MQDSS signatures: construction
|
|
- Marilyn Jackson
- 5 years ago
- Views:
Transcription
1 MQDSS signatures: construction Ming-Shing Chen 1,2, Andreas Hülsing 3, Joost Rijneveld 4, Simona Samardjiska 5, Peter Schwabe 4 National Taiwan University 1 / Academia Sinica 2, Taipei, Taiwan Eindhoven University of Technology, The Netherlands 3 Radboud University, Nijmegen, The Netherlands 4 Ss. Cyril and Methodius University, Skopje, Republic of Macedonia Crypto Working Group 1 / 29
2 Post-quantum signatures Problem: we want a post-quantum signature scheme Security arguments Acceptable speed and size 2 / 29
3 Post-quantum signatures Problem: we want a post-quantum signature scheme Security arguments Acceptable speed and size Solutions: Hash-based: SPHINCS [BHH+15], XMSS [BDH11, HRS16] Slow or stateful Lattice-based: (Ring-)TESLA [ABB+16, ABB+15], BLISS [DDL+13], GLP [GLP12] Large keys, or additional structure MQ:? Unclear security: many broken (except HFEv-, UOV) 2 / 29
4 This work Transform class of 5-pass IDS to signature schemes Extend Fiat-Shamir transform Prove an earlier attempt [EDV+12] vacuous Amended in [DGV+16] Propose MQDSS Obtained by performing transform Hardness of MQ Instantiate and implement as MQDSS But also: Reduction in the ROM (not in QROM) No tight proof 3 / 29
5 This talk Transform class of 5-pass IDS to signature schemes Extend Fiat-Shamir transform Prove an earlier attempt [EDV+12] vacuous Amended in [DGV+16] Propose MQDSS Obtained by performing transform Hardness of MQ Instantiate and implement as MQDSS But also: Reduction in the ROM (not in QROM) No tight proof 3 / 29
6 Canonical Identification Schemes P V com R P 0 (sk) com ch ch R ChS(1 k ) resp P 1 (sk, com, ch) resp b Vf(pk, com, ch, resp) Informally: 1. Prover commits to some (randomized) value derived from sk 2. Verifier picks a challenge ch 3. Prover computes response resp 4. Verifier checks if response matches challenge 4 / 29
7 Security of the IDS Passively secure IDS Soundness: the probability that an adversary can convince is small Honest-Verifier Zero-Knowledge: simulator can fake transcripts 5 / 29
8 Security of the IDS Passively secure IDS Soundness: the probability that an adversary can convince is small Shows knowledge of secret Adversary A can guess right : soundness error κ [ ] (pk, sk) KGen(1 k ) Pr A(1 k, pk), V(pk) κ + negl(k). = 1 Honest-Verifier Zero-Knowledge: simulator can fake transcripts Shows that transcripts do not leak the secret 5 / 29
9 Fiat-Shamir transform First transform IDS with soundness error κ to negl(k) Using parallel composition 6 / 29
10 Cheating prover P V com R P 0 (sk) com ch ch R ChS(1 k ) resp P 1 (sk, com, ch) resp b Vf(pk, com, ch, resp) 7 / 29
11 Cheating prover P V com R P 0 (sk) com ch ch R ChS(1 k ) resp P 1 (sk, com, ch) resp b Vf(pk, com, ch, resp) P V ch R ChS(1 k ) com, resp R P 0 (sk, ch ) com ch ch R ChS(1 k ) If ch ch, fail resp b Vf(pk, com, ch, resp) 7 / 29
12 Parallel Canonical IDS P V com (1) R P 0 (sk) com (2) R P 0 (sk). com (r) R P 0 (sk) i com (i) i ch (i) ch (1) R ChS(1 k ) ch (2) R ChS(1 k ). ch (r) R ChS(1 k ) resp (1) P 1 (sk, com (1), ch (1) ) resp (2) P 1 (sk, com (2), ch (2) ). resp (r) P 1 (sk, com (r), ch (r) ) i resp (i) b i Vf(pk, com (i), ch (i), resp (i) ) 8 / 29
13 Fiat-Shamir transform First transform IDS with soundness error κ to negl(k) Using parallel composition Transform IDS into signature Non-interactive: Signer is prover Function H provides challenges Transcript is signature 9 / 29
14 Parallel Canonical IDS P V com (1) R P 0 (sk) com (2) R P 0 (sk). com (r) R P 0 (sk) i com (i) i ch (i) ch (1) R ChS(1 k ) ch (2) R ChS(1 k ). ch (r) R ChS(1 k ) resp (1) P 1 (sk, com (1), ch (1) ) resp (2) P 1 (sk, com (2), ch (2) ). resp (r) P 1 (sk, com (r), ch (r) ) i resp (i) b i Vf(pk, com (i), ch (i), resp (i) ) 10 / 29
