BLIND SIGNATURE SYSTEM AND METHOD USING LATTICE-BASED CRYPTOGRAPHY

Description

TECHNICAL FIELD

The disclosure relates to a system and a method for generating a blind signature using lattice-based cryptography.

BACKGROUND

Blind signatures are interactive protocols between a user and a signer enabling the user to obtain a signature for a message from the signer without the revealing the message to the signer. At the end of the protocol, the user obtains a valid signature for the message under the secret key of the signer. To be secure, the blind signature scheme is such that the signer does not know the message and the secret key is confidential to the signer. Applications of blind signatures include e-cash, anonymous credentials and e-voting.

A digital signature scheme generally involves three functions:

- Skeygen which generates a signing key sk and a verification key vk;
- Sign which generates a signature using the signing key sk; and
- Verify which allows the signature to be verified using the verification key vk.

A blind signature scheme may make use of commitments and Non-Interactive-Zero-Knowledge (NIZK) proofs of knowledge.

A commitment scheme generally involves a tuple of three functions:

- Ckeygen which generates public parameters;
- Com(m,r) which outputs a commitment c to a message m using random data r; and
- Open(c,r) which uses the random data r to open the commitment c to the message m.

The commitment scheme has a binding property that ensures that the commitment c=com(m,r) cannot be opened to any message other than m, and a hiding property that ensures that the commitment c appears completely random even if the message m corresponding to the commitment c is known.

An NIZK proof of knowledge is a non-interactive proof of knowledge that can be used to prove knowledge of a secret without revealing the secret. For security purposes, an NIZK proof of knowledge scheme must be zero-knowledge in that the scheme does not leak any information about the secret, and sound in that only a prover knowing the secret can output a valid proof.

By way of example, a blind signature scheme is set out below:

Π_BS:

(sk)

(vk, m)

σ ← Sign(sk, c)

\overset{c}{⟵} \overset{σ}{⟶}

r, u ← {0, 1}ⁿ c := Com(m, r)

Verify (vk, c, σ)

ct := Enc(pk, c||σ); u)

π ← Π((ct, m), (r, u, σ))

return (ct, π)

The user U knows a message m and the verification key vk and the signer S knows the signing key sk. The user U randomly samples random data r and random data u. The user then generates a commitment c using Com(m,r) and sends the commitment to the signer S. Following receipt of the commitment c, the signer S signs the commitment c using the signing key sk to generate a signature σ. The signer S then sends the signature σ to the user U. The user U then verifies the signature is a valid signature for the commitment c using Verify(vk,c,σ), and following successful validation encrypts the commitment c, the signature σ and the random data u using a public key pk to generate a ciphertext c. The user U then generates a proof π that allows anyone knowing the message, the ciphertext ct and the proof π to establish that the user U has knowledge of a valid signature σ for a commitment of the message m.

Lattice-based cryptography denotes a family of cryptographic schemes whose security is based on the hardness of mathematical problems over lattices. Most lattice-based cryptographic schemes are considered to be post-quantum through being conjectured to be resistant to attacks by malicious parties having access to a hypothetical large-scale quantum computer. Accordingly, lattice-based cryptographic schemes are attracting increasing interest to prepare for when such large-scale quantum computers become a reality.

In this specification, the following notation will be used:

- a vector is represented in lowercase bold font (e.g. t);
- a matrix is represented in uppercase bold font (e.g. A);
- R_qis the base ring, which is commutative: it may for example be a quotient ring of the form _q[x]/(xⁿ+1), where _q=/q is the ring of integers modulo q;
- the notation x←S means that x is sampled uniformly at random from the set S.

Lattice-based cryptographic schemes generally entail computing matrix-vector products A·x, where x is subject to some constraints. The short integer solution (SIS) problem and the learning with errors (LWE) problem are staples of lattice-based cryptography. In brief:

- Given A, t, the SIS problem consists of finding a short secret vector s such that A·s=t;
- Given A, t, the LWE problem consists of finding vectors s and e such that A·s+e=t, with the error vector e being short and the secret vector s being unconstrained (uniform secret LWE) or required to be short (short secret LWE).

