arXiv is now an independent nonprofit! Learn more
License: CC BY 4.0
arXiv:2607.05831v1 [cs.CR] 07 Jul 2026
\addauthor

[orcid = 0000-0002-8959-636X, inst = 1, email = ramses.fernandez@fairgate.io, surname = Fernandez, ]Ramses Fernandez \addaffiliation[country = ]Fairgate Labs

Withdrawability in Fiat–Shamir with aborts constructions

Abstract

This article presents an extension of the work performed by Liu, Baek and Susilo [liu2023] on withdrawable signatures to the Fiat–Shamir with aborts paradigm. We introduce an abstract construction, and provide security proofs for this proposal. As an instantiation, we provide a concrete withdrawable signature scheme based on a no-hint, full-𝐭\mathbf{t} Dilithium-style Fiat–Shamir-with-aborts construction [ducas2017]; adapting to production ML-DSA (with hints) introduces a small εzk\varepsilon_{\mathrm{zk}} term.

keywords:
[Withdrawability, Digital signatures, Module Learning with Errors]Withdrawability, Digital signatures, Module Learning with Errors @@@

1 Introduction

Digital signatures serve as a fundamental cryptographic mechanism that enables entities to bind their identities to pieces of information. The essential purpose of a digital signature is to allow a signer, who has established a public key pkpk, to sign messages using their private key sksk in a way that enables anyone knowing pkpk to verify both the message’s origin and its integrity during transit.

An important paradigm for the creation of digital signatures is the Fiat–Shamir transform, which converts interactive identification protocols into non-interactive digital signature schemes. Starting with a three-move identification protocol, where a prover demonstrates knowledge to a verifier through commitment, challenge, and response steps, the transform replaces the verifier’s random challenge with a hash function applied to both the commitment and the message. This creates a digital signature scheme where the signing algorithm computes a commitment, generates a challenge by hashing the commitment with the message, and produces a response using the secret key.

The Schnorr signature scheme is perhaps the most well-known application of the Fiat–Shamir transform, which has gained particular attention due to its security characteristics and its valuable properties, such as signature aggregation. These advantages make Schnorr signatures especially attractive for blockchain applications where transaction size reduction and privacy enhancement are crucial considerations.

The impact of digital signatures is particularly important in blockchain technology, where this primitive extends beyond basic transaction authentication, enabling sophisticated smart contract interactions, multi-signature schemes for enhanced security, and threshold signature systems for distributed key management. Furthermore, innovations in signature aggregation and batch verification techniques have contributed significantly to blockchain scalability solutions.

Current public-key cryptographic algorithms serve as the foundation for protecting sensitive electronic information from unauthorized access. These algorithms have successfully withstood attacks from conventional computing systems for decades, due to the hardness of their underlying mathematical problems, prime factorization and the computation of discrete logarithms. However, the emergence of quantum computing presents a significant challenge to this security paradigm, as Shor’s algorithm demonstrates the potential to solve both the prime factorization and the computation of discrete logarithms efficiently. This means that quantum computers possess computational capabilities that could potentially compromise current cryptographic methods, exposing vulnerable data and information.

To address this impending challenge, new cryptographic approaches are being designed to withstand attacks from both traditional computers and future quantum systems. These methods rely on problems, such as lattices, error-correcting codes or isogenies of elliptic curves, which have enhanced mathematical structure, leading to computational problems assumed to be hard both for classical and quantum computers. This framework is known as post-quantum cryptography, which represents a critical advancement in information security, ensuring that digital assets remain protected against evolving technological threats.

The Fiat–Shamir transform can be extended to lattices, leading to the Fiat–Shamir with aborts paradigm due to Lyubashevsky [lyubashevsky2009]. Fiat–Shamir with aborts provides a framework for constructing digital signature schemes with provable security. This methodology addresses the challenge of generating signatures from lattice-based one-way functions by introducing a controlled rejection sampling technique, aborting. When a potential signature might reveal information about the secret key, the signing algorithm simply aborts and restarts the process. This paradigm converts an interactive identification protocol with a non-negligible probability of aborting into a signature scheme through iterative execution until a successful completion occurs, the aborting procedure. This transformation eliminates the need for interaction by substituting the verifier’s challenge with a hash function evaluation, which security analyses treat as a random oracle.

Amongst the main constructions based on the Fiat–Shamir with aborts mechanism, we find Dilithium [ducas2017] and HAETAE [cheon2024]. Dilithium derives its security from the difficulty of solving certain lattice problems, specifically the Module Learning with Errors and Module Short Integer Solution problems. The importance of the scheme comes from the effective balance between security, signature size, and computational efficiency, making it practical for real-world implementations. HAETAE has been specifically designed to produce more compact and efficiently maskable signatures. While built upon the Fiat–Shamir with aborts paradigm underpinning Dilithium, HAETAE introduces design choices that optimize the complexity-to-compactness ratio, which is particularly important in space-constrained implementation scenarios.

Digital signatures are designed to provide authenticity, integrity, and non-repudiation for signed messages. Once a signature is created, it remains valid indefinitely, and the signer cannot rescind it. This permanence, while typically considered a feature, raises an important question: is it possible for signers to efficiently revoke their signatures without compromising their private keys or affecting the validity of their other signatures? Liu, Baek, and Susilo address this challenge by introducing the concept of withdrawable signatures [liu2023], offering a practical and secure mechanism for signature revocation in situations where this capability is desirable.

The practical applications of withdrawable signatures span multiple domains where signature revocation capability is essential without compromising the signer’s private key. In blockchain-based smart contracts, these signatures enable participants to commit to contract conditions while maintaining the ability to revoke their commitment, particularly valuable when contract fulfillment depends on multiple parties or external conditions. Within decentralized e-voting systems, withdrawable signatures provide voters the security to cast their votes while retaining the flexibility to modify their choices before final vote tabulation, allowing voters to respond to new information or developments during the voting period. Additionally, in decentralized escrow services, these signatures facilitate multi-party transactions by allowing participants to revoke their signatures if circumstances change or disputes arise, without compromising the security of other parties’ signatures.

1.1 Contributions

This paper builds upon the research conducted by Liu, Baek, and Susilo on withdrawable signatures [liu2023] to present a general methodology for constructing post-quantum withdrawable signatures based on Lyubashevsky’s Fiat–Shamir with aborts paradigm [lyubashevsky2009].

The work first introduces a comprehensive abstract construction that takes a mechanism based on the Fiat–Shamir with aborts paradigm as its starting point and extends it to incorporate withdrawability features. To demonstrate the practical applications of this abstract framework, the paper presents a concrete withdrawable construction from a no-hint, full-𝐭\mathbf{t} Dilithium-style variant [ducas2017]; the no-hint variant keeps the naHVZK proof exact (perfect, εzk=0\varepsilon_{\mathrm{zk}}=0), whereas production ML-DSA requires handling hints and incurs a small εzk\varepsilon_{\mathrm{zk}}.

The integration of withdrawability features with post-quantum cryptography addresses two crucial challenges in modern cryptographic systems. First, it provides the flexibility to revoke signatures when needed, a capability increasingly important in dynamic digital environments. Second, it ensures this functionality remains secure against quantum computing threats.

1.2 Related work

The research in this paper revolves around three gravity centres, namely: the work done by Lyubashevsky, the construction of Liu, Baek and Susilo, and the digital scheme Dilithium.

The Fiat–Shamir heuristic [fiat2000] provides a method for transforming public-coin interactive proof systems into digital signatures. This transformation works by substituting the verifier’s public coin tosses with hash function evaluations. In the random oracle model (ROM), these hash functions are treated as uniform functions that adversaries can access through classical computing methods.

Schnorr’s signature scheme stands as a prominent implementation of the Fiat–Shamir heuristic, with its security fundamentally based on the discrete logarithm problem. However, the emergence of quantum computing necessitates two critical adaptations to this framework. First, the discrete logarithm hardness assumption must be replaced with quantum-resistant alternatives. Second, the security model must account for quantum access to the random oracle (QROM), as quantum adversaries can query the hash function in superposition.

Lyubashevsky’s work [lyubashevsky2009] introduced an innovative lattice-based signature scheme that builds upon Schnorr’s design while incorporating abortion as a crucial modification. The abort mechanism ensures that the signature distribution remains independent of the signing key, preventing potential attacks against the signature scheme. The protocol manages these aborts through a loop structure, continuing iterations until a successful execution occurs without an abort.

This modified approach, known as Fiat–Shamir with aborts, maintains the fundamental concept of replacing non-final verifier steps with hash function evaluations while adapting to the requirements of lattice-based cryptography. The integration of the abort mechanism represents a significant advancement in developing quantum-resistant signature schemes, providing a robust framework for cryptographic security in the post-quantum era.

On the other hand, Liu, Baek and Susilo propose a designated-verifier signature scheme that introduces withdrawability to digital signatures. Their construction generates a withdrawable signature σ\sigma for a message μ\mu, distinct from conventional signature schemes.

The scheme’s construction centers on a transformation mechanism. When a signer generates a withdrawable signature, it remains verifiable only by the designated verifier. The signature can then follow two paths: it either remains in its withdrawable state through signer inaction, effectively withdrawing the signature, or undergoes transformation through a “Confirm” algorithm. This algorithm converts the withdrawable signature σ\sigma into a confirmed signature σ~\tilde{\sigma}, which becomes verifiable through both parties’ public keys while maintaining a deterministic relationship to σ\sigma.

The formal construction involves two entities, signer and verifier, with their public keys comprising a set π={pks,pkv}\pi=\{pk_{s},pk_{v}\}, respectively. The scheme utilizes the underlying signature structure to construct a withdrawable signature σ\sigma specifically designated for the verifier. Subsequently, using the secret key skssk_{s} and σ\sigma, the signer can generate a verifiable signature for μ\mu through the public key set π\pi. This confirmed signature σ~\tilde{\sigma} maintains a cryptographic link to the original withdrawable signature σ\sigma via the public key set π\pi, ensuring the signature transformation’s verifiability and traceability.

Finally, we find Dilithium [ducas2017], which builds upon the Fiat–Shamir with aborts paradigm. The scheme operates over module lattices, specifically using the module learning with errors (MLWE) and the module short integer solution (MSIS) problems as its primary security foundations. Its construction employs a ring Rq=q[x]/(xn+1)R_{q}=\mathbb{Z}_{q}[x]/(x^{n}+1) with carefully chosen parameters nn and qq. The signature scheme utilizes matrices and vectors over this ring, with dimensions selected to balance security and efficiency.

The key generation in Dilithium produces a public key containing a matrix 𝐀Rqk×l\mathbf{A}\in R_{q}^{k\times l} and a vector 𝐭=𝐀𝐬1+𝐬2\mathbf{t}=\mathbf{A}\mathbf{s}_{1}+\mathbf{s}_{2}, where 𝐬1\mathbf{s}_{1} and 𝐬2\mathbf{s}_{2} are secret vectors with small coefficients. The signing process involves generating a masking vector 𝐲\mathbf{y}, computing 𝐰=𝐀𝐲\mathbf{w}=\mathbf{A}\mathbf{y}, and using a challenge value cc derived from the message and 𝐰\mathbf{w} to produce the signature. The scheme incorporates rejection sampling to ensure signature security, leading to probabilistic signature generation.

2 Preliminaries

2.1 Notation

We write RR and RqR_{q} to denote the rings [x]/(xn+1)\mathbb{Z}[x]/(x^{n}+1) and q[x]/(xn+1)\mathbb{Z}_{q}[x]/(x^{n}+1) respectively, where qq is an integer. We will denote vectors by bold letters, and regular font letters denote elements in RR or RqR_{q}. Unless otherwise specified, all vectors are assumed to be column vectors. Bold upper-case letters denote matrices.

If SS is a set, then a$Sa\xleftarrow{\mathdollar}S means that aa is chosen uniformly at random from SS. All logarithms are assumed to be base 22, and the hash function H(,)H(\cdot,\cdot) will operate on the concatenation of its arguments.

For any even positive integer α\alpha, we define r=rmod±αr^{\prime}=r\mathbin{\mathrm{mod}^{\pm}}\alpha to be the unique element rr^{\prime} in the range α2<rα2-\tfrac{\alpha}{2}<r^{\prime}\leq\tfrac{\alpha}{2} such that rrmodαr^{\prime}\equiv r\bmod\alpha. For any odd positive integer α\alpha, we define r=rmod±αr^{\prime}=r\mathbin{\mathrm{mod}^{\pm}}\alpha to be the unique element rr^{\prime} in the range α12rα12-\tfrac{\alpha-1}{2}\leq r^{\prime}\leq\tfrac{\alpha-1}{2} such that rrmodαr^{\prime}\equiv r\bmod\alpha. We refer to these operations as centered reductions modulo α\alpha.

For any positive integer α\alpha, we define r=rmod+αr^{\prime}=r\bmod^{+}\alpha to be the unique element rr^{\prime} in the range 0r<α0\leq r^{\prime}<\alpha such that rrmodαr^{\prime}\equiv r\bmod\alpha. When the specific representation is not significant, we simply write rmodαr\bmod\alpha.

For an element wqw\in\mathbb{Z}_{q}, we denote w\lVert w\rVert_{\infty} to mean |wmod±q||w\mathbin{\mathrm{mod}^{\pm}}q|. For w=i=0n1wixiRw=\sum_{i=0}^{n-1}w_{i}x^{i}\in R, we define w=maxiwi\lVert w\rVert_{\infty}=\max_{i}\lVert w_{i}\rVert_{\infty} and w=w02++wn12\lVert w\rVert=\sqrt{\lVert w_{0}\rVert_{\infty}^{2}+\dots+\lVert w_{n-1}\rVert_{\infty}^{2}}. For 𝐰=(w1,,wk)Rk\mathbf{w}=(w_{1},\dots,w_{k})\in R^{k}: 𝐰=maxiwi\lVert\mathbf{w}\rVert_{\infty}=\max_{i}\lVert w_{i}\rVert_{\infty} and 𝐰=w12++wk2\lVert\mathbf{w}\rVert=\sqrt{\lVert w_{1}\rVert^{2}+\dots+\lVert w_{k}\rVert^{2}}. We denote by SαS_{\alpha} the set of all elements wRw\in R such that wα\lVert w\rVert_{\infty}\leq\alpha for αR\alpha\in R. There will be an abuse of notation: we write SS, with no subindex, to indicate that bounds in this case are given by the underlying scheme.

From [ducas2017] we set β\beta as the maximum possible coefficient of c𝐬ic\mathbf{s}_{i}, γ1\gamma_{1} is large enough so the signature does not reveal the secret key and small enough so that the signature is not forged, γ2\gamma_{2} is the low-order rounding bound with 2γ2q12\gamma_{2}\mid q-1 (concretely γ2=(q1)/88\gamma_{2}=(q-1)/88 for level 2 and (q1)/32(q-1)/32 for levels 3 and 5, so γ2γ1/2\gamma_{2}\neq\gamma_{1}/2 in general), and η\eta is a small integer. We write 𝒞=Bτ\mathcal{C}=B_{\tau} for the challenge set of weight τ\tau (Definition LABEL:def:stmsis); the concrete weights are τ{39,49,60}\tau\in\{39,49,60\} for the three parameter sets, and M=|𝒞|=2τ(nτ)M=|\mathcal{C}|=2^{\tau}\binom{n}{\tau}. Fix an efficiently invertible bijection ι:M𝒞\iota:\mathbb{Z}_{M}\to\mathcal{C} (for instance the indexing underlying SampleInBall), with inverse ι1:𝒞M\iota^{-1}:\mathcal{C}\to\mathbb{Z}_{M}. We use a challenge hash HM:{0,1}MH_{M}:\{0,1\}^{*}\to\mathbb{Z}_{M}. Let 𝖧𝖡()\mathsf{HB}(\cdot) denote the recoverable (high-order) part of a commitment, i.e. for every accepted transcript 𝖧𝖡(𝐀𝐳c𝐭)=𝖧𝖡(𝐀𝐲)\mathsf{HB}(\mathbf{A}\mathbf{z}-c\mathbf{t})=\mathsf{HB}(\mathbf{A}\mathbf{y}); in Dilithium 𝖧𝖡()=𝖧𝗂𝗀𝗁𝖡𝗂𝗍𝗌(,2γ2)\mathsf{HB}(\cdot)=\mathsf{HighBits}(\cdot,2\gamma_{2}).

Let 𝖯𝖪𝖤=(𝖪𝖦𝖾𝗇e,𝖤𝗇𝖼,𝖣𝖾𝖼)\mathsf{PKE}=(\mathsf{KGen}_{e},\mathsf{Enc},\mathsf{Dec}) be a public-key encryption scheme satisfying ciphertext pseudorandomness: for honestly generated ekek and any message KK, 𝖤𝗇𝖼(ek,K)\mathsf{Enc}(ek,K) is computationally indistinguishable from a uniform element of the ciphertext space given ekek (but not dkdk); we write its advantage 𝖠𝖽𝗏𝖯𝖪𝖤pr\mathsf{Adv}^{\mathrm{pr}}_{\mathsf{PKE}}. Ciphertext pseudorandomness implies both IND- CPA and key-privacy (anonymity), but neither of those implies it. We use 𝖯𝖪𝖤\mathsf{PKE} to encrypt a chosen symmetric key KK. The CPA-secure module-LWE encryption underlying ML-KEM (Kyber) is a candidate instantiation: its ciphertext components are pseudorandom under decisional MLWE, and pseudorandomness is understood with respect to the actual (compressed) ciphertext encoding space, up to the standard compression/statistical terms. Let G:{0,1}κ{0,1}G:\{0,1\}^{\kappa}\to\{0,1\}^{*} be a pseudorandom generator (XOF). Each party holds, in addition to its lattice keys, an encryption key pair (ek,dk)𝖪𝖦𝖾𝗇e(1κ)(ek,dk)\leftarrow\mathsf{KGen}_{e}(1^{\kappa}); for a key set π={pks,pkv}\pi=\{pk_{s},pk_{v}\} we write eks,ekvek_{s},ek_{v} (resp. dks,dkvdk_{s},dk_{v}) for the signer’s and verifier’s encryption keys.

