[orcid = 0000-0002-8959-636X, inst = 1, email = ramses.fernandez@fairgate.io, surname = Fernandez, ]Ramses Fernandez \addaffiliation[country = ]Fairgate Labs
Withdrawability in Fiat–Shamir with aborts constructions
Abstract
This article presents an extension of the work performed by Liu, Baek and Susilo [liu2023] on withdrawable signatures to the Fiat–Shamir with aborts paradigm. We introduce an abstract construction, and provide security proofs for this proposal. As an instantiation, we provide a concrete withdrawable signature scheme based on a no-hint, full- Dilithium-style Fiat–Shamir-with-aborts construction [ducas2017]; adapting to production ML-DSA (with hints) introduces a small term.
keywords:
[Withdrawability, Digital signatures, Module Learning with Errors]Withdrawability, Digital signatures, Module Learning with Errors @@@1 Introduction
Digital signatures serve as a fundamental cryptographic mechanism that enables entities to bind their identities to pieces of information. The essential purpose of a digital signature is to allow a signer, who has established a public key , to sign messages using their private key in a way that enables anyone knowing to verify both the message’s origin and its integrity during transit.
An important paradigm for the creation of digital signatures is the Fiat–Shamir transform, which converts interactive identification protocols into non-interactive digital signature schemes. Starting with a three-move identification protocol, where a prover demonstrates knowledge to a verifier through commitment, challenge, and response steps, the transform replaces the verifier’s random challenge with a hash function applied to both the commitment and the message. This creates a digital signature scheme where the signing algorithm computes a commitment, generates a challenge by hashing the commitment with the message, and produces a response using the secret key.
The Schnorr signature scheme is perhaps the most well-known application of the Fiat–Shamir transform, which has gained particular attention due to its security characteristics and its valuable properties, such as signature aggregation. These advantages make Schnorr signatures especially attractive for blockchain applications where transaction size reduction and privacy enhancement are crucial considerations.
The impact of digital signatures is particularly important in blockchain technology, where this primitive extends beyond basic transaction authentication, enabling sophisticated smart contract interactions, multi-signature schemes for enhanced security, and threshold signature systems for distributed key management. Furthermore, innovations in signature aggregation and batch verification techniques have contributed significantly to blockchain scalability solutions.
Current public-key cryptographic algorithms serve as the foundation for protecting sensitive electronic information from unauthorized access. These algorithms have successfully withstood attacks from conventional computing systems for decades, due to the hardness of their underlying mathematical problems, prime factorization and the computation of discrete logarithms. However, the emergence of quantum computing presents a significant challenge to this security paradigm, as Shor’s algorithm demonstrates the potential to solve both the prime factorization and the computation of discrete logarithms efficiently. This means that quantum computers possess computational capabilities that could potentially compromise current cryptographic methods, exposing vulnerable data and information.
To address this impending challenge, new cryptographic approaches are being designed to withstand attacks from both traditional computers and future quantum systems. These methods rely on problems, such as lattices, error-correcting codes or isogenies of elliptic curves, which have enhanced mathematical structure, leading to computational problems assumed to be hard both for classical and quantum computers. This framework is known as post-quantum cryptography, which represents a critical advancement in information security, ensuring that digital assets remain protected against evolving technological threats.
The Fiat–Shamir transform can be extended to lattices, leading to the Fiat–Shamir with aborts paradigm due to Lyubashevsky [lyubashevsky2009]. Fiat–Shamir with aborts provides a framework for constructing digital signature schemes with provable security. This methodology addresses the challenge of generating signatures from lattice-based one-way functions by introducing a controlled rejection sampling technique, aborting. When a potential signature might reveal information about the secret key, the signing algorithm simply aborts and restarts the process. This paradigm converts an interactive identification protocol with a non-negligible probability of aborting into a signature scheme through iterative execution until a successful completion occurs, the aborting procedure. This transformation eliminates the need for interaction by substituting the verifier’s challenge with a hash function evaluation, which security analyses treat as a random oracle.
Amongst the main constructions based on the Fiat–Shamir with aborts mechanism, we find Dilithium [ducas2017] and HAETAE [cheon2024]. Dilithium derives its security from the difficulty of solving certain lattice problems, specifically the Module Learning with Errors and Module Short Integer Solution problems. The importance of the scheme comes from the effective balance between security, signature size, and computational efficiency, making it practical for real-world implementations. HAETAE has been specifically designed to produce more compact and efficiently maskable signatures. While built upon the Fiat–Shamir with aborts paradigm underpinning Dilithium, HAETAE introduces design choices that optimize the complexity-to-compactness ratio, which is particularly important in space-constrained implementation scenarios.
Digital signatures are designed to provide authenticity, integrity, and non-repudiation for signed messages. Once a signature is created, it remains valid indefinitely, and the signer cannot rescind it. This permanence, while typically considered a feature, raises an important question: is it possible for signers to efficiently revoke their signatures without compromising their private keys or affecting the validity of their other signatures? Liu, Baek, and Susilo address this challenge by introducing the concept of withdrawable signatures [liu2023], offering a practical and secure mechanism for signature revocation in situations where this capability is desirable.
The practical applications of withdrawable signatures span multiple domains where signature revocation capability is essential without compromising the signer’s private key. In blockchain-based smart contracts, these signatures enable participants to commit to contract conditions while maintaining the ability to revoke their commitment, particularly valuable when contract fulfillment depends on multiple parties or external conditions. Within decentralized e-voting systems, withdrawable signatures provide voters the security to cast their votes while retaining the flexibility to modify their choices before final vote tabulation, allowing voters to respond to new information or developments during the voting period. Additionally, in decentralized escrow services, these signatures facilitate multi-party transactions by allowing participants to revoke their signatures if circumstances change or disputes arise, without compromising the security of other parties’ signatures.
