Threshold Raccoon: Practical Threshold Signatures from Standard Lattice Assumptions

Source: IACR Eurocrypt
Authors: Rafael del Pino, PQShield , Shuichi Katsumata, PQShield, National Institute of Advanced Industrial Science and Technology, Mary Maller, PQShield, Ethereum Foundation Fabrice Mouhartem, Fabrice Mouhartem, XWiki/CryptPad, Thomas Prest, PQShield, Markku-Juhani Saarinen, PQShield, Tampere University

Abstract

Threshold signatures improve both availability and security of digital signatures by splitting the signing key into N shares handed out to different parties. Later on, any subset of at least T parties can cooperate to produce a signature on a given message. While threshold signatures have been extensively studied in the pre-quantum setting, they remain sparse from quantum-resilient assumptions. We present the first efficient lattice-based threshold signatures with signature size 13 KiB and communication cost 40 KiB per user, supporting a threshold size as large as 1024 signers. We provide an accompanying high performance implementation. The security of the scheme is based on the same assumptions as Dilithium, a signature recently selected by NIST for standardisation which, as far as we know, cannot easily be made threshold efficiently. All operations used during signing are due to symmetric primitives and simple lattice operations; in particular our scheme does not need heavy tools such as threshold fully homomorphic encryption or homomorphic trapdoor commitments as in prior constructions. The key technical idea is to use one-time additive masks to mitigate the leakage of the partial signing keys through partial signatures.