# Threshold Lattice-Based Signature Scheme for Authentication by Wearable Devices

^{1}

^{2}

^{*}

## Abstract

**:**

## 1. Introduction

## 2. Preliminaries

**Definition**

**1**

**.**The set of all integer combinations of n linearly independent vectors ${\mathit{b}}_{1},\cdots ,{\mathit{b}}_{n}\in {\mathbb{R}}^{m}$, where $n\le m$, is called a lattice. The vectors are called the basis of the lattice. Formally, it can be written as follows:

**Definition**

**2**

**.**Given a matrix $\mathit{A}\in {\mathbb{Z}}_{q}^{m\times n}$, for the given numbers $q,m,n$, two q-ary lattices can be defined:

**Definition**

**3**

**.**Given a matrix $\mathit{A}\in {\mathbb{Z}}_{q}^{m\times n}$, for the given numbers $q,m,n$ we define a lattice ${L}_{q}\left(\mathit{A}\right)=\mathit{A}\xb7{\mathbb{Z}}_{q}^{n}+q\xb7{\mathbb{Z}}^{m}$. Alternatively, we can define it as

- A set of keys S with the parameter $\eta $, consisting of polynomials with small coefficients: ${S}_{\eta}={\{x\in R:\parallel x\parallel}_{\infty}\le \eta \}$, where ${\parallel x\parallel}_{\infty}={max}_{0\le i\le N-1}|{x}_{i}|$;
- A set C with parameter k consisting of binary and sparse polynomials: $C=\{c\in {R}_{2}:\parallel c{\parallel}_{1}=k\}$, where ${\parallel c\parallel}_{1}={\sum}_{0\le i\le N-1}|{c}_{i}|$.

**Definition**

**4**

**.**Given a matrix $\mathit{A}\in {R}_{q}^{m\times n}$ and a vector $\mathit{t}\in {R}_{q}^{m}$, it is required to find a vector $\mathit{s}\in {S}_{\eta}^{n}$ such that $\mathit{t}=\mathit{A}\xb7\mathit{s}+\mathit{e}$, where the vector $\mathbf{e}$ is obtained from a discrete Gaussian distribution ${D}_{s}^{m}$ with mathematical expectation 0 and standard deviation s.

**Definition**

**5**

**.**Let a random matrix $\mathit{A}\in {R}_{q}^{m\times n}$ be given, it is required to find a nonzero vector $\mathit{z}\in {R}_{q}^{m}$ such that $\parallel \mathit{z}\parallel \le B$ and

**A**·

**z**≡

**0**mod q, where $\parallel \mathit{z}\parallel =\sqrt{{\sum}_{0\le i\le m-1}{z}_{i}^{2}}$.

**Definition**

**6**

**.**Let D be secret data, our goal is to divide D into n pieces ${D}_{1},\cdots ,{D}_{n}$ in such a way that:

- 1.
- Knowledge of any t or more ${D}_{i}$ pieces makes D easily computable;
- 2.
- Knowledge of any $t-1$ or fewer ${D}_{i}$ pieces leaves D completely undetermined (in the sense that all its possible values are equally likely).

- Secret sharing.Let p is a prime number such that $p>D$, the dealer builds a ring of polynomials ${\mathbb{Z}}_{p}\left[x\right]$ on it and generates a polynomial $f\left(x\right)$ of degree $t-1$ as follows:$$f\left(x\right)={a}_{t-1}{x}^{t-1}+{a}_{t-2}{x}^{t-2}+\cdots +{a}_{1}x+D,$$Let each user have their unique identifier $ui{d}_{i}$, such that there are no two $ui{d}_{i}$ and $ui{d}_{j}$ such that $ui{d}_{i}\equiv ui{d}_{j}\phantom{\rule{3.33333pt}{0ex}}mod\phantom{\rule{0.277778em}{0ex}}p$; the dealer sends each participant his share of the secret as the value of the previously generated polynomial $f\left(x\right)$ at the point of his $ui{d}_{i}$, calculated as follows:$${y}_{i}=f\left(ui{d}_{i}\right)\phantom{\rule{3.33333pt}{0ex}}mod\phantom{\rule{0.277778em}{0ex}}p.$$Thus, each participant eventually gets a pair $(ui{d}_{i},{y}_{i})$, which is his part of the secret.
- Recovering a secret.In order to recover the secret, a group of t participants gathers together and calculates a polynomial using the Lagrange interpolation formula. Each user computes the Lagrange coefficient, using $ui{d}_{i}$ of each user, which is known by the following formula:$${l}_{i}={(-1)}^{t-1}\prod _{j\ne i,1\le j\le t}\frac{ui{d}_{j}}{ui{d}_{i}-ui{d}_{j}}.$$Next, the polynomial $f\left(x\right)$ is restored using the following formula:$$f\left(x\right)=\sum _{1\le i\le t}{y}_{i}\xb7{l}_{i}.$$The resulting polynomial $f\left(x\right)$ as a free term will contain a secret value D, i.e., the group of participants successfully obtains the secret data.