Public parameters pp𝖲𝖾𝗍𝗎𝗉(1κ)pp\leftarrow\mathsf{Setup}(1^{\kappa}) fix the common matrix 𝐀Rqk×l\mathbf{A}\in R_{q}^{k\times l} (with the 𝖯𝖪𝖤\mathsf{PKE} and PRG descriptions); every key pair is generated as (pk,sk)𝖪𝖾𝗒𝖦𝖾𝗇(pp)(pk,sk)\leftarrow\mathsf{KeyGen}(pp) relative to the same 𝐀\mathbf{A}, so the two OR-proof branches share a module matrix.

2.2 Basic definitions

A withdrawable signature scheme involves two participating parties: signers and verifiers. The scheme operates in two primary stages: first, the generation of a withdrawable signature, and second, its transformation into a confirmed signature. Both stages are executed by the signer. Concerning the security of a withdrawable signature scheme WSWS, it is established through three properties, namely: correctness, unforgeability under insider corruption, and withdrawability.

  1. 1.

    Correctness establishes a strong relation between the verification algorithms: if a withdrawable signature σ\sigma is successfully verified through the 𝖶𝖲𝖵𝖾𝗋𝗂𝖿𝗒\mathsf{WSVerify} algorithm, then its corresponding confirmed signature σ~\tilde{\sigma} must also be verifiable through the 𝖢𝖵𝖾𝗋𝗂𝖿𝗒\mathsf{CVerify} algorithm.

  2. 2.

    Unforgeability under insider corruption ensures that only the original signer possesses the capability to transform a verifiable withdrawable signature σ\sigma (generated using skssk_{s} for verifier pkvpk_{v}) into its corresponding confirmed signature σ~\tilde{\sigma}. This requirement holds even when an adversary has obtained the verifier’s secret key skvsk_{v}, maintaining the exclusive control of the signer over the confirmation process.

  3. 3.

    Finally, withdrawability establishes the indistinguishability of signature origin. Specifically, given a verifiable withdrawable signature σ\sigma, no PPT adversary 𝒜\mathcal{A} should be able to determine whether the signature was generated by the signer or the verifier, provided that the 𝖢𝗈𝗇𝖿𝗂𝗋𝗆\mathsf{Confirm} algorithm has not been executed on σ\sigma. This property effectively ensures that both the signer and the designated verifier possess equivalent capabilities in generating withdrawable signatures.

Threat model.

All results are in the (quantum) random-oracle model, stated for the classical ROM with the QROM variant noted in Remark LABEL:rem:qrom. Keys are honestly generated unless stated otherwise: withdrawability is proved for honest keys (Theorem LABEL:thm:withdraw), and Remark LABEL:rem:wd treats an adversarially chosen verifier key at the cost of a decisional-MLWE term. Unforgeability (Theorem LABEL:thm:unforge) is under insider corruption, i.e. the adversary may hold the designated verifier’s secret key. For withdrawability we distinguish third-party adversaries (holding no secret key), defeated by the encryption layer of Section LABEL:sec:sdvs, from the designated verifier (holding dkvdk_{v}), defeated by the origin ambiguity of the public core.

Definition 2.1 ([liu2023], Section LABEL:subsec:instantiation).

wbsphack @@writeaux\newlabeldef:wswcurrentlabel1wesphack A withdrawable signature scheme is composed of five polynomial-time algorithms 𝖪𝖾𝗒𝖦𝖾𝗇,𝖶𝖲𝗂𝗀𝗇,𝖶𝖲𝖵𝖾𝗋𝗂𝖿𝗒,𝖢𝗈𝗇𝖿𝗂𝗋𝗆,𝖢𝖵𝖾𝗋𝗂𝖿𝗒\mathsf{KeyGen},\mathsf{WSign},\mathsf{WSVerify},\mathsf{Confirm},\mathsf{CVerify}, defined as follows:

  • pp𝖲𝖾𝗍𝗎𝗉(1κ)pp\leftarrow\mathsf{Setup}(1^{\kappa}), (pk,sk)𝖪𝖾𝗒𝖦𝖾𝗇(pp)(pk,sk)\leftarrow\mathsf{KeyGen}(pp): 𝖲𝖾𝗍𝗎𝗉\mathsf{Setup} fixes public parameters pppp, in particular the common matrix 𝐀\mathbf{A} shared by all users, and 𝖪𝖾𝗒𝖦𝖾𝗇(pp)\mathsf{KeyGen}(pp) outputs one key pair. The signer and verifier keys (pks,sks)(pk_{s},sk_{s}), (pkv,skv)(pk_{v},sk_{v}) are two independent invocations of 𝖪𝖾𝗒𝖦𝖾𝗇(pp)\mathsf{KeyGen}(pp) and thus share 𝐀\mathbf{A}; by convention each secret key embeds its own public key, i.e. sk=(pk,𝐬1,𝐬2,dk)sk=(pk,\mathbf{s}_{1},\mathbf{s}_{2},dk), so that a party can reconstruct π\pi from its own sksk.

  • σ𝖶𝖲𝗂𝗀𝗇(μ,sks,π)\sigma\leftarrow\mathsf{WSign}(\mu,sk_{s},\pi): given a message μ\mu, a signer’s secret key skssk_{s}, and a tuple π={pks,pkv}\pi=\{pk_{s},pk_{v}\} containing both the signer’s public key pkspk_{s} and a designated verifier’s public key pkvpk_{v} from the set of all public keys PKPK (those output by 𝖪𝖾𝗒𝖦𝖾𝗇\mathsf{KeyGen}), the withdrawable signing algorithm generates a withdrawable signature σ\sigma. This signature is specifically bound to message μ\mu under the signer’s identity and can only be verified by the designated verifier pkvpk_{v}.

  • 1/0𝖶𝖲𝖵𝖾𝗋𝗂𝖿𝗒(μ,skv,pks,σ)1/0\leftarrow\mathsf{WSVerify}(\mu,sk_{v},pk_{s},\sigma): the withdrawable signature verification algorithm uses the designated verifier’s secret key skvsk_{v} (which includes dkvdk_{v}) to return 11 iff σ\sigma is a valid withdrawable signature on μ\mu under π={pks,pkv}\pi=\{pk_{s},pk_{v}\}, and 0 otherwise. Among third parties only the designated verifier can run it; the signer may also recover the public core (via dksdk_{s}) for confirmation. The signature is not publicly verifiable.

  • σ~𝖢𝗈𝗇𝖿𝗂𝗋𝗆(μ,sks,π,σ)\tilde{\sigma}\leftarrow\mathsf{Confirm}(\mu,sk_{s},\pi,\sigma): the confirmation algorithm transforms a withdrawable signature σ\sigma into a confirmed signature σ~\tilde{\sigma}. It takes as input the original message μ\mu, the signer’s secret key skssk_{s}, the public key set π\pi, and the withdrawable signature σ\sigma. The resulting confirmed signature σ~\tilde{\sigma} serves as a publicly verifiable signature with respect to the key set π\pi.

  • 1/0𝖢𝖵𝖾𝗋𝗂𝖿𝗒(μ,π,σ,σ~)1/0\leftarrow\mathsf{CVerify}(\mu,\pi,\sigma,\tilde{\sigma}): the confirmed signature verification algorithm validates the authenticity of a confirmed signature σ~\tilde{\sigma} on message μ\mu with respect to the public key set π\pi. It takes as additional input the original withdrawable signature σ\sigma from which the confirmed signature was derived. The algorithm outputs 11 if the confirmed signature is valid and 0 otherwise.

Definition 2.2.

wbsphack @@writeaux\newlabeldef:correctwcurrentlabel1wesphack A withdrawable signature scheme WSWS is correct if, for any security parameter κ\kappa, any public key set π\pi, and any message μ{0,1}\mu\in\{0,1\}^{*}, when executing the sequence 𝖪𝖾𝗒𝖦𝖾𝗇,𝖶𝖲𝗂𝗀𝗇\mathsf{KeyGen},\mathsf{WSign}, and 𝖢𝗈𝗇𝖿𝗂𝗋𝗆\mathsf{Confirm}, then the corresponding verification algorithms satisfy:

𝖶𝖲𝖵𝖾𝗋𝗂𝖿𝗒(μ,skv,pks,σ)=1and𝖢𝖵𝖾𝗋𝗂𝖿𝗒(μ,π,σ,σ~)=1\mathsf{WSVerify}(\mu,sk_{v},pk_{s},\sigma)=1\quad\text{and}\quad\mathsf{CVerify}(\mu,\pi,\sigma,\tilde{\sigma})=1

with overwhelming probability (in the security parameter κ\kappa).

Definition 2.3.

wbsphack @@writeaux\newlabeldef:eufwcurrentlabel1wesphack For a PPT adversary 𝒜\mathcal{A} and security parameter κ\kappa, we define the unforgeability under insider corruption experiment 𝖤𝗑𝗉WS,𝒜EUF-CMA(1κ)\mathsf{Exp}^{\text{EUF-CMA}}_{WS,\mathcal{A}}(1^{\kappa}) using the three oracles in Algorithms LABEL:alg:corruptLABEL:alg:confirm-oracle.

Algorithm 1 Corruption oracle 𝒪i𝖢𝗈𝗋𝗋𝗎𝗉𝗍()\mathcal{O}^{\mathsf{Corrupt}}_{i}(\cdot)wbsphack @@writeaux\newlabelalg:corruptwcurrentlabel1wesphack
1:if isi\neq s then COCO{i}CO\leftarrow CO\cup\{i\}
2:  return skisk_{i}
3:else return \bot
4:end if
Algorithm 2 Withdrawable signing oracle 𝒪sks,π𝖶𝖲𝗂𝗀𝗇(μ)\mathcal{O}^{\mathsf{WSign}}_{sk_{s},\pi}(\mu)wbsphack @@writeaux\newlabelalg:wsign-oraclewcurrentlabel1wesphack
1:if (pksπ)(sCO)(pk_{s}\in\pi)\wedge(s\notin CO) then
2:  σ𝖶𝖲𝗂𝗀𝗇(μ,sks,π)\sigma\leftarrow\mathsf{WSign}(\mu,sk_{s},\pi)
3:  WW{σ}W\leftarrow W\cup\{\sigma\}
4:  return σ\sigma
5:else return \bot
6:end if
Algorithm 3 Confirmation oracle 𝒪sks,π𝖢𝗈𝗇𝖿𝗂𝗋𝗆(μ,σ)\mathcal{O}^{\mathsf{Confirm}}_{sk_{s},\pi}(\mu,\sigma)wbsphack @@writeaux\newlabelalg:confirm-oraclewcurrentlabel1wesphack
1:if σW\sigma\in W then
2:  MM{μ}M\leftarrow M\cup\{\mu\}
3:  σ~𝖢𝗈𝗇𝖿𝗂𝗋𝗆(μ,sks,π,σ)\tilde{\sigma}\leftarrow\mathsf{Confirm}(\mu,sk_{s},\pi,\sigma)
4:  return σ~\tilde{\sigma}
5:else return \bot
6:end if

Using these three oracles, we define the unforgeability experiment 𝖤𝗑𝗉WS,𝒜EUF-CMA(1κ)\mathsf{Exp}^{\text{EUF-CMA}}_{WS,\mathcal{A}}(1^{\kappa}) as follows:

Algorithm 4 Unforgeability experiment 𝖤𝗑𝗉WS,𝒜EUF-CMA(1κ)\mathsf{Exp}^{\text{EUF-CMA}}_{WS,\mathcal{A}}(1^{\kappa})wbsphack @@writeaux\newlabelalg:euf-expwcurrentlabel1wesphack
1:pp𝖲𝖾𝗍𝗎𝗉(1κ)pp\leftarrow\mathsf{Setup}(1^{\kappa})
2:for i=1i=1 to mm do (pki,ski)𝖪𝖾𝗒𝖦𝖾𝗇(pp)(pk_{i},sk_{i})\leftarrow\mathsf{KeyGen}(pp)
3:end for
4:Select s,v{1,,m}s,v\in\{1,\dots,m\} where vsv\neq s
5:Initialize empty sets CO,W,MCO\leftarrow\emptyset,\ W\leftarrow\emptyset,\ M\leftarrow\emptyset
6:(μ,σ,σ~)𝒜𝒪i𝖢𝗈𝗋𝗋𝗎𝗉𝗍(),𝒪sks,π𝖶𝖲𝗂𝗀𝗇(),𝒪sks,π𝖢𝗈𝗇𝖿𝗂𝗋𝗆(,)(1κ,π)(\mu^{*},\sigma^{*},\tilde{\sigma}^{*})\leftarrow\mathcal{A}^{\mathcal{O}^{\mathsf{Corrupt}}_{i}(\cdot),\,\mathcal{O}^{\mathsf{WSign}}_{sk_{s},\pi}(\cdot),\,\mathcal{O}^{\mathsf{Confirm}}_{sk_{s},\pi}(\cdot,\cdot)}(1^{\kappa},\pi^{*})
7:if (π={pks,pkv})(vCO)(μM)(\pi^{*}=\{pk_{s},pk_{v}\})\wedge(v\in CO)\wedge(\mu^{*}\notin M) then
8:  if (𝖶𝖲𝖵𝖾𝗋𝗂𝖿𝗒(μ,skv,pks,σ)=1)(𝖢𝖵𝖾𝗋𝗂𝖿𝗒(μ,π,σ,σ~)=1)(\mathsf{WSVerify}(\mu^{*},sk_{v},pk_{s},\sigma^{*})=1)\wedge(\mathsf{CVerify}(\mu^{*},\pi^{*},\sigma^{*},\tilde{\sigma}^{*})=1) then return 11
9:  end if
10:end if
11:return 0

A withdrawable signature scheme WSWS is considered unforgeable under insider corruption with EUF-CMA security if, for all PPT adversaries 𝒜\mathcal{A}, there exists a negligible function 𝗇𝖾𝗀𝗅\mathsf{negl} such that:

Pr[𝖤𝗑𝗉WS,𝒜EUF-CMA(1κ)=1]𝗇𝖾𝗀𝗅(1κ).\Pr[\mathsf{Exp}^{\text{EUF-CMA}}_{WS,\mathcal{A}}(1^{\kappa})=1]\leq\mathsf{negl}(1^{\kappa}).
Definition 2.4.

wbsphack @@writeaux\newlabeldef:withdrawwcurrentlabel1wesphack Let (pk0,sk0),(pk1,sk1)𝖪𝖾𝗒𝖦𝖾𝗇(pp)(pk_{0},sk_{0}),(pk_{1},sk_{1})\leftarrow\mathsf{KeyGen}(pp) be two generated public/secret key pairs, and let π={pk0,pk1}\pi=\{pk_{0},pk_{1}\}. For a randomly selected bit b${0,1}b\xleftarrow{\mathdollar}\{0,1\}, a security parameter κ\kappa, and a PPT adversary 𝒜\mathcal{A}, we build the withdrawability experiment 𝖤𝗑𝗉WS,𝒜Withdraw(1κ)\mathsf{Exp}^{\text{Withdraw}}_{WS,\mathcal{A}}(1^{\kappa}) with the oracle of Algorithm LABEL:alg:withdraw-oracle.

Algorithm 5 Signing oracle 𝒪skb,π𝖶𝖲𝗂𝗀𝗇()\mathcal{O}^{\mathsf{WSign}}_{sk_{b},\pi}(\cdot) for the withdrawability experimentwbsphack @@writeaux\newlabelalg:withdraw-oraclewcurrentlabel1wesphack
1:if π={pk0,pk1}\pi=\{pk_{0},pk_{1}\} then
2:  σb𝖶𝖲𝗂𝗀𝗇(μ,skb,π)\sigma_{b}\leftarrow\mathsf{WSign}(\mu,sk_{b},\pi)
3:  MM{μ}M\leftarrow M\cup\{\mu\}
4:  return σb\sigma_{b}
5:else return \bot
6:end if

With this signing oracle, we have the following experiment:

Algorithm 6 Withdrawability experiment 𝖤𝗑𝗉WS,𝒜Withdraw(1κ)\mathsf{Exp}^{\text{Withdraw}}_{WS,\mathcal{A}}(1^{\kappa})wbsphack @@writeaux\newlabelalg:withdraw-expwcurrentlabel1wesphack
1:pp𝖲𝖾𝗍𝗎𝗉(1κ)pp\leftarrow\mathsf{Setup}(1^{\kappa}); for i=0,1i=0,1: (pki,ski)𝖪𝖾𝗒𝖦𝖾𝗇(pp)(pk_{i},sk_{i})\leftarrow\mathsf{KeyGen}(pp)
2:π{pk0,pk1};b${0,1};M\pi\leftarrow\{pk_{0},pk_{1}\};\ b\xleftarrow{\mathdollar}\{0,1\};\ M\leftarrow\emptyset
3:(μ,𝑠𝑡)𝒜𝒪skb,π𝖶𝖲𝗂𝗀𝗇(pp,π)(\mu^{*},\mathit{st})\leftarrow\mathcal{A}^{\mathcal{O}^{\mathsf{WSign}}_{sk_{b},\pi}}(pp,\pi) \triangleright stage 1: choose challenge message
4:σb𝖶𝖲𝗂𝗀𝗇(μ,skb,π)\sigma_{b}\leftarrow\mathsf{WSign}(\mu^{*},sk_{b},\pi)
5:b𝒜𝒪skb,π𝖶𝖲𝗂𝗀𝗇(𝑠𝑡,σb)b^{\prime}\leftarrow\mathcal{A}^{\mathcal{O}^{\mathsf{WSign}}_{sk_{b},\pi}}(\mathit{st},\sigma_{b}) \triangleright stage 2: guess
6:if (b=b)(μM)(b=b^{\prime})\wedge(\mu^{*}\notin M) then return 11
7:end if
8:return 0

A withdrawable signature scheme WSWS is withdrawable if, for any PPT adversary 𝒜\mathcal{A}, and in the absence of the execution of the 𝖢𝗈𝗇𝖿𝗂𝗋𝗆\mathsf{Confirm} algorithm, there exists a negligible function 𝗇𝖾𝗀𝗅\mathsf{negl} such that:

Pr[𝖤𝗑𝗉WS,𝒜Withdraw(1κ)=1]12+𝗇𝖾𝗀𝗅(1κ).\Pr[\mathsf{Exp}^{\text{Withdraw}}_{WS,\mathcal{A}}(1^{\kappa})=1]\leq\tfrac{1}{2}+\mathsf{negl}(1^{\kappa}).