1.1 Contributions
This paper builds upon the research conducted by Liu, Baek, and Susilo on withdrawable signatures [liu2023] to present a general methodology for constructing post-quantum withdrawable signatures based on Lyubashevsky’s Fiat–Shamir with aborts paradigm [lyubashevsky2009].
The work first introduces a comprehensive abstract construction that takes a mechanism based on the Fiat–Shamir with aborts paradigm as its starting point and extends it to incorporate withdrawability features. To demonstrate the practical applications of this abstract framework, the paper presents a concrete withdrawable construction from a no-hint, full- Dilithium-style variant [ducas2017]; the no-hint variant keeps the naHVZK proof exact (perfect, ), whereas production ML-DSA requires handling hints and incurs a small .
The integration of withdrawability features with post-quantum cryptography addresses two crucial challenges in modern cryptographic systems. First, it provides the flexibility to revoke signatures when needed, a capability increasingly important in dynamic digital environments. Second, it ensures this functionality remains secure against quantum computing threats.
1.2 Related work
The research in this paper revolves around three gravity centres, namely: the work done by Lyubashevsky, the construction of Liu, Baek and Susilo, and the digital scheme Dilithium.
The Fiat–Shamir heuristic [fiat2000] provides a method for transforming public-coin interactive proof systems into digital signatures. This transformation works by substituting the verifier’s public coin tosses with hash function evaluations. In the random oracle model (ROM), these hash functions are treated as uniform functions that adversaries can access through classical computing methods.
Schnorr’s signature scheme stands as a prominent implementation of the Fiat–Shamir heuristic, with its security fundamentally based on the discrete logarithm problem. However, the emergence of quantum computing necessitates two critical adaptations to this framework. First, the discrete logarithm hardness assumption must be replaced with quantum-resistant alternatives. Second, the security model must account for quantum access to the random oracle (QROM), as quantum adversaries can query the hash function in superposition.
Lyubashevsky’s work [lyubashevsky2009] introduced an innovative lattice-based signature scheme that builds upon Schnorr’s design while incorporating abortion as a crucial modification. The abort mechanism ensures that the signature distribution remains independent of the signing key, preventing potential attacks against the signature scheme. The protocol manages these aborts through a loop structure, continuing iterations until a successful execution occurs without an abort.
This modified approach, known as Fiat–Shamir with aborts, maintains the fundamental concept of replacing non-final verifier steps with hash function evaluations while adapting to the requirements of lattice-based cryptography. The integration of the abort mechanism represents a significant advancement in developing quantum-resistant signature schemes, providing a robust framework for cryptographic security in the post-quantum era.
On the other hand, Liu, Baek and Susilo propose a designated-verifier signature scheme that introduces withdrawability to digital signatures. Their construction generates a withdrawable signature for a message , distinct from conventional signature schemes.
The scheme’s construction centers on a transformation mechanism. When a signer generates a withdrawable signature, it remains verifiable only by the designated verifier. The signature can then follow two paths: it either remains in its withdrawable state through signer inaction, effectively withdrawing the signature, or undergoes transformation through a “Confirm” algorithm. This algorithm converts the withdrawable signature into a confirmed signature , which becomes verifiable through both parties’ public keys while maintaining a deterministic relationship to .
The formal construction involves two entities, signer and verifier, with their public keys comprising a set , respectively. The scheme utilizes the underlying signature structure to construct a withdrawable signature specifically designated for the verifier. Subsequently, using the secret key and , the signer can generate a verifiable signature for through the public key set . This confirmed signature maintains a cryptographic link to the original withdrawable signature via the public key set , ensuring the signature transformation’s verifiability and traceability.
Finally, we find Dilithium [ducas2017], which builds upon the Fiat–Shamir with aborts paradigm. The scheme operates over module lattices, specifically using the module learning with errors (MLWE) and the module short integer solution (MSIS) problems as its primary security foundations. Its construction employs a ring with carefully chosen parameters and . The signature scheme utilizes matrices and vectors over this ring, with dimensions selected to balance security and efficiency.
The key generation in Dilithium produces a public key containing a matrix and a vector , where and are secret vectors with small coefficients. The signing process involves generating a masking vector , computing , and using a challenge value derived from the message and to produce the signature. The scheme incorporates rejection sampling to ensure signature security, leading to probabilistic signature generation.
2 Preliminaries
2.1 Notation
We write and to denote the rings and respectively, where is an integer. We will denote vectors by bold letters, and regular font letters denote elements in or . Unless otherwise specified, all vectors are assumed to be column vectors. Bold upper-case letters denote matrices.
If is a set, then means that is chosen uniformly at random from . All logarithms are assumed to be base , and the hash function will operate on the concatenation of its arguments.
For any even positive integer , we define to be the unique element in the range such that . For any odd positive integer , we define to be the unique element in the range such that . We refer to these operations as centered reductions modulo .
For any positive integer , we define to be the unique element in the range such that . When the specific representation is not significant, we simply write .
For an element , we denote to mean . For , we define and . For : and . We denote by the set of all elements such that for . There will be an abuse of notation: we write , with no subindex, to indicate that bounds in this case are given by the underlying scheme.
From [ducas2017] we set as the maximum possible coefficient of , is large enough so the signature does not reveal the secret key and small enough so that the signature is not forged, is the low-order rounding bound with (concretely for level 2 and for levels 3 and 5, so in general), and is a small integer. We write for the challenge set of weight (Definition LABEL:def:stmsis); the concrete weights are for the three parameter sets, and . Fix an efficiently invertible bijection (for instance the indexing underlying SampleInBall), with inverse . We use a challenge hash . Let denote the recoverable (high-order) part of a commitment, i.e. for every accepted transcript ; in Dilithium .