15 Transformed IDS P V com (1) R P 0 (sk). com (r) R P 0 (sk) σ 0 com (1), com (2),... com (r) ch (1), ch (2),..., ch (r) H(σ 0, M) resp (1) P 1 (sk, com (1), ch (1) ). resp (r) P 1 (sk, com (r), ch (r) ) σ 1 resp (1), resp (2),... resp (r) m, σ 0, σ 1 com (1), com (2),..., com (r) σ 0 ch (1), ch (2),..., ch (r) H(σ 0, M) resp (1), resp (2),..., resp (r) σ 1 b i Vf(pk, com (i), ch (i), resp (i) ) 11 / 29
16 Fiat-Shamir transform First transform IDS with soundness error κ to negl(k) Using parallel composition Transform IDS into signature Non-interactive: Signer is prover Function H provides challenges Transcript is signature Generalize to 5-pass Benefit from lower soundness error Two challenges and responses 12 / 29
17 Fiat-Shamir transform First transform IDS with soundness error κ to negl(k) Using parallel composition Transform IDS into signature Non-interactive: Signer is prover Function H provides challenges Transcript is signature Generalize to 5-pass Benefit from lower soundness error Two challenges and responses See Simona s talk! 12 / 29
18 Canonical 5-pass IDS P V com P 0 (sk) com ch 1 ch 1 R ChS 1 (1 k ) resp 1 P 1 (sk, com, ch 1 ) resp 1 ch 2 ch 2 R ChS 2 (1 k ) resp 2 P 2 (sk, com, ch 1, resp 1, ch 2 ) resp 2 b Vf(pk, com, ch 1, resp 1, ch 2, resp 2 ) 13 / 29
19 MQ problem The function family MQ(n, m, F q ): F(x) = (f 1 (x),..., f m (x)), where f s (x) = i,j a(s) i,j x ix j + i b(s) for a (s) i,j, b(s) i F q, s {1,..., m} i x i 14 / 29
20 MQ problem The function family MQ(n, m, F q ): F(x) = (f 1 (x),..., f m (x)), where f s (x) = i,j a(s) i,j x ix j + i b(s) for a (s) i,j, b(s) i F q, s {1,..., m} i x i Problem: For given y F m q, find x F n q such that F(x) = y. 14 / 29
21 MQ problem The function family MQ(n, m, F q ): F(x) = (f 1 (x),..., f m (x)), where f s (x) = i,j a(s) i,j x ix j + i b(s) for a (s) i,j, b(s) i F q, s {1,..., m} i x i Problem: For given y F m q, find x F n q such that F(x) = y. i.e., solve the system of equations: y 1 =a (1) 1,1 x 1x 1 + a (1) 1,2 x 1x a n,nx (1) n x n + b (1) 1 x b n (1). y m =a (m) 1,1 x 1x 1 + a (m) 1,2 x 1x a n,n (m) x n x n + b (m) 1 x b n (m) x n x n 14 / 29
22 MQ problem: numerical example Example parameters: n = m = 3, F q = F 5 15 / 29
23 MQ problem: numerical example Example parameters: n = m = 3, F q = F 5 Random system of functions F: y 1 = 4x 1 x 1 + 3x 1 x 2 + 0x 1 x 3 + x 2 x 2 + 2x 2 x 3 + x 3 x 3 + 0x 1 + 2x 2 + 2x 3 y 2 = x 1 x 1 + 2x 1 x 2 + x 1 x 3 + 0x 2 x 2 + 3x 2 x 3 + 4x 3 x 3 + 0x 1 + 3x 2 + 2x 3 y 3 = 0x 1 x 1 + x 1 x 2 + 4x 1 x 3 + 3x 2 x 2 + 0x 2 x 3 + x 3 x 3 + 4x 1 + x 2 + 0x 3 15 / 29
24 MQ problem: numerical example Example parameters: n = m = 3, F q = F 5 Random system of functions F: y 1 = 4x 1 x 1 + 3x 1 x 2 + 0x 1 x 3 + x 2 x 2 + 2x 2 x 3 + x 3 x 3 + 0x 1 + 2x 2 + 2x 3 y 2 = x 1 x 1 + 2x 1 x 2 + x 1 x 3 + 0x 2 x 2 + 3x 2 x 3 + 4x 3 x 3 + 0x 1 + 3x 2 + 2x 3 y 3 = 0x 1 x 1 + x 1 x 2 + 4x 1 x 3 + 3x 2 x 2 + 0x 2 x 3 + x 3 x 3 + 4x 1 + x 2 + 0x 3 Secret input x = (1, 4, 3) 15 / 29
25 MQ problem: numerical example Example parameters: n = m = 3, F q = F 5 Random system of functions F: y 1 = 4x 1 x 1 + 3x 1 x 2 + 0x 1 x 3 + x 2 x 2 + 2x 2 x 3 + x 3 x 3 + 0x 1 + 2x 2 + 2x 3 y 2 = x 1 x 1 + 2x 1 x 2 + x 1 x 3 + 0x 2 x 2 + 3x 2 x 3 + 4x 3 x 3 + 0x 1 + 3x 2 + 2x 3 y 3 = 0x 1 x 1 + x 1 x 2 + 4x 1 x 3 + 3x 2 x 2 + 0x 2 x 3 + x 3 x 3 + 4x 1 + x 2 + 0x 3 Secret input x = (1, 4, 3) y 1 = y 2 = y 3 = / 29