2.3 Security definitions and computational assumptions

Definition 2.5.

wbsphack @@writeaux\newlabeldef:ds-eufwcurrentlabel1wesphack For a signature scheme DS=(𝖪𝖾𝗒𝖦𝖾𝗇,𝖲𝗂𝗀𝗇,𝖵𝖾𝗋𝗂𝖿𝗒)DS=(\mathsf{KeyGen},\mathsf{Sign},\mathsf{Verify}) and a PPT adversary 𝒜\mathcal{A}, consider the following experiment 𝖤𝗑𝗉𝒜EUF-CMA\mathsf{Exp}^{\text{EUF-CMA}}_{\mathcal{A}}:

  1. 1.

    The challenger \mathcal{B} generates a key pair (pks,sks)𝖪𝖾𝗒𝖦𝖾𝗇(pp)(pk_{s},sk_{s})\leftarrow\mathsf{KeyGen}(pp) using the system parameters SPSP. It provides pkspk_{s} to 𝒜\mathcal{A} while retaining skssk_{s} to handle signature queries.

  2. 2.

    𝒜\mathcal{A} receives access to the signing oracle 𝒪sks𝖲𝗂𝗀𝗇()\mathcal{O}^{\mathsf{Sign}}_{sk_{s}}(\cdot) that computes σ𝖲𝗂𝗀𝗇(μ,sks)\sigma\leftarrow\mathsf{Sign}(\mu,sk_{s}) upon request.

  3. 3.

    Eventually, 𝒜\mathcal{A} outputs a forgery attempt (μ,σ)(\mu^{*},\sigma^{*}).

  4. 4.

    𝒜\mathcal{A} succeeds if 𝖵𝖾𝗋𝗂𝖿𝗒(μ,pks,σ)=1\mathsf{Verify}(\mu^{*},pk_{s},\sigma^{*})=1 and μ\mu^{*} was not previously queried to 𝒪sks𝖲𝗂𝗀𝗇()\mathcal{O}^{\mathsf{Sign}}_{sk_{s}}(\cdot).

We say that DSDS is (t,qs,ε)(t,q_{s},\varepsilon)-secure under EUF-CMA if no adversary running in time tt and making at most qsq_{s} signing queries can succeed with probability greater than ε\varepsilon.

Definition 2.6.

wbsphack @@writeaux\newlabeldef:dvswcurrentlabel1wesphack A designated-verifier signature scheme DVSDVS consists of four probabilistic polynomial-time algorithms operating on key pairs (pks,sks)(pk_{s},sk_{s}) for signers and (pkd,skd)(pk_{d},sk_{d}) for designated verifiers:

DVS={(pk,sk)𝖪𝖾𝗒𝖦𝖾𝗇(pp)σ𝖲𝗂𝗀𝗇(μ,pkd,sks)σ𝖲𝗂𝗆𝗎𝗅(μ,pks,skd)0/1𝖵𝖾𝗋𝗂𝖿𝗒(μ,pks,skd,σ)}DVS=\left\{\begin{aligned} &(pk,sk)\leftarrow\mathsf{KeyGen}(pp)\\ &\sigma\leftarrow\mathsf{Sign}(\mu,pk_{d},sk_{s})\\ &\sigma\leftarrow\mathsf{Simul}(\mu,pk_{s},sk_{d})\\ &0/1\leftarrow\mathsf{Verify}(\mu,pk_{s},sk_{d},\sigma)\end{aligned}\right\}

The key security property of DVSDVS schemes is non-transferability, which states that for any message-signature pair (μ,σ)(\mu,\sigma) that validates under 𝖵𝖾𝗋𝗂𝖿𝗒\mathsf{Verify}, it should be computationally infeasible to determine whether σ\sigma was produced by the signer using 𝖲𝗂𝗀𝗇\mathsf{Sign} or simulated by the designated verifier using 𝖲𝗂𝗆𝗎𝗅\mathsf{Simul}, without access to the signer’s secret key skssk_{s}. The formal definition of this property follows:

Definition 2.7 (Non-transferability).

wbsphack @@writeaux\newlabeldef:nontranswcurrentlabel1wesphack For a designated-verifier signature scheme and a PPT adversary 𝒜\mathcal{A}, consider the non-transferability experiment 𝖤𝗑𝗉NonTrans,DV,𝒜𝖲𝗂𝗀𝗇\mathsf{Exp}^{\mathsf{Sign}}_{\text{NonTrans},DV,\mathcal{A}}:

Algorithm 7 Non-transferability experiment 𝖤𝗑𝗉NonTrans,DV,𝒜𝖲𝗂𝗀𝗇(1κ)\mathsf{Exp}^{\mathsf{Sign}}_{\text{NonTrans},DV,\mathcal{A}}(1^{\kappa})wbsphack @@writeaux\newlabelalg:nontranswcurrentlabel1wesphack
1:(pks,sks),(pkd,skd)𝖪𝖾𝗒𝖦𝖾𝗇(pp)(pk_{s},sk_{s}),(pk_{d},sk_{d})\leftarrow\mathsf{KeyGen}(pp)
2:Provide 𝒜\mathcal{A} access to oracles:
3:𝒪sks,pkd𝖲𝗂𝗀𝗇():σ0𝖲𝗂𝗀𝗇(μ,sks,pkd)\mathcal{O}^{\mathsf{Sign}}_{sk_{s},pk_{d}}(\cdot):\ \sigma_{0}\leftarrow\mathsf{Sign}(\mu,sk_{s},pk_{d})
4:𝒪skd,pks𝖲𝗂𝗆𝗎𝗅():σ1𝖲𝗂𝗆𝗎𝗅(μ,pks,skd)\mathcal{O}^{\mathsf{Simul}}_{sk_{d},pk_{s}}(\cdot):\ \sigma_{1}\leftarrow\mathsf{Simul}(\mu,pk_{s},sk_{d})
5:𝒜\mathcal{A} outputs message μ\mu^{*}
6:σ0𝖲𝗂𝗀𝗇(μ,pkd,sks);σ1𝖲𝗂𝗆𝗎𝗅(μ,pks,skd)\sigma^{*}_{0}\leftarrow\mathsf{Sign}(\mu^{*},pk_{d},sk_{s});\quad\sigma^{*}_{1}\leftarrow\mathsf{Simul}(\mu^{*},pk_{s},sk_{d})
7:b${0,1}b\xleftarrow{\mathdollar}\{0,1\}
8:Provide 𝒜\mathcal{A} with signature σb\sigma^{*}_{b}
9:𝒜\mathcal{A} outputs bit bb^{\prime}
10:if b=bb^{\prime}=b then return 11
11:else return 0
12:end if

A DVSDVS achieves non-transferability if for any PPT adversary 𝒜\mathcal{A}, there exists a negligible function 𝗇𝖾𝗀𝗅\mathsf{negl} such that:

Pr[𝖤𝗑𝗉NonTrans,DV,𝒜𝖲𝗂𝗀𝗇(1κ)=1]12+𝗇𝖾𝗀𝗅(1κ).\Pr[\mathsf{Exp}^{\mathsf{Sign}}_{\text{NonTrans},DV,\mathcal{A}}(1^{\kappa})=1]\leq\tfrac{1}{2}+\mathsf{negl}(1^{\kappa}).

The security of our scheme rests upon three fundamental lattice-based hardness assumptions. The Module Learning With Errors (MLWE) assumption provides protection against key-recovery attacks, ensuring the confidentiality of secret keys. The SelfTargetMSIS assumption establishes the security foundation against new message forgery attempts, preventing adversaries from generating valid signatures for previously unsigned messages. Finally, the MSIS assumption is essential for achieving strong unforgeability, which prevents even slight modifications of existing signatures.

Definition 2.8 (Module Learning With Errors (MLWE)).

wbsphack @@writeaux\newlabeldef:mlwewcurrentlabel1wesphack For integers m,km,k and a probability distribution D:Rq[0,1]D:R_{q}\to[0,1], the advantage of an algorithm 𝒜\mathcal{A} in solving the decisional MLWEm,k,D\text{MLWE}_{m,k,D} problem over the ring RqR_{q} is defined as:

𝖠𝖽𝗏m,k,DMLWE:=|\displaystyle\mathsf{Adv}^{\text{MLWE}}_{m,k,D}:=\big| Pr[b=1𝐀Rqm×k;𝐭Rqm;b𝒜(𝐀,𝐭)]\displaystyle\Pr[b=1\mid\mathbf{A}\leftarrow R_{q}^{m\times k};\ \mathbf{t}\leftarrow R_{q}^{m};\ b\leftarrow\mathcal{A}(\mathbf{A},\mathbf{t})]
\displaystyle- Pr[b=1𝐀Rqm×k;𝐬1Dk;𝐬2Dm;b𝒜(𝐀,𝐀𝐬1+𝐬2)]|.\displaystyle\Pr[b=1\mid\mathbf{A}\leftarrow R_{q}^{m\times k};\ \mathbf{s}_{1}\leftarrow D^{k};\ \mathbf{s}_{2}\leftarrow D^{m};\ b\leftarrow\mathcal{A}(\mathbf{A},\mathbf{A}\mathbf{s}_{1}+\mathbf{s}_{2})]\big|.
Definition 2.9 (Module Short Integer Solution (MSIS)).

wbsphack @@writeaux\newlabeldef:msiswcurrentlabel1wesphack For an algorithm 𝒜\mathcal{A}, we define its advantage function 𝖠𝖽𝗏m,k,γMSIS\mathsf{Adv}^{\text{MSIS}}_{m,k,\gamma} in solving the (Hermite Normal Form) MSISm,k,γ\text{MSIS}_{m,k,\gamma} problem over the ring RqR_{q} as:

𝖠𝖽𝗏m,k,γMSIS(𝒜):=Pr[0<𝐲γ[𝐈𝐀]𝐲=0|𝐀Rqm×k;𝐲𝒜(𝐀)].\mathsf{Adv}^{\text{MSIS}}_{m,k,\gamma}(\mathcal{A}):=\Pr\!\left[0<\lVert\mathbf{y}\rVert_{\infty}\leq\gamma\ \wedge\ [\,\mathbf{I}\mid\mathbf{A}\,]\cdot\mathbf{y}=0\ \middle|\ \mathbf{A}\leftarrow R_{q}^{m\times k};\ \mathbf{y}\leftarrow\mathcal{A}(\mathbf{A})\right].

Let BhB_{h} denote the subset of elements in RR that have exactly hh coefficients equal to either 1-1 or 11, with all remaining coefficients being 0. The cardinality of this set is given by |Bh|=2h(nh)|B_{h}|=2^{h}\cdot\binom{n}{h}.

Definition 2.10 (SelfTargetMSIS).

wbsphack @@writeaux\newlabeldef:stmsiswcurrentlabel1wesphack Let H:{0,1}BhH:\{0,1\}^{*}\to B_{h} be a cryptographic hash function. For an algorithm 𝒜\mathcal{A}, we define its advantage function as:

𝖠𝖽𝗏H,m,k,γ1SelfTargetMSIS(𝒜):=Pr[0𝐲γ1H([𝐈𝐀]𝐲M)=c|𝐀Rqm×k;(𝐲:=(𝐫,c),M)𝒜H()(𝐀)].\mathsf{Adv}^{\text{SelfTargetMSIS}}_{H,m,k,\gamma_{1}}(\mathcal{A}):=\Pr\!\left[\begin{aligned} &0\leq\lVert\mathbf{y}\rVert_{\infty}\leq\gamma_{1}\ \wedge\ H\big([\,\mathbf{I}\mid\mathbf{A}\,]\cdot\mathbf{y}\,\big\|\,M\big)=c\\ &\ \big|\ \mathbf{A}\leftarrow R_{q}^{m\times k};\ (\mathbf{y}:=(\mathbf{r},c),M)\leftarrow\mathcal{A}^{\langle H(\cdot)\rangle}(\mathbf{A})\end{aligned}\right].

The above problems are hard if, for any PPT adversary 𝒜\mathcal{A}, the respective advantages are negligible.

The intuition is that the MLWE assumption protects against key-recovery attacks, the SelfTargetMSIS is the assumption upon which new message forgery is based, and the MSIS assumption is needed for strong unforgeability. The decisional MLWE will be used to prove withdrawability.

3 Withdrawable signature schemes

3.1 The abstract construction

wbsphack @@writeaux\newlabelsec:abstractwcurrentlabel1wesphack In this section we provide a global construction for withdrawable signatures based on the Fiat–Shamir with aborts paradigm and prove the unforgeability and withdrawability as described in Definition LABEL:def:ws. This construction follows the paradigm described in [lyubashevsky2009] combined with ideas in [liu2023]. Let 𝒞=Bh\mathcal{C}=B_{h} be the (bounded) challenge set and H:{0,1}𝒞H:\{0,1\}^{*}\to\mathcal{C} a random oracle. Sampling uniformly from RR is not well defined, and the challenge must be small enough that 𝐳=𝐲+c𝐬1Sl\mathbf{z}=\mathbf{y}+c\mathbf{s}_{1}\in S^{l}.

Algorithm 8 Fiat–Shamir with aborts signaturewbsphack @@writeaux\newlabelalg:fswawcurrentlabel1wesphack
1:procedure KeyGen(1κ1^{\kappa})
2:  𝐀Rqk×l,𝐬1Sl,𝐬2Sk\mathbf{A}\leftarrow R_{q}^{k\times l},\ \mathbf{s}_{1}\leftarrow S^{l},\ \mathbf{s}_{2}\leftarrow S^{k}
3:  𝐭=𝐀𝐬1+𝐬2\mathbf{t}=\mathbf{A}\mathbf{s}_{1}+\mathbf{s}_{2}
4:  return pk=(𝐀,𝐭),sk=(𝐬1,𝐬2)pk=(\mathbf{A},\mathbf{t}),\ sk=(\mathbf{s}_{1},\mathbf{s}_{2})
5:end procedure
6:procedure Sign(μ,sk,𝐭\mu,sk,\mathbf{t})
7:  repeat 𝐲Sl,𝐰=𝖧𝖡(𝐀𝐲),c=H(μ,𝐰),𝐳=𝐲+c𝐬1\mathbf{y}\leftarrow S^{l},\ \mathbf{w}=\mathsf{HB}(\mathbf{A}\mathbf{y}),\ c=H(\mu,\mathbf{w}),\ \mathbf{z}=\mathbf{y}+c\mathbf{s}_{1}
8:  until 𝐳Sl\mathbf{z}\in S^{l} and the recoverability bound holds
9:  return σ=(𝐳,c)\sigma=(\mathbf{z},c)
10:end procedure
11:procedure Verify(μ,σ,pk\mu,\sigma,pk)
12:  𝐰=𝖧𝖡(𝐀𝐳c𝐭)\mathbf{w}^{\prime}=\mathsf{HB}(\mathbf{A}\mathbf{z}-c\mathbf{t})
13:  if (𝐳Sl)(c=H(μ,𝐰))(\mathbf{z}\in S^{l})\wedge(c=H(\mu,\mathbf{w}^{\prime})) then return 11
14:  end if
15:end procedure
Theorem 3.1 ([lyubashevsky2009], Theorem 2).

wbsphack @@writeaux\newlabelthm:lyuwcurrentlabel1wesphack Let nn be an integer which is a power of 22. If the above signature scheme is not strongly unforgeable, then there is a polynomial-time algorithm that can solve SVPε(Λ)\operatorname{SVP}_{\varepsilon}(\Lambda), for ε=O~(n2)\varepsilon=\tilde{O}(n^{2}) and for every lattice Λ\Lambda corresponding to an ideal in the ring [x]/(xn+1)\mathbb{Z}[x]/(x^{n}+1).

