A Lattice-Based Blind Signature Using BLISS

1. Introduction

Blind signature, first proposed by Chaum in [1] involves the interaction between the user and the signer. The user first blinds the signed message to the signer, the signer signs the processed message and returns it to the user. The signer cannot get any information about the user-signed message while the user can get the signature of any signed message. David and Stern [2] defined the concept of blind signature security in 1996. They showed that blind signatures need to satisfy Blindness and Onemore-Unforgeability. Lyubashevsky designed a provably secure lattice-based one-time signature scheme in [3], and then designed lattice-based standard digital signature schemes in [4] . The schemes in [4] are based on the Fiat-Shamir framework. The overall scheme is efficient.In addition, Gentry, Peikert, and Vaikuntanathan designed a digital signature scheme [5], called GPV signature. The security of GPV signature relies on one-way trapdoor functions on lattices, which are also used by many later public-key cryptographic algorithms.

In this paper, we present an efficient lattice-based blind signature scheme that generates the signature after two rounds, providing protection against quantum attacks and ensuring user anonymity. On the other hand, we improve the bimodal signature (BLISS) into a blind version [6], so that we can use it in some other scenarios such as blockchain. We refer to [7,8,9] to understand the blind technology used. Besides, we provide a blind scheme from group users’ vision. Currently, there has been no exploration of group blind signatures in the lattice context. By far there are only a few group blind signature schemes without lattice. Group signature provides anonymity to group members who sign messages. A group of users jointly create a public key that is used to verify signatures. Each user has a secret key that is used to generate signatures on behalf of the group. We utilized the lattice problem to provide another version of our scheme. This means that we can allow multiple blind signature users to be organized into a group and appoint a manager for administration. This new technology is rare in previous schemes and primarily addresses the needs of distributed systems. The earliest proposal was introduced by C. Popescu et al. in [10], though the scheme’s security is at risk of being compromised in the future, concerning quantum attacks. W. Kong et al. in [11] applied group blind signatures to privacy protection in smart grids. R. Xu et al. presented a Quantum group blind signature scheme in [12], but it is not resistant to quantum attacks. Our scheme, however, is the first group blind signature scheme on the lattice by far.

The main contributions of our paper are as follows:

• We change the form of the bimodal signature into a lattice blind signature. Our scheme is round-optimal and based on Module-LWE and Module-SIS problems. We use a rejection sampling technique on it. The scheme satisfies blindness and one-more unforgeability, which ensures the signature is unique. To prove the blindness, we proved the blinding description satisfies CPA-security first.
• Compared with other schemes, our scheme is more efficient and provides a more stabilized signature size. However, the scheme is more complex in the user-signer interaction process.

2. Preliminaries and Techniques

In this paper, we use lowercase bold letters to represent vectors and uppercase bold letters to represent matrices. The ${\ell }_q$-norm of a vector is defined as ${∥\mathbf{a}∥}_q=\sqrt[q]{{\sum }_i{\left|a_i\right|}^q}$and the ${\ell }_{\infty }={max}_i\parallel {\mathbf{a}}_i\parallel$, where q is a small prime. In a matrix, for $\mathbf{A}\in {\mathbb{Z}}^{n\times m}$, ${∥\mathbf{A}∥}_{\infty }=\underset{1\le i\le m}{max}\sum _{j=1}^n\left|a_{ij}\right|$. By default, we use $\parallel ·\parallel$ for the ${\ell }_2$-norm.

We denote ${\mathbb{Z}}_p$ to be the ring of integers modulo p.

We use polynomial rings $\mathcal{R}:=\mathbb{Z}\left[x\right]/(X^n+1)$ and ${\mathcal{R}}_q:=\mathbb{Z}{\left[x\right]}_q/(X^n+1)$, where each coefficient is taken modulo q. ${\mathbf{I}}_n$ represents n-dimension identity matrix.

