 Research
 Open access
 Published:
Efficient postquantum secure deterministic wallet scheme
Cybersecurity volume 7, Article number: 24 (2024)
Abstract
Since the advent of Bitcoin, cryptocurrencies have gained substantial popularity, and crypto wallets have evolved into the predominant tool for safeguarding and managing cryptographic keys to access cryptocurrency funds. Deterministic wallets are proposed as an advanced wallet mechanism to provide benefits such as lowmaintenance, easy backup and recovery, and support for functionalities required by cryptocurrencies. Alkeilani Alkadri et al. (ACM CCS’20) presented the first postquantum secure deterministic wallet scheme, but it exhibits a gap to bridge before achieving practical applicability, as reflected in both their concrete parameters size and computational efficiency. In this paper, we propose an efficient postquantum secure deterministic wallet scheme. In particular, we present a new construction method for deterministic wallets, prove the security in the quantum random oracle model, and provide an efficient instantiation. The comparison result, with the work of Alkeilani Alkadri et al. (ACM CCS’20), shows our work has a comprehensive improvement on efficiency, e.g., the pk size is \(\approx 40.7\) times shorter, sk is \(\approx 9.2\) times shorter, and the signing time is \(\approx 3.1\) times faster.
Introduction
Since the introduction of Bitcoin Nakamoto (2009), cryptocurrencies have developed tremendously as they provide a revolutionary payment paradigm. In most cryptocurrencies, balance updates are executed via transactions between coinaddresses, and digital signature (NIST 2021; Rivest et al. 1978) is employed to enable users to own and spend their coins. Specifically, each coin is assigned to a coinaddress that technically is represented by a public key of a digital signature scheme, implying that the coin belongs to the owner of the public key. If a coin owner wants to spend the coin on a public key pk, it needs to generate a transaction tx and a signature \(\sigma\) such that \((\textsf {tx}, \sigma )\) constitutes a valid (message, signature) pair w.r.t. pk, authenticating the spending of the coin by this transaction. In this setting, the secret keys naturally became a highly attractive target for attacks since the users control funds through secret keys. Therefore, key management plays a crucial role in cryptocurrencies and it needs to work like a wallet for the coins.
Deterministic wallets (Buterin 2013) has been accepted as one of the most prominent solutions in the community for safeguarding the security of the keys in cryptocurrency. At a high level, a deterministic wallet consists of two components: a hot wallet and a cold wallet, along with a deterministic key derivation mechanism. The hot wallet is permanently connected to the network, while the cold wallet stores the secret key and comes online only rarely (e.g., when a large amount of money needs to be transferred). This effectively reduces the exposure chance of secret keys and achieves enhanced safety of the coins. More concretely, after an initialization phase, a master key pair (mpk, msk) is generated, where the master secret key msk is stored in the cold wallet, while the hot wallet retains the corresponding master public key mpk. The deterministic key derivation mechanism enables both the cold and hot wallets to derive matching secret and public session keys without any interaction. As the name deterministic wallet implies, the deterministic property means that all keys in a wallet are deterministically generated from a ‘seed’, which allows the wallet owner to recover all keys from the seed when necessary (e.g., when the device hosting the wallet crashes). As formalized by Das et al. (2019), deterministic wallets provide two security guarantees. The first is wallet unforgeability, which states that once coins have been sent to the cold wallet, they must remain secure even if the hot wallet was compromised. The second is wallet unlinkability, which guarantees that session public keys generated from the same master public key mpk are computationally indistinguishable from freshly generated session public keys.
There is an evident need to design quantumsecure alternatives of currently deployed cryptocurrency protocols since most cryptographic primitives used by cryptocurrencies today can be broken by quantum adversaries. Most notably, the ECDSA signature scheme that is implemented by nearly all popular cryptocurrencies relies on the hardness of computing discrete logarithms, which can be broken by the Shor algorithm (Shor 1994). Among the available options, latticebased cryptography has emerged as one of the most promising branches of postquantum secure cryptography, as it enables elegant and practical schemes that come with strong security guarantees against quantum attackers (Li et al. 2023; Alkim et al. 2020). Alkeilani Alkadri et al. (2020) presented the first postquantum secure deterministic wallet scheme from the Fiat–Shamir with aborts latticebased signature framework, but their concrete parameters size (e.g., the public verification key size and the secret signing key size) and computational efficiency still exhibits a gap to bridge for practical applicability. There are essentially two paradigms for latticebased signatures: the Fiat–Shamir with aborts framework (Lyubashevsky 2009, 2012) and the hashandsign GPV framework (Gentry et al. 2008). However, as far as we know, no postquantum secure deterministic wallet that adopts the hashandsign GPV framework has been introduced so far. As evidenced by Espitau et al. (2022, Abstract), latticebased digital signature schemes following the hashandsign GPV framework offer an attractive level of efficiency, particularly when instantiated with structured compact lattices. In this work, we fill this theoretical gap and analyze the efficiency improvement when instantiated with structured compact NTRU lattices.
Contributions
In this work, the main contribution is presenting an efficient postquantum secure deterministic wallet scheme, which is threefold: A new construction method for postquantum secure deterministic wallet schemes; A provably secure deterministic wallet construction in the quantum random oracle model; An efficient instantiation from compact NTRU lattice.
A new construction method for postquantum secure deterministic wallet scheme. On the construction, similar to Alkeilani Alkadri et al. (2020), our deterministic wallet scheme is also constructed based on a signature scheme with rerandomizable public keys (RKS), but the difference is that our RKS scheme is based on a latticebased signature scheme from hashandsign GPV framework (LHS), while Alkeilani Alkadri et al.’s RKS scheme is based on the latticebased signature scheme Fiat–Shamir with aborts framework. In addition, we give a new formalization for deterministic wallets, specifically, we expand upon the prior syntax (Alkeilani Alkadri et al. 2020; Das et al. 2019) by introducing a randomness generation algorithm DW.RandGen. It enables a more natural key derivation since it only requires the input of the master public/secret key and a randomness \(\rho _{_{I\!D}}\) from DW.RandGen, that is
rather than \((pk_{_{I\!D}}, St_{i})\leftarrow \textsf {DW.PKDer}(mpk, I\!D, St_{i1})\) as in prior works (Alkeilani Alkadri et al. 2020; Das et al. 2019) that need to input an identifier \(I\!D\) and an original state \(St_{i1}\). Accordingly, we also augment the underlying signature scheme RKS with a randomness generation algorithm RKS.RandGen (cf. Definition 3). This mode is also beneficial for practical implementation because in this way randomness can be generated offline, enabling offlineonline mode support for key derivation.
The key derivation mechanism plays a key role in wallets. In our construction, since the underlying hashandsign GPV framework is trapdoor enabled, we could introduce the lattice basis delegation algorithm to realize the session keys derivation mechanism. Therefore, we believe our work not only fills the theoretical gap that no postquantum secure deterministic wallet that adopts the hashandsign GPV framework, but also could be taken as a stepping stone for further research on the trapdoor enabled deterministic wallets, as there is a flourish of researches being conducted on techniques related to lattice trapdoor (Agrawal et al. 2010a, b; Cash et al. 2010; Micciancio and Peikert 2012). However, although we can instantiate our construction efficiently in this mode, the degradation of lattice basis/trapdoor quality^{Footnote 1} caused by the lattice basis delegation algorithms leads to a larger signature size. Therefore, how to further reduce the signature size (e.g., employ or design a new lattice basis delegation algorithm) will be worth studying as future work.
Provably secure in the quantum random oracle model. We note that our construction has three levels, from bottom to top they are the latticebased signature scheme from hashandsign GPV framework (LHS), the signature scheme with rerandomizable public keys (RKS), and the deterministic wallet scheme (DW). Therefore, for the security proof, we first need to reduce the security of the LHS to the security of the intermediate RKS (cf. Theorem 3). Then we need to further reduce the security of the RKS to the security of the DW (cf. Theorem 2). The security of the LHS scheme in QROM was analyzed in several works (Boneh et al. 2011; Chailloux and DebrisAlazard 2020; Fouque et al. 2018). We prove the Theorem 2, i.e., the security reduction from RKS to DW, in a similar manner with Alkeilani Alkadri et al. (2020) at an additive polynomial reduction loss. We prove the Theorem 3, i.e., the security reduction from LHS to RKS, by showing a perfect simulation with the leveraging of the simulation tool SampleRwithBasis (Agrawal et al. 2010b). In addition, we conducted a quantitative analysis of the reduction loss incurred by our security reductions and considered it in our experiments (cf. “Parameters setting” section).
Efficient instantiation from compact NTRU lattice. In cryptocurrencies, transaction throughput is important, which is dominated by the public key size and the signature size of the wallet scheme. Furthermore, in signaturebased cryptographic schemes, the overall efficiency performance of the scheme (such as signature size, signing time, etc.) is often closely related to the secret signing key size. In this regard, Alkeilani Alkadri et al. (2020) posed the construction of an efficient postquantum secure deterministic wallet scheme as an open problem. As we mentioned earlier, there are essentially two latticebased signature paradigms: the Fiat–Shamir with aborts framework (Lyubashevsky 2009, 2012) (that the work of Alkeilani Alkadri et al. (2020) based) and the hashandsign GPV framework (Gentry et al. 2008) (that our work based). We present an efficient instantiation from the NTRU latticebased signature scheme Falcon (Fouque et al. 2018), and provide an implementation. Finally, we compare our work with the stateoftheart deterministic wallet proposed by Alkeilani Alkadri et al. (2020) under the same security level. Our comparison result shows that our work has a comprehensive improvement on efficiency (cf. “Implementation” section).
Related work
We provide a further comparison with related work. Prior to the security model for hot/cold wallets formalized by Das et al. (2019), there were also works aimed to present provably secure deterministic wallet schemes. For example, Liu et al. (2019) proposed an ‘identitybased signature’ like signature scheme, which was later adapted to lattice setting by Liu et al. (2020), however, it was proven in a random oracle rather than a quantum random oracle, and the public key and signature sizes of their construction are too large for practical use (cf. Liu et al. 2020, Section 1.1). More recently, the signature scheme was transformed into a deterministic wallet scheme by Liu et al. (2022) but lacking quantum security. Until recently, Das et al. (2019) first formalized the security model for hot/cold deterministic wallets and provided a construction, however, it was not postquantum secure. Building upon the framework of Das et al. (2019), Erwig and Riahi (2022) presented a novel deterministic wallet based on a new cryptographic primitive called adaptor signatures, but it was not postquantum secure.
There are also researches on hierarchical variants, i.e., hierarchical deterministic wallets (Das et al. 2021; Di Luzio et al. 2020; Fan et al. 2020; Gutoski and Stebila 2015; Yin et al. 2022), which can be applied in hierarchical organizations (e.g., large companies and institutions) to support use cases such as treasurers allocating funds to departments. However, to the best of our knowledge, no quantumsecure hierarchical deterministic wallet has been introduced so far. Therefore, it is a promising direction for future research to extend our methods to hierarchical variants.
Definitions
In this section, we introduce the syntax and relevant security notions for signatures and deterministic wallets.
Definitions for signatures
Definition 1
(Signature Scheme) A signature scheme SIG := (SIG.KeyGen, SIG.Sign, SIG.Ver) is a triple of algorithms, SIG.KeyGen, SIG.Sign, and SIG.Ver, where SIG.KeyGen is called a key generation algorithm, SIG.Sign is called a signing algorithm, and SIG.Ver is called a verification algorithm.

SIG.KeyGen is a probabilistic algorithm that is invoked as \((pk,sk)\leftarrow \textsf {SIG.KeyGen}(1^n)\), where n is the security parameter, sk is called a secret signing key, and pk is called a public verification key. The algorithm outputs the key pair (pk, sk).

SIG.Sign is a probabilistic algorithm that is invoked as \(\sigma \leftarrow \textsf {SIG.Sign}(sk,\mu )\), where sk is a signing key and \(\mu\) is a message. The algorithm outputs a signature \(\sigma\).

SIG.Ver is a deterministic algorithm that is invoked as \(1/0\leftarrow \textsf {SIG.Ver}(pk,\mu ,\sigma )\). The algorithm outputs 1 if signature \(\sigma\) is valid and 0 otherwise.
Correctness: A signature scheme SIG is correct, let \({\mathcal {M}}\) be the message space, for all \(n\in {\mathbb {N}}\), any key pair \((pk,sk)\leftarrow \textsf {SIG.KeyGen}(1^n)\), any message \(\mu \in {\mathcal {M}}\), and any signature \(\sigma \leftarrow \textsf {SIG.Sign}(sk, \mu )\), we have the following holds (over all the randomness in the experiment).
In this work we will use the standard security notion of existential unforgeability under adaptive chosenmessage attacks (Goldwasser et al. 1988) (EUFCMA). Below we formalize the EUFCMA security notion for a signature scheme SIG through the following security game between an adversary \({\mathcal {A}}\) and a challenger \({\mathcal {C}}\).

\({\mathcal {C}}\) runs \((pk,sk)\leftarrow \textsf {SIG.KeyGen}(1^n)\) and sends pk to \({\mathcal {A}}\).

\({\mathcal {A}}\) selects messages \(\mu _1,\ldots ,\mu _{q_{\textsf {s}}}\) to query for the corresponding signatures under pk from \({\mathcal {C}}\). For the query \(\mu _i\), \({\mathcal {C}}\) responds with a signature \(\sigma _{i}\leftarrow \textsf {SIG.Sign}(sk,\mu _{i})\).

\({\mathcal {A}}\) outputs a pair \((\mu ^*,\sigma ^*)\) and wins if

1.
\(\mu ^*\notin \{\mu _1,\ldots ,\mu _{q_{\textsf {s}}}\}\), and

2.
\(1\leftarrow \textsf {SIG.Ver}(pk,\mu ^*,\sigma ^*)\).

1.
We refer to such an adversary \({\mathcal {A}}\) as EUFCMA adversary. We define the advantage \(\textsf {Adv}_{\mathcal {A}}^{\textsc {eufcma}}\) of \({\mathcal {A}}\) in attacking a signature scheme SIG to be the probability that \({\mathcal {A}}\) wins above game, that is \(\textsf {Adv}_{{\mathcal {A}}}^{\textsc {eufcma}}=\Pr [{\mathcal {A}}~succeeds]\).
Definition 2
(EUFCMA Security) For a security parameter n, let \(t=t(n)\), \(q_\textsf {s}=q_\textsf {s}(n)\), and \(\epsilon =\epsilon (n)\). A signature scheme SIG is \((t,q_\textsf {s},\epsilon )\) EUFCMA secure if for any t time EUFCMA adversary \({\mathcal {A}}\) that makes at most \(q_\textsf {s}\) signing queries such that \(\textsf {Adv}_{\mathcal {A}}^{\textsc {eufcma}}\le \epsilon\).
We will use the following notion of signature schemes with rerandomizable public keys from Alkeilani Alkadri et al. (2020), Das et al. (2019), which is a relaxed version of the notion of signature schemes with rerandomizable keys from Fleischhacker et al. (2016) since it holds only for the generated public keys, but not in case of secret keys. In our setting, this notion is augmented with an additional algorithm RKS.RandGen.
Definition 3
(Signature Scheme with Rerandomizable Public Keys) A signature scheme with rerandomizable public keys RKS is a tuple of algorithms RKS := (RKS.KeyGen, RKS.RandGen, RKS.RandPK, RKS.RandSK, RKS.Sign, RKS.Ver) where algorithms (RKS.KeyGen, RKS.Sign, RKS.Ver) satisfy the definition of a standard signature scheme as defined above (cf. Definition of SIG). For randomness space \({\mathcal {R}}\), (RKS.RandGen, RKS.RandPK, RKS.RandSK) are three polynomialtime algorithms such that

RKS.RandGen is a deterministic algorithm which takes as input a seed \(\gamma\) and outputs randomness \(\rho \in {\mathcal {R}}\), i.e., it is invoked as \(\rho \leftarrow \textsf {RKS.RandGen}(\gamma )\).