## 3. Threshold Lattice-Based Signature Scheme

- Parameter setting. Receives the security parameter $\lambda $, which defines the security level of the scheme, as input and returns the parameters $(q,N,k,l,w,\eta )$ [47].
- Key generation. Generates the commitment key $ck$, consisting of matrix $\widehat{\mathbf{A}}\in {R}_{q}^{2\times (l+2w)}$, which is defined as follows:$$\widehat{\mathbf{A}}=\left[\begin{array}{ccccc}{a}_{11}& {a}_{12}& {a}_{13}& \cdots & {a}_{1(l+2w)}\\ 0& 1& {a}_{23}& \cdots & {a}_{2(l+2w)}\end{array}\right],$$
- Commitment generation. Receives a value $x\in {R}_{q}$ as input, randomly calculates $\mathbf{r}\leftarrow {D}_{s}^{l+2w}$, where $\parallel \mathbf{r}\parallel \le B$, and returns the commitment $\mathbf{f}\in {R}_{q}^{2}$:$$\mathbf{f}=\widehat{\mathbf{A}}\xb7\mathbf{r}+\left[\begin{array}{c}0\\ x\end{array}\right].$$It is known from [47] that the commitment scheme has the binding property; that is, it is hard for a published commitment $\mathbf{f}$, obtained by the vector $\mathbf{r}$ and the value x, to find the vector ${\mathbf{r}}^{\prime}$ and the value ${x}^{\prime}$ for which ${\mathbf{f}}^{\prime}=\mathbf{f}$ since it reduces to solving the Ring-SIS problem, which is a hard problem. It is also proved in [47] that the commitment scheme has the hiding property since the distribution $\widehat{\mathbf{A}}\xb7{D}_{s}^{l+2w}$ is close to uniform.
- Commitment opening. Receives a commitment, a value $x\in {R}_{q}$, and a random vector $\mathbf{r}$ as input and checks that $\parallel \mathbf{r}\parallel \le B$ and the Equation (15) is being fulfilled.
- Key generation with a trapdoor. Generates the matrix $\overline{\mathbf{A}}$ according to (14) and randomly chooses a trapdoor, $td$, which is equal to a matrix $\mathbf{R}\leftarrow {D}_{s}^{l\times 2w}$. Then, the commitment key $tck$ is formed as follows $tck=\widehat{\mathbf{A}}=[\overline{\mathbf{A}}|\mathbf{G}-\overline{\mathbf{A}}\left|\mathbf{R}\right]$, where $\mathbf{G}\in {R}^{2\times 2w}$ is a gadget matrix, which is defined as follows:$$\mathbf{G}=\left[\begin{array}{cccccccc}1& 2& \cdots & {2}^{w-1}& 0& 0& \cdots & 0\\ 0& 0& \cdots & 0& 1& 2& \cdots & {2}^{w-1}\end{array}\right].$$
- Commitment generation with a trapdoor. Randomly chooses a vector $\mathbf{f}\in {R}_{q}^{2}$ and outputs as a commitment.
- Equivocation algorithm. Uses the trapdoor $td$ and the Micciancio–Peikert algorithm [40] in order to generate a vector $\mathbf{r}$ from a discrete Gaussian distribution on the coset of the lattice ${\Lambda}_{\mathbf{u}}^{\perp}\left(\widehat{\mathbf{A}}\right)$, which is defined as follows:$${\Lambda}_{\mathbf{u}}^{\perp}\left(\widehat{\mathbf{A}}\right)=\{\mathbf{z}\in {R}^{l+2w}:\widehat{\mathbf{A}}\xb7\mathbf{z}\equiv \mathbf{u}\phantom{\rule{0.277778em}{0ex}}mod\phantom{\rule{0.277778em}{0ex}}q\},$$

- Parameters setting. Having received the security parameter $\lambda $ as input, the public parameters of the system are generated, namely, the rings of polynomials, the public matrix rank l and dimension k, the sets S and C, the parameters of distributions, the boundary B for the length of the signature vector, as well as random oracles ${H}_{0}:{\{0,1\}}^{*}\to C$, ${H}_{1}:{\{0,1\}}^{*}\to {\{0,1\}}^{{l}_{1}}$, ${H}_{2}:{\{0,1\}}^{*}\to {\{0,1\}}^{{l}_{2}}$ and ${H}_{3}:{\{0,1\}}^{*}\to {S}_{ck}$ [46].
- Key generation. After initializing public parameters, keys are generated, consisting of two phases: matrix generation and key pair creation. All subsequent steps of the algorithm are performed by each ${P}_{i}$ user of the system, where $i\in \{1,\cdots ,n\}$ and n is the total number of users.
- (a)
- Matrix generation
- i.
- A random matrix ${\mathbf{A}}_{i}\leftarrow {R}_{q}^{k\times l}$ is calculated and a commitment ${g}_{i}={H}_{1}({\mathbf{A}}_{i},i)$ is generated and sent to other users.
- ii.
- After receiving all ${g}_{j}$ for each $j\ne i$, ${\mathbf{A}}_{i}$ matrix is sent out for each one.
- iii.
- After obtaining all ${\mathbf{A}}_{j}$ matrices for each $j\ne i$, the equalities ${g}_{j}={H}_{1}({\mathbf{A}}_{j},j)$ are checked. If at least one equality is not met, then an ABORT is sent, otherwise a public matrix $\overline{\mathbf{A}}=\left[\mathbf{A}\right|\mathbf{I}]\in {R}_{q}^{k\times (k+l)}$ is set, where $\mathbf{A}={\displaystyle \sum _{1\le j\le n}}{\mathbf{A}}_{j}$.