Note that $\mathbf{b}\leftarrow \mathbf{B}$, where $\mathbf{b}$ is a column vector, denotes $\mathbf{b}$ is randomly taken from matrix $\mathbf{B}$. $U[c,d]$ represents a uniform distribution over the interval $[c,d]$.] $\mathbf{a}$ is another vector, $\langle \mathbf{a},\mathbf{b}\rangle$ and $\mathbf{a}·\mathbf{b}$ mean $\mathbf{a}$ inner product $\mathbf{b}$.

2.1. Lattices

Given a set of n linearly independent vectors ${\mathbf{b}}_1$,${\mathbf{b}}_2$,…,${\mathbf{b}}_n$ in ${\mathbb{Z}}^n$, the lattice $\Lambda$ generated by these vectors is defined as:

$$\Lambda =\left\{\sum _{i=1}^n{a}_i{b}_i\right|{\mathbf{a}}_i\in \mathbb{Z}\}$$

Given $\mathbf{A}\in {\mathbb{Z}}^{\mathit{n}}$, a vector $\mathbf{u}\in {\mathbb{Z}}_{\mathit{q}}^{\mathit{n}}$ and a prime number q , we define two types of lattices:

$${\Lambda }_q^{\perp }\left(\mathbf{A}\right)=\{\mathbf{e}\in {\mathbb{Z}}^{\mathit{n}}|\mathbf{Ae}=\mathbf{0}modq\}$$

$${\Lambda }_q^{\mathbf{u}}\left(\mathbf{A}\right)=\{\mathbf{e}\in {\mathbb{Z}}^{\mathit{n}}|\mathbf{Ae}=\mathbf{u}modq\}$$

2.2. Discrete Bimodal Gaussian Distribution

For a d-dimensional lattice, a center point $\mathbf{c}\in {\mathbb{R}}^d$, and a standard deviation parameter $\sigma >0$, a probability distribution $\rho$ over ${\Lambda }_{\mathbf{c}}$, where ${\Lambda }_{\mathbf{c}}=\left\{{\mathbf{x}\in \Lambda |\parallel \mathbf{x}-\mathbf{c}\parallel }_2\le \alpha \sigma \right\}$ is the set of discrete lattice points within a d-dimensional sphere of radius $\alpha \sigma$ centered at $\mathbf{c}$, and $\alpha$ is a constant. The discrete Gaussian distribution is often used in lattice-based cryptography to define encryption schemes and security parameters. The discrete Gaussian distribution on a lattice with center point $\mathbf{c}$ and deviation $\sigma$ is given by:

$${\rho }_{\mathrm{c},\sigma }\left(x\right)={\displaystyle \frac{1}{Z_{\sigma }}}exp\left(-{\displaystyle \frac{{\pi \parallel \mathbf{x}-\mathbf{c}\parallel }^2}{2{\sigma }^2}}\right),$$

where $Z_{\sigma }$ is the normalization constant, defined as:

$$Z_{\sigma }=\sum _{x\in \Lambda }exp\left(-{\displaystyle \frac{{\pi \parallel \mathbf{x}-\mathbf{c}\parallel }^2}{2{\sigma }^2}}\right).$$

Here, $\Lambda$ is the lattice over which the distribution is defined, and $\mathbf{x}$ is a lattice point.

Next, we give the following definition for transforming a discrete Gaussian distribution into a bimodal Gaussian distribution through processing.

We set two variance parameters ${\sigma }_1$ and ${\sigma }_2$ and a $\Lambda \subseteq {\mathbb{Z}}^d$, a center point $\mathbf{c}\in {\mathbb{R}}^d$, and variance parameters ${\sigma }_1,{\sigma }_2>0$. The lattice fits the double-sided Gaussian distribution.

