Lattice-Based Threshold, Accountable, and Private Signature

Recently, Boneh and Komlo (CRYPTO 2022) initiated the study of threshold, accountable, and private signature (TAPS) schemes. Classical threshold signature schemes are either fully private or fully accountable. At a high level, a fully private threshold signature reveals no information about the signing parties, while the signers of a fully accountable threshold signature can be easily traced because their identities are revealed directly in the signature. TAPS opens up a brand new opportunity to enjoy the two seemingly contradicting features at the same time and therefore has great potential to be applicable in emerging blockchain applications. Unfortunately, the only TAPS to date are based on classical cryptographic assumptions that do not hold against quantum computers. In this paper, we propose the first TAPS from lattice-based assumptions, which remain hard against quantum algorithms. Our main building blocks are a new lattice-based t-out-of-N proof of knowledge that employs a recent framework by Lyubashevsky et al. (CRYPTO 2022) and a lattice-based accountable threshold signature, which may be of independent interest. Using these building blocks, we provide a compact construction of lattice-based TAPS with asymptotically optimal signature size. Instantiating the scheme with our suggested parameters, the signature size is 42.34KB for N = 32.