- (b)
- Generation of a key pair
- i.
- A secret vector ${\mathbf{s}}_{i}\leftarrow {S}_{\eta}^{l+k}$ is randomly selected, and a part of the public key is calculated: ${\mathbf{t}}_{i}=\overline{\mathbf{A}}\xb7{\mathbf{s}}_{i}$. A commitment ${g}_{i}^{\prime}={H}_{2}({\mathbf{t}}_{i},i)$ is generated and sent to other users.
- ii.
- After receiving all ${g}_{j}$ for each $j\ne i$, the vector ${\mathbf{t}}_{i}$ is sent to other users.
- iii.
- After obtaining all vectors ${\mathbf{t}}_{j}$ for each $j\ne i$, the equalities ${g}_{j}^{\prime}={H}_{2}({\mathbf{t}}_{j},j)$ are checked. If at least one equality is not met, then an ABORT is sent, otherwise a public key $\mathbf{t}={\displaystyle \sum _{1\le j\le n}}{\mathbf{t}}_{j}$ is set.

If the protocol does not return ABORT, then each user, ${P}_{i}$, gets $(s{k}_{i},pk)=({\mathbf{s}}_{i},(\mathbf{A},\mathbf{t}))$.

- Secret sharing. To separate the secret, the Shamir secret sharing scheme is used [48]. The ${P}_{i}$ user has a unique own $ui{d}_{i}$ and knows the $ui{d}_{j}$ of other users. Then it performs the following actions:
- (a)
- Generates $k+l$ polynomials ${f}_{z}^{i}$ ($z\in \{1,\cdots ,k+l\}$; i is an index of ${P}_{i}$) of degree $(t-1)$, where free terms are specified as entries of secret vector ${\mathbf{s}}_{i}$.
- (b)
- For each user ${P}_{j}$, including himself, the user ${P}_{i}$ generates a vector consisting of polynomials generated in advance with $ui{d}_{j}$ values substituted in them, which is a vector ${\mathbf{f}}_{j}^{i}=({f}_{1}^{i}\left(ui{d}_{j}\right),{f}_{2}^{i}\left(ui{d}_{j}\right),\cdots ,{f}_{k+l}^{i}\left(ui{d}_{j}\right))$, and sends this vector only to user ${P}_{j}$.
- (c)
- After receiving all the vectors ${\mathbf{f}}_{i}^{j}$ for each $j\ne i$, user ${P}_{i}$ calculates his secret key share ${\mathbf{x}}_{i}={\displaystyle \sum _{1\le j\le n}}{\mathbf{f}}_{i}^{j}$, with which he will then carry out the signature procedure.

As it can be seen, users, in this case, perform distributed secret sharing; that is, they get the share of a common secret without calculating the secret polynomial directly. This approach differs from the classical one when the dealer forms a secret polynomial and distributes shares of the secret to users. - Signature generation. For signing message $\mu $t users are selected. Let the users $\{{P}_{i},i\in \{1,\cdots ,t\}\}$ be selected. Each ${P}_{i}$ receives a unique session ID ($sid$) and a message $\mu $ that needs to be signed. The user checks that the $sid$ has not been used before and calculates locally the key for the commitment scheme $ck={H}_{3}(\mu ,pk)$. A new random oracle function is also used for the signature procedure ${H}_{4}:\{0,1\}\to {\{0,1\}}^{{l}_{4}}$. Next, the user performs the following actions.
- (a)
- Randomly selects a vector ${\mathbf{y}}_{i}\leftarrow {D}_{s}^{l+k}$ and calculates ${\mathbf{w}}_{i}=\overline{\mathbf{A}}\xb7{\mathbf{y}}_{i}$.
- (b)
- Calculates the commitment $co{m}_{i}=Commi{t}_{ck}({\mathbf{w}}_{i},{r}_{i})$, where ${r}_{i}\leftarrow D\left({S}_{\eta}\right)$, and sends it to all other users.
- (c)
- After receiving all $co{m}_{j}$ calculates $com={\displaystyle \sum _{1\le j\le t}}co{m}_{j}$.
- (d)
- Next, the user calculates the Lagrange coefficient$${l}_{i}={(-1)}^{t-1}\prod _{j\ne i,1\le j\le t}ui{d}_{j}{(ui{d}_{i}-ui{d}_{j})}^{-1}$$
- (e)
- Then receives the challenge $c={H}_{0}(com,\mu ,pk)$ and calculates the partial signature ${\mathbf{z}}_{i}=c{\mathbf{x}}_{i}+{\overline{\mathbf{y}}}_{i}$. For the next step user also computes vector ${\mathbf{z}}_{i}^{\prime}=c{\mathbf{s}}_{i}+{\mathbf{y}}_{i}$.
- (f)
- For the received value ${\mathbf{z}}^{\prime}$, the user checks that $\parallel {\mathbf{z}}^{\prime}\parallel <B$; if the condition is not met, then the user sends out RESTART. If the condition is met, then the user with the probability$$min(1,{D}_{s}^{l+k}\left({\mathbf{z}}_{i}^{\prime}\right)/(M\xb7{D}_{c{\mathbf{s}}_{i},s}^{l+k}\left({\mathbf{z}}_{i}^{\prime}\right))$$
- (g)
- After obtaining all ${g}_{j}^{\u2033}$ for each $j\ne i$, the partial signature $({\mathbf{z}}_{i},{r}_{i})$ is sent to other users.
- (h)
- After receiving all the partial signatures $({\mathbf{z}}_{j},{r}_{j})$, checks that ${g}_{j}^{\u2033}={H}_{4}({\mathbf{z}}_{j},{r}_{j})$, and if all conditions are met, calculates the values $\mathbf{z}={\displaystyle \sum _{1\le j\le t}}{\mathbf{z}}_{j}\xb7{l}_{j}$ and $r={\displaystyle \sum _{1\le j\le t}}{r}_{j}$. Then, calculates $\mathbf{w}=\overline{\mathbf{A}}\mathbf{z}-c\mathbf{t}$, checks that $\parallel \mathbf{z}\parallel \le t\xb7B$ and $Ope{n}_{ck}(com,r,\mathbf{w})=1$. If errors occur, then send ABORT.

