This work aims to improve the practicality of gadget-based cryptosystems, with a focus on hash-and-sign signatures. To this end, we develop a compact gadget framework in which the gadget used is a square matrix instead of the short and fat one used in previous constructions. To work with this compact gadget, we devise a specialized gadget sampler, called the semi-random sampler, to compute the approximate preimage. It first deterministically computes the error and then randomly samples the preimage. We show that for uniformly random targets, the preimage and error distributions are simulatable without knowing the trapdoor. This ensures the security of the signature applications. Compared to the Gaussian-distributed errors in previous algorithms, the deterministic errors have a smaller size, which leads to a substantial gain in security and enables a practically working instantiation. As applications, we present two practically efficient gadget-based signature schemes based on NTRU and Ring-LWE respectively. The NTRU-based scheme offers comparable efficiency to Falcon and Mitaka and a simple implementation without the need to generate the NTRU trapdoor. The LWE-based scheme also achieves a desirable overall performance. It not only greatly outperforms the state-of-the-art LWE-based hash-and-sign signatures, but also has an even smaller size than the LWE-based Fiat-Shamir signature scheme Dilithium. These results fill the long-standing gap in practical gadget-based signatures.
Translation: This paper aims to improve the practicality of gadget-based lattice cryptosystems, with a focus on hash-and-sign schemes. To this end, we develop a compact gadget framework in which the gadget used is a square matrix rather than the short and fat matrix adopted in previous constructions. To fit this compact gadget, we design a specialized gadget sampler, called the semi-random sampler, to compute approximate preimages. The algorithm first computes the error deterministically and then samples the preimage randomly. We show that, for uniformly random targets, the preimage and error distributions can be simulated without knowledge of the trapdoor, which ensures the security of the signature applications. Compared with the Gaussian-distributed errors of previous algorithms, the deterministic errors are smaller, which brings a significant gain in security and makes a practically workable instantiation possible. As applications, we present two practical and efficient gadget-based signature schemes based on NTRU and Ring-LWE respectively. The NTRU-based scheme is comparable in efficiency to Falcon and Mitaka and admits a simple implementation without generating an NTRU trapdoor; the LWE-based scheme also achieves excellent overall performance, not only significantly outperforming the current state-of-the-art LWE-based hash-and-sign schemes but also being even smaller in size than the LWE-based Fiat-Shamir signature scheme Dilithium. These results fill the long-standing gap in practical gadget-based signatures.