This work revisits the security of classical signatures and ring signatures in a quantum world. For (ordinary) signatures, we focus on the arguably preferable security notion of blind-unforgeability recently proposed by Alagic et al. (Eurocrypt'20). We present two short signature schemes achieving this notion: one is in the quantum random oracle model, assuming the quantum hardness of SIS; the other is in the plain model, assuming the quantum hardness of LWE with a super-polynomial modulus. Prior to this work, the only known blind-unforgeable schemes were Lamport's one-time signature and the Winternitz one-time signature, both of which are analyzed in the quantum random oracle model. For ring signatures, the recent work by Chatterjee et al. (Crypto'21) proposes a definition that tries to capture adversaries with quantum access to the signer. However, it is unclear whether their definition, when restricted to the classical world, is as strong as the standard security notion for ring signatures. They also present a construction that only partially achieves (even) this seemingly weak definition, in the sense that the adversary can only conduct superposition attacks over the messages, but not over the rings. We propose a new definition that does not suffer from the above issue. Our definition is the analog of blind-unforgeability in the ring signature setting. Moreover, assuming the quantum hardness of LWE, we construct a compiler that converts any blind-unforgeable (ordinary) signature scheme into a ring signature scheme satisfying our definition.