HSE Scientists Contribute to Development of Postquantum Ring Signature for Sber

A new cryptographic data protection mechanism has been jointly proposed by experts from the HSE Tikhonov Moscow Institute of Electronics and Mathematics, Sber, and QApp. The researchers have developed a postquantum ring signature scheme that ensures anonymity (within a defined group of participants), as well as the integrity and authentication of the source of digital transactions, even in the presence of an adversary equipped with a quantum computer.
A significant part of the work was carried out by experts from HSE MIEM, who developed an almost fully secure postquantum ring signature scheme based on NTRU lattices that is compatible with the requirements of currently used blockchain systems.
The joint development by experts from Sber, MIEM, and QApp, presented at the international conference FI Day: AI & Blockchain, addresses one of the major threats anticipated in the coming decades—the ability of quantum computers to break classical encryption and authentication algorithms.
Ekaterina Malygina, Associate Professor at the School of Applied Mathematics at HSE MIEM, spoke about the new mechanism and the contribution from HSE experts.
Ekaterina Malygina
'Quantum computers do not yet pose a practical threat, but it is already clear that as their capabilities grow, they will be able to break most modern cryptosystems, including those used in the banking sector and blockchain infrastructure, such as RSA and ECDSA. This raises legitimate concerns: an adversary who intercepts and stores encrypted data today may be able to decrypt it in the future once quantum computers become available. Therefore, the global cryptographic community is actively developing postquantum algorithms whose security is based not on factorisation or discrete logarithm problems but on other mathematical problems that are resistant to quantum attacks. The banking and financial sectors are particularly interested in such solutions, as the security of transactions and the confidentiality of customer data are fundamental to their operations.
Our solution is based on a postquantum linkable ring signature scheme that allows a participant to sign a message on behalf of a group ('ring') without revealing which member produced the signature. If the same participant signs two different messages, the signatures can be linked without disclosing the signer’s identity. This feature is extremely useful, for example, in cryptocurrencies, where it helps prevent double spending while preserving user anonymity.
The goal was to design a scheme compatible with the requirements of real-world blockchain systems. The main challenge in its development was achieving high efficiency together with flexible and versatile parameters, which is critically important for a wide range of applications in the financial sector. At present, most postquantum ring signature schemes lack such versatility and suffer from drawbacks and limitations that prevent their practical use, particularly in blockchain networks. Due to the flexibility of its parameters, our solution overcomes these limitations.
Our solution employs lattice cryptography, an independent branch of postquantum cryptography that is currently considered one of the most promising. In mathematics, a lattice is a set of points in a multidimensional space arranged in a regular structure (eg like the nodes of a net). The security of lattice-based schemes typically relies on the computational hardness of problems such as the Shortest Vector Problem (SVP)—finding the shortest nonzero vector in a lattice—or on solving systems of linear equations with errors, such as LWE and SIS. These problems are widely regarded as difficult even for quantum computers.
We developed a scheme based on NTRU lattices using a hybrid approach:
the signature generation and verification algorithms are derived from the Falcon scheme—one of the most compact and fastest lattice-based schemes submitted to the NIST standardisation process;
key generation is taken from the Mitaka scheme, an improved version of Falcon that offers greater resistance to side-channel attacks;
vector sampling is performed using the Ducas–Prest method, which eliminates floating-point operations, thereby enhancing security and making the scheme more suitable for implementation on embedded devices.
The existing Raptor framework was adapted to the modern Falcon and Mitaka algorithms, enabling us to achieve several key improvements: the elimination of floating-point arithmetic, which is crucial for hardware security; flexibility in selecting the ring size, a feature rarely seen in lattice-based ring signature schemes; and competitive signature sizes for small rings—eg those with 11 participants.
I would like to highlight the outstanding work of Artyom Kuninets, a doctoral student at MIEM. He made a key contribution by adapting the Ducas–Prest hybrid sampler for ring signature generation and integrating key generation from the Mitaka scheme. His technical work was crucial in combining the efficiency of Falcon with that of Mitaka, ensuring the correct operation of the mechanism within the lattice-based framework.'
Alexander Nam, Director of Blockchain Centre, Sberbank
'In the coming years, the security of digital systems will depend on their preparedness for quantum threats. Postquantum cryptography is not merely a replacement for existing algorithms—it is shaping an entirely new paradigm for digital security. Trust in the technologies of tomorrow relies on research like this.'
The results of this R&D have been published in the Journal of Computer Virology and Hacking Techniques, a leading cryptography journal ranked in the second quartile of the international Scopus database.


