Threshold Lattice-Based Signature Scheme for Authentication by Wearable Devices

Abstract

This paper presents a new threshold signature scheme based on Damgaard’s work. The proposed scheme allows for changing the message signature threshold, thereby improving the flexibility of the original Damgaard scheme. This scheme can be applied as a user authentication system using wearable devices. Based on the hardness of lattice problems, this scheme is resistant to attacks on a quantum computer, which is an advantage over the currently used multi-factor authentication schemes. The scheme’s security relies on the computational complexity of the Module-LWE and Module-SIS problems, as well as the Shamir secret sharing scheme’s security.

1. Introduction

Distributed systems are becoming very popular these days. To ensure the security of such systems, threshold cryptographic schemes are used, for instance, threshold encryption or threshold signature. A threshold signature $(t,n)$ is a cryptographic digital signature scheme in which any t or more of n possible participants can sign a message, but a smaller number of participants are not capable of it. Each participant keeps a part of the private signature key with which they partially sign the message.

Threshold schemes have found their application for multi-factor authentication using wearable devices [1]. Nowadays, wearable devices have become very popular and are used by hundreds of millions people daily. Therefore, it is essential to make these devices secure. Since they have low memory, processing capabilities and power, it is feasible to use lightweight cryptography to protect communications [2].

Lightweight cryptography is a subfield of cryptography where algorithms are designed for resource-constrained devices. According to the NIST report [3], lightweight cryptoprimitives include hash functions, block ciphers, stream ciphers, and message authentication codes (MAC). However, this list cannot be considered exhaustive.

There are some works about cryptographic primitives for secure communication between wearables. In [4], authors analyze the feasibility of using cryptographic primitives for wearable devices such as bilinear pairings. The impact of using lightweight block and stream cipher algorithms on power consumption is reviewed in [5]. Several papers are devoted to the safety of wearable medical devices [6,7,8]. Most works use elliptic curves cryptography (ECC) to ensure secure communication.

At the same time, it is reasonable to consider using other cryptoprimitives for wearable devices to solve various tasks. For example, consider a multi-factor authentication system. As illustrated in Figure 1, user authentication is performed through wearable devices, such as a smartwatch or a smartphone. Here, there are n different wearable devices, such as smart glasses or smartwatches. The main idea is to authenticate in the system using t different wearable devices which provide information from the sensors. The user decides which device to use in for authentication. Threshold signature authentication is used to enable user authentication in the absence of one of the devices and also will not allow an attacker who has taken possession of one of the devices to authenticate.

Due to the advent of quantum computers and the invention of the quantum Shor’s algorithm [9], the development of new post-quantum cryptographic schemes that will replace the existing ones has become an urgent task. Therefore, creating a post-quantum analog for the threshold signature scheme is also necessary.

Nowadays, there are five main mathematical constructions on which modern post-quantum cryptographic algorithms are based: error-correcting codes, isogenies, hash functions, multivariate equations, and lattices.

Code-based cryptography dates back to 1978 when the American scientist Robert McEliece presented a cryptosystem based on the syndrome decoding problem [10]. The first attempts to build a digital signature on the error-correcting codes belong to Alabbadi [11] and Wang [12]. However, it has been proven that such schemes are not secure [13]. The first secure algorithm in this area was the Courtois–Finiasz–Sendrier algorithm, published in 2001 [14]. However, in this scheme, there is the possibility of not signing the message the first time. Building a secure and efficient scheme based on error-correcting codes is still an area for improvement due to the inability to balance the sizes of keys, signatures, and the time spent on the signature.

Isogeny-based cryptography is a relatively new area—the first algorithm was presented in 2002 by Rostovtsev and Makhovenko [15]. Nowadays, there exist several signature algorithms, the main algorithms are CSI-FiSh [16] and SQISignHD [17]. Threshold variants of CSI-FiSh signature [18,19] were also presented. The main disadvantage of such algorithms is a long signature and key generation running time. However, the key sizes of such algorithms are the smallest compared with other post-quantum classes.

Hash-based cryptography is a special class of post-quantum cryptography where the construction of signature schemes on hash functions does not depend on complex mathematical and algorithmic problems in algebra or number theory. In 1979, Leslie Lamport published the concept of one-time signatures [20]. In the same year, Ralph Merkle described the MSS [21], the security of which is based on the security of the hash function used. Nowadays, the main algorithm is SPHINCS+ [22], although key sizes are very large. It is possible to use hash functions in many different applications. However, creating a threshold signature based on hash functions is impossible, and it requires an additional mathematical problem.

Multivariate cryptography dates back to 1988 when Matsumoto and Imai presented a cryptosystem that could be practically implemented [23]. However, this scheme was broken in 1995 by Patarin [24]. Nowadays, the most promising signature algorithm is Rainbow [25]. Several threshold signature schemes are based on multivariate equations [26,27]. The main issue of these schemes is large key sizes.

Lattice theory is also one of the promising areas of post-quantum cryptography. The first ideas were presented in 1997 by Ajtai, Dwork [28] and Goldreich, Goldwasser, and Halevi [29]. Nowadays, the most promising lattice-based signature algorithms are Falcon [30] and Crystals-Dilithium [31], which were presented in the NIST post-quantum algorithms competition.

As the review above showed, building an efficient signature based on error-correcting codes is hard. Signing on isogenies requires much time and may not apply to constrained devices. Hash-based cryptography cannot be applied for threshold signatures itself and requires additional use of a mathematical problem. Multivariate cryptography, compared with lattices, has larger key sizes. In this paper, we propose using lattice-based cryptography to build an effective threshold signature scheme.

Currently, several works are already offering lattice-based threshold signature schemes. One of the first threshold signatures on lattices can be considered in [32]. The authors present this work as an improvement of their previous threshold signature scheme based on error-correcting codes. The security of the previous scheme was based on the syndorme decoding problem, in the new work, the authors transformed the problem into an ISIS (inhomogeneous short independent solution) problem on a lattice. The CLRS scheme, conventionally named after its authors’ initials, is an interactive threshold signature scheme. In this case, the signature creation algorithm is presented as an interactive proof protocol, where the “Prover” is the signer. The main disadvantage of this scheme is the large size of signatures. In [33], Bettaib and Sherk improve this algorithm by reducing the signature size.