26 MQ problem: numerical example Example parameters: n = m = 3, F q = F 5 Random system of functions F: y 1 = 4x 1 x 1 + 3x 1 x 2 + 0x 1 x 3 + x 2 x 2 + 2x 2 x 3 + x 3 x 3 + 0x 1 + 2x 2 + 2x 3 y 2 = x 1 x 1 + 2x 1 x 2 + x 1 x 3 + 0x 2 x 2 + 3x 2 x 3 + 4x 3 x 3 + 0x 1 + 3x 2 + 2x 3 y 3 = 0x 1 x 1 + x 1 x 2 + 4x 1 x 3 + 3x 2 x 2 + 0x 2 x 3 + x 3 x 3 + 4x 1 + x 2 + 0x 3 Secret input x = (1, 4, 3) y 1 = = 79 4 y 2 = = y 3 = = 81 1 Public output y = (4, 2, 1) 15 / 29
27 Sakumoto-Shirai-Hiwatari IDS [SSH11] Key technique: cut-and-choose for MQ Analogously, consider DLP: s = r0 + r 1 g s = g r0 g r1 16 / 29
28 Sakumoto-Shirai-Hiwatari IDS [SSH11] Key technique: cut-and-choose for MQ Analogously, consider DLP: s = r0 + r 1 g s = g r0 g r1 Bilinear map G(x, y) = F(x + y) F(x) F(y) Split s and F(s) into r0, r 1 and F(r 0 ), F(r 1 ) Since then s = r 0 + r 1 F(s) = G(r 0, r 1) + F(r 0) + F(r 1) Split r0 and F(r 0 ) further into t 0, t 1 resp. e 0, e 1 16 / 29
29 Sakumoto-Shirai-Hiwatari IDS [SSH11] Key technique: cut-and-choose for MQ Analogously, consider DLP: s = r0 + r 1 g s = g r0 g r1 Bilinear map G(x, y) = F(x + y) F(x) F(y) Split s and F(s) into r0, r 1 and F(r 0 ), F(r 1 ) Since then s = r 0 + r 1 F(s) = G(r 0, r 1) + F(r 0) + F(r 1) Split r0 and F(r 0 ) further into t 0, t 1 resp. e 0, e 1 For gs G: g s (x, y) = i,j a(s) i,j (x iy j + x j y i ) Recall: f s(x) = i,j a(s) i,j xixj + i b(s) i x i 16 / 29
30 Sakumoto-Shirai-Hiwatari IDS [SSH11] Key technique: cut-and-choose for MQ Analogously, consider DLP: s = r0 + r 1 g s = g r0 g r1 Bilinear map G(x, y) = F(x + y) F(x) F(y) Split s and F(s) into r0, r 1 and F(r 0 ), F(r 1 ) Since then s = r 0 + r 1 F(s) = G(r 0, r 1) + F(r 0) + F(r 1) Split r0 and F(r 0 ) further into t 0, t 1 resp. e 0, e 1 For gs G: g s (x, y) = i,j a(s) i,j (x iy j + x j y i ) Recall: f s(x) = i,j a(s) i,j xixj + i b(s) i See [SSH11] for details Takeaway: evaluating G evaluating F x i 16 / 29
31 Sakumoto-Shirai-Hiwatari IDS [SSH11] Key technique: cut-and-choose for MQ Analogously, consider DLP: s = r0 + r 1 g s = g r0 g r1 Bilinear map G(x, y) = F(x + y) F(x) F(y) Split s and F(s) into r0, r 1 and F(r 0 ), F(r 1 ) Since then s = r 0 + r 1 F(s) = G(r 0, r 1) + F(r 0) + F(r 1) Split r0 and F(r 0 ) further into t 0, t 1 resp. e 0, e 1 For gs G: g s (x, y) = i,j a(s) i,j (x iy j + x j y i ) Recall: f s(x) = i,j a(s) i,j xixj + i b(s) i x i See [SSH11] for details Takeaway: evaluating G evaluating F Result: reveal either r 0 or r 1, and (t 0, e 0 ) or (t 1, e 1 ) 16 / 29
32 Sakumoto-Shirai-Hiwatari 3-pass IDS [SSH11] P : (F, v, s) V : (F, v) r 0, t 0 R F n q, e 0 R F m q r 1 s r 0, t 1 r 0 t 0 e 1 F(r 0 ) e 0 c 0 Com(r 1, G(t 0, r 1 ) + e 0 ) c 1 Com(t 0, e 0 ) c 2 Com(t 1, e 1 ) (c 0, c 1, c 2 ) ch ch R {0, 1, 2} If ch = 0, resp (r 0, t 1, e 1 ) If ch = 1, resp (r 1, t 1, e 1 ) If ch = 2, resp (r 1, t 0, e 0 ) resp If ch = 0, Parse resp = (r 0, t 1, e 1 ), check? c 1 = Com(r0 t 1, F (r 0 ) e 1 )? c 2 = Com(t1, e 1 ) If ch = 1, Parse resp = (r 1, t 1, e 1 ), check? c 0 = Com(r1, v F (r 1 ) G(t 1, r 1 ) e 1 )? c 2 = Com(t1, e 1 ) If ch = 2, Parse resp = (r 1, t 0, e 0 ), check? c 0 = Com(r1, G(t 0, r 1 ) + e 0 ) c 1? = Com(t0, e 0 ) 17 / 29
33 Sakumoto-Shirai-Hiwatari 5-pass IDS [SSH11] P : (F, v, s) V : (F, v) r 0, t 0 R F n q, e 0 R F m q r 1 s r 0 c 0 Com(r 0, t 0, e 0 ) c 1 Com(r 1, G(t 0, r 1 ) + e 0 ) (c 0, c 1 ) α α R F q t 1 αr 0 t 0 e 1 αf(r 0 ) e 0 resp1 = (t 1, e 1 ) ch 2 ch 2 R {0, 1} If ch 2 = 0, resp 2 r 0 Else resp 2 r 1 resp 2 If ch 2 = 0, Parse resp 2 = r 0, check c 0? = Com(r0, αr 0 t 1, αf(r 0 ) e 1 ) Else Parse resp 2 = r 1, check c 1? = Com(r1, α(v F(r 1 )) G(t 1, r 1 ) e 1 ) 18 / 29
34 MQDSS Generate keys Sample seed SF {0, 1} k, sk F n q (S F, sk) Expand SF to F, compute pk = F(sk) (S F, pk) 19 / 29