RKS.RandPK is a deterministic algorithm that is invoked as \(pk'\leftarrow \textsf {RKS.RandPK}(pk,\rho )\), where pk is a public verification key and \(\rho \in {\mathcal {R}}\) is a randomness. The algorithm outputs a randomized public verification key \(pk'\).

RKS.RandSK is a deterministic algorithm that is invoked as \(sk'\leftarrow \textsf {RKS.RandSK}(sk,\rho )\), where sk is a secret signing key and \(\rho \in {\mathcal {R}}\) is a randomness. The algorithm outputs a randomized secret signing key \(sk'\).
The RKS has a property that is the rerandomizability of public keys, which ensures the distributions of the output rerandomized public keys are identical. In our setting, we adopt the relaxed version of that property, the distributions of the output rerandomized public keys are statistically indistinguishable.
Rerandomizability of public keys: For any \((pk,\cdot )\leftarrow \textsf {RKS.KeyGen}(1^n)\) and any randomness \(\rho \in {\mathcal {R}}\), the distributions of \(pk'\) and \(pk''\) are statistically indistinguishable, where \(pk'\leftarrow \textsf {RKS.RandPK}(pk,\rho )\) and \((pk'',\cdot )\leftarrow \textsf {RKS.KeyGen}(1^n)\).
Correctness: For any \(n\in {\mathbb {N}}\), any key pair \((pk,sk)\leftarrow \textsf {RKS.KeyGen}(1^n)\), any message \(\mu \in {\mathcal {M}}\), and any signature \(\sigma \leftarrow \textsf {RKS.Sign}(sk,\mu )\), it holds that
and all randomness \(\rho \leftarrow \textsf {RKS.RandGen}(\gamma )\), for a pair of rerandomized keys \(pk'\leftarrow \textsf {RKS.RandPK}(pk,\rho )\) and \(sk'\leftarrow \textsf {RKS.RandSK}(sk,\rho )\), it holds that
We also use the security notion of EUFCMAHRK honestly rerandomizable keys of prior works (Alkeilani Alkadri et al. 2020; Das et al. 2019). The ‘honestly’ means that the underlying randomness used in signing oracle queries and valid signature forging was obtained honestly by querying the Rand oracle. Below we formalize the EUFCMAHRK security notion for a signature scheme with rerandomizable public keys RKS through the following security game between an adversary \({\mathcal {A}}\) and a challenger \({\mathcal {C}}\).

\({\mathcal {C}}\) initializes two empty lists (R, M) and runs \((pk,sk)\leftarrow \textsf {RKS.KeyGen}(1^n)\). Finally, \({\mathcal {C}}\) sends pk to \({\mathcal {A}}\).

\({\mathcal {A}}\) is given access to Rand oracle to derive a randomness. To respond that, \({\mathcal {C}}\) chooses \(\rho \xleftarrow {_{_\$}}{\mathcal {R}}\) and sets \(R~:=~R\cup \{\rho \}\). Finally, \({\mathcal {C}}\) sends \(\rho\) to \({\mathcal {A}}\).

\({\mathcal {A}}\) is also given access to the signing oracle Sign. Concretely, \({\mathcal {A}}\) sends the pairs \((\mu _1, \rho _1),\dots ,(\mu _{q_{\textsf {s}}}, \rho _{q_{\textsf {s}}})\) to \({\mathcal {C}}\). For each pair \((\mu _i, \rho _i)\), the game aborts if \(\rho _i\notin R\), \({\mathcal {C}}\) computes \(sk_i'\leftarrow \textsf {RKS.RandSK}(sk,\rho _i)\) and \(\sigma _i\leftarrow \textsf {RKS.Sign}(sk_i', \mu _i)\), then \({\mathcal {C}}\) sets \(M~:=~M\cup \{\mu _i\}\) and sends \(\sigma _i\) to \({\mathcal {A}}\).

\({\mathcal {A}}\) outputs a tuple \((\mu ^*,\sigma ^*,\rho ^*)\) and wins if

1.
\(\mu ^*\notin M\), and

2.
\(\rho ^*\in R\), and

3.
\(1\leftarrow \textsf {RKS.Ver}({pk^*}',\mu ^*,\sigma ^*)\) where \({pk^*}'\leftarrow \textsf {RKS.RandPK}(pk,\rho ^*)\).

1.
We refer to such an adversary \({\mathcal {A}}\) as EUFCMAHRK adversary. We define the advantage \(\textsf {Adv}_{\mathcal {A}}^{\textsc {eufcmahrk}}\) of \({\mathcal {A}}\) in attacking a signature scheme with rerandomizable public keys RKS to be the probability that \({\mathcal {A}}\) wins above game, that is \(\textsf {Adv}_{{\mathcal {A}}}^{\textsc {eufcmahrk}}=\Pr [{\mathcal {A}}~succeeds]\).
Definition 4
(EUFCMAHRK Security) For a security parameter n, let \(t=t(n)\), \(q_\textsf {s}=q_\textsf {s}(n)\), and \(\epsilon =\epsilon (n)\). A signature scheme with rerandomizable public keys RKS is \((t,q_\textsf {s},\epsilon )\) EUFCMAHRK secure if for any t time EUFCMA adversary \({\mathcal {A}}\) that makes at most \(q_\textsf {s}\) signing queries such that \(\textsf {Adv}_{\mathcal {A}}^{\textsc {eufcmahrk}}\le \epsilon\).
Definitions for deterministic wallets
In this section, we introduce the syntax and relevant security notions for deterministic wallets. The definitions are essentially same as prior works (Alkeilani Alkadri et al. 2020; Das et al. 2019) except some modifications to make the definitions more concise: We augment the existing syntax (Alkeilani Alkadri et al. 2020; Das et al. 2019) by introducing a randomness generation algorithm DW.RandGen which acts the same role as the RandG algorithm of Alkeilani Alkadri et al. (2020) (cf. Alkeilani Alkadri et al. 2020, Section 4.1). At a high level, a deterministic wallet consists of two components: a cold wallet and a hot wallet, along with a deterministic key derivation mechanism. Specifically, upon initialization of the scheme, the cold wallet generates a master key pair (mpk, msk) and a chaincode ch and forwards (mpk, ch) to the hot wallet. Then the cold wallet and the hot wallet can use the key derivation algorithms SKDer and PKDer, respectively, to derive an arbitrary number of session key pairs, without further interaction, from the (mpk, msk) and an identifier set. The correctness requires that if the cold wallet and the hot wallet derive session key pairs on the same set of identifiers \(I\!D_0,\dots ,I\!D_{N1}\in \{0,1\}^*\) and in the same order, then any signature created under one of the signing keys derived from the cold wallet should be correctly verified under the corresponding verification key derived from the hot wallet.
Definition 5
A deterministic wallet scheme is a tuple of algorithms \(\textsf {DW}~:=~(\textsf {DW.KeyGen}, \textsf {DW.RandGen}, \textsf {DW.PKDer}, \textsf {DW.SKDer}, \textsf {DW.Sign}, \textsf {DW.Ver})\), where DW.KeyGen is a master key generation algorithm, DW.RandGen is a randomness generation algorithm, DW.PKDer is a session public key derivation algorithm, DW.SKDer is a session secret key derivation algorithm, and DW.Ver is a verification algorithm.

DW.KeyGen is a probabilistic algorithm that is invoked as \((mpk, msk)\leftarrow \textsf {DW.KeyGen}(1^n)\), where n is the security parameter. The algorithm outputs a master public key mpk, a master secret key msk, and a chaincode ch.

DW.RandGen is a deterministic algorithm that is invoked as \(\rho _{_{I\!D}}\leftarrow \textsf {DW.RandGen} (ch, I\!D)\), where ch is a chaincode and \(I\!D\) is an identifier. The algorithm outputs a randomness \(\rho _{_{I\!D}}\).

DW.PKDer is a deterministic algorithm that is invoked as \(pk_{_{I\!D}}\leftarrow \textsf {DW.PKDer}(mpk, \rho _{_{I\!D}})\), where mpk is the master public key and \(\rho _{_{I\!D}}\) is a randomness with respect to \(I\!D\). The algorithm outputs a session public key \(pk_{_{I\!D}}\).

DW.SKDer is a deterministic algorithm that is invoked as \(sk_{_{I\!D}}\leftarrow \textsf {DW.SKDer}(msk, \rho _{_{I\!D}})\), where msk is the master secret key and \(\rho _{_{I\!D}}\) is a randomness with respect to \(I\!D\). The algorithm outputs a session secret key \(sk_{_{I\!D}}\).

DW.Sign is a probabilistic algorithm that is invoked as \(\sigma \leftarrow \textsf {DW.Sign}(sk_{_{I\!D}}, \mu )\), where \(sk_{_{I\!D}}\) is a session secret key and \(\mu\) is a message. The algorithm outputs a signature \(\sigma\).

DW.Ver is a deterministic algorithm that is invoked as \(1/0\leftarrow \textsf {DW.Ver}(pk_{_{I\!D}}, \mu , \sigma )\), where \(pk_{_{I\!D}}\) is a session public key, \(\mu\) is a message, and \(\sigma\) is a signature. The outputs 1 if \(\sigma\) is a valid signature for \(\mu\) under public key \(pk_{_{I\!D}}\). It outputs 0 otherwise.
Definition 6
(Correctness) For \(N\in {\mathbb {N}}\), any tuple of \((mpk,msk,ch)\leftarrow \textsf {DW.KeyGen}(1^n)\), any \({\varvec{I\!D}}~:=~(I\!D_1,\dots ,I\!D_N)\in \{0,1\}^*\), and any randomness \(\rho _{_{I\!D_i}}\leftarrow \textsf {DW.RandGen}(ch, I\!D_i)\), define \((pk_{I\!D_i},sk_{I\!D_i})\) for \(1\le i\le N\) as
DW is correct if for all \(\mu \in {\mathcal {M}}\), it holds that
A deterministic wallet scheme DW should satisfy the following two security properties  wallet unlinkability and wallet unforgeability.
Wallet unlinkability
The unlinkability property guarantees that different public session keys that are derived from the same master public key should be unlinkable. Formally, it requires that, given the master public key, the distribution of the session public keys is computationally indistinguishable from session public keys that are generated from a fresh master public key and a fresh chain code. The unlinkability game for deterministic wallets DWUNL is presented in Fig. 1. Initially, the adversary \({\mathcal {A}}=({\mathcal {A}}_1, {\mathcal {A}}_2)\) runs its subprocedure \({\mathcal {A}}_1\) on input a master public key mpk generated by \(\textsf {DW.KeyGen}(1^n)\) and subsequently interacts with the oracles PK and \(\textsf {Sign}\). These oracles represent the adversary’s capability to observe signatures with corresponding session public keys of the wallet on the ledger. The oracle PK takes a \(I\!D\) as input and checks if there is a record of the session public key \(pk_{_{I\!D}}\). If there is no record, the oracle generates a randomness \(\rho _{_{I\!D}}\) and uses it as input in DW.PKDer to derive \(pk_{_{I\!D}}\). After that, it stores \(pk_{_{I\!D}}\) and \(\rho _{_{I\!D}}\) in an array \(K\!eys[{I\!D}]\). The oracle \(\textsf {Sign}\) takes as input a message \(\mu\) and a \(I\!D\), and outputs the corresponding signature with the condition that \(I\!D\) has been previously queried on PK. After the query phase of \({\mathcal {A}}_1\), a challenge \({I\!D}^*\) is provided. Note that we use the array \(K\!eys[{I\!D}]\) to store session public key \(pk_{_{I\!D}}\) and randomness \(\rho _{_{I\!D}}\) w.r.t. the key value \(I\!D\). If there is no record for \({I\!D}^*\), the game proceeds to the challenge phase, otherwise return 0. Then the adversary \({\mathcal {A}}_2\) will be given a challenge public key \(pk_{_{I\!D^*}}^b\) which is either real or random, namely, it depends on either the tuple (mpk, msk, ch) or a fresh and independent tuple \(({\widehat{mpk}},{\widehat{msk}},{\widehat{ch}})\). \({\mathcal {A}}_2\)’s goal is to distinguish these two scenarios.
Definition 7
A deterministic wallet scheme DW is postquantum unlinkable if for any quantum adversary \({\mathcal {A}}\), the advantage \(\big \Pr [b'=b]\frac{1}{2}\ \big \) in game \(\textsf {DWUNL}\) (cf. Fig. 1) is negligible.
Wallet unforgeability
The unforgeability guarantees that once funds are transferred to the cold wallet they remain secure even if the hot wallet is compromised, and the adversary can observe transfers of coins that are sent from the cold wallet. Figure 2 presents the unforgeability game for deterministic wallets DWUF. Initially, the adversary \({\mathcal {A}}\) obtains a master public key mpk and the chain code ch as input. Then \({\mathcal {A}}\) can access two oracles PK and \(\textsf {Sign}\). These oracles are defined in the same way as in the game DWUNL, except that \(\textsf {Sign}\) now additionally keeps track of all queried messages by using an array \(M\!sg[I\!D]\). Finally, \({\mathcal {A}}\) outputs a forgery tuple \((\mu ^*, \sigma ^*, I\!D^*)\). We say \({\mathcal {A}}\) wins the DWUF game if (1) \(\mu ^*\) has not been queried on oracle \(\textsf {Sign}\), (2) \(I\!D^*\) has been queried on oracle \(\textsf {PK}\), and (3) \(\sigma ^*\) is a valid signature for \(\mu ^*\) w.r.t. \(pk_{_{I\!D^*}}\).
Definition 8
A deterministic wallet scheme DW is postquantum unforgeable if for any quantum adversary \({\mathcal {A}}\), the advantage \(\Pr \big [\textsf {DWUF}_{\textsf {DW}}^{{\mathcal {A}}}=1\big ]\) in game \(\textsf {DWUF}\) (cf. Fig. 2) is negligible.
Preliminaries
Notation We denote vectors with lowercase bold letters (e.g. \({\textbf{x}}\)) and matrices with uppercase bold letters (e.g. \({\textbf{A}}\)). We denote \(e\xleftarrow {_{\$}} {\mathcal {S}}\) as the uniform sampling of the variable e from the set \({\mathcal {S}}\). We say that a function in n is \(\textit{negligible}\), written negl(n), if it vanishes faster than the inverse of any polynomial in n. We say probability p(n) is \(\textit{overwhelming}\) if \(1p(n)\) is negligible. We always denote the security parameter by n, and o(n) denotes a linear function in n. We always use a ‘randomizedrounding parameter’ r that we let be a fixed function \(r(n)=\omega (\!\sqrt{\log n})\) growing asymptotically faster than \(\sqrt{\log n}\). We denote the horizontal concatenation of two matrices \({\textbf{A}}\) and \({\textbf{B}}\) as \({\textbf{A}}\ \ {\textbf{B}}\). For any set \({\textbf{S}}=\{{\textbf{s}}_1,\dots ,{\textbf{s}}_m\}\subset {\mathbb {R}}^m\) of linearly independent vectors, we use \(\Vert {{\textbf {S}}} \Vert\) denotes the \(\ell _2\)norm of \({{\textbf {A}}}\) that is \(\Vert {{\textbf {S}}} \Vert :=\max _i \Vert {\textbf{s}}_i\Vert\), and use \(\Vert \textbf{S} \Vert _{\textsc {gs}}\) denotes GramSchmidt norm of \({\textbf{S}}\) that is \(\Vert {\textbf{S}} \Vert _{\textsc {gs}}:=\max _i \Vert {\textbf{s}}_i\Vert _{\textsc {gs}}\) for \(i\in [m]\). Unless otherwise stated, all algorithms are probabilistic, we use \(y\leftarrow \textsf {A}(x)\) to denote that algorithm A outputs y when running on input x, and write \(y\leftarrow \textsf {A}(x,\rho )\) to denote algorithm A outputs y when running on input x and randomness \(\rho\). In this way, algorithm A becomes a deterministic algorithm. We use \(\textsf {A}(x)\) to denote the set of all possible outputs of (probabilistic) algorithm A on input x. We model hash functions as classical random oracles (Bellare and Rogaway 1993) or quantum random oracles (Boneh et al. 2011). We denote the classical random oracle by the symbol H and the quantum random oracle by the notation \(\textsf {H}\rangle\). In our proofs, we will consider reprogrammed random oracles. For a (quantum) random oracle H we write \(\textsf {H}_{x\rightarrow y}\) for the (quantum) random oracle that is reprogrammed on input x to y.
Quantum random oracle model
We review the quantum random oracle model and the existing results that we will use. The quantum random oracle model (QROM) is introduced by Boneh et al. (2011) which is motivated by the observation that the random oracle model (ROM) is not appropriate in the postquantum setting. In the real world, an adversary equipped with a quantum computer is able to implement the hash function and evaluate it in superposition. In QROM, parties with quantum computing power get access to the oracle \(\textsf {H}\rangle\) where \(\textsf {H}\rangle :x,y\rangle \mapsto x,y\oplus \textsf {H}(x)\rangle\). Below we describe a result for quantum random oracles that are required for our proofs. As mentioned in Alkeilani Alkadri et al. (2020), the oneway to hiding (O2H) lemma (Unruh 2015) is an important tool for security proofs in the QROM. It provides bounds on the advantage of an adversary in distinguishing between different random oracles when the adversary is allowed to query them in superposition. Below we state the O2H lemma using the reformulation by Ambainis et al. (2019).
Lemma 1
(OneWay to Hiding (O2H) (Ambainis et al. 2019)) Let G, \(\textsf {H}:{\mathcal {X}}\rightarrow {\mathcal {Y}}\) be random functions, let z be a random value, and let \({\mathcal {S}}\subset {\mathcal {X}}\) be a random set such that \(\forall x\notin {\mathcal {S}}\), \(\textsf {G}(x)=\textsf {H}(x)\). \((\textsf {G},\textsf {H},{\mathcal {S}},z)\) may have arbitrary joint distribution. Furthermore, let \({\mathcal {A}}^{\textsf {H}\rangle }\) be a quantum oracle algorithm which queries \(\textsf {H}\rangle\) at most \(q_{_{\textsf {H}}}\) times. Let Ev be an arbitrary classical event. Define an oracle algorithm \({\mathcal {B}}^{\textsf {H}\rangle }\) as follows: Choose \(i\xleftarrow {_{\$}}[q_{_{\textsf {H}}}]\) and run \({\mathcal {A}}^{\textsf {H}\rangle }(z)\) until just before its ith round of queries to \(\textsf {H}\rangle\). Measure the query in the computational basis, and output the measurement outcome. It holds that
We also use the following smallrange distributions presented by Zhandry’s (2021). These are distributions where the set of possible outputs is limited.
Definition 9
(SmallRange Distributions (Zhandry 2021)) Let \({\mathcal {X}},{\mathcal {Y}}\) be sets, r be an integer, D be a distribution on \({\mathcal {Y}}\), P be a random function from \({\mathcal {X}}\) to [r], and \({\varvec{y}}=(y_1,\dots ,y_r)\) be r samples of D. Define a function \(\textsf {H}:{\mathcal {X}}\rightarrow {\mathcal {Y}}\) by \(\textsf {H}(x)\mapsto y_{P(x)}\). The distribution of \(\textsf {H}\), induced by P and \({\varvec{y}}\), is called a smallrange distribution with r samples of D.
The following lemma provides a bound on the distinguishing advantage between a random oracle and an oracle drawn from a smallrange distribution when superposition access is granted.
Lemma 2
(Zhandry 2021) There is a universal constant C such that, for any set \({\mathcal {X}}\) and \({\mathcal {Y}}\), distribution D on \({\mathcal {Y}}\), integer l, and any quantum algorithm \({\mathcal {A}}\) making \(q_{_{\textsf {H}}}\) queries to an oracle \(\textsf {H}:{\mathcal {X}}\rightarrow {\mathcal {Y}}\), the following two cases are indistinguishable, except with probability less than \(\frac{Cq_{_{\textsf {H}}}^3}{l}\):