Taking the above scheme as starting point, we define a withdrawable lattice-based scheme as follows:

Algorithm 9 𝖪𝖾𝗒𝖦𝖾𝗇(pp)\mathsf{KeyGen}(pp)wbsphack @@writeaux\newlabelalg:abs-keygenwcurrentlabel1wesphack
1:parse 𝐀\mathbf{A} from pppp
2:𝐬1Sl,𝐬2Sk\mathbf{s}_{1}\leftarrow S^{l},\ \mathbf{s}_{2}\leftarrow S^{k}
3:𝐭=𝐀𝐬1+𝐬2\mathbf{t}=\mathbf{A}\mathbf{s}_{1}+\mathbf{s}_{2}
4:(ek,dk)𝖪𝖦𝖾𝗇e(1κ)(ek,dk)\leftarrow\mathsf{KGen}_{e}(1^{\kappa})
5:return pk=(𝐀,𝐭,ek),sk=(pk,𝐬1,𝐬2,dk)pk=(\mathbf{A},\mathbf{t},ek),\ sk=(pk,\mathbf{s}_{1},\mathbf{s}_{2},dk)
Algorithm 10 𝖶𝖲𝗂𝗀𝗇𝗉𝗎𝖻(μ,sks,π)\mathsf{WSign}^{\mathsf{pub}}(\mu,sk_{s},\pi)wbsphack @@writeaux\newlabelalg:abs-wsignwcurrentlabel1wesphack
1:π={pks,pkv}\pi=\{pk_{s},pk_{v}\}
2:repeat\triangleright simulate verifier branch from the accepted distribution
3:  cv$𝒞;𝐳v$Sl;wv=𝖧𝖡(𝐀𝐳vcv𝐭v)c_{v}\xleftarrow{\mathdollar}\mathcal{C};\ \mathbf{z}_{v}\xleftarrow{\mathdollar}S^{l};\ w_{v}=\mathsf{HB}(\mathbf{A}\mathbf{z}_{v}-c_{v}\mathbf{t}_{v})
4:until the low-order recoverability test on 𝐀𝐳vcv𝐭v\mathbf{A}\mathbf{z}_{v}-c_{v}\mathbf{t}_{v} holds
5:repeat
6:  𝐲$Sl;ws=𝖧𝖡(𝐀𝐲)\mathbf{y}\xleftarrow{\mathdollar}S^{l};\ w_{s}=\mathsf{HB}(\mathbf{A}\mathbf{y})
7:  g=HM(μ,ws,wv,π);cs=ι((gι1(cv))modM)g=H_{M}(\mu,w_{s},w_{v},\pi);\ c_{s}=\iota\big((g-\iota^{-1}(c_{v}))\bmod M\big)
8:  𝐳s=𝐲+cs𝐬1\mathbf{z}_{s}=\mathbf{y}+c_{s}\mathbf{s}_{1} \triangleright sks=(pks,𝐬1,𝐬2,dks)sk_{s}=(pk_{s},\mathbf{s}_{1},\mathbf{s}_{2},dk_{s})
9:until 𝐳sSl\mathbf{z}_{s}\in S^{l} and the recoverability bound holds
10:return σ=(cs,cv,𝐳s,𝐳v)\sigma=(c_{s},c_{v},\mathbf{z}_{s},\mathbf{z}_{v})
Algorithm 11 𝖶𝖲𝖵𝖾𝗋𝗂𝖿𝗒𝗉𝗎𝖻(μ,π,σ)\mathsf{WSVerify}^{\mathsf{pub}}(\mu,\pi,\sigma)wbsphack @@writeaux\newlabelalg:abs-wsverifywcurrentlabel1wesphack
1:σ=(cs,cv,𝐳s,𝐳v)\sigma=(c_{s},c_{v},\mathbf{z}_{s},\mathbf{z}_{v})
2:ws=𝖧𝖡(𝐀𝐳scs𝐭s);wv=𝖧𝖡(𝐀𝐳vcv𝐭v)w_{s}^{\prime}=\mathsf{HB}(\mathbf{A}\mathbf{z}_{s}-c_{s}\mathbf{t}_{s});\ w_{v}^{\prime}=\mathsf{HB}(\mathbf{A}\mathbf{z}_{v}-c_{v}\mathbf{t}_{v})
3:g=HM(μ,ws,wv,π)g=H_{M}(\mu,w_{s}^{\prime},w_{v}^{\prime},\pi)
4:if (ι1(cs)+ι1(cv)g(modM))(𝐳s,𝐳vSl)(\iota^{-1}(c_{s})+\iota^{-1}(c_{v})\equiv g\!\!\pmod{M})\wedge(\mathbf{z}_{s},\mathbf{z}_{v}\in S^{l}) then return 11
5:end if
Algorithm 12 𝖢𝗈𝗇𝖿𝗂𝗋𝗆𝗉𝗎𝖻(μ,sks,π,σ)\mathsf{Confirm}^{\mathsf{pub}}(\mu,sk_{s},\pi,\sigma)wbsphack @@writeaux\newlabelalg:abs-confirmwcurrentlabel1wesphack
1:return σ~𝖲𝗂𝗀𝗇sks(μπσ)\tilde{\sigma}\leftarrow\mathsf{Sign}_{sk_{s}}(\mu\,\|\,\pi\,\|\,\sigma)
Algorithm 13 𝖢𝖵𝖾𝗋𝗂𝖿𝗒𝗉𝗎𝖻(μ,π,σ,σ~)\mathsf{CVerify}^{\mathsf{pub}}(\mu,\pi,\sigma,\tilde{\sigma})wbsphack @@writeaux\newlabelalg:abs-cverifywcurrentlabel1wesphack
1:if 𝖶𝖲𝖵𝖾𝗋𝗂𝖿𝗒𝗉𝗎𝖻(μ,π,σ)=1𝖵𝖾𝗋𝗂𝖿𝗒pks(μπσ,σ~)=1\mathsf{WSVerify}^{\mathsf{pub}}(\mu,\pi,\sigma)=1\ \wedge\ \mathsf{Verify}_{pk_{s}}(\mu\,\|\,\pi\,\|\,\sigma,\ \tilde{\sigma})=1 then return 11
2:end if

The proofs for Theorem LABEL:thm:unforge and Theorem LABEL:thm:withdraw below closely follow the structure of their analogous Theorems 12 and 13 in [liu2023]. The fundamental arguments remain valid when adapting the security assumptions to our context, with the primary distinction being the underlying signature scheme.

Assumption 1 (Commitment min-entropy).

wbsphack @@writeaux\newlabelass:entropywcurrentlabel1wesphack The commitment pair (ws,wv)(w_{s},w_{v}) produced by an accepted run of 𝖶𝖲𝗂𝗀𝗇\mathsf{WSign} has min-entropy at least α\alpha; for the concrete Dilithium parameter sets α1024\alpha\geq 1024 (and α1397\alpha\geq 1397 at level 2), so 2α210242^{-\alpha}\leq 2^{-1024}.

Remark 3.2 (Heuristic support for Assumption LABEL:ass:entropy).

Let ws[1]=𝐚1𝐲w_{s}[1]=\mathbf{a}_{1}\!\cdot\!\mathbf{y} be one output coordinate (𝐚1Rql\mathbf{a}_{1}\in R_{q}^{\,l} the first row of 𝐀\mathbf{A}). The input min-entropy H(𝐲)=lnlog2(2γ1)H_{\infty}(\mathbf{y})=l\,n\log_{2}(2\gamma_{1}) exceeds log2|Rq|=nlog2q\log_{2}|R_{q}|=n\log_{2}q by 12544\geq 12544 (level 2), 1971219712 (level 3), 2995229952 (level 5) bits, so under the module regularity of the SIS map (𝐚1,𝐚1𝐲)(\mathbf{a}_{1},\mathbf{a}_{1}\!\cdot\!\mathbf{y}) is statistically close to (𝐚1,𝒰(Rq))(\mathbf{a}_{1},\mathcal{U}(R_{q})), and 𝖧𝗂𝗀𝗁𝖡𝗂𝗍𝗌(ws[1],2γ2)\mathsf{HighBits}(w_{s}[1],2\gamma_{2}) has min-entropy nlog2((q1)/2γ2)1024\approx n\log_{2}((q-1)/2\gamma_{2})\geq 1024. Conditioning on the constant-probability rejection event lowers this by O(1)O(1) bits. A fully rigorous bound needs a regularity lemma over RqR_{q} with exact conditions for a completely split qq and the rejection-conditioned law of 𝐲\mathbf{y}; we therefore record the value as Assumption LABEL:ass:entropy.

Lemma 3.3 (Witness-free simulatability / naHVZK).

wbsphack @@writeaux\newlabellem:zkwcurrentlabel1wesphack There is a PPT algorithm 𝖲𝗂𝗆(μ,π)\mathsf{Sim}(\mu,\pi), taking no secret key and fixing HMH_{M} at a single point, such that for all honestly generated π={pks,pkv}\pi=\{pk_{s},pk_{v}\} and all μ\mu, the output of 𝖲𝗂𝗆(μ,π)\mathsf{Sim}(\mu,\pi) together with its induced HMH_{M}-entry is within statistical distance εzk\varepsilon_{\mathrm{zk}} of a genuine pair (𝖶𝖲𝗂𝗀𝗇(μ,sks,π),HM-entry)(\mathsf{WSign}(\mu,sk_{s},\pi),H_{M}\text{-entry}), conditioned on the programmed point being fresh. Concretely 𝖲𝗂𝗆\mathsf{Sim} repeatedly samples cs,cv$𝒞c_{s},c_{v}\xleftarrow{\mathdollar}\mathcal{C} and 𝐳s,𝐳v$Sγ1β1l\mathbf{z}_{s},\mathbf{z}_{v}\xleftarrow{\mathdollar}S_{\gamma_{1}-\beta-1}^{l} until both 𝖫𝗈𝗐𝖡𝗂𝗍𝗌(𝐀𝐳scs𝐭s,2γ2)<γ2β\lVert\mathsf{LowBits}(\mathbf{A}\mathbf{z}_{s}-c_{s}\mathbf{t}_{s},2\gamma_{2})\rVert_{\infty}<\gamma_{2}-\beta and 𝖫𝗈𝗐𝖡𝗂𝗍𝗌(𝐀𝐳vcv𝐭v,2γ2)<γ2β\lVert\mathsf{LowBits}(\mathbf{A}\mathbf{z}_{v}-c_{v}\mathbf{t}_{v},2\gamma_{2})\rVert_{\infty}<\gamma_{2}-\beta (the same low-order test as 𝖶𝖲𝗂𝗀𝗇\mathsf{WSign}); it then sets ws=𝖧𝗂𝗀𝗁𝖡𝗂𝗍𝗌(𝐀𝐳scs𝐭s,2γ2)w_{s}=\mathsf{HighBits}(\mathbf{A}\mathbf{z}_{s}-c_{s}\mathbf{t}_{s},2\gamma_{2}), wv=𝖧𝗂𝗀𝗁𝖡𝗂𝗍𝗌(𝐀𝐳vcv𝐭v,2γ2)w_{v}=\mathsf{HighBits}(\mathbf{A}\mathbf{z}_{v}-c_{v}\mathbf{t}_{v},2\gamma_{2}), programs HM(μ,ws,wv,π):=(ι1(cs)+ι1(cv))modMH_{M}(\mu,w_{s},w_{v},\pi):=(\iota^{-1}(c_{s})+\iota^{-1}(c_{v}))\bmod M, and returns (cs,cv,𝐳s,𝐳v)(c_{s},c_{v},\mathbf{z}_{s},\mathbf{z}_{v}).

Proof 3.4.

The verifier branch is produced by exactly this simulation already in 𝖶𝖲𝗂𝗀𝗇\mathsf{WSign}, so it is identical in both distributions. The signer branch is one FS-with-aborts transcript; by the non-abort honest-verifier zero-knowledge of the base scheme its accepted output (cs,𝐳s)(c_{s},\mathbf{z}_{s}) is within statistical distance εzk\varepsilon_{\mathrm{zk}} of (cs$𝒞,𝐳sshort,ws=𝖧𝗂𝗀𝗁𝖡𝗂𝗍𝗌(𝐀𝐳scs𝐭s,2γ2))(c_{s}\xleftarrow{\mathdollar}\mathcal{C},\ \mathbf{z}_{s}\ \text{short},\ w_{s}=\mathsf{HighBits}(\mathbf{A}\mathbf{z}_{s}-c_{s}\mathbf{t}_{s},2\gamma_{2})). Finally the law of (cs,cv,g)(c_{s},c_{v},g) agrees: in the real scheme cvc_{v} and g=HM()g=H_{M}(\cdots) are uniform and independent and cs=ι((gι1(cv))modM)c_{s}=\iota((g-\iota^{-1}(c_{v}))\bmod M); in 𝖲𝗂𝗆\mathsf{Sim} both cs,cvc_{s},c_{v} are uniform and gg is set to ι1(cs)+ι1(cv)\iota^{-1}(c_{s})+\iota^{-1}(c_{v}). Both yield (cs,cv)𝒰(𝒞)2(c_{s},c_{v})\sim\mathcal{U}(\mathcal{C})^{2} with gg determined by the constraint.

Theorem 3.5.

wbsphack @@writeaux\newlabelthm:unforgewcurrentlabel1wesphack If the underlying signature scheme 𝖲𝗂𝗀𝗇\mathsf{Sign} is EUF-CMA secure, then the publicly-verifiable core of Algorithms LABEL:alg:abs-keygenLABEL:alg:abs-cverify is unforgeable under insider corruption in the (Q)ROM (the full designated scheme of Section LABEL:sec:sdvs inherits this via Proposition LABEL:prop:sdvs). For any adversary 𝒜\mathcal{A} making qWq_{W} signing, qCq_{C} confirmation and qHMq_{H_{M}} random-oracle queries, there is an adversary \mathcal{B} such that, in the random-oracle model,

𝖠𝖽𝗏WSEUF-CMA-ic(𝒜)𝖠𝖽𝗏𝖲𝗂𝗀𝗇EUF-CMA()+qWεzk+qW(qHM+qW)2α,\mathsf{Adv}^{\mathrm{EUF\text{-}CMA\text{-}ic}}_{WS}(\mathcal{A})\ \leq\ \mathsf{Adv}^{\mathrm{EUF\text{-}CMA}}_{\mathsf{Sign}}(\mathcal{B})\ +\ q_{W}\,\varepsilon_{\mathrm{zk}}\ +\ \frac{q_{W}(q_{H_{M}}+q_{W})}{2^{\alpha}},

where εzk\varepsilon_{\mathrm{zk}} is the per-proof simulation error of Lemma LABEL:lem:zk and α\alpha the commitment min-entropy (Assumption LABEL:ass:entropy). The last term is the random-oracle programming loss; in the quantum random-oracle model it is replaced by the adaptive-reprogramming term of Remark LABEL:rem:qrom. The reduction incurs no multiplicative qHq_{H} factor.

Remark 3.6.

Algorithms LABEL:alg:abs-keygenLABEL:alg:abs-cverify form the publicly-verifiable core: Theorem LABEL:thm:withdraw establishes its origin ambiguity and Theorem LABEL:thm:unforge the unforgeability of its confirmation. The designated withdrawable signature of Definition LABEL:def:ws is the strong designated-verifier scheme of Section LABEL:sec:sdvs, which wraps this core and inherits both properties (Proposition LABEL:prop:sdvs).

Proof 3.7.

We use a short sequence of games; Pr[𝖦i]\Pr[\mathsf{G}_{i}] is the probability that game 𝖦i\mathsf{G}_{i} outputs 11. Throughout, HMH_{M} (the OR-proof challenge oracle) is domain-separated from the random oracle of the underlying scheme DSDS of Definition LABEL:def:ds-euf; recall 𝖢𝗈𝗇𝖿𝗂𝗋𝗆(μ,sks,π,σ)=𝖲𝗂𝗀𝗇sks(μπσ)\mathsf{Confirm}(\mu,sk_{s},\pi,\sigma)=\mathsf{Sign}_{sk_{s}}(\mu\|\pi\|\sigma) and 𝖢𝖵𝖾𝗋𝗂𝖿𝗒(μ,π,σ,σ~)=1\mathsf{CVerify}(\mu,\pi,\sigma,\tilde{\sigma})=1 iff 𝖶𝖲𝖵𝖾𝗋𝗂𝖿𝗒𝗉𝗎𝖻(μ,π,σ)=1\mathsf{WSVerify}^{\mathsf{pub}}(\mu,\pi,\sigma)=1 and 𝖵𝖾𝗋𝗂𝖿𝗒pks(μπσ,σ~)=1\mathsf{Verify}_{pk_{s}}(\mu\|\pi\|\sigma,\tilde{\sigma})=1, with \langle\cdot\rangle an injective encoding.

Game 𝖦0\mathsf{G}_{0}. The experiment 𝖤𝗑𝗉WS,𝒜EUF-CMA-ic(1κ)\mathsf{Exp}^{\mathrm{EUF\text{-}CMA\text{-}ic}}_{WS,\mathcal{A}}(1^{\kappa}) of Definition LABEL:def:euf (Algorithm LABEL:alg:euf-exp). Thus Pr[𝖦0]=𝖠𝖽𝗏WSEUF-CMA-ic(𝒜)\Pr[\mathsf{G}_{0}]=\mathsf{Adv}^{\mathrm{EUF\text{-}CMA\text{-}ic}}_{WS}(\mathcal{A}).

Game 𝖦1\mathsf{G}_{1}. As 𝖦0\mathsf{G}_{0}, but 𝒪𝖶𝖲𝗂𝗀𝗇\mathcal{O}^{\mathsf{WSign}} is answered by 𝖲𝗂𝗆(μ,π)\mathsf{Sim}(\mu,\pi) of Lemma LABEL:lem:zk, programming the one induced HMH_{M}-entry; if that entry is already defined the game raises 𝖻𝖺𝖽\mathsf{bad} and aborts. By a hybrid over the qWq_{W} signing queries, each replacement changes 𝒜\mathcal{A}’s view by at most εzk\varepsilon_{\mathrm{zk}} (Lemma LABEL:lem:zk) unless the programmed point (μ,ws,wv,π)(\mu,w_{s},w_{v},\pi) already occurs in the HMH_{M}-table; at that moment the table has at most qHM+qWq_{H_{M}}+q_{W} entries and, by Definition LABEL:ass:entropy, (ws,wv)(w_{s},w_{v}) is unpredictable with min-entropy α\geq\alpha, so a collision occurs with probability at most (qHM+qW)/2α(q_{H_{M}}+q_{W})/2^{\alpha}. Hence

|Pr[𝖦0]Pr[𝖦1]|qWεzk+qW(qHM+qW)2α.\big|\Pr[\mathsf{G}_{0}]-\Pr[\mathsf{G}_{1}]\big|\leq q_{W}\,\varepsilon_{\mathrm{zk}}+\frac{q_{W}(q_{H_{M}}+q_{W})}{2^{\alpha}}.

In 𝖦1\mathsf{G}_{1} the signer key skssk_{s} is used only inside 𝒪𝖢𝗈𝗇𝖿𝗂𝗋𝗆\mathcal{O}^{\mathsf{Confirm}}, via 𝖲𝗂𝗀𝗇sks(μ,π,σ)\mathsf{Sign}_{sk_{s}}(\langle\mu,\pi,\sigma\rangle): 𝒪𝖢𝗈𝗋𝗋𝗎𝗉𝗍\mathcal{O}^{\mathsf{Corrupt}} never returns skssk_{s}; 𝒪𝖶𝖲𝗂𝗀𝗇\mathcal{O}^{\mathsf{WSign}} now runs 𝖲𝗂𝗆\mathsf{Sim} (no secret key); the oracles H,HMH,H_{M} are key-independent; and the keys of parties isi\neq s are independent of skssk_{s}.

