A Novel Post-Quantum Blind Signature for Log System in Blockchain

In recent decades, log system management has been widely studied for data security management. System abnormalities or illegal operations can be found in time by analyzing the log and provide evidence for intrusions. In order to ensure the integrity of the log in the current system, many researchers have designed it based on blockchain. However, the emerging blockchain is facing significant security challenges with the increment of quantum computers. An attacker equipped with a quantum computer can extract the user's private key from the public key to generate a forged signature, destroy the structure of the blockchain, and threaten the security of the log system. Thus, blind signature on the lattice in post-quantum blockchain brings new security features for log systems. In our paper, to address these, firstly, we propose a novel log system based on post-quantum blockchain that can resist quantum computing attacks. Secondly, we utilize a post-quantum blind signature on the lattice to ensure both security and blindness of log system, which makes the privacy of log information to a large extent. Lastly, we enhance the security level of lattice-based blind signature under the random oracle model, and the signature size grows slowly compared with others. We also implement our protocol and conduct an extensive analysis to prove the ideas. The results show that our scheme signature size edges up subtly compared with others with the improvement of security level.


Introduction
Log system is a significant implement for a complete information system, which provides log collection, log storage, log query, etc. However, confronting illegal online access and malicious tampering, the log system lacks in log validation and user consensus. As a result, data privacy and integrity have been facing a tremendous threat [1][2][3].
In recent years, blockchain technology has set off a subversive revolution and significantly changed current transaction networks [4], especially for log system aspects. Many people favor it because of less expense and easier maintenance compared with traditional systems [5]. More importantly, decentralized structure is an innovative feature of blockchain and point-to-point direct interaction can be achieved, which helps people reach a consensus without the control of the administrators in the current log system to ensure the irreversibility of data [6]. This feature attracts many researchers to study how to design decentralized applications based on blockchain [7][8][9][10].
As the modern network information society tending to globalization, log systems based on the blockchain can withstand the attack of adversaries equipping traditional computers, but the emergence of quantum computing has threatened the security of log systems again. The importance of security is profound in terms of a more robust demand for privacy protection and identity authentication. In this way, research on blockchain security should consider traditional cryptography and other potential threats, such as quantum attacks [11]. Therefore, blockchain-based systems against quantum computing play an irrevocable role in the next few decades. In a conventional log system, blockchain is based on the Elliptic Curve Digital Signature Algorithm (ECDSA) [12] and RSA algorithm [13], which cannot deal with quantum attacks. However, suppose some individuals utilize the Shor algorithm [14] and Grover algorithm [15] to extract users' secret keys from their public keys to produce numerous unauthorized transactions or forged signatures. In that case, the valid customers will lose their privacy.
Many researchers have focused on anti-quantum methodologies [16]. Specifically, the research of lattice cryptography has been widely used against quantum computing. Some researchers proposed lattice-based construction of preimage sampleable trapdoor function in 2008 [17], and a signature scenario which is dependable security under the random oracle model based on Small Integer Solution (SIS) problem. In 2010, Cash et al. [18] proved to design other beneficial characteristics of lattice trapdoors, defined as bonsai tree technology.
Further, an effective signature protocol utilizes to identify the facticity of node content [19]. Many security protection scenarios have been proposed for the aspect of blockchain, which is roughly classified into pseudonym-based authentication, group signature [20], and blind signature. According to protecting blockchain privacy, pseudonym-based schemes are prevalent and have been researched a lot. However, it requires constant modification as to protect privacy, which creating a bottleneck for the log system. Thus, this scheme may not be the most appropriate one for our scheme. We then consider a group signature, which utilized features traits of anonymity and traceability to construct anonymous certificates. For instance, Lin et al. [21] utilized group signature to security-preserving systems. Nevertheless, as one log system needs to store revocation lists which might cause some troubles as for group signature mainly because they have to face up to a significant problem that how to choose administrators in a group which holds the most extraordinary power in the scheme, but we cannot assure whether they are honest and reliable.
Blind signature based on lattice designed by Rückert [22]. It has been getting more attention since the emergence of digital cash schemes on the blockchain, which Chaum initially introduced to make signers sign the information without seeing the plaintext. Nevertheless, the signer notices nothing about and the security signature proved by Juels et al. [23] Furthermore, Pointcheval et al. [24] studied two essential points, which are blindness and one-more unforgeability. Blindness means a signer could sign one passage without being noticed by other people. The one-more unforgeability, which could allow the signer to master the number of exceptions of valid signatures, is also essential in lattice-based blind signature. In 2019, Li et al. [25] proposed an anti-quantum proxy blind signature scheme based on lattice cryptography, ensuring user anonymity and untraceability in the Internet of Things (IoT).
In summary, our proposed scheme also has the features above. The significant contributions of this article are as follows: (1) In the current blockchain-based log system, the signer can view the log information he signed during the signing process, which poses a great threat to the security and privacy of log information. Fortunately, blind signature can effectively solve this problem. Moreover, with the development of quantum computers, malicious attackers can launch quantum computing attacks on log system, which makes the traditional cryptographic-based signature lose its protection for log information. Based on the above reasons, we have proposed a novel post-quantum blind signature scheme for log system in blockchain. (2) Firstly, in response to the problem of excessive power in the central organization of the log system, we have used blockchain technology, which can eliminate the centralized system to ensure the immutability of log information. Secondly, since the log system faces quantum computing attacks, we use lattice-based cryptography to resist quantum computing attacks from malicious attackers. Further, for the issue that signers can threaten the privacy of log information, we proposed a novel lattice-based blind signature scheme enhanced the security level to complete the signature operation in this system, which blindness protects the privacy of log information, and one-more unforgeability keeps the validity of the blind signature. (3) We analyze the security in theory and implement a complete security proof, which reduces the difficulty of malicious attackers to forge signatures to the SIS problem. Moreover, we evaluate the comprehensive performance and prove that our scheme has a smaller signature length compared with similar schemes.
2 Log System Vulnerability and Post-Quantum Blockchain 2.1 Log System Vulnerability People could collect various information by utilizing log systems, attracting more and more individuals to adopt log systems in various circumstances. In order to figure out the shortage which traditional log systems cannot avert the log from being tampered with, many researchers have applied blockchain to log systems. In 2019, Huang not only proposed a blockchain-based framework for log storage, but also utilized Inter Planetary File System (IPFS) to store log files which decreased the expenditure of storing enormous files in the blockchain [26]. However, many log systems, which storage privacy information in the blockchain, show apparent vulnerability to attackers equipped with quantum computers. The proposal of the quantum algorithm takes severe challenges to existing conventional cryptographies and results in the current blockchain system break down [27] since the Shor algorithm can solve the prime factorization problem during the polynomial-time using quantum computers.
Moreover, Proof of Work (PoW) in blockchain depends on a search problem. Unfortunately, the Grover algorithm is a robust quantum search algorithm that provides square root acceleration for many search problems. By this, the privacy of individuals' information in the log system will be seriously exposed, and the security of the log system will no longer exist.
Thus, log security in blockchain cannot be guaranteed. In our paper, a post-quantum blockchain is applied to the log system so as to solve this urgent problem.