35 MQDSS Generate keys Sample seed SF {0, 1} k, sk F n q (S F, sk) Expand SF to F, compute pk = F(sk) (S F, pk) Signing Sign randomized digest D over M 19 / 29
36 MQDSS Generate keys Sample seed SF {0, 1} k, sk F n q (S F, sk) Expand SF to F, compute pk = F(sk) (S F, pk) Signing Sign randomized digest D over M Perform r parallel rounds of transformed IDS 2r commitments, some multiplications in F q 2r MQ evaluations 19 / 29
37 Sakumoto-Shirai-Hiwatari 5-pass IDS [SSH11] P : (F, v, s) V : (F, v) r 0, t 0 R F n q, e 0 R F m q r 1 s r 0 c 0 Com(r 0, t 0, e 0 ) c 1 Com(r 1, G(t 0, r 1 ) + e 0 ) (c 0, c 1 ) α α R F q t 1 αr 0 t 0 e 1 αf(r 0 ) e 0 resp1 = (t 1, e 1 ) ch 2 ch 2 R {0, 1} If ch 2 = 0, resp 2 r 0 Else resp 2 r 1 resp 2 If ch 2 = 0, Parse resp 2 = r 0, check c 0? = Com(r0, αr 0 t 1, αf(r 0 ) e 1 ) Else Parse resp 2 = r 1, check c 1? = Com(r1, α(v F(r 1 )) G(t 1, r 1 ) e 1 ) 20 / 29
38 Sakumoto-Shirai-Hiwatari 5-pass IDS [SSH11] P : (F, v, s) V : (F, v) r 0, t 0 R F n q, e 0 R F m q r 1 s r 0 c 0 Com(r 0, t 0, e 0 ) c 1 Com(r 1, G(t 0, r 1 ) + e 0 ) (c 0, c 1 ) α α R F q t 1 αr 0 t 0 e 1 αf(r 0 ) e 0 resp1 = (t 1, e 1 ) ch 2 ch 2 R {0, 1} If ch 2 = 0, resp 2 r 0 Else resp 2 r 1 resp 2 If ch 2 = 0, Parse resp 2 = r 0, check c 0? = Com(r0, αr 0 t 1, αf(r 0 ) e 1 ) Else Parse resp 2 = r 1, check c 1? = Com(r1, α(v F(r 1 )) G(t 1, r 1 ) e 1 ) 20 / 29
39 MQDSS Generate keys Sample seed SF {0, 1} k, sk F n q (S F, sk) Expand SF to F, compute pk = F(sk) (S F, pk) Signing Sign randomized digest D over M Perform r parallel rounds of transformed IDS 2r commitments, some multiplications in F q 2r MQ evaluations Tricks to reduce size Only include necessary commits (hash others) [SSH11] Commit to seeds 21 / 29
40 Sakumoto-Shirai-Hiwatari 5-pass IDS [SSH11] P : (F, v, s) V : (F, v) r 0, t 0 R F n q, e 0 R F m q r 1 s r 0 c 0 Com(r 0, t 0, e 0 ) c 1 Com(r 1, G(t 0, r 1 ) + e 0 ) (c 0, c 1 ) α α R F q t 1 αr 0 t 0 e 1 αf(r 0 ) e 0 resp1 = (t 1, e 1 ) ch 2 ch 2 R {0, 1} If ch 2 = 0, resp 2 r 0 Else resp 2 r 1 resp 2 If ch 2 = 0, Parse resp 2 = r 0, check c 0? = Com(r0, αr 0 t 1, αf(r 0 ) e 1 ) Else Parse resp 2 = r 1, check c 1? = Com(r1, α(v F(r 1 )) G(t 1, r 1 ) e 1 ) 22 / 29
41 Sakumoto-Shirai-Hiwatari 5-pass IDS [SSH11] P : (F, v, s) V : (F, v) r 0, t 0 R F n q, e 0 R F m q r 1 s r 0 c 0 Com(r 0, t 0, e 0 ) c 1 Com(r 1, G(t 0, r 1 ) + e 0 ) H(c 0, c 1 ) α α R F q t 1 αr 0 t 0 e 1 αf(r 0 ) e 0 resp1 = (t 1, e 1 ) ch 2 ch 2 R {0, 1} If ch 2 = 0, resp 2 r 0 Else resp 2 r 1 resp 2, c (1 ch2 ) If ch 2 = 0, Parse resp 2 = r 0, c 0 Com(r 0, αr 0 t 1, αf(r 0 ) e 1 ) c 1 c 1 Else Parse resp 2 = r 1, c 0 c 0 c 1 Com(r 1, α(v F(r 1 )) G(t 1, r 1 ) e 1 ) check H(c 0, c 1 )? = H(c 0, c 1 ) 23 / 29
42 MQDSS Generate keys Sample seed SF {0, 1} k, sk F n q (S F, sk) Expand SF to F, compute pk = F(sk) (S F, pk) Signing Sign randomized digest D over M Perform r parallel rounds of transformed IDS 2r commitments, some multiplications in F q 2r MQ evaluations Tricks to reduce size Only include necessary commits (hash others) [SSH11] Commit to seeds Verifying Reconstruct D, F 24 / 29
43 MQDSS Generate keys Sample seed SF {0, 1} k, sk F n q (S F, sk) Expand SF to F, compute pk = F(sk) (S F, pk) Signing Sign randomized digest D over M Perform r parallel rounds of transformed IDS 2r commitments, some multiplications in F q 2r MQ evaluations Tricks to reduce size Only include necessary commits (hash others) [SSH11] Commit to seeds Verifying Reconstruct D, F Reconstruct challenges from σ 0, σ 1 Verify responses in σ2 24 / 29