There are various problems associated with using a lattice-based cryptographic scheme in a blind signature scheme such as the one described above. In particular, the proof of knowledge needed is specific and has to prove a complex relation, a problem which is exacerbated by the fact that all efficient lattice-based signature schemes first generate a hash of the message before signing so that the relation that is being proven is no longer that σ=sign(sk,c) but instead that σ=sign(sk,H(c)). This implies that the security of the scheme is not formally provable because security requires the hash function H to be modelled as a random oracle but the NIZK proof of knowledge requires an explicit description of the hash function. In addition, and perhaps more importantly, proving properties of hash functions in zero knowledge is very complicated and this results in very inefficient schemes.

SUMMARY

According to a first aspect of the present invention, there is provided a computer-implemented method of generating a signature for a message. A user device processes the message and random data to generate a commitment for the message, and transmits the commitment to a signer device. The signer device derives a target vector from the commitment and samples, using a secret trapdoor function, a short vector that solves a lattice problem involving the target vector. The signer device then sends the short vector to the user device, which verifies that the short vector solves the lattice problem. Following successful verification of the short vector, the user device generates a signature establishing knowledge of the short vector based on the message and public data.

According to a second aspect of the invention, there is provided a user device comprising a processor to process a message and random data to generate a commitment for the message. The user device further comprises a transmitter to transmit the commitment to a signer device and a receiver to receive, in response to the transmission of the commitment, a short vector from the signer device. The processor is then configured to verify that the short vector solves a lattice problem and following successful verification of the short vector, generate a signature establishing knowledge of the short vector based on the message and public data.

According to a third aspect of the invention, there is provided a device for signing a message, the device having access to a secret trapdoor function. The device comprises a receiver to receive a commitment from a user device, the commitment corresponding to a message to be signed, and a processor configured to derive a target vector from the commitment and sample, using the secret trapdoor function, a short vector that solves a lattice problem involving the target vector. The device further comprises a transmitter to transmit the short vector to the user device.

Further features and advantages of the invention will become apparent from the following description of preferred embodiments of the invention, given by way of example only, which is made with reference to the accompanying drawings.

BRIEF DESCRIPTION OF THE DRAWINGS

FIG. 1 schematically shows an overview of the messages in a blind signature scheme according to an example;

FIG. 2 is a flow chart schematically showing the operations performed to generate a blind signature in the blind signature scheme of FIG. 1.

DETAILED DESCRIPTION

FIG. 1 shows computing system including a user device 1, a recipient device 3 and a signer device 5. FIG. 1 also shows the messaging performed to send a message m from the user device 1 to the recipient device 3 with a blind signature provided by the signer device 5.

The user device 1 includes a processor 7 configured to perform cryptographic functions, a transmitter 9 and a receiver 11. Similarly, the signer device 5 includes a processor 13 configured to perform cryptographic functions, a transmitter 15 and a receiver 17. The signer device 5 also has access to a secret trapdoor function 19.

As shown, the user device 1 sends, using the transmitter 9, a first message M1 conveying a commitment c for the message m and a first Non-Interactive-Zero-Knowledge (NIZK) proof π₁to the receiver 17 of the signer device 5. As will be discussed below, the commitment c is generated by the user device 1 based on the message m, a publicly available gadget vector g and some random data r, and the user device 1 also generates the first NIZK proof π₁which establishes that the commitment c opens to the message m.

