Tighter reduction for lattice-based multisignature

Masayuki Fukumitsu, Shingo Hasegawa

    Research output: Contribution to journal › Article › peer-review


    Multisignatures enable multiple users to sign a message interactively. Many instantiations of multisignatures have been proposed; however, most of them are quantum-insecure because they are based on the integer factoring assumption or the discrete logarithm assumption. Although there exist some constructions based on lattice problems, which are believed to be quantum-secure, their security reductions are loose. In this paper, we aim to improve the tightness of the security reduction of lattice-based multisignature schemes. Our basic strategy is to combine the multisignature scheme proposed by El Bansarkhani and Sturm with the lattice-based signature scheme by Abdalla, Fouque, Lyubashevsky, and Tibouchi, which has a tight security reduction from the Ring-LWE (Ring Learning with Errors) assumption. Our result shows that proof techniques for standard signature schemes can be applied to multisignature schemes, and that we can thereby improve the polynomial loss factor concerning the Ring-LWE assumption. Our second result addresses the problem in the security proofs of existing lattice-based multisignature schemes pointed out by Damgård, Orlandi, Takahashi, and Tibouchi. We employ a new cryptographic assumption, called the Rejected-Ring-LWE assumption, to complete the security proof.

    Original language: English
    Pages (from-to): 1685-1697
    Number of pages: 13
    Journal: IEICE Transactions on Fundamentals of Electronics, Communications and Computer Sciences
    Issue number: 12
    Publication status: Published - 2021


    • Lattice cryptography
    • Multisignature
    • Ring-LWE
    • Tight security

    ASJC Scopus subject areas

    • Signal Processing
    • Computer Graphics and Computer-Aided Design
    • Electrical and Electronic Engineering
    • Applied Mathematics

