Round-Optimal Lattice-Based Threshold Signatures, Revisited

Authors Shweta Agrawal, Damien Stehlé, Anshu Yadav

Thumbnail PDF


  • Filesize: 0.85 MB
  • 20 pages

Document Identifiers

Author Details

Shweta Agrawal
  • Indian Institute of Technology, Madras, India
Damien Stehlé
  • ENS de Lyon, France
  • Institut Universitaire de France, Paris, France
Anshu Yadav
  • Indian Institute of Technology, Madras, India


Part of the research corresponding to this work was conducted while the authors were visiting the Simons Institute for the Theory of Computing.

Cite AsGet BibTex

Shweta Agrawal, Damien Stehlé, and Anshu Yadav. Round-Optimal Lattice-Based Threshold Signatures, Revisited. In 49th International Colloquium on Automata, Languages, and Programming (ICALP 2022). Leibniz International Proceedings in Informatics (LIPIcs), Volume 229, pp. 8:1-8:20, Schloss Dagstuhl – Leibniz-Zentrum für Informatik (2022)


Threshold signature schemes enable distribution of the signature issuing capability to multiple users, to mitigate the threat of signing key compromise. Though a classic primitive, these signatures have witnessed a surge of interest in recent times due to relevance to modern applications like blockchains and cryptocurrencies. In this work, we study round-optimal threshold signatures in the post-quantum regime and improve the only known lattice-based construction by Boneh et al. [CRYPTO'18] as follows: - Efficiency. We reduce the amount of noise flooding used in the construction from 2^Ω(λ) down to √Q, where Q is the bound on the number of generated signatures and λ is the security parameter. By using lattice hardness assumptions over polynomial rings, this allows to decrease the signature bit-lengths from Õ(λ³) to Õ(λ), bringing them significantly closer to practice. Our improvement relies on a careful analysis using Rényi divergence rather than statistical distance in the security proof. - Instantiation. The construction of Boneh et al. requires a standard signature scheme to be evaluated homomorphically. To instantiate this, we provide a homomorphism-friendly variant of Lyubashevsky’s signature [EUROCRYPT '12] which achieves low circuit depth by being "rejection-free" and uses an optimal, moderate noise flooding of √Q, matching the above. - Towards Adaptive Security. The construction of Boneh et al. satisfies only selective security, where all the corrupted parties must be announced before any signing query is made. We improve this in two ways: in the Random Oracle Model, we obtain partial adaptivity where signing queries can be made before the corrupted parties are announced but the set of corrupted parties must be announced all at once. In the standard model, we obtain full adaptivity, where parties can be corrupted at any time but this construction is in a weaker pre-processing model where signers must be provided correlated randomness of length proportional to the number of signatures, in an offline preprocessing phase.

Subject Classification

ACM Subject Classification
  • Security and privacy → Cryptography
  • Post-Quantum Cryptography
  • Lattices
  • Threshold Signatures


  • Access Statistics
  • Total Accesses (updated on a weekly basis)
    PDF Downloads