44 MQDSS Generate keys Sample seed SF {0, 1} k, sk F n q (S F, sk) Expand SF to F, compute pk = F(sk) (S F, pk) Signing Sign randomized digest D over M Perform r parallel rounds of transformed IDS 2r commitments, some multiplications in F q 2r MQ evaluations Tricks to reduce size Only include necessary commits (hash others) [SSH11] Commit to seeds Verifying Reconstruct D, F Reconstruct challenges from σ 0, σ 1 Verify responses in σ2 Reconstruct missing commitments Check combined commitments hash 24 / 29
45 MQDSS Generate keys Sample seed SF {0, 1} k, sk F n q (S F, sk) Expand SF to F, compute pk = F(sk) (S F, pk) Signing Sign randomized digest D over M Perform r parallel rounds of transformed IDS 2r commitments, some multiplications in F q 2r MQ evaluations Tricks to reduce size Only include necessary commits (hash others) [SSH11] Commit to seeds Verifying Reconstruct D, F Reconstruct challenges from σ 0, σ 1 Verify responses in σ2 Reconstruct missing commitments Check combined commitments hash Parameters: k, n, m, F q, Com, hash functions, PRGs 24 / 29
46 MQDSS Security parameter k = 256 ( 128-bit PQ security) Soundness error κ = q+1 2q Determines number of rounds; larger q less rounds F q = F 31, n = m = / 29
47 MQDSS Security parameter k = 256 ( 128-bit PQ security) Soundness error κ = q+1 2q Determines number of rounds; larger q less rounds F q = F 31, n = m = 64 Restricted by security If m > n, F5 and Hybrid approach perform better If m < n, simply fix n m variables Classically, analysis from [BFP12]: n 51 Post-quantum: Grover search 25 / 29
48 MQDSS Security parameter k = 256 ( 128-bit PQ security) Soundness error κ = q+1 2q Determines number of rounds; larger q less rounds F q = F 31, n = m = 64 Restricted by security If m > n, F5 and Hybrid approach perform better If m < n, simply fix n m variables Classically, analysis from [BFP12]: n 51 Post-quantum: Grover search Chosen for ease of implementation Fast reduction 5-bit elements; 16x 16-bit words in AVX2 25 / 29
49 MQDSS Security parameter k = 256 ( 128-bit PQ security) Soundness error κ = q+1 2q Determines number of rounds; larger q less rounds F q = F 31, n = m = 64 Restricted by security If m > n, F5 and Hybrid approach perform better If m < n, simply fix n m variables Classically, analysis from [BFP12]: n 51 Post-quantum: Grover search Chosen for ease of implementation Fast reduction 5-bit elements; 16x 16-bit words in AVX2 In hindsight: reduce size by going lower? 25 / 29
50 MQDSS Security parameter k = 256 ( 128-bit PQ security) Soundness error κ = q+1 2q Determines number of rounds; larger q less rounds F q = F 31, n = m = 64 Restricted by security If m > n, F5 and Hybrid approach perform better If m < n, simply fix n m variables Classically, analysis from [BFP12]: n 51 Post-quantum: Grover search Chosen for ease of implementation Fast reduction 5-bit elements; 16x 16-bit words in AVX2 In hindsight: reduce size by going lower? From q = 31, we get r = 269: κ 269 < ( 1 2 ) / 29
51 MQDSS Security parameter k = 256 ( 128-bit PQ security) F q = F 31, n = m = 64 r = / 29
52 MQDSS Security parameter k = 256 ( 128-bit PQ security) F q = F 31, n = m = 64 r = 269 Commitments, hashes, PRGs: SHA3-256, SHAKE / 29
53 MQDSS Security parameter k = 256 ( 128-bit PQ security) F q = F 31, n = m = 64 r = 269 Commitments, hashes, PRGs: SHA3-256, SHAKE-128 Signature σ contains: R, for random digest 32B Hash H(commits) 32B For every round: 269 Response vectors r, t, e 3 40B Missing commit 32B 26 / 29
54 MQDSS Security parameter k = 256 ( 128-bit PQ security) F q = F 31, n = m = 64 r = 269 Commitments, hashes, PRGs: SHA3-256, SHAKE-128 Signature σ contains: R, for random digest 32B Hash H(commits) 32B For every round: 269 Response vectors r, t, e 3 40B Missing commit 32B Adds up to bytes 26 / 29
