Development of Cryptographic Techniques Specialized for the Assurance of AI Data
Project source
Principal investigator
Funded institution
Project number
Year approved
Approval date
Research period
Project level
Funding amount
Discipline
Discipline code
Funding category
Keywords
Participants
Participating institutions
1. Lyubashevsky’s Signature Has Multi-User Security under Adaptive Corruptions and Key Leakages
- Keywords:
- Authentication;Crime;Electronic document identification systems;Information leakage;Lattice theory;Network security;Number theory;Public key cryptography;Adaptive corruptions;Lattice signature;Lattice-based;Leakage-resilience;Multi-user setting;Multiusers;Secret key;Signature Scheme;Single users;User setting
- Fukumitsu, Masayuki;Hasegawa, Shingo
- 《IEICE Transactions on Fundamentals of Electronics, Communications and Computer Sciences》
- 2026
- Volume E109.A
- Issue 3
- Journal
We consider multi-user security under adaptive corruptions and key leakages (MUc&l security) for lattice-based signatures. There already exists an MUc&l secure signature based on a number-theoretic assumption, and a leakage-resilient lattice-based signature in the single-user setting. However, no MUc&l secure lattice-based signature is known. We examine the existing lattice-based signature schemes from the viewpoint of MUc&l security. We find that the security of Lyubashevsky’s signature, which is proven to have only the ordinary single-user security, can be extended to multi-user security even when adaptive corruptions and key leakages are taken into account. Our security proof in the multi-user setting makes use of a feature of the SIS problem: a SIS instance is set as the public parameter, so a reduction algorithm can set a public key together with its secret key in order to answer a corruption query. We also show that the entropy of the secret key is kept under bounded leakage with high probability, from which the leakage resilience of the signature follows. Copyright © 2026 The Institute of Electronics, Information and Communication Engineers.
2. Tightly Secure Aggregate Signature with Pre-Communication
- Keywords:
- Aggregates;Authentication;Network security;Public key cryptography;Reduction;Aggregate signature;Aggregate signature with pre-communication;Bilinear map;Cryptographic assumptions;DDH assumptions;Key models;Knowledge of secret key model;Pairing-free;Secret key;Security reduction
- Fukumitsu, Masayuki;Hasegawa, Shingo
- 《IEICE Transactions on Fundamentals of Electronics, Communications and Computer Sciences》
- 2025
- Volume E108.A
- Issue 9
- Journal
Constructing aggregate signatures without a bilinear map is a challenging and important problem in both practical and theoretical cryptology. In order to construct an aggregate signature that does not use a bilinear map, it is common either to restrict some functionality of aggregate signatures or to employ strong cryptographic assumptions. The aggregate signature with pre-communication (ASwPC) is one of the variants of aggregate signatures that achieves security from a standard cryptographic assumption without a bilinear map. The ASwPC requires signers to interact with each other to share a temporary randomness before they determine the messages to be signed. After the pre-communication, each signer can start the signing process individually. An instantiation of ASwPC has been given based on the discrete logarithm (DL) assumption, and its security is proven in the random oracle and the knowledge of secret key (KOSK) model via a loose security reduction. In this paper, we aim to construct a new ASwPC scheme whose security is proven via a tight security reduction. We employ the DDH assumption rather than the DL assumption. The combination of the property of the decisional assumption and that of the KOSK model enables us to apply the lossy key technique even in the case of ASwPC. We can then prove the security of our scheme with a tight security reduction. Copyright © 2025 The Institute of Electronics, Information and Communication Engineers.
3. On Multi-User Security of Lattice-Based Signature Under Adaptive Corruptions and Key Leakages
- Keywords:
- Authentication;Crime;Public key cryptography;Adaptive corruptions;Lattice signature;Lattice-based;Leakage-resilience;Multi-user setting;Multiusers;Secret key;Signature Scheme;Single users;User setting
- Fukumitsu, Masayuki;Hasegawa, Shingo
- 《18th International Conference on Provable and Practical Security, ProvSec 2024》
- 2025
- September 25, 2024 - September 27, 2024
- Gold Coast, QLD, Australia
- Conference
We consider multi-user security under adaptive corruptions and key leakages (MUc&l security) for lattice-based signatures. Although there exists an MUc&l secure signature based on a number-theoretic assumption, and a leakage-resilient lattice-based signature in the single-user setting, no MUc&l secure lattice-based signature is known. We examine the existing lattice-based signature schemes from the viewpoint of MUc&l security, and find that the security of Lyubashevsky’s signature, which is proven to have only the ordinary single-user security, can be extended to multi-user security even when adaptive corruptions and key leakages are taken into account. Our security proof in the multi-user setting makes use of a feature of the SIS problem: a SIS instance is set as the public parameter, so a reduction algorithm can set a public key together with its secret key in order to answer a corruption query. We also show that the entropy of the secret key is kept under bounded leakage with high probability, from which the leakage resilience of the signature follows. © The Author(s), under exclusive license to Springer Nature Singapore Pte Ltd. 2025.