We build \mathcal{B} against the EUF-CMA\mathrm{EUF\text{-}CMA}-security of DSDS (Definition LABEL:def:ds-euf). \mathcal{B} gets a challenge key pkpk^{\ast}, a signing oracle 𝖲𝗂𝗀𝗇sk()\mathsf{Sign}_{sk^{\ast}}(\cdot) and access to DSDS’s random oracle HH. It generates a fresh encryption key pair (eks,dks)𝖪𝖦𝖾𝗇e(1κ)(ek_{s},dk_{s})\leftarrow\mathsf{KGen}_{e}(1^{\kappa}) itself and sets pks:=(pk,eks)pk_{s}:=(pk^{\ast},ek_{s}), so that 𝖵𝖾𝗋𝗂𝖿𝗒pks\mathsf{Verify}_{pk_{s}} parses and uses only the signing component pkpk^{\ast} while eksek_{s} enters π\pi exactly as in an honest key; it never uses dksdk_{s}. It runs (pki,ski)𝖪𝖾𝗒𝖦𝖾𝗇(pp)(pk_{i},sk_{i})\leftarrow\mathsf{KeyGen}(pp) for all isi\neq s (so it holds skvsk_{v}), sets π:={pks,pkv}\pi:=\{pk_{s},pk_{v}\}, and runs 𝒜\mathcal{A}, answering: 𝒪𝖢𝗈𝗋𝗋𝗎𝗉𝗍(i)\mathcal{O}^{\mathsf{Corrupt}}(i) by \bot if i=si=s and by skisk_{i} otherwise (in particular it can deliver skvsk_{v}); HMH_{M} by lazy sampling consistent with programming; HH by relaying to its own oracle (it never programs HH); 𝒪𝖶𝖲𝗂𝗀𝗇(μ)\mathcal{O}^{\mathsf{WSign}}(\mu) by 𝖲𝗂𝗆(μ,π)\mathsf{Sim}(\mu,\pi) (aborting on 𝖻𝖺𝖽\mathsf{bad}); and 𝒪𝖢𝗈𝗇𝖿𝗂𝗋𝗆(μ,σ)\mathcal{O}^{\mathsf{Confirm}}(\mu,\sigma), for (μ,σ)W(\mu,\sigma)\in W, by setting MM{μ}M\leftarrow M\cup\{\mu\} and returning σ~𝖲𝗂𝗀𝗇sk(μ,π,σ)\tilde{\sigma}\leftarrow\mathsf{Sign}_{sk^{\ast}}(\langle\mu,\pi,\sigma\rangle). This is a perfect emulation of 𝖦1\mathsf{G}_{1}. When 𝒜\mathcal{A} outputs (μ,σ,σ~)(\mu^{\ast},\sigma^{\ast},\tilde{\sigma}^{\ast}), \mathcal{B} outputs (μ,π,σ,σ~)(\langle\mu^{\ast},\pi,\sigma^{\ast}\rangle,\tilde{\sigma}^{\ast}).

If 𝒜\mathcal{A} wins 𝖦1\mathsf{G}_{1} then 𝖢𝖵𝖾𝗋𝗂𝖿𝗒(μ,π,σ,σ~)=1\mathsf{CVerify}(\mu^{\ast},\pi,\sigma^{\ast},\tilde{\sigma}^{\ast})=1, hence 𝖵𝖾𝗋𝗂𝖿𝗒pk(μ,π,σ,σ~)=1\mathsf{Verify}_{pk^{\ast}}(\langle\mu^{\ast},\pi,\sigma^{\ast}\rangle,\tilde{\sigma}^{\ast})=1. The only messages \mathcal{B} sent to its signing oracle are μj,π,σj\langle\mu_{j},\pi,\sigma_{j}\rangle for the confirmation queries jj, each of which placed μj\mu_{j} into MM. Since μM\mu^{\ast}\notin M, we have μμj\mu^{\ast}\neq\mu_{j} for all jj, so by injectivity of \langle\cdot\rangle the forgery message μ,π,σ\langle\mu^{\ast},\pi,\sigma^{\ast}\rangle is new. Thus \mathcal{B} wins, giving Pr[𝖦1]𝖠𝖽𝗏DSEUF-CMA()\Pr[\mathsf{G}_{1}]\leq\mathsf{Adv}^{\mathrm{EUF\text{-}CMA}}_{DS}(\mathcal{B}); \mathcal{B} makes at most qCq_{C} signing queries. Combining,

𝖠𝖽𝗏WSEUF-CMA-ic(𝒜)𝖠𝖽𝗏DSEUF-CMA()+qWεzk+qW(qHM+qW)2α.\mathsf{Adv}^{\mathrm{EUF\text{-}CMA\text{-}ic}}_{WS}(\mathcal{A})\leq\mathsf{Adv}^{\mathrm{EUF\text{-}CMA}}_{DS}(\mathcal{B})+q_{W}\,\varepsilon_{\mathrm{zk}}+\frac{q_{W}(q_{H_{M}}+q_{W})}{2^{\alpha}}.

The reduction never rewinds 𝒜\mathcal{A} and never extracts from the OR-proof (only its simulatability is used), so there is no multiplicative qHq_{H} loss. Insider corruption is captured: \mathcal{B} holds skvsk_{v} and may hand it to 𝒜\mathcal{A}, yet confirmation still needs sks=sksk_{s}=sk^{\ast}, which \mathcal{B} never knows.

Remark 3.8 (QROM).

wbsphack @@writeaux\newlabelrem:qromwcurrentlabel1wesphack In the QROM the only changes are: (i) the simulation of 𝒪𝖶𝖲𝗂𝗀𝗇\mathcal{O}^{\mathsf{WSign}} programs HMH_{M} at an adaptively chosen, high-min-entropy point under superposition queries, which is handled by the adaptive reprogramming lemma of Grilo–Hövelmanns–Hülsing–Majenz [grilo2021], turning the term qW(qHM+qW)/2αq_{W}(q_{H_{M}}+q_{W})/2^{\alpha} into 32qW(qHM+qW+1)/2α\tfrac{3}{2}q_{W}\sqrt{(q_{H_{M}}+q_{W}+1)/2^{\alpha}}; and (ii) Definition LABEL:def:ds-euf is taken in the QROM, which for Dilithium follows from SelfTargetMSIS\mathrm{SelfTargetMSIS} and MSIS\mathrm{MSIS} [ducas2017, kiltz2018]. The reduction \mathcal{B} is unchanged, as it relays HH to the (quantum) DSDS challenger and never programs it.

Theorem 3.9.

wbsphack @@writeaux\newlabelthm:withdrawwcurrentlabel1wesphack The scheme of Algorithms LABEL:alg:abs-keygenLABEL:alg:abs-cverify is withdrawable. For any computationally unbounded adversary 𝒜\mathcal{A} making at most qWq_{W} signing and qHMq_{H_{M}} random-oracle queries,

𝖠𝖽𝗏WSWithdraw(𝒜):=Pr[𝖤𝗑𝗉WS,𝒜Withdraw(1κ)=1]12+(qW+1)εzk+(qW+1)(qHM+qW+1)2α,\mathsf{Adv}^{\mathrm{Withdraw}}_{WS}(\mathcal{A}):=\Pr\!\big[\mathsf{Exp}^{\mathrm{Withdraw}}_{WS,\mathcal{A}}(1^{\kappa})=1\big]\ \leq\ \tfrac{1}{2}+(q_{W}{+}1)\,\varepsilon_{\mathrm{zk}}+\frac{(q_{W}{+}1)(q_{H_{M}}{+}q_{W}{+}1)}{2^{\alpha}},

where qWq_{W} is the number of signing-oracle queries, qHMq_{H_{M}} the number of queries to HMH_{M}, and εzk,α\varepsilon_{\mathrm{zk}},\alpha are as in Lemma LABEL:lem:zk and Definition LABEL:ass:entropy. The bound is statistical, so it holds against computationally unbounded adversaries making at most qHMq_{H_{M}} random-oracle queries (assuming both key pairs are generated honestly by the experiment, as in Definition LABEL:def:withdraw). If instead pkvpk_{v} may be chosen by 𝒜\mathcal{A}, the bound gains an additive 𝖠𝖽𝗏MLWE\mathsf{Adv}^{\mathrm{MLWE}} term (Definition LABEL:def:mlwe), see Remark LABEL:rem:wd.

Proof 3.10.

We bound Pr[𝖤𝗑𝗉WS,𝒜Withdraw(1κ)=1]\Pr[\mathsf{Exp}^{\mathrm{Withdraw}}_{WS,\mathcal{A}}(1^{\kappa})=1] of Definition LABEL:def:withdraw (Algorithm LABEL:alg:withdraw-exp). The experiment generates both key pairs honestly, sets π={pk0,pk1}\pi=\{pk_{0},pk_{1}\}, draws b${0,1}b\xleftarrow{\mathdollar}\{0,1\}, and gives 𝒜\mathcal{A} the challenge σb=𝖶𝖲𝗂𝗀𝗇(μ,skb,π)\sigma_{b}=\mathsf{WSign}(\mu^{*},sk_{b},\pi) together with the signing oracle 𝒪skb,π𝖶𝖲𝗂𝗀𝗇\mathcal{O}^{\mathsf{WSign}}_{sk_{b},\pi} of Algorithm LABEL:alg:withdraw-oracle; finally 𝒜\mathcal{A} outputs a guess bb^{\prime} and wins iff b=bb^{\prime}=b. Let 𝖲𝗂𝗆(μ,π)\mathsf{Sim}(\mu,\pi) be the witness-free simulator of Lemma LABEL:lem:zk; crucially 𝖲𝗂𝗆\mathsf{Sim} depends only on the set π\pi (it simulates both branches), not on which party is the prover.

The whole view of 𝒜\mathcal{A} consists of N:=qW+1N:=q_{W}+1 withdrawable signatures, all produced under the witness skbsk_{b} (the challenge and the qWq_{W} oracle replies), plus 𝒜\mathcal{A}’s qHMq_{H_{M}} queries to HMH_{M}.

Game 𝖲\mathsf{S} (witness-free). Modify the experiment so that each of these NN signatures is produced by 𝖲𝗂𝗆(,π)\mathsf{Sim}(\cdot,\pi), programming the single induced HMH_{M}-entry (and aborting on a clash). Since 𝖲𝗂𝗆\mathsf{Sim} uses neither sk0sk_{0} nor sk1sk_{1}, the entire experiment 𝖲\mathsf{S} – and hence the joint distribution of 𝒜\mathcal{A}’s view and output bb^{\prime} – is independent of bb. Writing p𝖲:=Pr[b=1𝖲]p_{\mathsf{S}}:=\Pr[b^{\prime}=1\mid\mathsf{S}], independence gives Pr[b=b𝖲]=12((1p𝖲)+p𝖲)=12\Pr[b^{\prime}=b\mid\mathsf{S}]=\tfrac{1}{2}\big((1-p_{\mathsf{S}})+p_{\mathsf{S}}\big)=\tfrac{1}{2}.

For b{0,1}b\in\{0,1\} let GbG_{b} be the real experiment conditioned on that bit, and pb:=Pr[b=1Gb]p_{b}:=\Pr[b^{\prime}=1\mid G_{b}]. We pass from GbG_{b} to 𝖲\mathsf{S} by replacing the NN signatures one at a time. Each step turns one 𝖶𝖲𝗂𝗀𝗇(,skb,π)\mathsf{WSign}(\cdot,sk_{b},\pi) into one 𝖲𝗂𝗆(,π)\mathsf{Sim}(\cdot,\pi); by Lemma LABEL:lem:zk, applied with party bb as the real prover (valid because pkbpk_{b} is honest, so skbsk_{b} is a genuine witness), the two are within statistical distance εzk\varepsilon_{\mathrm{zk}}, provided the programmed point (μ,ws,wv,π)(\mu,w_{s},w_{v},\pi) is fresh. By Definition LABEL:ass:entropy the commitment pair has min-entropy α\geq\alpha, so at any step the freshness fails with probability at most (qHM+N)/2α(q_{H_{M}}+N)/2^{\alpha} (the HMH_{M}-table holds at most qHM+Nq_{H_{M}}+N points). Summing over the NN hybrids,

|pbp𝖲|δ:=Nεzk+N(qHM+N)2α,b{0,1}.\big|p_{b}-p_{\mathsf{S}}\big|\ \leq\ \delta:=N\varepsilon_{\mathrm{zk}}+\frac{N(q_{H_{M}}+N)}{2^{\alpha}},\qquad b\in\{0,1\}.

Using Pr[b=0G0]=1p0\Pr[b^{\prime}=0\mid G_{0}]=1-p_{0},

Pr[𝖤𝗑𝗉WS,𝒜Withdraw=1]=12(Pr[b=0G0]+Pr[b=1G1])=12+12(p1p0).\Pr[\mathsf{Exp}^{\mathrm{Withdraw}}_{WS,\mathcal{A}}=1]=\tfrac{1}{2}\big(\Pr[b^{\prime}=0\mid G_{0}]+\Pr[b^{\prime}=1\mid G_{1}]\big)=\tfrac{1}{2}+\tfrac{1}{2}\,(p_{1}-p_{0}).

By the triangle inequality |p1p0||p1p𝖲|+|p𝖲p0|2δ|p_{1}-p_{0}|\leq|p_{1}-p_{\mathsf{S}}|+|p_{\mathsf{S}}-p_{0}|\leq 2\delta, hence

Pr[𝖤𝗑𝗉WS,𝒜Withdraw=1]12+δ=12+(qW+1)εzk+(qW+1)(qHM+qW+1)2α.\Pr[\mathsf{Exp}^{\mathrm{Withdraw}}_{WS,\mathcal{A}}=1]\ \leq\ \tfrac{1}{2}+\delta=\tfrac{1}{2}+(q_{W}+1)\varepsilon_{\mathrm{zk}}+\frac{(q_{W}+1)(q_{H_{M}}+q_{W}+1)}{2^{\alpha}}.

Every step is information-theoretic, so the bound holds against computationally unbounded adversaries that make at most qHMq_{H_{M}} random-oracle queries.

Remark 3.11 (Theorem LABEL:thm:withdraw in the QROM).

wbsphack @@writeaux\newlabelrem:qrom-wdwcurrentlabel1wesphack Theorem LABEL:thm:withdraw is stated in the classical ROM. Its only use of the random oracle is the witness-free simulation of 𝖶𝖲𝗂𝗀𝗇\mathsf{WSign}, which programs HMH_{M} at the adaptively chosen, high- min-entropy point (μ,ws,wv,π)(\mu,w_{s},w_{v},\pi) (Assumption LABEL:ass:entropy). In the QROM the adaptive-reprogramming lemma of Grilo–Hövelmanns–Hülsing–Majenz [grilo2021] applies exactly as in Remark LABEL:rem:qrom, replacing the classical freshness term (qW+1)(qHM+qW+1)2α\tfrac{(q_{W}{+}1)(q_{H_{M}}{+}q_{W}{+}1)}{2^{\alpha}} by 32(qW+1)(qHM+qW+1)/2α\tfrac{3}{2}(q_{W}{+}1)\sqrt{(q_{H_{M}}{+}q_{W}{+}1)/2^{\alpha}}; the statistical, information-theoretic core of the argument is unchanged. For the no-hint instantiation the two real signing distributions are identical (Lemma LABEL:lem:perfectzk), so the dkvdk_{v}/skvsk_{v} bound of Proposition LABEL:prop:sdvs is exact in both models and incurs no reprogramming term.

Remark 3.12 (Adversarial pkvpk_{v}; strong-DV variant).

wbsphack @@writeaux\newlabelrem:wdwcurrentlabel1wesphack Definition LABEL:def:withdraw generates both keys honestly, so the proof is statistical. In the stronger model where 𝒜\mathcal{A} chooses pkvpk_{v}, 𝖲𝗂𝗆\mathsf{Sim} still simulates for any pkvpk_{v}, but the two real provers require both statements to admit short witnesses; bridging an honestly generated pkvpk_{v} to an adversarial one costs one decisional-MLWE step (Definition LABEL:def:mlwe), adding 𝖠𝖽𝗏MLWE\mathsf{Adv}^{\mathrm{MLWE}} to the bound. For the strong designated-verifier scheme of Section LABEL:sec:sdvs, the same hybrid first replaces every signature by a simulated one and then replaces the two ciphertexts and the one-time pad by uniform strings; this yields Pr[𝖤𝗑𝗉Withdraw=1]12+(qW+1)εzk+qW(2𝖠𝖽𝗏𝖯𝖪𝖤pr+𝖠𝖽𝗏Gprg)+(qW+1)(qHM+qW+1)2α\Pr[\mathsf{Exp}^{\mathrm{Withdraw}}=1]\leq\tfrac{1}{2}+(q_{W}{+}1)\varepsilon_{\mathrm{zk}}+q_{W}\big(2\,\mathsf{Adv}^{\mathrm{pr}}_{\mathsf{PKE}}+\mathsf{Adv}^{\mathrm{prg}}_{G}\big)+\tfrac{(q_{W}{+}1)(q_{H_{M}}{+}q_{W}{+}1)}{2^{\alpha}}, i.e. withdrawability against third parties as in Proposition LABEL:prop:sdvs, now made quantitative; non-transferability against the designated verifier is exactly the statistical statement proved above.

3.2 An instantiation

wbsphack @@writeaux\newlabelsubsec:instantiationwcurrentlabel1wesphack The general construction of Section LABEL:sec:abstract for a withdrawable digital signature scheme whose underlying scheme is built using the Fiat–Shamir with aborts paradigm was proven to be unforgeable under insider corruption and withdrawable. As a direct application of this proposal, in this section we present a withdrawable signature scheme based on a no-hint, full-𝐭\mathbf{t} Dilithium-style Fiat–Shamir-with-aborts signature [ducas2017]; adapting to production ML-DSA (with hints, and a nonzero εzk\varepsilon_{\mathrm{zk}}) is discussed after Corollary LABEL:cor:concrete. The verification algorithm below is public; it serves as a building block (𝖶𝖲𝖵𝖾𝗋𝗂𝖿𝗒𝗉𝗎𝖻\mathsf{WSVerify}^{\mathsf{pub}}) that Section LABEL:sec:sdvs encrypts to the designated verifier to obtain the strong designated-verifier withdrawable signature of Definition LABEL:def:ws.