The distribution $\Lambda$ on a lattice has properties where a random point in $\Lambda$ moves in two random directions with ${\sigma }_1$ and ${\sigma }_2$ variance, respectively, and arrives at a random point following a double-sided Gaussian distribution. In an n-dimensional Euclidean space, given two points ${\mathbf{c}}_1,{\mathbf{c}}_2$ and variance parameters ${\sigma }_1,{\sigma }_2$, the bimodal Gaussian distribution function on the lattice is defined as:

$${\mathcal{D}}_{\Lambda ,{\mathbf{c}}_1,{\mathbf{c}}_2,{\sigma }_1,{\sigma }_2}\left(x\right)={\displaystyle \frac{1}{Z}}\left(e^{-{\displaystyle \frac{\parallel \mathbf{x}-{\mathbf{c}}_1{\parallel }^2}{2{\sigma }_1^2}}}+e^{-{\displaystyle \frac{\parallel \mathbf{x}-{\mathbf{c}}_2{\parallel }^2}{2{\sigma }_2^2}}}\right),$$

where $\mathbf{x}\in {\Lambda }_{c_1,c_2},\parallel \mathbf{x}-{\mathbf{c}}_1{\parallel }_{\infty }\le \sqrt{n}{\sigma }_1$,$\parallel \mathbf{x}-{\mathbf{c}}_2{\parallel }_{\infty }\le \sqrt{n}{\sigma }_2$ and Z is the normalization constant[6].

${\mathcal{D}}_{\Lambda ,{\mathbf{c}}_1,{\mathbf{c}}_2,{\sigma }_1,{\sigma }_2}\left(x\right)$ shares some properties with the discrete Gaussian distribution, for example, its contour can be seen as the lattice points on the level curves of $\mathcal{D}\left({\Lambda }_{c_1,c_2}\right)$ on ${\Lambda }_{c_1,c_2}$. Moreover, it also satisfies classical Gaussian distribution properties such as the 3$\sigma$ rule.

2.3. Rejection Sampling

Suppose we want to generate samples from a target probability density function $f\left(x\right)$. Let $g\left(x\right)$ be another probability density function such that $f\left(x\right)\le Mg\left(x\right)$ for all x, where M is a known constant. We sample x according to Algorithm 1:

Algorithm 1 Rejection Sampling

Input: Target probability density function $f\left(x\right)$, bimodal Gaussian proposal distribution $g\left(x\right)$, constant M such that $f\left(x\right)\le Mg\left(x\right)$ for all x Output: Sample x from $f\left(x\right)$ 1: repeat 2:    Sample $x_0$ from $g\left(x\right)$ 3:    Sample u from $U[0,1]$ 4:    if $u\le {\displaystyle \frac{f\left(x_0\right)}{Mg\left(x_0\right)}}$ then 5:      Accept $x_0$ as a sample and exit loop 6:    end if 7: until sample is accepted

2.4. Blind Signatures

A general form of blind signature model typically consists of the following four entities:

−

Message owner (User) $\mathcal{U}$: possesses the message to be signed and desires to obtain the signature.

−

Signer $\mathcal{S}$: holds the signing key and can sign the message.

−

Random number generator: used to generate random numbers to ensure the security of the protocol.

−

Verifier: verifies the validity of the signature.

We use four steps to describe the interaction among these entities:

−

Key Generation ($1^n$) given the security parameter n, then generate a key pair ($pk$,$sk$), which represents the public key and secret key.

−

Signature Protocol The message owner $\mathcal{U}$ uses a random number generator to generate a blinding factor that blinds the message e∈$\mathcal{M}$, where $\mathcal{M}$ is the message space. Then the owner sends the blinded message $e^{*}$ to the signer. Then, the signer $\mathcal{S}$ signs the blinded message with the signing key $sk$ and sends the signed message $z^{*}$ back to the message owner. Upon receiving $z^{*}$, the user $\mathcal{U}$ unblinding the signature z, then outputs an ordered pair (z, e) as the final signature.

−

Verification The verifier could use the public key $pk$ to verify the validity of the signature.