\(\textsf {H}(x)= y_{x}\) where \({\varvec{y}}\) is a list of samples of D of size \({\mathcal {X}}\).

\(\textsf {H}\) is drawn from the smallrange distribution with l samples of D.
Lattices and Gaussian distributions
Let \(m\in {\mathbb {Z}}\) be a positive integer and \(\varvec{\Lambda }\subset {\mathbb {R}}^m\) be an mdimensional fullrank lattice formed by the set of all integral combinations of m linearly independent basis vectors \({{\textbf {B}}}=({{\textbf {b}}}_1,\ldots ,{{\textbf {b}}}_m)\subset {\mathbb {Z}}^{m}\). For positive integers n, q, a matrix \({{\textbf {A}}}\in {\mathbb {Z}}_q^{n\times m}\), and a vector \({{\textbf {u}}} \in {\mathbb {Z}}_q^m\), the mdimensional integer lattice \({\varvec{\Lambda }}_q^{\perp }({{\textbf {A}}})\) and its coset \({\varvec{\Lambda }}_q^{{{\textbf {u}}}}({{\textbf {A}}})\) are defined as
For a vector \({{\textbf {c}}}\in {\mathbb {R}}^m\) and a positive parameter \(\sigma \in {\mathbb {R}}\), the Gaussian functions for any \({{\textbf {x}}}\in {\mathbb {R}}^m\) and any \({{\textbf {x}}}\in \varvec{\Lambda }\) with center \({\textbf{c}}\) and parameter \(\sigma\) are defined as
Define the discrete Gaussian distribution as \(D_{\varvec{\Lambda },\sigma ,{{\textbf {c}}}}({{\textbf {x}}})=\rho _{\sigma ,{{\textbf {c}}}}({{\textbf {x}}})/\rho _{\sigma ,{{\textbf {c}}}}( \varvec{\Lambda })\). For simplicity, \(D_{\varvec{\Lambda },\sigma ,{{\textbf {0}}}}\) is abbreviated as \(D_{\varvec{\Lambda },\sigma }\) when the center vector \({\textbf{c}}={\textbf{0}}\).
Properties of Gaussian Distributions: The following lemma captures some properties of Gaussian distributions. Property1 gives a norm bound on the Gaussian sampled preimage vector. Property2 will be used to make our RKS scheme satisfy the rerandomizability of public keys (cf. “Latticebased signatures with rerandomizable PK” section). Property3, i.e., SampleGaussian algorithm is the basic algorithm which is called by several algorithms such as SampleR, SamplePre, and RandBasis that will be given later. Property4, i.e., SamplePre algorithm will be mainly used in the signing algorithm of LHS scheme (cf. “Latticebased hashandsign signatures” section).
Lemma 3
(Gentry et al. 2008) Let \(q\ge 2\) be a prime and let \({\textbf{A}}\) be a matrix in \({\mathbb {Z}}_q^{n\times m}\) with \(m>n\). Let \({\textbf{B}}\) be a basis of \(\mathbf {\Lambda }_q^{\perp }({\textbf{A}})\) and standard deviation \(s\ge \Vert {\textbf{B}}\Vert _{\textsc {gs}}\cdot \omega (\!\sqrt{\log m})\). Then for \({\textbf{c}}\in {\mathbb {R}}^m\) and \({\textbf{u}}\in {\mathbb {Z}}_q^n\), we have the following properties:

1.
\(\Pr _{{\textbf{e}}\leftarrow D_{\mathbf {\Lambda }_{{\textbf{u}}}^\perp ({\textbf{A}}),s}}\big [\ \Vert {\textbf{e}}\Vert \ge s\cdot \!\sqrt{m}\ \big ]\le negl (n)\).

2.
For \({\textbf{e}}\leftarrow D_{{\mathbb {Z}}^m,s}\), the distribution of \({\textbf{u}}={{\textbf{A}}}{{\textbf{e}}}\in {\mathbb {Z}}_q^n\) is within negligible statistical distance of uniform over \({\mathbb {Z}}_q^n\).

3.
There is a PPT algorithm \(\textsf {SampleGaussian}({\textbf{A}},{\textbf{B}},s,{\textbf{c}})\) that outputs \({\textbf{e}}\in \mathbf {\Lambda }_q^{\perp }({\textbf{A}})\) drawn from a distribution statistically close to \(D_{\mathbf {\Lambda },s,{\textbf{c}}}\).

4.
There is a PPT algorithm \(\textsf {SamplePre}({\textbf{A}},{\textbf{B}},{\textbf{u}},s)\) that outputs \({\textbf{e}}\in \mathbf {\Lambda }_q^{{\textbf{u}}}({\textbf{A}})\) drawn from a distribution statistically close to \(D_{\mathbf {\Lambda }_q^{{\textbf{u}}}({\textbf{A}}),s,{\textbf{c}}}\).
The following lemma shows how to sample an essentially uniform matrix \({\textbf{A}}\in {\mathbb {Z}}_q^{n\times m}\) with an associated basis \({\textbf{B}}\) of \(\mathbf {\Lambda }_q^{\perp }({\textbf{A}})\) with low GramSchmidt norm. The BasisGen algorithm will be used in the sampling of the master public key mpk and master secret key msk, i.e., master key pair (mpk, msk) in the key generation phase of our wallet scheme.
Lemma 4
(Lattice Basis Generation Algorithm (Alwen and Peikert 2009; Micciancio and Peikert 2012)) There is a fixed constant \(C>1\) and a PPT algorithm \(\textsf {BasisGen}(1^n,q)\) that, for polynomial bounded \(m\ge Cn\log q\), the algorithm outputs \({\textbf{A}}\in {\mathbb {Z}}_q^{n\times m}\) and \({\textbf{B}}\in {\mathbb {Z}}^{m\times m}\) such that \({\textbf{B}}\) is a basis of \(\mathbf {\Lambda }_q^{\perp }({\textbf{A}})\), the distribution of \({\textbf{A}}\) is within negligible statistical distance of uniform, and \(\Vert {\textbf{B}}\Vert _{\textsc {gs}}\le L_{\textsc {tg}}\) for \(L_{\textsc {tg}} = O(\!\sqrt{n\log q})\) where we let \(L_{\textsc {tg}}\) be the GramSchmidt norm bound on the generated basis \({\textbf{B}}\).
Lattice basis delegation
We now review the lattice basis delegation algorithm BasisDel by Agrawal et al. (2010b) which is the core procedure of the key derivation algorithm of our wallet scheme. The main inputs of the algorithm are a matrix \({\textbf{A}}\) in \({\mathbb {Z}}_q^{n\times m}\), a basis \({\textbf{B}}\) of \(\mathbf {\mathbf {\Lambda }}_q^{\perp }({\textbf{A}})\), and an invertible matrix \({\textbf{R}}\) in \({\mathbb {Z}}^{m\times m}\). The goal is to generate a matrix \({\textbf{A}}'\) that is within negligible statistical distance of uniform, and generate a basis \({\textbf{B}}'\) of lattice \(\mathbf {\Lambda }_q^{\perp }({\textbf{A}}')\). At a high level, let \({\textbf{A}}'={\textbf{A}}{\textbf{R}}\), let \({\textbf{B}}':={\textbf{R}}^{1}{\textbf{B}}\), we can observe that \({\textbf{B}}'\in \mathbf {\Lambda }_q^{\perp }({\textbf{A}}')\) since \({\textbf{A}}'{\textbf{B}}'={\textbf{0}}\pmod q\). The resulting basis \({\textbf{B}}'\) will be a short basis when the input matrix \({\textbf{R}}\) is sampled from a certain distribution. And \({\textbf{B}}'\) is distributed statistically independent with the original basis \({\textbf{B}}\) by a basis randomization algorithm.
The BasisDel algorithm consists of three parts: an invertible matrix \({\textbf{R}}\) in \({\mathbb {Z}}^{m\times m}\) where all the columns of \({\textbf{R}}\) are lownorm, ToBasis algorithm, and RandBasis algorithm. Define \(s_{\textsc {r}}:=L_{\textsc {tg}}\cdot \omega (\!\sqrt{\log m})\). Define \(D_{{m\times m}}\), the distribution on matrices in \({\mathbb {Z}}^{m\times m}\), as \((D_{{\mathbb {Z}}^{m},s_{\textsc {r}}})^m\) conditioned on the resulting matrix being invertible. The following algorithm shows how to sample the desired \({\textbf{R}}\).
Lemma 5
(SampleR Algorithm (Agrawal et al. 2010b)) Let \({\textbf{T}}\) be the canonical basis of the lattice \({\mathbb {Z}}^m\). There is a PPT algorithm \(\textsf {SampleR}(1^m)\) which outputs an invertible matrix \({\textbf{R}}\in D_{{m\times m}}\) by calling \(\textsf {SampleGaussian}({\mathbb {Z}}^m,{\textbf{T}},s_{\textsc {r}},{\textbf{0}})\).
The following algorithm shows that a fullrank set of lattice vectors \({\textbf{S}}\) of a lattice \(\mathbf {\Lambda }\) can be converted into a basis \({\textbf{T}}\) for \(\mathbf {\Lambda }\) with an equally low Gram–Schmidt norm.
Lemma 6
(To Basis Algorithm (Micciancio and Goldwasser 2002)) Let \(\mathbf {\Lambda }\) be an mdimensional lattice with basis \({\textbf{B}}\). There is a deterministic polynomial time algorithm \(\textsf {ToBasis}({\textbf{S}},{\textbf{B}})\) which takes as input the basis \({\textbf{B}}\) and a fullrank set (not necessarily a basis) \({\textbf{S}}\) of lattice vectors in \(\mathbf {\Lambda }\), outputs a basis \({\textbf{T}}\) of \(\mathbf {\Lambda }\) such that \(\Vert {\textbf{t}}_i\Vert _{\textsc {gs}}\le \Vert {\textbf{s}}_i\Vert _{\textsc {gs}}\) for all i.
We use the following algorithm to randomize a lattice basis, which is used for our wallet scheme to delegate the control on asset to another entity securely. The resulting basis remains short and is essentially statistically independent of the original basis.
Lemma 7
(RandBasis Algorithm (Cash et al. 2010)) There is a PPT basis randomization algorithm \(\textsf {RandBasis}({\textbf{B}},s)\) which takes as input a basis \({\textbf{B}}\) of \(\mathbf {\Lambda }_q^{\perp }({\textbf{A}})\) and a standard deviation \(s\ge \Vert {\textbf{B}}\Vert _{\textsc {gs}}\cdot \omega (\!\sqrt{\log m})\), outputs a new basis \({\textbf{B}}'\) of \(\mathbf {\Lambda }_q^{\perp }({\textbf{A}})\) such that \(\Vert {\textbf{B}}'\Vert _{\textsc {gs}}\le s\sqrt{m}\) holds with overwhelming probability. Furthermore, the distribution of \({\textbf{B}}'\) is statistically independent with the original basis \({\textbf{B}}\).
Next, we introduce the lattice basis delegation algorithm BasisDel which is composed of the aboveintroduced matrix \({\textbf{R}}\) and algorithms ToBasis and RandBasis.
Lattice Basis Delegation Algorithm: \(\textsf {BasisDel}({\textbf{A}},{\textbf{B}},{\textbf{R}},s)\)
Inputs: A matrix \({\textbf{A}}\) in \({\mathbb {Z}}_q^{n\times m}\), a basis \({\textbf{B}}\) of \(\mathbf {\mathbf {\Lambda }}_q^{\perp }({\textbf{A}})\), an invertible matrix \({\textbf{R}}\) generated by \(\textsf {SampleR}\) algorithm, and a standard deviation s.
Outputs: Let \({\textbf{A}}'={\textbf{A}}{\textbf{R}}\). It outputs a basis \({\textbf{B}}'\) of \(\mathbf {\mathbf {\Lambda }}_q^{\perp }({\textbf{A}}')\).
The \(\textsf {BasisDel}\) algorithm runs as follows:

1.
Let \({\textbf{B}}=\big [\ {\textbf{b}}_1\mid \dots \mid {\textbf{b}}_m\ \big ]\subseteq {\mathbb {Z}}^m\) and \({\textbf{S}}=\big [\ {\textbf{R}}^{1}{\textbf{b}}_1\mid \dots \mid {\textbf{R}}^{1}{\textbf{b}}_m\ \big ]\subseteq {\mathbb {Z}}^m\). Because \({\textbf{B}}\) is a basis of \(\mathbf {\mathbf {\Lambda }}_q^{\perp }({\textbf{A}})\), \({\textbf{R}}\) is invertible, and \({\textbf{A}}'{\textbf{S}}={\textbf{0}}\pmod q\), therefore, \({\textbf{S}}\) is a set of independent vectors in \(\mathbf {\Lambda }_q^{\perp }({\textbf{A}}')\).