55 Evaluating MQ From F(x) to x is hard From x to F(x) should be easy 27 / 29
56 Evaluating MQ From F(x) to x is hard From x to F(x) should be fast x 0 x 1 x 2. x n x 0 x 1 x 2... x n 27 / 29
57 Evaluating MQ From F(x) to x is hard From x to F(x) should be fast x 0 x 1 x 2. x n x 0 x 1 x 2... x n 27 / 29
58 Evaluating MQ From F(x) to x is hard From x to F(x) should be fast??? x 0 x 1 x 2... x n 27 / 29
59 Evaluating MQ From F(x) to x is hard From x to F(x) should be fast??? x 0 x 1 x 2... x n 27 / 29
60 Evaluating MQ First compute monomials, then evaluate polynomials 64 elements in F 31 ; 16 (or 32) per 256 bit AVX2 register Monomials: intuition of arrangement using 4 4: A B C D E F 28 / 29
61 Evaluating MQ First compute monomials, then evaluate polynomials 64 elements in F 31 ; 16 (or 32) per 256 bit AVX2 register Monomials: intuition of arrangement using 4 4: A B C D E F A 3B 0C 1D 2E 3F 28 / 29
62 Evaluating MQ First compute monomials, then evaluate polynomials 64 elements in F 31 ; 16 (or 32) per 256 bit AVX2 register Monomials: intuition of arrangement using 4 4: <<< A B C D E F A 3B 0C 1D 2E 3F A 0B 1C 2D 3E 0F 28 / 29
63 Evaluating MQ First compute monomials, then evaluate polynomials 64 elements in F 31 ; 16 (or 32) per 256 bit AVX2 register Monomials: intuition of arrangement using 4 4: A B C D E F A 3B 0C 1D 2E 3F A 0B 1C 2D 3E 0F A 7B 4C 5D 6E 7F 28 / 29
64 Evaluating MQ First compute monomials, then evaluate polynomials 64 elements in F 31 ; 16 (or 32) per 256 bit AVX2 register Monomials: intuition of arrangement using 4 4: <<< A B C D E F A 3B 0C 1D 2E 3F A 0B 1C 2D 3E 0F A 7B 4C 5D 6E 7F A 4B 5C 6D 7E 4F 28 / 29
65 Evaluating MQ First compute monomials, then evaluate polynomials 64 elements in F 31 ; 16 (or 32) per 256 bit AVX2 register Monomials: intuition of arrangement using 4 4: A B C D E F A 3B 0C 1D 2E 3F A 0B 1C 2D 3E 0F A 7B 4C 5D 6E 7F A 4B 5C 6D 7E 4F AA BB 8C 9D AE BF 28 / 29
66 Evaluating MQ First compute monomials, then evaluate polynomials 64 elements in F 31 ; 16 (or 32) per 256 bit AVX2 register Monomials: intuition of arrangement using 4 4: <<< A B C D E F A 3B 0C 1D 2E 3F A 0B 1C 2D 3E 0F A 7B 4C 5D 6E 7F A 4B 5C 6D 7E 4F AA BB 8C 9D AE BF 90 A1 B A5 B A9 BA 8B 9C AD BE 8F 28 / 29
67 Evaluating MQ First compute monomials, then evaluate polynomials 64 elements in F 31 ; 16 (or 32) per 256 bit AVX2 register Monomials: intuition of arrangement using 4 4: A B C D E F A 3B 0C 1D 2E 3F A 0B 1C 2D 3E 0F A 7B 4C 5D 6E 7F A 4B 5C 6D 7E 4F AA BB 8C 9D AE BF 90 A1 B A5 B A9 BA 8B 9C AD BE 8F CC DD EE FF 28 / 29
68 Evaluating MQ First compute monomials, then evaluate polynomials 64 elements in F 31 ; 16 (or 32) per 256 bit AVX2 register Monomials: intuition of arrangement using 4 4: <<< A B C D E F A 3B 0C 1D 2E 3F A 0B 1C 2D 3E 0F A 7B 4C 5D 6E 7F A 4B 5C 6D 7E 4F AA BB 8C 9D AE BF 90 A1 B A5 B A9 BA 8B 9C AD BE 8F CC DD EE FF D0 E1 F2 C3 D4 E5 F6 C7 D8 E9 FA CB DC ED FE CF 28 / 29
69 Evaluating MQ First compute monomials, then evaluate polynomials 64 elements in F 31 ; 16 (or 32) per 256 bit AVX2 register Monomials: intuition of arrangement using 4 4: A B C D E F A 3B 0C 1D 2E 3F A 0B 1C 2D 3E 0F A 7B 4C 5D 6E 7F A 4B 5C 6D 7E 4F AA BB 8C 9D AE BF 90 A1 B A5 B A9 BA 8B 9C AD BE 8F CC DD EE FF D0 E1 F2 C3 D4 E5 F6 C7 D8 E9 FA CB DC ED FE CF C2 D / 29
70 Evaluating MQ First compute monomials, then evaluate polynomials 64 elements in F 31 ; 16 (or 32) per 256 bit AVX2 register Monomials: intuition of arrangement using 4 4: A B C D E F A 3B 0C 1D 2E 3F A 0B 1C 2D 3E 0F A 7B 4C 5D 6E 7F A 4B 5C 6D 7E 4F AA BB 8C 9D AE BF 90 A1 B A5 B A9 BA 8B 9C AD BE 8F CC DD EE FF D0 E1 F2 C3 D4 E5 F6 C7 D8 E9 FA CB DC ED FE CF C2 D C6 D / 29