Post-Quantum Blockchain
As interpreted in Section 2.1, our paper emphasizes the vulnerability of log to quantum attacks in systems equipping with blockchain. Therefore, we adopt post-quantum cryptography so as to make sure the security of blockchain in quantum circumstances [28]. Post-quantum cryptography includes hash function, code, lattice, and multivariate [29]. Some researchers have explored these ways deeply, like using Quantum Key Distribution (QKD) in traditional blockchain to avoid quantum attacking, but this cost too much time during new blocks generating step in most log systems.
Post-Quantum Blockchain (PQB) includes conventional blockchain and quantum cryptography, which combines the features of blockchain and resisting quantum adversary. In this paper, we apply PQB in order to not only maintain decentralization but also withstand quantum computing attacks.

Preliminaries
In this paper, we use ℝ for real numbers, and ℤ for integers. For any positive integer k, it is represented by [k] together with {1, 2, …, k}. If s is a string, the length of s is denoted by |s|. The string a||b represents a new string which is concatenated by a as well as b. For a matric A = [a 1 , …, a m ] ∈ ℤ n×m . Use e A to represent the result of matrix A after Gram-Schmidt orthogonalization. And let ||s|| = max i∈[m] ||a i ||, where || ⋅ || represents the Euclidean norm. The expression b ← B means that b is randomly and uniformly derive from the set B.