The threshold signature scheme described in [34], called Feng’s scheme, had an additional property, namely the ability to change the threshold required for signing a message. This scheme is based on NTRUSign [35], and its main disadvantage is the sequential signature of the message, which does not allow parallelizing the signing process. In [36], the authors propose a centralized threshold signature scheme. In [37], a threshold scheme is proposed, where the original message is divided into several blocks signed randomly. One of the most recently developed lattice-based threshold signature schemes presented in [38] deserves special attention. This scheme is based on the previously proposed lattice-based secret sharing scheme described in [39] by the same group of authors. The scheme’s security is based on the Micciancio and Peikert function presented in [40], namely, on the SIS problem. The main drawbacks of this scheme are that the scheme is centralized and the secret sharing scheme is not verifiable, which means that an attacker can easily disrupt the process of signing a message by substituting the wrong part of the secret.

In [41], an anonymous and verifiable threshold signature scheme is presented, in which the private key is shared using a lattice-based threshold multi-stage secret sharing scheme. In [42], a universal approach was presented for generating a threshold signature based on the existing signature schemes using fully homomorphic encryption schemes, but this scheme is quite labor-intensive. One of the well-known paradigms for constructing signatures on lattices is the Fiat–Shamir with abortions paradigm, mentioned for the first time in the work of Lyubashevsky [43,44]. This paradigm is based on Schnorr’s signature [45] and is used in a standardized signature algorithm [31].

In 2022, Damgaard [46] published a new $(n,n)$ threshold signature scheme. This scheme is a two-round protocol based on the Fiat-Shamir with aborts paradigm. The protocol is a distributed version of the Dilithium-G signature scheme, used with the Baum commitment scheme [47]. This commitment scheme is additively homomorphic and allows for generating a commitment key with a trapdoor. Due to such properties of the commitment scheme and its security and resistance to quantum attacks, this distributed scheme was built and proved to be secure. This scheme is based on the Module-LWE and Module-SIS tasks, and its theoretical security of UF-CMA (unforgeability against chosen-message attacks) is proven in the original work. The main disadvantage of the Damgaard scheme is the inability to change the message signature threshold. That is, only all users of the system can sign a message.

The scheme proposed in this paper extends the Damgaard scheme and adds a threshold change property. To implement this property, the Shamir secret sharing scheme [48] is used. However, it is also possible to use the secret sharing scheme on the Newton polynomial [49].

The rest of this paper is organized as follows. Section 2 gives some definitions in lattice theory. Section 3 shows the threshold signature scheme and the corresponding commitment scheme algorithms. Section 4 provides the security analysis of the scheme. Section 5 discusses the benefits and drawbacks of the proposed scheme. Section 6 concludes the paper.

2. Preliminaries

Definition 1 

(Lattice [50]). The set of all integer combinations of n linearly independent vectors ${\mathit{b}}_1,\cdots ,{\mathit{b}}_n\in {\mathbb{R}}^m$, where $n\le m$, is called a lattice. The vectors are called the basis of the lattice. Formally, it can be written as follows:

$$L({\mathit{b}}_1,\cdots ,{\mathit{b}}_n)=\{\sum _{i=1}^n{\mathit{b}}_i·x_i:x_i\in \mathbb{Z}\}.$$

(1)

The basis vectors can be represented as a matrix $\mathit{B}=[{\mathit{b}}_1,\cdots ,{\mathit{b}}_n]$, where vectors are represented as vector-columns, and then the definition of the lattice looks like this:

$$L\left(\mathit{B}\right)=\{\mathit{B}·\mathit{x}:\mathit{x}\in {\mathbb{Z}}^n\}.$$

(2)

One of the important lattice invariants is the minimum distance. The minimum distance of a lattice L is the length of the shortest nonzero vector, denoted as ${\lambda }_1$:

$${\lambda }_1=\underset{\mathbf{v}\in L\backslash \mathbf{0}}{min}\parallel \mathbf{v}\parallel .$$

(3)

Cryptographic schemes do not use classical integer lattices but use either q-ary lattices or special algebraic lattices.

Definition 2 

(q-ary lattice [50]). Given a matrix $\mathit{A}\in {\mathbb{Z}}_q^{m\times n}$, for the given numbers $q,m,n$, two q-ary lattices can be defined:

$$L_q\left(\mathit{A}\right)=\{\mathit{y}\in {\mathbb{Z}}^m:\mathit{y}=\mathit{A}·\mathit{x},\mathit{x}\in {\mathbb{Z}}^n\},$$

(4)

$$L_q^{\perp }\left(\mathit{A}\right)=\{\mathit{y}\in {\mathbb{Z}}^m:{\mathit{A}}^T·\mathit{y}\equiv \mathit{0}modq\}.$$

(5)

The first lattice is given by a linear combination of the rows of the matrix $\mathbf{A}$, and the second lattice is orthogonal modulo q to it. However, in order for the q-ary lattice to cover the entire Euclidean space, a special construction A [51] is used to construct the lattice.

Definition 3 

(Construction A [51]). Given a matrix $\mathit{A}\in {\mathbb{Z}}_q^{m\times n}$, for the given numbers $q,m,n$ we define a lattice $L_q\left(\mathit{A}\right)=\mathit{A}·{\mathbb{Z}}_q^n+q·{\mathbb{Z}}^m$. Alternatively, we can define it as

$$L_q\left(\mathit{A}\right)=\{\mathit{y}\in {\mathbb{Z}}^m:\mathit{y}=\left[\mathit{A}\right|q{\mathit{I}}_m]·\mathit{x},\mathit{x}\in {\mathbb{Z}}^{n+m}\}.$$

(6)

Let $R=\mathbb{Z}\left[X\right]/(X^N+1)$ be a ring of polynomials modulo a polynomial of degree N, where N is a power of two, then $R_q={\mathbb{Z}}_q\left[X\right]/(X^N+1)$ is a ring of polynomials with coefficients of $\{0,\cdots ,q-1\}$. Module lattices are defined in a similar way as q-ary lattices. We define the necessary sets of polynomials:

• A set of keys S with the parameter $\eta$, consisting of polynomials with small coefficients: $S_{\eta }={\{x\in R:\parallel x\parallel }_{\infty }\le \eta \}$, where ${\parallel x\parallel }_{\infty }={max}_{0\le i\le N-1}|x_i|$;
• A set C with parameter k consisting of binary and sparse polynomials: $C=\{c\in R_2:\parallel c{\parallel }_1=k\}$, where ${\parallel c\parallel }_1={\sum }_{0\le i\le N-1}|c_i|$.

There are classical computational problems in lattice theory. The main problems are SVP (shortest vector problem) and CVP (closest vector problem). However, these problems are hard in the worst case [52,53,54] and can not be used in cryptography. Therefore, average-case hard problems were formulated, such as LWE (learning with errors) and SIS (short integer solution). In [55], the reduction from the LWE problem to the Gap-SVP problem was proved. The developed scheme is based on two average-case hard computational problems, namely, module learning with errors (M-LWE) and module short integer solution (M-SIS) [56,57,58].