Algorithm 14 Dilithium signature [ducas2017]wbsphack @@writeaux\newlabelalg:dilithiumwcurrentlabel1wesphack
1:procedure KeyGen(1κ1^{\kappa})
2:  𝐀$Rqk×l,(𝐬1,𝐬2)$Sηl×Sηk\mathbf{A}\xleftarrow{\mathdollar}R_{q}^{k\times l},\ (\mathbf{s}_{1},\mathbf{s}_{2})\xleftarrow{\mathdollar}S_{\eta}^{l}\times S_{\eta}^{k}
3:  𝐭=𝐀𝐬1+𝐬2\mathbf{t}=\mathbf{A}\mathbf{s}_{1}+\mathbf{s}_{2}
4:  return (pk=(𝐀,𝐭),sk=(𝐀,𝐭,𝐬1,𝐬2))(pk=(\mathbf{A},\mathbf{t}),\ sk=(\mathbf{A},\mathbf{t},\mathbf{s}_{1},\mathbf{s}_{2}))
5:end procedure
6:procedure Sign(μ,sk\mu,sk)
7:  repeat
8:   𝐲$Sγ11l\mathbf{y}\xleftarrow{\mathdollar}S_{\gamma_{1}-1}^{l}
9:   𝐰=𝖧𝗂𝗀𝗁𝖡𝗂𝗍𝗌(𝐀𝐲,2γ2)\mathbf{w}=\mathsf{HighBits}(\mathbf{A}\mathbf{y},2\gamma_{2})
10:   c𝒞=H(μ,𝐰)c\in\mathcal{C}=H(\mu,\mathbf{w})
11:   𝐳=𝐲+c𝐬1\mathbf{z}=\mathbf{y}+c\mathbf{s}_{1}
12:  until (𝐳<γ1β)(𝖫𝗈𝗐𝖡𝗂𝗍𝗌(𝐀𝐲c𝐬2,2γ2)<γ2β)(\lVert\mathbf{z}\rVert_{\infty}<\gamma_{1}-\beta)\wedge(\lVert\mathsf{LowBits}(\mathbf{A}\mathbf{y}-c\mathbf{s}_{2},2\gamma_{2})\rVert_{\infty}<\gamma_{2}-\beta)
13:  return σ=(𝐳,c)\sigma=(\mathbf{z},c)
14:end procedure
15:procedure Verify(μ,pk,σ\mu,pk,\sigma)
16:  𝐰=𝖧𝗂𝗀𝗁𝖡𝗂𝗍𝗌(𝐀𝐳c𝐭,2γ2)\mathbf{w}^{\prime}=\mathsf{HighBits}(\mathbf{A}\mathbf{z}-c\mathbf{t},2\gamma_{2})
17:  if 𝐳<γ1β\lVert\mathbf{z}\rVert_{\infty}<\gamma_{1}-\beta and c=H(μ,𝐰)c=H(\mu,\mathbf{w}^{\prime}) then return 11
18:  end if
19:end procedure

Taking the above algorithm as starting point and following the general construction in Section LABEL:sec:abstract, it is straightforward to set a withdrawable digital signature based on Dilithium.

Since Dilithium relies on the hardness of MSIS, Theorem LABEL:thm:unforge applies to prove that the proposal below is unforgeable under insider corruption. Theorem LABEL:thm:withdraw then proves withdrawability of the honest-key public core statistically, under Assumption LABEL:ass:entropy and perfect naHVZK; the hardness of the decisional MLWE problem is used only for adversarially chosen verifier keys (Remark LABEL:rem:wd) and for the privacy of the encryption layer in Section LABEL:sec:sdvs.

Below follows the withdrawable signature based on Dilithium:

Algorithm 15 𝖪𝖾𝗒𝖦𝖾𝗇(pp)\mathsf{KeyGen}(pp)wbsphack @@writeaux\newlabelalg:dil-keygenwcurrentlabel1wesphack
1:parse 𝐀\mathbf{A} from pppp
2:(𝐬1,𝐬2)$Sηl×Sηk(\mathbf{s}_{1},\mathbf{s}_{2})\xleftarrow{\mathdollar}S_{\eta}^{l}\times S_{\eta}^{k}
3:𝐭=𝐀𝐬1+𝐬2\mathbf{t}=\mathbf{A}\mathbf{s}_{1}+\mathbf{s}_{2}
4:(ek,dk)𝖪𝖦𝖾𝗇e(1κ)(ek,dk)\leftarrow\mathsf{KGen}_{e}(1^{\kappa})
5:return pk=(𝐀,𝐭,ek),sk=(pk,𝐬1,𝐬2,dk)pk=(\mathbf{A},\mathbf{t},ek),\ sk=(pk,\mathbf{s}_{1},\mathbf{s}_{2},dk)
Algorithm 16 𝖶𝖲𝗂𝗀𝗇𝗉𝗎𝖻(μ,sks,π)\mathsf{WSign}^{\mathsf{pub}}(\mu,sk_{s},\pi)wbsphack @@writeaux\newlabelalg:dil-wsignwcurrentlabel1wesphack
1:π=(pks,pkv)\pi=(pk_{s},pk_{v})
2:repeat\triangleright simulate verifier branch from the accepted distribution
3:  cv$𝒞;𝐳v$Sγ1β1l;wv=𝖧𝗂𝗀𝗁𝖡𝗂𝗍𝗌(𝐀𝐳vcv𝐭v,2γ2)c_{v}\xleftarrow{\mathdollar}\mathcal{C};\ \mathbf{z}_{v}\xleftarrow{\mathdollar}S_{\gamma_{1}-\beta-1}^{l};\ w_{v}=\mathsf{HighBits}(\mathbf{A}\mathbf{z}_{v}-c_{v}\mathbf{t}_{v},2\gamma_{2})
4:until 𝖫𝗈𝗐𝖡𝗂𝗍𝗌(𝐀𝐳vcv𝐭v,2γ2)<γ2β\lVert\mathsf{LowBits}(\mathbf{A}\mathbf{z}_{v}-c_{v}\mathbf{t}_{v},2\gamma_{2})\rVert_{\infty}<\gamma_{2}-\beta
5:repeat
6:  𝐲$Sγ11l;ws=𝖧𝗂𝗀𝗁𝖡𝗂𝗍𝗌(𝐀𝐲,2γ2)\mathbf{y}\xleftarrow{\mathdollar}S_{\gamma_{1}-1}^{l};\ w_{s}=\mathsf{HighBits}(\mathbf{A}\mathbf{y},2\gamma_{2})
7:  g=HM(μ,ws,wv,π);cs=ι((gι1(cv))modM)g=H_{M}(\mu,w_{s},w_{v},\pi);\ c_{s}=\iota\big((g-\iota^{-1}(c_{v}))\bmod M\big)
8:  𝐳s=𝐲+cs𝐬1\mathbf{z}_{s}=\mathbf{y}+c_{s}\mathbf{s}_{1}^{\prime}
9:until (𝐳s<γ1β)(𝖫𝗈𝗐𝖡𝗂𝗍𝗌(𝐀𝐲cs𝐬2,2γ2)<γ2β)(\lVert\mathbf{z}_{s}\rVert_{\infty}<\gamma_{1}-\beta)\wedge(\lVert\mathsf{LowBits}(\mathbf{A}\mathbf{y}-c_{s}\mathbf{s}_{2}^{\prime},2\gamma_{2})\rVert_{\infty}<\gamma_{2}-\beta)
10:return σ=(cs,cv,𝐳s,𝐳v)\sigma=(c_{s},c_{v},\mathbf{z}_{s},\mathbf{z}_{v})

Throughout, the signer instance of a key pair is written sks=(pks,𝐬1,𝐬2,dks)sk_{s}=(pk_{s},\mathbf{s}_{1}^{\prime},\mathbf{s}_{2}^{\prime},dk_{s}) with pks=(𝐀,𝐭s,eks)pk_{s}=(\mathbf{A},\mathbf{t}_{s},ek_{s}), and the verifier instance skv=(pkv,𝐬1′′,𝐬2′′,dkv)sk_{v}=(pk_{v},\mathbf{s}_{1}^{\prime\prime},\mathbf{s}_{2}^{\prime\prime},dk_{v}); the primes are the per-party renaming of the generic (𝐬1,𝐬2)(\mathbf{s}_{1},\mathbf{s}_{2}) output by 𝖪𝖾𝗒𝖦𝖾𝗇(pp)\mathsf{KeyGen}(pp).

Remark 3.13.

wbsphack @@writeaux\newlabelrem:symwcurrentlabel1wesphack 𝖶𝖲𝗂𝗀𝗇𝗉𝗎𝖻\mathsf{WSign}^{\mathsf{pub}} is invoked by either party: the caller runs its own branch for real (with the rejection loop) and simulates the other from the accepted distribution above. A verifier signs by swapping the roles of ss and vv. Because both branches are now drawn from the accepted low-order distribution, the two invocations produce identically distributed σ\sigma (Lemma LABEL:lem:perfectzk, εzk=0\varepsilon_{\mathrm{zk}}=0), and the public predicates 𝖫𝗈𝗐𝖡𝗂𝗍𝗌(𝐀𝐳scs𝐭s,2γ2)<γ2β\lVert\mathsf{LowBits}(\mathbf{A}\mathbf{z}_{s}-c_{s}\mathbf{t}_{s},2\gamma_{2})\rVert_{\infty}<\gamma_{2}-\beta and 𝖫𝗈𝗐𝖡𝗂𝗍𝗌(𝐀𝐳vcv𝐭v,2γ2)<γ2β\lVert\mathsf{LowBits}(\mathbf{A}\mathbf{z}_{v}-c_{v}\mathbf{t}_{v},2\gamma_{2})\rVert_{\infty}<\gamma_{2}-\beta hold simultaneously, revealing nothing about the origin.

Algorithm 17 𝖶𝖲𝖵𝖾𝗋𝗂𝖿𝗒𝗉𝗎𝖻(μ,π,σ)\mathsf{WSVerify}^{\mathsf{pub}}(\mu,\pi,\sigma)wbsphack @@writeaux\newlabelalg:dil-wsverifywcurrentlabel1wesphack
1:σ=(cs,cv,𝐳s,𝐳v)\sigma=(c_{s},c_{v},\mathbf{z}_{s},\mathbf{z}_{v})
2:ws=𝖧𝗂𝗀𝗁𝖡𝗂𝗍𝗌(𝐀𝐳scs𝐭s,2γ2);wv=𝖧𝗂𝗀𝗁𝖡𝗂𝗍𝗌(𝐀𝐳vcv𝐭v,2γ2)w_{s}^{\prime}=\mathsf{HighBits}(\mathbf{A}\mathbf{z}_{s}-c_{s}\mathbf{t}_{s},2\gamma_{2});\ w_{v}^{\prime}=\mathsf{HighBits}(\mathbf{A}\mathbf{z}_{v}-c_{v}\mathbf{t}_{v},2\gamma_{2})
3:g=HM(μ,ws,wv,π)g=H_{M}(\mu,w_{s}^{\prime},w_{v}^{\prime},\pi)
4:if (ι1(cs)+ι1(cv)g(modM))(𝐳s<γ1β)(𝐳v<γ1β)(\iota^{-1}(c_{s})+\iota^{-1}(c_{v})\equiv g\!\!\pmod{M})\wedge(\lVert\mathbf{z}_{s}\rVert_{\infty}<\gamma_{1}-\beta)\wedge(\lVert\mathbf{z}_{v}\rVert_{\infty}<\gamma_{1}-\beta) then return 11
5:end if
Algorithm 18 𝖢𝗈𝗇𝖿𝗂𝗋𝗆𝗉𝗎𝖻(μ,sks,π,σ)\mathsf{Confirm}^{\mathsf{pub}}(\mu,sk_{s},\pi,\sigma)wbsphack @@writeaux\newlabelalg:dil-confirmwcurrentlabel1wesphack
1:return σ~𝖲𝗂𝗀𝗇sks(μπσ)\tilde{\sigma}\leftarrow\mathsf{Sign}_{sk_{s}}(\mu\,\|\,\pi\,\|\,\sigma) \triangleright ordinary Dilithium signature, Alg. LABEL:alg:dilithium
Algorithm 19 𝖢𝖵𝖾𝗋𝗂𝖿𝗒𝗉𝗎𝖻(μ,π,σ,σ~)\mathsf{CVerify}^{\mathsf{pub}}(\mu,\pi,\sigma,\tilde{\sigma})wbsphack @@writeaux\newlabelalg:dil-cverifywcurrentlabel1wesphack
1:σ=(cs,cv,𝐳s,𝐳v)\sigma=(c_{s},c_{v},\mathbf{z}_{s},\mathbf{z}_{v})
2:if 𝖶𝖲𝖵𝖾𝗋𝗂𝖿𝗒𝗉𝗎𝖻(μ,π,σ)=1𝖵𝖾𝗋𝗂𝖿𝗒pks(μπσ,σ~)=1\mathsf{WSVerify}^{\mathsf{pub}}(\mu,\pi,\sigma)=1\ \wedge\ \mathsf{Verify}_{pk_{s}}(\mu\,\|\,\pi\,\|\,\sigma,\ \tilde{\sigma})=1 then return 11
3:end if
Remark 3.14 (Correctness).

wbsphack @@writeaux\newlabelrem:rrwcurrentlabel1wesphack For the real branch, the rejection condition 𝖫𝗈𝗐𝖡𝗂𝗍𝗌(𝐀𝐲cs𝐬2,2γ2)<γ2β\lVert\mathsf{LowBits}(\mathbf{A}\mathbf{y}-c_{s}\mathbf{s}_{2}^{\prime},2\gamma_{2})\rVert_{\infty}<\gamma_{2}-\beta yields 𝖧𝗂𝗀𝗁𝖡𝗂𝗍𝗌(𝐀𝐳scs𝐭s,2γ2)=𝖧𝗂𝗀𝗁𝖡𝗂𝗍𝗌(𝐀𝐲,2γ2)=ws\mathsf{HighBits}(\mathbf{A}\mathbf{z}_{s}-c_{s}\mathbf{t}_{s},2\gamma_{2})=\mathsf{HighBits}(\mathbf{A}\mathbf{y},2\gamma_{2})=w_{s}; the simulated branch matches by construction; and ι1(cs)+ι1(cv)g\iota^{-1}(c_{s})+\iota^{-1}(c_{v})\equiv g by definition of csc_{s}. Hence 𝖶𝖲𝖵𝖾𝗋𝗂𝖿𝗒\mathsf{WSVerify} accepts honest signatures, and 𝖢𝖵𝖾𝗋𝗂𝖿𝗒\mathsf{CVerify} accepts by correctness of 𝖲𝗂𝗀𝗇\mathsf{Sign}. The quantity rr of the original construction is no longer used, so the former r=rr=r^{\prime} identity is unnecessary.

Instantiation of εzk\varepsilon_{\mathrm{zk}} and α\alpha.

Our scheme uses the no-hint identification scheme: verification recomputes w=𝖧𝗂𝗀𝗁𝖡𝗂𝗍𝗌(𝐀𝐳c𝐭,2γ2)w^{\prime}=\mathsf{HighBits}(\mathbf{A}\mathbf{z}-c\mathbf{t},2\gamma_{2}) from the full 𝐭\mathbf{t} (no 𝐭0/𝐭1\mathbf{t}_{0}/\mathbf{t}_{1} split, no hint). For this scheme the simulator of Lemma LABEL:lem:zk is perfect.

Lemma 3.15 (Perfect naHVZK).

wbsphack @@writeaux\newlabellem:perfectzkwcurrentlabel1wesphack Conditioned on the programmed HMH_{M}-point being fresh, the simulator 𝖲𝗂𝗆(μ,π)\mathsf{Sim}(\mu,\pi) of Lemma LABEL:lem:zk produces a transcript identically distributed to a genuine 𝖶𝖲𝗂𝗀𝗇(μ,sks,π)\mathsf{WSign}(\mu,sk_{s},\pi); that is, εzk=0\varepsilon_{\mathrm{zk}}=0.

Proof 3.16.

Fix the challenge cc (uniform in the real game as HMH_{M} is a random oracle, and uniform in the simulation by programming a fresh point). In 𝖶𝖲𝗂𝗀𝗇\mathsf{WSign}, 𝐲\mathbf{y} is uniform over Sγ11lS_{\gamma_{1}-1}^{l} and 𝐳=𝐲+c𝐬1\mathbf{z}=\mathbf{y}+c\mathbf{s}_{1}^{\prime}; conditioned on 𝐳<γ1β\lVert\mathbf{z}\rVert_{\infty}<\gamma_{1}-\beta, 𝐳\mathbf{z} is uniform over Sγ1β1lS_{\gamma_{1}-\beta-1}^{l}, because each target 𝐳\mathbf{z} in that box has a unique in-range preimage 𝐲=𝐳c𝐬1\mathbf{y}=\mathbf{z}-c\mathbf{s}_{1}^{\prime} (as c𝐬1β\lVert c\mathbf{s}_{1}^{\prime}\rVert_{\infty}\leq\beta). The further test 𝖫𝗈𝗐𝖡𝗂𝗍𝗌(𝐀𝐲c𝐬2,2γ2)<γ2β\lVert\mathsf{LowBits}(\mathbf{A}\mathbf{y}-c\mathbf{s}_{2}^{\prime},2\gamma_{2})\rVert_{\infty}<\gamma_{2}-\beta equals 𝖫𝗈𝗐𝖡𝗂𝗍𝗌(𝐀𝐳c𝐭s,2γ2)<γ2β\lVert\mathsf{LowBits}(\mathbf{A}\mathbf{z}-c\mathbf{t}_{s},2\gamma_{2})\rVert_{\infty}<\gamma_{2}-\beta (since 𝐀𝐳c𝐭s=𝐀𝐲c𝐬2\mathbf{A}\mathbf{z}-c\mathbf{t}_{s}=\mathbf{A}\mathbf{y}-c\mathbf{s}_{2}^{\prime}), a function of (c,𝐳)(c,\mathbf{z}) and the public 𝐭s\mathbf{t}_{s} only; and the recomputed commitment is 𝖧𝗂𝗀𝗁𝖡𝗂𝗍𝗌(𝐀𝐳c𝐭s,2γ2)=ws\mathsf{HighBits}(\mathbf{A}\mathbf{z}-c\mathbf{t}_{s},2\gamma_{2})=w_{s}. The corrected simulator (Lemma LABEL:lem:zk) draws 𝐳\mathbf{z} uniformly over Sγ1β1lS_{\gamma_{1}-\beta-1}^{l} with the identical low-order test and sets ws=𝖧𝗂𝗀𝗁𝖡𝗂𝗍𝗌(𝐀𝐳c𝐭s,2γ2)w_{s}=\mathsf{HighBits}(\mathbf{A}\mathbf{z}-c\mathbf{t}_{s},2\gamma_{2}). Hence the conditional law of (c,𝐳,ws)(c,\mathbf{z},w_{s}) is identical in both, and the verifier branch is produced by the same simulation on both sides. The transcripts therefore coincide.