Blind Signature
Blind Signature (BS) protocol includes four concrete algorithms (Setup, Key-Gen, Sign-Gen, Sign-Veri). In the Key-Gen step, signer has to keep his/her secret key sk and the user has his/her public key pk.
Sign-Gen is an interactive scheme between signer S and user U, which shows in Fig. 1. Initially, the user computes a blinded message m b and the signer receives it. Then, signer generates a corresponding signature σ′. Lastly, user utilizes σ′ to obtain a new valid signature σ.
For the Sign-Veri part, we have to input(pk, m b , σ), and it will output for accepting as well as 0 to reject through this protocol. Therefore, we could consider blind signature is correct iff 8m; m 2 M and (pk, sk) ← Key − Gen( ⋅ ) and the Sign − Veri(pk, m, σ) = 1.
Concerning security, blind signature consists of two main proportions, which is blindness and one-more unforgeability [23]. First of all, blindness means that there is an adversarial signer S Ã who only knows independent views. We take S Ã U ðpk;m b ;m 1Àb Þ to represent two messages m b and m 1−b with a reliable user U. We then let σ b as the output U(pk, m b ), and σ 1−b as the corresponding U(pk, m 1−b ). According to these, even if one of them is wrong, the scheme will be halted. Then, the advantage of S Ã U ðpk;m b ;m 1Àb Þ can be defined as: For the other part, one-more unforgeability characteristic guarantees an adversary user U Ã only generates l successful interactions for maximum. We take U Ã U ðpk;m b ;m 1Àb Þ to denote two messages m b and Having noticed the unblinded signatures initially, the signer has to guess the bit b as for respect to m 0 , m 1 . Therefore, the advantage of U Ã U ðpk;m b ;m 1Àb Þ is defined as: ðpk; skÞ Key À GenðÁÞ (2) Our blind signature protocol is accurately blind if Adv blindness BS S Ã U ðpk;m b ;m 1Àb Þ of all attackers are negligible, and it also achieves one-more unforgeability if the corresponding Adv omuf BS U Ã U ðpk;m b ;m 1Àb Þ is negligible.

Gaussian Distribution
Gaussian distribution with lattices has been a standard model in mathematics, which use it to randomly select sections in Z n q so as to be associated with complex problems on any lattice. Definition 6 (Gaussian function): Λ ∈ ℝ m is an m-dimensional lattice. Take each vector c ∈ ℝ m and a positive number σ > 0. Then the Gaussian function is defined as: q r;c ðxÞ ¼ expð ÀpkxÀck 2 2r 2 Þ. Among them, c represents the center of Λ, and σ represents the standard deviation. If c = 0, we simplify ρ σ,c (x) to q r ðxÞ.

Rejection Sampling
There is an aborting methodology used in lattice-based cryptography for rejection samples. In this protocol, one could prevent the interactive protocol if his/her secret key leaked. As for almost all x, after taken a probability distribution f(x), we have to seek other probability distributions g(x) to certify  In this paper, we propose a log storage system on the post-quantum blockchain, including a lattice-based blind signature scheme to resist quantum computing attacks and ensure signers' log information privacy. The architecture of our system shows in Fig. 2, and the log uploading process describes as follows.
To begin with, a log owner packages her log information which she will upload. The log information is integrated into blocks in a period and stored in our post-quantum blockchain. The current owner uses her secret key to sign a signature to the transaction and to the next owner, which appends to the end of the currency. In order to ensure that the content of the transaction is kept secret from the current owner, we use a blind signature in our system. Then, the current owner broadcasts his/her transaction to the entire network, where every network node collects several unverified transactions into blocks and completes the qualification of creating a new block for these transactions through PoW. When a node accomplished PoW, it will generate a new block as well as data fingerprint including log information, public key, signature, and data fingerprint of the previous transaction so as to verify the validity of its information and link to the next block.
After that, this node broadcasts the block to the whole network, and the rest of the network checks whether the transactions contained in the block are valid. As the block containing log information passes all authentication, it is formally added to the post-quantum blockchain automatically. Consequently, log system utilized lattice-based blind signature has more robust security resisting quantum attackers and privacy protection capability for log information.

