MMSAT: A Scheme for Multimessage Multiuser Signature Aggregation

Post-Quantum (PQ) signature schemes are known for large key and signature sizes, which may inhibit their deployment in real-world applications. In this work, we construct a PQ signature scheme, MMSAT, that is the first such scheme capable of aggregating unrelated messages signed individually by different parties. Our proposal extends the notion of multisignatures, which are signatures that support aggregation of signatures on a single message signed by multiple parties. Multisignatures are especially useful in blockchain applications, where a transaction may be signed by multiple users. The proposed construction achieves significant gains in bandwidth and storage requirements by allowing aggregation of unrelated transactions. Our construction is derived by extending the PASSRS scheme, and thus the security of our scheme relies on the hardness of the Vandermonde-SIS problem. When aggregated, a signature consists of two parts. The first part is a post-quantum size signature that grows very slowly, scaling on the order of log K bits for K signatures. The second part scales linearly with K, with a very short fixed cost per signature, roughly twice the bit security. Thus even when aggregating a modest number of signatures, the per-signature cost of MMSAT is in line with that of traditional pre-quantum signature schemes such as ECDSA. As an extension to MMSAT, we describe a variant called MMSATK in which the public keys required to verify an aggregated signature are compressed by a factor of 20 to 30.