The commitment c is a trapdoor sampling compatible commitment and the signer device 5. In this way, the signer device 5 is able to use the secret trapdoor function 19 to solve a lattice problem that would otherwise be hard to solve. The lattice problem is difficult to solve without knowledge of the secret trapdoor function 19, and therefore the blind signature scheme works on the assumption that a valid solution of the lattice problem must have been generated using the secret trapdoor function 7. In this regard, it is noted that the lattice problem is resistant to attacks using either or both of classical computing systems and quantum computing systems. As such, the solution to the lattice problem is resistant even to an attack by a malicious party having access to a large-scale quantum computer. This property allows the blind signature scheme of this example to be considered “post-quantum”.

In this example, the lattice problem is to sample a vector e∈R^k(2+k)such that:

$[a_{1} ❘ a_{2} + t ❘ b_{1} ❘ \dots ❘ b_{k}] e^{⊤} = u \land  e  \leq B$

where a₁, a₂, b₁. . . b_kare publicly available vectors that are uniform in custom-character _q^k, t is a target vector derived from the commitment c using a publicly available function ParseCom(c), u is a publicly available value randomly sampled from _qand B is a publicly available bounding value. Given the constraint on the length of the vector e, the vector e will hereafter be referred to as the short vector e. The secret trapdoor function 19 is associated with the public vector a₁(and will accordingly hereafter be referred to sometimes as the trapdoor function T_a1), and has the property that for any n>0, any v∈ custom-character _qⁿ, and any u∈_q, the signer device 5 can sample e∈R_q^k+nsuch that [a₁|v]·e=u and ∥e∥<B.

The signer device 5 then uses the transmitter 15 to send a second message M2 to receiver 11 of the user device 1 conveying the short vector e. The user device 1 can then verify that the short vector e is a valid solution to the lattice problem, given that the user device 1 can determine the target vector t using the function ParseCom(c) and the remaining data in the lattice problem is publicly available. After the user device 1 has verified that the short vector e is valid, knowledge of the short vector e by the user device 1 can be used as evidence that a short vector e for the commitment c was determined by the signer device 5.

In this example, the signer device 5 then generates a second NIZK proof π₂that will act as the blind signature for the message m. In this regard, it is important for security purposes that the second NIZK proof π₂requires only publicly available information such that the second NIZK proof π₂does not depend on any information that is specific to this execution of the protocol so that the information cannot be linked to the protocol when revealed. Accordingly, the second NIZK proof π₂should not disclose information about the random data used to generate the commitment or the target vector used to generate the short vector e. To achieve this, the signer device 5 reformulates the lattice problem into the form ã·{tilde over (e)}=u, where:

$\begin{matrix} {\tilde{a} \cdot {\tilde{e}}^{⊤} = [a_{1} ❘ a_{2} + hg ❘ b_{1} ❘ \dots ❘ b_{k}] \cdot [e_{1} ❘ e_{2} ❘ e_{2, 1} r_{1} + e_{3, 1} ❘ \dots ❘ e_{2, k} r_{k} + e_{3, k}]}^{⊤} \\ = a_{1} \cdot e_{1}^{⊤} + (a_{2} + hg) \cdot e_{2}^{⊤} + b_{1} \cdot e_{3, 1}^{⊤} + \dots b_{k} \cdot e_{3, k}^{⊤} + \\ e_{2, 1} b_{1} \cdot r_{1}^{⊤} + \dots + e_{2, k} b_{k} \cdot r_{r}^{⊤} \\ = a_{1} \cdot e_{1}^{⊤} + a_{2} \cdot e_{2}^{⊤} + ([\begin{matrix} b_{1} & 0 \\ ⋮ \\ 0 & b_{k} \end{matrix}] \cdot [\begin{matrix} r_{1}^{⊤} \\ ⋮ \\ r_{k}^{⊤} \end{matrix}] + hg) \cdot e_{2}^{⊤} + \\ b_{1} \cdot e_{3, 1}^{⊤} + \dots b_{k} \cdot e_{3, k}^{⊤} \\ = a_{1} \cdot e_{1}^{⊤} + a_{2} \cdot e_{2}^{⊤} + t \cdot e_{2}^{⊤} + b_{1} \cdot e_{3, 1}^{⊤} + \dots b_{k} \cdot e_{3, k}^{⊤} \\ = [a_{1} ❘ a_{2} + t ❘ b_{1} ❘ \dots ❘ b_{k}] e^{⊤} \end{matrix}$