These problems are based on special module lattices. A module is a special algebraic structure constructed over a ring that generalizes rings and vector spaces, and a module lattice, in turn, generalizes both arbitrary and ideal lattices (lattices constructed on the ideal in the polynomial ring). Let the matrix $\mathbf{B}\in R_q^{n\times n}$ of rank n be the basis of the module M, then the module M over the ring $R_q$ is given by the following formula [57]:

$$M=\{\mathbf{B}·\mathbf{x}:\mathbf{x}\in R_q^n\}.$$

(7)

In turn, modular lattices are defined as embeddings of the module vectors by coefficients in the ${\mathbb{Z}}^{n·N}$, or canonical embeddings in ${\mathbb{C}}^{n·N}$. The LWE problem for modules is defined as follows.

Definition 4 

(M-LWE${}_{n,m,q,n}$ [57]). Given a matrix $\mathit{A}\in R_q^{m\times n}$ and a vector $\mathit{t}\in R_q^m$, it is required to find a vector $\mathit{s}\in S_{\eta }^n$ such that $\mathit{t}=\mathit{A}·\mathit{s}+\mathit{e}$, where the vector $\mathbf{e}$ is obtained from a discrete Gaussian distribution $D_s^m$ with mathematical expectation 0 and standard deviation s.

The discrete Gaussian distribution with mathematical expectation $\mathbf{v}\in R^m$ and with standard deviation s is defined as follows:

$$D_{\mathbf{v},s}^m\left(\mathbf{z}\right)=\frac{{\rho }_{\mathbf{v},s}\left(\mathbf{z}\right)}{{\rho }_{\mathbf{v},s}\left(R^m\right)},$$

(8)

where ${\rho }_{\mathbf{v},s}\left(\mathbf{z}\right)=e^{(\frac{{-\pi \parallel \mathbf{x}-\mathbf{v}\parallel }^2}{s^2})}$ is a Gaussian function and ${\rho }_{\mathbf{v},s}\left(R^m\right)={\sum }_{\mathbf{x}\in R^m}{\rho }_{\mathbf{v},s}\left(\mathbf{x}\right)$. Let us define $D_s^m$ as a discrete Gaussian distribution with mathematical expectations equal to 0.

If the rank of the basis of the module is equal to 1, then such a basis sets an ideal over the ring, and the M-LWE problem is now considered within the framework of ideal lattices; in the literature, such a problem is called Ring-LWE [59]. Another problem built on integer lattices, SIS, can also be defined on module lattices.

Definition 5 

(M-SIS${}_{n,m,q,B}$ [57]). Let a random matrix $\mathit{A}\in R_q^{m\times n}$ be given, it is required to find a nonzero vector $\mathit{z}\in R_q^m$ such that $\parallel \mathit{z}\parallel \le B$ and A · z ≡ 0 mod q, where $\parallel \mathit{z}\parallel =\sqrt{{\sum }_{0\le i\le m-1}{z}_i^2}$.

According to the M-SIS problem definition, for signature validity in the proposed scheme, we define the upper bound B of $\parallel \mathbf{z}\parallel$, which is a signature vector. From [44] this bound is defined for parameter $\gamma >1$ as follows:

$$B=\gamma \sigma \sqrt{mN},$$

(9)

where $\sigma =\frac{s}{\sqrt{2\pi }}$ is a standard deviation of Gaussian function. Parameter $\gamma$ is chosen such that the probability ${\gamma }^{mN}{e}^{mN(1-{\gamma }^2)/2}$ is negligible.

The $(t,n)$ threshold scheme that we use in our scheme was proposed by Shamir in 1979 [48]. In his work, he gives it the following definition:

Definition 6 

($(t,n)$ threshold scheme [48]). Let D be secret data, our goal is to divide D into n pieces $D_1,\cdots ,D_n$ in such a way that:

1. 

Knowledge of any t or more $D_i$ pieces makes D easily computable;

2. 

Knowledge of any $t-1$ or fewer $D_i$ pieces leaves D completely undetermined (in the sense that all its possible values are equally likely).

Such a scheme is called the $(t,n)$ threshold scheme.

Shamir’s work presents a mechanism for dividing a secret into n parts and assembling it from t or more parts. The Lagrange interpolation formula is used for this. This scheme is centralized; that is, the dealer who owns the secret divides it between the participants, who are gathering together (or sending their parts to the dealer) to collect the secret. The scheme consists of the following algorithms:

• Secret sharing.
  Let p is a prime number such that $p>D$, the dealer builds a ring of polynomials ${\mathbb{Z}}_p\left[x\right]$ on it and generates a polynomial $f\left(x\right)$ of degree $t-1$ as follows:

  $$f\left(x\right)=a_{t-1}{x}^{t-1}+a_{t-2}{x}^{t-2}+\cdots +a_{1}x+D,$$

  (10)

  where $a_i\in {\mathbb{Z}}_p$.
  Let each user have their unique identifier $ui{d}_i$, such that there are no two $ui{d}_i$ and $ui{d}_j$ such that $ui{d}_i\equiv ui{d}_{j}modp$; the dealer sends each participant his share of the secret as the value of the previously generated polynomial $f\left(x\right)$ at the point of his $ui{d}_i$, calculated as follows:

  $$y_i=f\left(ui{d}_i\right)modp.$$

  (11)
  Thus, each participant eventually gets a pair $(ui{d}_i,y_i)$, which is his part of the secret.
• Recovering a secret.
  In order to recover the secret, a group of t participants gathers together and calculates a polynomial using the Lagrange interpolation formula. Each user computes the Lagrange coefficient, using $ui{d}_i$ of each user, which is known by the following formula:

  $$l_i={(-1)}^{t-1}\prod _{j\ne i,1\le j\le t}\frac{ui{d}_j}{ui{d}_i-ui{d}_j}.$$

  (12)
  Next, the polynomial $f\left(x\right)$ is restored using the following formula:

  $$f\left(x\right)=\sum _{1\le i\le t}{y}_i·l_i.$$

  (13)
  The resulting polynomial $f\left(x\right)$ as a free term will contain a secret value D, i.e., the group of participants successfully obtains the secret data.

3. Threshold Lattice-Based Signature Scheme

As mentioned earlier, the proposed scheme is based on the work of Damgaard [46]. The paper also uses a lattice-based commitment scheme with a trapdoor, presented in [47].

Commitment schemes are used when there is a need to fix some values at the current stage without disclosing them. The received commitment value is disclosed. When the moment comes, and the values are revealed, anyone can ensure they are not being deceived, and indeed the correct values have been used to create a commitment in the past.

