A Note on the Post-Quantum Security of (Ring) Signatures

TL;DR

This paper analyzes the post-quantum security of classical and ring signatures, introducing new schemes and definitions that ensure security against quantum adversaries, and providing constructions based on lattice problems.

Contribution

It presents two short signature schemes achieving blind-unforgeability in the quantum setting and proposes a new, stronger security definition for ring signatures with a construction from blind-unforgeable signatures.

Findings

Two short signature schemes achieve blind-unforgeability in the quantum model.

A new security definition for ring signatures is proposed and justified.

A compiler converts blind-unforgeable signatures into secure ring signatures.

Abstract

This work revisits the security of classical signatures and ring signatures in a quantum world. For (ordinary) signatures, we focus on the arguably preferable security notion of blind-unforgeability recently proposed by Alagic et al. (Eurocrypt'20). We present two short signature schemes achieving this notion: one is in the quantum random oracle model, assuming quantum hardness of SIS; and the other is in the plain model, assuming quantum hardness of LWE with super-polynomial modulus. Prior to this work, the only known blind-unforgeable schemes are Lamport's one-time signature and the Winternitz one-time signature, and both of them are in the quantum random oracle model. For ring signatures, the recent work by Chatterjee et al. (Crypto'21) proposes a definition trying to capture adversaries with quantum access to the signer. However, it is unclear if their definition, when restricted to the classical world, is as strong as the standard security notion for ring signatures. They also present a construction that only partially achieves (even) this seeming weak definition, in the sense that the adversary can only conduct superposition attacks over the messages, but not the rings. We propose a new definition that does not suffer from the above issue. Our definition is an analog to the blind-unforgeability in the ring signature setting. Moreover, assuming the quantum hardness of LWE, we construct a compiler converting any blind-unforgeable (ordinary) signatures to a ring signature satisfying our definition.