  1. Submission requirements and evaluation criteria for the post-quantum cryptography standardization process. URL:, 2017.
  2. Shweta Agrawal, Damien Stehlé, and Anshu Yadav. Round-optimal lattice-based threshold signatures, revisited. Cryptology eprint Archive, 2022. Google Scholar
  3. Martin R Albrecht and Amit Deo. Large modulus ring-LWE ≥ module-LWE. In ASIACRYPT, 2017. Google Scholar
  4. Erdem Alkim, Léo Ducas, Thomas Pöppelmann, and Peter Schwabe. Post-quantum key exchange—a new hope. In USENIX Security, 2016. Google Scholar
  5. Shi Bai, Tancrède Lepoint, Adeline Roux-Langlois, Amin Sakzad, Damien Stehlé, and Ron Steinfeld. Improved security proofs in lattice-based cryptography: using the Rényi divergence rather than the statistical distance. J. Cryptol., 2018. Google Scholar
  6. Rikke Bendlin and Ivan Damgård. Threshold decryption and zero-knowledge proofs for lattice-based cryptosystems. In TCC, 2010. Google Scholar
  7. Rikke Bendlin, Sara Krehbiel, and Chris Peikert. How to share a lattice trapdoor: threshold protocols for signatures and (H) IBE. In ACNS, 2013. Google Scholar
  8. Andrej Bogdanov, Siyao Guo, Daniel Masny, Silas Richelson, and Alon Rosen. On the hardness of learning with rounding over small modulus. In TCC, 2016. Google Scholar
  9. Dan Boneh, Rosario Gennaro, Steven Goldfeder, Aayush Jain, Sam Kim, Peter M. R. Rasmussen, and Amit Sahai. Threshold cryptosystems from threshold fully homomorphic encryption. In CRYPTO, 2018. Google Scholar
  10. Joppe Bos, Craig Costello, Léo Ducas, Ilya Mironov, Michael Naehrig, Valeria Nikolaenko, Ananth Raghunathan, and Douglas Stebila. Frodo: Take off the ring! practical, quantum-secure key exchange from LWE. In ACM CCS, 2016. Google Scholar
  11. Zvika Brakerski, Craig Gentry, and Vinod Vaikuntanathan. (Leveled) fully homomorphic encryption without bootstrapping. In ITCS, 2012. Google Scholar
  12. Zvika Brakerski and Vinod Vaikuntanathan. Efficient fully homomorphic encryption from (standard) LWE. In FOCS, 2011. Google Scholar
  13. Ran Canetti, Rosario Gennaro, Steven Goldfeder, Nikolaos Makriyannis, and Udi Peled. UC non-interactive, proactive, threshold ECDSA with identifiable aborts. In CCS, 2020. Google Scholar
  14. Guilhem Castagnos, Dario Catalano, Fabien Laguillaumie, Federico Savasta, and Ida Tucker. Two-party ECDSA from hash proof systems and efficient instantiations. In CRYPTO, 2019. Google Scholar
  15. Guilhem Castagnos, Dario Catalano, Fabien Laguillaumie, Federico Savasta, and Ida Tucker. Bandwidth-efficient threshold EC-DSA. In PKC, 2020. Google Scholar
  16. Jung Hee Cheon, Kyoohyung Han, Andrey Kim, Miran Kim, and Yongsoo Song. Bootstrapping for approximate homomorphic encryption. In Jesper Buus Nielsen and Vincent Rijmen, editors, EUROCRYPT, 2018. Google Scholar
  17. Jung Hee Cheon, Andrey Kim, Miran Kim, and Yongsoo Song. Homomorphic encryption for arithmetic of approximate numbers. In ASIACRYPT, 2017. Google Scholar
  18. Ilaria Chillotti, Nicolas Gama, Mariya Georgieva, and Malika Izabachène. TFHE: fast fully homomorphic encryption over the torus. Journal of Cryptology, 2020. Google Scholar
  19. Daniele Cozzo and Nigel P. Smart. Sharing the LUOV: threshold post-quantum signatures. In IMACC, 2019. Google Scholar
  20. Anders Dalskov, Claudio Orlandi, Marcel Keller, Kris Shrishak, and Haya Shulman. Securing DNSSEC keys via threshold ECDSA from generic MPC. In ESORICS, 2020. Google Scholar
  21. Ivan Damgård, Thomas Pelle Jakobsen, Jesper Buus Nielsen, Jakob Illeborg Pagter, and Michael Bæksvang Østergård. Fast threshold ECDSA with honest majority. In SCN, 2020. Google Scholar
  22. Ivan Damgård, Claudio Orlandi, Akira Takahashi, and Mehdi Tibouchi. Two-round n-out-of-n and multi-signatures and trapdoor commitment from lattices. In PKC, 2021. Google Scholar
  23. Yvo Desmedt. Threshold cryptography. European Transactions on Telecommunications, 1994. Google Scholar
  24. Jack Doerner, Yashvanth Kondi, Eysa Lee, and Abhi Shelat. Secure two-party threshold ECDSA from ECDSA assumptions. In S& P, 2018. Google Scholar
  25. Jack Doerner, Yashvanth Kondi, Eysa Lee, and Abhi Shelat. Threshold ECDSA from ECDSA assumptions: The multiparty case. In S&P, 2019. Google Scholar
  26. Léo Ducas and Daniele Micciancio. FHEW: bootstrapping homomorphic encryption in less than a second. In EUROCRYPT, 2015. Google Scholar
  27. Léo Ducas and Thomas Prest. Fast Fourier orthogonalization. In ISSAC, 2016. Google Scholar