2.
Call \(\textsf {ToBasis}\) by taking as input the \({\textbf{S}}\) and an arbitrary basis of \(\mathbf {\Lambda }_q^{\perp }({\textbf{A}}')\) and outputs a basis \(\bar{{\textbf{B}}}\) whose GramSchmidt norm is no more than that of \({\textbf{S}}\).

3.
Call \(\textsf {RandBasis}\) by taking as input \(\bar{{\textbf{B}}}\) and standard deviation s then outputs the resulting basis \({\textbf{B}}'\) of \(\mathbf {\Lambda }_q^{\perp }({\textbf{A}}')\).
Lemma 8
(BasisDel Algorithm (Agrawal et al. 2010b)) There is a PPT basis delegation algorithm \(\textsf {BasisDel}({\textbf{A}},{\textbf{B}},{\textbf{R}},s)\) which takes as input a matrix \({\textbf{A}}\) in \({\mathbb {Z}}_q^{n\times m}\), a basis \({\textbf{B}}\) of \(\mathbf {\mathbf {\Lambda }}_q^{\perp }({\textbf{A}})\), an invertible matrix \({\textbf{R}}\in D_{{m\times m}}\), and a standard deviation \(s>\Vert {\textbf{B}}\Vert _{\textsc {gs}}\sqrt{nm\log q}\cdot \omega (\log ^{2}m)\). Let \({\textbf{A}}'={\textbf{A}}{\textbf{R}}\). The algorithm outputs a basis \({\textbf{B}}'\) of \(\mathbf {\mathbf {\Lambda }}_q^{\perp }({\textbf{A}}')\) such that \(\Vert {\textbf{B}}' \Vert _{\textsc {gs}}/\Vert {\textbf{B}} \Vert _{\textsc {gs}}\le m^{3/2}\omega (\log ^2m)\). Furthermore, the distribution of \({\textbf{B}}'\) is statistically close to the distribution \(\textsf {RandBasis}({\textbf{T}},s)\) where \({\textbf{T}}\) is an arbitrary basis of \(\mathbf {\Lambda }_q^{\perp }({\textbf{A}}')\) satisfying \(\Vert {\textbf{T}}\Vert _\textsc {gs}\le s/\omega (\!\sqrt{\log m})\).
Our proof of the security of the RKS scheme employs the algorithm SampleRwithBasis that takes as input a random matrix \({\textbf{A}}\in {\mathbb {Z}}_q^{n\times m}\), it outputs a lownorm and invertible matrix \({\textbf{R}}\in D_{{m\times m}}\) as well as a short basis \({\textbf{B}}\) for \(\mathbf {\mathbf {\Lambda }}_q^{\perp }({{\textbf{A}}}{{\textbf{R}}})\).
Lemma 9
(SampleRwithBasis Algorithm (Agrawal et al. 2010b)) There is a PPT algorithm \(\textsf {SampleRwithBasis}({\textbf{A}},s)\) which takes as input a matrix \({\textbf{A}}\in {\mathbb {Z}}_q^{n\times m}\) whose columns generate \({\mathbb {Z}}_q^{n}\) and a Gaussian parameter s, the algorithm outputs a matrix \({\textbf{R}}\in D_{{m\times m},s}\) and an invertible basis \({\textbf{B}}\) for \(\mathbf {\mathbf {\Lambda }}_q^{\perp }({{\textbf{A}}}{{\textbf{R}}})\) such that \(\Vert {\textbf{B}}\Vert _\textsc {gs}\le s_\textsc {r}/\omega (\!\sqrt{\log q})\).
Latticebased hashandsign signatures
Our construction is based on the HashandSign signature paradigm, rather than the Fiat–Shamir paradigm as in prior work (Alkeilani Alkadri et al. 2020). We review a generic construction of latticebased hashandsign (LHS) signatures. The scheme LHS:=(LHS.KeyGen, LHS.Sign, LHS.Ver) is formally described in Fig. 3. The key generation algorithm LHS.KeyGen generates an instance of a computationally hard lattice problem called the short integer solution (SIS) (Ajtai 1996). In essence, the LHS.KeyGen algorithm is a lattice basis generation algorithm \(\textsf {BasisGen}\) (cf. Lemma 4) which outputs \({\textbf{A}}\in {\mathbb {Z}}_q^{n\times m}\) and \({\textbf{B}}\in {\mathbb {Z}}^{m\times m}\) such that \({\textbf{B}}\) is a lattice basis of \(\mathbf {\Lambda }_q^{\perp }({\textbf{A}})\), the distribution of \({\textbf{A}}\) is within negligible statistical distance of uniform, and \({\textbf{B}}\) has a low GramSchmidt norm. The LHS.Sign algorithm mainly consists of two components, a hash function \(\textsf {H}:\{0,1\}^*\rightarrow {\mathbb {Z}}_q^n\) which is modeled as a random oracle, and a Gaussian preimage sampling algorithm SamplePre (cf. item 4 of Lemma 3). The SamplePre algorithm is able to sample a lownorm preimage
A signature consists of two items \(({\textbf{e}}, {\textbf{r}})\), a Gaussian sampled preimage \({\textbf{e}}\) and a random vector \({\textbf{r}}\). The verification algorithm LHS.Ver checks if \({{\textbf{A}}}{{\textbf{e}}}=\textsf {H}(\mu ,{\textbf{r}})\), \({\textbf{r}}\in \{0,1\}^{o(n)}\), and if \({\textbf{e}}\in D_{s}\) where we let the distribution \(D_{s}=\{{\textbf{e}}\in {\mathbb {Z}}^m: \Vert {\textbf{e}}\Vert \le s\sqrt{m}\}\) for a specified Gaussian parameter (standard deviation) s, otherwise another \({\textbf{e}}'\) is easy to find such that \({\textbf{A}}{\textbf{e}}'=\textsf {H}(\mu ,{\textbf{r}})\) and hence the unforgeability is broken. For the correctness, by the property of SamplePre (cf. Item 4 of Lemma 3), \({\textbf{e}}\in D_{s}\) and \({\textbf{A}}{\textbf{e}}=\textsf {H}(\mu ,{\textbf{r}})\) holds with overwhelming probability. The EUFCMA security of latticebased hashandsign signatures in QROM was analyzed in several works (Boneh et al. 2011; Chailloux and DebrisAlazard 2020; Fouque et al. 2018).
The construction for deterministic wallets
In this section, we introduce our generic construction and proofs of deterministic wallets in a quantum world. We assume in the following a signature scheme with rerandomizable public keys RKS:= (RKS.KeyGen, RKS.RandGen, RKS.RandPK, RKS.RandSK, RKS.Sign, RKS.Ver). Let \(\textsf {H}:\{0,1\}^*\rightarrow \{0,1\}^{o(n)}\) be a hash function that is modeled as a random oracle. A generic construction of a deterministic wallet scheme \(\textsf {DW}:= (\textsf {DW.KeyGen,~DW.RandGen,~DW.PKDer,~DW.SKDer},\) \(\textsf {DW.Sign,~DW.Ver})\) is depicted in Fig. 4 and is described as below.

\(\textsf {DW.KeyGen}(1^n)\). On input a security parameter n, compute the master public key and master secret key by \((mpk, msk)\leftarrow \textsf {RKS.KeyGen}(1^n)\). Select a uniformly random chaincode \(ch\xleftarrow {_\$}\{0,1\}^n\). Output the tuple (mpk, msk, ch).

\(\textsf {DW.RandGen}(ch, I\!D)\). On input a chaincode ch and an identifier \(I\!D\), generate the randomness \(\rho _{_{I\!D}}\leftarrow \textsf {RKS.RandGen}(\gamma _{_{I\!D}})\) where \(\gamma _{_{I\!D}}\leftarrow \textsf {H}(ch, I\!D)\), and finally output \(\rho _{_{I\!D}}\).

\(\textsf {DW.PKDer}(mpk, \rho _{_{I\!D}})\). On input a master public key mpk and a randomness \(\rho _{_{I\!D}}\), compute \(pk_{_{I\!D}}\leftarrow \textsf {RKS.RandPK}(mpk,\rho _{_{I\!D}})\). Output the session public key \(pk_{_{I\!D}}\).

\(\textsf {DW.SKDer}(msk, \rho _{_{I\!D}})\). On input a master secret key msk and a randomness \(\rho _{_{I\!D}}\), compute \(sk_{_{I\!D}}\leftarrow \textsf {RKS.RandSK}(msk,\rho _{_{I\!D}})\). Output the session secret key \(sk_{_{I\!D}}\).

\(\textsf {DW.Sign}(sk_{_{I\!D}}, (pk_{_{I\!D}},\mu ))\). On input a session secret key \(sk_{_{I\!D}}\), a session public key \(pk_{_{I\!D}}\), and a message \(\mu\), let \(\mu ':=(pk_{_{I\!D}},\mu )\), compute the signature \(\sigma \leftarrow \textsf {RKS.Sign}(sk_{_{I\!D}},\mu ')\), and finally output \(\sigma\).

