Mqsas - A multivariate sequential aggregate signature scheme

Abstract

(Sequential) Aggregate signature schemes enable a group of users u1, …, uk with messages m1, …, mk to produce a single signature Σ which states the integrity and authenticity of all the messages m1, …, mk. The length of the signature Σ is thereby significantly shorter than a concatenation of individual signatures. Therefore, aggregate sig- natures can improve the efficiency of numerous applications, e.g. the BGPsec protocol of Internet routing and the development of new efficient aggregate signature schemes is an important task for cryptographic research. On the other hand, most of the existing schemes for aggregate signatures are based on number theoretic problems and therefore become insecure as soon as large enough quantum computers come into existence. In this paper, we propose a technique to extend multivariate signature schemes such as HFEv- to sequential aggregate signature schemes. By doing so, we create the first multivariate signature scheme of this kind, which is, at the same time, also one of the first post-quantum aggregate signature schemes. Our scheme is very efficient and offers compression rates that outperform current lattice-based constructions for practical parameters.