If the protocol is not interrupted, the signature $\sigma =(com,\mathbf{z},r)$ will be received at the end of the protocol. - Signature verification. Having received the message $\mu $, signature $\sigma $ and public key $pk$, the commitment key is generated $ck={H}_{3}(\mu ,pk)$, and the challenge is calculated $c={H}_{0}(com,\mu ,pk)$ and restored $\mathbf{w}=\overline{\mathbf{A}}\mathbf{z}-c\mathbf{t}$. The signature is accepted if $\parallel \mathbf{z}\parallel \le t\xb7B$, and $Ope{n}_{ck}(com,r,\mathbf{w})=1$.

## 4. Security

**Lemma**

**1**

**.**Let $(G,S,V)$ be a digital signature algorithm with a security parameter k. Let $\mathcal{A}$ be a probabilistic, polynomial–time Turing machine whose input data are public. We will denote as Q the number of requests that $\mathcal{A}$ can send to a random oracle. Suppose that during time T, machine $\mathcal{A}$ can generate a valid signature $(m,{\sigma}_{1},h,{\sigma}_{2})$ with probability $\u03f5\ge 7Q/{2}^{k}$. Then there is another Turing machine that controls machine $\mathcal{A}$, generating two valid signatures $(m,{\sigma}_{1},h,{\sigma}_{2})$ and $(m,{\sigma}_{1},{h}^{\prime},{\sigma}_{2}^{\prime})$ such that $h\ne {h}^{\prime}$, in time ${T}^{\prime}\le 84480TQ/\u03f5$.

**Theorem**

**1.**

**Proof.**

- Split the incoming value x into $(\mathbf{z},r)$;
- If $H{T}_{4}[\mathbf{z},r]=\perp $ then set $H{T}_{4}[\mathbf{z},r]\leftarrow {\{0,1\}}^{{l}_{4}}$;
- Return $H{T}_{4}[\mathbf{z},r]$.

- The commitment $co{m}_{t}\leftarrow TCommi{t}_{tck}\left(td\right)$ is calculated and sent to other users.
- After receiving all $co{m}_{j}$ for each $j\in [t-1]$, the message signature is calculated as follows:
- (a)
- $com={\sum}_{j\in \left[t\right]}co{m}_{j}$ is set.
- (b)
- Challenge $c\leftarrow {H}_{0}(com,\mu ,pk)$ is calculated.
- (c)
- ${{g}_{t}}^{\u2033}\leftarrow {\{0,1\}}^{{l}_{4}}$ is generated randomly and sent to other users.
- (d)
- After receiving all ${{g}_{j}}^{\u2033}$ for each $j\in [t-1]$, the following actions are performed:
- i.
- The $H{T}_{4}$ table is searched for values $({\mathbf{z}}_{1},{r}_{1}),({\mathbf{z}}_{2},{r}_{2}),\cdots ,({\mathbf{z}}_{t-1},{r}_{t-1})$ according to the obtained ${g}_{j}^{\u2033}$.
- ii.
- Then vector $\mathbf{z}\leftarrow {D}_{s}^{l+k}$ is generated and the Lagrange coefficients ${l}_{i}$ are calculated.
- iii.
- The vector ${\mathbf{z}}_{t}^{\prime}=\mathbf{z}-{\sum}_{j=1}^{t-1}{\mathbf{z}}_{j}\xb7{l}_{j}$ is calculated, and then the vector of partial signature ${\mathbf{z}}_{t}={\mathbf{z}}_{t}^{\prime}\xb7{l}_{t}^{-1}$ is obtained.
- iv.
- Next, the vector $\mathbf{w}=\widehat{\mathbf{A}}\mathbf{z}-c\mathbf{t}$ is calculated and with the trapdoor $td$, and the value of randomness $r\leftarrow Eq{v}_{tck}(td,com,\mathbf{w})$ is obtained.
- v.
- The value of ${r}_{t}=r-{\sum}_{j=1}^{t-1}{r}_{j}$ is obtained, using the property of homomorphism by addition of the commitment function.
- vi.
- If $H{T}_{4}[{\mathbf{z}}_{t},{r}_{t}]=\perp $, then signature generation fails, otherwise $H{T}_{4}[{\mathbf{z}}_{t},{r}_{t}]={g}_{t}^{\u2033}$ is set, and a partial signature $({\mathbf{z}}_{t},{r}_{t})$ is sent with probability $1/M$. Otherwise, RESTART is sent, and the algorithm returns to step 1.

- After receiving all partial signatures $({\mathbf{z}}_{j},{r}_{j})$ for each $j\in [t-1]$, the final signature of the message is formed:
- (a)
- It is checked that ${g}_{j}^{\u2033}={H}_{4}({\mathbf{z}}_{j},{r}_{j})$. If all the equalities are met, then the values $\mathbf{z}={\sum}_{j\in \left[t\right]}{\mathbf{z}}_{j}\xb7{l}_{j}$ and $r={\sum}_{j\in \left[t\right]}{r}_{j}$ are calculated.
- (b)
- Next, the value $\mathbf{w}=\widehat{\mathbf{A}}\mathbf{z}-c\mathbf{t}$ is calculated and it is checked that $\parallel \mathbf{z}\parallel \le tB$ and $Ope{n}_{ck}(co{m}_{j},{r}_{j},\mathbf{w})=1$. If one of the checks fails, an ABORT is sent.