Let be a public-key encryption scheme satisfying ciphertext pseudorandomness: for honestly generated and any message , is computationally indistinguishable from a uniform element of the ciphertext space given (but not ); we write its advantage . Ciphertext pseudorandomness implies both IND- CPA and key-privacy (anonymity), but neither of those implies it. We use to encrypt a chosen symmetric key . The CPA-secure module-LWE encryption underlying ML-KEM (Kyber) is a candidate instantiation: its ciphertext components are pseudorandom under decisional MLWE, and pseudorandomness is understood with respect to the actual (compressed) ciphertext encoding space, up to the standard compression/statistical terms. Let be a pseudorandom generator (XOF). Each party holds, in addition to its lattice keys, an encryption key pair ; for a key set we write (resp. ) for the signer’s and verifier’s encryption keys.
Public parameters fix the common matrix (with the and PRG descriptions); every key pair is generated as relative to the same , so the two OR-proof branches share a module matrix.
2.2 Basic definitions
A withdrawable signature scheme involves two participating parties: signers and verifiers. The scheme operates in two primary stages: first, the generation of a withdrawable signature, and second, its transformation into a confirmed signature. Both stages are executed by the signer. Concerning the security of a withdrawable signature scheme , it is established through three properties, namely: correctness, unforgeability under insider corruption, and withdrawability.
-
1.
Correctness establishes a strong relation between the verification algorithms: if a withdrawable signature is successfully verified through the algorithm, then its corresponding confirmed signature must also be verifiable through the algorithm.
-
2.
Unforgeability under insider corruption ensures that only the original signer possesses the capability to transform a verifiable withdrawable signature (generated using for verifier ) into its corresponding confirmed signature . This requirement holds even when an adversary has obtained the verifier’s secret key , maintaining the exclusive control of the signer over the confirmation process.
-
3.
Finally, withdrawability establishes the indistinguishability of signature origin. Specifically, given a verifiable withdrawable signature , no PPT adversary should be able to determine whether the signature was generated by the signer or the verifier, provided that the algorithm has not been executed on . This property effectively ensures that both the signer and the designated verifier possess equivalent capabilities in generating withdrawable signatures.
Threat model.
All results are in the (quantum) random-oracle model, stated for the classical ROM with the QROM variant noted in Remark LABEL:rem:qrom. Keys are honestly generated unless stated otherwise: withdrawability is proved for honest keys (Theorem LABEL:thm:withdraw), and Remark LABEL:rem:wd treats an adversarially chosen verifier key at the cost of a decisional-MLWE term. Unforgeability (Theorem LABEL:thm:unforge) is under insider corruption, i.e. the adversary may hold the designated verifier’s secret key. For withdrawability we distinguish third-party adversaries (holding no secret key), defeated by the encryption layer of Section LABEL:sec:sdvs, from the designated verifier (holding ), defeated by the origin ambiguity of the public core.
Definition 2.1 ([liu2023], Section LABEL:subsec:instantiation).
wbsphack @@writeaux\newlabeldef:wswcurrentlabel1wesphack A withdrawable signature scheme is composed of five polynomial-time algorithms , defined as follows:
-
•
, : fixes public parameters , in particular the common matrix shared by all users, and outputs one key pair. The signer and verifier keys , are two independent invocations of and thus share ; by convention each secret key embeds its own public key, i.e. , so that a party can reconstruct from its own .
-
•
: given a message , a signer’s secret key , and a tuple containing both the signer’s public key and a designated verifier’s public key from the set of all public keys (those output by ), the withdrawable signing algorithm generates a withdrawable signature . This signature is specifically bound to message under the signer’s identity and can only be verified by the designated verifier .
-
•
: the withdrawable signature verification algorithm uses the designated verifier’s secret key (which includes ) to return iff is a valid withdrawable signature on under , and otherwise. Among third parties only the designated verifier can run it; the signer may also recover the public core (via ) for confirmation. The signature is not publicly verifiable.
-
•
: the confirmation algorithm transforms a withdrawable signature into a confirmed signature . It takes as input the original message , the signer’s secret key , the public key set , and the withdrawable signature . The resulting confirmed signature serves as a publicly verifiable signature with respect to the key set .
-
•
: the confirmed signature verification algorithm validates the authenticity of a confirmed signature on message with respect to the public key set . It takes as additional input the original withdrawable signature from which the confirmed signature was derived. The algorithm outputs if the confirmed signature is valid and otherwise.
Definition 2.2.
wbsphack @@writeaux\newlabeldef:correctwcurrentlabel1wesphack A withdrawable signature scheme is correct if, for any security parameter , any public key set , and any message , when executing the sequence , and , then the corresponding verification algorithms satisfy:
with overwhelming probability (in the security parameter ).
Definition 2.3.
wbsphack @@writeaux\newlabeldef:eufwcurrentlabel1wesphack For a PPT adversary and security parameter , we define the unforgeability under insider corruption experiment using the three oracles in Algorithms LABEL:alg:corrupt–LABEL:alg:confirm-oracle.
Using these three oracles, we define the unforgeability experiment as follows:
A withdrawable signature scheme is considered unforgeable under insider corruption with EUF-CMA security if, for all PPT adversaries , there exists a negligible function such that:
Definition 2.4.
wbsphack @@writeaux\newlabeldef:withdrawwcurrentlabel1wesphack Let be two generated public/secret key pairs, and let . For a randomly selected bit , a security parameter , and a PPT adversary , we build the withdrawability experiment with the oracle of Algorithm LABEL:alg:withdraw-oracle.
With this signing oracle, we have the following experiment:
A withdrawable signature scheme is withdrawable if, for any PPT adversary , and in the absence of the execution of the algorithm, there exists a negligible function such that:
2.3 Security definitions and computational assumptions
Definition 2.5.
wbsphack @@writeaux\newlabeldef:ds-eufwcurrentlabel1wesphack For a signature scheme and a PPT adversary , consider the following experiment :
-
1.
The challenger generates a key pair using the system parameters . It provides to while retaining to handle signature queries.
-
2.
receives access to the signing oracle that computes upon request.
-
3.
Eventually, outputs a forgery attempt .
-
4.
succeeds if and was not previously queried to .
We say that is -secure under EUF-CMA if no adversary running in time and making at most signing queries can succeed with probability greater than .
