Bai–Galbraith Signature Scheme

• Bai–Galbraith signature scheme is a lattice-based digital signature protocol built on standard LWE, featuring rejection sampling to mask secrets.
• It operates in cyclotomic rings with carefully chosen small coefficient bounds, ensuring strong unforgeability under EUF-CMA in the random oracle model.
• The scheme highlights a trade-off between larger public keys and compact signatures, influencing post-quantum cryptosystems including code-based designs like LEDAsig.

The Bai–Galbraith signature scheme is a lattice-based digital signature protocol distinguished by its lack of public key compression and security reductions to the standard Learning with Errors (LWE) problem in general lattices. Originally proposed for use in post-quantum cryptography, it has close connections with the code-based LEDAsig system design and is notable for its explicit trade-off between public key size and signature length. It operates over polynomial rings, uses rejection sampling to mask secrets, and achieves strong unforgeability guarantees in the random oracle model.

1. Algebraic Foundations and Parameters

The Bai–Galbraith (B-G) scheme is constructed in the cyclotomic ring $R_q = \mathbb{Z}_q[X]/(X^n + 1)$ of degree $n$, with modulus $q = 2^{23} - 2^{13} + 1$. The principal distributional parameters are two integer “smallness” bounds $\eta \ll \gamma \ll q$, typically $n=256$, $\eta \approx 2$–$4$, $\gamma \approx 2^{15}$.

Two flat discrete distributions are employed to generate secret and ephemeral elements:

• $$S_\eta = \{ f \in R_q : \text{coefficients in } [-\eta,\eta] \}$$
• $$S_\gamma = \{ f \in R_q : \text{coefficients in } [-\gamma,\gamma] \}$$

A challenge space $B_{60} \subset R_q$ is defined as those ring elements with exactly $60$ coefficients in $\{+1,-1\}$ and the remainder zero, yielding a $256$-bit (classical and moderate quantum) security level.

The LWE problem underpinning security is: given $A \in R_q^{k\times l}$ (uniformly random) and $t = A s_1 + s_2 \in R_q^k$ for secrets $(s_1, s_2) \leftarrow S_\eta^l \times S_\eta^k$, recover $(s_1, s_2)$. The difficulty of solving this with $\eta \ll q$ provides the security foundation (Sengupta et al., 12 Nov 2025).

2. Protocol Algorithms

Key Generation

Let $s_1 \in R_q^l$ and $s_2 \in R_q^k$ be sampled independently from $S_\eta$. The public matrix $A \in R_q^{k \times l}$ is chosen uniformly at random. The public tag vector is $t \coloneqq A s_1 + s_2 \in R_q^k$.

• Secret key: $(s_1, s_2) \in S_\eta^l \times S_\eta^k$
• Public key: $(A, t) \in R_q^{k\times l} \times R_q^{k}$

KeyGen procedure:

1. Sample $A \leftarrow R_q^{k \times l}$ uniformly.
2. Sample $s_1 \leftarrow S_\eta^l$, $s_2 \leftarrow S_\eta^k$.
3. Compute $t \leftarrow A s_1 + s_2 \bmod q$.
4. Output $pk = (A,t)$, $sk = (s_1, s_2)$.

Signing

To sign $M$:

1. Sample ephemeral $y \leftarrow S_\gamma^l$.
2. Compute $w = A y$.
3. Compute $c = H(\mathrm{High}(w), M) \in B_{60}$, where $\mathrm{High}(\cdot)$ extracts the most significant $$\lceil \log_2 q \rceil - \lfloor \log_2(2\gamma)\rfloor$$ bits per coefficient.
4. Set $z = y + c s_1$.
5. With $\beta = 60 \eta$: if $\|z\|_\infty > \gamma - \beta$ or $$\|\mathrm{Low}(w - c s_2)\|_\infty > \gamma - \beta$$, abort and retry.
6. Output $\sigma = (z, c)$.

$\mathrm{Low}(\cdot)$ denotes the complementary least significant bits such that $w = \mathrm{High}(w) 2^\ell + \mathrm{Low}(w)$, with $\mathrm{Low}$ in $[-2^{\ell-1}, 2^{\ell-1})$.

Verification

Given input $(A, t)$, $M$, and signature $(z, c)$:

1. Check $\| z \|_\infty \le \gamma - \beta$.
2. Compute $u = A z - c t \bmod q$.
3. Extract $\mathrm{High}(u)$.
4. Compute $c' = H(\mathrm{High}(u), M)$.
5. Accept if $c' = c$.