- If ${\mu}^{*}\in Mset$, where $Mset$ is the set of messages for which the adversary $\mathcal{A}$ requested a signature from $\mathcal{B}$, then the algorithm $\mathcal{B}$ returns ⊥.
- Next, $\mathcal{B}$ calculates $c{k}^{*}\leftarrow {H}_{3}({\mu}^{*},pk)$ and ${c}^{*}\leftarrow {H}_{0}(co{m}^{*},{\mu}^{*},pk)$.
- If $Ope{n}_{ck}(co{m}^{*},{r}^{*},\widehat{\mathbf{A}}\mathbf{z}-c\mathbf{t})\ne 1$ or $\parallel {\mathbf{z}}^{*}\parallel >t\xb7B$, then $\mathcal{B}$ returns ⊥.
- If $TDT[{\mu}^{*},pk]\ne \perp $, that is, there was a request to generate a commitment key and a trapdoor for the message ${\mu}^{*}$, then $\mathcal{B}$ also returns ⊥.
- If the signature successfully passes checks 1–4, then algorithm $\mathcal{B}$ returns$(co{m}^{*},{\mathbf{z}}^{*},{r}^{*},{\mu}^{*},c{k}^{*})$.

## 5. Discussion

## 6. Conclusions

## Author Contributions

## Funding

## Data Availability Statement

## Conflicts of Interest

## References

- Ometov, A.; Bezzateev, S.; Mäkitalo, N.; Andreev, S.; Mikkonen, T.; Koucheryavy, Y. Multi-Factor Authentication: A Survey. Cryptography
**2018**, 2, 1. [Google Scholar] [CrossRef] [Green Version] - Rao, V.; Prema, K. A review on lightweight cryptography for Internet-of-Things based applications. J. Ambient Intell. Humaniz. Comput.
**2021**, 12, 8835–8857. [Google Scholar] [CrossRef] - McKay, K.; Bassham, L.; Sönmez Turan, M.; Mouha, N. Report on Lightweight Cryptography; NIST Interagency/Internal Report (NISTIR); National Institute of Standards and Technology: Gaithersburg, MD, USA, 2017. [Google Scholar]
- Ometov, A.; Masek, P.; Malina, L.; Florea, R.; Hosek, J.; Andreev, S.; Hajny, J.; Niutanen, J.; Koucheryavy, Y. Feasibility characterization of cryptographic primitives for constrained (wearable) IoT devices. In Proceedings of the 2016 IEEE International Conference on Pervasive Computing and Communication Workshops (PerCom Workshops), Sydney, Australia, 14–18 March 2016; pp. 1–6. [Google Scholar]
- Coelho, K.; Damião, D.; Noubir, G.; Borges, A.; Nogueira, M.; Nacif, J. Cryptographic algorithms in wearable communications: An empirical analysis. IEEE Commun. Lett.
**2019**, 23, 1931–1934. [Google Scholar] [CrossRef] - Perumal, P.; Subha, S. An analysis of a secure communication for healthcare system using wearable devices based on elliptic curve cryptography. World Rev. Sci. Technol. Sustain. Dev.
**2022**, 18, 51–58. [Google Scholar] [CrossRef] - Hernández-Álvarez, L.; Bullón Pérez, J.J.; Batista, F.K.; Queiruga-Dios, A. Security Threats and Cryptographic Protocols for Medical Wearables. Mathematics
**2022**, 10, 886. [Google Scholar] [CrossRef] - Sowjanya, K.; Dasgupta, M.; Ray, S. An elliptic curve cryptography based enhanced anonymous authentication protocol for wearable health monitoring systems. Int. J. Inf. Secur.
**2020**, 19, 129–146. [Google Scholar] [CrossRef] - Shor, P.W. Algorithms for quantum computation: Discrete logarithms and factoring. In Proceedings of the 35th Annual Symposium on Foundations of Computer Science, Santa Fe, NM, USA, 20–22 November 1994; pp. 124–134. [Google Scholar]
- McEliece, R.J. A public-key cryptosystem based on algebraic. Coding Thv.
**1978**, 4244, 114–116. [Google Scholar] - Alabbadi, M.; Wicker, S.B. Digital signature schemes based on error-correcting codes. In Proceedings of the IEEE International Symposium on Information Theory, San Antonio, TX, USA, 17–22 January 1993; p. 199. [Google Scholar]
- Xinmei, W. Digital signature scheme based on error-correcting codes. Electron. Lett.
**1990**, 26, 898–899. [Google Scholar] [CrossRef] - Harn, L.; Wang, D. Cryptanalysis and modification of digital signature scheme based on error-correcting code. Electron. Lett.
**1992**, 2, 157–159. [Google Scholar] - Courtois, N.T.; Finiasz, M.; Sendrier, N. How to achieve a McEliece-based digital signature scheme. In Advances in Cryptology—ASIACRYPT 2001, Proceedings of the 7th International Conference on the Theory and Application of Cryptology and Information Security Gold Coast, Australia, 9–13 December 2001; Proceedings 7; Springer: Berlin/Heidelberg, Germany, 2001; pp. 157–174. [Google Scholar]
- Rostovtsev, A.; Makhovenko, E. Cryptosysten based on category of isogenious elliptic curves. Inf. Secur. Probl. Comput. Syst.
**2002**, 2006/145, 74. [Google Scholar] - Beullens, W.; Kleinjung, T.; Vercauteren, F. CSI-FiSh: Efficient isogeny based signatures through class group computations. In Advances in Cryptology—ASIACRYPT 2019, Proceedings of the 25th International Conference on the Theory and Application of Cryptology and Information Security, Kobe, Japan, 8–12 December 2019; Proceedings, Part I; Springer: Berlin/Heidelberg, Germany, 2019; pp. 227–247. [Google Scholar]
- Dartois, P.; Leroux, A.; Robert, D.; Wesolowski, B. SQISignHD: New Dimensions in Cryptography. Cryptol. Eprint Arch.
**2023**, 2023, 436. [Google Scholar] - De Feo, L.; Meyer, M. Threshold schemes from isogeny assumptions. In Public-Key Cryptography–PKC 2020, Proceedings of the 23rd IACR International Conference on Practice and Theory of Public-Key Cryptography, Edinburgh, UK, 4–7 May 2020; Proceedings, Part II 23; Springer: Berlin/Heidelberg, Germany, 2020; pp. 187–212. [Google Scholar]
- Davydov, V.; Khutsaeva, A.; Ioganson, I.; Dakuo, Z.M.; Bezzateev, S. Improved threshold signature scheme CSI-FiSh with fast secret recovery. Her. Sib. State Univ. Telecommun. Inf. Sci.
