
I have been reviewing the FIPS 204 draft specification for the ML-DSA (Module-Lattice-based Digital Signature Algorithm), which is part of NIST’s Post-Quantum Cryptography (PQC) standardization effort.

Question:

Is it possible to recover the public key (or signer identity) from the signature and message in ML-DSA, similar to secp256k1 in Bitcoin, where the public key can be recovered directly from the signature?

If ML-DSA does not support this, are there any other PQC signature schemes that allow recovery of the signer’s public key from the signature?

Maarten Bodewes
Geek

2 Answers


ML-DSA does not support this, at least in the way that ECDSA does - it uses a Fiat-Shamir (with aborts) transform that results in a signature including the challenge and the response, not the commitment and the response as in ECDSA. This means the public key cannot be solved for from the public information in the signature and the message: you would have to find the preimage of SHAKE256 to do so.
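To make the structural point above concrete, here is an added toy example (not part of either answer) in which the same Schnorr-style signing equation is packaged two ways: publishing the commitment R with the response (ECDSA-like) lets a verifier solve for the public key algebraically, while publishing the hash challenge e with the response (ML-DSA-like) leaves the public key reachable only through a hash preimage. The group parameters P, Q and G are constructed for illustration and far too small to be secure.

```python
"""Two packagings of a Fiat-Shamir signature over a toy Schnorr group.
Constructed for illustration only; the group is tiny and offers no security."""
import hashlib
from typing import Tuple

# Toy group (constructed): P and Q prime with P = 2*Q + 1,
# G = 4 generates the subgroup of prime order Q in Z_P^*.
P, Q, G = 10007, 5003, 4


def keygen(x: int) -> int:
    """Public key y = G^x mod P for a chosen private scalar x."""
    return pow(G, x, P)


def challenge(commitment: int, msg: bytes) -> int:
    """Fiat-Shamir challenge e = SHAKE256(R || msg), mapped into [1, Q-1]."""
    data = commitment.to_bytes(4, "big") + msg
    return 1 + int.from_bytes(hashlib.shake_256(data).digest(8), "big") % (Q - 1)


def sign_commitment_style(x: int, msg: bytes, k: int) -> Tuple[int, int]:
    """ECDSA-like packaging: the signature carries the commitment R and s."""
    r = pow(G, k, P)
    e = challenge(r, msg)
    return r, (k + e * x) % Q


def sign_challenge_style(x: int, msg: bytes, k: int) -> Tuple[int, int]:
    """ML-DSA-like packaging: the signature carries the challenge e and s."""
    r = pow(G, k, P)
    e = challenge(r, msg)
    return e, (k + e * x) % Q


def verify_challenge_style(y: int, msg: bytes, sig: Tuple[int, int]) -> bool:
    """Recompute R = G^s * y^-e from the public key and check it hashes to e.
    The verifier needs y to rebuild R; nothing in the signature reveals R."""
    e, s = sig
    r = pow(G, s, P) * pow(y, Q - e, P) % P   # y^-e == y^(Q-e), y has order Q
    return challenge(r, msg) == e


def recover_commitment_style(msg: bytes, sig: Tuple[int, int]) -> int:
    """With R public, G^s / R = y^e, so y = (G^s / R)^(1/e mod Q) is algebra."""
    r, s = sig
    e = challenge(r, msg)
    r_inv = pow(r, P - 2, P)                  # Fermat inverse of R mod P
    return pow(pow(G, s, P) * r_inv % P, pow(e, -1, Q), P)
```

Recovering y from a challenge-style signature would mean finding an R with challenge(R, msg) == e, that is, a SHAKE256 preimage, which is exactly the obstacle the answer describes.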


There are other post-quantum cryptographic (PQC) signature schemes that do allow this. Here are a few alternatives:

1. SPHINCS+ with Public Key Recovery (Hybrid Variants)

  • While the standard SPHINCS+ (a stateless hash-based signature scheme) does not natively support public key recovery, some variants or hybrid constructions could incorporate this feature by encoding the public key in the signature structure.

2. Picnic (Symmetric-Key-Based Signatures)

  • Picnic is a signature scheme based on symmetric primitives (like block ciphers or hash functions). While it doesn’t inherently support public key recovery, some adaptations could allow for partial reconstruction of signer information.

3. Non-PQC Traditional Schemes (for Reference)

  • ECDSA with Recovery: In classical cryptography, ECDSA supports public key recovery (as seen in Ethereum’s ecrecover). While not post-quantum, this demonstrates that such mechanisms exist in some signature schemes.

4. Custom or Hybrid PQC Schemes

  • Some newer or experimental PQC schemes may incorporate public key recovery for efficiency in certain applications (e.g., blockchain or lightweight protocols). For example:
    • SQISign: An isogeny-based signature scheme with compact signatures, though it’s unclear if it supports recovery natively.
    • Lattice-Based Schemes with Redundancy: Some lattice-based schemes could be modified to embed public key information in the signature.
R_Jalaei