Correctness follows from $A z - c t = w - c s_2$, and the low-norm checks ensure $\mathrm{High}(w) = \mathrm{High}(w - c s_2)$ (Sengupta et al., 12 Nov 2025).

3. Security Analysis

• Security reduces to the average-case hardness of LWE for random $A$ and secrets in $S_\eta$, as forging a signature with $(z, c)$ such that $A z - c t$ is low-norm is equivalent to solving LWE.
• The scheme leverages rejection sampling to decouple $z$ from $s_1$, with distributional bias $O(\beta/\gamma)$, negligible for large enough $\gamma$.
• The protocol is a Fiat–Shamir with aborts transformation of a Σ-protocol for knowledge of $s_1$, yielding existential unforgeability under chosen-message attack (EUF-CMA) in the random oracle model.

A successful signature forgery provides an adversary with an oracle for distinguishing LWE samples from uniform random elements, thus connecting signature forgery directly to the LWE assumption's hardness (Sengupta et al., 12 Nov 2025).

4. Concrete Parameterization and Performance

With $n=256$, $q\approx 2^{23}$, $k=l=4$ for 128-bit standard LWE security:

• Public key: $$|A| = 4 \cdot 4 \cdot 256 \cdot 23 \approx 94\ \mathrm{kB}$$, $|t| = 4 \cdot 256 \cdot 23 \approx 23\ \mathrm{kB}$, total $\approx 117\ \mathrm{kB}$.
• Secret key: $$2 \cdot 4 \cdot 256 \cdot \log_2(2\eta) \approx 6\ \mathrm{kB}$$.
• Signature: $|z| = 4 \cdot 256 \cdot 16 \approx 16\ \mathrm{kB}$, $|c| \approx 61\ \mathrm{B}$, total $\approx 16\ \mathrm{kB} + 61\ \mathrm{B}$.

Computation per signature involves two ring-matrix multiplications using NTT of complexity $O(k l n \log n)$, and a single hash to $B_{60}$. The expected number of restarts is constant (i.e., $O(1)$) when $\gamma/\beta \gtrsim 2$, which holds for practical settings (Sengupta et al., 12 Nov 2025).

5. Comparison with Related Lattice Schemes

Relative to CRYSTALS-Dilithium:

• Bai–Galbraith omits public key compression. Dilithium compresses the tag $t$ to about $11$ bits per coefficient, while B-G uses $23$ bits per coefficient, making B-G’s public key about twice the size.
• B-G’s signature is $(z, c)$, omitting the $z_2$ vector found in Dilithium, thus yielding signatures about half the length of Dilithium at the cost of larger public keys.
• Algebraically, Dilithium operates on Ring-LWE in power-of-two cyclotomics, while B-G is constructed from plain LWE in $R_q$, with flexible $n$ not restricted to powers of two.
• Both attain comparable provable security under their respective hardness assumptions, with B-G proofs relying on standard LWE (not Ring-LWE), while Dilithium’s security depends on Ring-LWE, which is subject to additional ideal-lattice cryptanalysis (Sengupta et al., 12 Nov 2025).

6. Significance and Use Scenarios

The architectural choice not to compress the public key makes the Bai–Galbraith scheme suitable for environments where signature size must be minimized (e.g., high-rate, low-bandwidth signing), while the larger public key can be pre-distributed or amortized. In contrast, schemes such as Dilithium favor smaller public keys for efficient key exchange or frequent public key distribution.

The scheme’s reliance on standard LWE and simple rejection sampling ensures a conservative security profile, and the statistical properties of the output via rejection sampling render direct lattice attacks on the signature distribution ineffective. A plausible implication is that B-G's explicit LWE security basis may be preferable in scenarios where algebraic ring structures (as in Ring-LWE) are viewed as a potential weakness.

7. Connections to Code-Based Systems

The LEDAsig code-based signature scheme is characterized as "Bai–Galbraith-style" in its trapdoor structure and signing mechanism. LEDAsig replaces the lattice setting with sparse quasi-cyclic LDGM codes, analogous key generation and rejection sampling for masking trapdoor elements, and performance tuned for rapid sub-millisecond signing cycles with key sizes in the hundreds of kilobytes and signatures in the single- to tens-of-kilobyte range (Baldi et al., 2018). This suggests an architectural lineage where the B-G paradigm informs both lattice- and code-based cryptosystems for post-quantum signing.

---

References

• "Revisit to the Bai-Galbraith signature scheme" (Sengupta et al., 12 Nov 2025)
• "Design and Implementation of a Digital Signature Scheme Based on Low-density Generator Matrix Codes" (Baldi et al., 2018)