Definition 2.6.
wbsphack @@writeaux\newlabeldef:dvswcurrentlabel1wesphack A designated-verifier signature scheme consists of four probabilistic polynomial-time algorithms operating on key pairs for signers and for designated verifiers:
The key security property of schemes is non-transferability, which states that for any message-signature pair that validates under , it should be computationally infeasible to determine whether was produced by the signer using or simulated by the designated verifier using , without access to the signer’s secret key . The formal definition of this property follows:
Definition 2.7 (Non-transferability).
wbsphack @@writeaux\newlabeldef:nontranswcurrentlabel1wesphack For a designated-verifier signature scheme and a PPT adversary , consider the non-transferability experiment :
A achieves non-transferability if for any PPT adversary , there exists a negligible function such that:
The security of our scheme rests upon three fundamental lattice-based hardness assumptions. The Module Learning With Errors (MLWE) assumption provides protection against key-recovery attacks, ensuring the confidentiality of secret keys. The SelfTargetMSIS assumption establishes the security foundation against new message forgery attempts, preventing adversaries from generating valid signatures for previously unsigned messages. Finally, the MSIS assumption is essential for achieving strong unforgeability, which prevents even slight modifications of existing signatures.
Definition 2.8 (Module Learning With Errors (MLWE)).
wbsphack @@writeaux\newlabeldef:mlwewcurrentlabel1wesphack For integers and a probability distribution , the advantage of an algorithm in solving the decisional problem over the ring is defined as:
Definition 2.9 (Module Short Integer Solution (MSIS)).
wbsphack @@writeaux\newlabeldef:msiswcurrentlabel1wesphack For an algorithm , we define its advantage function in solving the (Hermite Normal Form) problem over the ring as:
Let denote the subset of elements in that have exactly coefficients equal to either or , with all remaining coefficients being . The cardinality of this set is given by .
Definition 2.10 (SelfTargetMSIS).
wbsphack @@writeaux\newlabeldef:stmsiswcurrentlabel1wesphack Let be a cryptographic hash function. For an algorithm , we define its advantage function as:
The above problems are hard if, for any PPT adversary , the respective advantages are negligible.
The intuition is that the MLWE assumption protects against key-recovery attacks, the SelfTargetMSIS is the assumption upon which new message forgery is based, and the MSIS assumption is needed for strong unforgeability. The decisional MLWE will be used to prove withdrawability.
3 Withdrawable signature schemes
3.1 The abstract construction
wbsphack @@writeaux\newlabelsec:abstractwcurrentlabel1wesphack In this section we provide a global construction for withdrawable signatures based on the Fiat–Shamir with aborts paradigm and prove the unforgeability and withdrawability as described in Definition LABEL:def:ws. This construction follows the paradigm described in [lyubashevsky2009] combined with ideas in [liu2023]. Let be the (bounded) challenge set and a random oracle. Sampling uniformly from is not well defined, and the challenge must be small enough that .
Theorem 3.1 ([lyubashevsky2009], Theorem 2).
wbsphack @@writeaux\newlabelthm:lyuwcurrentlabel1wesphack Let be an integer which is a power of . If the above signature scheme is not strongly unforgeable, then there is a polynomial-time algorithm that can solve , for and for every lattice corresponding to an ideal in the ring .
Taking the above scheme as starting point, we define a withdrawable lattice-based scheme as follows:
The proofs for Theorem LABEL:thm:unforge and Theorem LABEL:thm:withdraw below closely follow the structure of their analogous Theorems 12 and 13 in [liu2023]. The fundamental arguments remain valid when adapting the security assumptions to our context, with the primary distinction being the underlying signature scheme.
Assumption 1 (Commitment min-entropy).
wbsphack @@writeaux\newlabelass:entropywcurrentlabel1wesphack The commitment pair produced by an accepted run of has min-entropy at least ; for the concrete Dilithium parameter sets (and at level 2), so .
Remark 3.2 (Heuristic support for Assumption LABEL:ass:entropy).
Let be one output coordinate ( the first row of ). The input min-entropy exceeds by (level 2), (level 3), (level 5) bits, so under the module regularity of the SIS map is statistically close to , and has min-entropy . Conditioning on the constant-probability rejection event lowers this by bits. A fully rigorous bound needs a regularity lemma over with exact conditions for a completely split and the rejection-conditioned law of ; we therefore record the value as Assumption LABEL:ass:entropy.
Lemma 3.3 (Witness-free simulatability / naHVZK).
wbsphack @@writeaux\newlabellem:zkwcurrentlabel1wesphack There is a PPT algorithm , taking no secret key and fixing at a single point, such that for all honestly generated and all , the output of together with its induced -entry is within statistical distance of a genuine pair , conditioned on the programmed point being fresh. Concretely repeatedly samples and until both and (the same low-order test as ); it then sets , , programs , and returns .
Proof 3.4.
The verifier branch is produced by exactly this simulation already in , so it is identical in both distributions. The signer branch is one FS-with-aborts transcript; by the non-abort honest-verifier zero-knowledge of the base scheme its accepted output is within statistical distance of . Finally the law of agrees: in the real scheme and are uniform and independent and ; in both are uniform and is set to . Both yield with determined by the constraint.
Theorem 3.5.
wbsphack @@writeaux\newlabelthm:unforgewcurrentlabel1wesphack If the underlying signature scheme is EUF-CMA secure, then the publicly-verifiable core of Algorithms LABEL:alg:abs-keygen–LABEL:alg:abs-cverify is unforgeable under insider corruption in the (Q)ROM (the full designated scheme of Section LABEL:sec:sdvs inherits this via Proposition LABEL:prop:sdvs). For any adversary making signing, confirmation and random-oracle queries, there is an adversary such that, in the random-oracle model,
where is the per-proof simulation error of Lemma LABEL:lem:zk and the commitment min-entropy (Assumption LABEL:ass:entropy). The last term is the random-oracle programming loss; in the quantum random-oracle model it is replaced by the adaptive-reprogramming term of Remark LABEL:rem:qrom. The reduction incurs no multiplicative factor.