3. New Blind Signature

3.1. Overview

In this section, we will introduce our blind signature scheme, which has the advantage of being provably secure while avoiding using zero-knowledge proof technology. Additionally, it utilizes a bimodal Gaussian distribution to enhance parameter security. Our main innovation lies in upgrading the BLISS scheme into a blind signature scheme. The first step is to construct a scheme with a trapdoor x to be a blinding and unblinding technique. Then encrypt the message $\mu$ with b sending to the signer ($\mathbf{v}$,$v^{\prime }$). The reason for resulting two vectors rather than one is because of the encrypting algorithm we use. Recieving a message pair ($\mathbf{v}$,$v^{\prime }$), the signer using his secret key $\mathbf{S}$ to sign the blinding message,computes $\mathbf{G}=\mathbf{D}p+\mathbf{v}$ and $\mathbf{g}=\mathbf{d}p+v^{\prime }$, where p is a prim. We set $\mathbf{d}=\mathbf{Dx}mod2q$ in the begining.

The signer then uses G, g, and the signing algorithm to compute ${\lambda }_1$ and ${\lambda }_2$. The algorithm includes a bimodal Gaussian. Upon receiving ${\lambda }_1$ and ${\lambda }_2$, the user uses $sk$$\mathbf{x}$ to get one part of the signature $\mathbf{z}$, and $\mathbf{H}$ to compute $\mathbf{c}=\mathbf{H}(\mathbf{Ay}mod2q,\mu )$, $\mathbf{H}$ is a hash function based on the lattice, we will introduce it in detail later. After publishing the signature pair ($z,c$), the public could verify the signature using the public key $\mathbf{A}$. Then if ${\mathbf{z}}^{\prime }=(\mathbf{Az}+q\mathbf{c}mod2q,\mu )$ and ${\mathbf{z}}^{\prime }=\mathbf{c}$, the signature is then proven to be trustworthy.

Our scheme requires only a 20KB public key size, a 99KB private key size, and a 120KB signature size.

The way we use it in the group vision is that we set different private keys for each user. In more detail, our main aim is to ensure that each Group User possesses distinct ${\mathbf{D}}_i,{\mathbf{d}}_i,{\mathbf{x}}_i$ and ${\mathbf{y}}_i$. The Group Manager’s method for tracking user trapdoors is ${\mathbf{y}}_i$. If the algorithm succeeds, it indicates that the user possesses the corresponding ${\mathbf{y}}_i$. Furthermore, we have also computed the potential space requirements for this scheme. The space needed for the manager to store is 1889KB, and it increases linearly with the number of users in the group. This is because each user has a fixed-size key to store, and as the number of users increases, the total number of keys required also increases.

3.2. New Blind Signature and Verification Algorithms

In this subsection, we denote integers n and m, and a large prime q. Additionally, we model the hash function H as a random oracle.

Key Generation: We sample a matrix $\mathbf{S}\leftarrow {\mathbb{Z}}_{2q}^{m\times n}$, and the public key is made of $\mathbf{A}\leftarrow {\mathbb{Z}}_{2q}^{n\times m}$ such that $\mathbf{AS}\equiv q{\mathbf{I}}_n(mod2q)$. This implies that $\mathbf{AS}=\mathbf{A}(-\mathbf{S})\equiv q{\mathbf{I}}_n(mod2q)$. The detailed steps are shown in Algorithm 2

Algorithm 2 Key Generation

1: $\mathbf{S}\leftarrow {\mathbb{Z}}_{2q}^{m\times n}$ 2: $\mathbf{A}\leftarrow {\mathbb{Z}}_{2q}^{n\times m}$ 3: $\mathbf{AS}\equiv q{\mathbf{I}}_n(mod2q)$ 4: $\mathbf{x}\leftarrow {\{-\gamma ,\dots ,\gamma \}}^n$, $\gamma \leftarrow \{-2,-1,0,1,2\}$ 5: $\mathbf{D}\leftarrow {\mathbb{Z}}_q^{n\times m}$ 6: $\mathbf{d}\equiv {\mathbf{x}}^T·\mathbf{D}(mod{q}_1)$ 7: $pk=(\mathbf{D},\mathbf{d})$, $sk=\mathbf{x}$ 8: $PK=\mathbf{A}$, $SK=\mathbf{S}$return$(pk,sk)$, $(PK,SK)$

Blinding algorithm: The user needs to blind the message before sending it to the signer. The user chooses a random vector $\mathbf{r}\in {\mathbb{Z}}^n$ and blinds the message to produce $(\mathbf{v},v^{\prime })$ and $\mathbf{D},\mathbf{d}$, which will be sent to the signer. The detailed steps are shown in Algorithm 3.

