Lattice-Based Blind Signatures: Short, Efficient, and Round-Optimal

Abstract

We give a construction of a 2-round blind signature scheme based on the hardness of standard lattice problems (Ring/Module-SIS/LWE and NTRU) with a signature size of 22 KB. The protocol is round-optimal and has a transcript size that can be as small as 60 KB. This blind signature is around 4 times shorter than the most compact lattice-based scheme based on standard assumptions of del Pino and Katsumata (Crypto 2022) and around 2 times shorter than the scheme of Agrawal et al. (CCS 2022) based on their newly-proposed one-more-SIS assumption. We also give a construction of a "keyed-verification" blind signature scheme in which the verifier and the signer need to share a secret key. The signature size in this case is only 48 bytes, but more work needs to be done to explore the efficiency of the protocol which generates the signature.