In threshold signature, the commitment scheme is used for the scheme’s security. After all, if users sent messages to each other without commitments, then an attacker who compromised one of the users would be able to choose parameters based on the received messages and send messages to other users in such a way that it is possible to find out the other users’ private keys or forge the signature. However, when using the commitment scheme, users first send each other commitments and then the values that they have calculated. In this case, the attacker cannot select such parameters that allow him to break the system if the commitment scheme is secure and unbreakable. For this purpose, this work also uses a lattice-based commitment scheme because breaking the commitment scheme will completely violate the system’s security. However, this commitment scheme can also generate a trapdoor corresponding to the commitment key, which allows one to calculate the randomness of a commitment and the corresponding message. This property of the commitment scheme will be used to prove the security of the signature scheme.

The trapdoor commitment scheme consists of the following algorithms:

• Parameter setting. Receives the security parameter $\lambda$, which defines the security level of the scheme, as input and returns the parameters $(q,N,k,l,w,\eta )$ [47].
• Key generation. Generates the commitment key $ck$, consisting of matrix $\widehat{\mathbf{A}}\in R_q^{2\times (l+2w)}$, which is defined as follows:

  $$\widehat{\mathbf{A}}=\left[\begin{array}{ccccc}{a}_{11}& a_{12}& a_{13}& \cdots & a_{1(l+2w)}\\ 0& 1& a_{23}& \cdots & a_{2(l+2w)}\end{array}\right],$$

  (14)

  where $a_{ij}\in R_q$ and $a_{11}$ is invertible in $R_q$.
• Commitment generation. Receives a value $x\in R_q$ as input, randomly calculates $\mathbf{r}\leftarrow D_s^{l+2w}$, where $\parallel \mathbf{r}\parallel \le B$, and returns the commitment $\mathbf{f}\in R_q^2$:

  $$\mathbf{f}=\widehat{\mathbf{A}}·\mathbf{r}+\left[\begin{array}{c}0\\ x\end{array}\right].$$

  (15)
  It is known from [47] that the commitment scheme has the binding property; that is, it is hard for a published commitment $\mathbf{f}$, obtained by the vector $\mathbf{r}$ and the value x, to find the vector ${\mathbf{r}}^{\prime }$ and the value $x^{\prime }$ for which ${\mathbf{f}}^{\prime }=\mathbf{f}$ since it reduces to solving the Ring-SIS problem, which is a hard problem. It is also proved in [47] that the commitment scheme has the hiding property since the distribution $\widehat{\mathbf{A}}·D_s^{l+2w}$ is close to uniform.
• Commitment opening. Receives a commitment, a value $x\in R_q$, and a random vector $\mathbf{r}$ as input and checks that $\parallel \mathbf{r}\parallel \le B$ and the Equation (15) is being fulfilled.
• Key generation with a trapdoor. Generates the matrix $\overline{\mathbf{A}}$ according to (14) and randomly chooses a trapdoor, $td$, which is equal to a matrix $\mathbf{R}\leftarrow D_s^{l\times 2w}$. Then, the commitment key $tck$ is formed as follows $tck=\widehat{\mathbf{A}}=[\overline{\mathbf{A}}|\mathbf{G}-\overline{\mathbf{A}}\left|\mathbf{R}\right]$, where $\mathbf{G}\in R^{2\times 2w}$ is a gadget matrix, which is defined as follows:

  $$\mathbf{G}=\left[\begin{array}{cccccccc}1& 2& \cdots & 2^{w-1}& 0& 0& \cdots & 0\\ 0& 0& \cdots & 0& 1& 2& \cdots & 2^{w-1}\end{array}\right].$$

  (16)
• Commitment generation with a trapdoor. Randomly chooses a vector $\mathbf{f}\in R_q^2$ and outputs as a commitment.
• Equivocation algorithm. Uses the trapdoor $td$ and the Micciancio–Peikert algorithm [40] in order to generate a vector $\mathbf{r}$ from a discrete Gaussian distribution on the coset of the lattice ${\Lambda }_{\mathbf{u}}^{\perp }\left(\widehat{\mathbf{A}}\right)$, which is defined as follows:

  $${\Lambda }_{\mathbf{u}}^{\perp }\left(\widehat{\mathbf{A}}\right)=\{\mathbf{z}\in R^{l+2w}:\widehat{\mathbf{A}}·\mathbf{z}\equiv \mathbf{u}modq\},$$

  (17)

  where $\mathbf{u}=\mathbf{f}-\left[\begin{array}{c}0\\ x\end{array}\right]$.

Next, we describe the threshold signature scheme itself. It includes the following algorithms:

• Parameters setting. Having received the security parameter $\lambda$ as input, the public parameters of the system are generated, namely, the rings of polynomials, the public matrix rank l and dimension k, the sets S and C, the parameters of distributions, the boundary B for the length of the signature vector, as well as random oracles $H_0:{\{0,1\}}^{*}\to C$, $H_1:{\{0,1\}}^{*}\to {\{0,1\}}^{l_1}$, $H_2:{\{0,1\}}^{*}\to {\{0,1\}}^{l_2}$ and $H_3:{\{0,1\}}^{*}\to S_{ck}$ [46].
• Key generation. After initializing public parameters, keys are generated, consisting of two phases: matrix generation and key pair creation. All subsequent steps of the algorithm are performed by each $P_i$ user of the system, where $i\in \{1,\cdots ,n\}$ and n is the total number of users.

  (a)

  Matrix generation

  i.

  A random matrix ${\mathbf{A}}_i\leftarrow R_q^{k\times l}$ is calculated and a commitment $g_i=H_1({\mathbf{A}}_i,i)$ is generated and sent to other users.

  ii.

  After receiving all $g_j$ for each $j\ne i$, ${\mathbf{A}}_i$ matrix is sent out for each one.

  iii.

  After obtaining all ${\mathbf{A}}_j$ matrices for each $j\ne i$, the equalities $g_j=H_1({\mathbf{A}}_j,j)$ are checked. If at least one equality is not met, then an ABORT is sent, otherwise a public matrix $\overline{\mathbf{A}}=\left[\mathbf{A}\right|\mathbf{I}]\in R_q^{k\times (k+l)}$ is set, where $\mathbf{A}={\displaystyle \sum _{1\le j\le n}}{\mathbf{A}}_j$.

  (b)

  Generation of a key pair

  i.

  A secret vector ${\mathbf{s}}_i\leftarrow S_{\eta }^{l+k}$ is randomly selected, and a part of the public key is calculated: ${\mathbf{t}}_i=\overline{\mathbf{A}}·{\mathbf{s}}_i$. A commitment $g_i^{\prime }=H_2({\mathbf{t}}_i,i)$ is generated and sent to other users.

  ii.