**2023**, 17, 76–91. [Google Scholar] [CrossRef] - Lamport, L. Constructing Digital Signatures from a One Way Function; Computer Science Laboratory, SRI International: Menlo Park, CA, USA, 1979. [Google Scholar]
- Merkle, R.C. Secrecy, Authentication, and Public Key Systems; Stanford University: Stanford, CA, USA, 1979. [Google Scholar]
- Bernstein, D.J.; Hülsing, A.; Kölbl, S.; Niederhagen, R.; Rijneveld, J.; Schwabe, P. The SPHINCS+ signature framework. In Proceedings of the 2019 ACM SIGSAC Conference on Computer and Communications Security, London, UK, 11–15 November 2019; pp. 2129–2146. [Google Scholar]
- Matsumoto, T.; Imai, H. Public quadratic polynomial-tuples for efficient signature-verification and message-encryption. In Advances in Cryptology—EUROCRYPT’88, Proceedings of the Workshop on the Theory and Application of Cryptographic Techniques Davos, Switzerland, 25–27 May 1988; Proceedings 7; Springer: Berlin/Heidelberg, Germany, 1988; pp. 419–453. [Google Scholar]
- Patarin, J. Cryptanalysis of the Matsumoto and Imai public key scheme of Eurocrypt’88. In Advances in Cryptology—CRYPT0’95, Proceedings of the 15th Annual International Cryptology Conference Santa Barbara, CA, USA, 27–31 August 1995; Proceedings 15; Springer: Berlin/Heidelberg, Germany, 1995; pp. 248–261. [Google Scholar]
- Ding, J.; Schmidt, D. Rainbow, a new multivariable polynomial signature scheme. Proc. ACNS
**2005**, 5, 164–175. [Google Scholar] - Wang, S.; Ma, R.; Zhang, Y.; Wang, X. Ring signature scheme based on multivariate public key cryptosystems. Comput. Math. Appl.
**2011**, 62, 3973–3979. [Google Scholar] [CrossRef] [Green Version] - Petzoldt, A.; Bulygin, S.; Buchmann, J. A multivariate based threshold ring signature scheme. Appl. Algebra Eng. Commun. Comput.
**2013**, 24, 255–275. [Google Scholar] [CrossRef] [Green Version] - Ajtai, M.; Dwork, C. A public-key cryptosystem with worst-case/average-case equivalence. In Proceedings of the Twenty-Ninth Annual ACM Symposium on Theory of Computing, El Paso, TX, USA, 4–6 May 1997; pp. 284–293. [Google Scholar]
- Goldreich, O.; Goldwasser, S.; Halevi, S. Public-key cryptosystems from lattice reduction problems. In Advances in Cryptology—CRYPTO’97, Proceedings of the 17th Annual International Cryptology Conference Santa Barbara, CA, USA, 17–21 August 1997; Proceedings 17; Springer: Berlin/Heidelberg, Germany, 1997; pp. 112–131. [Google Scholar]
- Fouque, P.A.; Hoffstein, J.; Kirchner, P.; Lyubashevsky, V.; Pornin, T.; Prest, T.; Ricosset, T.; Seiler, G.; Whyte, W.; Zhang, Z.; et al. Falcon: Fast-Fourier lattice-based compact signatures over NTRU. Submiss. NIST’s Post-Quantum Cryptogr. Stand. Process
**2018**, 36. [Google Scholar] - Ducas, L.; Kiltz, E.; Lepoint, T.; Lyubashevsky, V.; Schwabe, P.; Seiler, G.; Stehlé, D. Crystals-dilithium: A lattice-based digital signature scheme. IACR Trans. Cryptogr. Hardw. Embed. Syst.
**2018**, 2018, 238–268. [Google Scholar] [CrossRef] - Cayrel, P.L.; Lindner, R.; Rückert, M.; Silva, R. A lattice-based threshold ring signature scheme. In Progress in Cryptology–LATINCRYPT 2010, Proceedings of the First International Conference on Cryptology and Information Security in Latin America, Puebla, Mexico, 8–11 August 2010; proceedings 1; Springer: Berlin/Heidelberg, Germany, 2010; pp. 255–272. [Google Scholar]
- Bettaieb, S.; Schrek, J. Improved lattice-based threshold ring signature scheme. In Post-Quantum Cryptography, Proceedings of the 5th International Workshop, PQCrypto 2013, Limoges, France, 4–7 June 2013, Proceedings 5; Springer: Berlin/Heidelberg, Germany, 2013; pp. 34–51. [Google Scholar]
- Feng, T.; Gao, Y.; Ma, J. Changeable threshold signature scheme based on lattice theory. In Proceedings of the 2010 International Conference on E-Business and E-Government, Guangzhou, China, 7–9 May 2010; pp. 1311–1315. [Google Scholar]
- Hoffstein, J.; Howgrave-Graham, N.; Pipher, J.; Silverman, J.H.; Whyte, W. NTRUSIGN: Digital signatures using the NTRU lattice. In Topics in Cryptology—CT-RSA 2003, Proceedings of The Cryptographers’ Track at the RSA Conference 2003, San Francisco, CA, USA, 13–17 April 2003; Springer: Berlin/Heidelberg, Germany, 2003; pp. 122–140. [Google Scholar]
- Wang, K.; Xu, Q.; Zhang, G. A secure threshold signature scheme from lattices. In Proceedings of the 2013 Ninth International Conference on Computational Intelligence and Security, Emei Mountain, China, 14–15 December 2013; pp. 469–473. [Google Scholar]
- Choi, R.; Kim, K. Lattice-based threshold signature with message block sharing. In Proceedings of the 31st Symposium on Cryptography and Information Security, Kagoshima, Japan, 21–24 January 2014; pp. 1–7. [Google Scholar]
- Pilaram, H.; Eghlidos, T.; Toluee, R. An efficient lattice-based threshold signature scheme using multi-stage secret sharing. IET Inf. Secur.