(k,l)(k,l) η,τ,β\eta,\tau,\beta γ1,γ2\gamma_{1},\gamma_{2} q12γ2\tfrac{q-1}{2\gamma_{2}} α()\alpha\ (\geq)
Dilithium2 / ML-DSA-44 (4,4)(4,4) 2,39,782,39,78 217, 952322^{17},\,95232 4444 13971397
Dilithium3 / ML-DSA-65 (6,5)(6,5) 4,49,1964,49,196 219, 2618882^{19},\,261888 1616 10241024
Dilithium5 / ML-DSA-87 (8,7)(8,7) 2,60,1202,60,120 219, 2618882^{19},\,261888 1616 10241024
Table 1: Parameters (n=256n=256, q=8380417q=8380417) and the resulting commitment min-entropy lower bound α\alpha (bits). Challenge entropies log2|Bτ|=192.8,225.3,257.0\log_{2}|B_{\tau}|=192.8,225.3,257.0.
Corollary 3.17 (Concrete security).

wbsphack @@writeaux\newlabelcor:concretewcurrentlabel1wesphack Instantiated with no-hint Dilithium, the scheme has εzk=0\varepsilon_{\mathrm{zk}}=0 (Lemma LABEL:lem:perfectzk) and α1024\alpha\geq 1024 (Assumption LABEL:ass:entropy). Hence, for any adversary making qWq_{W} signing and qHMq_{H_{M}} random-oracle queries, Theorems LABEL:thm:unforge and LABEL:thm:withdraw give

𝖠𝖽𝗏WSEUF-CMA-ic(𝒜)\displaystyle\mathsf{Adv}^{\mathrm{EUF\text{-}CMA\text{-}ic}}_{WS}(\mathcal{A}) 𝖠𝖽𝗏DSEUF-CMA()+qW(qHM+qW) 21024,\displaystyle\leq\mathsf{Adv}^{\mathrm{EUF\text{-}CMA}}_{DS}(\mathcal{B})+q_{W}(q_{H_{M}}+q_{W})\,2^{-1024},
𝖠𝖽𝗏WSWithdraw(𝒜)\displaystyle\mathsf{Adv}^{\mathrm{Withdraw}}_{WS}(\mathcal{A}) 12+(qW+1)(qHM+qW+1) 21024.\displaystyle\leq\tfrac{1}{2}+(q_{W}{+}1)(q_{H_{M}}{+}q_{W}{+}1)\,2^{-1024}.

Unforgeability reduces to the EUF-CMA security of the underlying no-hint Dilithium-style signature (up to the 210242^{-1024} programming term), whereas withdrawability follows statistically from perfect naHVZK (εzk=0\varepsilon_{\mathrm{zk}}=0) and Assumption LABEL:ass:entropy, up to the same 210242^{-1024} programming term; it does not reduce to EUF-CMA.

Remark 3.18 (Hint-optimised Dilithium).

Production Dilithium publishes 𝐭1\mathbf{t}_{1} (not 𝐭\mathbf{t}) plus a hint 𝐡\mathbf{h}, which trades the exact recovery 𝖧𝗂𝗀𝗁𝖡𝗂𝗍𝗌(𝐀𝐳c𝐭)=ws\mathsf{HighBits}(\mathbf{A}\mathbf{z}-c\mathbf{t})=w_{s} for 𝖴𝗌𝖾𝖧𝗂𝗇𝗍\mathsf{UseHint}. That variant has a small, standard naHVZK defect in place of εzk=0\varepsilon_{\mathrm{zk}}=0 and slightly smaller signatures; our no-hint choice keeps the proofs clean (perfect naHVZK) at a modest size cost. Either way the asymptotic and concrete security are governed by the same 𝖠𝖽𝗏DSEUF-CMA\mathsf{Adv}^{\mathrm{EUF\text{-}CMA}}_{DS} and 2α2^{-\alpha} terms.

3.3 Strong designated-verifier variant

wbsphack @@writeaux\newlabelsec:sdvswcurrentlabel1wesphack

The scheme of Sections LABEL:sec:abstract and 3.2 is publicly verifiable. To match the Liu–Baek–Susilo model [liu2023], where a withdrawable signature is verifiable only by the designated verifier, we upgrade it to a strong designated-verifier (SDVS) scheme: we hybrid-encrypt the publicly-verifiable signature to the verifier (and to the signer, so that 𝖢𝗈𝗇𝖿𝗂𝗋𝗆\mathsf{Confirm} stays stateless). Write (𝖶𝖲𝗂𝗀𝗇𝗉𝗎𝖻,𝖶𝖲𝖵𝖾𝗋𝗂𝖿𝗒𝗉𝗎𝖻,𝖢𝗈𝗇𝖿𝗂𝗋𝗆𝗉𝗎𝖻,𝖢𝖵𝖾𝗋𝗂𝖿𝗒𝗉𝗎𝖻)(\mathsf{WSign}^{\mathsf{pub}},\mathsf{WSVerify}^{\mathsf{pub}},\mathsf{Confirm}^{\mathsf{pub}},\mathsf{CVerify}^{\mathsf{pub}}) for the scheme of Section LABEL:subsec:instantiation (Algorithms LABEL:alg:dil-wsignLABEL:alg:dil-cverify), where 𝖶𝖲𝖵𝖾𝗋𝗂𝖿𝗒𝗉𝗎𝖻(μ,π,ρ)\mathsf{WSVerify}^{\mathsf{pub}}(\mu,\pi,\rho) is public; 𝖪𝖾𝗒𝖦𝖾𝗇\mathsf{KeyGen} is as amended (each party holds (ek,dk)(ek,dk)). Let ρ\rho denote a public ring signature and ρ\|\rho\| its bit length.

Algorithm 20 𝖶𝖲𝗂𝗀𝗇(μ,sks,π)\mathsf{WSign}(\mu,sk_{s},\pi) (strong DVS)wbsphack @@writeaux\newlabelalg:sdvs-wsignwcurrentlabel1wesphack
1:ρ𝖶𝖲𝗂𝗀𝗇𝗉𝗎𝖻(μ,sks,π)\rho\leftarrow\mathsf{WSign}^{\mathsf{pub}}(\mu,sk_{s},\pi) \triangleright public OR-proof ring signature
2:K${0,1}κK\xleftarrow{\mathdollar}\{0,1\}^{\kappa}
3:cts𝖤𝗇𝖼(eks,K);ctv𝖤𝗇𝖼(ekv,K)ct_{s}\leftarrow\mathsf{Enc}(ek_{s},K);\quad ct_{v}\leftarrow\mathsf{Enc}(ek_{v},K)
4:CρG(K)C\leftarrow\rho\oplus G(K) \triangleright G(K)G(K) truncated to ρ\|\rho\| bits
5:return σ=(cts,ctv,C)\sigma=(ct_{s},ct_{v},C)
Algorithm 21 𝖶𝖲𝖵𝖾𝗋𝗂𝖿𝗒(μ,skv,pks,σ)\mathsf{WSVerify}(\mu,sk_{v},pk_{s},\sigma) (strong DVS; designated)wbsphack @@writeaux\newlabelalg:sdvs-wsverifywcurrentlabel1wesphack
1:parse pkvpk_{v} from skvsk_{v}; π={pks,pkv}\pi=\{pk_{s},pk_{v}\}; parse σ=(cts,ctv,C)\sigma=(ct_{s},ct_{v},C)
2:K𝖣𝖾𝖼(dkv,ctv);ρCG(K)K\leftarrow\mathsf{Dec}(dk_{v},ct_{v});\quad\rho\leftarrow C\oplus G(K)
3:return 𝖶𝖲𝖵𝖾𝗋𝗂𝖿𝗒𝗉𝗎𝖻(μ,π,ρ)\mathsf{WSVerify}^{\mathsf{pub}}(\mu,\pi,\rho)
Algorithm 22 𝖢𝗈𝗇𝖿𝗂𝗋𝗆(μ,sks,π,σ)\mathsf{Confirm}(\mu,sk_{s},\pi,\sigma) (strong DVS)wbsphack @@writeaux\newlabelalg:sdvs-confirmwcurrentlabel1wesphack
1:parse σ=(cts,ctv,C)\sigma=(ct_{s},ct_{v},C)
2:K𝖣𝖾𝖼(dks,cts);ρCG(K)K\leftarrow\mathsf{Dec}(dk_{s},ct_{s});\quad\rho\leftarrow C\oplus G(K) \triangleright signer recovers ρ\rho via its own dksdk_{s}
3:σ¯𝖲𝗂𝗀𝗇sks(μπσ)\bar{\sigma}\leftarrow\mathsf{Sign}_{sk_{s}}(\mu\,\|\,\pi\,\|\,\sigma)
4:return σ~=(σ¯,ρ,K)\tilde{\sigma}=(\bar{\sigma},\rho,K)
Algorithm 23 𝖢𝖵𝖾𝗋𝗂𝖿𝗒(μ,π,σ,σ~)\mathsf{CVerify}(\mu,\pi,\sigma,\tilde{\sigma}) (strong DVS; public)wbsphack @@writeaux\newlabelalg:sdvs-cverifywcurrentlabel1wesphack
1:parse σ=(cts,ctv,C),σ~=(σ¯,ρ,K)\sigma=(ct_{s},ct_{v},C),\ \tilde{\sigma}=(\bar{\sigma},\rho,K)
2:if (C=ρG(K))(𝖶𝖲𝖵𝖾𝗋𝗂𝖿𝗒𝗉𝗎𝖻(μ,π,ρ)=1)(𝖵𝖾𝗋𝗂𝖿𝗒pks(μπσ,σ¯)=1)\big(C=\rho\oplus G(K)\big)\wedge\big(\mathsf{WSVerify}^{\mathsf{pub}}(\mu,\pi,\rho)=1\big)\wedge\big(\mathsf{Verify}_{pk_{s}}(\mu\,\|\,\pi\,\|\,\sigma,\bar{\sigma})=1\big) then return 11
3:end if
Remark 3.19 (Scope of confirmed verification).

wbsphack @@writeaux\newlabelrem:cverify-scopewcurrentlabel1wesphack 𝖢𝖵𝖾𝗋𝗂𝖿𝗒\mathsf{CVerify} certifies that the signer authenticated the outer object σ\sigma (via σ¯=𝖲𝗂𝗀𝗇sks(μπσ)\bar{\sigma}=\mathsf{Sign}_{sk_{s}}(\mu\|\pi\|\sigma)) and that the revealed pad opens CC to a public core ρ\rho that passes 𝖶𝖲𝖵𝖾𝗋𝗂𝖿𝗒𝗉𝗎𝖻\mathsf{WSVerify}^{\mathsf{pub}}. It does not publicly certify ciphertext consistency, i.e. that ctsct_{s} and ctvct_{v} encrypt the same KK: for randomised 𝖯𝖪𝖤\mathsf{PKE} this cannot be checked without opening the encryption randomness. Confirmation is therefore a signer-authenticated opening of σ\sigma to a valid ambiguous core, which is all correctness (Definition LABEL:def:correct) and unforgeability (Theorem LABEL:thm:unforge) require; it does not retroactively attest that the designated verifier could decrypt σ\sigma prior to confirmation. For honestly generated σ\sigma the two ciphertexts do share KK, so 𝖶𝖲𝖵𝖾𝗋𝗂𝖿𝗒=1𝖢𝖵𝖾𝗋𝗂𝖿𝗒=1\mathsf{WSVerify}=1\Rightarrow\mathsf{CVerify}=1 as stated.

Proposition 3.20 (SDVS variant).

wbsphack @@writeaux\newlabelprop:sdvswcurrentlabel1wesphack Assume 𝖯𝖪𝖤\mathsf{PKE} has ciphertext pseudorandomness (advantage 𝖠𝖽𝗏𝖯𝖪𝖤pr\mathsf{Adv}^{\mathrm{pr}}_{\mathsf{PKE}}) and GG is a secure PRG. Then Algorithms LABEL:alg:sdvs-wsignLABEL:alg:sdvs-cverify form a correct withdrawable signature (Definitions LABEL:def:wsLABEL:def:withdraw) with designated verification, and:

  • (Designated verification / privacy.) Without dksdk_{s} or dkvdk_{v}, σ\sigma is pseudorandom; in particular third parties cannot publicly verify σ\sigma; recovering ρ\rho (and hence verifying) requires a decryption key, so both the designated verifier (via dkvdk_{v}) and the signer (via dksdk_{s}) can verify.

  • (Withdrawability.) For any PPT third-party adversary making qWq_{W} signing and qHMq_{H_{M}} random-oracle queries, 𝖠𝖽𝗏Withdraw:=Pr[𝖤𝗑𝗉WS,𝒜Withdraw=1]12+(qW+1)(2𝖠𝖽𝗏𝖯𝖪𝖤pr+𝖠𝖽𝗏Gprg)\mathsf{Adv}^{\mathrm{Withdraw}}:=\Pr[\mathsf{Exp}^{\mathrm{Withdraw}}_{WS,\mathcal{A}}=1]\leq\tfrac{1}{2}+(q_{W}{+}1)\big(2\,\mathsf{Adv}^{\mathrm{pr}}_{\mathsf{PKE}}+\mathsf{Adv}^{\mathrm{prg}}_{G}\big), where 𝖠𝖽𝗏𝖯𝖪𝖤pr\mathsf{Adv}^{\mathrm{pr}}_{\mathsf{PKE}} is the ciphertext-pseudorandomness advantage of 𝖯𝖪𝖤\mathsf{PKE}. Against an adversary holding the full verifier secret key skv=(pkv,𝐬1′′,𝐬2′′,dkv)sk_{v}=(pk_{v},\mathbf{s}_{1}^{\prime\prime},\mathbf{s}_{2}^{\prime\prime},dk_{v}) the bound is 12+(qW+1)εzk\tfrac{1}{2}+(q_{W}{+}1)\,\varepsilon_{\mathrm{zk}}: by the perfect naHVZK of Lemma LABEL:lem:perfectzk the verifier branch is identically distributed whether produced for real or simulated, so the witness confers no distinguishing power. This equals exactly 12\tfrac{1}{2} for the no-hint Dilithium instantiation.

  • (Unforgeability under insider corruption.) Reduces to the EUF-CMA security of 𝖲𝗂𝗀𝗇\mathsf{Sign} exactly as in Theorem LABEL:thm:unforge; the reduction chooses KK and the ciphertexts itself, hence needs no secret key.

Proof 3.21.

The strong-DV algorithms (Algorithms LABEL:alg:sdvs-wsignLABEL:alg:sdvs-cverify) are built on the public core

(𝖶𝖲𝗂𝗀𝗇𝗉𝗎𝖻,𝖶𝖲𝖵𝖾𝗋𝗂𝖿𝗒𝗉𝗎𝖻,𝖢𝗈𝗇𝖿𝗂𝗋𝗆𝗉𝗎𝖻,𝖢𝖵𝖾𝗋𝗂𝖿𝗒𝗉𝗎𝖻)(\mathsf{WSign}^{\mathsf{pub}},\mathsf{WSVerify}^{\mathsf{pub}},\mathsf{Confirm}^{\mathsf{pub}},\mathsf{CVerify}^{\mathsf{pub}})

of Section LABEL:subsec:instantiation, a public-key encryption scheme 𝖯𝖪𝖤=(𝖪𝖦𝖾𝗇e,𝖤𝗇𝖼,𝖣𝖾𝖼)\mathsf{PKE}=(\mathsf{KGen}_{e},\mathsf{Enc},\mathsf{Dec}) with decryption-failure probability δ𝖯𝖪𝖤\delta_{\mathsf{PKE}} and ciphertext-pseudorandomness advantage 𝖠𝖽𝗏𝖯𝖪𝖤pr\mathsf{Adv}^{\mathrm{pr}}_{\mathsf{PKE}} (i.e. for any message mm, 𝖤𝗇𝖼(ek,m)\mathsf{Enc}(ek,m) is indistinguishable from a uniform ciphertext given ekek but not dkdk; this implies IND-CPA and key-privacy), and a PRG GG with advantage 𝖠𝖽𝗏Gprg\mathsf{Adv}^{\mathrm{prg}}_{G}. Recall σ=(cts,ctv,C)\sigma=(ct_{s},ct_{v},C), cts=𝖤𝗇𝖼(eks,K)ct_{s}=\mathsf{Enc}(ek_{s},K), ctv=𝖤𝗇𝖼(ekv,K)ct_{v}=\mathsf{Enc}(ek_{v},K), C=ρG(K)C=\rho\oplus G(K), ρ=𝖶𝖲𝗂𝗀𝗇𝗉𝗎𝖻(μ,sks,π)\rho=\mathsf{WSign}^{\mathsf{pub}}(\mu,sk_{s},\pi), K${0,1}κK\xleftarrow{\mathdollar}\{0,1\}^{\kappa}.

The verifier recovers K=𝖣𝖾𝖼(dkv,ctv)K=\mathsf{Dec}(dk_{v},ct_{v}) and ρ=CG(K)\rho=C\oplus G(K), so

𝖶𝖲𝖵𝖾𝗋𝗂𝖿𝗒=𝖶𝖲𝖵𝖾𝗋𝗂𝖿𝗒𝗉𝗎𝖻(μ,π,ρ)=1\mathsf{WSVerify}=\mathsf{WSVerify}^{\mathsf{pub}}(\mu,\pi,\rho)=1

by correctness of the core. 𝖢𝗈𝗇𝖿𝗂𝗋𝗆\mathsf{Confirm} recovers the same (ρ,K)(\rho,K) via dksdk_{s} and outputs σ~=(σ¯,ρ,K)\tilde{\sigma}=(\bar{\sigma},\rho,K), σ¯=𝖲𝗂𝗀𝗇sks(μπσ)\bar{\sigma}=\mathsf{Sign}_{sk_{s}}(\mu\|\pi\|\sigma); then 𝖢𝖵𝖾𝗋𝗂𝖿𝗒\mathsf{CVerify} makes the following verifications: C=ρG(K)C=\rho\oplus G(K) (true), 𝖶𝖲𝖵𝖾𝗋𝗂𝖿𝗒𝗉𝗎𝖻(μ,π,ρ)=1\mathsf{WSVerify}^{\mathsf{pub}}(\mu,\pi,\rho)=1, and 𝖵𝖾𝗋𝗂𝖿𝗒pks(μπσ,σ¯)=1\mathsf{Verify}_{pk_{s}}(\mu\|\pi\|\sigma,\bar{\sigma})=1, all of which hold. The error is at most 2δ𝖯𝖪𝖤2\delta_{\mathsf{PKE}} plus the negligible correctness errors of the core and of 𝖲𝗂𝗀𝗇\mathsf{Sign}.