71 Evaluating MQ First compute monomials, then evaluate polynomials 64 elements in F 31 ; 16 (or 32) per 256 bit AVX2 register Monomials: intuition of arrangement using 4 4: A B C D E F A 3B 0C 1D 2E 3F A 0B 1C 2D 3E 0F A 7B 4C 5D 6E 7F A 4B 5C 6D 7E 4F AA BB 8C 9D AE BF 90 A1 B A5 B A9 BA 8B 9C AD BE 8F CC DD EE FF D0 E1 F2 C3 D4 E5 F6 C7 D8 E9 FA CB DC ED FE CF C2 D C6 D A 1B - - 4A 5B - - 8A 9B - - CA DB / 29
72 Evaluating MQ First compute monomials, then evaluate polynomials 64 elements in F 31 ; 16 (or 32) per 256 bit AVX2 register Monomials: intuition of arrangement using 4 4: A B C D E F A 3B 0C 1D 2E 3F A 0B 1C 2D 3E 0F A 7B 4C 5D 6E 7F A 4B 5C 6D 7E 4F AA BB 8C 9D AE BF 90 A1 B A5 B A9 BA 8B 9C AD BE 8F CC DD EE FF D0 E1 F2 C3 D4 E5 F6 C7 D8 E9 FA CB DC ED FE CF C2 D C6 D A 1B - - 4A 5B - - 8A 9B - - CA DB - - 0E 1F - - 4E 5F - - 8E 9F - - CE DF / 29
73 Benchmarks & conclusion Signatures: ~40 KB ( SPHINCS) Public and private keys: 72 resp. 64 bytes Signing time: ~8.5M cycles 3.5GHz) Verification 5.2M, key generation 1.8M ~6x faster than SPHINCS, >10x slower than lattices 29 / 29
74 Benchmarks & conclusion Signatures: ~40 KB ( SPHINCS) Public and private keys: 72 resp. 64 bytes Signing time: ~8.5M cycles 3.5GHz) Verification 5.2M, key generation 1.8M ~6x faster than SPHINCS, >10x slower than lattices Competitive signatures with (non-tight) reduction to MQ Rewinding extractor for Fiat-Shamir, see e.g. [DOR+16] Relies only on MQ (and not IP) 29 / 29
75 Benchmarks & conclusion Signatures: ~40 KB ( SPHINCS) Public and private keys: 72 resp. 64 bytes Signing time: ~8.5M cycles 3.5GHz) Verification 5.2M, key generation 1.8M ~6x faster than SPHINCS, >10x slower than lattices Competitive signatures with (non-tight) reduction to MQ Rewinding extractor for Fiat-Shamir, see e.g. [DOR+16] Relies only on MQ (and not IP) Code is available (public domain): 29 / 29
76 References I Koichi Sakumoto, Taizo Shirai and Harunaga Hiwatari. Public-key identification schemes based on multivariate quadratic polynomials. In Phillip Rogaway, editor, Advances in Cryptology CRYPTO 2011, volume 6841 of LNCS, pages Springer, Sidi Mohamed El Yousfi Alaoui, Özgür Dagdelen, Pascal Véron, David Galindo and Pierre-Louis Cayrel. Extended security arguments for signature schemes. In Aikaterini Mitrokotsa and Serge Vaudenay, editors, Progress in Cryptology AFRICACRYPT 2012, volume 7374 of LNCS, pages Springer, Özgür Dagdelen, David Galindo, Pascal Véron, Sidi Mohamed El Yousfi Alaoui, and Pierre-Louis Cayrel. Extended security arguments for signature schemes. In Designs, Codes and Cryptography, 78(2), pages Springer, / 29
77 References II Daniel J. Bernstein, Diana Hopwood, Andreas Hülsing, Tanja Lange, Ruben Niederhagen, Louiza Papachristodoulou, Peter Schwabe and Zooko Wilcox O Hearn. SPHINCS: Stateless, practical, hash-based, incredibly nice cryptographic signatures. In Marc Fischlin and Elisabeth Oswald, editors, Advances in Cryptology EUROCRYPT 2015, volume 9056 of LNCS, pages Springer, Johannes Buchmann, Erik Dahmen and Andreas Hülsing. XMSS a practical forward secure signature scheme based on minimal security assumptions. In Bo-Yin Yang, editor, PQCrypto 2011, volume 7071 of LNCS, pages Springer, Andreas Hülsing, Joost Rijneveld and Fang Song. Mitigating multi-target attacks in hash-based signatures. In Chen-Mou Cheng, Kai-Min Chung, Giuseppe Persiano and Bo-Yin Yang, editors, Public-Key Cryptography PKC 2016, volume 9614 of LNCS, pages Springer, / 29
