A Note on the Post-Quantum Security of (Ring) Signatures
Abstract
This work revisits the security of classical signatures and ring signatures in a quantum world. For (ordinary) signatures, we focus on the arguably preferable security notion of blind-unforgeability recently proposed by Alagic et al. (Eurocrypt'20). We present two short signature schemes achieving this notion: one is in the quantum random oracle model, assuming quantum hardness of SIS; and the other is in the plain model, assuming quantum hardness of LWE with superpolynomial modulus. Prior to this work, the only known blind-unforgeable schemes are Lamport's one-time signature and the Winternitz one-time signature, and both of them are in the quantum random oracle model. For ring signatures, the recent work by Chatterjee et al. (Crypto'21) proposes a definition trying to capture adversaries with quantum access to the signer. However, it is unclear if their definition, when restricted to the classical world, is as strong as the standard security notion for ring signatures. They also present a construction that only partially achieves (even) this seemingly weak definition, in the sense that the adversary can only conduct superposition attacks over the messages, but not the rings. We propose a new definition that does not suffer from the above issue. Our definition is an analog of blind-unforgeability in the ring signature setting. Moreover, assuming the quantum hardness of LWE, we construct a compiler converting any blind-unforgeable (ordinary) signature into a ring signature satisfying our definition.
Publication: arXiv e-prints
Pub Date: December 2021
arXiv: arXiv:2112.06078
Bibcode: 2021arXiv211206078C
Keywords: Quantum Physics; Computer Science - Cryptography and Security