\(\textsf {DW.Ver}(pk_{_{I\!D}}, \mu , \sigma )\). On input a session public key \(pk_{_{I\!D}}\), a message \(\mu\), and a signature \(\sigma\), let \(\mu ':=(pk_{_{I\!D}},\mu )\), return the result of invoking \(\textsf {RKS.Ver}(pk_{_{I\!D}}, \mu ', \sigma )\).
Security proofs
The correctness of the DW scheme directly follows from the correctness of the RKS scheme. Below we prove that the DW scheme achieves both unlinkability and unforgeability against quantum adversaries.
Theorem 1
The deterministic wallet scheme DW depicted in Fig. 4is DWUNL secure in the QROM if the DW is built from the signature scheme with rerandomizable public keys RKS (depicted in Fig. 5).
In our setting, all the wallet public keys are derived from a parameter that is the chaincode ch, so the adversary’s winning probability is reduced significantly. Therefore, the point is to check whether a query made by the adversary is problematic, i.e., whether it coincides with the chaincode. However, we cannot check the problematic query by a simple comparison as classic ROM setting (cf. Das et al. 2019), since in the QROM, the adversary is able to query the random oracle in superposition. Instead, we consider a game hop in which we can bound the adversary’s advantage in distinguishing two random oracles, which in turn can be bound by the oneway to hiding lemma (cf. Lemma 1). For the remained games, we argue the adversary only has negligible advantage in winning the game by the rerandomizable property of the underlying signature schemes.
Proof
Let \({\mathcal {A}}=({\mathcal {A}}_1,{\mathcal {A}}_2)\) be an adversary which makes \(q_{_{\textsf {H}}}\) queries to its oracles \(\textsf {H}\rangle\). We prove the theorem via the following two games.
Game \(\textsf {G}_0\): This game behaves exactly as the game DWUNL (cf. Fig. 1) instantiated with DW.
Game \(\textsf {G}_1\): This game is the same as \(\textsf {G}_0\), except that the randomness seed \(\gamma _{_{I\!D}}\) is sampled at random, i.e., independent of the random oracle. In this way, the only difference between two games \(\textsf {G}_0\) and \(\textsf {G}_1\) lies in the random oracle, since the randomness seed \(\gamma _{_{I\!D}}\) in both games is distributed identically. From the point of view of \({\mathcal {A}}=({\mathcal {A}}_1,{\mathcal {A}}_2)\), the random oracle in game \(\textsf {G}_1\) is \(\textsf {H}_{{\mathcal {S}}\rightarrow \$}\rangle\), i.e., the random oracle that is reprogrammed the chain codes in \({\mathcal {S}}\) to random value. Hence, we can bound the advantage in distinguishing \(\textsf {G}_0\) and \(\textsf {G}_1\) by the advantage in distinguishing the random oracles \(\textsf {H}\rangle\) and \(\textsf {H}_{{\mathcal {S}}\rightarrow \$}\rangle\). Applying the O2H Lemma (cf. Lemma 1) yields
where \({\mathcal {B}}\) is the adversary specified in Lemma 1, \({\mathcal {S}}\) is a set that contains all chaincodes used in the experiment, and \(ch'\) is the chain code that output by \({\mathcal {B}}\). In our setting, \({\mathcal {S}}=2\) since there are only two chaincodes \((ch,{\widehat{ch}})\) throughout the system. This yields
Combining the above equations yields that the advantage in distinguishing \(\textsf {G}_0\) and \(\textsf {G}_1\) is negligible in the security parameter n. It remains to bound the advantage of \({\mathcal {A}}\) in game \(\textsf {G}_1\), where the same argument from the classical proof applies. In \(\textsf {G}_1\), the challenge public key \(pk_{_{I\!D^*}}^b\) given to \({\mathcal {A}}_2\) is independent of the random oracle (as the random oracle is not used in \(\textsf {G}_1\) anymore for deriving keys). Hence, it is irrelevant whether the adversary makes any query (classical or quantum) to the random oracle. By the rerandomizability of public keys, the property of RKS scheme, the challenge public keys \(pk_{_{I\!D^*}}^0\) and \(pk_{_{I\!D^*}}^1\) are statistically indistinguishable, which yields that the adversarial advantage is negligible. \(\square\)
Theorem 2
The deterministic wallet scheme DW depicted in Fig. 4 is DWUF secure in the QROM if the signature scheme with rerandomizable public keys RKS (depicted in Fig. 5) is EUFCMAHRK secure in the QROM.
As the unlinkability proof, the unforgeability proof should also be careful of the adversary’s ability to access the quantum random oracle \(\textsf {H}\rangle\). That is, while the adversary is able to query \(\textsf {H}\rangle\) in superposition of exponential amounts of inputs, the reduction can only respond it in a classical way as its challenger does not provide a quantum random oracle to let the simulator forwards and responses the query in superposition. In other words, the reduction will be useless since it cannot efficiently response the adversary’s query, unless it can be resolved in a classical way. To resolve that, we consider a game hop in which exponential amounts of queries are replied by the samples from a smallrange distribution. This method, by the fact of the smallrange distribution (cf. Lemma 2), only affects the negligible advantage of the adversary, which allows us to construct a reduction to simulate the quantum random oracle for the adversary.
Proof
Let \({\mathcal {A}}\) be an adversary which makes \(q_{_{\textsf {H}}}\) queries to \(\textsf {H}\rangle\). The proof proceeds via the following games.
Game \(\textsf {G}_0\): This game behaves exactly as the game DWUF (cf. Fig. 2) instantiated with DW (cf. Fig. 4). Assume that \({\mathcal {A}}\) has nonnegligible advantage \(\epsilon =\epsilon (n)\) in winning \(\textsf {G}_0\). This means that there exists a polynomial \(p=p(n)\) such that \(p(n)>\frac{1}{\epsilon (n)}\).
Game \(\textsf {G}_1\): This game behaves as \(\textsf {G}_0\) but aborts when there is a collision of keys for different identifiers. Note that the access to the oracle PK remains classical even for a quantum adversary. Therefore, the bound from Das et al. (2019) is applicable, which is a simple counting argument over the number of queries to PK. This yields that the advantage of \({\mathcal {A}}\) in \(\textsf {G}_1\) is \(\epsilon \mathrm{negl(n)}\).
Game \(\textsf {G}_2\): In this game, the adversaries queries to \(\textsf {H}\rangle\) is simulated using Definition 9 and Lemma 2. Let \(l=2Cq_{_{\textsf {H}}}^3 p\) with C being the constant from Lemma 2 and p being the polynomial described in \(\textsf {G}_0\). At the start of the game, the challenger will generate l random values and draw the randomness seed \(\gamma _{_{I\!D}}\) from a smallrange distribution using these l samples. According to Lemma 2, \({\mathcal {A}}\) can only distinguish this game from the previous one with a probability less than \(\frac{1}{2p}\). Therefore, Lemma 2 yields that the advantage of \({\mathcal {A}}\) in this game is at least \(\epsilon \textrm{negl}(n)\frac{1}{2p}\).
Bounding the advantage. We now show how to transform an adversary \({\mathcal {A}}\) playing \(\textsf {G}_1\) into an adversary \({\mathcal {B}}\) playing \(\textsf {EUFCMARK}_{\textsf {RKS}}^{\mathcal { B}}\) (where the underlying signature scheme is RKS). At the start, \({\mathcal {B}}\) receives a public key pk, let \(mpk:=pk\), then it samples a chain code \(ch\xleftarrow {_{\$}}\{0,1\}^{n}\) and \(l=2Cq_{_{\textsf {H}}}^3 p\) samples from a smallrange distribution. \({\mathcal {A}}\) is invoked on input (mpk, ch).
Simulation of Quantum Random Oracle \(\textsf {H}\rangle\). \({\mathcal {B}}\) simulates the output (the randomness seed \(\gamma _{_{I\!D}}\)) of the quantum random oracle \(\textsf {H}\rangle\) by using the l samples from Rand drawn from a smallrange distribution.
Simulation of PK Oracle. When \({\mathcal {A}}\) queries the oracle PK on \(I\!D\), \({\mathcal {B}}\) computes \(\gamma _{_{I\!D}}\leftarrow \textsf {H}(ch,I\!D)\), \(\rho _{_{I\!D}}\leftarrow \textsf {RKS.RandGen}(\gamma _{_{I\!D}})\), and \(pk_{_{I\!D}}\leftarrow \textsf {RKS.RandPK}(pk,\rho _{_{I\!D}})\). Then \({\mathcal {B}}\) adds the \((pk_{_{I\!D}}, \rho _{_{I\!D}})\) into the array \(K\!eys[I\!D]\) that \({\mathcal {B}}\) initialized in prior. Finally, \({\mathcal {B}}\) sends \(pk_{_{I\!D}}\) to \({\mathcal {A}}\).
Simulation of \(\textsf {Sign}\) Oracle. When \({\mathcal {A}}\) makes a query \((\mu , I\!D)\) to the oracle \(\textsf {Sign}\), \({\mathcal {B}}\) checks if the \(I\!D\) had been queried on the oracle PK, otherwise aborts. \({\mathcal {B}}\) computes \(pk_{_{I\!D}}\leftarrow \textsf {DW.PKDer}(mpk, \rho _{_{I\!D}})\) then sets \(\mu '=(pk_{_{I\!D}}, \mu )\), and queries its own oracle \(\textsf {Sign}_{\textsc {rks}}\) on \(\mu '\) and obtains the response \(\sigma\). Then \({\mathcal {B}}\) adds the \({\mu }\) to an array \(M\!sg[I\!D]\) that \({\mathcal {B}}\) initialized in prior, then sends \(\sigma\) to \({\mathcal {A}}\). When \({\mathcal {A}}\) outputs a forgery \((\mu ^*,\sigma ^*,I\!D^*)\), \({\mathcal {B}}\) checks if \(\mu ^*\notin M\!sg[I\!D^*]\) and \(K\!eys[I\!D^*]\ne \perp\), otherwise aborts. Then \({\mathcal {B}}\) gets the \((pk_{_{I\!D^*}}, \rho _{_{I\!D^*}})\leftarrow K\!eys[I\!D^*]\), and sets \({\hat{\mu }}^*=(pk_{_{I\!D^*}},\mu ^*)\). Finally, \({\mathcal {B}}\) outputs \(({\hat{\mu }}^*,\sigma ^*,\rho _{_{I\!D^*}})\). In this process, observe that \({\mathcal {B}}\) can complete the signing oracle simulation through relaying \({\mathcal {A}}\) and the challenger’s response, so they have the same total running time.
We now show that the output of \({\mathcal {B}}\) is a valid forgery whenever the output of \({\mathcal {A}}\) is. Namely, if \({\mathcal {A}}\)’s forgery \((\mu ^*,\sigma ^*,I\!D^*)\) is valid in Game \(\textsf {G}_1\), then \({\mathcal {B}}\)’s forgery \(({\hat{\mu }}^*,\sigma ^*,\rho _{_{I\!D^*}})\) is also valid in EUFCMARK. Since \((\mu ^*,\sigma ^*,I\!D^*)\) is a valid forgery by \({\mathcal {A}}\), we know that \({\mathcal {A}}\) never queried \((\mu ^*,I\!D^*)\) to Sign. Recall that, for every query to Sign by \({\mathcal {A}}\) on any \((\mu ,I\!D)\), \({\mathcal {B}}\) queries the oracle \(\textsf {Sign}_{\textsc {rks}}\) on the public key prefixed message \(\mu '=(pk_{_{I\!D}},\mu )\). Since \({\mathcal {A}}\) never queried Sign on input \((\mu ^*,I\!D^*)\), \({\mathcal {B}}\) never queried \(({\hat{\mu }}^*,\rho _{_{I\!D^*}})\) to oracle \(\textsf {Sign}_{\textsc {rks}}\), where \({\hat{\mu }}^*=(pk_{_{I\!D^*}},\mu ^*)\). Therefore, if \(\mu ^*\notin M\!sg[I\!D]\), then \({\hat{\mu }}^*\notin M\) where M is the set that was initialized by the challenger (cf. Definition 3). Second, it holds that \(\rho _{_{I\!D^*}}\in {\mathcal {R}}\). This follows from the simulation of the quantum random oracle where, for every possible output \(\gamma _{_{I\!D}}\), \(\gamma _{_{I\!D}}\) is in \({\mathcal {R}}\). Therefore, the validity of the forgery by \({\mathcal {A}}\) yields the validity of the forgery by \({\mathcal {B}}\).
Recall that \(l=2Cq_{_{\textsf {H}}}^3 p\) and as discussed at the beginning of this game, according to Lemma 2, the advantage of the adversary in this game is equal to \(\epsilon \textrm{negl}(n)\frac{1}{2p}\). Assuming the security of the underlying signature scheme RKS, we have that this advantage be negligible. Combined with \(\epsilon >\frac{1}{p}\) (see description of \(\textsf {G}_0\)), this yields that \(\frac{1}{2p}\) is negligible, resulting in a contradiction. Hence, we can conclude that \(\epsilon\), the advantage of \({\mathcal {A}}\), is negligible.
\(\square\)
Latticebased signatures with rerandomizable PK
In this section, we propose a latticebased construction of a signature scheme with rerandomizable public keys RKS (cf. Definition 3) in “Construction” section, set the parameters in “Parameters” section, and prove the security in “Security proof” section.
Construction
In the following, we describe the signature scheme with rerandomizable public keys RKS. The scheme extends the generic construction of latticebased hashandsign signatures LHS. In addition, we define the following algorithms:

GenR is an algorithm that on input \((\textsf {dim},s,\textsf {rnd})\), then outputs an invertible matrix \({\textbf{R}}=[\ {\textbf{r}}_1\mid \cdots \mid {\textbf{r}}_{\textsf {dim}}\ ]\in D_{{\mathbb {Z}}^{\textsf {dim}\times \textsf {dim}},s}\) by using a randomness rnd. As mentioned in Agrawal et al. (2010b), GenR algorithm in practice can be built from a “standard” random function \(h:\{0,1\}^*\rightarrow \{0,1\}^t\) by using h as a coin generator and rnd as the randomness seed for the sampling process in SampleR algorithm (cf. Lemma 5).

