A multivariate blind ring signature scheme

Dung Hoang Duong¹, Willy Susilo¹ and Ha Tran²

¹ Institute of Cybersecurity and Cryptology, School of Computing and Information Technology, University of Wollongong, Northfields Avenue, NSW 2522, Australia
² Department of Mathematical and Physical Sciences, Concordia University of Edmonton, 7128 Ada Blvd NW, Edmonton, Canada
Email: {hduong,wsusilo}@uow.edu.au, hatran1104@gmail.com
Blind signatures are an important and useful tool in designing digital cash schemes and electronic voting protocols. Ring signatures, on the other hand, provide anonymity of the signer within a ring of users. To fit some real-life applications, it is useful to combine both primitives into a blind ring signature scheme that has all of their features. In this paper, we propose, for the first time, a post-quantum blind ring signature scheme. Our scheme is constructed from multivariate public key cryptography, which is one of the main candidates for post-quantum cryptography.

Keywords: Post-Quantum Cryptography; Multivariate Cryptography; Blind Ring Signature; MQ Problem
1. INTRODUCTION
Blind signatures were first introduced by Chaum [6] with the intention of protecting users' transaction information. Blind signatures allow a person to get a message signed by another party without revealing any information about the message to this other party, and hence provide anonymity of the signed message. This makes blind signatures useful in electronic auctions and electronic voting systems. Another important protocol that provides anonymity is the ring signature, a group-oriented signature with privacy concerns introduced by Rivest et al. [22]. In a ring signature scheme, the actual signer forms a ring out of any set of possible signers and himself. The actual signer can then generate a ring signature entirely on his own, using only his secret key and the others' public keys, without assistance from other members of the ring. The generated ring signature convinces any verifier that it was generated by one of the members of the ring without revealing who actually signed the message, and hence ensures the anonymity of the signer. Ring signatures have since found many applications in electronic cash systems and electronic voting systems.

In some real-life applications, such as banking, one must make a single e-bank system more scalable by supporting many banks, and add further properties such as strong anonymity of the signing banks and unlinkability of two different signatures. It is hence necessary to combine blind and ring signatures into one primitive, called a blind ring signature, to obtain more spontaneity and flexibility and so bring many more solutions to real-life scenarios, especially in e-banking. For example, a client's e-coin is signed by a member of a coalition of banks chosen in an ad hoc manner (a ring of banks). The choice of the coalition could be specified either by the issuing bank or by the client himself. Other applications of the primitive include multi-authority e-voting and e-auction systems [13].
There have been several constructions of blind ring signatures in the literature [27, 13, 28]. However, their security is based on the hardness of either the integer factorization problem or the discrete logarithm problem, both of which can be easily solved by quantum computers [25]. It is then necessary to build such a scheme whose security rests on mathematical problems that remain hard even for quantum computers. This is the area of post-quantum cryptography [3]. It has received much more attention recently, after the call of NIST [1] for proposals of post-quantum cryptosystems to be standardized in the near future.

Multivariate public key cryptography (MPKC) is one of the main candidates for this standardization [1]. These schemes are in general very fast and require only modest computational resources, so they can be used on low-cost devices like smart cards and RFID chips [5, 7]. Especially in the area of digital signatures, MPKC has several strong candidates for the NIST post-quantum standardization, such as Rainbow [9] and MQDSS [8], which have passed to the second round of the competition [2]. However, there is a lack of multivariate signature schemes with special properties, such as forward-secure, proxy, etc.
The first multivariate ring signature scheme was recently introduced by Mohamed and Petzoldt [16], in which they instantiated it with the Rainbow signature scheme. In fact, their construction is quite generic and applies to any multivariate signature scheme. Then, together with Szepieniec, they also proposed the first multivariate blind signature scheme [20]. Their blind signature scheme uses both the Rainbow signature scheme, for generating a signature, and the MQDSS scheme [8], to prove knowledge of the generated signature. As a result, their scheme is very efficient and produces much shorter signatures than the lattice construction of Rückert [23].

The Computer Journal, Vol. ??, No. ??, ????
Our contribution. In this paper, by adopting ideas from classical blind ring signatures [13, 28], we combine the aforementioned multivariate blind [20] and ring [16] signature schemes to create the first multivariate blind ring signature scheme. It is in fact the first post-quantum blind ring signature scheme in the literature. We also apply the method of Petzoldt et al. [18] to reduce the public key size of our scheme. As a result, we can reduce the public key size by up to more than 62% (see Table 1 for details).

Our paper is organized as follows. We recall the definition of blind ring signatures and their security in Section 2. In Section 3, we provide some basic notions of MPKC and the constructions of Rainbow and MQDSS. Our construction is presented in Section 4 together with a security analysis of the proposed scheme. We give our choice of parameters and compute the public key and signature sizes in Section 5. Finally, Section 6 concludes the paper.
2. BLIND RING SIGNATURE
A blind ring signature scheme BRS consists of the following algorithms.

Setup of system parameters: BRS.Setup is a probabilistic algorithm which takes as input the security parameter $k$ and generates system parameters, which include a description of the signature space and message space, a hash function, etc.

Key generation: BRS.KeyGen is a probabilistic algorithm which takes as input the system parameters and outputs a signing key pair $(pk_i, sk_i)$ for a user $U_i$.

Blind ring signature generation: BRS.Sign is an interactive two-party protocol which is initialized by a client $C$. This client chooses a message $M$ and a ring $U = (U_1, \cdots, U_n)$ of users, and engages in an interaction with some member $U_\pi$ of the ring, who can use his secret key $sk_\pi$ as part of the input. We denote by $I_C$ the secret inputs that the client $C$ uses, and by Trans the values obtained by the signer during this interaction. At the end, the private output $O_C$ for the client is a valid ring signature $\sigma$ for the message $M$ and the ring of users $U$.

Verification of a blind ring signature: Verify is a deterministic algorithm which takes as input a message $M$, a ring of users $U = (U_1, \cdots, U_n)$, their public keys $(pk_1, \cdots, pk_n)$ and a signature $\sigma$. The output is 1 if the signature is valid, and 0 otherwise.

A blind ring signature scheme must satisfy the following four requirements.

Correctness means that a verifier always accepts as valid a signature that has been properly generated by an honest client and an honest signer in the corresponding ring of users.

Anonymity means that the client has no information about which member of the ring has actually participated in the interactive blind ring signature generation.

Blindness means that the users in the ring obtain no information about the message that they are actually signing for the client.

Unforgeability means that a client is not able to produce $l + 1$ valid and different ring signatures if he has queried for at most $l$ executions of the blind ring signature protocol.

Below we recall the formal definitions of the last two properties.
2.1. Blindness
Blindness of a blind ring signature scheme is defined by a game between a challenger and an adversary. This adversary $\mathcal{A}$ simulates the dishonest behaviour of a ring of users who try to distinguish which of two different messages $M_0$ and $M_1$ is being signed in an interaction of the signing protocol with a client. The game is as follows.

Setup: the adversary $\mathcal{A}$ chooses a universe $U^*$ of users and a security parameter $k$. The challenger runs BRS.Setup with input $k$, as well as BRS.KeyGen for each user $U_i \in U^*$. The adversary is given all resulting information, including the public common parameters and the public and secret keys of all users in $U^*$.

Challenge: the adversary $\mathcal{A}$ chooses a user list $U = (U_1, \cdots, U_n)$ and two different messages $M_0$ and $M_1$. The challenger chooses a random bit $b \in \{0, 1\}$ and initializes the interactive blind ring signature protocol with message $M_b$ and ring $U$ as input. The adversary $\mathcal{A}$ chooses some user $U_\pi \in U$ and plays the role of the signer in the protocol (note that $\mathcal{A}$ knows the secret key of $U_\pi$). At the end, the adversary obtains Trans.

Guess: the adversary $\mathcal{A}$ finally outputs its guess $b'$.

We say that the adversary $\mathcal{A}$ wins if $b = b'$. The advantage of the adversary is defined by
$$\mathrm{Adv}^{\mathrm{Blindness}}_{\mathrm{BRS},\mathcal{A}}(k) = \Pr[b = b'] - \frac{1}{2}.$$
A blind ring signature scheme satisfies the blindness property if for any probabilistic polynomial-time (PPT) adversary $\mathcal{A}$, the function $\mathrm{Adv}^{\mathrm{Blindness}}_{\mathrm{BRS},\mathcal{A}}(k)$ is negligible in $k$.
2.2. Unforgeability
Unforgeability for blind ring signatures is adapted from the concept of universal one-more-unforgeability for blind signatures [21], which was used for multivariate blind signatures [20]. A forger $\mathcal{A}$ against a blind ring signature scheme is defined by means of the following game played against a challenger:

Setup: the adversary $\mathcal{A}$ chooses a universe $U^*$ of users and a security parameter $k$. The challenger runs BRS.Setup with input $k$, as well as BRS.KeyGen for each user $U_i \in U^*$. It gives to $\mathcal{A}$ the resulting common public parameters and the public keys $pk_i$, and keeps the secret keys $sk_i$.

Queries: the forger $\mathcal{A}$ makes $l$ different signature queries to the challenger. All these queries can be made adaptively. $\mathcal{A}$ then outputs a list $L$ of $l$ message/signature pairs, which are valid and pairwise distinct.

Forgery: the challenger outputs a message $M^*$ not contained in the list $L$. The adversary wins the game if he is able to generate a valid blind signature $\sigma$ for $M^*$.

A blind ring signature scheme satisfies the one-more-unforgeability property if, for every PPT adversary $\mathcal{A}$, the success probability $\Pr[\mathcal{A} \text{ wins}]$ is negligible in the security parameter.
3. MULTIVARIATE PUBLIC KEY CRYPTOGRAPHY
3.1. Basic notions
Let $K$ be a finite field. A multivariate quadratic polynomial over $K$ is of the form $f(x) = \sum_{i,j} a_{ij} x_i x_j + \sum_i b_i x_i$ with $x = (x_1, \cdots, x_n)$ and $a_{ij}, b_i \in K$. The public key of a multivariate scheme consists of a family of multivariate quadratic polynomials $\mathcal{F}$ over $K$. In other words, $\mathcal{F} = (f_1(x), \cdots, f_m(x))$ where each $f_s(x)$ is a multivariate quadratic polynomial over $K$, $s \in \{1, \cdots, m\}$. The function $G(x, y) = \mathcal{F}(x + y) - \mathcal{F}(x) - \mathcal{F}(y) + \mathcal{F}(0)$ is called the polar form of $\mathcal{F}$.

The MQ-Problem$(\mathcal{F}, v)$ is defined as follows: given $v \in K^m$, find, if any, $x \in K^n$ such that $\mathcal{F}(x) = v$. The security of multivariate schemes is based on the MQ-Problem, which is proven to be NP-hard even for quadratic polynomials over the field $F_2$ [11].

In order to build a multivariate public key cryptosystem, one first constructs an easily invertible quadratic map $\mathcal{F}: K^n \to K^m$ (the central map). To hide the structure of $\mathcal{F}$ in the public key, one composes it with two invertible affine (or linear) maps $\mathcal{T}: K^m \to K^m$ and $\mathcal{S}: K^n \to K^n$. The public key is therefore given by $\mathcal{P} = \mathcal{T} \circ \mathcal{F} \circ \mathcal{S}: K^n \to K^m$. The private key consists of $\mathcal{T}$, $\mathcal{F}$ and $\mathcal{S}$. In this paper we consider multivariate signature schemes. For these schemes, we require $n \ge m$, which ensures that every message has a signature.

Signature Generation: To generate a signature for a message (or its hash value) $m \in K^m$, one computes recursively $w = \mathcal{T}^{-1}(m) \in K^m$, $y = \mathcal{F}^{-1}(w) \in K^n$ and $s = \mathcal{S}^{-1}(y)$. Then $s \in K^n$ is the signature of the message $m$. Here, $\mathcal{F}^{-1}(w)$ means finding one (of possibly many) pre-image of $w$ under the central map $\mathcal{F}$.

Signature Verification: To check the authenticity of a signature $s \in K^n$, the verifier simply computes $m' = \mathcal{P}(s)$. If the result is equal to the message $m$, the signature is accepted; otherwise it is rejected.
3.2. Rainbow signature scheme
Rainbow signature schemes [9] are multi-layer versions of UOV [14]. For convenience we introduce the two-layer Rainbow scheme (in design, there is no advantage in using more than two layers). Let $K = F_q$ be the finite field with $q$ elements and $n = v_1 + o_1 + o_2$ with $v_1, o_1, o_2$ positive integers. Set $m = o_1 + o_2$ and $v_2 = o_1 + v_1$. The Rainbow central map $\mathcal{F}: K^n \to K^{o_1 + o_2}$, $(x_1, \ldots, x_n) \mapsto (f^{(1)}, \ldots, f^{(o_1 + o_2)})$, consists of the following $m = o_1 + o_2$ polynomials:
$$f^{(1)} = \sum_{\substack{1 \le i \le v_1 + o_1 \\ 1 \le j \le v_1}} a^{(1)}_{ij} x_i x_j + \sum_{i=1}^{v_1 + o_1} b^{(1)}_i x_i + c^{(1)},$$
$$\cdots$$
$$f^{(o_1)} = \sum_{\substack{1 \le i \le v_1 + o_1 \\ 1 \le j \le v_1}} a^{(o_1)}_{ij} x_i x_j + \sum_{i=1}^{v_1 + o_1} b^{(o_1)}_i x_i + c^{(o_1)},$$
$$f^{(o_1 + 1)} = \sum_{\substack{1 \le i \le n \\ 1 \le j \le v_1 + o_1}} a^{(o_1 + 1)}_{ij} x_i x_j + \sum_{i=1}^{n} b^{(o_1 + 1)}_i x_i + c^{(o_1 + 1)},$$
$$\cdots$$
$$f^{(o_1 + o_2)} = \sum_{\substack{1 \le i \le n \\ 1 \le j \le v_1 + o_1}} a^{(o_1 + o_2)}_{ij} x_i x_j + \sum_{i=1}^{n} b^{(o_1 + o_2)}_i x_i + c^{(o_1 + o_2)},$$
where the coefficients $a^{(k)}_{ij}, b^{(k)}_i, c^{(k)}$ are in $K$. Choose randomly two invertible affine maps $\mathcal{S}: K^n \to K^n$ and $\mathcal{T}: K^{o_1 + o_2} \to K^{o_1 + o_2}$. The public key is given by $\mathcal{P} = \mathcal{T} \circ \mathcal{F} \circ \mathcal{S}: K^n \to K^{o_1 + o_2}$, and the private key consists of $\mathcal{T}$, $\mathcal{F}$ and $\mathcal{S}$.

To sign a message $m = (m_1, \ldots, m_{o_1 + o_2}) \in K^{o_1 + o_2}$, we first compute $y = \mathcal{T}^{-1}(m) = (y_1, \ldots, y_{o_1 + o_2})$ and do the following.

(1) Choose $a = (a_1, \ldots, a_{v_1}) \in K^{v_1}$ and plug it into the polynomials of the central map to obtain $\bar f^{(1)}, \ldots, \bar f^{(o_1 + o_2)}$.
(2) Solving the linear system $\bar f^{(i)} = y_i$ with $i = 1, \ldots, o_1$ yields a solution $(b_1, \ldots, b_{o_1})$. If there is no solution, go back to Step (1).
(3) Plug $(b_1, \ldots, b_{o_1})$ into $\bar f^{(o_1 + 1)}, \ldots, \bar f^{(o_1 + o_2)}$ and solve the linear system $\bar f^{(i)} = y_i$ with $i = o_1 + 1, \ldots, o_1 + o_2$ to get a solution $(b_{o_1 + 1}, \ldots, b_{o_1 + o_2})$. If there is no solution, go back to Step (1).
(4) Set $x = (a_1, \ldots, a_{v_1}, b_1, \ldots, b_{o_1 + o_2})$. A signature is computed by $s := \mathcal{S}^{-1}(x)$.

A signature $s$ is accepted if $\mathcal{P}(s) = m$; otherwise it is rejected.

The public key of the scheme consists of $m$ quadratic equations in $n$ variables, and hence the public key has size
$$\frac{m \cdot (n + 1)(n + 2)}{2} \cdot \log_2(q) \text{ bits.}$$
3.3. The MQDSS signature scheme from the MQ-based identification scheme
Another way to construct a digital signature scheme is to first construct a secure identification scheme and then transform it into a digital signature scheme by the Fiat-Shamir transformation [12]. The first provably secure 3-pass identification scheme was proposed by Sakumoto et al. [24]. Its impersonation probability is $\frac{2}{3}$. Hence, in order to reach a suitable security level, the protocol needs to be repeated for many rounds. They also proposed a 5-pass protocol with impersonation probability $\frac{1}{2} + \frac{1}{2q}$, $q$ being the cardinality of the associated finite field. Thus, for a suitable choice of $q$, the 5-pass protocol needs fewer rounds than the 3-pass one and hence reduces the communication cost. The 5-pass protocol was later used to design a very efficient signature scheme, MQDSS [8], which has just passed to the second round of the NIST standardization competition [2].

The 5-pass identification scheme by Sakumoto et al. [24] uses a system $\mathcal{P}$ of $m$ multivariate quadratic polynomials in $n$ variables as a public parameter. The prover chooses a random $s \in F^n$ as the secret key and computes the public key $v \in F^m$ by $v = \mathcal{P}(s)$. In order to prove his identity to a verifier, the prover performs several rounds of the interactive protocol shown in Figure 1. Note that here
$$G(x, y) = \mathcal{P}(x + y) - \mathcal{P}(x) - \mathcal{P}(y) + \mathcal{P}(0)$$
is the polar form of the system $\mathcal{P}$. In our scheme, we use a system $\mathcal{P}$ with zero constant terms, i.e., $\mathcal{P}(0) = 0$. A method for generating such a system can be found in [8].

The impersonation probability per round is $\frac{1}{2} + \frac{1}{2q}$. To decrease the impersonation probability below $2^{-\eta}$, one needs to perform
$$r = \left\lceil \frac{-\eta}{\log_2(1/2 + 1/(2q))} \right\rceil$$
rounds of the protocol. For an identification scheme, one just needs $\eta \approx 30$, but for signatures we require $\eta$ to be at least as large as the security level.
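One round of the protocol of Figure 1 together with the round count $r$ above, as an added example written for this page (not code from the paper or from MQDSS). It assumes a constructed random quadratic system $\mathcal{P}$ over GF(31) with $\mathcal{P}(0) = 0$ and a commitment implemented as SHA-256 over a fixed encoding (no hiding randomness); it exercises both verifier branches against one commitment pair and then runs $r$ independent rounds:

```python
"""One round of the 5-pass MQ identification scheme of Figure 1 and the round count
r = ceil(-eta / log2(1/2 + 1/(2q))) of Section 3.3.  Added example for this page, not the
authors' or the MQDSS code.  Assumptions: P is a constructed random quadratic system over
GF(31) with P(0) = 0; Com is SHA-256 over a fixed-width encoding (no hiding randomness)."""
import hashlib, math, random

q = 31

def random_system(rng, m, n):
    """m polynomials x^T A_k x + b_k^T x in n variables, no constant term, so P(0) = 0."""
    return [([[rng.randrange(q) for _ in range(n)] for _ in range(n)],
             [rng.randrange(q) for _ in range(n)]) for _ in range(m)]

def P(sys, x):
    return [(sum(A[i][j] * x[i] * x[j] for i in range(len(x)) for j in range(len(x)))
             + sum(b * xi for b, xi in zip(bv, x))) % q for A, bv in sys]

def G(sys, x, y):
    """Polar form G(x,y) = P(x+y) - P(x) - P(y) + P(0); bilinear because P is quadratic."""
    xy = [(a + b) % q for a, b in zip(x, y)]
    return [(s - u - w + z) % q for s, u, w, z in
            zip(P(sys, xy), P(sys, x), P(sys, y), P(sys, [0] * len(x)))]

vadd = lambda u, v: [(a + b) % q for a, b in zip(u, v)]
vsub = lambda u, v: [(a - b) % q for a, b in zip(u, v)]
smul = lambda c, u: [c * a % q for a in u]
Com = lambda *vecs: hashlib.sha256(b"|".join(bytes(v) for v in vecs)).hexdigest()

def prover_commit(rng, sys, s):
    """Message 1: (c_0, c_1).  The prover keeps (r_0, r_1, t_0, e_0) as its state."""
    n, m = len(s), len(sys)
    r0, t0 = [rng.randrange(q) for _ in range(n)], [rng.randrange(q) for _ in range(n)]
    e0 = [rng.randrange(q) for _ in range(m)]
    r1 = vsub(s, r0)
    c0, c1 = Com(r0, t0, e0), Com(r1, vadd(G(sys, t0, r1), e0))
    return (c0, c1), (r0, r1, t0, e0)

def prover_alpha(sys, state, alpha):
    """Message 3, after challenge alpha: t_1 = alpha r_0 - t_0, e_1 = alpha P(r_0) - e_0."""
    r0, _, t0, e0 = state
    return vsub(smul(alpha, r0), t0), vsub(smul(alpha, P(sys, r0)), e0)

def prover_rsp(state, ch):
    """Message 5, after challenge ch: r_0 if ch = 0, else r_1."""
    return state[0] if ch == 0 else state[1]

def verify_round(sys, v, c0, c1, alpha, t1, e1, ch, rsp):
    """The verifier's final check of Figure 1 for the chosen ch."""
    if ch == 0:
        return c0 == Com(rsp, vsub(smul(alpha, rsp), t1), vsub(smul(alpha, P(sys, rsp)), e1))
    inner = vsub(vsub(smul(alpha, vsub(v, P(sys, rsp))), G(sys, t1, rsp)), e1)
    return c1 == Com(rsp, inner)

def rounds(eta, q=q):
    """r = ceil(-eta / log2(1/2 + 1/(2q))): rounds needed to push impersonation below 2^-eta."""
    return math.ceil(-eta / math.log2(0.5 + 1 / (2 * q)))

def honest_round(rng, sys, v, s, ch=None):
    """One full exchange with random verifier challenges (ch may be forced to 0 or 1)."""
    (c0, c1), st = prover_commit(rng, sys, s)
    alpha = rng.randrange(q)
    t1, e1 = prover_alpha(sys, st, alpha)
    ch = rng.randrange(2) if ch is None else ch
    return verify_round(sys, v, c0, c1, alpha, t1, e1, ch, prover_rsp(st, ch))

def demo(seed=1, m=4, n=5, eta=80):
    """Returns (all rounds accepted, r).  Both branches are checked on one commitment pair first."""
    rng = random.Random(seed)
    sys = random_system(rng, m, n)
    s = [rng.randrange(q) for _ in range(n)]      # prover's secret
    v = P(sys, s)                                 # public key v = P(s)
    r = rounds(eta)
    both = all(honest_round(rng, sys, v, s, ch) for ch in (0, 1))
    return both and all(honest_round(rng, sys, v, s) for _ in range(r)), r
```

For $q = 31$ the function rounds gives 84, 105 and 135 rounds for $\eta = 80, 100, 128$, which are the round counts listed in Table 1. The ch = 1 branch passes only because $G$ is bilinear and $\mathcal{P}(0) = 0$, which is why Section 3.3 insists on a system with zero constant terms.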
The MQDSS signature scheme [8] was obtained by first developing a technique to transform $(2n + 1)$-pass identification schemes into signature schemes and then applying it to the 5-pass identification protocol above, to obtain an EU-CMA secure signature scheme.

To generate a signature for a message $M$, the signer produces a transcript of the above identification protocol over $r$ rounds. As a result, a signature is of the form
$$\sigma = (c_{0,1}, \cdots, c_{1,r}, t_{1,1}, e_{1,1}, \cdots, t_{1,r}, e_{1,r}, \mathrm{Rsp}_1, \cdots, \mathrm{Rsp}_r).$$
To check the validity of the signature, the verifier parses the signature into its components, uses the commitments to compute the challenges and checks correctness as in Figure 1; see [8] for more details.
FIGURE 1. The 5-pass MQ identification scheme of Sakumoto et al. [24]

Prover: $\mathcal{P}, v, s$                                              Verifier: $\mathcal{P}, v$
Choose $r_0, t_0 \in F^n$, $e_0 \in F^m$
$r_1 = s - r_0$
$c_0 = \mathrm{Com}(r_0, t_0, e_0)$
$c_1 = \mathrm{Com}(r_1, G(t_0, r_1) + e_0)$
                                    ------ $(c_0, c_1)$ ------>
                                    <-------- $\alpha$ ---------   Choose $\alpha \in F$
$t_1 = \alpha r_0 - t_0$
$e_1 = \alpha \mathcal{P}(r_0) - e_0$
                                    ------ $(t_1, e_1)$ ------>
                                    <-------- $ch$ ----------   Choose $ch \in \{0, 1\}$
If $ch = 0$, $\mathrm{Rsp} = r_0$; else $\mathrm{Rsp} = r_1$
                                    ------- $\mathrm{Rsp}$ -------->
                                                                   If $ch = 0$, check $c_0 \overset{?}{=} \mathrm{Com}(r_0, \alpha r_0 - t_1, \alpha \mathcal{P}(r_0) - e_1)$
                                                                   If $ch = 1$, check $c_1 \overset{?}{=} \mathrm{Com}(r_1, \alpha(v - \mathcal{P}(r_1)) - G(t_1, r_1) - e_1)$

4. OUR BLIND RING SIGNATURE SCHEME
4.1. Construction
In this section, we propose our blind ring signature scheme based on the blind signature scheme [20] and the ring signature scheme [16]. The idea is as follows. First, we blind the message as in [13]. Then we sign the blinded message in the same manner as the ring signature scheme [16] to obtain $(z_1, \cdots, z_t, z^*)$ as below. This is a ring signature of the blinded message, which is finally signed in the same manner as the blind signature scheme [20] to obtain a blind ring signature. The details are as follows.

Setup of system parameters: a finite field $F_q$ and integers $m$, $n$ and $r$, chosen from the input security parameter $k$. Here $r$ is the number of rounds that the identification scheme performs during the generation of a signature.

Key generation: each user $U_i$ generates a key pair $(sk_i, pk_i) = ((\mathcal{S}_i, \mathcal{F}_i, \mathcal{T}_i), \mathcal{P}_i)$ of the underlying Rainbow signature scheme. A random system $R: F_q^m \to F_q^m$ is generated by using a cryptographically secure pseudo-random number generator (CSPRNG), $R = \mathrm{CSPRNG}(\mathcal{P}_1 \| \cdots \| \mathcal{P}_t, U)$.

Signature generation: The client who wants to obtain a blind ring signature for a message $M$, with respect to a ring $U = \{U_1, \cdots, U_t\}$ of users, proceeds as follows: he chooses a random $z^* \in F_q^m$ and computes $w^* = R(z^*) \in F_q^m$. Then he sends
$$\tilde{w} = H(M, U) - w^* \in F_q^m$$
together with the ring $U$ to the signer.

One of these members, say $U_i$ with $i \in \{1, \cdots, t\}$, acts as follows:

1. For $j \in \{1, \cdots, t\}$, $j \ne i$, choose random vectors $z_1, \cdots, z_{i-1}, z_{i+1}, \cdots, z_t \in F_q^n$ and compute
$$w = \tilde{w} - \sum_{\substack{j=1 \\ j \ne i}}^{t} \mathcal{P}_j(z_j) \in F_q^m.$$
2. Use his secret key $sk_i$ to compute a vector $z_i \in F_q^n$ such that $\mathcal{P}_i(z_i) = w$.
3. Send the tuple $(z_1, \cdots, z_t)$ to the client.
The client first verifies whether
$$H(M, U) = \sum_{i=1}^{t} \mathcal{P}_i(z_i) + R(z^*).$$
If so, he has obtained a solution $(z_1, \cdots, z_t, z^*)$ of the system
$$\mathcal{P}(x) = \sum_{i=1}^{t} \mathcal{P}_i(x_i) + R(y).$$
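A toy implementation of the Rainbow signing steps of Section 3.2 driving the first phase above (the client's blinding, the signer's computation of $w$ and $z_i$, and the client's check), as an added example written for this page and not the authors' code. Everything is over GF(31) with deliberately tiny, insecure parameters $(v_1, o_1, o_2) = (3, 2, 2)$; $\mathcal{S}$ and $\mathcal{T}$ are linear, each public map is evaluated as the composition $\mathcal{T} \circ \mathcal{F} \circ \mathcal{S}$ rather than stored as expanded coefficients, $H(M, U)$ is SHA-256 reduced mod 31 per coordinate, and $R$ is a constructed random quadratic map standing in for the CSPRNG-derived system:

```python
"""Toy two-layer Rainbow (Section 3.2) driving the ring step of Section 4.1.  Added example
for this page, not the authors' code.  Assumptions: GF(31); tiny, insecure (v1,o1,o2) = (3,2,2);
S, T linear; public maps evaluated as the composition T∘F∘S rather than expanded; H(M,U) is
SHA-256 reduced mod 31 per coordinate; R is a constructed random quadratic map."""
import hashlib, random
q = 31

def mat_inv(A):
    """Gauss-Jordan inverse over GF(q); None if A is singular."""
    n = len(A)
    M = [row[:] + [int(i == j) for j in range(n)] for i, row in enumerate(A)]
    for c in range(n):
        p = next((r for r in range(c, n) if M[r][c] % q), None)
        if p is None:
            return None
        M[c], M[p] = M[p], M[c]
        M[c] = [x * pow(M[c][c], q - 2, q) % q for x in M[c]]       # Fermat inverse of the pivot
        for r in range(n):
            if r != c:
                M[r] = [(a - M[r][c] * b) % q for a, b in zip(M[r], M[c])]
    return [row[n:] for row in M]

matvec = lambda M, x: [sum(a * b for a, b in zip(row, x)) % q for row in M]
vsum = lambda u, v: [(a + b) % q for a, b in zip(u, v)]
vdiff = lambda u, v: [(a - b) % q for a, b in zip(u, v)]

def random_invertible(rng, d):
    M = [[rng.randrange(q) for _ in range(d)] for _ in range(d)]
    return M if mat_inv(M) else random_invertible(rng, d)           # retry a singular draw

# A quadratic polynomial is (a, b, c): a = {(i, j): a_ij}, b = linear coefficients, c = constant.
eval_poly = lambda poly, x: (poly[2] + sum(v * x[i] * x[j] for (i, j), v in poly[0].items())
                             + sum(u * w for u, w in zip(poly[1], x))) % q

def layer_poly(rng, rows, cols, n):
    """Rainbow layer shape: x_i x_j only for i < rows, j < cols; linear terms on x_0..x_{rows-1}."""
    return ({(i, j): rng.randrange(q) for i in range(rows) for j in range(cols)},
            [rng.randrange(q) if i < rows else 0 for i in range(n)], rng.randrange(q))

def linearize(poly, known):
    """Substitute x_0..x_{k-1} := known.  In the layer being solved every x_j of a product x_i x_j
    is already known, so the rest is affine: returns ({unknown index: coeff}, constant)."""
    a, b, c = poly
    k, lin, const = len(known), {}, c
    for (i, j), v in list(a.items()) + [((i, None), bi) for i, bi in enumerate(b) if bi]:
        w = v if j is None else v * known[j]
        if i < k:
            const += w * known[i]
        else:
            lin[i] = lin.get(i, 0) + w
    return lin, const % q

def solve_layer(polys, targets, known, unknowns):
    """Linear system f_bar^(k)(unknowns) = y_k; None if singular (the caller then retries)."""
    rows = [linearize(p, known) for p in polys]
    Ainv = mat_inv([[lin.get(i, 0) % q for i in unknowns] for lin, _ in rows])
    return Ainv and matvec(Ainv, [(yk - const) % q for (_, const), yk in zip(rows, targets)])

def invert_central(rng, F, y, v1, o1, o2):
    """Steps (1)-(4) of Section 3.2: vinegars, first layer, second layer."""
    n = v1 + o1 + o2
    while True:
        vin = [rng.randrange(q) for _ in range(v1)]                                  # (1)
        oil1 = solve_layer(F[:o1], y[:o1], vin, range(v1, v1 + o1))                   # (2)
        oil2 = oil1 and solve_layer(F[o1:], y[o1:], vin + oil1, range(v1 + o1, n))   # (3)
        if oil2:
            return vin + oil1 + oil2                                                  # (4)

def rainbow_keygen(rng, v1, o1, o2):
    """Returns (P, sk): P = T∘F∘S as a callable, sk = (S, F, T)."""
    n, m = v1 + o1 + o2, o1 + o2
    F = [layer_poly(rng, v1 + o1, v1, n) for _ in range(o1)] + [layer_poly(rng, n, v1 + o1, n) for _ in range(o2)]
    S, T = random_invertible(rng, n), random_invertible(rng, m)
    return (lambda x: matvec(T, [eval_poly(f, matvec(S, x)) for f in F])), (S, F, T)

def rainbow_sign(rng, sk, params, w):
    """s = S^{-1}(F^{-1}(T^{-1}(w))), so that P(s) = w."""
    S, F, T = sk
    return matvec(mat_inv(S), invert_central(rng, F, matvec(mat_inv(T), w), *params))

H = lambda msg_and_ring, m: [x % q for x in hashlib.sha256(msg_and_ring).digest()[:m]]  # constructed H(M,U)

def ring_sign(rng, msg_and_ring, pks, sk_i, i, params, R):
    """Client blinds the hash; member U_i answers with (z_1, ..., z_t); the client keeps z*."""
    n, m, t = sum(params), params[1] + params[2], len(pks)
    z_star = [rng.randrange(q) for _ in range(m)]                          # client's secret input
    w_tilde = vdiff(H(msg_and_ring, m), R(z_star))                          # w~ = H(M,U) - R(z*)
    z = [[rng.randrange(q) for _ in range(n)] for _ in range(t)]           # signer: random z_j, j != i
    w = w_tilde
    for j in range(t):
        if j != i:
            w = vdiff(w, pks[j](z[j]))                                     # w = w~ - sum_{j!=i} P_j(z_j)
    z[i] = rainbow_sign(rng, sk_i, params, w)                              # P_i(z_i) = w via sk_i
    return z, z_star

def client_check(msg_and_ring, pks, z, z_star, R):
    """The client's test: H(M,U) == sum_i P_i(z_i) + R(z*)."""
    total = R(z_star)
    for pk, zi in zip(pks, z):
        total = vsum(total, pk(zi))
    return total == H(msg_and_ring, len(z_star))

def demo(seed=7, t=3, params=(3, 2, 2), signer=1):
    rng = random.Random(seed)
    keys = [rainbow_keygen(rng, *params) for _ in range(t)]
    pks, m = [pk for pk, _ in keys], params[1] + params[2]
    R_polys = [layer_poly(rng, m, m, m) for _ in range(m)]       # stand-in for CSPRNG(P_1||...||P_t, U)
    R = lambda y: [eval_poly(p, y) for p in R_polys]
    msg_and_ring = b"e-coin #42|" + b",".join(b"U%d" % (k + 1) for k in range(t))   # constructed (M, U)
    z, z_star = ring_sign(rng, msg_and_ring, pks, keys[signer][1], signer, params, R)
    return client_check(msg_and_ring, pks, z, z_star, R)
```

The client's check passes because $\mathcal{P}_i(z_i) = w = \tilde{w} - \sum_{j \ne i} \mathcal{P}_j(z_j)$ makes $\sum_j \mathcal{P}_j(z_j) = \tilde{w} = H(M, U) - R(z^*)$. Only the signer's own key is ever inverted; the other $z_j$ are uniformly random, which is what gives the signer anonymity within the ring.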
The client will not publish $(z_1, \cdots, z_t, z^*)$, since that would violate the blindness of the scheme. Instead, he proves his knowledge of the signature by generating an MQDSS signature, as in Section 3.3, for $H(M, U)$. As the public parameter of the scheme he hereby uses the system $\mathcal{P}(x) = \sum_{i=1}^{t} \mathcal{P}_i(x_i) + R(y)$, which is a system of $m$ equations in $e = t \cdot n + m$ variables. Furthermore, $G(x, y)$ is the polar form of the system $\mathcal{P}$, i.e., $G(x, y) = \mathcal{P}(x + y) - \mathcal{P}(x) - \mathcal{P}(y) + \mathcal{P}(0)$. In particular, the client performs the following.

1. Compute $C = H(\mathcal{P} \| H(M, U))$ and $D = H(C \| H(M, U))$.
2. Choose random values $r_{0,1}, \cdots, r_{0,r}, t_{0,1}, \cdots, t_{0,r} \in F_q^e$ and $e_{0,1}, \cdots, e_{0,r} \in F_q^m$, set $r_{1,i} = (z_1 \| \cdots \| z_t \| z^*) - r_{0,i}$ for $i = 1, \cdots, r$, and compute the commitments
$$c_{0,i} = \mathrm{Com}(r_{0,i}, t_{0,i}, e_{0,i}), \qquad c_{1,i} = \mathrm{Com}(r_{1,i}, G(t_{0,i}, r_{1,i}) + e_{0,i}) \qquad (i = 1, \cdots, r).$$
We write $\mathrm{COM}$ for the list of all commitments $(c_{0,1}, c_{1,1}, \cdots, c_{0,r}, c_{1,r})$.
3. Derive the challenges $\alpha_1, \cdots, \alpha_r \in F_q$ from $(D, \mathrm{COM})$.
4. Compute $t_{1,i} = \alpha_i \cdot r_{0,i} - t_{0,i} \in F_q^e$ and $e_{1,i} = \alpha_i \cdot \mathcal{P}(r_{0,i}) - e_{0,i}$ for $i = 1, \cdots, r$. Set $\mathrm{Rsp}_1 = (t_{1,1}, e_{1,1}, \cdots, t_{1,r}, e_{1,r})$.
5. Derive the challenges $(ch_1, \cdots, ch_r)$ from $(D, \mathrm{COM}, \mathrm{Rsp}_1)$.
6. Set $\mathrm{Rsp}_2 = (r_{ch_1,1}, \cdots, r_{ch_r,r})$.
7. Output the blind ring signature $\sigma$ for the message $M$ and the ring $U$, given by
$$\sigma = (C, \mathrm{COM}, \mathrm{Rsp}_1, \mathrm{Rsp}_2).$$

The length of the blind ring signature $\sigma$ is
$$|\sigma| = 1 \cdot |\text{hash value}| + 2r \cdot |\text{Commitment}| + r \cdot (2tn + 3m)\ F_q \text{ elements.}$$
Verification: To verify the validity of the signature $\sigma$ for the message $M$ with respect to the ring $U$, the verifier first parses $\sigma$ into its components $(C, \mathrm{COM}, \mathrm{Rsp}_1, \mathrm{Rsp}_2)$ and computes $D = H(C \| H(M, U))$. Next, he derives the challenges $\alpha_i \in F$ from $(D, \mathrm{COM})$ and $ch_i$ from $(D, \mathrm{COM}, \mathrm{Rsp}_1)$ for $i = 1, \cdots, r$. Then he parses $\mathrm{COM}$ into $(c_{0,1}, c_{1,1}, c_{0,2}, c_{1,2}, \cdots, c_{0,r}, c_{1,r})$, $\mathrm{Rsp}_1$ into $t_1, e_1, \cdots, t_r, e_r$ and $\mathrm{Rsp}_2$ into $r_1, \cdots, r_r$, and checks whether
$$c_{0,i} \overset{?}{=} \mathrm{Com}(r_i, \alpha_i \cdot r_i - t_i, \alpha_i \cdot \mathcal{P}(r_i) - e_i) \quad\text{if } ch_i = 0, \qquad c_{1,i} \overset{?}{=} \mathrm{Com}(r_i, \alpha_i \cdot (H(M, U) - \mathcal{P}(r_i)) - G(t_i, r_i) - e_i) \quad\text{if } ch_i = 1. \tag{1}$$
If all the tests are fulfilled then the signature $\sigma$ is accepted. Otherwise it is rejected.
Theorem 1 (Correctness). If the signer of the ring and the client follow the above blind ring signature protocol, then the output will be accepted with probability 1.

Proof. One can easily see that after the first step, the client gets a solution $(z_1, \cdots, z_t, z^*)$ of $\mathcal{P}(x) = \sum_{i=1}^{t} \mathcal{P}_i(x_i) + R(y)$. In the second step, we simply use the correctness of the MQDSS scheme [8], which shows that an MQDSS signature produced by an honest signer knowing a solution to the public system $\mathcal{P}$ is accepted with probability 1.
4.2. Reducing the signature length
We follow [20, Section 4.3] to reduce the length of the blind ring signature $\sigma$. Instead of attaching all the commitments $c_{0,1}, c_{1,1}, \cdots, c_{0,r}, c_{1,r}$ to the signature, we just transmit $\mathrm{COM} = H(c_{0,1} \| c_{1,1} \| \cdots \| c_{0,r} \| c_{1,r})$ and add $(c_{1-ch_1,1}, \cdots, c_{1-ch_r,r})$ to $\mathrm{Rsp}_2$. In the verification process, the verifier recovers $(c_{ch_1,1}, \cdots, c_{ch_r,r})$ by (1) and checks whether
$$\mathrm{COM} \overset{?}{=} H(c_{0,1} \| c_{1,1} \| \cdots \| c_{0,r} \| c_{1,r}).$$
Hence the length of the signature $\sigma$ is reduced to
$$|\sigma| = 2 \cdot |\text{hash value}| + r \cdot |\text{Commitment}| + r \cdot (2tn + 3m)\ F_q \text{ elements.}$$
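The client's proof-of-knowledge phase (steps 1 to 7 of Section 4.1) in the shortened form of this section, together with the verifier's reconstruction of $c_{ch_i,i}$ via (1) and the final COM check, as an added example written for this page (not the authors' or the MQDSS code). It assumes a constructed random system $\mathcal{P}$ over GF(31) with $\mathcal{P}(0) = 0$ standing in for $\sum_i \mathcal{P}_i(x_i) + R(y)$, a solution $x$ with $H(M, U) = \mathcal{P}(x)$ taken as given from the ring phase, and SHA-256 for $H$, Com and the derivation of $\alpha_i$ and $ch_i$ (all of these encodings are this example's own choices, not the paper's):

```python
"""Steps 1-7 of Section 4.1 in the shorter form of Section 4.2 (COM is one hash and Rsp_2 also
carries c_{1-ch_i,i}), with the verifier recovering c_{ch_i,i} through (1) and checking COM.
Added example for this page, not the authors' or the MQDSS code.  Assumptions: P is a
constructed random quadratic system over GF(31) with P(0) = 0 standing in for
sum_i P_i(x_i) + R(y); x = (z_1||...||z_t||z*) with H(M,U) = P(x) is taken as given from the
ring phase; H and Com are SHA-256; alpha_i and ch_i are hash bytes reduced mod q and mod 2."""
import hashlib, random

q = 31

def random_system(rng, m, e):
    return [([[rng.randrange(q) for _ in range(e)] for _ in range(e)],
             [rng.randrange(q) for _ in range(e)]) for _ in range(m)]

def P(sys, x):
    return [(sum(A[i][j] * x[i] * x[j] for i in range(len(x)) for j in range(len(x)))
             + sum(b * xi for b, xi in zip(bv, x))) % q for A, bv in sys]

def G(sys, x, y):
    """Polar form G(x,y) = P(x+y) - P(x) - P(y) + P(0)."""
    xy = [(a + b) % q for a, b in zip(x, y)]
    return [(s - u - w + z) % q for s, u, w, z in
            zip(P(sys, xy), P(sys, x), P(sys, y), P(sys, [0] * len(x)))]

vadd = lambda u, v: [(a + b) % q for a, b in zip(u, v)]
vsub = lambda u, v: [(a - b) % q for a, b in zip(u, v)]
smul = lambda c, u: [c * a % q for a in u]
enc = lambda *parts: b"|".join(p if isinstance(p, bytes) else bytes(p) for p in parts)
H = lambda *parts: hashlib.sha256(enc(*parts)).digest()
Com = H                                   # commitment = plain hash (no hiding randomness: assumption)

def challenges(seed, r, modulus):
    """alpha_1..alpha_r (modulus q) or ch_1..ch_r (modulus 2) from a hash counter stream."""
    out, ctr = [], 0
    while len(out) < r:
        out += [x % modulus for x in H(seed, bytes([ctr]))]
        ctr += 1
    return out[:r]

def sign(rng, sys, x, hMU, r):
    e, m = len(x), len(sys)
    C = H(enc(*(row for A, b in sys for row in A + [b])), hMU)     # step 1: C = H(P || H(M,U))
    D = H(C, hMU)                                                  #         D = H(C || H(M,U))
    rounds = []
    for _ in range(r):                                             # step 2: r commitment pairs
        r0, t0 = [rng.randrange(q) for _ in range(e)], [rng.randrange(q) for _ in range(e)]
        e0 = [rng.randrange(q) for _ in range(m)]
        r1 = vsub(x, r0)
        rounds.append((r0, r1, Com(r0, t0, e0), Com(r1, vadd(G(sys, t0, r1), e0)), t0, e0))
    COM = H(*(c for rd in rounds for c in rd[2:4]))                # 4.2: COM = H(c_{0,1}||c_{1,1}||...)
    alpha = challenges(D + COM, r, q)                              # step 3
    Rsp1 = [(vsub(smul(a, r0), t0), vsub(smul(a, P(sys, r0)), e0))             # step 4
            for (r0, _, _, _, t0, e0), a in zip(rounds, alpha)]
    ch = challenges(D + COM + enc(*(v for pair in Rsp1 for v in pair)), r, 2)  # step 5
    Rsp2 = [(r1 if c else r0, c0 if c else c1)                     # step 6: r_{ch_i,i} plus c_{1-ch_i,i}
            for (r0, r1, c0, c1, _, _), c in zip(rounds, ch)]
    return C, COM, Rsp1, Rsp2                                      # step 7

def verify(sys, hMU, sig, r):
    C, COM, Rsp1, Rsp2 = sig
    D = H(C, hMU)
    alpha = challenges(D + COM, r, q)
    ch = challenges(D + COM + enc(*(v for pair in Rsp1 for v in pair)), r, 2)
    coms = []
    for a, c, (t1, e1), (ri, c_other) in zip(alpha, ch, Rsp1, Rsp2):
        if c == 0:   # (1), first case: recompute c_{0,i} from r_{0,i}
            coms += [Com(ri, vsub(smul(a, ri), t1), vsub(smul(a, P(sys, ri)), e1)), c_other]
        else:        # (1), second case: recompute c_{1,i} from r_{1,i}
            inner = vsub(vsub(smul(a, vsub(hMU, P(sys, ri))), G(sys, t1, ri)), e1)
            coms += [c_other, Com(ri, inner)]
    return COM == H(*coms)

def demo(seed=5, m=3, e=5, r=6):
    """Returns (honest signature verifies, signature with altered responses verifies)."""
    rng = random.Random(seed)
    sys = random_system(rng, m, e)
    x = [rng.randrange(q) for _ in range(e)]           # constructed (z_1||...||z_t||z*)
    hMU = P(sys, x)                                    # H(M,U) = P(x) after the ring phase
    sig = sign(rng, sys, x, hMU, r)
    tampered = sig[:3] + ([(vadd(ri, [1] + [0] * (e - 1)), c) for ri, c in sig[3]],)
    return verify(sys, hMU, sig, r), verify(sys, hMU, tampered, r)
```

Because every commitment is bound into $\mathrm{COM}$ before $\alpha_i$ and $ch_i$ are derived, the verifier needs only the one commitment per round that (1) lets it recompute plus the other one shipped in $\mathrm{Rsp}_2$; any change to a response changes the recomputed commitment and so breaks the $\mathrm{COM}$ check.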
4.3. Security analysis
4.3.1. Anonymity
Since our blind ring signature scheme is built on top of the Rainbow ring signature scheme [16], the ring signature property ensures that the anonymity of our scheme holds unconditionally; that is to say, even if a client has unlimited computational resources, he cannot obtain any information about which member has actually participated in the interactive protocol to compute a blind ring signature.
4.3.2. Blindness
We now prove the blindness property of our scheme. In order to show blindness, it suffices to show that the information Trans that the signer obtains from an execution of the signing protocol follows the same probability distribution for any possible message. If this is proved, then in the challenge phase of the blindness game the adversary cannot obtain from Trans any information about which message $M_b$ is actually being signed, and therefore its success probability is limited to $1/2$.

Theorem 2. Assume that the distribution of $R(z)$ for uniform $z \in F_q^m$ is computationally indistinguishable from uniform, and assume that a perfectly hiding commitment scheme is used. Then our blind ring signature scheme provides blindness against any computationally bounded adversary. In particular, for any PPT adversary $\mathcal{A}$, its advantage against our scheme $\mathrm{Adv}^{\mathrm{Blindness}}_{\mathrm{BRS},\mathcal{A}}(k)$ is negligible.

Proof. In our case, Trans consists of $(U, \tilde{w}, z_1, \cdots, z_t)$, in which we recall that
$$\tilde{w} = H(M, U) - w^*,$$
where $w^* = R(z^*)$ with a random $z^* \in F_q^m$. Since $z^*$ is random, $w^*$ is computationally indistinguishable from uniform, which implies that $\tilde{w}$ is computationally indistinguishable from uniform. For the remaining values in Trans, either they are chosen by the adversary or they depend on $\tilde{w}$. In any case, their probability distribution does not depend on the signed message $M$. The rest of the proof follows the blindness property of the underlying multivariate blind signature scheme; see the proof of [20, Theorem 2] for more details.
4.3.3. Unforgeability
We are now going to prove that our scheme is one-more-unforgeable in the random oracle model, under the assumption that the Rainbow signature scheme is secure. We denote by $q_h$ the number of queries that an adversary $\mathcal{A}$ against the unforgeability of our scheme can make to the random oracle which models the behaviour of the hash function $H$.

Theorem 3. Assume that finding a solution of the equation $\sum_{i=1}^{t} \mathcal{P}_i(x_i) + R(y) = 0$, where each $\mathcal{P}_i$ is a Rainbow public key, is hard, and that the commitment function is computationally binding and hiding. Then our blind ring signature scheme satisfies the one-more-unforgeability property. That is, for all PPT adversaries $\mathcal{A}$, their advantage in winning the one-more-unforgeability game against our scheme is negligible.
Proof. Assume that there exists such a forger $\mathcal{A}$. We construct a solver $\mathcal{B}$ that finds a solution to a problem of the form $\sum_{i=1}^{t} \mathcal{P}_i(x_i) + R(y) = 0$.

First of all, $\mathcal{B}$ receives the instance $\sum_{i=1}^{t} \mathcal{P}_i(x_i) + R(y) = 0$ to solve. In order to use $\mathcal{A}$ as a sub-program, $\mathcal{B}$ will simulate a challenger and the oracles (the hash oracle and the signing oracle) for $\mathcal{A}$. He does as follows.

In the setup phase, let $U$ be a user set. For each $i = 1, \cdots, t$, $\mathcal{B}$ sends $\mathcal{P}_i$ to the user $U_i \in U$. He chooses a random $s \in F_q^m$ and sends $R + s$ to $\mathcal{A}$. In addition, we also program a backdoored random oracle
$$H'(x, U) = \sum_{i=1}^{t} \mathcal{P}_i(H_i(x)) + R(H_{t+1}(x)) + s$$
and give $\mathcal{A}$ access to it. Here $H_1, \cdots, H_t: \{0,1\}^* \to F_q^n$ and $H_{t+1}: \{0,1\}^* \to F_q^m$ are true random oracles. Whenever $\mathcal{A}$ requests a signature for a message $M \in \{0,1\}^*$, $\mathcal{B}$ answers with $(z_1, \cdots, z_t, z_{t+1})$ where $z_i = H_i(M)$ for $i = 1, \cdots, t + 1$, which is valid from the point of view of $\mathcal{A}$, since $\mathcal{A}$ can check it through its access to $H'$.

When the queries are done, $\mathcal{B}$ chooses a new message $M^*$, programs $H'(M^*, U) = s$ and sends it to $\mathcal{A}$. By assumption $\mathcal{A}$ wins and produces a valid signature $\sigma$ for $M^*$. It follows from [8] that $\mathcal{B}$ can use $\mathcal{A}$ to solve the equation
$$\sum_{i=1}^{t} \mathcal{P}_i(x_i) + R(y) + s = s,$$
which means that $\mathcal{B}$ can find a solution of the instance $\sum_{i=1}^{t} \mathcal{P}_i(x_i) + R(y) = 0$. This completes the proof.

TABLE 1. Proposed parameters for our blind ring signature scheme over GF(31). The parameters are the Rainbow parameters (v1, o1, o2).

Security level 80 bit, 84 rounds
                                   5 users      10 users     15 users
  Parameters                       (16,20,19)   (16,22,22)   (16,24,25)
  Public key size (standard) (kB)  192.7        515.3        1006.4
  Public key size (reduced) (kB)   72.1         196.4        384.2
  Signature size (kB)              35.2         69.8         109.7

Security level 100 bit, 105 rounds
                                   5 users      10 users     15 users
  Parameters                       (21,23,24)   (21,25,25)   (21,28,29)
  Public key size (standard) (kB)  351.5        813.7        1673.2
  Public key size (reduced) (kB)   127.9        297.3        619.6
  Signature size (kB)              54.1         105.8        164.1

Security level 128 bit, 135 rounds
                                   5 users      10 users     15 users
  Parameters                       (25,29,29)   (25,31,32)   (25,34,34)
  Public key size (standard) (kB)  641.1        1503.5       2820.4
  Public key size (reduced) (kB)   237.5        512.0        1055.9
  Signature size (kB)              85           164.1        251.5
4.3.4. Direct attack
It remains, for Theorem 3, to show that solving the system $\sum_{i=1}^{t} \mathcal{P}_i(x_i) + R(y) = 0$ of $m$ quadratic equations in $t \cdot n + m$ variables is hard. This system is underdetermined, and there are several issues:

1. If $t \cdot n + m = \omega \cdot m$, then a solution of the above system can be found in the same time as a solution of a determined system of $m - \lfloor \omega \rfloor + 1$ equations [26].
2. If the number of variables $t \cdot n + m$ exceeds $\frac{m(m + 3)}{2}$, then the above system can be solved in polynomial time [15].

We will choose suitable parameters that make it infeasible to solve the above system efficiently.
5. PARAMETERS
In this section, we give concrete parameters for our blind ring signature scheme. We define our scheme over $F_q = \mathrm{GF}(31)$, since MQDSS [8] was constructed over that field. The proposed parameter sets are chosen to ensure the following.

1. A direct attack against the system $\sum_{i=1}^{t} \mathcal{P}_i(x_i) + R(y) = 0$ is infeasible. That is, the parameters must make the two aforementioned methods for solving the underdetermined system infeasible.
2. Attacks against a single Rainbow scheme $\mathcal{P}(x) = w$ are infeasible. We follow [19] for choosing secure parameters for Rainbow schemes.

Petzoldt et al. [18] proposed a way to reduce the public key size of a Rainbow signature scheme. The idea is to divide the matrix of coefficients of the public polynomials into several blocks and, for two main blocks, instead of storing all entries in $F_q$, to store only one row vector per block and generate the other entries of that block by rotating the vector; see [18] for more details. With this method, for a Rainbow scheme with parameters $(v_1, o_1, o_2)$, the public key is reduced to
$$\frac{m \cdot (n + 1) \cdot (n + 2)}{2} - o_1 \cdot D_1 - (o_2 - 1) \cdot D_2 \quad F_q \text{ elements,}$$
where $D_1 = \frac{v_1 \cdot (v_1 + 1)}{2} + v_1 \cdot o_1$ and $D_2 = \frac{v_2 \cdot (v_2 + 1)}{2} + v_2 \cdot o_2$. It is mentioned in the multivariate ring signature paper [16] that one can use the same two blocks for all users to reduce the public key size further. The choice of parameter sets and the corresponding key sizes are shown in Table 1.

It follows from Table 1 that by using the method of Petzoldt et al. [18], we can reduce the public key size of our blind ring signature scheme by up to more than 62%.
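The size formulas of Sections 3.2, 4.1, 4.2 and 5 evaluated for the parameter sets of Table 1, as an added example written for this page and not the authors' code. It assumes kB = 1000 bytes and $\log_2 31$ bits per field element, and it applies the single-key reduced formula only; the sharing of the two blocks across users mentioned above, which Table 1's reduced column relies on, is not modelled:

```python
"""Public key and signature size formulas of Sections 3.2, 4.1, 4.2 and 5, checked against
Table 1.  Added example for this page, not the authors' code.  Assumptions: kB = 1000 bytes,
log2(31) bits per field element; the reduced formula is the single-key count of Section 5
(block sharing across users is not modelled)."""
import math

q = 31
BITS_PER_ELEMENT = math.log2(q)

def rainbow_dims(v1, o1, o2):
    """n = v1 + o1 + o2 variables, m = o1 + o2 equations."""
    return v1 + o1 + o2, o1 + o2

def pk_elements_standard(v1, o1, o2):
    """Section 3.2: m (n+1)(n+2)/2 field elements for one Rainbow public key."""
    n, m = rainbow_dims(v1, o1, o2)
    return m * (n + 1) * (n + 2) // 2

def pk_elements_reduced(v1, o1, o2):
    """Section 5: m(n+1)(n+2)/2 - o1 D1 - (o2-1) D2 with
    D1 = v1(v1+1)/2 + v1 o1, D2 = v2(v2+1)/2 + v2 o2, v2 = v1 + o1."""
    v2 = v1 + o1
    D1 = v1 * (v1 + 1) // 2 + v1 * o1
    D2 = v2 * (v2 + 1) // 2 + v2 * o2
    return pk_elements_standard(v1, o1, o2) - o1 * D1 - (o2 - 1) * D2

def kb(elements):
    """Field elements -> kilobytes (1000 bytes) at log2(q) bits each."""
    return elements * BITS_PER_ELEMENT / 8 / 1000

def ring_pk_kb(t, params):
    """Total standard public key size of a ring of t users, rounded as in Table 1."""
    return round(t * kb(pk_elements_standard(*params)), 1)

def ring_pk_reduced_kb(t, params):
    """Same with the single-key reduced formula (no block sharing between users)."""
    return round(t * kb(pk_elements_reduced(*params)), 1)

def sig_elements(t, params, r):
    """Field-element part of |sigma|: r (2 t n + 3 m) (Sections 4.1 and 4.2)."""
    n, m = rainbow_dims(*params)
    return r * (2 * t * n + 3 * m)

def sig_kb(t, params, r, hash_bits, com_bits, reduced=True):
    """Section 4.2: 2|hash| + r|Com| + elements; Section 4.1: 1|hash| + 2r|Com| + elements."""
    overhead = 2 * hash_bits + r * com_bits if reduced else hash_bits + 2 * r * com_bits
    return (overhead + sig_elements(t, params, r) * BITS_PER_ELEMENT) / 8 / 1000

def table1_standard_column():
    """Recompute the standard public key sizes for every (users, parameters) cell of Table 1."""
    rows = {80: [(16, 20, 19), (16, 22, 22), (16, 24, 25)],
            100: [(21, 23, 24), (21, 25, 25), (21, 28, 29)],
            128: [(25, 29, 29), (25, 31, 32), (25, 34, 34)]}
    return {(level, t): ring_pk_kb(t, p)
            for level, ps in rows.items() for t, p in zip((5, 10, 15), ps)}
```

With these conventions ring_pk_kb reproduces the standard column of Table 1 exactly for the 80-bit and 100-bit rows and for the 5- and 15-user 128-bit cells (192.7, 515.3, 1006.4, 351.5, 813.7, 1673.2, 641.1 and 2820.4 kB). For (25,31,32) with 10 users the formula gives 1562.5 kB rather than the 1503.5 kB printed; 1503.5 kB is what it gives for (25,31,31), so that cell's parameters or value appear to be misprinted. The reduced formula alone gives 28824 elements per key for (16,20,19), i.e. 89.2 kB for 5 users, so the 72.1 kB in Table 1 must come from the additional block sharing across users that this example does not model.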
6. CONCLUSION
In this paper, we propose, for the first time, a post-quantum blind ring signature scheme based on multivariate polynomials. Our scheme is constructed from the Rainbow [9, 16] and MQDSS [8, 20] signature schemes, which are two second-round candidates in the NIST Post-Quantum Cryptography Standardization Competition [2]. Our scheme is constructed over GF(31) due to the construction of MQDSS. There may be possibilities to improve our scheme and base it over the prime field GF(2) or its extensions, by utilizing the improved 3-pass identification scheme [17] and the construction of LUOV [4] together with its choice of parameters [10], which we leave as future work.
ACKNOWLEDGEMENTS
The first author is supported by the Start-Up Grant
2018-2019 from University of Wollongong. The second
author is supported by the Australian Research Council
Discovery Project DP180100665. The third author is
supported by the Seed grant (Grant ID: CIG-SEED-
1905-05) from Concordia University of Edmonton.
REFERENCES
[1] National Institute of Standards and Technology: Post-Quantum Cryptography - Call for Proposals. https://csrc.nist.gov/Projects/Post-Quantum-Cryptography/Post-Quantum-Cryptography-Standardization/Call-for-Proposals.
[2] National Institute of Standards and Technology: Post-Quantum Cryptography - Round 2 Submissions. https://csrc.nist.gov/Projects/Post-Quantum-Cryptography/Round-2-Submissions.
[3] Bernstein, D. J., Buchmann, J., and Dahmen, E.
(2009) Post-Quantum Cryptography. Springer, Berlin-
Heidleberg.
[4] Beullens, W., and Preneel, B. (2017) Field lifting
for smaller UOV public keys. In Progress in Cryptology
- INDOCRYPT 2017 - 18th International Conference
on Cryptology in India, Chennai, India, December 10-
13, 2017, pp. 227–246. Springer, Cham.
[5] Bogdanov, A., Eisenbarth, T., Rupp, A., and
Wolf, C. (2008) Time-area optimized public-key
engines: Mq-cryptosystems as replacement for elliptic
curves? International Workshop on Cryptographic
Hardware and Embedded Systems, Aug 10, pp. 45–61.
Springer, Berlin, Heidelberg.
[6] Chaum, D. (1982) Blind signatures for untraceable
payments. In Advances in Cryptology: Proceedings of
CRYPTO ’82, Santa Barbara, California, USA, August
23-25. , pp. 199–203. Springer, Boston, MA.
[7] Chen, A. I., Chen, M., Chen, T., Cheng, C., Ding,
J., Kuo, E. L., Lee, F. Y., and Yang, B. (2009)
SSE implementation of multivariate pkcs on modern
x86 cpus. In Cryptographic Hardware and Embedded
Systems - CHES 2009, 11th International Workshop,
Lausanne, Switzerland, September 6-9, pp. 33–48.
Springer, Berlin, Heidelberg.
[8] Chen, M., H¨
ulsing, A., Rijneveld, J., Samard-
jiska, S., and Schwabe, P. (2016) From 5-pass MQ
-based identification to MQ -based signatures. In Ad-
vances in Cryptology - ASIACRYPT 2016 - 22nd Inter-
national Conference on the Theory and Application of
Cryptology and Information Security, Hanoi, Vietnam,
December 4-8, Part II , pp. 135–165. Springer.
[9] Ding, J., and Schmidt, D. (2005) Rainbow, a
new multivariable polynomial signature scheme. In
Applied Cryptography and Network Security, Third
International Conference, ACNS 2005, New York, NY,
USA, June 7-10, pp. 164–175. Springer, Berlin,
Heidelberg.
[10] Duong, D. H., Luyen, L. V., and Tran, H. (2018)
Choosing subfields for luov and lrainbow signature
scheme. In Preprint 2018.
[11] Garey, M. R., and Johnson, D. S. (1979)
Computers and Intractability: A Guide to the Theory of
NP-Completeness. Vol. 1. WH Freeman, San Francisco
[12] Fiat, A., Shamir, A. (1986) How to prove yourself:
Practical solutions to identification and signature
problems. In Conference on the Theory and Application
of Cryptographic Techniques, August 11, pp. 186–194.
Springer, Berlin, Heidelberg.
[13] Herranz, J., and Laguillaumie, F. (2006) Blind
ring signatures secure under the chosen-target-cdh
assumption. In Information Security, 9th International
Conference, ISC 2006, Samos Island, Greece, August
30 - September 2, pp. 117–130. Springer, Berlin,
Heidelberg.
[14] Kipnis, A., Patarin, J., and Goubin, L. (1999)
Unbalanced oil and vinegar signature schemes. In
Advances in Cryptology - EUROCRYPT ’99, Inter-
national Conference on the Theory and Application
of Cryptographic Techniques, Prague, Czech Republic,
May 2-6, pp. 206–222. Springer, Berlin, Heidelberg.
[15] Miura, H., Hashimoto, Y., and Takagi, T.
(2013) Extended algorithm for solving underdefined
multivariate quadratic equations. In Post-Quantum
Cryptography - 5th International Workshop, PQCrypto
2013, Limoges, France, June 4-7, pp. 118–135.
Springer, Berlin, Heidelberg.
[16] Mohamed, M. S. E., and Petzoldt, A. (2017)
Ringrainbow - an efficient multivariate ring signature
scheme. In Progress in Cryptology - AFRICACRYPT
2017 - 9th International Conference on Cryptology in
Africa, Dakar, Senegal, May 24-26, pp. 3–20. Springer,
Cham.
[17] Monteiro, F. S., Goya, D. H., and Terada, R.
(2015) Improved identification protocol based on the
MQ problem. IEICE Transactions on Fundamentals of
Electronics, Communications and Computer Sciences,
6, 1255–1265.
[18] Petzoldt, A., Bulygin, S., and Buchmann, J. A.
(2010) Cyclicrainbow - A multivariate signature
scheme with a partially cyclic public key. In Progress
in Cryptology - INDOCRYPT 2010 - 11th International
Conference on Cryptology in India, Hyderabad, India,
December 12-15, pp. 33–48. Springer, Berlin,
Heidelberg.
[19] Petzoldt, A., Bulygin, S., and Buchmann, J. A.
(2010) Selecting parameters for the rainbow signature
scheme. In Post-Quantum Cryptography, Third International Workshop, PQCrypto 2010, Darmstadt, Germany, May 25-28, pp. 218–240. Springer, Berlin, Heidelberg.
[20] Petzoldt, A., Szepieniec, A., and Mohamed, M. S. E. (2017) A practical multivariate blind signature scheme. In Financial Cryptography and Data Security - 21st International Conference, FC 2017, Sliema, Malta, April 3-7, Revised Selected Papers, pp. 437–454. Springer, Cham.
[21] Pointcheval, D., and Stern, J. (2000) Security arguments for digital signatures and blind signatures. J. Cryptology, 13(3), 361–396.
[22] Rivest, R. L., Shamir, A., and Tauman, Y. (2001) How to leak a secret. In Advances in Cryptology - ASIACRYPT 2001, 7th International Conference on the Theory and Application of Cryptology and Information Security, Gold Coast, Australia, December 9-13, pp. 552–565. Springer, Berlin, Heidelberg.
[23] Rückert, M. (2010) Lattice-based blind signatures. In Advances in Cryptology - ASIACRYPT 2010 - 16th International Conference on the Theory and Application of Cryptology and Information Security, Singapore, December 5-9, pp. 413–430. Springer, Berlin, Heidelberg.
[24] Sakumoto, K., Shirai, T., and Hiwatari, H. (2011) Public-key identification schemes based on multivariate quadratic polynomials. In Advances in Cryptology - CRYPTO 2011 - 31st Annual Cryptology Conference, Santa Barbara, CA, USA, August 14-18, pp. 706–723. Springer, Berlin, Heidelberg.
[25] Shor, P. W. (1997) Polynomial-time algorithms for prime factorization and discrete logarithms on a quantum computer. SIAM J. Comput., 26(5), 1484–1509.
[26] Thomae, E., and Wolf, C. (2012) Solving underdetermined systems of multivariate quadratic equations revisited. In Public Key Cryptography - PKC 2012 - 15th International Conference on Practice and Theory in Public Key Cryptography, Darmstadt, Germany, May 21-23, pp. 156–171. Springer, Berlin, Heidelberg.
[27] Wu, Q., Zhang, F., Susilo, W., and Mu, Y. (2005) An efficient static blind ring signature scheme. In Information Security and Cryptology - ICISC 2005, 8th International Conference, Seoul, Korea, December 1-2, Revised Selected Papers, pp. 410–423. Springer, Berlin, Heidelberg.
[28] Zhang, J., Chen, H., Liu, X., and Liu, C. (2010) An efficient blind ring signature scheme without pairings. In Web-Age Information Management - WAIM 2010 International Workshops: IWGD 2010, XMLDM 2010, WCMT 2010, Jiuzhaigou Valley, China, July 15-17, Revised Selected Papers, pp. 177–188. Springer, Berlin, Heidelberg.
The Computer Journal, Vol. ??, No. ??, ????