Algorithm 3 Blinding algorithm

1: Input: Message $\mu$, $pk=(\mathbf{D},\mathbf{d})$, $\mathbf{r}\in {\mathbb{Z}}^m$, $\mathbf{e}{\{-\gamma ,\dots ,\gamma \}}^n\times {\{-\gamma ,\dots ,\gamma \}}^m,e^{\prime }\leftarrow \{-\gamma ,\dots ,\gamma \}$ 2: Output:$(\mathbf{v},v^{\prime })$ and $\mathbf{D},\mathbf{d}$ to be sent to the signer. 3: $(\mathbf{v},v^{\prime })=\mathrm{enc}(pk,\mu )=(\mathbf{D}\mathbf{r}+\mathbf{e},\mathbf{d}\mathbf{r}+e^{\prime }+\mu )$return$(\mathbf{v},v^{\prime })$ and $\mathbf{D},\mathbf{d}$

Signing algorithm: In this phase, when the signer recieves $(\mathbf{v},v^{\prime })$ and $\mathbf{D},\mathbf{d}$ , he gengerates $({\lambda }_1,{\lambda }_2)$ as the blinding signature. Before sending it back, the signer needs to do a rejection sampling algorithm to protect the secret key S with the accept advantage $p_{\lambda }$. We set $M_1$ which is defined as follows, as the possibility of rejection sampling.

$$M_1={\displaystyle \frac{1}{M}}exp{\left(-{\displaystyle \frac{\parallel \mathbf{Sg}\parallel }{2{\sigma }^2}}\right)}^{2}cosh\left({\displaystyle \frac{\langle {\lambda }_1,\mathbf{Sg}\rangle }{{\sigma }^2}}\right)$$

The detailed steps are shown in Algorithm 4.

Algorithm 4 Signing algorithm

1: Input:$\mathbf{D},\mathbf{d}$, $SK$, $PK$ and $(\mathbf{v},v^{\prime })$ 2: Output:$({\lambda }_1,{\lambda }_2)$ 3: $\mathbf{y}\leftarrow {\{-\gamma ,\dots ,\gamma \}}^m\times {\{-\gamma ,\dots ,\gamma \}}^n,y^{\prime }\{-\gamma ,\dots ,\gamma \}$, p is an arbitrary prime. $b_1,b_2\leftarrow \{0,1\}$ 4: $\mathbf{G}=\mathbf{D}p+\mathbf{v},\mathbf{g}=\mathbf{d}p+v^{\prime }$ 5: ${\lambda }_1={(-1)}^{b_1}\mathbf{SG}mod2q$, ${\lambda }_2={(-1)}^{b_2}\mathbf{Sg}+y^{\prime }mod2q$ 6: continue with posibility $M_1$. return $({\lambda }_1,{\lambda }_2)$

Unblinding algorithm: In this phase, the user implements the unblinding algorithm to generate the signature $\langle \mathbf{z},\mathbf{c}\rangle$ with the probability of rejection sampling. We set $M_2$ as the possibility of rejection sampling.

$$M_2={\displaystyle \frac{1}{M}}exp{\left(-{\displaystyle \frac{\parallel \mu \mathbf{S}\parallel }{2{\sigma }^2}}\right)}^{2}cosh\left({\displaystyle \frac{\langle \mathbf{z},\mu \mathbf{S}\rangle }{{\sigma }^2}}\right)$$

The detailed steps are shown in Algorithm 5.