where g is the publicly available gadget vector, r₁. . . r_kare vectors derived from the random data r and e_2,1refers to the i-th co-efficient of e₂. By this formulation, the vector ã consists of publicly available information whereas the vector e, hereafter referred to as the modified short vector {tilde over (e)}, includes information from the short vector e and the random data. In this example, the second NIZK proof π₂establishes from the vector ã and the value u that the signer has the short vector e. In this way, given that the vector ã is derived using the hash h of the message m, the second NIZK proof π₂acts as a signature.

A person skilled in the art will appreciate that form of the second NIZK proof π₂is straightforward and does not require information regarding the manner in which the hash function generates the hash h of the message m. Indeed, there are known proofs for establishing, based on knowledge of a public vector (e.g. the vector ã) and a polynomial (e.g. the random data u), knowledge of a secret vector (e.g. the modified short vector {tilde over (e)}).

The user device 1 then sends a third message M3 to the recipient device 3 conveying the message and the second NIZK proof π₂. The recipient can then verify the second NIZK proof π₂to validate the message m.

The blind signature scheme described above with reference to FIG. 1 involves a single message M1 sent from the user device 1 to the signer device 5 and a single message M2 sent from the signer device 5 to the user device 1. As such, the blind signature scheme can be termed “round optimal” as it involves the minimum number of messages between the user device 1 and the signer device 5.

Another advantage of the blind signature scheme described above with reference to FIG. 1 is that the signature size is around 100 KB and supports unbounded many signatures.

Further details of the blind signature scheme described above with reference to FIG. 1 will now be provided with reference to FIG. 2.

As shown in FIG. 1, in order to generate a blind signature for the message m the user device 1 first calculates, at S1, a cryptographic hash h of the message m using a hash function H and uniformly samples random data r. The user device 1 then generates, at S3, a commitment based on the hash h and the random data r. In particular, the commitment is generated using the function Com(m,r) using the publicly available parameters a₁, a₂, b₁. . . b_k, the publicly available gadget vector g, and the publicly available parameter b₀that is uniform in custom-character _z^k². The gadget vector g is usually taken to be g:=[1|b|b²| . . . |b^k−1] with b=L log_k(q)┘, but can be any vector in _q^kif we only consider correctness.

The Com(m,r) function can be represented as follows:

Com (m ∈

_q^k, r ∈ {0, 1}ⁿ)

r₁, . . . , r_k← Expand(r)

A := [\begin{matrix} b_{0} \\ b_{1} & 0 \\ ⋱ \\ 0 & b_{k} \end{matrix}] \in q_{(k + 1) \times k^{2}}

c := A \cdot {[\begin{matrix} r_{1} & ❘ & \dots & ❘ & r_{k} \end{matrix}]}^{⊤} + [\begin{matrix} 0 \\ m^{⊤} \end{matrix}] \in q_{k + 1}

Return c

where the function Expand(r) takes the n-bit random data r as input and outputs k uniform vectors r₁, . . . , r_kin custom-character

_q^k.

The user device 1 then determines, at S5, the first NIZK proof π₁using a zero-knowledge protocol Π₁which, for a polynomial h∈ custom-character _qsuch that μh∥≤B_h, and the commitment c proves knowledge of h and r. In this example, the zero-knowledge protocol Π₁is a straight line extractable proof.

The user device 1 then sends, at S7, the commitment c and the first NIZK proof π₁to the signer device 5 (c.f, message M1 in FIG. 1).

Following receipt, at S9, of the commitment c and the first NIZK proof π₁, the signer device 5 verifies, at S11, the first NIZK proof π 1 to validate the commitment c. If the verification fails no further action is taken. If the verification passes, the signer device 5 samples, at S13, the short vector e satisfying the lattice problem discussed above. This involves using the function ParseCom (c) to generate the target vector t and then using the secret trapdoor function 19 to determine the short vector e as discussed above.

