An efficient lattice-based threshold signature scheme using multi-stage secret sharing

Secret sharing is a cryptographic technique used in many different applications such as cloud computing, multi-party computation and electronic voting. The security concerns in these applications are data privacy, availability, integrity and verifiability, for which secret sharing provides proper solutions. The authors address some important features, such as verifiability and being multi-stage, to make it usable in various fields of application. Here, the authors propose an anonymous threshold signature scheme based on the trapdoor function introduced by Micciancio and Peikert, by sharing the private key using a lattice-based threshold multi-stage secret sharing (TMSSS) scheme. Then, the authors improve the previously proposed TMSSS scheme in such a way that fewer public values need to be published on the bulletin board, which makes the scheme more efficient while preserving its security based on lattice hard problems. The proposed scheme inherits the desired features such as anonymity and verifiability from the improved TMSSS scheme. Furthermore, both schemes use simple matrix operations, which additionally increases the efficiency.


| INTRODUCTION
Secret sharing schemes are cryptographic primitives that protect a secret by splitting it into several values and assigning them to different users. These schemes are used in many different applications such as cloud computing [1], key management in sensor networks [2], electronic voting [3] and electronic cash [4]. Secret sharing provides solutions for data privacy, availability, integrity and verifiability, which makes it suitable for these applications. In a (t, n) threshold secret sharing scheme (TSSS), a trusted third party, named the dealer, splits a secret among n parties, called participants, in such a way that at least t participants can recover the secret using their assigned values, called shares. The first TSSS was introduced independently by Blakley and Shamir in 1979 [5,6]. According to the applications, some features have been added to TSSSs, such as fault tolerance [7,8], verifiability of the shares [9,10] and dynamic variation of the threshold and/or the group size [11,12].
Multi-secret sharing schemes are generalizations of secret sharing schemes that share more than one secret by assigning one share to each participant [13]. If the size of each share is equal to the size of each secret, these schemes provide only computational security [14]. Pang et al. [15] proposed a multi-secret sharing scheme in which, when the participants pool their shares, all of the secrets are disclosed simultaneously. He and Dawson [16] proposed a (t, n) threshold multi-stage secret sharing (TMSSS) scheme in 1994, in which the secrets are revealed stage by stage, that is, the secrets recovered so far give no information about the unreconstructed secrets. Geng et al. [17] showed that the He-Dawson scheme is one-time-use and not immune to collusion attacks. Using a one-way hash function, they proposed a TMSSS scheme in which the shares can be reused, by some technical measures, when we wish to share new secrets. In multi-use or multi-stage secret sharing schemes, the following two general security requirements are needed: (1) while recovering the secret(s), the participants should not reveal their original shares; (2) the secrecy of the unreconstructed secrets should be computationally independent of the reconstructed secrets. In a TMSSS scheme, the participants provide pseudo-secret shares instead of the original ones to the combiner; the pseudo-secret shares depend on the main shares and on the secret to be recovered, while the shares cannot be obtained from the pseudo-secret shares. TMSSS schemes use two-variable one-way functions [18,19], one-way (hash) functions [14,20,21] and the discrete logarithm problem [22], which is threatened by quantum computers.
Shamir's secret sharing scheme [5] is secure from an information-theoretic point of view, but in real applications a public key cryptosystem is normally used to distribute the shares securely among the participants. The security of conventional public key cryptosystems has been threatened since Shor proposed a quantum algorithm for solving the 'integer factorization' and 'discrete logarithm' problems in polynomial time [23]. Therefore, Shamir's secret sharing scheme cannot be practically used in a secure protocol. Ever since Ajtai's introduction of lattice-based quantum-resistant one-way functions [24], lattice-based cryptosystems have played a significant role in post-quantum cryptography. Ajtai proposed a family of one-way functions whose security is based on the worst-case hardness of lattice problems such as the shortest vector problem (SVP), known to be NP-hard [25]. Lattice-based cryptosystems are provably secure based on the worst-case hardness of lattice problems. Furthermore, they use linear computations on relatively small integers. Since the secret sharing algorithm should be consistent with the lattice-based public key infrastructure, Shamir's secret sharing scheme should be replaced by a lattice-based secret sharing scheme.
In 2005, Regev proposed a public key cryptosystem based on the LWE problem [26]. The LWE problem was quantumly reduced by Regev to classical lattice problems, such as the shortest independent vector problem, in the worst case. It follows that LWE-based schemes are provably secure assuming the worst-case hardness of classical lattice problems. The LWE problem has been the source of great progress in lattice-based cryptography.
In recent years, there have been some works on lattice-based threshold secret sharing. Georgescu [27] proposed an (n, n) TSSS based on the hardness of the LWE problem. Bansarkhani et al. [28] proposed a verifiable (n, n) TSSS using lattice-based linear hash functions, in which each participant is able to verify the recovered secret and her/his share. The security of the scheme depends on the hardness of n^c-approximate SVP. Amini et al. [29] and Asaad et al. [30] proposed lattice-based (t, n) TSSSs with asymptotic security in 2014. Later, in 2015, we proposed an efficient lattice-based verifiable TMSSS scheme using Ajtai's one-way function [31].
In threshold cryptographic schemes, which are widely used in multi-party computation, a certain number of participants can decrypt or sign messages. Bendlin et al. proposed the first lattice-based threshold encryption scheme [32]. They proposed a threshold decryption algorithm for Regev's LWE public key encryption scheme supporting one-bit messages. Frederiksen extended this scheme to multi-bit messages [33]. Singh et al. [34] proposed an efficient lattice-based threshold public key encryption scheme based on Lindner's work [35]. In these schemes, Shamir's TSSS has been used to share the private key as an array; hence, each entry of the private key is shared independently. However, this method seems to be inefficient. In 2016, we proposed a threshold decryption algorithm for Lindner's LWE-based public key encryption [36], using the lattice-based TMSSS scheme proposed in Ref. [31] to share the private key among the participants. Threshold signature is another example of threshold cryptography. Such a scheme must provide anonymity and succinctness. Anonymity means that the same signature is produced, no matter which subset of t participants is used. Succinctness means that the signature size can depend on the security parameter, but must be independent of n and t [37]. In 2010, Cayrel et al. [38] proposed a lattice-based threshold ring signature scheme using an identification scheme. In 2013, Bettaieb et al. [39] improved this scheme by generalizing the same identification scheme to obtain a more efficient threshold ring signature scheme with a smaller signature size. Both schemes are interactive. A common goal for threshold systems is to minimize the amount of interaction in the system and, in particular, to construct one-round schemes. In 2013, Bendlin et al. [40] proposed a sharing algorithm for a lattice-based trapdoor function. In 2017, Boneh et al. proposed a general framework for universally thresholdizing many (non-threshold) cryptographic schemes using a lattice-based fully homomorphic encryption (FHE) scheme [37]. Their reliance on FHE causes the resulting schemes to be slow in practice.

| Contributions
We improve the previously proposed lattice-based TMSSS scheme in such a way that fewer public values are published on the bulletin board while preserving the security of the scheme. Then, we propose a threshold signature scheme based on the trapdoor function introduced by Micciancio and Peikert [41]. Here, we share the private key using the proposed lattice-based TMSSS scheme. For threshold signing, each participant signs the message using their share and sends the result to the combiner as a partial signature. Because of the additive homomorphic property of the TMSSS scheme and the linearity of the signature scheme, the combiner can sign the message using the partial signatures. The proposed signature scheme inherits the desired features, such as anonymity and verifiability, from the improved TMSSS scheme. Furthermore, since we use a TMSSS scheme to share the private key, the size of the shares in the proposed signature scheme is much smaller than that of the only counterpart lattice-based threshold signature scheme [40], which makes it suitable for memory-constrained applications. Our proposed lattice-based schemes are resistant against quantum computers. Moreover, both schemes are efficient because simple matrix operations are used in the secret sharing and threshold signature protocols. This paper is organized as follows: Section 2 provides a brief review of lattices, our previous multi-stage secret sharing scheme and the lattice-based trapdoor function proposed by Micciancio and Peikert. Section 3 is dedicated to the improved lattice-based TMSSS scheme. The proposed threshold signature scheme is introduced in Section 4. In Sections 5 and 6, we discuss the security and efficiency of the proposed schemes, respectively. Finally, we conclude the paper in Section 7.

PILARAM ET AL.

| PRELIMINARIES
This section deals with some basic definitions we need in the rest of the paper.

| Notations
In the following, we assume column vectors. Vectors and matrices are denoted by lowercase and uppercase letters, respectively. The matrices I_n and 0_{m×n} denote the n × n identity matrix and the m × n zero matrix, respectively. The transpose of a rectangular matrix is denoted by (⋅)^T. Furthermore, R, Z and Z_q denote the sets of reals, integers and the finite field modulo q, respectively. We denote by S^n and S^{m×n} the set of vectors of size n and the set of m × n matrices whose entries are chosen from a set of numbers S. The operators ⌊⋅⌉ and ‖⋅‖ denote rounding to the nearest integer and an arbitrary norm, respectively. The ℓ_p norms are defined for any p ≥ 1 and a vector x ∈ R^n as ‖x‖

| Lattices
We use lattices as a tool for constructing a TMSSS scheme and a threshold signature scheme. In the following, we give a formal definition of lattices.
as the set of all integer linear combinations of b_1, b_2, …, b_n as follows: The set of vectors {b_1, …, b_n} is called a basis for the lattice Λ, and n is called the rank of the lattice.

Definition 2 [42]
A q-ary lattice is a lattice Λ satisfying qZ^n ⊆ Λ ⊆ Z^n for some (possibly prime) integer q.
The well-known instance of q-ary lattices is and q is the modulus. Λ_q^⊥(A) is a lattice of dimension m.
Lattice-based cryptographic schemes are based on the hardness of lattice problems such as the well-known SVP and CVP, which are secure against quantum computers.

Definition 3 SVP problem [25]
Let a lattice basis B ∈ Z^{m×n} be given. The solution is a nonzero lattice vector Bx (with x ∈ Z^n \ {0}) such that ‖Bx‖ ≤ ‖By‖ for any other y ∈ Z^n \ {0}, with respect to any norm.

Definition 4 CVP problem [25]
Let a lattice basis B ∈ Z^{m×n} and a target vector t ∈ Z^m be given. The solution is a lattice vector Bx closest to the target t, that is, an integer vector x ∈ Z^n such that ‖Bx − t‖ ≤ ‖By − t‖ for any other y ∈ Z^n, with respect to any norm.

Definition 5 Approximate SVP problem [25]
Let a lattice basis B ∈ Z^{m×n} be given. The solution is a nonzero lattice vector Bx (with x ∈ Z^n \ {0}) such that ‖Bx‖ ≤ γ‖By‖ for any other y ∈ Z^n \ {0}, with respect to any norm.

In 1996, Ajtai introduced a lattice-based one-way function whose security is based on the worst-case hardness of n^c-approximate SVP, which resists quantum computers in polynomial time. This function is described by This problem is a special case of the Inhomogeneous Small Integer Solution problem, in which the condition x ∈ {0,1}^m is replaced by ‖x‖ ≤ β for a real parameter β [43].

Definition 6 LWE problem [42]
Let n, m and q be integers and χ be a probability distribution on Z_q, typically taken to be a rounded normal distribution. The input is a pair (A, v), where A ∈ Z_q^{m×n} is uniformly distributed and v = As + e for a uniformly chosen s ∈ Z_q^n and a vector e ∈ Z_q^m chosen according to χ. The goal is to find s with some non-negligible probability.

Regev showed that the approximate SVP can be quantumly reduced to the LWE problem; hence the hardness of the LWE problem is based on the worst-case quantum hardness of approximate SVP [26].

Definition 7 Gaussians on lattices [43]
For any s > 0, define the Gaussian function on R^n centred at c with parameter s:

For any c ∈ R^n, real s > 0, and n-dimensional lattice Λ, define the discrete Gaussian distribution over Λ as:

| Secret sharing
In a secret sharing scheme, a secret is shared among a set of parties, called participants, denoted by P. Each participant is assigned a confidential value, named a share, by a trusted third party, called the dealer. Only some subsets of participants, the authorized subsets, can reconstruct the secret by executing a predefined algorithm. An access structure is defined as the set of all authorized subsets. In this paper, we deal with a threshold access structure, in which, for a given parameter t, the authorized subsets are those consisting of at least t participants.
In a secret sharing scheme we consider two phases:
• Share distribution: The shares are computed by the dealer using a prespecified algorithm, and the dealer sends the shares to the participants through a secure channel.
• Secret recovery: A server, called the combiner, receives the shares from the authorized participants and recovers the secret by running the algorithm.
The above-defined protocol is simple and cannot be used in real-world applications directly. Depending on the desired features, TSSSs can be extended as follows:

Verifiable TSSS
In this scheme, the participants can verify the validity of the shares received from the dealer and the recovered secrets by the combiner [21].

Threshold multi-secret sharing scheme
In this scheme, we wish to share multiple secrets among the participants. For the sake of efficiency, we desire to distribute only one share among the participants for reconstructing all the secrets [13].

Threshold multi-stage secret sharing scheme
In this multi-secret sharing scheme, the secrets can be recovered in multiple stages and the unrecovered secrets cannot be computed from the recovered secret(s) in polynomial time, despite information leakage between the recovered and unrecovered secrets [20,44].

| Lattice-based TMSSS scheme
In this section, we introduce the lattice-based (t, n) TMSSS scheme [31], in which at least t participants should take part to recover each of the secrets. In this scheme, multiple secrets can be recovered separately, and the recovered secret(s) do not leak information about the unrecovered secrets in polynomial time. There are m secrets s_i ∈ Z_q^t, i = 1, …, m, where t is the threshold and q is a prime number. A random vector v ∈ Z_q^t is selected by the dealer and published. Then, a private lattice basis B_i is found for each secret s_i, such that where B_i ∈ Z_q^{t×t} forms a basis for a lattice of dimension t. Then, n public vectors λ_j ∈ Z_q^t, j = 1, …, n, are chosen by the dealer in such a way that every t of these vectors are linearly independent. Then, the dealer finds some public matrices E_i ∈ Z_q^{t×r}, i = 1, …, m, and some private shares c_j ∈ {0,1}^r, j = 1, …, n, in such a way that the relation E_i c_j = B_i λ_j holds for i = 1, …, m and j = 1, …, n, where r ≥ max{t log t, n}. Therefore, n shares c_j from {0,1}^r are chosen randomly by the dealer, and then the dealer solves a system of linear equations to obtain the matrices E_i. For share verification by the participants, a random matrix F ∈ Z_q^{t×r} is chosen by the dealer and published together with the hash values of the shares, the vectors h_j = F c_j, j = 1, …, n. Moreover, the dealer uses a public hash function H(⋅) and publishes H(s_i), i = 1, …, m, on the bulletin board, by means of which the participants can verify the recovered secrets.

| THE IMPROVED LATTICE-BASED TMSSS SCHEME
In this section, we improve the lattice-based TMSSS scheme introduced in Section 2.4 in such a way that fewer public values are published. Here, to save the memory needed for storing the public matrices E_i, i = 1, …, m, the dealer chooses them as E_i = E P^i, where E is chosen uniformly at random from Z_q^{t×r} and P is a permutation matrix of size r. To satisfy the equations E_i c_j = B_i λ_j, i = 1, …, m, j = 1, …, n, the dealer chooses the share vectors c_j ∈ {0,1}^r, j = 1, …, n, uniformly at random and the public vectors λ_j ∈ Z_q^t, j = 1, …, n, such that any t out of the n vectors are linearly independent, as before. The matrices B_i are then determined from these equations. The participants are able to verify a reconstructed secret by computing its hash value H(s_i) and comparing it with the one published on the bulletin board.

| THRESHOLD SIGNATURE SCHEME
In this paper, we propose a threshold signature scheme.

Signature scheme
A signature scheme S is a triple (KGen, Sign, Verify) of efficient algorithms. KGen is the key generation algorithm, which, on input the security parameter 1^λ, outputs a pair (pk, sk), where pk is the public key and sk is the secret key of the signature scheme. Sign is the signing algorithm: on input a message m and the secret key sk, it outputs the signature s on the message m. Verify is the verification algorithm: on input a message m, the public key pk and s, it checks whether s is a valid signature on m or not.

Threshold signature schemes
Let S = (KGen, Sign, Verify) be a signature scheme. A (t, n) threshold signature scheme TS for S is a pair of protocols (TKGen, TSign) for the set of participants P_1, …, P_n. TKGen is a key generation protocol which, on input a security parameter 1^λ, outputs the public key pk and a private share c_j, j = 1, …, n, for each participant P_j, in such a way that the values (c_1, …, c_n) form a (t, n) threshold secret sharing of the secret sk. TSign is a distributed algorithm which outputs a signature s on input a message m and the t private shares.

Definition 8
We say that a (t, n) threshold signature scheme TS = (TKGen, TSign) is unforgeable if no adversary who corrupts up to t − 1 participants can produce the signature on any new message m, given the threshold signatures on input messages m_1, …, m_k.

Security model
We assume that the participants receive their shares from a dealer through a secure channel. Furthermore, we consider an adversary capable of corrupting up to t − 1 participants, who thus has access to their shares and to all information communicated for recovering the already recovered secrets. We use the hash-and-sign framework for the signature scheme, in which the public verification key is a trapdoor function f and the signing key is f^{-1}. To sign a message m, it is first hashed to a value y = H(m) in the range of the trapdoor function f, and the signature σ = f^{-1}(y) is output. For verification, the equation f(σ) = H(m) is checked. Bellare and Rogaway [45] formalized this notion and showed that this basic scheme, called Full-Domain Hash, is existentially unforgeable under chosen-message attacks when f is a trapdoor permutation and the hash function H is modelled as a random oracle.

| The proposed threshold signature scheme
We propose a threshold signature scheme in which the signature is computed in a distributed manner based on the trapdoor function proposed by Micciancio and Peikert [41]. According to Section 4.1, our scheme consists of the following algorithms:

TKGen
The parameters are the integers l, q, m and the so-called gadget vector g = (1, 2, 4, …, 2^{k−1})^T ∈ Z_q^k, where k = ⌊log q⌉. To generate a random matrix A with a trapdoor, they build the matrix A from two sub-matrices as where one sub-matrix is chosen uniformly at random from Z_q^{l×m̄}, m̄ = m − lk, and R ∈ Z_q^{m̄×lk} is the trapdoor. The gadget matrix G is defined as follows: We share the vectors r_i, i = 1, …, m̄, using the improved TMSSS scheme with the threshold t = lk, where r_i^T is the i-th row of the matrix R,
where n is the number of participants.
The matrices E_i ∈ Z_q^{t×r}, i = 1, …, m̄, r ≥ max{t log t, n}, the vectors λ_j ∈ Z_q^t, j = 1, …, n, and v_i ∈ Z_q^t, i = 1, …, m̄, are considered as the public parameter pk and published on the bulletin board. The vectors c_j ∈ {0,1}^r, j = 1, …, n, are the private shares, and the dealer sends them securely to the participants.

TSign
Each participant from the set {j_1, …, j_t} solves the equation where H(⋅) is a public hash function. Note that there are efficient algorithms to sample from a discrete Gaussian distribution over Λ^⊥_{q,H(m)}(G) = {z ∈ Z_q^{lk} : Gz = H(m) mod q}, for any syndrome H(m) ∈ Z_q^l. This operation can be performed by a server computer, and then the result can be sent to the participants. The participant j_k, k = 1, …, t, computes the partial signature d_k =
The combiner computes w as the main diagonal of the matrix DΛ^{-1}V using the received partial signatures, where
Then, he obtains the signature y = (w^T, z^T)^T.

Verify: This algorithm checks whether the vector y is short enough and whether Ay = H(m).

Correctness: In the following, we show that the vector y computed by the combiner satisfies the equation Ay = H(m).
Equations (7) and (8) imply the correctness of our threshold signature scheme, which outputs the correct signature through the distributed method.
As mentioned in Ref. [41], since y = [R; I] z, the distribution of y depends on the private key R, leading to an attack similar to the one given in Ref. [46]. To sample from a spherical Gaussian over Λ^⊥_{q,H(m)}(A), the authors of Ref. [41] used the convolution technique from Ref. [47] to resolve this problem. Specifically, they added a Gaussian perturbation p ∈ Z_q^m, with a covariance matrix determined by s² and [R; I], to the above-mentioned signing algorithm and output
Here, we discuss the perturbation vector p in our threshold signature scheme. Assume that some p's with the above distribution are shared among the participants. The authorized set of participants j_1, …, j_t sends Ap_{j_1}, …, Ap_{j_t} to the combiner. He combines them to obtain Ap and sends the result to the authorized set of participants. The participant j_k computes w = H(m) − Ap, computes the partial signature using the syndrome w, adds the partial perturbation p_{j_k} to it and sends the result to the combiner. He combines the partial signatures to obtain the signature x = y + p.
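As an added worked example (not code from the paper or its authors), the following Python script builds a toy instance of the improved TMSSS of Section 3 with a single shared secret and E_1 = E P, uses it to share one row r of the trapdoor R, and runs the TSign combination of Section 4.2: the partial signatures d_k = z^T E_1 c_{j_k} are combined as d Λ^{-1} v and the result is checked against Ay = H(m) and against a second authorized set. It assumes r = B v (the relation whose display is missing above), the MP12 form A = [Ā | G − ĀR] with a single column in Ā, toy parameters (q = 13, l = 2), and it omits the perturbation p.

```python
# Added example (not the paper's code): a toy instance of the improved TMSSS of
# Section 3 (E_i = E P^i with i = 1, a single shared secret) used to share one
# row r of the MP12 trapdoor R and run the TSign combination of Section 4.2.
import random
from itertools import combinations

q = 13                 # prime modulus; k = round(log2 q) = 4 and q < 2^k
l, k = 2, 4
t = l * k              # threshold t = lk, also the length of the shared row r
n = 9                  # number of participants
r_len = max(t * 3, n)  # r >= max{t log t, n} with log2 t = 3

def matmul(A, B):
    return [[sum(a * b for a, b in zip(row, col)) % q for col in zip(*B)] for row in A]
def matvec(A, x):
    return [sum(a * b for a, b in zip(row, x)) % q for row in A]

def columns(vecs):   # matrix whose columns are the given vectors
    return [list(row) for row in zip(*vecs)]

def inv_mod(M):
    """Gauss-Jordan inverse over Z_q (q prime); None if M is singular."""
    d = len(M)
    aug = [row[:] + [int(i == j) for j in range(d)] for i, row in enumerate(M)]
    for col in range(d):
        piv = next((i for i in range(col, d) if aug[i][col] % q), None)
        if piv is None:
            return None
        aug[col], aug[piv] = aug[piv], aug[col]
        s = pow(aug[col][col], -1, q)
        aug[col] = [x * s % q for x in aug[col]]
        for i in range(d):
            if i != col and aug[i][col]:
                f = aug[i][col]
                aug[i] = [(a - f * b) % q for a, b in zip(aug[i], aug[col])]
    return [row[d:] for row in aug]

def dealer_setup(rng):
    """Assumed dealer ordering: random invertible B, then v = B^-1 r so that r = B v;
    E_1 = E P, binary shares c_j, and lambda_j = B^-1 E_1 c_j so that E_1 c_j = B lambda_j."""
    r_row = [rng.choice([-1, 0, 1]) % q for _ in range(t)]   # small row of the trapdoor R
    B_inv = None
    while B_inv is None:
        B_inv = inv_mod([[rng.randrange(q) for _ in range(t)] for _ in range(t)])
    v = matvec(B_inv, r_row)
    E = [[rng.randrange(q) for _ in range(r_len)] for _ in range(t)]
    perm = rng.sample(range(r_len), r_len)
    E1 = matmul(E, [[int(perm[i] == j) for j in range(r_len)] for i in range(r_len)])
    while True:   # redraw until every t of the n vectors lambda_j are linearly independent
        C = [[rng.randrange(2) for _ in range(r_len)] for _ in range(n)]
        lam = [matvec(B_inv, matvec(E1, c)) for c in C]
        if all(inv_mod(columns([lam[j] for j in S])) for S in combinations(range(n), t)):
            return r_row, C, dict(E1=E1, lam=lam, v=v)

def recover_secret(pub, subset, C):
    """TMSSS combiner: B = [E_1 c_j] Lambda^-1 from the pseudo-shares E_1 c_j, then s = B v."""
    lam_inv = inv_mod(columns([pub["lam"][j] for j in subset]))
    B_hat = matmul(columns([matvec(pub["E1"], C[j]) for j in subset]), lam_inv)
    return matvec(B_hat, pub["v"])

def gadget_matrix():   # G = I_l (x) g^T with g = (1, 2, ..., 2^(k-1))
    return [[1 << (j - i * k) if i * k <= j < (i + 1) * k else 0 for j in range(l * k)] for i in range(l)]

def gadget_preimage(u):
    """z in {0,1}^{lk} with G z = u: the bits of each entry (exact because q < 2^k)."""
    return [(ui >> b) & 1 for ui in u for b in range(k)]

def public_key(a_bar, r_row):
    """MP12 form A = [A_bar | G - A_bar R] with one column in A_bar (form not shown on the page)."""
    G = gadget_matrix()
    return [[a_bar[i]] + [(G[i][j] - a_bar[i] * r_row[j]) % q for j in range(t)] for i in range(l)]

def partial_signature(pub, c, z):
    """d_k = z^T E_1 c_{j_k}; a scalar here because a single row r is shared."""
    return sum(zi * pi for zi, pi in zip(z, matvec(pub["E1"], c))) % q

def combine(pub, subset, partials, z):
    """w = d Lambda^-1 v = z^T B v = z^T r, so y = (w, z) = [R; I] z."""
    lam_inv = inv_mod(columns([pub["lam"][j] for j in subset]))
    d = [partials[j] for j in subset]
    w = sum(sum(d[a] * lam_inv[a][b] for a in range(t)) * pub["v"][b] for b in range(t)) % q
    return [w] + z

def demo(seed=7):
    rng = random.Random(seed)
    r_row, C, pub = dealer_setup(rng)
    A = public_key([rng.randrange(q) for _ in range(l)], r_row)
    u = [rng.randrange(q) for _ in range(l)]       # stands in for H(m) in Z_q^l
    z = gadget_preimage(u)                          # server side: G z = H(m)
    s1, s2 = list(range(0, t)), list(range(1, t + 1))   # two different authorized sets
    y1, y2 = (combine(pub, S, {j: partial_signature(pub, C[j], z) for j in S}, z) for S in (s1, s2))
    return {
        "recovered_ok": recover_secret(pub, s1, C) == r_row,
        "w_equals_Rz": y1[0] == sum(a * b for a, b in zip(r_row, z)) % q,
        "valid": matvec(A, y1) == u,                # Verify: A y = H(m) mod q
        "anonymous": y1 == y2,                      # same signature from either set
    }
```

Shortness of y is not checked here: with one shared row and no perturbation, the example only exercises the linear correctness argument behind Equations (7) and (8).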

| SECURITY
In secret sharing schemes, any subset of t − 1 or fewer participants should not be able to recover the secret. In the TMSSS scheme proposed in Section 3, no t − 1 participants are able to obtain the basis B_i, since they face a system of (t − 1) × t linear equations in t² unknowns:
In Theorem 1, we prove that the pseudo-secret shares corresponding to different secrets are not computable in polynomial time from each other.

Theorem 1 Let E be a randomly chosen matrix from Z_q^{t×r}, r ≥ max{t log t, n}, P be a random permutation matrix and x ∈ {0,1}^r be a random vector. Then, knowledge of EP^i x does not help to compute EP^k x in polynomial time, where 1 ≤ k ≠ i ≤ m.

Proof:
We argue by contradiction. Suppose we have an algorithm A which returns EP^k x on inputs E, P and EP^i x with non-negligible probability in polynomial time, where E is chosen randomly from Z_q^{t×r}, r ≥ max{t log t, n}, P is a random permutation matrix and x is a random vector from {0,1}^r. By applying A, we design another algorithm B which returns x on inputs B and Bx, meaning inversion of Ajtai's function, where B is chosen at random from Z_q^{t×r} and x is randomly chosen from {0,1}^r. We observe that the algorithm A can output E′Qx on inputs E′, Q and E′x by defining E′ ≜ EP^i and Q ≜ P^{k−i}. Like E, E′ is a uniformly random matrix, and Q is also a random permutation matrix, similar to P. The algorithm B chooses two permutation matrices P_1 and P_2 in such a way that they differ only in two columns. For example, we assume that the permutation matrices P_1 and P_2 differ in the two columns i and j, that is, where e_i is the i-th standard unit vector.
The algorithm A outputs c_1 = BP_1 x and c_2 = BP_2 x on inputs B, Bx and the matrices P_1 and P_2. The algorithm B computes

Proof: The proof is by contradiction. Assume that there is an adversary A that breaks the existential unforgeability of the threshold signature scheme in polynomial time with non-negligible probability δ(n). We construct a polynomial-time adversary B that finds a collision in the trapdoor collision-resistant hash function with non-negligible probability. Using a public key matrix A and the function f_A(x) = Ax, B invokes A on the public key A and performs the following simulation using the signing oracle and the random oracle H: B samples σ_m using SampleDom(1^n) and sends f_A(σ_m) to A, where SampleDom(1^n) samples some x from a distribution for which f_A(x) is uniformly distributed. Whenever A makes a signing query on m, B looks up (m, σ_m) in its local storage and returns σ_m as the signature. A queries H on m* and produces (m*, σ*) as a forgery. Then, B looks up (m*, σ_{m*}) in its local storage and outputs (σ*, σ_{m*}) as a collision in f_A. Now, we show that σ* ≠ σ_{m*}, which makes them a proper collision. To do so, we consider two cases. Case 1: If A had made a signing query on m*, it had received the signature σ_{m*}. Since A outputs a forgery, it must produce a different valid signature σ*, meaning σ* ≠ σ_{m*}. Case 2: If A has not made a signing query on m*, A only sees f_A(σ_{m*}), and because of the preimage min-entropy property of the hash family, σ* ≠ σ_{m*} with overwhelming probability 1 − 2^{−ω(log n)}. Hence, we conclude that B outputs a collision in f_A with non-negligible probability close to δ(n). □

Proposition 1 Let c_1, …, c_n be the shares corresponding to the private key R. Then, using the pseudo-secret and z ∈ Z_q^t. Furthermore, the anonymity of the participants is preserved.
Proof: Because of the one-wayness of Ajtai's functions f_{E_i}(x) = E_i x, i = 1, …, m, one cannot compute the shares c_{j_k}, k = 1, …, t, from E_i c_{j_k} and consequently from the pseudo-secret shares d_k^i = z^T E_i c_{j_k}. Hence, the private key R cannot be revealed in polynomial time.
Consider a message M ∈ {0,1}* to be signed and two sets of participants t_{i_0} and t_{i_1}. The signatures σ_{t_{i_0}} and σ_{t_{i_1}} are vectors having the same distribution over the domain of f_A, within negligible statistical distance of D_{Λ^⊥_{q,H(m)}(A), s}, which implies that σ_{t_{i_0}} and σ_{t_{i_1}} are computationally indistinguishable [43]. Therefore, the anonymity of the participants taking part in the threshold signature process is preserved, making the proposed scheme a threshold anonymous signature scheme. □

| PERFORMANCE ANALYSIS
In this section, we investigate the performance of the proposed schemes in view of memory usage and time complexity.
Table 1 Memory usage of the proposed TMSSS scheme: public values r + n; share size per secret r/(t log q) ≈ 0.5.
From the viewpoint of memory consumption, the matrix E, the permutation matrix P and the vectors λ_j, j = 1, …, n, used in the improved TMSSS scheme proposed in Section 3 are published on the bulletin board. The shares c_j, j = 1, …, n, are sent to the participants via a secure channel. The amount of memory needed to store these matrices is given in Table 1, where m is the number of secrets, n is the number of participants and t is the threshold. In the improved scheme, the size of the public parameters is independent of the number of secrets, significantly outperforming the previous schemes. The ratio of public values in our proposed TMSSS scheme compared to Ref. [31] is equal to (r + n)/(m r) ≈ 2/m if r ≈ n. This ratio is very low for a large number of secrets m. It should be noted that the size of each share per secret is equal to r/(t log q), which is approximately 0.5 if r = max{t log t, n} ≈ t log t.
From the viewpoint of complexity, secret recovery consists of two steps:
1. The participants' side: In this step, each participant computes the pseudo-secret share from his share. In computing the pseudo-secret shares, we need only simple column additions in the matrix E_i, since the shares are binary vectors. This process has complexity O(tr) for each participant, which is less than the complexity of the modular exponentiation used in other schemes. Therefore, this scheme is suitable for low-complexity applications.
2. The combiner's side: The complexity of this step is O(t³), which includes one matrix inversion and one matrix multiplication.
The share verification by the participants has complexity O(tr) for each participant, since the shares are binary vectors, which is lower than that of the other schemes using modular exponentiation.
Here, we compare our proposed threshold signature scheme with that proposed in Ref. [40], in which Shamir's scheme is applied to each entry of the private key matrix. The size of the shares for each participant in [40] is equal to the number of entries in the private matrix R, that is, m̄ × lk, where m̄ = m − lk, k = ⌊log q⌉ and l, q are security parameters. In our proposed scheme, the share size is decreased to max{lk log(lk), n}/log q = max{l log(lk), n/k} ≈ l log(lk), where n is the number of participants. In Table 2, we compare the size of each share in the proposed scheme, using the parameters suggested in Ref. [41], with that proposed in Ref. [40]. We observe that the share size is much smaller than that of Bendlin's scheme [40], which makes it suitable for memory-constrained applications such as smart cards.

| CONCLUSIONS
We have improved the previously proposed TMSSS scheme in such a way that fewer public values are published on the bulletin board while preserving security. Furthermore, we have proposed a threshold signature scheme based on the trapdoor function introduced by Micciancio and Peikert, in which the private key is shared using the improved lattice-based TMSSS scheme. For threshold signing, the participants compute partial signatures on the message using their shares and send the results to the combiner. The proposed threshold signature scheme inherits the desired features, such as anonymity and verifiability, from the improved TMSSS scheme. Moreover, both schemes are efficient because simple matrix operations are used in the secret sharing and threshold signature protocols. The security of the proposed schemes is based on lattice hard problems, which are believed to resist quantum computers.

ACKNOWLEDGEMENT
This work is supported by Iran National Science Foundation (INSF) under grant number 94017742.