**2021**, 15, 98–106. [Google Scholar] [CrossRef] - Pilaram, H.; Eghlidos, T. An efficient lattice based multi-stage secret sharing scheme. IEEE Trans. Dependable Secur. Comput.
**2015**, 14, 2–8. [Google Scholar] [CrossRef] - Micciancio, D.; Peikert, C. Trapdoors for Lattices: Simpler, Tighter, Faster, Smaller. Eurocrypt
**2012**, 7237, 700–718. [Google Scholar] - Agrawal, S.; Kirshanova, E.; Stehlé, D.; Yadav, A. Practical, round-optimal lattice-based blind signatures. In Proceedings of the 2022 ACM SIGSAC Conference on Computer and Communications Security, Los Angeles, CA, USA, 7–11 November 2022; pp. 39–53. [Google Scholar]
- Boneh, D.; Gennaro, R.; Goldfeder, S.; Jain, A.; Kim, S.; Rasmussen, P.M.; Sahai, A. Threshold cryptosystems from threshold fully homomorphic encryption. In Advances in Cryptology–CRYPTO 2018, Proceedings of the 38th Annual International Cryptology Conference, Santa Barbara, CA, USA, 19–23 August 2018; Proceedings, Part I 38; Springer: Berlin/Heidelberg, Germany, 2018; pp. 565–596. [Google Scholar]
- Lyubashevsky, V. Fiat-Shamir with aborts: Applications to lattice and factoring-based signatures. In Advances in Cryptology–ASIACRYPT 2009, Proceedings of the 15th International Conference on the Theory and Application of Cryptology and Information Security, Tokyo, Japan, 6–10 December 2009; Proceedings 15; Springer: Berlin/Heidelberg, Germany, 2009; pp. 598–616. [Google Scholar]
- Lyubashevsky, V. Lattice signatures without trapdoors. In Advances in Cryptology—EUROCRYPT 2012, Proceedings of the 31st Annual International Conference on the Theory and Applications of Cryptographic Techniques, Cambridge, UK, 15–19 April 2012; Proceedings 31; Springer: Berlin/Heidelberg, Germany, 2012; pp. 738–755. [Google Scholar]
- Schnorr, C.P. Efficient signature generation by smart cards. J. Cryptol.
**1991**, 4, 161–174. [Google Scholar] [CrossRef] [Green Version] - Damgård, I.; Orlandi, C.; Takahashi, A.; Tibouchi, M. Two-round n-out-of-n and multi-signatures and trapdoor commitment from lattices. J. Cryptol.
**2022**, 35, 14. [Google Scholar] [CrossRef] - Baum, C.; Damgård, I.; Lyubashevsky, V.; Oechsner, S.; Peikert, C. More efficient commitments from structured lattice assumptions. In Security and Cryptography for Networks, Proceedings of the 11th International Conference, SCN 2018, Amalfi, Italy, 5–7 September 2018; Springer: Berlin/Heidelberg, Germany, 2018; pp. 368–385. [Google Scholar]
- Shamir, A. How to share a secret. Commun. ACM
**1979**, 22, 612–613. [Google Scholar] [CrossRef] - Bezzateev, S.; Davydov, V.; Ometov, A. On Secret Sharing with Newton’s Polynomial for Multi-Factor Authentication. Cryptography
**2020**, 4, 34. [Google Scholar] [CrossRef] - Micciancio, D.; Regev, O. Lattice-based Cryptography. In Post-Quantum Cryptography; Bernstein, D.J., Buchmann, J., Dahmen, E., Eds.; Springer: Berlin/Heidelberg, Germany, 2009; pp. 147–191. [Google Scholar] [CrossRef] [Green Version]
- Sphere Packings, Lattices and Groups; Springer Science & Business Media: Berlin/Heidelberg, Germany, 2013; Volume 290.
- Ajtai, M. Generating hard instances of lattice problems. In Proceedings of the Twenty-Eighth Annual ACM Symposium on Theory of Computing, Philadelphia, PA, USA, 22–24 May 1996; pp. 99–108. [Google Scholar]
- Goldreich, O.; Micciancio, D.; Safra, S.; Seifert, J.P. Approximating shortest lattice vectors is not harder than approximating closest lattice vectors. Inf. Process. Lett.
**1999**, 71, 55–61. [Google Scholar] [CrossRef] - Ajtai, M. The shortest vector problem in L2 is NP-hard for randomized reductions. In Proceedings of the Thirtieth Annual ACM Symposium on Theory of Computing, Dallas, TX, USA, 23–26 May 1998; pp. 10–19. [Google Scholar]
- Regev, O. On lattices, learning with errors, random linear codes, and cryptography. J. ACM (JACM)
**2009**, 56, 1–40. [Google Scholar] [CrossRef] - Brakerski, Z.; Gentry, C.; Vaikuntanathan, V. (Leveled) fully homomorphic encryption without bootstrapping. ACM Trans. Comput. Theory (TOCT)
**2014**, 6, 1–36. [Google Scholar] [CrossRef] [Green Version] - Langlois, A.; Stehlé, D. Worst-case to average-case reductions for module lattices. Des. Codes Cryptogr.
**2015**, 75, 565–599. [Google Scholar] [CrossRef] - Gentry, C.; Peikert, C.; Vaikuntanathan, V. Trapdoors for hard lattices and new cryptographic constructions. In Proceedings of the Fortieth Annual ACM Symposium on Theory of Computing, Victoria, BC, Canada, 17–20 May 2008; pp. 197–206. [Google Scholar]
- Lyubashevsky, V.; Peikert, C.; Regev, O. On ideal lattices and learning with errors over rings. J. ACM (JACM)
**2013**, 60, 1–35. [Google Scholar] [CrossRef] - Pointcheval, D.; Stern, J. Security arguments for digital signatures and blind signatures. J. Cryptol.
**2000**, 13, 361–396. [Google Scholar] [CrossRef] - Ducas, L.; Lepoint, T.; Lyubashevsky, V.; Schwabe, P.; Seiler, G.; Stehle, D. CRYSTALS—Dilithium: Digital Signatures from Module Lattices. Cryptology ePrint Archive, Paper 2017/633. 2017. Available online: https://eprint.iacr.org/2017/633 (accessed on 15 January 2023).
- Pettit, M. Efficient threshold-optimal ECDSA. In Cryptology and Network Security, Proceedings of the 20th International Conference, CANS 2021, Vienna, Austria, 13–15 December 2021; Springer: Berlin/Heidelberg, Germany, 2021; pp. 116–135. [Google Scholar]