As prior works (Alkeilani Alkadri et al. 2020; Das et al. 2019), we also adopt the public key prefixing method which is the common counter measure to against the related key attacks (Das et al. 2019; Morita et al. 2015), i.e., a signature on a message \(\mu\) is computed as \(\textsf {Sign}(sk, (hpk,\mu ))\) where \(hpk:=\textsf {F}(pk)\) and \(\textsf {F}:\{0,1\}^*\rightarrow \{0,1\}^{o(n)}\) is a collisionresistant hash function.
Let \({\mathcal {R}}_{\textsc {r}}:=D_{{m\times m}}\) and \({\mathcal {R}}_{\textsc {l}}:=D_{{n\times n}}\) be the randomness spaces. The matrices \(({\textbf{R}}_{\textsc {l}}, {\textbf{R}}_{\textsc {r}})\in {\mathcal {R}}_{\textsc {l}}\times {\mathcal {R}}_{\textsc {r}}\), output from GenR, play the role in the keys randomization. Specifically, given a valid LHS key pair \((pk:={\textbf {A}}, sk:={\textbf {B}})\), the randomized key pair is computed as \((pk':={\textbf{R}}_{\textsc {l}}{} {\textbf {A}}{\textbf{R}}_{\textsc {r}}, sk':={\textbf{R}}_{\textsc {r}}^{1}{} {\textbf {B}})\) such that \(pk'\cdot sk'={\textbf{0}}\pmod q\). By the item 2 of Lemma 3, the distribution of \(pk'\) is statistically indistinguishable from pk. By the basis randomization algorithm RandBasis that is called by BasisDel algorithm (cf. Lemma 8), the delegation cannot be inverted, i.e., the secret key \({\textbf{B}}\) cannot be revealed from the randomized key \({\textbf{B}}'\). Below we formally describe the RKS scheme. The respective algorithms are formalized in Fig. 5.
RKS.KeyGen: The key generation algorithm RKS.KeyGen takes as input a security parameter and then invokes the algorithm LHS.KeyGen to obtain a key pair (pk, sk) where \(pk:={\textbf{A}}\in {\mathbb {Z}}_q^{n\times m}\) and \(sk:={\textbf{B}}\in {\mathbb {Z}}^{m\times m}\). Then, it computes \(\textsf {hpk}:=\textsf {F}(pk)\), and prepends \(\textsf {hpk}\) to sk. Finally, it outputs (pk, sk).
RKS.RandGen: On input a randomness seed \(\gamma \in \{0,1\}^{o(n)}\), the randomness generation algorithm RKS.RandGen computes \(\rho := ({\textbf{R}}_\textsc {l},{\textbf{R}}_\textsc {r})\in {\mathcal {R}}_\textsc {l}\times {\mathcal {R}}_\textsc {r}\) by \(\textsf {GenR}(m,s,\gamma )\). Finally, it outputs \(\rho\).
RKS.RandPK: On input a public key \(pk={\textbf{A}}\) and the randomness \(\rho :=({\textbf{R}}_\textsc {l},{\textbf{R}}_\textsc {r})\in {\mathcal {R}}_\textsc {l}\times {\mathcal {R}}_\textsc {r}\), the public key randomization algorithm RKS.RandPK computes \({\textbf{A}}'={\textbf{R}}_{\textsc {l}}{\textbf{A}}{\textbf{R}}_{\textsc {r}}\) and sets \(pk':={\textbf{A}}'\). Finally, it outputs \(pk'\).
RKS.RandSK: On input a secret key \(sk=(\textsf {hpk},{\textbf{B}})\) and the randomness \(\rho := ({\textbf{R}}_\textsc {l},{\textbf{R}}_\textsc {r})\in {\mathcal {R}}_\textsc {l}\times {\mathcal {R}}_\textsc {r}\), the secret key randomization algorithm RKS.RandSK computes the randomized basis \({\textbf{B}}'\) in two steps: let \(\bar{{\textbf{A}}}={\textbf{R}}_{\textsc {l}}{\textbf{A}}\), it first computes a basis \(\bar{{\textbf{B}}}\) of \(\mathbf {\mathbf {\Lambda }}_q^{\perp }(\bar{{\textbf{A}}})\) by \(\textsf {ToBasis}({\textbf{B}},{\textbf{B}}_{\textsc {e}})\) where \({\textbf{B}}_{\textsc {e}}\) is an arbitrary ephemeral basis of \(\mathbf {\mathbf {\Lambda }}_q^{\perp }(\bar{{\textbf{A}}})\). Then it computes \({\textbf{B}}'\) by the basis delegation algorithm \(\textsf {BasisDel}(\bar{{\textbf{A}}},\bar{{\textbf{B}}},{\textbf{R}}_{\textsc {r}},s)\), then it computes \({\textbf{A}}'={\textbf{R}}_\textsc {l}{\textbf{A}}{\textbf{R}}_\textsc {r}\) and \(\textsf {hpk}'\leftarrow \textsf {F}({\textbf{A}}')\). Finally, set \(sk':=({\textbf{B}}', \textsf {hpk}')\) and outputs \(sk'\).
RKS.Sign: On input a secret key \(sk'=({\textbf{B}}',\textsf {hpk}')\) and a message \(\mu\), the signing algorithm sets \(\mu ':=(\textsf {hpk}',\mu )\) and calls LHS.Sign\((sk',\mu ')\) to obtain a signature \(({\textbf{e}},{\textbf{r}})\). Finally, it outputs \(({\textbf{e}},{\textbf{r}})\).
RKS.Ver: On input a public key pk, a message \(\mu\), and a signature \(({\textbf{e}},{\textbf{r}})\), the verification algorithm RKS.Ver sets \(\mu ':=(\textsf {hpk}',\mu )\) and outputs the bit obtained by calling LHS.Ver\((pk',\mu ',({\textbf{e}},{\textbf{r}}))\).
Parameters
The correctness of the RKS scheme directly follows from the correctness of the LHS scheme. We explain how to set the parameters. Let n be the security parameter. To ensure that hard lattices with short bases can be generated by BasisGen, we need to set \(m=6n^{1+c}\) where \(c>0\) is a constant such that \(n^{c}>O(\log n)\). To guarantee that the distribution on the output of \(\textsf {SamplePre}\) statistically indistinguishable between the real and simulated world, we need to set the Gaussian parameter s sufficiently large
\(s=O(nm\log q)\cdot \omega (\log ^{2.5}m)\) (cf. the security proof below.)
To ensure the preimage vectors sampled by \(\textsf {SamplePre}\) are not trivial to find (otherwise, the unforgeability is broken), we need to set a norm bound, i.e., the parameter \(\beta\) on those preimage vectors
\(\beta =O((n{m}^{4/3}\log q)^{3/2})\cdot \omega (\log ^{3}m)\) (cf. the security proof below.)
To ensure our construction has a worstcase lattice reduction, by the result that is given by Gentry et al. (2008), it is required to set \(q=\beta \cdot \omega (\!\sqrt{n\log n})\) (at least).
Security proof
In this section, we analyze the EUFCMAHRK security of the scheme RKS in the QROM. More precisely, we reduce its EUFCMAHRK security to the EUFCMA security of the latticebased hashandsign signature scheme LHS described in “Latticebased hashandsign signatures” section. Note that rerandomizability of public keys (cf. Definition 3) follows from the property of Gaussian distribution that is item 2 of Lemma 3. That is, for any public key \({\textbf{A}}\in {\mathbb {Z}}_q^{n\times m}\) which is within negligible statistical distance of uniform over \({\mathbb {Z}}_q^{n\times m}\) since it is generated by BasisGen algorithm, any randomness \(\rho :=({\textbf{R}}_\textsc {l},{\textbf{R}}_\textsc {r})\in {\mathcal {R}}_\textsc {l}\times {\mathcal {R}}_\textsc {r}\), then by the item 2 of Lemma 3, the distribution of \({\textbf{A}}'={\textbf{R}}_\textsc {l}{\textbf{A}}{\textbf{R}}_\textsc {r}\) is within negligible statistical distance of uniform over \({\mathbb {Z}}_q^{n\times m}\). Therefore, the public key \(pk:={\textbf{A}}\) and its randomized public key \(pk':={\textbf{A}}'\) are statistically indistinguishable.
Theorem 3
Set \(s=O(nm\log q)\cdot \omega (\log ^{2.5}m)\) and \(\beta =O((n{m}^{\frac{4}{3}}\log q)^{\frac{3}{2}})\cdot \omega (\log ^{3}m)\). If the signature scheme LHS described in Fig. 3is \((t_{\textsc {lhs}},q_{\textsf {s},\textsc {lhs}},\epsilon _{\textsc {lhs}})\textsf {EUFCMA}\) secure in the QROM, the signature scheme with rerandomizable public keys RKS depicted in Fig. 5is \((t_{\textsc {rks}},q_{\textsf {s},\textsc {rks}},\epsilon _{\textsc {rks}})\textsf {EUFCMAHRK}\) secure in the QROM.
Proof
Let \({\mathcal {A}}\) be an adversary that is able to generate valid forgeries under RKS scheme, i.e., \({\mathcal {A}}\) is able to win the unforgeability game of \(\textsf {EUFCMAHRK}_{\textsf {RKS}}^{{\mathcal {A}}}\) (cf. Definition 4). We construct an algorithm \({\mathcal {B}}\) (depicted in Fig. 6) that runs \({\mathcal {A}}\) as subroutine in order to win the game \(\textsf {EUFCMA}_{\textsf {LHS}}^{{\mathcal {B}}}\) (cf. Definition 2) against the LHS scheme. In the QROM setting, \({\mathcal {A}}\) has quantum access to a random oracle \(\textsf {H}\) and classical access to signing oracle \(\textsf {Sign}\). And the reduction \({\mathcal {B}}\) has quantum access to the random oracle \(\textsf {H}_{\textsc {lhs}}\) and classical access to signing oracle \(\textsf {Sign}_{\textsc {lhs}}\). \({\mathcal {B}}\) obtains as input a public key \(pk_{\textsc {lhs}}:={\textbf{A}}\), then simulates to \({\mathcal {A}}\) as described in the following.
Setup. \({\mathcal {B}}\) uses the public key \(pk_{\textsc {lhs}}\) from the EUFCMA game as the public key \(pk_{\textsc {rks}}\) in its simulation of EUFCMAHRK. In other words, it runs \({\mathcal {A}}\) on input \(pk_{\textsc {rks}}:=pk_{\textsc {lhs}}\) in EUFCMAHRK.
Simulation of Random Oracle Queries. When \({\mathcal {A}}\) queries on random oracle \(\textsf {H}\), \({\mathcal {B}}\) forwards the queries to \(\textsf {H}_{\textsc {lhs}}\) and then forwards the response from \(\textsf {H}_{\textsc {lhs}}\) as the response of \(\textsf {H}\) to \({\mathcal {A}}\).
Simulation of Randomness Queries. When \({\mathcal {A}}\) queries on the oracle Rand, let \({\mathcal {R}}:={\mathcal {I}}_{n\times n}\times {\mathcal {R}}_{\textsc {r}}\), \({\mathcal {B}}\) randomly sample \(\rho\) from \({\mathcal {R}}\), sets \(R:=R\cup \{\rho \}\), and finally returns \(\rho\). Under this setting, by the item 2 of Lemma 3, the randomized public keys \(pk'\) are statistically close to those in the real scheme.
Simulation of Signing Queries. When \({\mathcal {A}}\) queries signing oracle \(\textsf {Sign}\) on input \((pk_\textsc {rks},\mu ,\rho )\), after set \({\mathcal {Q}}:={\mathcal {Q}}\cup \{\mu \}\), \({\mathcal {B}}\) first parses \(\rho :=({\textbf{R}}_{\textsc {l}}, {\textbf{R}}_{\textsc {r}})\) and checks if \(\rho \in R\) otherwise aborts. Then, \({\mathcal {B}}\) computes the randomized public key \(pk'_{\textsc {rks}}\) and \(\textsf {hpk}' \leftarrow \textsf {F}(pk'_{\textsc {rks}})\), sets \(\mu '=(\textsf {hpk}',\mu )\) and then obtain \(({\textbf{e}},{\textbf{r}})\leftarrow \textsf {Sign}_\textsc {lhs}(\mu ')\) by querying its own challenge signing oracle. We note that here \({\mathcal {B}}\) cannot direct output \(({\textbf{R}}_{\textsc {r}}{\textbf{e}},{\textbf{r}})\) as the resulting signature to \({\mathcal {A}}\). The reason is that the Gaussian parameter should be set carefully so that the resulting signature has a correct distribution. We elaborate that as below.
Let \(({\textbf{e}}_\texttt {r},s_\texttt {r})\) and \(({\textbf{e}}_\texttt {s},s_\texttt {s})\) be the (preimage \({\textbf{e}}\), Gaussian parameter s) of the RKS in real world and simulation, respectively. Let \(s_\textsc {lhs}\) be the Gaussian parameter of the LHS scheme. Let \(s_\texttt {BDel}\) be the Gaussian parameter used in the BasisDel algorithm. We first bound the preimage \({\textbf{e}}_\texttt {r}\) and the Gaussian parameter \(s_\texttt {r}\). In the real scheme, \({\textbf{e}}_\texttt {r}\) is sampled by the SamplePre algorithm with the input \(s_\texttt {r}\) and a basis \({\textbf{B}}'\) generated by BasisDel algorithm (in which the RandBasis algorithm is called). By the facts related to these algorithms, we bound \(({\textbf{e}}_\texttt {r},s_\texttt {r})\) as follows.

By Lemma 4, \(\Vert {\textbf{B}}\Vert _{\textsc {gs}}\le L_{\textsc {tg}} = O(\!\sqrt{n\log q})\), where \({\textbf{B}}\) is the basis of \(\mathbf {\Lambda }_q^{\perp }({\textbf{A}})\).

By Lemma 8, \(s_\texttt {BDel}>\Vert {\textbf{B}}\Vert _{\textsc {gs}}\sqrt{nm\log q}\cdot \omega (\log ^{2}m)\).

By Lemma 7, the randomized basis \({\textbf{B}}'\) has the GramSchmidt norm bound \(\Vert {\textbf{B}}'\Vert _{\textsc {gs}}\le s_\texttt {BDel}\sqrt{m}\).

By Lemma 3, it is required to set \(s_\texttt {r}\ge \Vert {\textbf{B}}'\Vert _{\textsc {gs}}\cdot \omega (\!\sqrt{\log m})\).

By item 1 of Lemma 3, \(\Vert {\textbf{e}}_\texttt {r}\Vert \le s_\texttt {r}\cdot \!\sqrt{m}\).
Therefore, we can conclude that the Gaussian parameter \(s_\texttt {r}\) and \(\ell _2\)norm of \({\textbf{e}}_\texttt {r}\) have the following bounds
We next bound the preimage \({\textbf{e}}_\texttt {s}\) and the Gaussian parameter \(s_\texttt {s}\). In the simulation, \({\textbf{e}}_\texttt {s}={{\textbf{R}}}{{\textbf{e}}}\) where \({\textbf{R}}\) is sampled with Gaussian parameter \(s_{\textsc {r}}\) while \({\textbf{e}}\) with \(s_\textsc {lhs}\), so we have the following.

By Lemma 3, \(s_\textsc {lhs}\ge \Vert {\textbf{B}}\Vert _{\textsc {gs}}\cdot \omega (\!\sqrt{\log m})\). Then by Lemma 3 (item 1 and 4), \(\Vert {\textbf{e}}\Vert \le s_\textsc {lhs}\cdot \!\sqrt{m}\).

By Lemma 5, we know \({\textbf{R}}_{\textsc {r}}\in D_{m\times m}\), then by item 1 of Lemma 3, the \(\ell _2\)norm of each column \({\textbf{r}}_i\) of \({\textbf{R}}_{\textsc {r}}\) is bounded as \(\Vert {\textbf{r}}_i\Vert \le s_{\textsc {r}}\sqrt{m}\). Then we can compute the \(\ell _2\)norm bound on the vector \({\textbf{e}}_\texttt {s}={\textbf{R}}_{\textsc {r}}{\textbf{e}}\) is \(s_\textsc {lhs}s_\textsc {r}m\), i.e., \(\Vert {\textbf{e}}_\texttt {s}\Vert \le s_\textsc {lhs}s_\textsc {r}m\).

As we defined \(s_{\textsc {r}}=O(\!\sqrt{n\log q})\cdot \omega (\!\sqrt{\log m})\), we have
$$\begin{aligned} \Vert {\textbf{e}}_\texttt {s}\Vert ~\le ~\Vert {\textbf{B}}\Vert _{\textsc {gs}}\sqrt{n\log q}\cdot \omega (\log m)\cdot m ~\le ~ O(nm\log q)\cdot \omega (\log m) \end{aligned}$$ 
As \({\textbf{e}}_\texttt {s}={\textbf{R}}_{\textsc {r}}{\textbf{e}}\), we have \(s_\textsc {s} = s_\textsc {r}s_\textsc {lhs}\ge O(n\log q)\cdot \omega (\log m)\).
Observe that the Gaussian parameter in simulation (i.e., \(s_\texttt {s}\)) is smaller than it in the real scheme (i.e., \(s_\texttt {r}\)). To make the distribution of the signature tuple \(({\textbf{e}},{\textbf{r}})\) response from oracle Sign statistically close to those in real scheme, by Lemma 3, it is required to set \(s = \textrm{max}\{s_\texttt {r}, s_\texttt {s}\}\), therefore, the Gaussian parameter of the RKS scheme should be set (at least) \(s=O(nm\log q)\cdot \omega (\log ^{2.5}m)\).
Then we analyze how to set the parameter \({\bar{s}}\). Recall that \(\bar{{\textbf{R}}}\in D_{m\times m}\) is sampled with an ephemeral basis \(\bar{{\textbf{B}}}\) of lattice \(\mathbf {\Lambda }_q^\perp ({\textbf{A}}')\) by \((\bar{{\textbf{R}}}, \bar{{\textbf{B}}})\leftarrow \textsf {SampleRwithBasis}({\textbf{A}}')\), then sample a preimage \(\bar{{\textbf{e}}}\) by
where we set \({\bar{s}}=\frac{s}{s_\textsc {r}\sqrt{m}}s_\textsc {lhs}\) and \({\textbf{u}}:=\textsf {H}(\mu ',{\textbf{r}}){\textbf{A}}'\bar{{\textbf{R}}}^{1}{\textbf{e}}\). We can check the following equation holds
Finally, let \({\textbf{e}}'=\bar{{\textbf{R}}}^{1}({\textbf{e}}+\bar{{\textbf{e}}})\) and output \(({\textbf{e}}', {\textbf{r}})\) as the signature (instead of \(({\textbf{e}}_s, {\textbf{r}})\)). As we set \({\bar{s}}=\frac{s}{s_\textsc {r}\sqrt{m}}s_\textsc {lhs}\), by item 1 of Lemma 3, \(\Vert \bar{{\textbf{e}}}\Vert \le \frac{s}{s_\textsc {r}}\). Since \(\bar{{\textbf{R}}}\in D_{m\times m}\) and \(\Vert {\textbf{e}}\Vert \le s_\textsc {lhs}\cdot \!\sqrt{m}\), so we have \(\Vert {\textbf{e}}'\Vert \le s\sqrt{m}\) which is identical with \({\textbf{e}}_r\).
Exploiting the Forgery. When \({\mathcal {A}}\) provides the forgery \((\mu ,({\textbf{e}},{\textbf{r}})),\rho )\), \({\mathcal {B}}\) parses \(\rho :=({\textbf{R}}_\textsc {l},{\textbf{R}}_\textsc {r})\) and computes the randomized public key \({\textbf{A}}'={\textbf{R}}_\textsc {l}{\textbf{A}}{\textbf{R}}_\textsc {r}\). \({\mathcal {B}}\) aborts if the forgery with respect to a queried message, i.e., \(\mu \in M\), or the randomness \(\rho\) is illegal, i.e., \(\rho \notin R\). \({\mathcal {B}}\) also aborts if the forgery is not valid by checking as Line 7 of Fig. 6. Otherwise \({\mathcal {B}}\) outputs \(({\textbf{R}}_{\textsc {r}}{\textbf{e}},{\textbf{r}})\) as the forgery under LHS.
We note that the environment of \({\mathcal {A}}\) is perfectly simulated, and whenever \({\mathcal {A}}\) wins the game \(\textsf {EUFCMAHRK}_{\textsf {RKS}}^{{\mathcal {A}}}\), \({\mathcal {B}}\) wins the game \(\textsf {EUFCMA}_{\textsf {LHS}}^{{\mathcal {B}}}\), hence \(\epsilon _{\textsc {lhs}} = \epsilon _{\textsc {rks}}\). Let \(T_{\textsc {srb}}\), \(T_{\textsc {s}}\), \(T_{\textsc {bd}}\), and \(T_{\textsc {toB}}\) be the maximum running time of SampleRwithBasis, SamplePre, BasisDel, and ToBasis, respectively. To answer each query within \(\{q_{\textsf {s}}\}\), \({\mathcal {B}}\)’s running time is bounded by \(O(T_{\textsc {srb}} + T_{\textsc {s}})\). So the total running time of \({\mathcal {B}}\) in the simulation is bounded by \(O(q_{\textsf {s}}(T_{\textsc {srb}} + T_{\textsc {s}}))\). In the real scheme, the total running time is \(O(q_{\textsf {s}}(T_{\textsc {toB}} + T_{\textsc {bd}} + T_{\textsc {s}}))\). By Theorem 15 of (Agrawal et al. 2010b, full version), we know \(T_{\textsc {srb}} = T_{\textsc {toB}} + T_{\textsc {bd}}\). Therefore, \(t_{\textsc {lhs}} = t_{\textsc {rks}}\).
Below we argue that the \(({\textbf{R}}_{\textsc {r}}{\textbf{e}},{\textbf{r}})\) that \({\mathcal {B}}\) finally outputs is a valid forgery for LHS scheme. After the check at Line 7 of Fig. 6, we know ‘\({\textbf{R}}_{\textsc {r}}\)’, ‘\({\textbf{e}}\)’, and ‘\({\textbf{r}}\)’ are wellformed, so the remained explanation is to show \({\textbf{R}}_{\textsc {r}}{\textbf{e}}\) is sufficiently short and give a concrete bound.