Remark 3.6.
Algorithms LABEL:alg:abs-keygen–LABEL:alg:abs-cverify form the publicly-verifiable core: Theorem LABEL:thm:withdraw establishes its origin ambiguity and Theorem LABEL:thm:unforge the unforgeability of its confirmation. The designated withdrawable signature of Definition LABEL:def:ws is the strong designated-verifier scheme of Section LABEL:sec:sdvs, which wraps this core and inherits both properties (Proposition LABEL:prop:sdvs).
Proof 3.7.
We use a short sequence of games; is the probability that game outputs . Throughout, (the OR-proof challenge oracle) is domain-separated from the random oracle of the underlying scheme of Definition LABEL:def:ds-euf; recall and iff and , with an injective encoding.
Game . The experiment of Definition LABEL:def:euf (Algorithm LABEL:alg:euf-exp). Thus .
Game . As , but is answered by of Lemma LABEL:lem:zk, programming the one induced -entry; if that entry is already defined the game raises and aborts. By a hybrid over the signing queries, each replacement changes ’s view by at most (Lemma LABEL:lem:zk) unless the programmed point already occurs in the -table; at that moment the table has at most entries and, by Definition LABEL:ass:entropy, is unpredictable with min-entropy , so a collision occurs with probability at most . Hence
In the signer key is used only inside , via : never returns ; now runs (no secret key); the oracles are key-independent; and the keys of parties are independent of .
We build against the -security of (Definition LABEL:def:ds-euf). gets a challenge key , a signing oracle and access to ’s random oracle . It generates a fresh encryption key pair itself and sets , so that parses and uses only the signing component while enters exactly as in an honest key; it never uses . It runs for all (so it holds ), sets , and runs , answering: by if and by otherwise (in particular it can deliver ); by lazy sampling consistent with programming; by relaying to its own oracle (it never programs ); by (aborting on ); and , for , by setting and returning . This is a perfect emulation of . When outputs , outputs .
If wins then , hence . The only messages sent to its signing oracle are for the confirmation queries , each of which placed into . Since , we have for all , so by injectivity of the forgery message is new. Thus wins, giving ; makes at most signing queries. Combining,
The reduction never rewinds and never extracts from the OR-proof (only its simulatability is used), so there is no multiplicative loss. Insider corruption is captured: holds and may hand it to , yet confirmation still needs , which never knows.
Remark 3.8 (QROM).
wbsphack @@writeaux\newlabelrem:qromwcurrentlabel1wesphack In the QROM the only changes are: (i) the simulation of programs at an adaptively chosen, high-min-entropy point under superposition queries, which is handled by the adaptive reprogramming lemma of Grilo–Hövelmanns–Hülsing–Majenz [grilo2021], turning the term into ; and (ii) Definition LABEL:def:ds-euf is taken in the QROM, which for Dilithium follows from and [ducas2017, kiltz2018]. The reduction is unchanged, as it relays to the (quantum) challenger and never programs it.
Theorem 3.9.
wbsphack @@writeaux\newlabelthm:withdrawwcurrentlabel1wesphack The scheme of Algorithms LABEL:alg:abs-keygen–LABEL:alg:abs-cverify is withdrawable. For any computationally unbounded adversary making at most signing and random-oracle queries,
where is the number of signing-oracle queries, the number of queries to , and are as in Lemma LABEL:lem:zk and Definition LABEL:ass:entropy. The bound is statistical, so it holds against computationally unbounded adversaries making at most random-oracle queries (assuming both key pairs are generated honestly by the experiment, as in Definition LABEL:def:withdraw). If instead may be chosen by , the bound gains an additive term (Definition LABEL:def:mlwe), see Remark LABEL:rem:wd.
Proof 3.10.
We bound of Definition LABEL:def:withdraw (Algorithm LABEL:alg:withdraw-exp). The experiment generates both key pairs honestly, sets , draws , and gives the challenge together with the signing oracle of Algorithm LABEL:alg:withdraw-oracle; finally outputs a guess and wins iff . Let be the witness-free simulator of Lemma LABEL:lem:zk; crucially depends only on the set (it simulates both branches), not on which party is the prover.
The whole view of consists of withdrawable signatures, all produced under the witness (the challenge and the oracle replies), plus ’s queries to .
Game (witness-free). Modify the experiment so that each of these signatures is produced by , programming the single induced -entry (and aborting on a clash). Since uses neither nor , the entire experiment – and hence the joint distribution of ’s view and output – is independent of . Writing , independence gives .
For let be the real experiment conditioned on that bit, and . We pass from to by replacing the signatures one at a time. Each step turns one into one ; by Lemma LABEL:lem:zk, applied with party as the real prover (valid because is honest, so is a genuine witness), the two are within statistical distance , provided the programmed point is fresh. By Definition LABEL:ass:entropy the commitment pair has min-entropy , so at any step the freshness fails with probability at most (the -table holds at most points). Summing over the hybrids,
Using ,
By the triangle inequality , hence
Every step is information-theoretic, so the bound holds against computationally unbounded adversaries that make at most random-oracle queries.
Remark 3.11 (Theorem LABEL:thm:withdraw in the QROM).
wbsphack @@writeaux\newlabelrem:qrom-wdwcurrentlabel1wesphack Theorem LABEL:thm:withdraw is stated in the classical ROM. Its only use of the random oracle is the witness-free simulation of , which programs at the adaptively chosen, high- min-entropy point (Assumption LABEL:ass:entropy). In the QROM the adaptive-reprogramming lemma of Grilo–Hövelmanns–Hülsing–Majenz [grilo2021] applies exactly as in Remark LABEL:rem:qrom, replacing the classical freshness term by ; the statistical, information-theoretic core of the argument is unchanged. For the no-hint instantiation the two real signing distributions are identical (Lemma LABEL:lem:perfectzk), so the / bound of Proposition LABEL:prop:sdvs is exact in both models and incurs no reprogramming term.