Any vector a₁for which there exists a small (hidden) basis for the lattice orthogonal to a₁can be used as a trapdoored vector by using a preimage sampling algorithm such as that disclosed in the article “Trapdoors for hard lattices and new cryptographic constructions” by Gentry et al, 40^thACM STOC, pp. 197-206. In this example, the so-called NTRU trapdoor is used. For this trapdoor, the matrix a₁is of the form [1|h] where h∈ custom-character _qis the quotient of two small polynomials h=g/f with typically f and g having co-efficients in {−1,0,1}. Such a matrix has a smaller trapdoor than the one proposed in the Gentry et al article referred to above.

The signer device 5 then sends the short vector e to the user device 1 (c.f. message M2 in FIG. 1).

Following receipt, at S17, of the short vector e, the user device 1 verifies, at S19, that the short vector e satisfies the lattice problem. Then, as discussed in detail above, the user device 1 modifies, at S21, the short vector e to generate the modified short vector {tilde over (e)} and determines the second NIZK proof π₂. The user device 1 then outputs the second NZIK proof π₂, for example along with the message m to the recipient device 3 (c.f. message M3 in FIG. 1).

The blind signature algorithm described with reference to FIGS. 1 and 2 can be represented by the following pseudocode:

Π_Bs:

)

(m)

\underset{\leftarrow}{c, π_{1}}

h := H(m) r ← {0, 1}ⁿ c := Com(hg, r) π₁← text missing or illegible when filed

₁(c, (h, r))

Verify(π₁) t := ParseCom(c) Sample e ∈ R^k(2+k) such that: [a₁| a₂+ t | b₁| . . . | b_k] e^T= u ∧∥e∥ ≤ B

\underset{⟶}{e}

(t, (r_l, . . . , r_k)) :=

(ParseCom(c), ParseRand(r))

Check : [a₁| a₂+ t | b₁| . . . | b_k] e^T= u

∧∥e∥ ≤ B

text missing or illegible when filed

:= [e₁| e₂| e_2,1r₁+ e_3,1| . . . | e_2,kr_k+ e_3,k]

text missing or illegible when filed

:= [a₁| a₂ + hg | b₁| . . . | b_k]

π₂← Π₂( text missing or illegible when filed

,u),ē)

return π₂

text missing or illegible when filed

indicates data missing or illegible when filed

In this pseudocode, the function ParseRand determines the vectors r₁, . . . , r_kusing the function Expand(r) discussed above.

Modifications and Further Embodiments

In the example described above, the user device 1 uses a straight-line extractable proof to determine the first NIZK proof custom-character ₁. Compared, for example, with the Fiat-Shamir with Abort proof, the straight-line extractable proof is comparatively complicated and gives a larger proof size but also provides an improved security. For applications where loss of security is not an important issue, other protocols such as those based on the Fiat-Shamir with Abort proof, could be used, or the first NIZK proof π₁could even be dispensed with completely.

Lattice-based proofs are known to have a “slack” in that the secret proven is larger than the actual known secret, but recently lattice-based proofs have been developed that remove this slack at the expense of increased proof size. Accordingly, there is an interplay between desired security, proof size and processing complexity to be taken into account when selecting the zero-knowledge protocol Π₁for the first NIZK proof ₁. In contrast, for the second NIZK proof π₂, the only concern is proof size and any NIZK protocol Π₂could be used.

The blind signature scheme described above with reference to FIGS. 1 and 2 can easily be converted into a partially blind signature scheme. Partially blind signatures are an extension of blind signatures in which a signer device 5 can include information in the message m, such as for example an expiration date or a revocation of old signatures. To bind the signature to a specific message u, the righthand side of the lattice problem simply needs to be modified from u to u−H(μ).