  After receiving all $g_j$ for each $j\ne i$, the vector ${\mathbf{t}}_i$ is sent to other users.

  iii.

  After obtaining all vectors ${\mathbf{t}}_j$ for each $j\ne i$, the equalities $g_j^{\prime }=H_2({\mathbf{t}}_j,j)$ are checked. If at least one equality is not met, then an ABORT is sent, otherwise a public key $\mathbf{t}={\displaystyle \sum _{1\le j\le n}}{\mathbf{t}}_j$ is set.

  If the protocol does not return ABORT, then each user, $P_i$, gets $(s{k}_i,pk)=({\mathbf{s}}_i,(\mathbf{A},\mathbf{t}))$.

• Secret sharing. To separate the secret, the Shamir secret sharing scheme is used [48]. The $P_i$ user has a unique own $ui{d}_i$ and knows the $ui{d}_j$ of other users. Then it performs the following actions:

  (a)

  Generates $k+l$ polynomials $f_z^i$ ($z\in \{1,\cdots ,k+l\}$; i is an index of $P_i$) of degree $(t-1)$, where free terms are specified as entries of secret vector ${\mathbf{s}}_i$.

  (b)

  For each user $P_j$, including himself, the user $P_i$ generates a vector consisting of polynomials generated in advance with $ui{d}_j$ values substituted in them, which is a vector ${\mathbf{f}}_j^i=(f_1^i\left(ui{d}_j\right),f_2^i\left(ui{d}_j\right),\cdots ,f_{k+l}^i\left(ui{d}_j\right))$, and sends this vector only to user $P_j$.

  (c)

  After receiving all the vectors ${\mathbf{f}}_i^j$ for each $j\ne i$, user $P_i$ calculates his secret key share ${\mathbf{x}}_i={\displaystyle \sum _{1\le j\le n}}{\mathbf{f}}_i^j$, with which he will then carry out the signature procedure.

  As it can be seen, users, in this case, perform distributed secret sharing; that is, they get the share of a common secret without calculating the secret polynomial directly. This approach differs from the classical one when the dealer forms a secret polynomial and distributes shares of the secret to users.
• Signature generation. For signing message $\mu$t users are selected. Let the users $\{P_i,i\in \{1,\cdots ,t\}\}$ be selected. Each $P_i$ receives a unique session ID ($sid$) and a message $\mu$ that needs to be signed. The user checks that the $sid$ has not been used before and calculates locally the key for the commitment scheme $ck=H_3(\mu ,pk)$. A new random oracle function is also used for the signature procedure $H_4:\{0,1\}\to {\{0,1\}}^{l_4}$. Next, the user performs the following actions.

  (a)

  Randomly selects a vector ${\mathbf{y}}_i\leftarrow D_s^{l+k}$ and calculates ${\mathbf{w}}_i=\overline{\mathbf{A}}·{\mathbf{y}}_i$.

  (b)

  Calculates the commitment $co{m}_i=Commi{t}_{ck}({\mathbf{w}}_i,r_i)$, where $r_i\leftarrow D\left(S_{\eta }\right)$, and sends it to all other users.

  (c)

  After receiving all $co{m}_j$ calculates $com={\displaystyle \sum _{1\le j\le t}}co{m}_j$.

  (d)

  Next, the user calculates the Lagrange coefficient

  $$l_i={(-1)}^{t-1}\prod _{j\ne i,1\le j\le t}ui{d}_j{(ui{d}_i-ui{d}_j)}^{-1}$$

  and the value ${\overline{\mathbf{y}}}_i={\mathbf{y}}_i{l}_i^{-1}$ by modulo q.

  (e)

  Then receives the challenge $c=H_0(com,\mu ,pk)$ and calculates the partial signature ${\mathbf{z}}_i=c{\mathbf{x}}_i+{\overline{\mathbf{y}}}_i$. For the next step user also computes vector ${\mathbf{z}}_i^{\prime }=c{\mathbf{s}}_i+{\mathbf{y}}_i$.

  (f)

  For the received value ${\mathbf{z}}^{\prime }$, the user checks that $\parallel {\mathbf{z}}^{\prime }\parallel <B$; if the condition is not met, then the user sends out RESTART. If the condition is met, then the user with the probability

  $$min(1,D_s^{l+k}\left({\mathbf{z}}_i^{\prime }\right)/(M·D_{c{\mathbf{s}}_i,s}^{l+k}\left({\mathbf{z}}_i^{\prime }\right))$$

  (18)

  generates $g_i^{″}=H_4({\mathbf{z}}_i,r_i)$ and sends out it, or otherwise sends RESTART and returns to step (a). This rejection sampling technique is used to counter statistical attacks that can restore the secret $c{\mathbf{s}}_i$ vector by obtaining multiple ${\mathbf{z}}_i$.

  (g)

  After obtaining all $g_j^{″}$ for each $j\ne i$, the partial signature $({\mathbf{z}}_i,r_i)$ is sent to other users.

  (h)

  After receiving all the partial signatures $({\mathbf{z}}_j,r_j)$, checks that $g_j^{″}=H_4({\mathbf{z}}_j,r_j)$, and if all conditions are met, calculates the values $\mathbf{z}={\displaystyle \sum _{1\le j\le t}}{\mathbf{z}}_j·l_j$ and $r={\displaystyle \sum _{1\le j\le t}}{r}_j$. Then, calculates $\mathbf{w}=\overline{\mathbf{A}}\mathbf{z}-c\mathbf{t}$, checks that $\parallel \mathbf{z}\parallel \le t·B$ and $Ope{n}_{ck}(com,r,\mathbf{w})=1$. If errors occur, then send ABORT.

  If the protocol is not interrupted, the signature $\sigma =(com,\mathbf{z},r)$ will be received at the end of the protocol.
• Signature verification. Having received the message $\mu$, signature $\sigma$ and public key $pk$, the commitment key is generated $ck=H_3(\mu ,pk)$, and the challenge is calculated $c=H_0(com,\mu ,pk)$ and restored $\mathbf{w}=\overline{\mathbf{A}}\mathbf{z}-c\mathbf{t}$. The signature is accepted if $\parallel \mathbf{z}\parallel \le t·B$, and $Ope{n}_{ck}(com,r,\mathbf{w})=1$.