Remark 3.12 (Adversarial ; strong-DV variant).
wbsphack @@writeaux\newlabelrem:wdwcurrentlabel1wesphack Definition LABEL:def:withdraw generates both keys honestly, so the proof is statistical. In the stronger model where chooses , still simulates for any , but the two real provers require both statements to admit short witnesses; bridging an honestly generated to an adversarial one costs one decisional-MLWE step (Definition LABEL:def:mlwe), adding to the bound. For the strong designated-verifier scheme of Section LABEL:sec:sdvs, the same hybrid first replaces every signature by a simulated one and then replaces the two ciphertexts and the one-time pad by uniform strings; this yields , i.e. withdrawability against third parties as in Proposition LABEL:prop:sdvs, now made quantitative; non-transferability against the designated verifier is exactly the statistical statement proved above.
3.2 An instantiation
wbsphack @@writeaux\newlabelsubsec:instantiationwcurrentlabel1wesphack The general construction of Section LABEL:sec:abstract for a withdrawable digital signature scheme whose underlying scheme is built using the Fiat–Shamir with aborts paradigm was proven to be unforgeable under insider corruption and withdrawable. As a direct application of this proposal, in this section we present a withdrawable signature scheme based on a no-hint, full- Dilithium-style Fiat–Shamir-with-aborts signature [ducas2017]; adapting to production ML-DSA (with hints, and a nonzero ) is discussed after Corollary LABEL:cor:concrete. The verification algorithm below is public; it serves as a building block () that Section LABEL:sec:sdvs encrypts to the designated verifier to obtain the strong designated-verifier withdrawable signature of Definition LABEL:def:ws.
Taking the above algorithm as starting point and following the general construction in Section LABEL:sec:abstract, it is straightforward to set a withdrawable digital signature based on Dilithium.
Since Dilithium relies on the hardness of MSIS, Theorem LABEL:thm:unforge applies to prove that the proposal below is unforgeable under insider corruption. Theorem LABEL:thm:withdraw then proves withdrawability of the honest-key public core statistically, under Assumption LABEL:ass:entropy and perfect naHVZK; the hardness of the decisional MLWE problem is used only for adversarially chosen verifier keys (Remark LABEL:rem:wd) and for the privacy of the encryption layer in Section LABEL:sec:sdvs.
Below follows the withdrawable signature based on Dilithium:
Throughout, the signer instance of a key pair is written with , and the verifier instance ; the primes are the per-party renaming of the generic output by .
Remark 3.13.
wbsphack @@writeaux\newlabelrem:symwcurrentlabel1wesphack is invoked by either party: the caller runs its own branch for real (with the rejection loop) and simulates the other from the accepted distribution above. A verifier signs by swapping the roles of and . Because both branches are now drawn from the accepted low-order distribution, the two invocations produce identically distributed (Lemma LABEL:lem:perfectzk, ), and the public predicates and hold simultaneously, revealing nothing about the origin.
Remark 3.14 (Correctness).
wbsphack @@writeaux\newlabelrem:rrwcurrentlabel1wesphack For the real branch, the rejection condition yields ; the simulated branch matches by construction; and by definition of . Hence accepts honest signatures, and accepts by correctness of . The quantity of the original construction is no longer used, so the former identity is unnecessary.
Instantiation of and .
Our scheme uses the no-hint identification scheme: verification recomputes from the full (no split, no hint). For this scheme the simulator of Lemma LABEL:lem:zk is perfect.
Lemma 3.15 (Perfect naHVZK).
wbsphack @@writeaux\newlabellem:perfectzkwcurrentlabel1wesphack Conditioned on the programmed -point being fresh, the simulator of Lemma LABEL:lem:zk produces a transcript identically distributed to a genuine ; that is, .
Proof 3.16.
Fix the challenge (uniform in the real game as is a random oracle, and uniform in the simulation by programming a fresh point). In , is uniform over and ; conditioned on , is uniform over , because each target in that box has a unique in-range preimage (as ). The further test equals (since ), a function of and the public only; and the recomputed commitment is . The corrected simulator (Lemma LABEL:lem:zk) draws uniformly over with the identical low-order test and sets . Hence the conditional law of is identical in both, and the verifier branch is produced by the same simulation on both sides. The transcripts therefore coincide.
| Dilithium2 / ML-DSA-44 | |||||
|---|---|---|---|---|---|
| Dilithium3 / ML-DSA-65 | |||||
| Dilithium5 / ML-DSA-87 |
Corollary 3.17 (Concrete security).
wbsphack @@writeaux\newlabelcor:concretewcurrentlabel1wesphack Instantiated with no-hint Dilithium, the scheme has (Lemma LABEL:lem:perfectzk) and (Assumption LABEL:ass:entropy). Hence, for any adversary making signing and random-oracle queries, Theorems LABEL:thm:unforge and LABEL:thm:withdraw give
Unforgeability reduces to the EUF-CMA security of the underlying no-hint Dilithium-style signature (up to the programming term), whereas withdrawability follows statistically from perfect naHVZK () and Assumption LABEL:ass:entropy, up to the same programming term; it does not reduce to EUF-CMA.
Remark 3.18 (Hint-optimised Dilithium).
Production Dilithium publishes (not ) plus a hint , which trades the exact recovery for . That variant has a small, standard naHVZK defect in place of and slightly smaller signatures; our no-hint choice keeps the proofs clean (perfect naHVZK) at a modest size cost. Either way the asymptotic and concrete security are governed by the same and terms.
3.3 Strong designated-verifier variant
wbsphack @@writeaux\newlabelsec:sdvswcurrentlabel1wesphack
The scheme of Sections LABEL:sec:abstract and 3.2 is publicly verifiable. To match the Liu–Baek–Susilo model [liu2023], where a withdrawable signature is verifiable only by the designated verifier, we upgrade it to a strong designated-verifier (SDVS) scheme: we hybrid-encrypt the publicly-verifiable signature to the verifier (and to the signer, so that stays stateless). Write for the scheme of Section LABEL:subsec:instantiation (Algorithms LABEL:alg:dil-wsign–LABEL:alg:dil-cverify), where is public; is as amended (each party holds ). Let denote a public ring signature and its bit length.