The public parameters b₁, . . . , b_kcan be selected such that b₁=b₂= . . . =b_k. This allows the signer device 5 simply to sample a short vector e such that:

$❘ a_{1} ❘ a_{2} + t ❘ b_{1}] \cdot e = u .$

Doing so reduces the signature size, at the expense of increasing the complexity of the zero-knowledge protocol Π₂.

Further modifications to the lattice problem are possible. For example, the public parameters b₁, . . . , b_kare only included for security reduction and may be omitted from the lattice problem such that the signer device 5 samples a pre-image for [a₁|a₂+t]. Even the public parameter a₂could be omitted such that the signer device 5 samples a pre-image for [a₁|t], although this would potentially make the blind signature scheme vulnerable to attack.

In order to further simplify the blind signature scheme, the NIZK protocol Π₂could be replaced by, for example, a signature conveying ã and {tilde over (e)} allowing the recipient device 3 to verify that ã·{tilde over (e)}=u, although this potentially breaks the unlinkability of the blind signature scheme given the similarity between the short vector e and the modified short vector {tilde over (e)}. Alternatively, the user device may sample a small vector f∈ custom-character _q^2k+kand send u′=[a₁|a₂+t|b₁| . . . |b_k]f^Tto the signer device together with the commitment c and possibly the first NIZK proof π₁. The user device can subsequently output {tilde over (e)}+f as the signature. Depending on whether rejection sampling is used and the size of f, this technique can hide the modified short vector {tilde over (e)}. This technique can be further refined by sampling multiple vectors f and storing the multiple vectors f in a hash tree to make rejection sampling succeed with overwhelming probability.

In the blind signature schemes described above, the public parameters a₁, a₂, b₁, . . . , b_kare all vectors in custom-character _q^k. Alternatively, the blind signature scheme can accommodate the public parameters as matrices instead of vectors and use different column dimensions for each matrix. For example: instead of the vector a₁, a matrix

$A_{1} \in ℛ_{q}^{n \times k_{A_{1}}}$

could be used; instead of the vector a₂and the target vector t, matrices

$T \in ℛ_{q}^{n \times k_{A_{2}}}$

could be used; instead of the vectors b₁, . . . , b_k, matrices B_iin

$ℛ_{q}^{n \times k_{B_{i}}}$

could be used. Using matrices instead of the vectors for the public parameters can provide better granularity.

The cryptographic functions discussed above may be implemented in software, hardware or a combination of software of hardware. Accordingly, the operations of the user device 1 and the signer device 5 discussed above could be implemented as processor-implementable instructions which, when executed by a processor, perform their respective functions. Alternatively, the functions of the user device 1 and the signer device 5 discussed above could be implemented by a hardware circuit, for example an FPGA or an ASIC, which performs their respective functions, or a combination of processor-implementable instructions and hardware. Whether the functions are implemented by software, a hardware device or a mixture of software and a hardware device, the functions can be said to be implemented by modules of the user device 1 and the signer device 5.

The above embodiments are to be understood as illustrative examples of the invention. Further embodiments of the invention are envisaged. It is to be understood that any feature described in relation to any one embodiment may be used alone, or in combination with other features described, and may also be used in combination with one or more features of any other of the embodiments, or any combination of any other of the embodiments. Furthermore, equivalents and modifications not described above may also be employed without departing from the scope of the invention, which is defined in the accompanying claims.