Let us show the correctness of the scheme. Let $\parallel \mathbf{z}\parallel \le t·B$, then

$$\overline{\mathbf{A}}·\mathbf{z}=\overline{\mathbf{A}}·\sum _{1\le j\le t}{\mathbf{z}}_j·l_j=\sum _{1\le j\le t}\overline{\mathbf{A}}·{\mathbf{x}}_j·c·l_j+\frac{\overline{\mathbf{A}}·{\mathbf{y}}_j·l_j}{l_j}.$$

(19)

According to the Shamir secret sharing scheme ${\sum }_{1\le j\le t}{\mathbf{x}}_j·l_j={\sum }_{1\le j\le n}{\mathbf{s}}_j=\mathbf{s}$, thus,

$${\displaystyle \sum _{1\le j\le t}}\overline{\mathbf{A}}·{\mathbf{x}}_j·c·l_j+\frac{\overline{\mathbf{A}}·{\mathbf{y}}_j·l_j}{l_j}=\overline{\mathbf{A}}·\mathbf{s}·c+\sum _{1\le j\le t}{\mathbf{w}}_j=\mathbf{t}·c+\mathbf{w}.$$

(20)

4. Security

To prove the security of the scheme, we introduce the concepts of the forking lemma proposed in [60].

Lemma 1 

(Forking lemma [60]). Let $(G,S,V)$ be a digital signature algorithm with a security parameter k. Let $\mathcal{A}$ be a probabilistic, polynomial–time Turing machine whose input data are public. We will denote as Q the number of requests that $\mathcal{A}$ can send to a random oracle. Suppose that during time T, machine $\mathcal{A}$ can generate a valid signature $(m,{\sigma }_1,h,{\sigma }_2)$ with probability $ϵ\ge 7Q/2^k$. Then there is another Turing machine that controls machine $\mathcal{A}$, generating two valid signatures $(m,{\sigma }_1,h,{\sigma }_2)$ and $(m,{\sigma }_1,h^{\prime },{\sigma }_2^{\prime })$ such that $h\ne h^{\prime }$, in time $T^{\prime }\le 84480TQ/ϵ$.

Now we formulate a theorem about the security of the system.

Theorem 1.

Let us assume that the trapdoor commitment scheme is secure, as well as additively homomorphic. Then, if there is an algorithm $\mathcal{A}$ such that it can forge the signature of the system with a non-negligible probability ϵ, then there is an algorithm $\mathcal{B}$ such that it can solve the M-SIS problem with a non-negligible probability ϵ.

Proof. 

The proof is based on a random oracle model and uses definitions of some oracles from Damgaard’s work [46]. Algorithm $\mathcal{B}$ simulates the work of an honest user of the system, and algorithm $\mathcal{A}$ is a signature forgery algorithm and is an adversary, and it controls $t-1$ users of the system. Adversary $\mathcal{A}$ can send to $\mathcal{B}$ requests for the use of random oracles $H_0,H_1,H_2,H_3,H_4$, as well as requests for the signature generation of the message.

First, we define the simulation of the random oracles $H_0,H_1,H_2,H_3,H_4$. For each of the oracle, we create tables $H{T}_0,H{T}_1,H{T}_2,H{T}_3,H{T}_4$, in which values are stored as a key-value pair, and for oracle $H_3$, we also create a $TDT$ table in which trapdoors for the created commitment keys are stored. The tables are supplemented when referring to the oracles. The simulation of the oracles $H_0,H_1,H_2$ can be generally described as generating random values for input data and setting them into the corresponding tables. The simulation of a random oracle $H_3$ consists in generating a commitment key, also with a certain probability $\omega$, and a trapdoor is generated for the obtained commitment key, which is placed in the $TDT$ table, and the commitment key is placed in the $H{T}_3$ table. A more detailed description of the simulation of random oracle algorithms is described in Damgaard’s work [46]. Here, we detail the simulation of the random oracle $H_4$.

$H_4\left(x\right)$:

• Split the incoming value x into $(\mathbf{z},r)$;
• If $H{T}_4[\mathbf{z},r]=\perp$ then set $H{T}_4[\mathbf{z},r]\leftarrow {\{0,1\}}^{l_4}$;
• Return $H{T}_4[\mathbf{z},r]$.

Now let us describe the simulation of the algorithms for generating the key and signing the message by $\mathcal{B}$. Let the input of algorithm $\mathcal{B}$ be a matrix ${\mathbf{A}}^{\prime }$, for which it is required to solve the M-SIS problem. For the key generation algorithm, $\mathcal{B}$ takes the matrix ${\mathbf{A}}^{\prime }$ and presents it in the following form: ${\mathbf{A}}^{\prime }=\left[\mathbf{A}\right|\mathbf{t}\left|\mathbf{I}\right]$, where $\mathbf{A}$ is used as the open matrix of the whole system, and $\mathbf{t}$ is used as the public key of the system.

Since all requests to access a random oracle are displayed in the corresponding tables, when generating a public matrix and a public key, algorithm $\mathcal{B}$ takes data from the tables $H{T}_i$ and restores the values of partial public keys and matrices of each user and forms its partial matrix and partial key according to the following formulas:

$${\mathbf{A}}_t=\mathbf{A}-\sum _{j=1,j\ne t}^n{\mathbf{A}}_j,$$

(21)

$${\mathbf{t}}_t=\mathbf{t}-\sum _{j=1,j\ne t}^n{\mathbf{t}}_j,$$

(22)

where ${\mathbf{A}}_t$ and ${\mathbf{t}}_t$ are the matrix and the public key of $\mathcal{B}$, respectively. Thereby, parameters for which $\mathcal{B}$ wants to solve the M-SIS problem are set as general parameters of the system. A more detailed description of these algorithms can be found in Damgaard’s work [46].

Now let us describe a signing simulation algorithm. Before $\mathcal{B}$ starts generating the signature, $\mathcal{B}$ locally calculates the commitment key without using the trapdoor $ck\leftarrow S_{ck}$. Next, $\mathcal{B}$ receives on input a unique session ID $sid$ and a message $\mu$, which has to be signed. The user checks that the $sid$ has not been used before and calculates locally the commitment key $tck\leftarrow H_3(\mu ,pk)$. If $TDT[\mu ,pk]=\perp$; that is, instead of generating a key with a trapdoor, the previously generated key $ck$ was obtained, then the signature generation process ends with an error. Otherwise, it receives a trapdoor for the newly generated key $td\leftarrow TDT[\mu ,pk]$. Next, $\mathcal{B}$ performs the following actions.

• The commitment $co{m}_t\leftarrow TCommi{t}_{tck}\left(td\right)$ is calculated and sent to other users.
• After receiving all $co{m}_j$ for each $j\in [t-1]$, the message signature is calculated as follows:

  (a)

  $com={\sum }_{j\in \left[t\right]}co{m}_j$ is set.