Remark 3.19 (Scope of confirmed verification).
wbsphack @@writeaux\newlabelrem:cverify-scopewcurrentlabel1wesphack certifies that the signer authenticated the outer object (via ) and that the revealed pad opens to a public core that passes . It does not publicly certify ciphertext consistency, i.e. that and encrypt the same : for randomised this cannot be checked without opening the encryption randomness. Confirmation is therefore a signer-authenticated opening of to a valid ambiguous core, which is all correctness (Definition LABEL:def:correct) and unforgeability (Theorem LABEL:thm:unforge) require; it does not retroactively attest that the designated verifier could decrypt prior to confirmation. For honestly generated the two ciphertexts do share , so as stated.
Proposition 3.20 (SDVS variant).
wbsphack @@writeaux\newlabelprop:sdvswcurrentlabel1wesphack Assume has ciphertext pseudorandomness (advantage ) and is a secure PRG. Then Algorithms LABEL:alg:sdvs-wsign–LABEL:alg:sdvs-cverify form a correct withdrawable signature (Definitions LABEL:def:ws–LABEL:def:withdraw) with designated verification, and:
-
•
(Designated verification / privacy.) Without or , is pseudorandom; in particular third parties cannot publicly verify ; recovering (and hence verifying) requires a decryption key, so both the designated verifier (via ) and the signer (via ) can verify.
-
•
(Withdrawability.) For any PPT third-party adversary making signing and random-oracle queries, , where is the ciphertext-pseudorandomness advantage of . Against an adversary holding the full verifier secret key the bound is : by the perfect naHVZK of Lemma LABEL:lem:perfectzk the verifier branch is identically distributed whether produced for real or simulated, so the witness confers no distinguishing power. This equals exactly for the no-hint Dilithium instantiation.
-
•
(Unforgeability under insider corruption.) Reduces to the EUF-CMA security of exactly as in Theorem LABEL:thm:unforge; the reduction chooses and the ciphertexts itself, hence needs no secret key.
Proof 3.21.
The strong-DV algorithms (Algorithms LABEL:alg:sdvs-wsign–LABEL:alg:sdvs-cverify) are built on the public core
of Section LABEL:subsec:instantiation, a public-key encryption scheme with decryption-failure probability and ciphertext-pseudorandomness advantage (i.e. for any message , is indistinguishable from a uniform ciphertext given but not ; this implies IND-CPA and key-privacy), and a PRG with advantage . Recall , , , , , .
The verifier recovers and , so
by correctness of the core. recovers the same via and outputs , ; then makes the following verifications: (true), , and , all of which hold. The error is at most plus the negligible correctness errors of the core and of .
We show is pseudorandom to any party lacking both . Hybrids: real ; replaces by a uniform string; also replaces by a uniform string; also replaces by a uniform string . Each PKE step costs (the reduction picks , embeds the challenge as resp. , and computes the rest from the known ; no decryption key is used); the PRG step costs (in , feeds only ). In , is uniform and independent of , so is uniform. Hence . Consequently no public procedure can decide validity of (it would distinguish from ); verification requires a decryption key, so the designated verifier (via ) and the signer (via ) can verify, while third parties cannot.
In Definition LABEL:def:withdraw the adversary holds no secret keys and sees signatures (challenge and oracle replies) under the bit . Applying the previous hybrid to each, every signature is within of uniform independently of (a uniform reveals neither nor which keys were used). Thus each of the two conditional views is within of the same -independent all-uniform view, whence
If holds the full verifier secret key (in particular its ), it decrypts and recovers ; the ciphertexts and are then determined by and carry no further information about . Here we do not route through the simulator/programming hybrid of Theorem LABEL:thm:withdraw; instead we compare the two real public-core distributions and directly. In each, one branch is produced for real and the other is drawn from the accepted low-order distribution, and in both cases the challenge is read from the honest random oracle. By the per-branch naHVZK of Lemma LABEL:lem:zk, a real accepted branch and a simulated accepted branch are within statistical distance as distributions, with no oracle reprogramming; hence the two real signing distributions are within per signature, and no freshness term is incurred. Summing over the signatures, . For the no-hint Dilithium instantiation (Lemma LABEL:lem:perfectzk), so the two real distributions are identical and the excess advantage is exactly : even the designated verifier cannot tell whether it or the signer produced .
The reduction is that of Theorem LABEL:thm:unforge, with the reduction performing the encryption itself. receives the -challenge key , sets , receives the -challenge key (the signing component only). It generates a fresh encryption key pair itself and sets , keeping private; it never uses (confirmation replies are served from stored , and signing queries encrypt under the public ). It generates all other keys honestly (so it holds and may give it to ). It answers: by simulating with the witness-free simulator of Lemma LABEL:lem:zk (programming ), drawing , setting , , , storing in , and returning ; and , for , by retrieving the stored and returning through the signing oracle. Thus uses neither nor any decryption key. A confirmed forgery with never confirmed satisfies on the fresh message , which outputs. As in Theorem LABEL:thm:unforge,
with no contribution from or (which evaluates honestly).
3.4 Comparison with Liu–Baek–Susilo
wbsphack @@writeaux\newlabelsec:comparisonwcurrentlabel1wesphack
Our construction realises the same primitive and the same security model as Liu, Baek and Susilo [liu2023]: the syntax of Definition LABEL:def:ws and the security notions of Definitions LABEL:def:correct, LABEL:def:euf and LABEL:def:withdraw are theirs, and we follow their two-stage “withdraw, then confirm” template. The differences are confined to the construction, and each of them follows from a single structural fact about lattices.
Root cause: the group shared secret has no cheap lattice analogue.