Claims

1. A computer-implemented method of generating a signature for a message comprising: at a user device: processing the message m and random data r to generate a commitment c for the message and transmitting the commitment c to a signer device;at the signer device: deriving a target vector t from the commitment c;sampling, using a secret trapdoor function, a short vector e that solves a lattice problem A·eT=u, wherein: A is a matrix of the form [a1|v] where a1 is a public parameter and v is dependent on the target vector t;u is a polynomial; andthe secret trapdoor function is associated with the public parameter a1 such that for any v∈Rqn, the signer device can sample a short vector e∈Rqn+k for which ∥e∥ is smaller than a bounding value B and [a1|v]eT=u; andtransmitting the short vector e to the user device,and at the user device: verifying that the short vector e solves the lattice problem; andgenerating a signature establishing knowledge of the short vector e based on the message and public data.
2. The computer-implemented method of claim 1, wherein the generation of the commitment c comprises: generating a hash h of the message; andgenerating a commitment c based on the hash h and the random data r.
3. The computer-implemented method of claim 2, wherein the commitment c is of the form:
4. The computer-implemented method of claim 2, further comprising generating a first non-interactive-zero-knowledge proof establishing knowledge of the hash h and the random data r.
5. The method of claim 3, wherein the target vector t corresponds to the lowest k rows of the commitment.
6. The method of claim 1, wherein the lattice problem is of the form:
7. The method of claim 6, wherein the signer device provides information μ for to accompany the message m, and for the righthand side of the lattice problem u=u′−H(μ) where u′ is a polynomial.
8. The method of claim 1, wherein establishing knowledge of the short vector e based on the message m and public data comprises generating a second non-interactive-zero-knowledge proof.
9. The method of claim 8, wherein establishing the non-interactive-zero-knowledge proof comprises recasting the lattice problem equation into the form:
10. A user device configured to: process a message m and random data r to generate a commitment c for the message m;transmit the commitment c to a signer device;in response to the transmission of the commitment c, receive a short vector e from the signer device;verify that the short vector e solves a lattice problem; andgenerate a signature establishing knowledge of the short vector e based on the message m and public data.
11. A user device according to claim 10, wherein the generation of the commitment comprises: generating a hash (h) of the message; andgenerating a commitment based on the hash and random data, wherein the commitment is of the form:
12. The user device of claim 11, wherein the lattice problem is of the form:
13. The user device of claim 10, wherein generating the signature comprises establishing a non-interactive-zero-knowledge proof establishing knowledge of the short vector based on the message and public data.
14. The user device of claim 13, wherein establishing the non-interactive-zero-knowledge proof comprises recasting the lattice problem equation into the form:
15. A device for signing a message, the device having access to a secret trapdoor function and being configured to: receive a commitment c from a user device, the commitment c corresponding to a message m to be signed;derive a target vector t from the commitment c;sample, using the secret trapdoor function, a short vector e that solves a lattice problem A·eT=u, wherein: A is a matrix of the form [a1|v] where a1 is a public parameter and v is dependent on the target vector t;u is a polynomial; andthe secret trapdoor function is associated with the public parameter a1 such that for any v∈Rqn, the signer device can sample a short vector e∈Rqn+k for which |e∥ is smaller than a bounding value B and [a1|v]eT=u; andtransmit the short vector to the user device.
16. The device of claim 15, wherein the device is configured to provide information μ to accompany the message m, and the righthand side of the lattice problem is of the form u−H(μ).

Priority Claims (1)

Number	Date	Country	Kind
22305843.9	Jun 2022	EP	regional

CROSS-REFERENCE TO RELATED APPLICATIONS

This application is a continuation under 35 U.S.C. § 120 of International Application No. PCT/GB2023/051508, filed Jun. 9, 2023 which claims priority to European Application No. 22305843.9, filed Jun. 9, 2022, under 35 U.S.C. § 119 (a). Each of the above-referenced patent applications is incorporated by reference in its entirety.

Continuations (1)

	Number	Date	Country
Parent	PCT/GB2023/051508	Jun 2023	WO
Child	18972271		US

BLIND SIGNATURE SYSTEM AND METHOD USING LATTICE-BASED CRYPTOGRAPHY

Information

Publication Number

Date Filed

Date Published

Inventors

Original Assignees

CPC

International Classifications

Abstract

Description

Claims

Priority Claims (1)

CROSS-REFERENCE TO RELATED APPLICATIONS

Continuations (1)