Algorithm 5 Unblinding algorithm

1: Input:$({\lambda }_1,{\lambda }_2)$, $sk:x$, $\mathbf{A}$, $\mathbf{y}$ 2: Output:$\langle \mathbf{z},\mathbf{c}\rangle$ 3: $\mathbf{z}=x{\lambda }_2-{\lambda }_1={(-1)}^{b_1+b_2}\mu \mathbf{S}+\mathbf{y}mod2q$ 4: Perform Rejection sampling on $\mathbf{z}$, coutinue with posibility $M_2$. 5: $\mathbf{c}=\mathit{H}(\mathbf{Ay}mod2q,\mu )$return$\langle \mathbf{z},\mathbf{c}\rangle$

${(-1)}^{b_1+b_2}$ indicates an uncertain value that can be either +1 or -1, where $b_3\in \{0,1\}$. However, this does not affect the result because it will be eliminated when we use the rejection sampling algorithm with a bimodal Gaussian distribution. As mentioned earlier, if $b_3$ is -1, it cleverly turns into a positive value through $mod2q$, and the same applies if it is 1.

Verify algorithm: When the signature is published, the verifier can implement the following algorithm to check its validity. We set $\mathbf{T}=q{\mathbf{I}}_n$ as in Section 3 The detailed steps are shown in Algorithm 6.

Algorithm 6 Verify algorithm

1: Input: Message $\mu$, Public Key $PK:\mathbf{A}$, Blind Signature $\langle \mathbf{z},\mathbf{c}\rangle$ 2: Output: Reject or accept 3: if$\parallel \mathbf{z}\parallel >{\displaystyle \frac{q}{4}}$then return Reject; $\parallel \mathbf{z}\parallel >{\mathbf{B}}_2$ return Reject; ${\mathbf{z}}^{\prime }=\mathit{H}(\mathbf{A}\mathbf{z}+\mathbf{T}\mu mod2q,\mu )$ and ${\mathbf{z}}^{\prime }=\mathbf{c}.$ return Accept; 4: end if

The correctness of the proposed scheme needs to be verified. We assume that the verifier receives the signature $\langle \mathbf{z},\mathbf{c}\rangle$. The verifier then runs the Algorithm 6 to determine its legality. We assume $\parallel \mathbf{z}\parallel \le {\displaystyle \frac{q}{4}}$ and $\parallel \mathbf{z}\parallel \le {\mathbf{B}}_2$. If these conditions are not met, the verifier rejects it. The verifier then uses the public key to execute the algorithm, and the detailed steps are as follows:

$$\begin{array}{cc}\hfill {\mathbf{z}}^{\prime }& =\mathit{H}(\mathbf{A}\mathbf{z}+\mathbf{T}\mu mod2q,\mu )\hfill \\ \hfill & =\mathit{H}({(-1)}^{b_3}\mu \mathbf{A}\mathbf{S}+\mathbf{A}\mathbf{y}+\mathbf{T}\mu mod2q,\mu )\hfill \\ \hfill & =\mathit{H}(\mathbf{A}\mathbf{y}mod2q,\mu )\hfill \\ \hfill & =\mathbf{c}\hfill \end{array}$$

(1)

As we know $\mathbf{A}\mathbf{S}=q{\mathbf{I}}_n$, so if we set $b_3=1$, $-\mu \mathbf{A}\mathbf{S}+\mathbf{T}\mu mod2q=\mathbf{0}$. If $b_3=0$, $\mu \mathbf{A}\mathbf{S}+q{\mathbf{I}}_n\mu mod2q=2q\mu mod2q=\mathbf{0}$. Therefore, we can verify the correctness of the scheme.

4. Conclusion

In this work, we proposed a lattice-based blind signature scheme derived from the BLISS framework. By leveraging bimodal Gaussian distributions and rejection sampling techniques, our scheme provides provable security against quantum adversaries while ensuring the essential properties of blindness and one-more unforgeability. A notable advantage of the construction is its round-optimal design, requiring only two communication rounds, which significantly improves efficiency compared to previous lattice-based blind signature schemes.

Our parameter analysis further demonstrates that the scheme achieves a favorable balance between security and practicality. With a public key size of about 20KB and a signature size of 120KB, the scheme is compact enough for real-world deployment. These properties make it a promising candidate for applications in blockchain, electronic voting, and anonymous payment systems, where both privacy protection and post-quantum security are critical.