**Table 1.**Experimental data on the running time of key generation, secret sharing, signature generation, and verification for different security levels.

Security Level | Algorithm | Execution Time, ms |
---|---|---|

2 | Key generation | 22.1 |

Secret sharing | 1.1 | |

Signature generation | 20.4 | |

Signature verification | 2.7 | |

3 | Key generation | 27.8 |

Secret sharing | 1.5 | |

Signature generation | 26.5 | |

Signature verification | 2.8 | |

5 | Key generation | 37.9 |

Secret sharing | 1.8 | |

Signature generation | 37.8 | |

Signature verification | 4.0 |

Parameter | Actual Size of Proposed Scheme, Bytes | Actual Size of tECDSA Scheme, Bytes |
---|---|---|

Partial signature size | 7360 | 64 |

Signature size | 11,775 | 64 |

Secret data size | 13,247 | 32 |

Size of transmitted data by signature generation | $\mathrm{15,700}\xb7t$ | $3300\xb7t$ |

**Table 3.**Stored and transmitted data sizes for the observed schemes and comparison with the proposed scheme.

Parameter | CLRS Scheme [32] | Feng’s Scheme [34] | Choi Scheme [37] | PET Scheme [38] | Proposed Scheme |
---|---|---|---|---|---|

Partial signature size, kB | 451 | 1.8 | $0.8\xb7N$ | 40.5 | 7.2 |

Signature size, kB | $451\xb7t$ | 1.8 | $0.8\xb7N\xb7t$ | 60.4 | 11.5 |

Secret data size, kB | 128 | 3.5 | 1,081,600 | 275,808 | 12.9 |

Size of transmitted data by signature generation, kB | $451\xb7t$ | $1.8\xb7t$ | $0.8\xb7N\xb7t$ | $40.5\xb7t$ | $15.3\xb7t$ |

Disclaimer/Publisher’s Note: The statements, opinions and data contained in all publications are solely those of the individual author(s) and contributor(s) and not of MDPI and/or the editor(s). MDPI and/or the editor(s) disclaim responsibility for any injury to people or property resulting from any ideas, methods, instructions or products referred to in the content. |

© 2023 by the authors. Licensee MDPI, Basel, Switzerland. This article is an open access article distributed under the terms and conditions of the Creative Commons Attribution (CC BY) license (https://creativecommons.org/licenses/by/4.0/).

## Share and Cite

**MDPI and ACS Style**

Leevik, A.; Davydov, V.; Bezzateev, S.
Threshold Lattice-Based Signature Scheme for Authentication by Wearable Devices. *Cryptography* **2023**, *7*, 33.
https://doi.org/10.3390/cryptography7030033

**AMA Style**

Leevik A, Davydov V, Bezzateev S.
Threshold Lattice-Based Signature Scheme for Authentication by Wearable Devices. *Cryptography*. 2023; 7(3):33.
https://doi.org/10.3390/cryptography7030033

**Chicago/Turabian Style**

Leevik, Anton, Vadim Davydov, and Sergey Bezzateev.
2023. "Threshold Lattice-Based Signature Scheme for Authentication by Wearable Devices" *Cryptography* 7, no. 3: 33.
https://doi.org/10.3390/cryptography7030033