Blind Signature Algorithm
In this sector, we introduce our blind signature based on lattice protocol, which is under the average case SIS problem including four Probabilistic Polynominal À TimeðPPT Þ algorithms which contain Setup(U, S, pk, sk, M), Key − Gen(pk, sk), Sign − Gen(sk, S, U), Sign À VeriðA; B; M ; z; eÞ.
1. Setup(U, S, pk, sk, M): Initially, we denote user as U, signer as S as well as the public key and secret key denoted as pk and sk. Moreover, we let message as M. 2. Key − Gen(pk, sk): The algorithm generates A Z nÂm q and S k ← { − a, …, 0, …, a} m×k for the secret key. Considering the security as well as efficiency, we choose a as small as possible. The calculation method of the public key is (A, B), which is named pk. And B ← AS k . Therefore, the reliability of sk is depends on the SIS problem.  sends a commitment x ← Ar. Then the user gets blind factors a D m r 3 , b D m r 1 , and they compute x + Aa + Bb. Moreover, the user sets a hash function H: f0; 1g Ã ! fv 2 fÀ1; 0; 1g k ; jjvjj 1 jg to hash x + Aa + Bb with C = com(M, t), and the resulting value ε is a part of the signature. After that, the signer sends e Ã ¼ e þ b to user for cover ε. Having received e Ã , the user figures out r þ Se Ã , then sends it to the signer. In order to make sure that S is classified, the process may restart with some probability. After that, the user computes z ¼ r þ Se Ã þ a, and combines (z, ε) as last signatures. In this section, R ′ denotes a rejection in the rejection sampling lemma. If the resulting signature z is included R′, it will be useless. Moreover, user can contact signer to reopen this process and the signer could know user whether gained one valid signature because user has to send (a, b, ε, C) to the signer as a result. Consequently, the signer will verify its credibility of user who desires to reopen it, although she owns a valid signature.

Correctness
In this sector, we prove our protocol for correctness, blindness, one-more unforgeability under random oracle. For each, we propose some theorems which prove theoretically. It is unquestionable that the correctness in our proposed protocol. First, when received a blind signature , e Ã ; e . , the verifier utilizes Algorithm 1 to verify whether it is legal. If ke Ã k . b 2 or ke Ã k 1 . 9 4 , the signature will reject. Theorem 2: After at most e 2 repetitions, the blind signature process is effective.
Proof of Theorem 2: To begin with, we prove the current correctness of ε = H(Az − Tε, C). Given a message M, public key A and B, and signature (z, ε), We get: Therefore, H(Az − Tε, C) = H(x + Aa + Bb, C) = ε. In Lemma 1, we know that the probability of kzk gr ffiffiffi ffi m p is preponderant for η > 1. Thus, we get Sign − Veri(A, B, M, z, ε) = True. Moreover, we prove that the probability prob Ã m;v;r ¼ in order to let M as small as possible.
Therefore, we know that e has not do anything with correctness mainly because users can only use it.

Blindness
Blindness is one of the most significant characters that the signer only knows independent of signed message views. Thus, attackers cannot discern the views produced by different kinds of information.
Theorem 3: Our BS scheme is statistically blind since the signer only understands values that are independent of the signed message.
Proof of Theorem 3: Adversaries with advantage Adv blind BS ðS Ã Þ, S Ã interact with two different users U(pk, μ b ),U(pk, μ 1−b ) to attack our scheme. In order to prove blindness to malicious S Ã , we merely illustrates that the output of users are self-governed of their corresponding message m Ã , which involving signature (z, ε) with a challenge e Ã .
To begin with, as a challenge e Ã , we take e Ã b ; e Ã 1Àb generated by the user U(pk, μ b ) and U(pk, μ 1−b ). As we calculate e Ã ¼ e þ b which be outputted with the probability of minð D k r 1 ðeÞ M 1 D k r 1 ;e ðeÞ ; 1Þ, we have tailored ε b and ε 1−b depending on the same distribution D k r 1 . Therefore, D k r 1 is distributed with the signed message. Furthermore, according to the signature z, which resembles to e Ã , take z b and z 1−b is the signature of U(pk, μ b ) responding U(pk, μ 1−b ) as z = y + a and output it with probability minð