4. Tightly Secure Lattice-Based Synchronized Aggregate Signature in Standard Model
- Keywords:
- Authentication;Electronic document identification systems;Network security;Public key cryptography;Synchronization;Aggregate signature;Lattice;Lattice-based;Multisignature scheme;Quanta computers;Signature Scheme;Standard model;Synchronized aggregate signature;The standard model;Tightness
- Anada, Hiroaki;Fukumitsu, Masayuki;Hasegawa, Shingo
- 《27th International Conference on Information Security and Cryptology, ICISC 2024》
- 2025
- November 20, 2024 - November 22, 2024
- Seoul, Korea, Republic of
- Conference
A synchronized aggregate signature (AS) can aggregate multiple individual signatures into one signature when the individual signatures are generated in the same period. Although several synchronized AS schemes have been proposed, none of them is resistant to quantum computers. In this paper, we discuss a lattice-based synchronized AS that is secure in the standard model and the certified-key model. The proposed scheme is based on the multi-signature scheme proposed by Fleischhacker, Herold, Simkin and Zhang. We convert their multi-signature scheme into a synchronized AS scheme by separating a public key into two parts and applying a homomorphic vector commitment to each part. Our technique can handle hash values of messages as coefficients of the homomorphic operation even if the message differs for each user, so we can aggregate individual signatures on different messages into one signature. Our result is not only the first lattice-based synchronized AS but also the first lattice-based AS secure in the standard model. © The Author(s), under exclusive license to Springer Nature Singapore Pte Ltd. 2025.
5. Group Signatures with Designated Traceability over Openers' Attributes from Lattices
- Keywords:
- Anonymity;Authentication;Crystal lattices;Image coding;Public key cryptography;Quantum cryptography;Access structure;Attribute;Ciphertext-policy attribute-based encryptions;Generic construction;Group managers;Group signatures;Lattice;Lattice-based;Opener;Symmetric keys
- Anada, Hiroaki;Fukumitsu, Masayuki;Hasegawa, Shingo
- 《12th International Symposium on Computing and Networking, CANDAR 2024》
- 2024
- November 26, 2024 - November 29, 2024
- Naha, Japan
- Conference
The group signature with designated traceability (GSdT) is a kind of group signature (GS) that aims to restrict the opening authority of the group manager: by setting an access structure over openers' attributes at signing time, a signer is able to control which openers can open the signature. A generic construction of GSdT was given when the notion was introduced; a pairing-based construction and a symmetric-key-based one were presented later. Nonetheless, it has remained open whether a post-quantum GSdT with full anonymity can actually be constructed. In this paper, we give a lattice-based GSdT scheme that has full anonymity for the first time. In our construction, the lattice-based ciphertext-policy attribute-based encryption (CP-ABE) by Tsabary and the lattice-based group signatures (GS) by Libert et al. are employed. The CP-ABE is based on the Regev public-key encryption, while the GS uses a non-interactive zero-knowledge proof to prove the correctness of the encryption in the signing process. Based on this compatibility, we combine and modify them to build a GSdT scheme. © 2024 IEEE.
6. Group Signatures with Designated Traceability over Openers' Attributes from Symmetric-Key Primitives
- Keywords:
- Anonymity;Authentication;Boolean functions;Hash functions;Quantum cryptography;Trees (mathematics);Access structure;Accountability;Attribute-based;Group signature scheme;Group signatures;Post quantum;Pseudo-random functions;Symmetric keys;Symmetric-key primitive;Traceability
- Anada, Hiroaki;Fukumitsu, Masayuki;Hasegawa, Shingo
- 《21st Annual International Conference on Privacy, Security and Trust, PST 2024》
- 2024
- August 28, 2024 - August 30, 2024
- Sydney, NSW, Australia
- Conference
A group signature scheme in which signers are able to designate openers by specifying access structures over openers' attributes, called GSdT, was introduced at CANDAR 2021. In this paper, we present a construction of GSdT from only symmetric-key primitives: pseudorandom functions, hash functions and commitments. Because of this, our GSdT is expected to be secure against the computational power of quantum computers. We first introduce syntax and security definitions in the static group model. Then, in our construction, the key ingredient is a non-interactive zero-knowledge proof of knowledge system built from these primitives in the 'MPC-in-the-head' paradigm, owing to the technique developed by Katz, Kolesnikov and Wang (ACM-CCS 2018). Our approach starts with their group signature scheme, but non-trivially extends the Merkle tree so that signers can treat (all-AND) boolean formulas as the access structures. According to our estimation, the signing time is less than 3.0 sec and the signature size is less than 0.5 MB in a scenario where the numbers of group members and attributes are 27 and 23, respectively, and the security to be attained is 128-bit quantum security. © 2024 IEEE.
7. Accountable Ring Signatures from Symmetric-Key Primitives
- Keywords:
- Authentication;Electronic document identification systems;Network security;Accountability;Anonymity;Multiparty computation;Post-quantum securities;Pseudo-random functions;Ring signature schemes;Ring signatures;Symmetric keys;Traceability;Zero-knowledge proofs
- Anada, Hiroaki;Fukumitsu, Masayuki;Hasegawa, Shingo
- 《11th International Symposium on Computing and Networking, CANDAR 2023》
- 2023
- November 28, 2023 - December 1, 2023
- Matsue, Japan
- Conference
We propose an accountable ring signature scheme (ARS) constructed from only symmetric-key primitives: pseudorandom functions, hash functions and commitments. By introducing interaction between a user and an opener in the key-issuing phase, our ARS is a composition of the two previous ring and group signature schemes proposed by Katz et al. at ACM-CCS 2018. It attains two non-trivial features. One is effective use of Merkle trees to keep the length of a signature logarithmic in the size of the ring. The other is post-quantum security, owing to the security properties of the building blocks. © 2023 IEEE.