By item 1 of Lemma 3, we have \(\Vert {\textbf{e}}\Vert \le s\sqrt{m}\).

Since \({\textbf{R}}_{\textsc {r}}\in D_{m\times m}\) (by Lemma 5), \(\Vert {\textbf{R}}_{\textsc {r}}\Vert \le s_{\textsc {r}}\sqrt{m}\) (by item 1 of Lemma 3).
Therefore, the parameter \(\beta\), the length bound of the preimage, should be set as \(\beta = s_\textsc {r}sm\) (at least). As we set \(s=O(nm\log q)\cdot \omega (\log ^{2.5}m)\) and defined \(s_{\textsc {r}}=O(\!\sqrt{n\log q})\cdot \omega (\!\sqrt{\log m})\), so set \(\beta =O((n{m}^{4/3}\log q)^{3/2})\cdot \omega (\log ^{3}m)\) is sufficient. \(\square\)
Practical instantiation and implementation
In this section, we present the practical instantiation and implementation of our work. We note that our method is generic which can be applied to a wide range of lattice settings, including the standard lattice given above, the compact lattices defined over polynomial rings (Lyubashevsky et al. 2010) (i.e., number rings) of the form \(R={\mathbb {Z}}[X]/(\mathrm {\Phi }_{n}(X))\) for a cyclotomic polynomial \(\mathrm {\Phi }_{n}(X)=X^n+1\), and the more compact NTRU lattices (Hoffstein et al. 1998). Due to the fact that polynomial rings setting can be instantiated directly using the transformation mechanism outlined in (Micciancio and Peikert 2012, Section 4.3, full version) and the concrete instantiation of signature scheme is provided by Ducas and Micciancio (2014), below we will focus on the latter setting, i.e., instantiation from NTRU lattices.
Specifically, we demonstrate an efficient instantiation of our work from Falcon (Fouque et al. 2018), an NTRU latticebased signature scheme, which is also based on the hashandsign GPV paradigm. Below, we provide the concrete instantiation of our work by instantiating the signature schemes LHS and RKS, respectively.
LHS in Falcon setting
For \(\phi =X^n+1\), a set of NTRU secrets consists of four polynomials \(f,g,F,G\in {\mathbb {Z}}[X]/(\phi )\) which verify the NTRU equation \(fGgF=q \mod \phi\). Provided that f is invertible modulo q, we can define the polynomial \(h:=g\cdot f^{1}\pmod q\). Typically, h will be a public key, whereas f, g, F, G will be secret keys.
Recall there are two algorithms are invoked in LHS scheme (cf. Fig. 3), the basis generation algorithm BasisGen and the preimage Gaussian sampling algorithm SamplePre. In Falcon setting, the basis is composed by the polynomials f, g, F, G in the form , where g, f are coordinatewise sampled from Gaussian distribution over \({\mathbb {Z}}\), then the G, F are computed by a NTRU equation solving procedure NTRUSolve (cf. Fouque et al. (2018, Algorithm 6)). Let the polynomial \(h:=g\cdot f^{1} \pmod q\). The public key is set as \({\textbf{A}}=\big [\ 1\mid h\ \big ]\), secret key . We can check that \({\textbf{A}}\) and \({\textbf{B}}\) are indeed orthogonal, i.e., \({\textbf{A}}\cdot {\textbf{B}}^{\top }={\textbf{0}}\pmod q\). Then the signature is sampled by fast fourier sampling procedure (ffSampling, cf. (Fouque et al. 2018, Algorithm 11)). Formally, a generic hashandsign signature scheme instantiated from Falcon is given below (where the optimization details such as fast fourier transform and compress methods are omitted).

\(\textsf {LHS.KeyGen:}\) The key generation algorithm takes as input a security parameter, it samples each coordinate of g, f from \(D_{{\mathbb {Z}},s_{\{g,f\}}}\) where \(s_{\{g,f\}}\) is specified in “Parameters setting” section, and it will be repeated if the generated polynomial \(f\pmod q\) is noninvertible. Then it computes \(F,G\leftarrow \textsf {NTRUSolve}(f,g)\). Let \(h:=g\cdot f^{1} \pmod q\). The public key is set as \({\textbf{A}}=\big [\ 1\mid h\ \big ]\), secret key . Finally, it outputs \(({\textbf{A}},{\textbf{B}})\).

\(\textsf {LHS.Sign:}\) As same as the signing algorithm in Fig. 3 except that the preimage \({\textbf{e}}\) is sampled by ffSample instead of SamplePre.

\(\textsf {LHS.Ver:}\) As same as the verification algorithm in Fig. 3.
RKS in Falcon setting
We now describe how to instantiate the RKS scheme from the LHS scheme that is instantiated by Falcon as shown in “LHS in Falcon setting” section. The key point is how to instantiate the BasisDel algorithm since it is the core of the session key derivation mechanism. By Lemma 8, we know the BasisDel has three subalgorithms: SampleR, ToBasis, and RandBasis. As we described in Lemma 3, both the SampleR and RandBasis take the Gaussian sampling algorithm as the underlying basic algorithm. In SampleR, the Gaussian sampling algorithm provides the benefit that the preimages are sufficiently short and can be invertible under certain conditions. In RandBasis, the Gaussian sampling algorithm provides the benefit that the sampled preimages are distributed statistically independent with the input basis.

The SampleR is used to generate the randomness, i.e., the short and invertible \(({\textbf{R}}_{\textsc {l}},{\textbf{R}}_{\textsc {r}})\). In Falcon setting, \({\textbf{R}}_{\textsc {l}}=[r_{\textsc {l}}]\), where \(r_{\textsc {l}},r_{\textsc {r}_1},r_{\textsc {r}_2}\) are coordinatewise sampled from \(D_{{\mathbb {Z}},s_{\{g,f\}}}\) (where \(s_{\{g,f\}}\) is set in “Parameters setting” section). As mentioned by Fouque et al. (2018, Algorithm 5), in order to ensure the \(r_{\textsc {l}},r_{\textsc {r}_1},r_{\textsc {r}_2}\) are invertible, they will be coordinatewise resampled until the number theoretic transform of \(r_{\textsc {l}},r_{\textsc {r}_1},r_{\textsc {r}_2}\) does not contain 0 as a coefficient.

Let \({\textbf{A}}'={\textbf{R}}_{\textsc {l}}{\textbf{A}}{\textbf{R}}_{\textsc {r}}=[ r_{\textsc {l}}r_{\textsc {r}_1}  r_{\textsc {l}} h r_{\textsc {r}_2} ]\) be the randomized public key. There are two ways to delegate the secret key. We can compute the randomized secret key
Note that \({\textbf{A}}'\) and \(\bar{{\textbf{B}}}\) are orthogonal, i.e., \({\textbf{A}}'\cdot \bar{{\textbf{B}}}={\textbf{0}}\pmod q\). Due to the \((r_{\textsc {r}_1},r_{\textsc {r}_2})\) are sampled by SampleR, we know \((r_{\textsc {r}_1}^{1}g, r_{\textsc {r}_1}^{1}G, r_{\textsc {r}_2}^{1}f, r_{\textsc {r}_2}^{1}F)\) are independent. Therefore, by Lemma 6, we can transform the \(\bar{{\textbf{B}}}\) to the basis \(\bar{{\textbf{B}}}'\) of \({\textbf{A}}'\). The other way is by the standard method introduced in Falcon. As the LHS.KeyGen instantiated above, we can direct compute the desired basis by invoking the NTRU equation solving procedure, i.e., by computing \((G', F')\leftarrow \textsf {NTRUSolve}(r_{\textsc {r}_1}g, r_{\textsc {r}_2}f)\). As \((r_{\textsc {r}_1}g, r_{\textsc {r}_2}f)\in {\mathbb {Z}}[X]/(\phi )\), the valid solution \((G',F')\) can be found with overwhelming probability (cf. Fouque et al. (2018, Algorithm 11)). Remark: In practice, \(\bar{{\textbf{B}}}'\) is computed in cold wallet, the input \(({\textbf{R}}_{\textsc {l}},{\textbf{R}}_{\textsc {r}})\) would be required to resample when the NTRUSolve output \(\perp\). Therefore, the overwhelming probability for generating the correctdistributed \(\bar{{\textbf{B}}}'\) is necessary for wallet systems to deploy in hot/cold setting.

But we cannot output the derived session secret key \(\bar{{\textbf{B}}}'\) directly, as leaking \(\bar{{\textbf{B}}}'\) would allow an adversary who knows \({\textbf{R}}\) to easily reveal the secret information with respect to \({\textbf{B}}\). To address this issue, we use the RandBasis algorithm, which is actually realized by Gaussian sampling algorithm SamplePre (cf. (Cash et al. 2010, Lemma 3.3, full version)). In the Falcon setting, we use the fast Fourier sampling algorithm ffSampling instead of the SamplePre algorithm given in Lemma 3. The RandBasis algorithm takes as input the basis \(\bar{{\textbf{B}}}'\) and a Gaussian paramemter \(s_{\texttt {Rand}}\) (which is specified in “Parameters setting” section), and outputs a randomized basis \({\textbf{B}}'\), that is
$$\begin{aligned} {\textbf{B}}'\leftarrow \textsf {RandBasis}(\bar{{\textbf{B}}}',s_{\texttt {Rand}}) \end{aligned}$$By the property of RandBasis, specifically the property of ffSampling, \({\textbf{B}}'\) is distributed statistically independent with \(\bar{{\textbf{B}}}'\). This means that even if an adversary knows the randomness \({\textbf{R}}\), who cannot obtain any useful information about \({\textbf{B}}\) or \(\bar{{\textbf{B}}}'\) from the randomized basis \({\textbf{B}}'\).
Based on the key derivation mechanism instantiated above, below we present the RKS scheme. Since the algorithms of RKS.KeyGen, RKS.Sign, and RKS.Ver directly call the corresponding algorithm from the underlying LHS scheme, we will only focus on the algorithms of RKS.RandGen, RKS.RandPK, and RKS.RandSK.

\(\textsf {RKS.RandGen:}\) As same as the randomness generation algorithm in Fig. 5 except the output \({\textbf{R}}_{\textsc {l}}=[r_{\textsc {l}}]\), is constructed by polynomials \((r_{\textsc {l}},r_{\textsc {r}_1},r_{\textsc {r}_2})\) from \({\mathbb {Z}}[X]/(\phi )\) instead of a square matrix from \({\mathbb {Z}}^{m\times m}\).

\(\textsf {RKS.RandPK:}\) On input the public key \({\textbf{A}}=\big [\ 1\mid h\ \big ]\) and the randomness \(\rho :=({\textbf{R}}_{\textsc {l}},{\textbf{R}}_{\textsc {r}})\), compute the randomized public key \({\textbf{A}}'={\textbf{R}}_{\textsc {l}}{\textbf{A}}{\textbf{R}}_{\textsc {r}}=\big [\ r_{\textsc {l}}r_{\textsc {r}_1}\mid r_{\textsc {l}}hr_{\textsc {r}_2}\ \big ]\). Finally, it outputs \({\textbf{A}}'\).