One-more Unforgeability
One-more unforgeability represents adversary U Ã will get l valid signatures at most which l is the amount of successful processes. We prove forging our blind signature by an adversary is equal to find an answer to the SIS q,n,m,β problem for β = 2β 2 .
Theorem 4: With probabilityδ, an attacker can fight one-more unforgeability to our blind signature. Ands, h is the account of queries towards H. Then, there is an answer to the SIS q,n,m,β problem for β = 2β 2 where b 2 ¼ ffiffiffi ffi m p ðgr 3 þ djÞ, with probability ¼ d 2 2ðsþhÞ in a polynomial-time algorithm. Proof of Theorem 4: It is abided by the fact that our signature output is self-governed of the signing key. Further, the simulator will generate a solution to the SIS problem when a malicious forger fights with onemore unforgeability.
Lemma 4: Assume that D is a user that will test Algorithm 2, s is the amount of testing D to the blind signing oracle, and h is the number of a random oracle H. Then user has the ability to differentiate the correct blind signature process from that in Algorithm 2 with the maximum probability prob max l;h ¼ 2 Ànþ1 Á sðh þ sÞ þ 1 M 2 À100 Á s. Proof of Lemma 4: In the first part, we design Algorithm 3 as follows, which is as same as a real blind signature algorithm except for output ε. We note w = a + r + Sb. Since ε ← B k , and B k = {v ∈ { − 1, 0, 1} k :‖v‖ 1 ≤ k}, it is the answer of H(Az − Bε, M) = H(Aw, M). As s is the amount of D and h is the number of random oracle H, it is unessential for use to check values (Aw, M) which will ever be h + s values. Moreover, we show that every time the Algorithm is called, with at most 2 −n+1 of probability, D will create a value y which Ay is the previous queried one. Therefore, A is regarded as A ¼ AkI, and notice that w follows D m r 0 . Consequently, for each w D m r 0 , we have Therefore, if Algorithm 3 is accessed s times, with probability at most 2 −n+1 s + 2 −n+1 h, the probability that occurs after a query is at most M 3 D m y;r 3 ðzÞ ! D m r 3 ðzÞ. After that, we calculate that the outputs of Algorithm 2 and Algorithm 3 is similar at most 2 À100 M . Thus, it is obvious for all z that the statistical distance has been vanished since we have M 3 D m y;r 3 ðzÞ ! D m r 3 ðzÞ according to Lemma 3.
Lemma 5: There is an opponent S Ã which breaks one more unforgeability successfully with probability δ, s is the amount of testing D to the blind signature protocol and h is the number of random oracle H. Consequently, with probability ¼ d 2 2ðsþhÞ , we compute a non-zero vector v ∈ ℤ m such that ||v|| < 2β 2 and Av = 0.
Proof of Lemma 5: We set randomly b ← {0, 1}, b′ ← {0, 1} to forger and signer, respectively. Then, let l = s + h , and the responses of H is ε 1 , ε 2 , …, ε l ← B k and select the appropriate value. It starts a functional element program A taking as input (A, B, b, b′, ε 1 , ε 2 , …, ε l ). After that, A has a table consisting of all queries to H in order to make sure that an element does not appear twice.
The functional element program A sends the (A, B) and b to S Ã randomly. When S Ã supposed to sign it, A will utilize a stochastic number b′ to produce the signature through Algorithm 2. During signing steps for H, the answer should be the first c i in a set (ε 1 , ε 2 , …, ε l ) that has not been used. S Ã will get s + 1 valid signature (z 1 , ε 1 ), (z 2 , ε 2 ), …, (z s+1 , ε s+1 ) for different messages with probability δ when S Ã accomplishes running after s queries.
All the output of A maintains jjzjj gr 3 ffiffiffi ffi m p . On condition that c does not respond to H, S Ã can generate a c = H(w, μ) with probability¼ 1 jB k j . In other words, c comes from (ε 1 , ε 2 , …, ε l ) with probability¼ 1 À 1 jB k j . Therefore, for some indexes i, S Ã success and generate ε = ε i with probability¼ d À 1 To a signing query, if ε i was an action by S Ã on (Az′ − Bε i , μ′), then c = c′.
There is an overwhelming probability Az = Az′, and we note that it as a means of S Ã can seek a preimage of ε i since if it not the case. Consequently, we have A(z − z′) = 0. We may figure out z ≠ z′ because the signature is different. Therefore, if kzk; kz 0 k gr 3 ffiffiffi ffi m p , we can gain kz À z 0 k 2gr 3 ffiffiffi ffi m p .
Furthermore, we assume that ε j is an action computing by an adversary to a random oracle H. To begin with, the blind signature is recorded as (z, ε j ), and then produce disparate ðe 0 j ; . . . ; e 0 s Þ B k randomly. Then, we run the subroutine again ðA; B; b; b 0 ; e 1 ; e 2 . . . ; e jÀ1 ; e 0 j ; e 0 jþ1 . . . ; e 0 s Þ. According to the lemma [28], with the probability of at least d 0 ¼ jB k j , e j 6 ¼ e 0 j and attacker utilizes the action e 0 j .
Thus, we get the subroutine's blind signature ðz 0 ; e 0 j Þ so that Aðz À z 0 þ Se 0 j À Se j Þ ¼ 0. We also get kSe 0 j À Se j þ z À z 0 k 2 ffiffiffi ffi m p ðgr þ djÞ due to the fact that kSe j k; kSe 0 j k dj ffiffiffi ffi m p .
Lemma 6 [31]: For matrix A Z nÂm q , m > nlog (q), and secret key S, there is another secret key S′ such that AS = AS′ with probability at least 1 − 2 −100 .
For any adversary, secret S or S′ has equal probability to be used, so the probability is at least 1 2 . Consequently, we obtain a non-zero vector v with at least probability of 1 2 À 1 2ðlþhÞ such that ‖v‖ ≤ 2(ησ 3 + dκ) and Av = 0. Due to Lemma 6, we know that AðSe 0 j À Se j þ z À z 0 Þ ¼ 0 when z À z 0 þ Se 0 j À Se j ¼ 0 and z À z 0 þ S 0 e 0 j À S 0 e j 6 ¼ 0. In a nutshell, there is a non-zero solution to figure the SIS q,n,m,β problem with probability ¼ d 2 2ðlþhÞ .
6 Performance Evaluation