  (b)

  Challenge $c\leftarrow H_0(com,\mu ,pk)$ is calculated.

  (c)

  ${g_t}^{″}\leftarrow {\{0,1\}}^{l_4}$ is generated randomly and sent to other users.

  (d)

  After receiving all ${g_j}^{″}$ for each $j\in [t-1]$, the following actions are performed:

  i.

  The $H{T}_4$ table is searched for values $({\mathbf{z}}_1,r_1),({\mathbf{z}}_2,r_2),\cdots ,({\mathbf{z}}_{t-1},r_{t-1})$ according to the obtained $g_j^{″}$.

  ii.

  Then vector $\mathbf{z}\leftarrow D_s^{l+k}$ is generated and the Lagrange coefficients $l_i$ are calculated.

  iii.

  The vector ${\mathbf{z}}_t^{\prime }=\mathbf{z}-{\sum }_{j=1}^{t-1}{\mathbf{z}}_j·l_j$ is calculated, and then the vector of partial signature ${\mathbf{z}}_t={\mathbf{z}}_t^{\prime }·l_t^{-1}$ is obtained.

  iv.

  Next, the vector $\mathbf{w}=\widehat{\mathbf{A}}\mathbf{z}-c\mathbf{t}$ is calculated and with the trapdoor $td$, and the value of randomness $r\leftarrow Eq{v}_{tck}(td,com,\mathbf{w})$ is obtained.

  v.

  The value of $r_t=r-{\sum }_{j=1}^{t-1}{r}_j$ is obtained, using the property of homomorphism by addition of the commitment function.

  vi.

  If $H{T}_4[{\mathbf{z}}_t,r_t]=\perp$, then signature generation fails, otherwise $H{T}_4[{\mathbf{z}}_t,r_t]=g_t^{″}$ is set, and a partial signature $({\mathbf{z}}_t,r_t)$ is sent with probability $1/M$. Otherwise, RESTART is sent, and the algorithm returns to step 1.

• After receiving all partial signatures $({\mathbf{z}}_j,r_j)$ for each $j\in [t-1]$, the final signature of the message is formed:

  (a)

  It is checked that $g_j^{″}=H_4({\mathbf{z}}_j,r_j)$. If all the equalities are met, then the values $\mathbf{z}={\sum }_{j\in \left[t\right]}{\mathbf{z}}_j·l_j$ and $r={\sum }_{j\in \left[t\right]}{r}_j$ are calculated.

  (b)

  Next, the value $\mathbf{w}=\widehat{\mathbf{A}}\mathbf{z}-c\mathbf{t}$ is calculated and it is checked that $\parallel \mathbf{z}\parallel \le tB$ and $Ope{n}_{ck}(co{m}_j,r_j,\mathbf{w})=1$. If one of the checks fails, an ABORT is sent.

If the simulation algorithm is not interrupted, the output is the final signature $(com,\mathbf{z},r)$. Thus, the interface of interaction between the adversary $\mathcal{A}$ and algorithm $\mathcal{B}$ was configured, resulting in a valid signature for the message.

Suppose now adversary $\mathcal{A}$ has made a certain number of signature and hash requests to $\mathcal{B}$ and issued a signature forgery $(co{m}^{*},{\mathbf{z}}^{*},r^{*})$ for the message ${\mu }^{*}$; then, algorithm $\mathcal{B}$ performs the following steps:

• If ${\mu }^{*}\in Mset$, where $Mset$ is the set of messages for which the adversary $\mathcal{A}$ requested a signature from $\mathcal{B}$, then the algorithm $\mathcal{B}$ returns ⊥.
• Next, $\mathcal{B}$ calculates $c{k}^{*}\leftarrow H_3({\mu }^{*},pk)$ and $c^{*}\leftarrow H_0(co{m}^{*},{\mu }^{*},pk)$.
• If $Ope{n}_{ck}(co{m}^{*},r^{*},\widehat{\mathbf{A}}\mathbf{z}-c\mathbf{t})\ne 1$ or $\parallel {\mathbf{z}}^{*}\parallel >t·B$, then $\mathcal{B}$ returns ⊥.
• If $TDT[{\mu }^{*},pk]\ne \perp$, that is, there was a request to generate a commitment key and a trapdoor for the message ${\mu }^{*}$, then $\mathcal{B}$ also returns ⊥.
• If the signature successfully passes checks 1–4, then algorithm $\mathcal{B}$ returns
  $(co{m}^{*},{\mathbf{z}}^{*},r^{*},{\mu }^{*},c{k}^{*})$.

By the forking lemma, let $\mathcal{B}$ return two signature forgeries for the message ${\mu }^{*}$, namely $(co{m}^{*},{\mathbf{z}}^{*},r^{*},{\mu }^{*},c{k}^{*})$ and $(co{m}^{\prime },{\mathbf{z}}^{\prime },r^{\prime },{\mu }^{*},c{k}^{\prime })$. It can be immediately noted that $c{k}^{*}=c{k}^{\prime }$, since the other commitment keys are discarded by algorithm $\mathcal{B}$. The values of $co{m}^{*}$ and $co{m}^{\prime }$ are also equal, but the values of the challenges $c^{*}$ and $c^{\prime }$ are not equal. Since the signatures are valid, we obtain

$$Ope{n}_{ck}(co{m}^{*},r^{*},\widehat{\mathbf{A}}{\mathbf{z}}^{*}-c^{*}\mathbf{t})=Ope{n}_{ck}(co{m}^{*},r^{\prime },\widehat{\mathbf{A}}{\mathbf{z}}^{\prime }-c^{\prime }\mathbf{t})=1.$$

(23)

If $\widehat{\mathbf{A}}{\mathbf{z}}^{*}-c^{*}\mathbf{t}\ne \widehat{\mathbf{A}}{\mathbf{z}}^{\prime }-c^{\prime }\mathbf{t}$, then the binding property of the commitment scheme on the key $ck$ is violated, which cannot be from the problem condition (since the commitment scheme is safe). Therefore, $\widehat{\mathbf{A}}{\mathbf{z}}^{*}-c^{*}\mathbf{t}=\widehat{\mathbf{A}}{\mathbf{z}}^{\prime }-c^{\prime }\mathbf{t}$. Rewriting this equation, we obtain

$$\left[\mathbf{A}\left|\mathbf{I}\right|\mathbf{t}\right]\left[\begin{array}{c}{\mathbf{z}}^{*}-{\mathbf{z}}^{\prime }\\ c^{*}-c^{\prime }\end{array}\right]=0.$$

(24)

Since the matrix $\left[\mathbf{A}\right|\mathbf{t}\left|\mathbf{I}\right]$ was submitted to the input of algorithm $\mathcal{B}$, and the vector $\left[\begin{array}{c}{\mathbf{z}}^{*}-{\mathbf{z}}^{\prime }\\ c^{*}-c^{\prime }\end{array}\right]$ is small, we found a solution to the M-SIS problem. Thus, the theorem is proved. □

Based on the proof of this theorem, we can say that the developed threshold scheme is UF-CMA secure. In addition, it is necessary to consider the classical vectors of attacks on lattice-based signature schemes, for example, an attack on a lattice using basis reductions. To counteract these attacks, it is required to select parameters for the system for which resistance to such attacks has been proven, that is, for example, for which the BKZ algorithm for a polynomial approximating factor works in exponential time. It is recommended to take the NIST parameters proposed for the CRYSTALS-Dilithium scheme [31], since the scheme proposed in this paper is based on this signature scheme.