We show σ\sigma is pseudorandom to any party lacking both dks,dkvdk_{s},dk_{v}. Hybrids: 𝖧0=\mathsf{H}_{0}= real σ\sigma; 𝖧1\mathsf{H}_{1} replaces ctsct_{s} by a uniform string; 𝖧2\mathsf{H}_{2} also replaces ctvct_{v} by a uniform string; 𝖧3\mathsf{H}_{3} also replaces G(K)G(K) by a uniform string RR. Each PKE step costs 𝖠𝖽𝗏𝖯𝖪𝖤pr\leq\mathsf{Adv}^{\mathrm{pr}}_{\mathsf{PKE}} (the reduction picks KK, embeds the challenge as ctsct_{s} resp. ctvct_{v}, and computes the rest from the known KK; no decryption key is used); the PRG step costs 𝖠𝖽𝗏Gprg\leq\mathsf{Adv}^{\mathrm{prg}}_{G} (in 𝖧2\mathsf{H}_{2}, KK feeds only GG). In 𝖧3\mathsf{H}_{3}, C=ρRC=\rho\oplus R is uniform and independent of ρ\rho, so σ\sigma is uniform. Hence Δ(σ,𝒰)2𝖠𝖽𝗏𝖯𝖪𝖤pr+𝖠𝖽𝗏Gprg\Delta(\sigma,\mathcal{U})\leq 2\mathsf{Adv}^{\mathrm{pr}}_{\mathsf{PKE}}+\mathsf{Adv}^{\mathrm{prg}}_{G}. Consequently no public procedure can decide validity of σ\sigma (it would distinguish 𝖧0\mathsf{H}_{0} from 𝖧3\mathsf{H}_{3}); verification requires a decryption key, so the designated verifier (via dkvdk_{v}) and the signer (via dksdk_{s}) can verify, while third parties cannot.

In Definition LABEL:def:withdraw the adversary 𝒜\mathcal{A} holds no secret keys and sees N:=qW+1N:=q_{W}+1 signatures (challenge and oracle replies) under the bit bb. Applying the previous hybrid to each, every signature is within 2𝖠𝖽𝗏𝖯𝖪𝖤pr+𝖠𝖽𝗏Gprg2\mathsf{Adv}^{\mathrm{pr}}_{\mathsf{PKE}}+\mathsf{Adv}^{\mathrm{prg}}_{G} of uniform independently of bb (a uniform σ\sigma reveals neither ρ\rho nor which keys were used). Thus each of the two conditional views is within N(2𝖠𝖽𝗏𝖯𝖪𝖤pr+𝖠𝖽𝗏Gprg)N(2\mathsf{Adv}^{\mathrm{pr}}_{\mathsf{PKE}}+\mathsf{Adv}^{\mathrm{prg}}_{G}) of the same bb-independent all-uniform view, whence

Pr[𝖤𝗑𝗉WS,𝒜Withdraw=1]12+(qW+1)(2𝖠𝖽𝗏𝖯𝖪𝖤pr+𝖠𝖽𝗏Gprg).\Pr[\mathsf{Exp}^{\mathrm{Withdraw}}_{WS,\mathcal{A}}=1]\leq\tfrac{1}{2}+(q_{W}{+}1)\big(2\mathsf{Adv}^{\mathrm{pr}}_{\mathsf{PKE}}+\mathsf{Adv}^{\mathrm{prg}}_{G}\big).

If 𝒜\mathcal{A} holds the full verifier secret key skv=(pkv,𝐬1′′,𝐬2′′,dkv)sk_{v}=(pk_{v},\mathbf{s}_{1}^{\prime\prime},\mathbf{s}_{2}^{\prime\prime},dk_{v}) (in particular its dkvdk_{v}), it decrypts and recovers ρ=𝖶𝖲𝗂𝗀𝗇𝗉𝗎𝖻(μ,skb,π)\rho=\mathsf{WSign}^{\mathsf{pub}}(\mu,sk_{b},\pi); the ciphertexts and CC are then determined by (ρ,K)(\rho,K) and carry no further information about bb. Here we do not route through the simulator/programming hybrid of Theorem LABEL:thm:withdraw; instead we compare the two real public-core distributions 𝖶𝖲𝗂𝗀𝗇𝗉𝗎𝖻(,sk0,π)\mathsf{WSign}^{\mathsf{pub}}(\cdot,sk_{0},\pi) and 𝖶𝖲𝗂𝗀𝗇𝗉𝗎𝖻(,sk1,π)\mathsf{WSign}^{\mathsf{pub}}(\cdot,sk_{1},\pi) directly. In each, one branch is produced for real and the other is drawn from the accepted low-order distribution, and in both cases the challenge g=HM(μ,ws,wv,π)g=H_{M}(\mu,w_{s},w_{v},\pi) is read from the honest random oracle. By the per-branch naHVZK of Lemma LABEL:lem:zk, a real accepted branch and a simulated accepted branch are within statistical distance εzk\varepsilon_{\mathrm{zk}} as distributions, with no oracle reprogramming; hence the two real signing distributions are within 2εzk2\varepsilon_{\mathrm{zk}} per signature, and no 2α2^{-\alpha} freshness term is incurred. Summing over the N=qW+1N=q_{W}{+}1 signatures, Pr[𝖤𝗑𝗉Withdraw=1]12+(qW+1)εzk\Pr[\mathsf{Exp}^{\mathrm{Withdraw}}=1]\leq\tfrac{1}{2}+(q_{W}{+}1)\varepsilon_{\mathrm{zk}}. For the no-hint Dilithium instantiation εzk=0\varepsilon_{\mathrm{zk}}=0 (Lemma LABEL:lem:perfectzk), so the two real distributions are identical and the excess advantage Pr[𝖤𝗑𝗉Withdraw=1]12\Pr[\mathsf{Exp}^{\mathrm{Withdraw}}=1]-\tfrac{1}{2} is exactly 0: even the designated verifier cannot tell whether it or the signer produced σ\sigma.

The reduction is that of Theorem LABEL:thm:unforge, with the reduction performing the encryption itself. \mathcal{B} receives the 𝖲𝗂𝗀𝗇\mathsf{Sign}-challenge key pkpk^{\ast}, sets pks:=pkpk_{s}:=pk^{\ast}, \mathcal{B} receives the 𝖲𝗂𝗀𝗇\mathsf{Sign}-challenge key pkpk^{\ast} (the signing component only). It generates a fresh encryption key pair (eks,dks)𝖪𝖦𝖾𝗇e(1κ)(ek_{s},dk_{s})\leftarrow\mathsf{KGen}_{e}(1^{\kappa}) itself and sets pks:=(pk,eks)pk_{s}:=(pk^{\ast},ek_{s}), keeping dksdk_{s} private; it never uses dksdk_{s} (confirmation replies are served from stored (ρ,K)(\rho,K), and signing queries encrypt under the public eksek_{s}). It generates all other keys honestly (so it holds skvsk_{v} and may give it to 𝒜\mathcal{A}). It answers: 𝒪𝖶𝖲𝗂𝗀𝗇(μ)\mathcal{O}^{\mathsf{WSign}}(\mu) by simulating ρ\rho with the witness-free simulator of Lemma LABEL:lem:zk (programming HMH_{M}), drawing KK, setting cts=𝖤𝗇𝖼(eks,K)ct_{s}=\mathsf{Enc}(ek_{s},K), ctv=𝖤𝗇𝖼(ekv,K)ct_{v}=\mathsf{Enc}(ek_{v},K), C=ρG(K)C=\rho\oplus G(K), storing (σ,ρ,K)(\sigma,\rho,K) in WW, and returning σ\sigma; and 𝒪𝖢𝗈𝗇𝖿𝗂𝗋𝗆(μ,σ)\mathcal{O}^{\mathsf{Confirm}}(\mu,\sigma), for σW\sigma\in W, by retrieving the stored (ρ,K)(\rho,K) and returning (𝖲𝗂𝗀𝗇sk(μπσ),ρ,K)(\mathsf{Sign}_{sk^{\ast}}(\mu\|\pi\|\sigma),\rho,K) through the signing oracle. Thus \mathcal{B} uses neither skssk_{s} nor any decryption key. A confirmed forgery (μ,σ,σ~=(σ¯,ρ,K))(\mu^{\ast},\sigma^{\ast},\tilde{\sigma}^{\ast}=(\bar{\sigma}^{\ast},\rho^{\ast},K^{\ast})) with μ\mu^{\ast} never confirmed satisfies 𝖵𝖾𝗋𝗂𝖿𝗒pk(μπσ,σ¯)=1\mathsf{Verify}_{pk^{\ast}}(\mu^{\ast}\|\pi\|\sigma^{\ast},\bar{\sigma}^{\ast})=1 on the fresh message μπσ\mu^{\ast}\|\pi\|\sigma^{\ast}, which \mathcal{B} outputs. As in Theorem LABEL:thm:unforge,

𝖠𝖽𝗏WSEUF-CMA-ic(𝒜)𝖠𝖽𝗏DSEUF-CMA()+qWεzk+qW(qHM+qW)/2α,\mathsf{Adv}^{\mathrm{EUF\text{-}CMA\text{-}ic}}_{WS}(\mathcal{A})\leq\mathsf{Adv}^{\mathrm{EUF\text{-}CMA}}_{DS}(\mathcal{B})+q_{W}\,\varepsilon_{\mathrm{zk}}+q_{W}(q_{H_{M}}+q_{W})/2^{\alpha},

with no contribution from 𝖯𝖪𝖤\mathsf{PKE} or GG (which \mathcal{B} evaluates honestly).

3.4 Comparison with Liu–Baek–Susilo

wbsphack @@writeaux\newlabelsec:comparisonwcurrentlabel1wesphack

Our construction realises the same primitive and the same security model as Liu, Baek and Susilo [liu2023]: the syntax of Definition LABEL:def:ws and the security notions of Definitions LABEL:def:correct, LABEL:def:euf and LABEL:def:withdraw are theirs, and we follow their two-stage “withdraw, then confirm” template. The differences are confined to the construction, and each of them follows from a single structural fact about lattices.

Root cause: the group shared secret has no cheap lattice analogue.

The designation mechanism of [liu2023] is, at its core, a Diffie–Hellman (or pairing) shared secret embedded in the signature. In their Schnorr-based scheme the withdrawable signature contains σ2=pkvzrt\sigma_{2}=pk_{v}^{\,z-rt}, which the designated verifier checks by raising to its secret key skvsk_{v} via (ga)b=(gb)a(g^{a})^{b}=(g^{b})^{a}; the BLS-based scheme uses e(,gskv)e(\cdot,g^{sk_{v}}) in the same way. A single algebraic object thereby delivers both properties required of a withdrawable signature at once: signer/verifier ambiguity — either party can compute σ\sigma from its own secret — and designation — verification requires skvsk_{v} — using nothing but the parties’ ordinary public keys, in effect a non-interactive key agreement (NIKE). This shared secret is essentially free in a group but has no cheap lattice counterpart: the noisy analogue of (ga)b(gb)a(g^{a})^{b}\approx(g^{b})^{a} agrees only approximately, so a literal transcription that blinds the signature by a uniform matrix 𝐁Rqk×k\mathbf{B}\in R_{q}^{k\times k} leaves a residue 𝐁𝐬2′′\mathbf{B}\mathbf{s}_{2}^{\prime\prime} that the verifier cannot cancel (it is given 𝐁𝐀\mathbf{B}\mathbf{A}, never 𝐁\mathbf{B}). Lattice NIKE is in fact possible: after a long line of negative evidence, including information-theoretic efficiency barriers for polynomial-modulus reconciliation [guo2022], the recent SWOOSH scheme [gajland2024] gives the first practical M-LWE NIKE — but at a cost (public keys of hundreds of kilobytes, a super-polynomial modulus-to-noise ratio, and a NIZK for active security) well above what designation needs. Crucially, designation does not require a shared secret at all: it only needs to deliver a key to the designated verifier, which is public-key encryption — a weaker and far cheaper primitive. We therefore keep ambiguity and designation as separate mechanisms, an OR-proof for the former and encryption for the latter; this is the origin of every row of Table LABEL:tab:comparison.

Aspect Liu–Baek–Susilo [liu2023] This work Reason
Designation of σ\sigma skvsk_{v} enters the verification exponent (Diffie–Hellman / pairing) encrypt σ\sigma to pkvpk_{v} via a PKE no free shared secret
Signer/verifier ambiguity algebraic symmetry of σ\sigma two-party FS-with-aborts OR-proof (witness-indist.) no DH symmetry
Confirmation re-derive shared randomness rr; rebuild a linked σ~\tilde{\sigma} ordinary signature 𝖲𝗂𝗀𝗇sks(μπσ)\mathsf{Sign}_{sk_{s}}(\mu\,\|\,\pi\,\|\,\sigma) FS randomness not reusable
Key material one key pair (signing == designation) signing key pair ++ encryption key pair (ek,dk)(ek,dk) signing key cannot designate
Withdrawability from DDH (Schnorr) / DBDH (BLS) decisional MLWE (PKE) ++ statistical WI lattice counterpart
Unforgeability from CDH / DL MSIS / SelfTargetMSIS lattice counterpart
Overall structure monolithic designated-verifier object public ambiguous core ++ encryption layer composition forced
Table 2: Comparison of the Liu–Baek–Susilo withdrawable signature with the lattice construction of this work. Every difference follows from the absence of a free Diffie–Hellman-style shared secret in the lattice setting (Section LABEL:sec:comparison).wbsphack @@writeaux\newlabeltab:comparisonwcurrentlabel1wesphack

Ambiguity and confirmation.

For ambiguity we use a two-clause Fiat–Shamir-with-aborts OR-proof (Algorithm LABEL:alg:dil-wsign): a proof of knowledge of a short witness for 𝐭s\mathbf{t}_{s} or for 𝐭v\mathbf{t}_{v}, which either party can produce by executing its own branch and simulating the other. This is the natural lattice substitute for the group symmetry, and it agrees with the authors’ own description of withdrawable signatures as two-party ring signatures augmented with a transformation stage [liu2023]. For confirmation, where [liu2023] reconstructs the shared randomness rr and rebuilds an algebraically linked σ~\tilde{\sigma}, we let 𝖢𝗈𝗇𝖿𝗂𝗋𝗆\mathsf{Confirm} emit an ordinary signature 𝖲𝗂𝗀𝗇sks(μπσ)\mathsf{Sign}_{sk_{s}}(\mu\,\|\,\pi\,\|\,\sigma) on the entire withdrawable object: the masking randomness of Fiat–Shamir with aborts is not reusable in the way a discrete-logarithm nonce is, and binding by a signature is both simpler and reducible to the unforgeability of the underlying scheme (Theorem LABEL:thm:unforge).

Designation by encryption: a PKE, not a KEM.

Lacking the free shared secret, we transport the designation explicitly: the scheme of Section LABEL:sec:sdvs encrypts the publicly verifiable, ambiguous signature ρ\rho to the verifier, so that only a holder of dkvdk_{v} can recover and check it. This encryption must place the same chosen key KK under two public keys: ekvek_{v}, so that the verifier can decrypt and verify, and eksek_{s}, so that the signer can decrypt and run 𝖢𝗈𝗇𝖿𝗂𝗋𝗆\mathsf{Confirm} statelessly (it is given only σ\sigma). A key-encapsulation mechanism returns a fresh random key for each encapsulation and recipient, so 𝖤𝗇𝖼𝖺𝗉𝗌(ekv)\mathsf{Encaps}(ek_{v}) and 𝖤𝗇𝖼𝖺𝗉𝗌(eks)\mathsf{Encaps}(ek_{s}) would produce two independent keys and the parties could never reconstruct the same ρ=CG(K)\rho=C\oplus G(K); delivering one shared chosen KK to both recipients is exactly encryption of a chosen message, i.e. a public-key encryption scheme. We therefore instantiate 𝖯𝖪𝖤\mathsf{PKE} with the CPA-secure module-LWE encryption underlying ML-KEM (Kyber), and not with the KEM itself. This encryption is precisely what the group construction obtains for nothing: there the shared key is the Diffie–Hellman value that both parties derive from their public keys, so [liu2023] require no encryption at all, whereas we must transport it — and to both parties — which is why a public-key encryption scheme appears in our construction where theirs has none.

Consequences.

The two schemes rest on parallel hardness assumptions: decisional MLWE replaces DDH/DBDH for withdrawability, and MSIS/SelfTargetMSIS replace CDH/DL for unforgeability. The lattice route is less compact — an extra encryption key pair per party, and a withdrawable signature carrying two ciphertexts and a one-time pad rather than three group elements — but it gains two properties: the withdrawable signature is pseudorandom, concealing from outsiders even the existence of a signature, and non-transferability against the designated verifier is perfect (εzk=0\varepsilon_{\mathrm{zk}}=0 for the no-hint instantiation) rather than computational. We regard these as necessary adaptations of the Liu–Baek–Susilo notion to the post-quantum setting rather than departures from it.

4 Conclusion and future research

This work uses the ideas in [liu2023] to extend the Fiat–Shamir with aborts paradigm [lyubashevsky2009] with withdrawability and defines a general construction for withdrawable lattice-based digital signature schemes.

We demonstrated our approach by creating a withdrawable version of Dilithium, though the same principles could be applied to other signature schemes like HAETAE [cheon2024]. Our construction maintains the security properties of the underlying signature scheme while adding the ability to withdraw signatures when needed by the signer.

Several directions remain for future research, including optimizing our construction’s efficiency and exploring additional features such as blindness, multiparty capabilities, or enhancing this construction with extended withdrawability, where rather than limiting verification to a specific entity, we can ensure the universal verifiability of the withdrawable signature by employing any signature scheme that can maintain signer ambiguity (this is work done in [liu2024]).

Another potential line of research is given by practical applications, particularly how these constructions could enhance quantum resistance in blockchain systems. The ability to withdraw signatures could prove valuable in blockchain environments where transaction revocation is desirable but traditionally difficult to implement.

References

uxtagasecondoftwo