Parameters Setting
The methodology of selecting parameters is the same as in [31] shown in Tab. 1. We choose the k = 128 bits in terms of security level; for instance, we take the Hermite factor d¼ 1:007 [32] as the notion, which considers having around 80 bits of security. Meanwhile, the complexity of the SIS problem has around 80 bits of security and considers choosing parameters n, m, q to maintain the SIS problem.
We use m = n ⋅ log (q) in order to prove the security and also let parameters k to define the size of challenges, which k should satisfy 2 k k k ! 100. σ = 12‖v‖ from Lemma 2, we derive this equation as . M 2 together with M 2 will be derived in same way. Moreover, the signature size is roughly affected by vector z as ε is merely a little bit. As for the signature z D m r 3 , therefore, the approximate size is mlog (12σ 3 ) bits.

Comparison
We conduct on Windows 10, AMD Ryzen 7 5800H with Radeon Graphics 3.20 GHz processor, 16.0GB running in RAM, and produce the simulation through MATLAB 2020. In Fig. 3, we compare the security among three blind signature schemes, including RSA blind signature, lattice-based blind signature [22], and our protocol. Although RSA blind signature size is the smallest, it could not resist quantum attacks, and also the security level of our scheme is 80 bits, but the signature size is 56.36 KB, which is smaller than [22]. This result demonstrates that our scheme can not only resist quantum computing attacks, but also has higher efficiency in same security level. Furthermore, we calculate the signature size in terms of separate security levels, including 80, 128, 256, 512, 1024, and 2048 bits, respectively, which shows in Tab. 2. The signature size of RSA and ECC according to different levels illustrate. As we present in Tab. 2, with the rising security level, its signature size of RSA skyrockets and the signature size of our protocol increases slightly. It permanently stabilizes regardless of the increment of security level shown in Fig. 4 with more concrete. This phenomenon reveals that our scheme has superior signature generation efficiency and stable storage consumption under the condition of significantly improved security level, which reflects the practicality of the scheme.
Though the signature size of ECC edges up, it is frequently 2 times of its security level. Last but not least, those two algorithms cannot resist quantum computing attacks. Therefore, our scheme is more useful in terms of security, blindness, and unforgeability than other methods utilized in the log system.

Conclusion
We present a novel post-quantum blind signature scheme for log system, which integrates a postquantum blockchain to achieve decentralization and undeniability. Moreover, we designed a lattice-based blind signature not only maintains our protocol to resist quantum computing, but satisfies the blindness and one-more unforgeability, ensuring the privacy of log information and the validity of the blind signature. In addition, through the theoretical security analysis and the comprehensive performance evaluation to prove that our scheme has superior efficiency. As this is the first paper regarding to the post-quantum blind signature to secure log system, there are still some open questions for researchers to solve and enhance like how to minimize the signature size and how to improve the security without any increase in the communication overhead. Conflicts of Interest: The authors declare that they have no conflicts of interest to report regarding the present study.