The designation mechanism of [liu2023] is, at its core, a Diffie–Hellman (or pairing) shared secret embedded in the signature. In their Schnorr-based scheme the withdrawable signature contains , which the designated verifier checks by raising to its secret key via ; the BLS-based scheme uses in the same way. A single algebraic object thereby delivers both properties required of a withdrawable signature at once: signer/verifier ambiguity — either party can compute from its own secret — and designation — verification requires — using nothing but the parties’ ordinary public keys, in effect a non-interactive key agreement (NIKE). This shared secret is essentially free in a group but has no cheap lattice counterpart: the noisy analogue of agrees only approximately, so a literal transcription that blinds the signature by a uniform matrix leaves a residue that the verifier cannot cancel (it is given , never ). Lattice NIKE is in fact possible: after a long line of negative evidence, including information-theoretic efficiency barriers for polynomial-modulus reconciliation [guo2022], the recent SWOOSH scheme [gajland2024] gives the first practical M-LWE NIKE — but at a cost (public keys of hundreds of kilobytes, a super-polynomial modulus-to-noise ratio, and a NIZK for active security) well above what designation needs. Crucially, designation does not require a shared secret at all: it only needs to deliver a key to the designated verifier, which is public-key encryption — a weaker and far cheaper primitive. We therefore keep ambiguity and designation as separate mechanisms, an OR-proof for the former and encryption for the latter; this is the origin of every row of Table LABEL:tab:comparison.
| Aspect | Liu–Baek–Susilo [liu2023] | This work | Reason |
|---|---|---|---|
| Designation of | enters the verification exponent (Diffie–Hellman / pairing) | encrypt to via a PKE | no free shared secret |
| Signer/verifier ambiguity | algebraic symmetry of | two-party FS-with-aborts OR-proof (witness-indist.) | no DH symmetry |
| Confirmation | re-derive shared randomness ; rebuild a linked | ordinary signature | FS randomness not reusable |
| Key material | one key pair (signing designation) | signing key pair encryption key pair | signing key cannot designate |
| Withdrawability from | DDH (Schnorr) / DBDH (BLS) | decisional MLWE (PKE) statistical WI | lattice counterpart |
| Unforgeability from | CDH / DL | MSIS / SelfTargetMSIS | lattice counterpart |
| Overall structure | monolithic designated-verifier object | public ambiguous core encryption layer | composition forced |
Ambiguity and confirmation.
For ambiguity we use a two-clause Fiat–Shamir-with-aborts OR-proof (Algorithm LABEL:alg:dil-wsign): a proof of knowledge of a short witness for or for , which either party can produce by executing its own branch and simulating the other. This is the natural lattice substitute for the group symmetry, and it agrees with the authors’ own description of withdrawable signatures as two-party ring signatures augmented with a transformation stage [liu2023]. For confirmation, where [liu2023] reconstructs the shared randomness and rebuilds an algebraically linked , we let emit an ordinary signature on the entire withdrawable object: the masking randomness of Fiat–Shamir with aborts is not reusable in the way a discrete-logarithm nonce is, and binding by a signature is both simpler and reducible to the unforgeability of the underlying scheme (Theorem LABEL:thm:unforge).
Designation by encryption: a PKE, not a KEM.
Lacking the free shared secret, we transport the designation explicitly: the scheme of Section LABEL:sec:sdvs encrypts the publicly verifiable, ambiguous signature to the verifier, so that only a holder of can recover and check it. This encryption must place the same chosen key under two public keys: , so that the verifier can decrypt and verify, and , so that the signer can decrypt and run statelessly (it is given only ). A key-encapsulation mechanism returns a fresh random key for each encapsulation and recipient, so and would produce two independent keys and the parties could never reconstruct the same ; delivering one shared chosen to both recipients is exactly encryption of a chosen message, i.e. a public-key encryption scheme. We therefore instantiate with the CPA-secure module-LWE encryption underlying ML-KEM (Kyber), and not with the KEM itself. This encryption is precisely what the group construction obtains for nothing: there the shared key is the Diffie–Hellman value that both parties derive from their public keys, so [liu2023] require no encryption at all, whereas we must transport it — and to both parties — which is why a public-key encryption scheme appears in our construction where theirs has none.
Consequences.
The two schemes rest on parallel hardness assumptions: decisional MLWE replaces DDH/DBDH for withdrawability, and MSIS/SelfTargetMSIS replace CDH/DL for unforgeability. The lattice route is less compact — an extra encryption key pair per party, and a withdrawable signature carrying two ciphertexts and a one-time pad rather than three group elements — but it gains two properties: the withdrawable signature is pseudorandom, concealing from outsiders even the existence of a signature, and non-transferability against the designated verifier is perfect ( for the no-hint instantiation) rather than computational. We regard these as necessary adaptations of the Liu–Baek–Susilo notion to the post-quantum setting rather than departures from it.
4 Conclusion and future research
This work uses the ideas in [liu2023] to extend the Fiat–Shamir with aborts paradigm [lyubashevsky2009] with withdrawability and defines a general construction for withdrawable lattice-based digital signature schemes.
We demonstrated our approach by creating a withdrawable version of Dilithium, though the same principles could be applied to other signature schemes like HAETAE [cheon2024]. Our construction maintains the security properties of the underlying signature scheme while adding the ability to withdraw signatures when needed by the signer.
Several directions remain for future research, including optimizing our construction’s efficiency and exploring additional features such as blindness, multiparty capabilities, or enhancing this construction with extended withdrawability, where rather than limiting verification to a specific entity, we can ensure the universal verifiability of the withdrawable signature by employing any signature scheme that can maintain signer ambiguity (this is work done in [liu2024]).
Another potential line of research is given by practical applications, particularly how these constructions could enhance quantum resistance in blockchain systems. The ability to withdraw signatures could prove valuable in blockchain environments where transaction revocation is desirable but traditionally difficult to implement.
References
uxtagasecondoftwo