }\). If \(x \in \mathsf {Bad}_\mathsf {H}\), then \(\mathcal {B}\) aborts. Otherwise, \(\mathcal {B}\) adds x to \(\mathsf {Bad}_\mathsf {H}\), \(((\mathsf {salt},\mathsf {sd}),x)\) to \(\mathcal {Q}_\mathsf {sd}\) and returns x.

  • \(\mathcal {H}_1\): On new input \(Q = (m,\mathsf {salt},\sigma _1)\), with \(\sigma _1 = ( ( \mathsf {C}_{e,i} )_{i\in [N]}, (s_e^{(j)})_{j \in [B]}, \varDelta K_e, \varDelta c_e )_{e \in [M]}\), \(\mathcal {B}\) adds \(\mathsf {C}_{e,i}\) to \(\mathsf {Bad}_\mathsf {H}\) for all \(e\in [M]\) and \(i\in [N]\). For any \((e,i) \in [M]\times [N]\) for which there exists \(\mathsf {sd}_{e,i}\) such that \(((\mathsf {salt},\mathsf {sd}_{e,i}),\mathsf {C}_{e,i}) \in \mathcal {Q}_\mathsf {sd}\), define

    $$ k_{e,i},a_{e,i},b_{e,i},c_{e,i},r_{e,i}^{(1)},\cdots ,r_{e,i}^{(B)} \leftarrow \mathsf {Expand}(\mathsf {sd}_{e,i}) $$

    and add \(\mathcal {T}_{\textit{s}}[Q,e,i] = (k_{e,i}, a_{e,i}, b_{e,i}, c_{e,i}, r_{e,i}^{(1)}, \dots , r_{e,i}^{(B)})\). If \(\mathcal {T}_{\textit{s}}[Q,e,i]\) is defined for all \(i\in [N]\) for some \(e\in [M]\), then we define

    $$\begin{aligned} (k_e, a_e, b_e, c_e, r_e^{(1)}, \dots ,r_e^{(B)})&\leftarrow \sum _{i \in [N]} (k_{e,i}, a_{e,i}, b_{e,i}, c_{e,i}, r_{e,i}^{(1)}, \dots , r_{e,i}^{(B)}) \\ (k_e, c_e)&\leftarrow (k_e + \varDelta K_e, c_e + \varDelta c_e) \end{aligned}$$

    and add \(\mathcal {T}_{\textit{i}}[Q,e] = (k_e, a_e, b_e, c_e, r_e^{(1)}, \dots , r_e^{(B)})\). Finally, \(\mathcal {B}\) samples \(x \xleftarrow {\$}\{ 0, 1\}^{2\lambda }\). If \(x \in \mathsf {Bad}_\mathsf {H}\) then abort. Otherwise, \(\mathcal {B}\) adds \((Q,x)\) to \(\mathcal {Q}_1\) and x to \(\mathsf {Bad}_\mathsf {H}\) and returns x.

  • \(\mathcal {H}_2\): On new input \(Q = (h_1, \sigma _2)\), where \(\sigma _2 = (o_e^{(j)})_{e\in [M],j\in [B]}\), \(\mathcal {B}\) adds \(h_1\) to \(\mathsf {Bad}_\mathsf {H}\) and samples \(x \xleftarrow {\$}\{ 0, 1\}^{2\lambda }\). If \(x \in \mathsf {Bad}_\mathsf {H}\) then abort. Otherwise, \(\mathcal {B}\) adds \((Q,x)\) to \(\mathcal {Q}_2\) and x to \(\mathsf {Bad}_\mathsf {H}\). If there exists \((Q_1,h_1) \in \mathcal {Q}_1\), then \(\mathcal {B}\) does the following: let \((\epsilon _e, \lambda _e^{(1)}, \dots , \lambda _e^{(B)})_{e\in [M]} \leftarrow \mathsf {Expand}(x)\). For each \(e \in [M]\) such that \(\mathcal {T}_{\textit{i}}[Q_1,e]\) is defined, compute

    $$\begin{aligned} \alpha _{e}&= a_e + \epsilon _e k_e, \qquad \qquad \beta _{e} = b_e + \sum _{j\in [B]} \lambda _e^{(j)} r_{e}^{(j)} \text { and } \\ \gamma _{e}&= -c_e + \alpha _e b_e + \beta _e a_e + \epsilon _e \sum _{j\in [B]} \lambda _e^{(j)} ( o_e^{(j)} - I_e^{(j)} r_e^{(j)} ) \end{aligned}$$

    and add \(\mathcal {T}_{\textit{o}}[Q_2,e] = (\alpha _e,\beta _e,\gamma _e)\). Finally \(\mathcal {B}\) returns x.

  • \(\mathcal {H}_3\): On new input \(Q = (h_2,\sigma _3)\), \(\mathcal {B}\) adds \(h_2\) to \(\mathsf {Bad}_\mathsf {H}\) and samples \(x \xleftarrow {\$}\{ 0, 1\}^{2\lambda }\). If \(x \in \mathsf {Bad}_\mathsf {H}\) then \( \mathcal {B}\) aborts. Otherwise, \(\mathcal {B}\) adds \((Q,x)\) to \(\mathcal {Q}_3\), x to \(\mathsf {Bad}_\mathsf {H}\) and returns x.

When \(\mathcal {A}\) terminates, \(\mathcal {B}\) goes through \(\mathcal {T}_{\textit{i}}\) and for each \((K_e, \dots ) \in \mathcal {T}_{\textit{i}}\), \(\mathcal {B}\) checks if \(K_e\) is a \(\beta \)-approximate witness. If it is, then \(\mathcal {B}\) outputs \(K_e\). If no entry in \(\mathcal {T}_{\textit{i}}\) contains a witness, \(\mathcal {B}\) outputs \(\bot \). Clearly, if \(\mathcal {A}\) runs in time T, then \(\mathcal {B}\) runs in time \(T + O(q_\mathsf {sd}+ q_1 + q_2 + q_3 )\).

In the rest of the proof, we show that if \(\mathcal {A}\) wins the EUF-KO game with probability \(\epsilon \), then \(\mathcal {B}\) outputs a \( \beta \)-approximate witness with probability at least \(\epsilon - e(q_\mathsf {sd}, q_1, q_2, q_3)\) as defined in the statement of Lemma 2.

Cheating in the First Phase. Let \((Q_{\mathsf {best}_1}, h_{\mathsf {best}_1}) \in \mathcal {Q}_1\) be the “best” query-response pair that \(\mathcal {A}\) received from \(\mathcal {H}_1\), by which we mean the pair that maximizes \(\#\mathsf {G}_1((Q,h))\) over all \((Q,h) \in \mathcal {Q}_1\), where \(\mathsf {G}_1(Q,h = \{I_e^{(j)}\}_{e\in [M],j\in [B]})\) is defined as the set of “good executions” \(e\in [M]\) such that \(\mathcal {T}_{\textit{i}}(Q,e)\) is defined and

$$\begin{aligned} \mathcal {L}^{k}( (K_e + I_e^{(j)}) r_e^{(j)}) = s_e^{(j)} + \mathsf {pk}_{I_e^{(j)}} \text { for all } j \in [B]. \end{aligned} \qquad (2)$$

We show that, if \(\mathcal {B}\) outputs \(\bot \), then the number of good indices is bounded. More precisely, we prove that \( \#\mathsf {G}_1(Q_{\mathsf {best}_1}, h_{\mathsf {best}_1}) |_\bot \prec X, \) where X is as defined in the statement of Lemma 2.

Indeed, for each distinct query to \(\mathcal {H}_1\) of the form \(Q = (m, \mathsf {salt}, \sigma _1)\), with \(\sigma _1 = ( ( \mathsf {C}_{e,i} )_{i\in [N]}, (s_e^{(j)})_{j \in [B]}, \varDelta K_e, \varDelta c_e )_{e \in [M]}\) and for all \(e\in [M]\), let \(\beta _e^{(j)}(Q) = d_H(F_L^{k}(K_e) + (\mathcal {L}^{k}(r_e^{(j)}), \dots , \mathcal {L}^{k}(r_e^{(j)})), s_e^{(j)} + \mathsf {pk})\) if \(\mathcal {T}_{\textit{i}}(Q,e)\) is defined and \(\beta _e^{(j)}(Q) = 1\) otherwise. The event \(\bot \) implies that none of the \(K_e\) in \(\mathcal {T}_{\textit{i}}\) is a \(\beta \)-approximate witness, which means that \(\beta _e^{(j)}(Q) > \beta \) for all \(Q \in \mathcal {Q}_1, e \in [M]\) and \(j\in [B]\).

Since the response \(h = \{I_e^{(j)} \}_{e \in [M], j\in [B]}\) is uniform, the probability that for a certain e, Eq. (2) holds is \(\prod _{j\in [B]} (1-\beta _{e}^{(j)}(Q)) \le (1-\beta )^B\). Therefore, we have that \( \#\mathsf {G}_1(Q,h)|_\bot \prec X_Q, \) where \(X_Q \sim \mathcal {B}(M,(1-\beta )^B)\). Finally, since \(\mathsf {G}_1(Q_{\mathsf {best}_1},h_{\mathsf {best}_1})\) is the maximum over at most \(q_1\) values of \(\mathsf {G}_1(Q,h)\), it follows that \( \#\mathsf {G}_1(Q_{\mathsf {best}_1}, h_{\mathsf {best}_1})|_\bot \prec X, \) with X as in the statement of Lemma 2.

Cheating in the Second Round. We now look at the best query-response pair \((Q_{\mathsf {best}_2}, h_{\mathsf {best}_2})\) that \(\mathcal {A}\) received from \(\mathcal {H}_2\). This is the pair for which \(\#\mathsf {G}_2 (Q_2, h_2)\) is maximum, where \(\mathsf {G}_2( Q_2 = (h_1, ( o_e^{(j)} )_{e\in [M],j\in [B]}), h_2)\) is the set of “good” executions defined as follows: if there exists no \(Q_1\) such that \((Q_1,h_1) \in \mathcal {Q}_1\), then all indices are bad (because this query cannot lead to a valid signature). Otherwise, let \(Q_1 = (m, \mathsf {salt}, ( ( \mathsf {C}_{e,i} )_{i\in [N]}, (s_e^{(j)})_{j \in [B]}, \varDelta K_e, \varDelta c_e )_{e \in [M]})\). If there exist \((e,j) \in [M]\times [B]\) such that

$$\begin{aligned} \mathcal {L}^{k}(o_e^{(j)}) \not = s_{e}^{(j)} + \mathsf {pk}_{I_{e}^{(j)}}, \end{aligned} \qquad (3)$$

then this query can also not result in a valid signature, so we define \(\mathsf {G}_2(Q_2, h_2) = \{\}\). Otherwise, we say \(\mathsf {G}_2(Q_2,h_2)\) is the set of executions \(e\in [M]\) for which \(\mathcal {T}_{\textit{o}}[Q_2,e] = (\alpha _e,\beta _e,\gamma _e)\) is defined and such that \(\alpha _e \beta _e = \gamma _e\).

Again, we prove that in the case that \(\mathcal {B}\) outputs \(\bot \), the number of good indices is bounded: \( \#\mathsf {G}_2(Q_{best_2},h_{best_2})|_\bot \prec X+Y, \) where Y is defined as in the statement of Lemma 2.

Note that for fixed \(a_e, b_e, c_e, K_e, r_e^{(1)}, \dots , r_e^{(B)}\) and \(o_e^{(1)}, \dots , o_e^{(B)}\) the function \(\alpha _e(\epsilon _e) \beta _e(\lambda _e^{(j)}) - \gamma _e(\epsilon _e,\lambda _e^{(j)})\) is a quadratic polynomial in \(\epsilon _e, \lambda _e^{(1)}, \dots , \lambda _e^{(B)}\). Moreover, this is the zero-polynomial if and only if \(c_e = a_e b_e\) and \(o_e^{(j)} = (K_e+I_{e}^{(j)})r_e^{(j)}\) for all \(j\in [B]\).

Let \(Q = (h_1, \{o_e^{(j)}\}_{e\in [M],j\in [B]})\) be a query to \(\mathcal {H}_2\). If there exists no \((Q_1,h_1) \in \mathcal {Q}_1\) then \(\mathsf {G}_2(Q,h_2) = \{\}\) with probability 1. Otherwise, consider an execution \(e \not \in \mathsf {G}_1(Q_1,h_1)\). Either \(o_e^{(j)} = (K_e+I_{e}^{(j)})r_e^{(j)}\) for all \(j \in [B]\), in which case Eq. (2) failing for e means that Eq. (3) holds, so \(\mathsf {G}_2(Q,h_2) = \{\}\) with probability 1; or \(o_e^{(j)} \not = (K_e+I_{e}^{(j)})r_e^{(j)}\) for some \(j\in [B]\), in which case \(\alpha _e \beta _e - \gamma _e\) is a non-zero quadratic polynomial in \(\epsilon _e\) and the \(\lambda _e^{(j)}\), so the Schwartz-Zippel lemma says that for a uniformly random choice of \(h_2 = \{ \epsilon _e, \lambda _e^{(j)} \}_{e\in [M],j\in [B]} \in \mathbb {F}_p^{M(1+B)}\) the probability that \(e \in \mathsf {G}_2(Q,h_2)\) is at most 2/p. Therefore, we have that \( \#\mathsf {G}_2(Q,h_2)|_{\#\mathsf {G}_1(Q_1,h_1)=M'_1} \prec M'_1 + Y'_Q, \) where \(Y'_Q \sim \mathcal {B}(M - M'_1, 2/p)\). Since for integers \(a \le b\) and \(p \in [0,1]\) we have \( \mathcal {B}(b,p) \prec a + \mathcal {B}(b-a,p) \), this implies that \( \#\mathsf {G}_2 (Q, h_2)|_{\#\mathsf {G}_1(Q_{\mathsf {best}_1},h_{\mathsf {best}_1})=M_1} \prec M_1 + Y_Q, \) where \(Y_Q \sim \mathcal {B}(M - M_1, 2/p)\). Since \(\#\mathsf {G}_2(Q_{\mathsf {best}_2},h_{\mathsf {best}_2})\) is the maximum over at most \(q_{2}\) values of \(\#\mathsf {G}_2(Q,h_2)\), it follows that \( \#\mathsf {G}_2(Q_{\mathsf {best}_2},h_{\mathsf {best}_2})|_{M_1 = \#\mathsf {G}_1(Q_{\mathsf {best}_1},h_{\mathsf {best}_1})} \prec M_1+Y . \) Finally, by conditioning on \(\bot \) and summing over all \(M_1\), we get

$$\begin{aligned} \#\mathsf {G}_2(\mathsf {state}_{best,2})|_\bot \prec \#\mathsf {G}_1(\mathsf {state}_{best,1})|_\bot +Y \prec X+Y. \end{aligned}$$

Cheating in the Third Round. Finally, we can bound the probability that \(\mathcal {A}\) wins the EUF-KO game, conditioned on \(\mathcal {B}\) outputting \(\bot \). Without loss of generality, we can assume that \(\mathcal {A}\) outputs a signature \(\sigma \) such that, if \(Q_1, Q_2\) and \(Q_3\) are the queries that the verifier makes to \(\mathcal {H}_1, \mathcal {H}_2 \) and \(\mathcal {H}_3\) to verify \(\sigma \), then \(\mathcal {A}\) has made these queries as well. (If this is not the case, then we can define \(\mathcal {A}'\) that only outputs a signature after running the verification algorithm on \( \mathcal {A}\)’s output.) Now, for each query \(Q = (h_2, (\{\alpha _e,\beta _e\}_{e \in [M]}, \{\alpha _{e,i}, \beta _{e,i},\gamma _{e,i}\}_{e \in [M],i\in [N]}))\) that \(\mathcal {A}\) makes to \(\mathcal {H}_3\), we study the probability that this leads \( \mathcal {A}\) to win the EUF-KO game. If there does not exist \(Q' = ( o_e^{(j)} )_{e\in [M],j\in [B]}\) such that \((Q',h_2) \in \mathcal {Q}_2\) then this query cannot result in a win for \(\mathcal {A}\), because \(\mathcal {A}\) would need to find such a \(Q'\) at a later point, and \(\mathcal {B}\) would abort if this happens. Take \(e \in [M] \setminus \mathsf {G}_2(Q',h_2)\); then either \(e \not \in \mathsf {G}_2(Q',h_2)\) because there exists \((e',j) \in [M]\times [B]\) such that \( \mathcal {L}^{k}(o_{e'}^{(j)}) \not = s_{e'}^{(j)} + \mathsf {pk}_{I_{e'}^{(j)}}, \) in which case, independent of \(h_3\) and \(\sigma _4\), we have that \(\mathsf {Vf}(\sigma ) = 0\). Or otherwise \(e \not \in \mathsf {G}_2(Q',h_2)\) because \(\alpha _e,\beta _e\) and \(\gamma _e\) are not defined or \(\alpha _e \beta _e \not = \gamma _e\). In this case, the query can only result in a win if exactly \(N-1\) of the parties “behave honestly” in the MPC protocol. By this we mean that for exactly \(N-1\) values of \(i \in [N]\) there exists \(\mathsf {sd}_{e,i}\) such that \((\mathsf {sd}_{e,i}, \mathsf {C}_{e,i}) \in \mathcal {Q}_\mathsf {sd}\) and, if we put \(K_{e,i}, a_{e,i}, b_{e,i}, c_{e,i}, \{ r_{e,i}^{(j)}\}_{j \in [B]} = \mathsf {Expand}(\mathsf {sd}_{e,i})\), then

$$\begin{aligned} \alpha _{e,i}&= a_{e,i} + \epsilon _e K_{e,i}, \qquad \qquad \beta _{e,i} = b_{e,i} + \sum _{j\in [B]} \lambda _e^{(j)} r_{e,i}^{(j)}, \\ \gamma _{e,i}&= - c_{e,i} + \alpha _e b_{e,i} + \beta _e a_{e,i} + \epsilon _e \sum _{j\in [B]} \lambda _e^{(j)} ( o_e^{(j)} - I_e^{(j)} r_{e,i}^{(j)} ). \end{aligned}$$

Indeed, if there are fewer than \(N-1\) honest parties, \(\sigma _4\) cannot reveal \(N-1\) honest views. In contrast, if all N parties act honestly, then we have \(\gamma _e \not = \alpha _e \beta _e\), so the signature verification will also fail. The state \((\sigma _1,h_1,\sigma _2,h_2,\sigma _3)\) can only result in a win if \(h_3 = \{ \overline{i}_e \}_{e \in [M]}\) is such that \(\overline{i}_e\) is the index of the dishonest party. Since \(h_3 \in [N]^M\) is chosen uniformly at random, the probability that this happens for all \(e \not \in \mathsf {G}_2(Q',h_2)\) is

$$ \left( \frac{1}{N}\right) ^{M- \#\mathsf {G}_2(Q',h_2)} \le \left( \frac{1}{N}\right) ^{M- \#\mathsf {G}_2(Q_{\mathsf {best},2},h_{\mathsf {best},2})}\, .$$

The probability that this happens for at least one of the at most \(q_3\) queries is

$$ \Pr [ \mathcal {A}\, \mathsf {Wins} | \#\mathsf {G}_2(\mathsf {state}_{best,2}) = M_2 ] \le 1-\left( 1-\left( \frac{1}{N}\right) ^{M-M_2}\right) ^{q_3} \, . $$

Conditioning on \(\mathcal {B}\) outputting \(\bot \) and summing over all values of \(M_2\) yields

$$ \Pr [\mathcal {A}\, \mathsf {Wins} \, | \, {\bot }] \le \Pr [ X+Y+Z = M ] \, . $$

To Conclude. We now show that if \(\mathcal {A}\) wins the EUF-KO game with probability \(\epsilon \), then \( \mathcal {B}\) outputs a \(\beta \)-approximate witness with probability \(\epsilon - e(q_\mathsf {sd},q_1,q_2,q_3)\). Indeed, \(\mathcal {B}\) either aborts, outputs \(\bot \), or outputs a \(\beta \)-approximate witness. The reduction \(\mathcal {B}\) only aborts if one of the random oracles outputs one of the at most \( q_\mathsf {sd}+ MN q_1 + q_2 + q_3\) bad values. Therefore, we have

$$\begin{aligned} \Pr [ \, \mathcal {B}\text { aborts } ]&\le \frac{MN(q_\mathsf {sd}+ q_1 + q_2 + q_3)^2}{2^{2\lambda }}. \end{aligned}$$

By the law of total probability we have

$$\begin{aligned} \Pr [ \mathcal {A}\text { wins}] = {}&\Pr [ \mathcal {A}\text { wins} \wedge \mathcal {B}\text { aborts}] + \Pr [ \mathcal {A}\text { wins} \wedge \bot ] \\&+ \Pr [ \mathcal {A}\text { wins} \wedge \mathcal {B}\text { outputs witness}] \\ {} \le {}&\Pr [ \mathcal {B}\text { aborts}] + \Pr [ \mathcal {A}\text { wins } | \bot ] + \Pr [ \mathcal {B}\text { outputs witness}] \\ {} \le {}&e(q_\mathsf {sd},q_1,q_2,q_3) + \Pr [ \mathcal {B}\text { outputs witness}]. \end{aligned}$$

Lemma 3

Modeling the commitment scheme as a random oracle, if there is an adversary \(\mathcal {A}\) that wins the EUF-CMA security game against LegRoast with advantage \(\epsilon \), then there exists an adversary \(\mathcal {B}\) that, given oracle access to \(\mathcal {A}\), and with a constant overhead factor, wins the EUF-KO security game against LegRoast with probability at least \(\epsilon - \frac{q_s(q_s + q_3)}{2^{2\lambda }} - \frac{q_\mathsf {sd}}{2^\lambda },\) where \(q_s,q_\mathsf {sd}\) and \(q_3\) are the number of queries that \(\mathcal {A}\) makes to the signing oracle, \(\mathcal {H}_\mathsf {sd}\) and \(\mathcal {H}_3\) respectively.

Proof

Let \( \mathcal {A}\) be an adversary against the EUF-CMA security of LegRoast; we construct an adversary \( \mathcal {B}\) against its EUF-KO security. When \( \mathcal {B}\) is run on input \( \mathsf {pk}\), it starts \( \mathcal {A}\) also on input \( \mathsf {pk}\). We first describe how \( \mathcal {B}\) deals with random oracle queries and signature queries, then argue that its signature simulations are indistinguishable from real ones, and finally show that EUF-KO security implies EUF-CMA security.

Simulating Random Oracles. For each random oracle, \( \mathcal {B}\) maintains a table of input-output pairs. When \( \mathcal {A}\) queries one of the random oracles, \( \mathcal {B}\) first checks if that query has been made before. If this is the case, \( \mathcal {B}\) responds to \( \mathcal {A}\) with the corresponding recorded output. If not, \( \mathcal {B}\) returns a uniformly random output and records the new input-output pair in the table.

Signing Oracle Simulation. When \( \mathcal {A}\) queries the signing oracle, \( \mathcal {B}\) simulates a signature \( \sigma \) by sampling a random witness and cheating in the MPC verification phase to hide the fact it has sampled the witness as random. It then programs the last random oracle to always hide the party for which it has cheated. Formally, \( \mathcal {B}\) simulates the signing oracle as follows:

  1. To simulate \( \sigma _1 \), \( \mathcal {B}\) follows Phase 1 as in the scheme with one difference: for each \( e \in [M] \), it samples \( \varDelta K_e \) uniformly, effectively sampling \( K_e \) at random. \( \mathcal {B}\) aborts if it picked a salt that was used in one of the earlier simulated signatures.

  2. \( \mathcal {B}\) simulates the random oracle to obtain \( h_1 \leftarrow \mathcal {H}_1 (m, \mathsf {salt}, \sigma _1) \).

  3. To simulate \( \sigma _2 \), \( \mathcal {B}\) samples \( o^{(j)}_e \in \mathbb {F}_p^*\) for each \( j \in [B] \) and \( e \in [M] \) in such a way that \( \mathcal {L}^{k}( o^{(j)}_e ) - s^{(j)}_e = \mathsf {pk}_{I^{(j)}_e} \).

  4. \( \mathcal {B}\) simulates the random oracle to obtain \( h_2 \leftarrow \mathcal {H}_2 (h_1, \sigma _2) \).

  5. To simulate \( \sigma _3 \), \( \mathcal {B}\) must cheat during the sacrificing protocol to ensure that \( \gamma _e = \alpha _e \beta _e \) for all executions. To do so, for each \( e \in [M] \), \( \mathcal {B}\) first samples \( \bar{i}_e \in [N] \) at random. Then it computes Phase 5 honestly except for \( \gamma _{e,\bar{i}_e} \); for that value, it instead sets \( \gamma _{e,\bar{i}_e} \leftarrow \alpha _e \beta _e - \sum _{i \ne \bar{i}_e} \gamma _{e, i} \). Finally it sets \( \sigma _3 \) as in the scheme using the alternative \( \gamma _{e, \bar{i}_e} \) value.

  6. If \( (h_2, \sigma _3) \) has already been queried to \( \mathcal {H}_3 \), then \( \mathcal {B}\) aborts. If not, \( \mathcal {B}\) sets \( h_3 = (\bar{i}_1, \dots , \bar{i}_M) \) with the values it sampled previously and then programs its own random oracle \( \mathcal {H}_3 \) such that \( h_3 \leftarrow \mathcal {H}_3 (h_2, \sigma _3) \).

  7. \( \mathcal {B}\) follows the scheme to simulate \( \sigma _4 \) and the final signature \( \sigma \).

Finally, when \( \mathcal {A}\) outputs a forgery for its EUF-CMA game, \( \mathcal {B}\) forwards it as its forgery for the EUF-KO game.
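The core of steps 3 and 5 above, as an added toy example that is not the paper's code: a prover holding a random witness can force the Legendre residue check to pass by choosing \( o^{(j)}_e \) directly, but then fails the sacrificing multiplication check; the simulator passes it only because it overwrites the share \( \gamma _{\bar{i}} \) of one party, whose view is never opened. The prime, the public indices, the sharing of \( K \) as a single value and the simplified sacrificing equation \( \gamma = \varepsilon z + \alpha b + \beta a - c \) are constructed assumptions of this example, not the scheme's parameters.

```python
import random

p = 1000003        # constructed small prime (toy); LegRoast uses a ~127-bit prime
N, B = 4, 3        # parties per MPC execution, Legendre evaluations checked per execution

def leg(x):
    """Legendre PRF bit of x: 0 if x is a nonzero square mod p, else 1."""
    return 0 if pow(x % p, (p - 1) // 2, p) == 1 else 1

def share(v):
    """Additive secret sharing of v over F_p among N parties."""
    s = [random.randrange(p) for _ in range(N - 1)]
    return s + [(v - sum(s)) % p]

def keygen(I):
    """Secret key K and public key pk_I = leg(K + I) for each public index I."""
    K = random.randrange(p)
    return K, [leg(K + i) for i in I]

def execution(K, I, pk, mode):
    """One MPC execution: residue check, then the sacrificing multiplication check.
    mode: 'honest' (real witness), 'forge' (random witness, o_j forced to match pk),
    'simulate' (forge plus the simulator's cheating party i_bar)."""
    r = [random.randrange(1, p) for _ in range(B)]          # masks; s_j = leg(r_j)
    if mode == 'honest':
        o = [(K + I[j]) * r[j] % p for j in range(B)]       # o_j = (K + I_j) * r_j
    else:                                                   # step 3: leg(o_j) - s_j = pk_j
        o = []
        for j in range(B):
            x = random.randrange(1, p)
            while leg(x) ^ leg(r[j]) != pk[j]:
                x = random.randrange(1, p)
            o.append(x)
    if any(leg(o[j]) ^ leg(r[j]) != pk[j] for j in range(B)):
        return False                                        # residue check fails
    # sacrificing check that z = K*y, with y = sum lam_j r_j and z = sum lam_j (o_j - I_j r_j)
    eps, lam = random.randrange(1, p), [random.randrange(1, p) for _ in range(B)]
    y = sum(l * rj for l, rj in zip(lam, r)) % p
    z = sum(l * (oj - Ij * rj) for l, oj, Ij, rj in zip(lam, o, I, r)) % p
    a, b = random.randrange(p), random.randrange(p)         # multiplication triple (a, b, ab)
    zs, as_, bs, cs = share(z), share(a), share(b), share(a * b % p)
    alpha, beta = (eps * K + a) % p, (y + b) % p            # opened broadcast values
    gamma = [(eps * zs[i] + alpha * bs[i] + beta * as_[i] - cs[i]) % p for i in range(N)]
    if mode == 'simulate':                                  # step 5: overwrite party i_bar's share
        i_bar = random.randrange(N)
        gamma[i_bar] = (alpha * beta - sum(g for i, g in enumerate(gamma) if i != i_bar)) % p
    return sum(gamma) % p == alpha * beta % p               # verifier's final check

def demo():
    """Returns (honest accepts, forge accepts, simulate accepts) = (True, False, True)."""
    I = [5, 17, 42]                                         # constructed public indices
    K, pk = keygen(I)
    K_sim = random.randrange(p)                             # simulator's random witness
    return (execution(K, I, pk, 'honest'), execution(K_sim, I, pk, 'forge'),
            execution(K_sim, I, pk, 'simulate'))
```

The 'forge' run fails with probability \( 1 - 1/p \), which is the soundness the sacrificing check provides; the 'simulate' run always passes, and since the verifier only ever recomputes the views of the \( N-1 \) opened parties, the altered \( \gamma _{\bar{i}} \) is invisible to it.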

Simulation Indistinguishability. If \( \mathcal {B}\) doesn’t abort, the simulation of the random oracles is perfect. Moreover, if \(\mathcal {B}\) doesn’t abort, we show that \(\mathcal {A}\) can only distinguish a real signing oracle from the simulated oracle with advantage \(q_\mathsf {sd}/2^\lambda \), where \(q_\mathsf {sd}\) is the number of queries to \(\mathcal {H}_\mathsf {sd}\).

The simulated signatures follow the exact same distribution as genuine signatures, with the only exception that in a genuine signature the \((\mathsf {C}_{e,\overline{i}_e})_{e\in [M]}\) are equal to \(\mathcal {H}_\mathsf {sd}(\mathsf {salt},e,\overline{i}_e,\mathsf {sd}_{e,\overline{i}_e})\) for a value of \(\mathsf {sd}_{e,\overline{i}_e}\) that expands to a consistent view of a party in the MPC protocol, whereas in the simulated case, \(\mathsf {sd}_{e,\overline{i}_e}\) expands to the view of a cheating party. Since \(\mathcal {H}_\mathsf {sd}\) is modelled as a random oracle, each of the \(q_s \cdot M\) values of \(\mathsf {C}_{e,\overline{i}_e}\) that \(\mathcal {A}\) gets to see is just a random value, uncorrelated with the rest of the view of \(\mathcal {A}\), unless \(\mathcal {A}\) has queried \(\mathcal {H}_\mathsf {sd}\) on \((\mathsf {salt},e,\overline{i}_e,\mathsf {sd}_{e,\overline{i}_e})\). Since the tuple \((\mathsf {salt},e,\overline{i}_e)\) is unique per commitment (\(\mathcal {B}\) aborts if a salt is repeated) and each seed has \(\lambda \) bits of min-entropy, each query that \(\mathcal {A}\) makes to \(\mathcal {H}_\mathsf {sd}\) has a probability of at most \(2^{-\lambda }\) of distinguishing the simulated signing oracle from a genuine signing oracle. Therefore, an adversary that makes \(q_\mathsf {sd}\) queries to \(\mathcal {H}_\mathsf {sd}\) has a distinguishing advantage bounded by \(q_\mathsf {sd}/ 2^{\lambda }\).

EUF-KO Security Implies EUF-CMA Security. Finally, we establish \( \mathcal {B}\)’s advantage against the EUF-KO security game. There are two moments at which \( \mathcal {B}\) could abort: in phase 1, if a salt is repeated, which happens with probability bounded by \(q_s^2 / 2^{2\lambda }\) (recall that a salt consists of \(2\lambda \) random bits), and in phase 6, if \(\mathcal {B}\) fails to program the oracle \(\mathcal {H}_3\), which happens with probability bounded by \( q_s q_3 / 2^{2\lambda } \), since \(h_2\) has \(2\lambda \) bits of min-entropy. Therefore, we have \(\Pr \left[ \mathcal {B}\text { aborts} \right] \le \frac{q_s(q_s + q_3)}{2^{2\lambda }}\), where \( q_s \) and \(q_3\) denote the number of signing queries and the number of queries to \(\mathcal {H}_3\) made by \( \mathcal {A}\), respectively. Conditional on \(\mathcal {B}\) not aborting, replacing the genuine oracles with the simulated oracles decreases the winning probability of \(\mathcal {A}\) by at most \(q_\mathsf {sd}/2^\lambda \). Therefore, given that the winning conditions for the EUF-KO and EUF-CMA games are identical, we have:

$$\begin{aligned} \mathbf {Adv}^{\text{ EUF-KO }}_{\mathcal {B}}(1^\lambda )&\ge \mathbf {Adv}^{\text{ EUF-CMA }}_{\mathcal {A}}(1^\lambda ) - \frac{q_s(q_s + q_3)}{2^{2\lambda }} - \frac{q_\mathsf {sd}}{2^\lambda } \, . \end{aligned}$$

Copyright information

© 2020 Springer Nature Switzerland AG

Cite this paper

Beullens, W., Delpech de Saint Guilhem, C. (2020). LegRoast: Efficient Post-quantum Signatures from the Legendre PRF. In: Ding, J., Tillich, JP. (eds) Post-Quantum Cryptography. PQCrypto 2020. Lecture Notes in Computer Science(), vol 12100. Springer, Cham. https://doi.org/10.1007/978-3-030-44223-1_8

  • DOI: https://doi.org/10.1007/978-3-030-44223-1_8

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-030-44222-4

  • Online ISBN: 978-3-030-44223-1
