A Blind Digital Signature Protocol over NTRU

Currently, the NIST post-quantum cryptosystem standardization competition has reached its third round with seven finalist candidates, and NIST invites the cryptographic community to analyze the selected candidates. In this context, we contribute by creating a new blind digital signature protocol over our release of the NTRU post-quantum cryptosystem. Our protocol can be a variant of the FALCON digital signature scheme, which is among those finalist candidates. Because our NTRU release is additively homomorphic, we successfully blind and unblind the digital signature by adding a random message. We obtained good results: the speed performance of our protocol outperforms FALCON by a factor of up to 27, with a stronger security level and perfect correctness.


Introduction
Currently, the NIST post-quantum cryptosystem standardization project is still in progress, and the competition reached its third round in July 2020, with seven finalist candidates and eight alternate candidates. The digital signature schemes selected for this round are "FALCON, RAINBOW, and CRYSTALS".
FALCON [1] is based on the NTRU assumption, which is a structured-lattice assumption, and in its report [2] NIST states that the "structured lattice schemes appear to be the most promising general-purpose algorithms for public-key encryption/KEM and digital signature schemes". For more details about FALCON and the other candidates, the reader can see the NIST competition website.
Handwritten signatures on documents have long been used to prove the identity of their authors, or at least the signatory's agreement with the content of the document. We would like to do the same with computers and communication networks during exchanges. Therefore, the digital signature mechanism makes it possible to guarantee the integrity of an electronic document and to authenticate the document's author, by analogy with the handwritten signature on a paper document.
In this paper, we consider FALCON as our case study, and we create a new Blind Digital Signature Protocol over our NTRU release [3], which implements an improved NTT (Number Theoretic Transform) algorithm [4] to increase the performance and uses the Keccak hash function SHA3-512 [5] to increase the security level.
The blinding and unblinding of the digital signature are done correctly because NTRU is additively homomorphic.
The plan of this work is as follows: Section 1 contains this introduction; in Section 2, we give the preliminaries by briefly describing the blind digital signature scheme over RSA, the FALCON signature scheme, the NTRU cryptosystem, and Fully Homomorphic Encryption (FHE); Section 3 describes our Blind Digital Signature Protocol, namely "NTRUblind_Sign"; in Section 4, we give the benchmarking and results of our NTRUblind_Sign compared to the FALCON signature scheme; and the last section, Section 5, contains the conclusion and our future work.

Preliminaries
There are many examples and studies focused especially on digital signature schemes and blind digital signature schemes. In this section, we briefly describe how RSA implements the blind signature [6]; we give an overview of the FALCON signature scheme [1], which is a finalist candidate and our case study; we describe the NTRU post-quantum cryptosystem on which our protocol is based; and we describe the FHE (Fully Homomorphic Encryption) technique, which we are going to use for blinding the signature. As in the literature of RSA, let be:  =  * , e the public key, and d the private key, with  *  = 1 ( ).

Bob verifies whether $m = s^e \pmod{N}$.
Alice performs the RSA blind signature in line 3 by multiplying her message m by the random message r received from Bob. Bob unblinds the signature by decrypting the message m' received from Alice and multiplying the result by the inverse of his random message r. NB: It is possible for Alice to encrypt the message m with Bob's public key and for Bob to decrypt it with his private key.
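The blinding and unblinding steps described above, written out as textbook RSA blinding; this is an added example, not the paper's own listing. The requester/signer role names, the toy primes, and the SHA3-512 hash-to-integer encoding are assumptions made for the illustration.

```python
import hashlib
import secrets
from math import gcd

# Constructed toy key built from two Mersenne primes; far too small for real use.
P, Q = 2**127 - 1, 2**89 - 1
N, E = P * Q, 65537
D = pow(E, -1, (P - 1) * (Q - 1))      # signer's private exponent, e*d = 1 mod phi(N)

def digest(msg: bytes) -> int:
    """Map a message to an integer mod N with SHA3-512 (toy encoding, no padding)."""
    return int.from_bytes(hashlib.sha3_512(msg).digest(), "big") % N

def blind(m: int, r: int = None):
    """Requester: hide m as m' = m * r^e mod N, with r invertible mod N."""
    while r is None or gcd(r, N) != 1:
        r = secrets.randbelow(N - 2) + 2
    return (m * pow(r, E, N)) % N, r

def sign_blinded(m_blind: int) -> int:
    """Signer: s' = m'^d mod N, computed without ever seeing m."""
    return pow(m_blind, D, N)

def unblind(s_blind: int, r: int) -> int:
    """Requester: s = s' * r^-1 mod N, because s' = m^d * r mod N."""
    return (s_blind * pow(r, -1, N)) % N

def verify(m: int, s: int) -> bool:
    """Anyone: accept if m = s^e mod N."""
    return pow(s, E, N) == m

if __name__ == "__main__":
    m = digest(b"constructed sample message")
    m_blind, r = blind(m)
    s = unblind(sign_blinded(m_blind), r)
    print("signature valid:", verify(m, s))
```

The unblinded value equals the signature the signer would have produced on m directly, which is why the ordinary verification equation still holds.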

FALCON
It is a lattice-based signature scheme over NTRU, inspired by the lattice-based signature framework of Gentry et al., which is constructed by solving appSVP to obtain secure lattice-based signatures [9]. FALCON obtains the trapdoor sampler by using fast Fourier sampling to construct a hash-and-sign lattice-based signature scheme [1]. The FALCON team created two releases with parameter sets satisfying the security levels 3 and 5 claimed by NIST, respectively [2]. = ℤ[] = ( � + 1) It operates in the ring, and the polynomials are sampled according to the Centered Binomial Distribution (sampCBD), using the SHAKE-256 Keccak hash function, inspired by the work of Alkim et al. [10].

NTRU post-quantum cryptosystem.
NTRU was created in 1996 by the three mathematicians J. Hofstein, J. Pipher, and J. H. Silverman, and published in 1998. It is the first cryptosystem that is built entirely on structured lattices. NTRU is defined in the ring  = ℤ[] = ( � − 1), with n is prime and  = 2 � , or in the ring  = ℤ[] = ( � + 1) with  = 2 � , and q prime. The use of the ring structure reduces the key size and increases the speed performance that can be achieved [11]. The latest version is currently a candidate for the NIST PQC project, see [12].

Fully Homomorphic Encryption (FHE).
Rivest et al. proposed the FHE method in 1978, but the first FHE scheme based on a lattice scheme (Ring-LWE) was created in 2009 by Gentry [13].
Our protocol blinds and unblinds the digital signature by using the homomorphic encryption technique over our NTRU post-quantum cryptosystem release [14]. We give herein a brief definition of homomorphic encryption.
Multiplicative Homomorphic Encryption: A cryptosystem is FHE if it is additively and multiplicatively homomorphic. In our work, we used only additive homomorphic encryption for blinding the digital signature. For more information, the reader can see the NIST report [15].
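The additive property used for blinding, shown on a toy textbook NTRU encryption scheme; this is an added example, not the paper's NTRUblind_Sign code or parameters. The ring size 8, modulus 257, binary plaintext modulus, key shape f = 1 + 2f', and all function names are assumptions chosen so the example stays small.

```python
import random
N_DEG, Q, P = 8, 257, 2      # toy ring Z_Q[x]/(x^8 + 1), binary plaintexts (assumed sizes)
ONE = [1] + [0] * (N_DEG - 1)

def mul(a, b):
    out = [0] * N_DEG
    for i, ai in enumerate(a):
        for j, bj in enumerate(b):
            sign = -1 if i + j >= N_DEG else 1       # negacyclic: x^N_DEG wraps to -1
            out[(i + j) % N_DEG] = (out[(i + j) % N_DEG] + sign * ai * bj) % Q
    return out

def add(a, b):
    return [(x + y) % Q for x, y in zip(a, b)]

def inverse(f):
    """f^(Q-2): x^8 + 1 splits into linear factors mod 257, so every unit u has u^(Q-1) = 1."""
    result, base, e = ONE, f, Q - 2
    while e:
        if e & 1:
            result = mul(result, base)
        base, e = mul(base, base), e >> 1
    return result if mul(result, f) == ONE else None  # None when f is not invertible

def small(rng, scale=1):
    return [scale * rng.choice((-1, 0, 1)) % Q for _ in range(N_DEG)]

def keygen(rng):
    """Textbook NTRU keys: secret f = 1 + P*f', public h = P*g*f^-1."""
    while True:
        f = add(ONE, small(rng, P))
        f_inv = inverse(f)
        if f_inv is not None:
            return mul(small(rng, P), f_inv), f

def encrypt(h, bits, rng):
    return add(mul(h, small(rng)), bits)              # c = h*r + m

def decrypt(f, c):
    """a = f*c = P*g*r + f*m; lift to (-Q/2, Q/2], then reduce mod P."""
    return [(v - Q if v > Q // 2 else v) % P for v in mul(f, c)]

def blind_roundtrip(bits, seed=1):
    """Add an encrypted random mask to an encrypted message, decrypt, then remove the mask."""
    rng = random.Random(seed)                         # seeded only so the example is repeatable
    h, f = keygen(rng)
    mask = [rng.randrange(2) for _ in range(N_DEG)]
    blinded = decrypt(f, add(encrypt(h, bits, rng), encrypt(h, mask, rng)))
    return mask, blinded, [(b + k) % P for b, k in zip(blinded, mask)]
```

With these sizes the coefficients of f*c for a sum of two ciphertexts are bounded by 66 in absolute value, below Q/2, so decryption of the sum is always exact.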

NTRUblind_Sign Description.
The NTRUblind_Sign protocol is inspired by our NTRU release [3], and it is defined in the polynomial ring  = ℤ[] = ( + 1). Its parameters satisfy the security level category 5 defined by NIST, and the polynomials are chosen according to the Centered Binomial Distribution (sampCBD) [10], with the coefficients defined in [-3,…, 3], except that the plaintext is encoded as a binary polynomial. We note that the modulus q is the fourth prime number, which was first studied by Pierre Fermat [8].
The key generation process of NTRU begins by: (1) generating two polynomials f and g according to CBD; (2) computing a polynomial  =  + 1 [16], and computing its inverse  = � � ( ) ; (3) computing the polynomial  =  *  ( ); and for our protocol, we consider F as the public key and H as the private key.
In the literature [11], the NTRU assumption of the public key encryption (PKE) scheme is defined by: "Having the public key  = � � (  ), it is hard to find the private keys F and g". So we can define the NTRU assumption for the Digital Signature scheme by: "Having the public key  = � � ( ) it is hard to find H and g". Then in our digital signature scheme, we keep H and g as private keys and we consider F as the public key.

NTRUblind_Sign implementation.
Its key generation function is 33 times faster, the Signature function is 7.8 times faster, and the Verification is 1.6 times faster. That means we increased the speed performance, and our release outperforms the FALCON version by a factor of up to 27 times for the complete cryptographic process.
In terms of the security performance, researchers on structured lattice schemes essentially use the lattice reduction algorithms (LLL, BKZ, etc.) to check the robustness of the cryptosystems based on lattices [19]. BKZ is chosen by NIST and many researchers to check the complexity of solving the lattice problems (CVP, SVP, uSVP, etc.).
Therefore, we used the tools of Albrecht et al. [20] and their proposed BKZ cost model to measure the security levels. NTRUblind_Sign achieves a $2^{216}$ classical security level and a $2^{196}$ quantum security level. The security level of our release is almost the same as the security of FALCON, and we improve the security of our NTRUblind_Sign by implementing the strong SHA3-512 Keccak hash function, unlike FALCON, which uses the SHAKE-256 hash function.

Conclusion
Our NTRUblind_Sign Blind Signature Protocol can be a variant of FALCON, which is currently a finalist candidate in the NIST post-quantum standardization project. It can also be an alternative to the RSA digital signature schemes, which are currently used for many applications in industry. RSA is considered a classical cryptosystem, and it cannot resist eventual quantum computer attacks.
The performance of our protocol comes from the use of the optimized NTT algorithm, and the blinding and unblinding of the signature are done correctly because our NTRU post-quantum cryptosystem release is additively homomorphic.
The flexibility of NTRUblind_Sign allows us to implement it for payment systems and credit cards, in software as well as in hardware.
In our future work, we will study the implementation of the multiplicative homomorphic encryption technique for blinding the signature, and we will improve our protocol so that it can be used for banking systems.