Multisignature schemes are important primitives for saving storage and bandwidth costs in the presence of multiple signers. Such constructions are extensively used in financial applications such as Bitcoin, where more than one key is required in order to authorize Bitcoin transactions. However, many of the current state-of-the-art multisignature schemes are based on the RSA or discrete-log assumptions, which may become insecure in the future, for example due to the possibility of quantum attacks. In this paper we propose a new multisignature scheme that is built on the intractability of lattice problems that remain hard to solve even in the presence of powerful quantum computers. The size of a multisignature is quasi-optimal, and our scheme can also easily be transformed into a more general aggregate signature scheme. Finally, we give an efficient implementation of the scheme, which testifies to its practicality and competitiveness.