  28. Pierre-Alain Fouque, Jeffrey Hoffstein, Paul Kirchner, Vadim Lyubashevsky, Thomas Pornin, Thomas Prest, Thomas Ricosset, Gregor Seiler, William Whyte, and Zhenfei Zhang. Falcon: Fast-Fourier lattice-based compact signatures over NTRU. Specification v1.0, available at URL:
  29. Tore Kasper Frederiksen, Marcel Keller, Emmanuela Orsini, and Peter Scholl. A unified approach to MPC with preprocessing using OT. In ASIACRYPT, 2015. Google Scholar
  30. Adam Gągol, Jędrzej Kula, Damian Straszak, and Michał Świętek. Threshold ECDSA for decentralized asset custody. Cryptology ePrint Archive, 2020. Google Scholar
  31. Rosario Gennaro and Steven Goldfeder. Fast multiparty threshold ECDSA with fast trustless setup. In CCS, 2018. Google Scholar
  32. Rosario Gennaro and Steven Goldfeder. One round threshold ECDSA with identifiable abort. IACR Cryptol. ePrint Arch., 2020. Google Scholar
  33. Rosario Gennaro, Steven Goldfeder, and Arvind Narayanan. Threshold-optimal DSA/ECDSA signatures and an application to bitcoin wallet security. In ACNS, 2016. Google Scholar
  34. Craig Gentry. A fully homomorphic encryption scheme. PhD thesis, Stanford University, 2009. URL:
  35. Craig Gentry, Chris Peikert, and Vinod Vaikuntanathan. Trapdoors for hard lattices and new cryptographic constructions. In STOC, 2008. Google Scholar
  36. Craig Gentry, Amit Sahai, and Brent Waters. Homomorphic encryption from learning with errors: Conceptually-simpler, asymptotically-faster, attribute-based. In CRYPTO, 2013. Google Scholar
  37. Shafi Goldwasser, Yael Tauman Kalai, Chris Peikert, and Vinod Vaikuntanathan. Robustness of the learning with errors assumption. In ICS, 2010. Google Scholar
  38. Gottfried Herold, Elena Kirshanova, and Alexander May. On the asymptotic complexity of solving LWE. Des. Codes Cryptogr., 2018. Google Scholar
  39. James Howe, Thomas Prest, Thomas Ricosset, and Mélissa Rossi. Isochronous gaussian sampling: From inception to implementation. In PQCrypto, 2020. Google Scholar
  40. Andreas Hülsing, Tanja Lange, and Kit Smeets. Rounded gaussians - fast and secure constant-time sampling for lattice-based crypto. In PKC, 2018. Google Scholar
  41. Kamil Kluczniak and Leonard Schild. Fdfb: Full domain functional bootstrapping towards practical fully homomorphic encryption. arXiv preprint, 2021. URL:
  42. Adeline Langlois, Damien Stehlé, and Ron Steinfeld. GGHLite: More efficient multilinear maps from ideal lattices. In EUROCRYPT, 2014. Google Scholar
  43. Yehuda Lindell. Fast secure two-party ECDSA signing. In CRYPTO, 2017. Google Scholar
  44. Yehuda Lindell and Ariel Nof. Fast secure multiparty ECDSA with practical distributed key generation and applications to cryptocurrency custody. In CCS, 2018. Google Scholar
  45. San Ling, Duong Hieu Phan, Damien Stehlé, and Ron Steinfeld. Hardness of k-LWE and applications in traitor tracing. In CRYPTO, 2014. Google Scholar
  46. Vadim Lyubashevsky. Fiat-Shamir with aborts: Applications to lattice and factoring-based signatures. In ASIACRYPT, 2009. Google Scholar
  47. Vadim Lyubashevsky. Lattice signatures without trapdoors. In EUROCRYPT, 2012. Google Scholar
  48. Vadim Lyubashevsky and Daniele Micciancio. Generalized compact knapsacks are collision resistant. In ICALP, 2006. Google Scholar
  49. Vadim Lyubashevsky, Chris Peikert, and Oded Regev. On ideal lattices and learning with errors over rings. In EUROCRYPT, 2010. Google Scholar
  50. Chris Peikert and Alon Rosen. Efficient collision-resistant hashing from worst-case assumptions on cyclic lattices. In TCC, 2006. Google Scholar
  51. Thomas Pornin and Thomas Prest. More efficient algorithms for the NTRU key generation using the field norm. In PKC, 2019. Google Scholar
  52. Thomas Prest. Sharper bounds in lattice-based cryptography using the Rényi divergence. In ASIACRYPT, 2017. Google Scholar
  53. Mélissa Rossi. Extended Security of Lattice-Based Cryptography. PhD thesis, Université PSL, 2020. URL:
  54. Damien Stehlé, Ron Steinfeld, Keisuke Tanaka, and Keita Xagawa. Efficient public key encryption based on ideal lattices. In ASIACRYPT, 2009. Google Scholar
  55. Katsuyuki Takashima and Atsushi Takayasu. Tighter security for efficient lattice cryptography via the Rényi divergence of optimized orders. In ProvSec, 2015. Google Scholar
  56. Raymond K. Zhao, Ron Steinfeld, and Amin Sakzad. COSAC: compact and scalable arbitrary-centered discrete Gaussian sampling over integers. In PQCrypto, 2020. Google Scholar
  57. Ruiyu Zhu, Changchang Ding, and Yan Huang. Practical MPC+ FHE with applications in secure multi-partyneural network evaluation. IACR Cryptol. ePrint Arch., 2020. Google Scholar