5. Discussion

In this section, the effectiveness of the developed scheme is analyzed, and its quantitative indicators are evaluated. The signature generation and verification consist of multiplying and adding by modulo q and multiplying polynomials in a polynomial ring. These operations are not expensive, and with the fast Fourier transform, they are calculated quickly enough. Therefore this scheme can be used for devices with a limitation on the processor clock frequency. For example, the Dilithium signature [61], built on the same paradigm as the presented scheme, uses 508K and 175K CPU cycles, respectively, for the signature generation and verification processes.

The proposed scheme was implemented using Python with Sagemath to demonstrate the efficiency and high operational speed of calculations. Algorithms of key generation, secret sharing, signature generation, and verification were tested on the same device for different security levels, defined by NIST [31].

Table 1. Experimental data on the running time of key generation, secret sharing, signature generation, and verification for different security levels.

Security Level	Algorithm	Execution Time, ms
2	Key generation	22.1
	Secret sharing	1.1
	Signature generation	20.4
	Signature verification	2.7
3	Key generation	27.8
	Secret sharing	1.5
	Signature generation	26.5
	Signature verification	2.8
5	Key generation	37.9
	Secret sharing	1.8
	Signature generation	37.8
	Signature verification	4.0

shows the execution time of each stage of the scheme for different security levels.

As seen from Table 1, the time spent on key generation, secret sharing, signature generation, and signature verification operations does not exceed 40 ms for the latest security level, and the time spent on signature verification and secret sharing is less than 5 ms. The results obtained during the experiments confirm the high speed of algorithm operations in lattice theory, which positively distinguishes this area from other areas of post-quantum cryptography. In addition, it should be said that the speed of calculations is important in distributed systems, since such systems should process a large amount of information quickly.

However, the scheme has several shortcomings that must be eliminated in future research. First, it requires intensive communication between users, which can negatively affect network congestion. Second, like other lattice-based schemes, the signature size is significant, requiring additional storage and transmission resources. The stored and transmitted data sizes were calculated for the recommended parameters from [31,47] and are presented in

Table 2. Stored and transmitted data sizes.

Parameter	Actual Size of Proposed Scheme, Bytes	Actual Size of tECDSA Scheme, Bytes
Partial signature size	7360	64
Signature size	11,775	64
Secret data size	13,247	32
Size of transmitted data by signature generation	$\mathrm{15,700}·t$	$3300·t$

. As can be seen from Table 2, the data sizes are really large in comparison with the classical threshold elliptic curve digital signature algorithm (ECDSA) scheme [62]. For example, the amount of data transferred for one user is about 15 kilobytes, although the scheme on ECDSA requires about 3 kilobytes per user [62]. This is a consequence of using recommended parameters that provide a 128-bit security level. This is a disadvantage of the system itself, as well as of lattice-based post-quantum schemes in general. Therefore, reducing the size of keys is an urgent task for all lattice-based systems.

It is worth noting that the scheme proposed in this paper is more efficient regarding data sizes than other threshold lattice-based signature schemes. In

Table 3. Stored and transmitted data sizes for the observed schemes and comparison with the proposed scheme.

Parameter	CLRS Scheme [32]	Feng’s Scheme [34]	Choi Scheme [37]	PET Scheme [38]	Proposed Scheme
Partial signature size, kB	451	1.8	$0.8·N$	40.5	7.2
Signature size, kB	$451·t$	1.8	$0.8·N·t$	60.4	11.5
Secret data size, kB	128	3.5	1,081,600	275,808	12.9
Size of transmitted data by signature generation, kB	$451·t$	$1.8·t$	$0.8·N·t$	$40.5·t$	$15.3·t$

, the sizes of partial and full signatures, secret data, as well as transmitted data for various studied schemes are shown, and estimates for the developed scheme are also given. The sizes of stored and transmitted data for each of the schemes were calculated taking into account the NIST’s recommended parameters.

As seen from Table 3, the developed scheme has one of the best indicators among the schemes considered. The CLRS scheme and the PET scheme exceed the proposed scheme in terms of data sizes in all indicators by several times. The Choi scheme greatly exceeds the size of the secret data, and despite the initially small size of the signature, it increases rapidly with an increasing number of users in the system and the size of the threshold t. Therefore, starting with certain parameters, this scheme will greatly lose to the proposed scheme. However, Feng’s scheme surpasses all schemes in quantitative parameters. Due to the centralization of Feng’s scheme and the fact that the original secret is restored during the signature generation process, this scheme cannot be used in distributed systems from a security point of view. Thus, the developed scheme is the best of the presented schemes regarding quantitative indicators.

It is worth noting that since Shamir’s secret sharing scheme is not a verified secret sharing scheme, an attacker can seize control of one of the nodes and send incorrect messages to other users, which makes it impossible to form a common signature. Therefore, to eliminate the third drawback, a special system is required to verify the correctness of partial signatures and block unwanted participants.

6. Conclusions

The threshold signature scheme developed in this paper is an improvement over the Damgaard scheme [46]. However, as with other post-quantum threshold schemes, this scheme has certain drawbacks, such as the large size of the signature and transmitted data. Despite these disadvantages, the scheme provides significant advantages, including scalability and resistance to attacks on quantum computers. This makes it a valuable tool for protecting users’ private keys in distributed systems and providing multi-factor authentication for wearable devices.

It is worth noting that data compactness is a crucial factor in distributed systems. As a result, the large size of signatures generated using this scheme can significantly reduce the efficiency of such systems. Therefore, it is important to continue exploring ways to improve the effectiveness of the proposed scheme to solve this problem. Future research should focus on developing methods to reduce the size of signatures while maintaining the same level of security and resistance to attacks on quantum computers.