 Cryptography

# Trapdoor commitment using ring lattices involving three parties

Assume there are three parties, say A, B, C.

1. A commits to a message $$m$$, say $$c(m)$$, and sends the tuple $$(m,c(m))$$ to B.
2. B has to prove to C that he possesses the commitment $$c(m)$$. There is no interaction between A and C. But B should not cheat by sending a commitment to some other message $$m^\prime$$.

I guess for this we need A to generate $$c(m)$$ using his own trapdoor, and later C can verify it is generated by A itself. Is it possible to achieve this using lattice-based hard problems like $$RSIS$$ or $$RLWE$$?

Or is there any other way to achieve this using $$RSIS$$ or $$RLWE$$?

## Solution

I think that this is just a digital signature scheme. $$A$$ should generate a private signing key and a public verification key for your signature scheme of choice. They then create a signature for the message $$m$$, which you are calling the commitment $$c(m)$$. $$B$$ can then pass on the $$c(m)$$ to $$C$$, who can confirm that it is signed by $$A$$, but $$B$$ cannot produce signatures for other messages that verify using $$A$$'s verification key.

There are several lattice-based signature schemes, though they are all quite tricky to parameterise and implement securely. The NIST competition has advanced the lattice-based signatures FALCON and CRYSTALS-Dilithium to the final round.
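The three-party flow from the answer, as an added example that is not part of the original post. Because the Python standard library has no lattice-based signatures, it swaps in a Lamport one-time signature (hash-based, not RSIS/RLWE) as a stand-in; the function names and the sample messages are constructed for illustration.

```python
import hashlib
import secrets

N = 256  # SHA-256 digest length in bits; one secret pair per bit

def H(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()

def keygen():
    """A's key pair: N pairs of random secrets and their hashes."""
    sk = [(secrets.token_bytes(32), secrets.token_bytes(32)) for _ in range(N)]
    pk = [(H(s0), H(s1)) for s0, s1 in sk]
    return sk, pk

def digest_bits(message: bytes):
    d = H(message)
    return [(d[i // 8] >> (7 - i % 8)) & 1 for i in range(N)]

def sign(sk, message: bytes):
    """A computes c(m): reveal one secret per bit of H(m)."""
    return [sk[i][b] for i, b in enumerate(digest_bits(message))]

def verify(pk, message: bytes, sig) -> bool:
    """C checks (m, c(m)) against A's public key without contacting A."""
    if len(sig) != N:
        return False
    return all(secrets.compare_digest(H(sig[i]), pk[i][b])
               for i, b in enumerate(digest_bits(message)))

def run_protocol():
    # A: generate keys, publish pk, send (m, c(m)) to B (constructed message).
    sk, pk = keygen()
    m = b"pay 10 to B"
    c_m = sign(sk, m)
    # B relays (m, c(m)) to C unchanged: C accepts.
    honest = verify(pk, m, c_m)
    # B tries to pass off c(m) as a commitment to m': C rejects.
    cheated = verify(pk, b"pay 1000 to B", c_m)
    return honest, cheated

if __name__ == "__main__":
    print(run_protocol())  # (True, False)
```

C must hold an authentic copy of A's public key for the check to mean anything, and a Lamport key pair may sign only one message.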