\(\textsf {RKS.RandSK:}\) On input the secret key and a randomness \({\textbf{R}}\), compute the randomized secret key \({\textbf{B}}'\leftarrow \textsf {BasisDel}({\textbf{A}},{\textbf{B}},{\textbf{R}},s)\) where the Gaussian parameter s is specified in “Parameters setting” section. Finally, it outputs \({\textbf{B}}'\).
The security of the instantiated RKS scheme can be proven in the same way as the standard RKS scheme in “Security proof” section, since the simulation tool SampleRwithBasis can be instantiated directly in the Falcon setting. Specifically, as mentioned in Section 3.2 of Agrawal et al. (2010b), the SampleRwithBasis algorithm actually consists of two subalgorithms, namely BasisGen and SampleR, which are instantiated as above.
Parameters setting
We now discuss the parameters setting. Given that we would conduct the concrete experiment to examine the practical effectiveness of our instantiated schemes, we can no longer solely discuss the parameters in the asymptotic sense based on security proofs as in “Parameters” section; we must also quantify the reduction costs induced in the security reduction, and evaluate the impact of the quantified results on our implementation, thereby determining the basic parameter, i.e., the security bit level.
On Security Level. Given that we have selected Alkeilani Alkadri’s work (Alkeilani Alkadri et al. 2020) as our baseline for comparison, which is instantiated from the latticebased signature scheme qTESLA (Alkim et al. 2020) while our work is Falcon. Due to both qTESLA and Falcon stated the bit security level in the same BKZ cost model (Chen and Nguyen 2011), we adopt the latest method (Albrecht et al. 2019) that is \(0.265 B + 16.4 + \log (8n)\) for the hardness estimation of our parameters, where B is the BKZ block size and n is the ring degree. We estimate the complexity of the best attack as equivalent to a BKZ with block size \(B=497\) and ring degree \(n=512\), then we can compute the bit security level is 160 bits. Therefore, for any algorithm \({\mathcal {A}}\) with running time t and advantage \(\epsilon\) in breaking the corresponding security, it holds that \(t/\epsilon \ge 2^{160}\).
Informally, there are three levels for our schemes, from bottom to top they are LHS, RKS, and DW. The reduction from the EUFCMA security of LHS to the EUFCMAHRK security of RKS in the QROM, as proved in Theorem 3, is perfectly simulated. The reduction from the EUFCMAHRK secure of RKS to the DWUF secure of DW in the QROM, as proved in Theorem 2, is at a factor p additive reduction loss. Therefore, there is an additive reduction loss of p in total. From Theorems 2, 3, we compute the bit security level of our wallet schemes, considering an algorithm \({\mathcal {A}}\) with the runtime and advantage \((t', \epsilon ')\) in attacking the DWUF security of scheme DW, where \(t'=t\) and \(\epsilon '=\epsilon + l\) for the reduction loss l respect to p, and where \((t, \epsilon )\) denote the runtime and advantage of the related adversary in attacking the EUFCMA security of the LHS scheme. Thus, we obtain
As we defined in Theorem 2, \(p=p(n)\) such that \(p(n)>1/{\epsilon (n)}\) where \(\epsilon (n)\) is the adversary’s negligible advantage, hence the item \(2^{160}\cdot l/\epsilon\) is negligible.
On Concrete Parameters. We clarify that we cannot use exactly the same parameters proposed for Falcon due to the randomized operations in our work. Specifically, in the process of BasisDel, the operation of randomizing the \({\textbf {B}}\) to \(\bar{{\textbf{B}}}\) by multiplying \({\textbf {R}}_{\textsc {r}}\), i.e., \(\bar{{\textbf{B}}}={\textbf{R}}_{\textsc {r}}^{1}{\textbf{B}}^{\top }\), and the invoked subalgorithm RandBasis, both of which would enlarge the norm of the final output \({\textbf {B}}'\). Therefore, in the signing phase, the input Gaussian parameter s would be larger than the one in Falcon. Accordingly, the parameter \(\beta\) that is the norm bound on the preimages would also be larger. To better understand the interplay of the parameters, we recommend the Fouque et al. (2018, Fig. 2.1), and in Table 1 we give a concrete parameters setting and below we give the concrete computation. Concretely, by the parameters summary given in Falcon (cf. Section 2.6 of Fouque et al. 2018), we have the following parameters relations:
where \(w = \frac{1}{\pi }\cdot \sqrt{\log {(4n(1+\frac{1}{\varepsilon }))}/2}\) and \(\varepsilon \le 1/\sqrt{q_{_{\textsf {S}}}}\). Recall \(q_{_{\textsf {S}}}\) denotes the maximal number of signing queries in our definition, following Falcon, we set \(q_{_{\textsf {S}}}=2^{64}\). To make our implementation be NTT (Number Theoretic Transform) friendly, the modulus q needs to be the form \(k\cdot 2n + 1\) in order to maximize the efficiency of the NTT. We use the smallest prime of this form, that is \(q = 12\cdot 1024 + 1 = 12289\).
By the parameter relations given above, we have
Implementation
In this section, we analyze the performance that can be achieved in a cryptocurrency system when employing the RKS instantiated from Falcon. Below, we explain how to analyze the transaction throughput, which is an important measure for the wallet schemes when considering deployment in the practical scenario of cryptocurrency system. As mentioned in Alkeilani Alkadri et al. (2020), a transaction (tx) on blockchains must usually consist of a public key pk and the signature \(\sigma\) that was signed by the sender such that the validity of the transaction can be verified. The raw transaction size (i.e., exclude the size of pk and \(\sigma\)) of a cryptocurrency system, such as Bitcoin, is roughly 100 Bytes (WIKI 2019). Therefore, the size of a transaction should be estimated as
tx’s size = 100 Bytes + pk’s + \(\sigma\)’s
When instantiating our wallet scheme with Falcon, the pk size \(= 897\) Bytes and signature size \(=23755\) Bytes (cf. Table 2) for a postquantum security level of 160 bits. Therefore, the size of a tx would then result in 100 Bytes + 897 Bytes + 23755 Bytes \(\approx 24.07\) KB.
To demonstrate the performance of our work, under the concrete parameters given in Table 1, we show a comparison in Tables 2 and 3 (for the clarity of comparison results, the optimal items are presented in bold type) with the stateoftheart work (Alkeilani Alkadri et al. 2020) that is also instantiated from lattices and proven in the quantum random oracle. To show the comparison comprehensively, we consider the transaction throughput, concrete parameters size (such as public key, etc.), and concrete computation time (on AVX2optimized implementations).
For the concrete implementation, we implement the work (Alkeilani Alkadri et al. 2020) and ours by using Clanguage in the environment 3.4GHz Intel(R) Core(TM) i76600U CPU, 16GB Memory, and the operating system ubuntu 20.04 LTS. We perform the basic operations over polynomials via NTT, the analogy of the FFT (Fast Fourier Transform) in the field \({\mathbb {Z}}_q\) for a prime q such that \(q = 1\mod 2n\). Under this setting, \(\phi\) has n roots \(\{\tau _i\}\) over \({\mathbb {Z}}_q\), and any polynomial \(f\in {\mathbb {Z}}_q[x]/\phi\) can be represented by the values \(f(\tau _i)\). The conversion to and from NTT representation can be performed efficiently in \(O(n\log n)\) operations in \({\mathbb {Z}}_q\). When conducting our experiment in NTT representation, additions, subtractions, multiplications and divisions of polynomials (i.e., modulo \(\phi\) and q) can be performed coordinatewise in \({\mathbb {Z}}_q\).
Conclusion and future works
In this paper, we present an efficient deterministic wallet scheme in the quantum random oracle model. Particularly, we provide a new construction method for postquantum secure deterministic wallet schemes, which enables efficient instantiation. To demonstrate that, we present an efficient instantiation from the NTRU latticebased signature scheme Falcon, and show an implementation. By comparison with the stateoftheart deterministic wallet under the same security level, our work has a comprehensive improvement. While this is the case, the signature size of our scheme is easily affected by the trapdoor quality degradation caused by lattice basis delegation. That is to say, it is worth investigating how to design a latticebased derivation algorithm that is suitable for key derivation in wallet schemes, specifically an algorithm that produces trapdoors of higher quality, then the signature size and transaction throughput of the scheme would be further improved.
Availability of data and materials
Not applicable.
Notes
In latticebased cryptosystems, the lattice basis often plays the role of a trapdoor. The quality of the socalled basis or trapdoor refers to the size of the basis under certain measures (such as the maximal Gram–Schmidt length used in Gentry et al. (2008), Agrawal et al. (2010a, b), Cash et al. (2010) and this paper, or the maximum singular value used in Micciancio and Peikert (2012), Ducas and Micciancio (2014)), and its value is usually smaller, representing better quality.
References
Agrawal S, Boneh D, Boyen X (2010a) Efficient lattice (H)IBE in the standard model. In: Gilbert H (ed) Advances in Cryptology  EUROCRYPT 2010, 29th annual international conference on the theory and applications of cryptographic techniques, Monaco/French Riviera, May 30–June 3, 2010. Proceedings. LNCS, vol 6110, pp 553–572. Springer, Heidelberg. https://doi.org/10.1007/9783642131905_28
Agrawal S, Boneh D, Boyen X (2010b) Lattice basis delegation in fixed dimension and shorterciphertext hierarchical IBE. In: Rabin T (ed) CRYPTO 2010. Springer, Santa Barbara, pp 98–115
Ajtai M (1996) Generating hard instances of lattice problems. In: STOC 1996. ACM, Pennsylvania, USA, pp 99–108
Albrecht MR, Ducas L, Herold G, Kirshanova E, Postlethwaite EW, Stevens M (2019) The general sieve kernel and new records in lattice reduction. In: EUROCRYPT 2019, Darmstadt, Germany. Springer, pp 717–746
Alkeilani Alkadri N, Das P, Erwig A, Faust S, Krämer J, Riahi S, Struck P (2020) Deterministic wallets in a quantum world. In: CCS 2020. ACM, Gather.town (a virtual platform), pp 1017–1031
Alkim E, Barreto PS, Bindel N, Krämer J, Longa P, Ricardini JE (2020) The latticebased digital signature scheme qTESLA. In: Conti M, Zhou J, Casalicchio E, Spognardi A (eds) ACNS 2020. Springer, Rome, pp 441–460
Alwen J, Peikert C (2009) Generating shorter bases for hard random lattices. In: Albers S, Marion J (eds) STACS 2009, Freiburg, Germany, pp 75–86
Ambainis A, Hamburg M, Unruh D (2019) Quantum security proofs using semiclassical oracles. In: Boldyreva A, Micciancio D (eds) CRYPTO 2019. Springer, Santa Barbara, pp 269–295
Bellare M, Rogaway P (1993) Random oracles are practical: a paradigm for designing efficient protocols. In: Denning DE, Pyle R, Ganesan R, Sandhu RS, Ashby V (eds) CCS 1993. ACM, Virginia, pp 62–73
Boneh D, Dagdelen Ö, Fischlin M, Lehmann A, Schaffner C, Zhandry M (2011) Random oracles in a quantum world. In: Lee DH, Wang X (eds) ASIACRYPT 2011. Springer, Seoul, pp 41–69
Buterin V (2013) Deterministic Wallets, Their Advantages and Their Understated Flaws, https://bitcoinmagazine.com/articles/deterministicwalletsadvantagesflaw1385450276
Cash D, Hofheinz D, Kiltz E, Peikert C (2010) Bonsai trees, or how to delegate a lattice basis. In: Gilbert H (ed) EUROCRYPT 2010. Springer, Monaco, pp 523–552
Chailloux A, DebrisAlazard T (2020) Tight and optimal reductions for signatures based on average trapdoor preimage sampleable functions and applications to codebased signatures. In: PKC 2020. Springer, Virtual, pp 453–479
Chen Y, Nguyen PQ (2011) Bkz 2.0: Better lattice security estimates. In: ASIACRYPT 2011, Seoul, South Korea. Springer, pp 1–20
Das P, Erwig A, Faust S, Loss J, Riahi S (2021) The exact security of BIP32 wallets. In: CCS 2021. ACM, Seoul, South Korea, pp 1020–1042
Das P, Faust S, Loss J (2019) A formal treatment of deterministic wallets. In: CCS 2019. ACM, New York, pp 651–668
Di Luzio A, Francati D, Ateniese G (2020) Arcula: A secure hierarchical deterministic wallet for multiasset blockchains. In: Krenn S, Shulman H, Vaudenay S (eds) CANS 2020. Springer, Virtual, pp 323–343
Ducas L, Micciancio D (2014) Improved short lattice signatures in the standard model. In: CRYPTO 2014, Santa Barbara, USA, pp 335–352
Erwig A, Riahi S (2022) Deterministic wallets for adaptor signatures. In: ESORICS 2022. Springer, Copenhagen, Denmark, pp 487–506
Espitau T, Tibouchi M, Wallet A, Yu Y (2022) Shorter hashandsign latticebased signatures. In: Dodis STY (ed) CRYPTO 2022. Springer, Santa Barbara, pp 245–275
Fan CI, Tseng YF, Su HP, Hsu RH, Kikuchi H (2020) Secure hierarchical bitcoin wallet scheme against privilege escalation attacks. Int J Inf Secur 19(3):245–255
Fleischhacker N, Krupp J, Malavolta G, Schneider J, Schröder D, Simkin M (2016) Efficient unlinkable sanitizable signatures from signatures with rerandomizable keys. In: Cheng C, Chung K, Persiano G, Yang B (eds) PKC 2016. Springer, Taipei, pp 301–330
Fouque PA, Hoffstein J, Kirchner P, Lyubashevsky V, Pornin T, Prest T, Ricosset T, Seiler G, Whyte W, Zhang Z (2018) Falcon: fastFourier latticebased compact signatures over NTRU. Submission to the NIST’s postquantum cryptography standardization process 36(5)
Gentry C, Peikert C, Vaikuntanathan V (2008) Trapdoors for hard lattices and new cryptographic constructions. In: Dwork C (ed) STOC 2008, Victoria, British Columbia, Canada, May 17–20. ACM, New York, pp 197–206
Goldwasser S, Micali S, Rivest RL (1988) A digital signature scheme secure against adaptive chosenmessage attacks. SIAM J Comput 17(2):281–308
Gutoski G, Stebila D (2015) Hierarchical deterministic bitcoin wallets that tolerate key leakage. In: FC 2015. Springer, Puerto Rico, pp 497–504
Hoffstein J, Pipher J, Silverman JH (1998) NTRU: a ringbased public key cryptosystem. In: ANTS 1998. Springer, Heidelberg, pp 267–288
Li S, Chen Y, Chen L, Liao J, Kuang C, Li K, Liang W, Xiong N (2023) Postquantum security: opportunities and challenges. Sensors 23(21):8744
Liu Z, Yang G, Wong DS, Nguyen K, Wang H, Ke X, Liu Y (2022) Secure deterministic wallet and stealth address: keyinsulated and privacypreserving signature scheme with publicly derived public key. IEEE Trans Dependable Secure Comput 19(5):2934
Liu W, Liu Z, Nguyen K, Yang G, Yu Y (2020) A latticebased keyinsulated and privacypreserving signature scheme with publicly derived public key. In: ESORICS 2022. Springer, Copenhagen, Denmark, pp 357–377
Liu Z, Yang G, Wong DS, Nguyen K, Wang H (2019) Keyinsulated and privacypreserving signature scheme with publicly derived public key. In: EuroS &P 2019. IEEE, Stockholm, Sweden, pp 215–230
Lyubashevsky V (2009) Fiat–Shamir with aborts: applications to lattice and factoringbased signatures. In: Matsui M (ed) ASIACRYPT 2009. Springer, Tokyo, pp 598–616
Lyubashevsky V (2012) Lattice signatures without trapdoors. In: Pointcheval D, Johansson T (eds) EUROCRYPT 2012. LNCS, vol 7237. Springer, Cambridge, pp 738–755
Lyubashevsky V, Peikert C, Regev O (2010) On ideal lattices and learning with errors over rings. In: Gilbert H (ed) EUROCRYPT 2010. Springer, French Riviera, pp 1–23
Micciancio D, Goldwasser S (2002) Complexity of lattice problems: a cryptographic perspective, vol 671. Kluwer Academic Publishers, Boston
Micciancio D, Peikert C (2012) Trapdoors for lattices: simpler, tighter, faster, smaller. In: Pointcheval D, Johansson T (eds) EUROCRYPT 2012. Springer, Cambridge, pp 700–718
Morita H, Schuldt JC, Matsuda T, Hanaoka G, Iwata T (2015) On the security of the Schnorr signature scheme and DSA against relatedkey attacks. In: ICISC 2015. Springer, Seoul, South Korea, pp 20–35
Nakamoto S (2009) Bitcoin: a peertopeer electronic cash system. http://bitcoin.org/bitcoin.pdf
NIST (2021) FIPS Pub 1864  Digital Signature Standard (DSS), https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.1864.pdf
Rivest RL, Shamir A, Adleman L (1978) A method for obtaining digital signatures and publickey cryptosystems. Commun ACM 21(2):120–126
Shor PW (1994) Algorithms for quantum computation: discrete logarithms and factoring. In: FOCS 1994. IEEE, Santa Fe, New Mexico, pp 124–134
Unruh D (2015) Revocable quantum timedrelease encryption. J ACM 62(6):1–76
WIKI (2019) Bitcoin wiki transaction format. In: Accessed: 20200504. https://en.bitcoin.it/wiki/Transaction
Yin X, Liu Z, Yang G, Chen G, Zhu H (2022) Secure hierarchical deterministic wallet supporting stealth address. In: Atluri V, Di Pietro R, Jensen CD, Meng W (eds) ESORICS 2022. Springer, Copenhagen
Zhandry M (2021) How to construct quantum random functions. J ACM 68(5):1–43
Acknowledgements
Not applicable.
Funding
This research was supported by the National Natural Science Foundation of China (62072305).
Author information
Authors and Affiliations
Contributions
The first author completed the main work of the paper and drafted the manuscript; The second and third authors participated in problem discussions and improvements of the manuscript. All authors read and approved the final manuscript.
Corresponding author
Ethics declarations
Competing interests
The authors declare no competing interests.
Additional information
Publisher's Note
Springer Nature remains neutral with regard to jurisdictional claims in published maps and institutional affiliations.
The main contribution of this paper is presenting an efficient deterministic wallet scheme in the quantum random oracle model. Particularly, we provide a new construction method for postquantum secure deterministic wallet schemes, which enables efficient instantiation. To demonstrate that, we present an efficient instantiation from the NTRU latticebased signature scheme Falcon, and show an implementation. By a comparison with the stateoftheart deterministic wallet under the same security level, our work has a comprehensive improvement.
Rights and permissions
Open Access This article is licensed under a Creative Commons Attribution 4.0 International License, which permits use, sharing, adaptation, distribution and reproduction in any medium or format, as long as you give appropriate credit to the original author(s) and the source, provide a link to the Creative Commons licence, and indicate if changes were made. The images or other third party material in this article are included in the article's Creative Commons licence, unless indicated otherwise in a credit line to the material. If material is not included in the article's Creative Commons licence and your intended use is not permitted by statutory regulation or exceeds the permitted use, you will need to obtain permission directly from the copyright holder. To view a copy of this licence, visit http://creativecommons.org/licenses/by/4.0/.
About this article
Cite this article
Hu, M., Liu, Z. & Zhou, Y. Efficient postquantum secure deterministic wallet scheme. Cybersecurity 7, 24 (2024). https://doi.org/10.1186/s4240002400216w
Received:
Accepted:
Published:
DOI: https://doi.org/10.1186/s4240002400216w