Rejection Sampling Revisit: How to Choose Parameters in Lattice-Based Signature

Rejection sampling is a core tool in the design of lattice-based signatures with the 'Fiat-Shamir with Aborts' structure, and it determines signing efficiency and signature size as well as security. In the rejection sampling theorem proposed by Lyubashevsky, the masking vector is chosen from a discrete Gaussian distribution. However, in practical designs the masking vector is more often chosen from a bounded uniform distribution because of better efficiency and simpler implementation. Besides, as one of the third-round candidate signatures in the NIST post-quantum cryptography standardization process, the third-round version of CRYSTALS-Dilithium proposed a new method to decrease the rejection probability, achieving better efficiency and smaller signature size by decreasing the number of nonzero coefficients of the challenge polynomial according to the security level. However, the small entropies in this new method may lead to a higher risk of forgery attack compared with the former schemes proposed in its second-round version. Thus, in this paper, we first analyze the complexity of the forgery attack for small entropies and then introduce a new method to decrease the rejection probability without loss of security, including security against the forgery attack. This method is achieved by introducing a new rejection sampling theorem with a tighter bound, obtained by utilizing Rényi divergence, where the masking vector follows a uniform distribution. By observing large gaps between the security claims and the actual security bounds in CRYSTALS-Dilithium, we propose two series of adapted parameters for CRYSTALS-Dilithium. The first set can improve the efficiency of the signing process in CRYSTALS-Dilithium by 61.7% and 41.7%, according to the security level, while ensuring security against known attacks, including the forgery attack. The second set can reduce the signature size by 14.09% with a small improvement in efficiency at the same security level.


1. Introduction
With the rapid development of quantum algorithms and quantum computation, research in lattice-based cryptography has attracted considerable attention because lattice-based cryptosystems are believed to resist quantum attacks. The first lattice-based cryptosystem was proposed by Ajtai and Dwork [1] in 1997 and is also known as the first cryptosystem achieving a worst-case to average-case reduction. Since then, many well-known lattice-based cryptosystems have been designed, including GGH [2] by Goldreich et al. and NTRU [3] by Hoffstein et al., as well as LWE by Regev [4]. Nowadays, schemes with various features, such as digital signatures [5,6], identity-based and attribute-based encryption [7,8], zero-knowledge proofs [9], and fully homomorphic schemes [10], can be realized on top of these basic designs. At the same time, the development of methods for solving lattice problems, including enumeration [11,12], lattice reduction algorithms [13,14], and sieving algorithms [15,16], also drives the selection of parameters in these schemes. As a result, lattice-based cryptosystems are now regarded as promising candidates in the NIST post-quantum cryptography standardization process.
Most lattice-based signatures are designed based on three general structures, namely, the GGH structure, the Fiat-Shamir structure, and the GPV trapdoor structure. The GGH signature, proposed in [2], is the first practical lattice-based signature scheme and is the origin of signatures following the GGH structure. This scheme is based on the closest vector problem (CVP) and enjoys advantages such as high efficiency, small signature size, and simple verification. However, the analysis in [17] shows that signatures of the scheme leak information about the secret key; thus, the secret key can be recovered by collecting enough signatures. As a result, many variants based on the GGH structure concentrate on improving security against the attack proposed in [17]. As for the second basic type, the Fiat-Shamir structure was first used to design a practical lattice-based signature scheme in [18].
This work combines the Fiat-Shamir structure with rejection sampling to avoid the risk of secret leakage. Owing to its high security, high efficiency, and small signature size, many variants have been proposed based on this work, including [19][20][21]. Among the signature schemes based on the Fiat-Shamir structure, two schemes named CRYSTALS-Dilithium [22] and qTESLA [23] have been widely studied because they were second-round candidates in the NIST post-quantum cryptography standardization process. Moreover, CRYSTALS-Dilithium has recently become one of the third-round NIST signature candidates. The other type of lattice-based signature scheme is based on the GPV trapdoor structure [24], such as [25,26]. Compared with those based on the Fiat-Shamir structure, these schemes have smaller signature size but lower efficiency. Furthermore, it should be noted that the scheme FALCON [27] is a third-round NIST post-quantum cryptography standardization candidate with the GPV trapdoor structure.
As an important subroutine of the Fiat-Shamir structure, rejection sampling is widely used in the design of signature schemes. The idea is simple but effective: the signer outputs signatures selectively so that the secret key is not leaked by the signatures. To achieve this goal, the rejection sampling process outputs a signature or rejects it according to a fixed condition. This technique was first introduced in [18] and then further improved in [19]. When first introduced in [18], the vector masking the secret was chosen from a bounded uniform distribution; in [19] it was changed to a discrete Gaussian distribution. Besides, [19] also provides a theoretical analysis proving that, under properly chosen parameters, a masking vector sampled from a discrete Gaussian distribution protects the secret key from leakage by ensuring that the output distribution of the rejection sampling process is statistically close to a fixed discrete Gaussian distribution. In other words, the upper bound on the statistical distance between the output distribution and the ideal one is small.
Although the discrete Gaussian distribution enjoys high security, sampling from it demands more time and space than sampling from a uniform distribution. As a result, many practical schemes sample the masking vector from a bounded uniform distribution, including the two NIST candidates CRYSTALS-Dilithium [22] and qTESLA [23]. Besides, how to increase the success probability of rejection sampling without loss of security is an important issue in the design of these schemes. For example, the third-round version of CRYSTALS-Dilithium uses a new technique to decrease the rejection probability, and so achieve better efficiency and smaller signature size, by decreasing the number of nonzero coefficients of the challenge polynomial according to the security level. However, the small entropies in this new method may lead to a higher risk of forgery attack compared with the former schemes proposed in the second-round version, as described in Section 2.
In this paper, we propose another way to increase the success probability of rejection sampling without loss of security. The idea is, first, to prove a more practical rejection sampling theorem for masking vectors sampled from a bounded uniform distribution, where a tighter bound is achieved by using Rényi divergence rather than statistical distance. Second, we use the proposed theorem to analyze the parameters of CRYSTALS-Dilithium and observe that a more accurate security estimate can be obtained, which allows us to adjust the parameters by balancing the security against the different attacks and to optimize efficiency as well as size. Our results show that, with properly chosen parameters, the efficiency of the signing algorithm of CRYSTALS-Dilithium can be further improved depending on the security level. As lattice-based signatures with the Fiat-Shamir structure usually have higher efficiency but larger size than other types of lattice-based signatures, minimizing the size of the public key and signature is a core issue in their design. So, we further propose a variant of the scheme with optimized size, obtained by utilizing our rejection sampling theorem, which reduces the signature size at the same security level.
This is the third contribution of our paper. The rest of the paper is organized as follows. In Section 2, we introduce background on lattices, discrete Gaussian sampling, the LWE problem, divergences, and rejection sampling. Our rejection sampling theorem for the uniform distribution and its proof are presented in Section 3. In Section 4, applications of the theorem are described, including a security analysis of the CRYSTALS-Dilithium parameters and several variants of CRYSTALS-Dilithium that provide higher signing efficiency and smaller signature size. Finally, we conclude in Section 5.

2. Preliminaries
For $x \in \mathbb{R}$, let $\lfloor x \rfloor$ be the largest integer not exceeding x and let $\lfloor x \rceil$ be the integer nearest to x. Let $\mathbb{Z}_q$ denote the set of integers in [0, q − 1].

2.1. Lattice. An m-dimensional lattice L is a discrete additive subgroup of $\mathbb{R}^m$ which can be represented as the set of integer linear combinations of n linearly independent vectors $b_1, \dots, b_n$, where $B = [b_1, \dots, b_n]$ is called a basis of L (a basis is not unique) and n (n ≤ m) is the rank of the lattice; a lattice is called full-rank if m = n. The determinant of L is denoted det(L); this quantity is invariant regardless of the choice of B. The dual lattice $L^*$ is defined in (3). q-ary lattices: as an important class of lattices in lattice-based cryptography, a q-ary lattice is a lattice L such that $q\mathbb{Z}^n \subseteq L \subseteq \mathbb{Z}^n$, where q is an integer.

Mathematical Problems in Engineering
Two types of q-ary lattices frequently used in lattice-based cryptography are defined as follows, with respect to an n × m matrix $B \in \mathbb{Z}_q^{n \times m}$:

2.2. Gaussian Distribution over Lattices. For s > 0 and a center c, the Gaussian function $\rho_{s,c}(y)$ on $y \in \mathbb{R}^m$ is defined in the usual way, where s is called the width. When s = 1 or c = 0, the corresponding subscript is usually omitted for simplicity.

Definition 1 (discrete Gaussian distribution). For s > 0 and $c \in \mathbb{R}^m$, the discrete Gaussian distribution $D_{L+c,s}$ over L + c is defined as follows for $x \in L + c$, where $\rho_s(L+c) = \sum_{x \in L+c} \rho_s(x)$:

We call $\sigma = s/\sqrt{2\pi}$ the standard deviation of $D_{L+c,s}$.

It is difficult to calculate the sum $\rho_s(L)$ directly, but it is related to the sum of the values of a Gaussian function over the dual lattice according to the celebrated Poisson summation formula.

Lemma 1 (Poisson summation formula, see [28]). For an n-dimensional lattice L, let s > 0 and $t \in \mathbb{R}^n$; then the following holds:

There is a tail bound for the continuous Gaussian distribution, and the discrete Gaussian distribution has a similar property, first proven by Banaszczyk [28]. The following is a refinement of Banaszczyk's bound given in [29].

2.3. LWE Problem. The learning with errors (LWE) problem was proposed by Regev [4] in 2005 and has been widely used in the construction of lattice-based cryptography. We first introduce some definitions in order to describe the LWE problems.

Definition 2 (LWE distribution). Let n ≥ 1, q ≥ 2, and let χ be an error distribution over $\mathbb{Z}_q$; given a secret vector $s \in \mathbb{Z}_q^n$, the LWE distribution $L_{s,\chi}$ over $\mathbb{Z}_q^n \times \mathbb{Z}_q$ is sampled by choosing $a \leftarrow U(\mathbb{Z}_q^n)$ and $e \leftarrow \chi$ and outputting the resulting sample. The LWE problem has a search version and a decision version, defined as follows.
Definition 3 (search-LWE). Given m samples in $\mathbb{Z}_q^n \times \mathbb{Z}_q$ that are independently sampled from $L_{s,\chi}$ with a fixed secret $s \in \mathbb{Z}_q^n$, the goal of search-LWE is to find the secret vector s.

In the rest of this paper, we denote by $A \in \mathbb{Z}_q^{n \times m}$ the matrix formed by the m columns $a_i$.

Definition 4 (decision-LWE). Given m independent samples (A, b) with $A \in \mathbb{Z}_q^{n \times m}$ and $b \in \mathbb{Z}_q^m$ that follow either the LWE distribution $L_{s,\chi}$ with a fixed secret $s \in \mathbb{Z}_q^n$ or the uniform distribution, the goal of decision-LWE is to decide which distribution the samples follow.
To make LWE more practical in cryptography, variants of LWE problems (e.g., ring-LWE and module-LWE) have been investigated. More details of these variants can be found in [30].

2.4. Statistical Distance and Rényi Divergence. Statistical distance and Rényi divergence are two measures of closeness between probability distributions that are often used in security proofs. They are defined as follows.

Definition 5 (statistical distance). For any two discrete probability distributions P and Q over a countable support X, the statistical distance between them, denoted $\Delta_{sd}$, is defined by

Definition 6 (Rényi divergence). For any two discrete probability distributions P and Q such that $\mathrm{Supp}(P) \subset \mathrm{Supp}(Q)$ and $\alpha \in (1, +\infty)$, the Rényi divergence of order α, denoted $\Delta_\alpha$, is defined by (9).

According to [31], using Rényi divergence to estimate security allows smaller parameters in lattice-based schemes than using statistical distance.

2.5. Rejection Sampling. Rejection sampling is an important tool widely used in designing lattice-based signatures [19,22,23]. It was first proposed in [18] and can be used to produce a distribution that is statistically close to another one. In this way, one can output a distribution without leaking information about the secret key, and a lower bound on the complexity of attacks that use the information in signatures is given by Theorem 1.

Theorem 1 (rejection sampling theorem, see [19]). Let V be a subset of $\mathbb{Z}^m$ in which all elements have norm less than T, let $\sigma \in \mathbb{R}$ be such that $\sigma = \omega(T\sqrt{\log m})$, and let $h: V \to \mathbb{R}$ be a probability distribution. Then there exists a constant M = O(1) such that the distribution of the output of the following algorithm A is as follows:

Moreover, the probability that A outputs something is at least $(1 - 2^{-\omega(\log m)})/M$.
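As an added illustration (not code from the paper or from [19]), the following Python script computes Theorem 1 exactly in one dimension: the masking value y is drawn from $D_\sigma$, a secret-dependent shift v with $|v| \le T$ plays the role of the element of V, and z = y + v is output with probability $\min(1, D_\sigma(z)/(M \cdot D_{v,\sigma}(z)))$. It uses the concrete choice from Lyubashevsky's analysis, $\sigma = \alpha T$ and $M = e^{12/\alpha + 1/(2\alpha^2)}$; the truncation of the discrete Gaussian to 12σ around its center and the toy values T = 10, α = 11 are assumptions made here. The output conditioned on acceptance is compared with $D_\sigma$ by statistical distance (Definition 5), and the last line shows what happens when the slack factor M is dropped.

```python
import math


def discrete_gaussian(sigma, center=0, tail=12):
    """D_{c,sigma} on Z, truncated to |z - c| <= tail*sigma and renormalised.
    The truncation is an assumption of this example; the neglected mass is ~exp(-tail^2/2)."""
    lo = math.floor(center - tail * sigma)
    hi = math.ceil(center + tail * sigma)
    rho = {z: math.exp(-((z - center) ** 2) / (2.0 * sigma * sigma)) for z in range(lo, hi + 1)}
    total = sum(rho.values())
    return {z: p / total for z, p in rho.items()}


def lyubashevsky_M(alpha):
    """Repetition constant for sigma = alpha*T from Lyubashevsky's analysis (the paper's [19])."""
    return math.exp(12.0 / alpha + 1.0 / (2.0 * alpha * alpha))


def rejection_output(sigma, v, M):
    """One-dimensional algorithm A of Theorem 1 for a fixed secret-dependent shift v:
    y <- D_sigma, z = y + v (so z ~ D_{v,sigma}), output z with probability
    min(1, D_sigma(z) / (M * D_{v,sigma}(z))).  Returns {z: Pr[output z]} and Pr[output]."""
    target = discrete_gaussian(sigma)
    shifted = discrete_gaussian(sigma, center=v)
    out = {}
    for z, p_shift in shifted.items():
        p_target = target.get(z, 0.0)
        if p_target == 0.0:
            continue  # outside the (truncated) target support: never output
        out[z] = p_shift * min(1.0, p_target / (M * p_shift))
    return out, sum(out.values())


def statistical_distance(p, q):
    """Delta_sd(P, Q) = (1/2) * sum_k |P(k) - Q(k)| (Definition 5)."""
    return 0.5 * sum(abs(p.get(k, 0.0) - q.get(k, 0.0)) for k in set(p) | set(q))


def leakage_after_acceptance(sigma, v, M):
    """Distance between the output conditioned on acceptance and the secret-independent
    target D_sigma, together with the acceptance probability."""
    out, acc = rejection_output(sigma, v, M)
    conditional = {z: p / acc for z, p in out.items()}
    return statistical_distance(conditional, discrete_gaussian(sigma)), acc


if __name__ == "__main__":
    T, alpha = 10, 11  # constructed toy values: |v| <= T, sigma = alpha*T
    sigma, M = alpha * T, lyubashevsky_M(alpha)
    for v in (0, T // 2, T):
        dist, acc = leakage_after_acceptance(sigma, v, M)
        print(f"v={v:3d}  SD(output | accept, D_sigma)={dist:.3e}  accept={acc:.4f}  1/M={1 / M:.4f}")
    # Dropping the slack (M = 1) makes the output law min(D_{v,sigma}, D_sigma), which depends on v:
    dist, acc = leakage_after_acceptance(sigma, T, 1.0)
    print(f"M=1: SD={dist:.3e}  accept={acc:.4f}")
```

With the 12σ truncation, the largest ratio $D_{v,\sigma}(z)/D_\sigma(z)$ inside the support is $e^{(v^2 + 24\sigma v)/(2\sigma^2)} \le e^{12/\alpha + 1/(2\alpha^2)} = M$, so every point is output with probability exactly $D_\sigma(z)/M$, the acceptance rate is 1/M up to the tail mass, and the conditional output carries no information about v. With M = 1 the output law becomes $\min(D_{v,\sigma}, D_\sigma)$ and its distance to $D_\sigma$ is a few percent, which is exactly the leakage the abort step exists to remove.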

2.6. Overview of Signatures Based on Fiat-Shamir with Aborts. The Fiat-Shamir with Aborts approach is an LWE-based signature framework first introduced in [18]. Based on this framework, many improvements have been proposed for better security and efficiency in [19,22,23]. An overview of the 'Fiat-Shamir with Aborts' framework is given in Figure 1. Note that the original scheme proposed in [18] is based on the LWE problem, whereas the later improvements [19,22,23] are mainly based on ring-LWE or module-LWE to achieve better efficiency. In this paper, we concentrate on practical designs; thus, all elements and computations in the rest of the paper are in the polynomial ring $\mathbb{Z}_q[X]/(X^n + 1)$.

even may not be secure in the classical model, as shown in Table 1. Since the proposed idea of decreasing the rejection probability may also decrease the security of the scheme, in Section 3 we provide another method to achieve this goal without loss of security and use it to introduce variants of CRYSTALS-Dilithium with better efficiency and smaller signature size. Since the security claims of the third-round parameters of CRYSTALS-Dilithium have large gaps with the complexities of the forgery attack, our comparisons are conducted against the second-round parameters of CRYSTALS-Dilithium rather than the third-round ones (note that the practical verification process of the third-round CRYSTALS-Dilithium is more complex than the framework shown in Figure 1 due to the hint vector and the two-stage sampling process; however, it is easy to check that the proposed forgery attack also applies to this practical scheme).

3. Rejection Sampling Theorem for Uniform Distribution

The rejection sampling theorem proposed in [19] can be used to estimate the security of the rejection sampling process against secret recovery attacks by computing an upper bound on the statistical distance between the output distribution and the target one, where both distributions are discrete Gaussians with distinct centers. However, in practical designs, uniform distributions are often used rather than discrete Gaussians. This makes sampling more efficient and more convenient, but the complexity of recovering the secret key from the outputs of such samples remains unknown. Besides, by utilizing Rényi divergence instead of the statistical distance used in the rejection sampling theorem of [19], a tighter security bound, which leads to smaller parameters, can be obtained. We therefore first define the problem precisely and then give a theorem that solves it.

Definition 7 (distinguish problem for rejection sampling with bounded uniform masking vector). Let $S_c$ be the uniform distribution on $\{-c, \dots, 0, \dots, c\}$, let $D_\eta$ be an arbitrary distribution with support $\{-\eta, \dots, 0, \dots, \eta\}$, and let β < c be a positive constant. Given a number of samples, the goal is to decide which of the two algorithms the samples follow. Algorithm A: Algorithm F: output z = y.

Theorem 2. Given a distinguish problem for rejection sampling with bounded uniform masking vector defined by the probability distributions $S_c$ and $D_\eta$ and integers β and η as in Definition 7, the following holds, where $Q(k) = \frac{1}{2(c-\beta)-1}$ and $P_{z_i}(k)$ is defined as follows:
Proof. Let us first study the distribution of $z = y + x$, which follows the probability distribution given below, where $\mathrm{CDF}_D$ denotes the cumulative distribution function of the distribution $D_\eta$:

When applying rejection sampling with the condition $|z_i| \ge c - \beta$ to $z_i$, whether β > η or not influences the output distribution. If β > η, we have $P'_{z_i}(k)$ for $k \in [-c+\beta+1, c-\beta-1]$ as follows:

And for 0 < β ≤ η, we have $P'_{z_i}(k)$ for $k \in [-c+\beta+1, c-\beta-1]$ as follows:

As a result, we now have the output distribution $P'_{z_i}(k)$ of Algorithm A, and the output distribution $P^*$ of Algorithm F can be derived in a similar way. For β > 0, we have $P^*_{z_i}(k)$ for $k \in [-c+\beta+1, c-\beta-1]$ as follows:

Now we have clear descriptions of the output distributions of the two algorithms. The two distributions are exactly the same when β > η, so attacks utilizing the information of the outputs can only be performed when β ≤ η. To measure the distance between the two probability distributions and evaluate the security, we recall the definition of Rényi divergence (Definition 6): for any two discrete probability distributions P and Q such that $\mathrm{Supp}(P) \subset \mathrm{Supp}(Q)$ and $\alpha \in (1, +\infty)$, the Rényi divergence of order α, denoted $\Delta_\alpha$, is given by

(17)

Combining the result for $P'_{z_i}(k)$ with the definition of Q(k) finishes the proof. □
To measure the complexities of distinguish problems by Theorem 2, the probability distribution $D_\eta$ must be specified. Note that, in signatures based on the Fiat-Shamir with Aborts approach as shown in Figure 1, a secret key $s_1$ is used for many signatures, each with a randomly chosen challenge polynomial c. Their product corresponds to x in Theorem 2, where $x_i = \sum_{j+k \equiv i \pmod{n}} c_j \cdot s_{1,k}$ (the signs introduced by reduction modulo $X^n + 1$ do not change the distribution, since the $c_j$ are symmetric). As a result, the probability distribution of $x_i$, denoted $D_\eta$, is determined by the challenge polynomials. As each challenge polynomial has τ nonzero coefficients randomly chosen from {1, −1}, the entropy of a challenge polynomial is $\log_2 \binom{256}{\tau} + \tau$ bits. Consider a set of signatures signed with the same secret key whose challenge polynomials all share l of the same nonzero coefficients, forming a set $C_{share}$ with l elements. Then $D_\eta(l) = \sum_{c_j \in C_{share}} c_j \cdot s_{1,k} + \sum_{c_j \notin C_{share}} c_j \cdot s_{1,k}$; its first part $r = \sum_{c_j \in C_{share}} c_j \cdot s_{1,k}$ is a constant, and its second part is a random variable following a specific distribution because the $c_j \notin C_{share}$ vary. Since $|s_{1,k}| \le \eta_s$, |r| is bounded by $l \cdot \eta_s$, and the Rényi divergence of the distinguish problem in Definition 7 under $C_{share}$, denoted $\Delta_\alpha(l)$, is bounded by taking $D'_\eta(l) = l \cdot \eta_s + \sum_{c_j \notin C_{share}} c_j \cdot s_{1,k}$ as $D_\eta$ in Theorem 2. Besides, to collect challenge polynomials which share the set $C_{share}$, the probability $P_C(l)$ of finding such a challenge polynomial is computed as follows, where the last factor 2 accounts for the same values with opposite signs:

So the advantage for the distinguish problem under $C_{share}$ is given by $\Delta_\alpha(l) \cdot P_C(l)$, and the advantage of a distinguish problem with arbitrary challenge polynomials is naturally obtained by enumerating all possible l as follows:
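The following Python script is an added worked example (not code from the paper): it computes the two output laws of Definition 7 exactly with rational arithmetic, one coefficient at a time, and evaluates the Rényi divergence of Definition 6 between them. The law $D_\eta$ is built from the model described above: each coefficient $x_i$ of $c \cdot s_1$ is a sum of τ terms $\pm s_{1,k}$, with $s_{1,k}$ taken uniform on $[-\eta_s, \eta_s]$, so $\eta = \tau \eta_s$. The toy values c = 64, $\eta_s$ = 2, τ = 3, the uniform model for $s_1$, and the per-coefficient independence used for the whole-vector acceptance probability are assumptions of this example, not parameters from the paper or from CRYSTALS-Dilithium. The run shows that with β = η the conditional output of Algorithm A equals Q(k) exactly (the bound $|k - x| \le c - \beta - 1 + \eta \le c - 1$ already holds at β = η, so the verifier learns nothing about $s_1$), and that lowering β below η, which raises the acceptance rate, makes $\Delta_\alpha(P' \| Q)$ exceed 1.

```python
from collections import defaultdict
from fractions import Fraction


def masked_coefficient_law(eta_s, tau):
    """Exact law D_eta of one coefficient x_i of c * s_1 under the constructed model: c has tau
    coefficients in {+1, -1} and every coefficient of s_1 is uniform on [-eta_s, eta_s], so each
    product c_j * s_{1,k} is again uniform on [-eta_s, eta_s] and x_i is their tau-fold convolution,
    supported on [-eta, eta] with eta = tau * eta_s."""
    uniform = {v: Fraction(1, 2 * eta_s + 1) for v in range(-eta_s, eta_s + 1)}
    law = {0: Fraction(1)}
    for _ in range(tau):
        nxt = defaultdict(Fraction)
        for a, pa in law.items():
            for b, pb in uniform.items():
                nxt[a + b] += pa * pb
        law = dict(nxt)
    return law


def algorithm_A(c, beta, d_eta):
    """Exact output law P'_{z_i}(k) of Algorithm A (Definition 7): y uniform on S_c = [-c, c],
    x ~ D_eta, z = y + x, rejected when |z| >= c - beta.  Returns the law conditioned on acceptance
    (support [-c+beta+1, c-beta-1]) and the per-coefficient acceptance probability."""
    bound = c - beta - 1
    joint = {}
    for k in range(-bound, bound + 1):
        # Pr[z = k and mask x] = D_eta(x) / (2c+1) exactly when y = k - x lies in [-c, c]
        joint[k] = sum((px for x, px in d_eta.items() if abs(k - x) <= c), Fraction(0)) / (2 * c + 1)
    accept = sum(joint.values())
    return {k: p / accept for k, p in joint.items()}, accept


def algorithm_F(c, beta):
    """Secret-independent law Q(k) = 1 / (2(c-beta)-1) on [-c+beta+1, c-beta-1]."""
    bound = c - beta - 1
    return {k: Fraction(1, 2 * (c - beta) - 1) for k in range(-bound, bound + 1)}


def renyi_divergence(p, q, alpha):
    """Delta_alpha(P || Q) = ( sum_k P(k)^alpha / Q(k)^(alpha-1) )^(1/(alpha-1)) (Definition 6),
    for integer alpha >= 2 and Supp(P) within Supp(Q).  Equals 1 iff P == Q."""
    assert set(p) <= set(q)
    s = sum((pk ** alpha / q[k] ** (alpha - 1) for k, pk in p.items()), Fraction(0))
    return float(s) ** (1.0 / (alpha - 1))


def signing_acceptance(c, beta, d_eta, n_coeffs):
    """Probability that all n_coeffs coefficients of the masking vector pass the rejection check.
    Exact when beta >= eta (each coefficient then passes independently of x); otherwise an
    approximation, because the coefficients of c * s_1 are not independent."""
    _, per_coeff = algorithm_A(c, beta, d_eta)
    return float(per_coeff) ** n_coeffs


if __name__ == "__main__":
    c, eta_s, tau = 64, 2, 3  # constructed toy parameters, not Dilithium's
    d_eta = masked_coefficient_law(eta_s, tau)  # eta = tau * eta_s = 6
    for beta in (6, 3):
        p, acc = algorithm_A(c, beta, d_eta)
        q = algorithm_F(c, beta)
        print(f"beta={beta}: per-coefficient accept={float(acc):.4f}  "
              f"Delta_2(A||F)={renyi_divergence(p, q, 2):.6f}  "
              f"whole-vector accept for 8 coefficients={signing_acceptance(c, beta, d_eta, 8):.4f}")
```

Both raising c and lowering β increase the per-coefficient acceptance rate $(2(c-\beta)-1)/(2c+1)$, and a masking vector passes only if every one of its coordinates does, so this rate raised to the number of coordinates is what the signing efficiency discussed in Section 4.2 depends on; the Rényi divergence printed next to it is the price paid for lowering β below η.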

4.1. Distinguish Analysis for Rejection Sampling. With the help of Theorem 2 and equation (18), we can evaluate the security of practical lattice-based signature schemes, including the NIST candidates, against attacks utilizing the information in signatures via Rényi divergence. We take the parameters used in CRYSTALS-Dilithium as examples to show how to analyze the lower bound on the complexity of these attacks with Theorem 2. Besides, it should be noted that the compress technique proposed in [21] is commonly used to reduce the length of the signature (it corresponds to the rejection condition on the infinity norm of the low bits shown in line 11 of Figure 1); this process can be viewed as another distinguish problem of rejection sampling for the uniform distribution with different parameters. Taking the parameters of CRYSTALS-Dilithium-II and -III, which correspond to the first and second NIST security levels, respectively, we normalize them into the distinguish problems in Table 2, where 'R' denotes the distinguish problem of the rejection sampling process and 'C' that of the compress process.
Since the upper bound on the advantage of attacks utilizing the outputs of signatures is given by equation (18), when the advantage is at most $2^{-\alpha}$ the complexity of such attacks is at least $2^{\alpha}$. Thus, applying Theorem 2 to the two distinguish problems, we obtain the security analysis shown in Table 3. Besides, we also take the proposed forgery attack into consideration, because the security of a scheme is determined by the cheapest of all known attacks. It is seen that, in CRYSTALS-Dilithium, the complexities of attacks utilizing the information in signatures are much larger than those of the other attacks, especially the forgery attack enabled by the small entropy of c. By observing the large gaps between the complexities of the different attacks, refined parameters with better efficiency, smaller sizes, and higher security can be obtained by balancing these complexities. We discuss how to choose the parameters and what can be achieved in Section 4.2.

4.2. Choosing New Parameters for Rejection Sampling of Dilithium. In Section 4.1, we estimated the complexities of the corresponding distinguish problems and observed large gaps between the complexities of the different types of attacks. As the parameters of rejection sampling affect the efficiency, the security, and the signature size of the scheme at the same time, we can balance these gaps to achieve better efficiency, higher security, and smaller size. The balancing is carried out on the parameters of CRYSTALS-Dilithium, but it should be noted that the technique applies naturally to other signature schemes using rejection sampling with uniformly distributed masking vectors. Our approach consists of the following steps:
(1) Utilizing the method in Section 2.7 to balance the complexity of the forgery attack by choosing a proper entropy of c according to the security level.
(2) Utilizing Theorem 2 to balance the complexities of the two distinguish problems by setting $\beta_1$ and $\beta_2$ separately for the rejection sampling process and the compress process rather than using the same β for both.
(3) Utilizing the primal attack, dual attack, and SIS attack estimates used in [22] to balance the complexities of the various types of attacks by choosing proper β, η, and c.
To apply these modifications, new parameters $\beta_1$ and $\beta_2$ are introduced to replace β, and the revised framework is shown in Figure 2. Besides, since the chosen values of $\beta_1$ and $\beta_2$ are very close, the hardness reduction for the framework in Figure 2 follows the one for Figure 1.
The success probability of the rejection sampling and compress process determines the efficiency of signing, because the signing process is repeated until a proper signature is output; the success probability is computed as follows:

Based on these analyses, we choose parameters with a program that contains the algorithms for the success probabilities, the primal attack estimation, the dual attack estimation, the SIS attack estimation, and the distinguish attack estimation given by Theorem 2. Given a set of parameters as input, the program outputs these complexities and properties. The final results were obtained by testing different values iteratively and balancing these complexities against efficiency. The comparisons of the parameters in this work (denoted This Work-I and This Work-II, corresponding to different security levels) and those in CRYSTALS-Dilithium are shown in Table 4. The implementations can be found at https://github.com/Anonymous496/Digital-signatures. The efficiency experiments were conducted on an Intel(R) Core(TM) i5-8250U CPU @ 1.60 GHz.
As the signing procedure is repeated until a signature is output, the success probabilities directly influence the efficiency of the signing process. In other words, the signing process with our technique is 61.7% and 41.7% faster than in CRYSTALS-Dilithium, according to the security level. Furthermore, since for signature schemes based on the Fiat-Shamir structure the sizes of the public key and signature are considered more important than efficiency, we can use the proposed technique to introduce a set of parameters with smaller signature size that keeps the same security level with a small improvement in efficiency. We denote the adapted scheme This Work-III; the comparison can be found in Table 5.
From the comparison, it is seen that the signature size of the proposed scheme is 14.09% smaller than the original one, with a small improvement in signing efficiency and the same security level as CRYSTALS-Dilithium-II. Similar optimizations can also be applied to the other parameter sets of CRYSTALS-Dilithium.

5. Conclusion
In this paper, we study rejection sampling for lattice-based signatures and concentrate on the conditions of practical designs. We first introduce a new rejection sampling theorem for bounded uniformly distributed masking vectors, which are widely used in current designs, where a tighter result is obtained thanks to the use of Rényi divergence. We then use the proposed theorem to analyze the complexities of attacks utilizing the information in signatures for the parameters of CRYSTALS-Dilithium and observe that there exist large gaps between the complexities of different types of attacks, e.g., the forgery attack and key recovery attacks.
Third, we propose two series of adapted parameters for CRYSTALS-Dilithium. The first set improves the efficiency of the signing process in CRYSTALS-Dilithium by 61.7% and 41.7%, according to the security level, while keeping the same signature size and the same security claims, including against the forgery attack. The second set reduces the signature size by 14.09% with a small improvement in signing efficiency at the same security level.

Data Availability
The data used to support the findings of this study are available at https://github.com/Anonymous496/Digital-signatures.

Conflicts of Interest
The authors declare that they have no conflicts of interest.