78 References III Sedat Akleylek, Nina Bindel, Johannes Buchmann, Juliane Krämer and Giorgia Azzurra Marson. An Efficient Lattice-Based Signature Scheme with Provably Secure Instantiation. In David Pointcheval, Abderrahmane Nitaj, Tajjeeddine Rachidi, editors, Progress in Cryptology AFRICACRYPT 2016, volume 9646 of LNCS, pages Springer, Erdem Alkim, Nina Bindel, Johannes Buchmann, Özgür Dagdelen and Peter Schwabe. TESLA: Tightly-Secure Efficient Signatures from Standard Lattices. In Cryptology eprint Archive, Report 2015/755, Léo Ducas, Alain Durmus, Tancrède Lepoint, and Vadim Lyubashevsky. Lattice signatures and bimodal gaussians. In Ran Canetti and Juan A. Garay, editors, Advances in Cryptology CRYPTO 2013, volume 8042 of LNCS, pages Springer, / 29
79 References IV Tim Güneysu, Vadim Lyubashevsky and Thomas Pöppelmann. Practical Lattice-Based Cryptography: A Signature Scheme for Embedded Systems. In Emmanuel Prouff and Patrick Schaumont, editors, Cryptographic Hardware and Embedded Systems CHES 2012, volume 7428 of LNCS, pages Springer, David Pointcheval and Jacques Stern. Security proofs for signature schemes. In Ueli Maurer, editor, Advances in Cryptology EUROCRYPT 1996, volume 1070 of LNCS, pages Springer, David Derler, Claudio Orlandi, Sebastian Ramacher, Christian Rechberger and Daniel Slamanig. Digital Signatures from Symmetric-Key Primitives. In Cryptology eprint Archive, Report 2016/1085, / 29
80 References V Luk Bettale, Jean-Charles Faugère, and Ludovic Perret. Solving polynomial systems over finite fields: improved analysis of the hybrid approach. In Joris van der Hoeven and Mark van Hoeij, editors, ISSAC 12 Proceedings of the 37th International Symposium on Symbolic and Algebraic Computation 34 / 29
From 5-pass MQ-based identification to MQ-based signatures
From 5-pass MQ-based identification to MQ-based signatures Ming-Shing Chen 1,2, Andreas Hülsing 3, Joost Rijneveld 4, Simona Samardjiska 5, Peter Schwabe 4 National Taiwan University 1 / Academia Sinica
More informationFrom 5-pass MQ-based identification to MQ-based signatures
From 5-pass MQ-based identification to MQ-based signatures Ming-Shing Chen 1,2, Andreas Hülsing 3, Joost Rijneveld 4, Simona Samardjiska 5, Peter Schwabe 4 National Taiwan University 1 / Academia Sinica
More informationFrom 5-pass MQ-based identification to MQ-based signatures
From 5-pass MQ-based identification to MQ-based signatures Andreas Hülsing, Joost Rijneveld, Simona Samardjiska, and Peter Schwabe 30 June 2016 1 / 31 Our take on PQ-Crypto Prepare for actual use Reliable
More informationSOFIA: MQ-based signatures in the QROM
SOFIA: MQ-based signatures in the QROM Ming-Shing Chen 1, Andreas Hülsing 2, Joost Rijneveld 3, Simona Samardjiska 3,4, and Peter Schwabe 3 1 National Taiwan University / Academia Sinica, Taipei, Taiwan
More informationMitigating Multi-Target-Attacks in Hash-based Signatures. Andreas Hülsing joint work with Joost Rijneveld, Fang Song
Mitigating Multi-Target-Attacks in Hash-based Signatures Andreas Hülsing joint work with Joost Rijneveld, Fang Song A brief motivation Trapdoor- / Identification Scheme-based (PQ-)Signatures Lattice, MQ,
More informationPublic-Key Identification Schemes based on Multivariate Quadratic Polynomials
Public-Key Identification Schemes based on Multivariate Quadratic Polynomials Koichi Sakumoto, Taizo Shirai, Harunaga Hiwatari from Tokyo, Japan Sony Corporation @CRYPTO2011 Motivation Finding a new alternative
More informationAn update on Hash-based Signatures. Andreas Hülsing
An update on Hash-based Signatures Andreas Hülsing Trapdoor- / Identification Scheme-based (PQ-)Signatures Lattice, MQ, Coding Signature and/or key sizes Runtimes Secure parameters 9-9-2015 PAGE 2... 1
More informationImproved Parameters for the Ring-TESLA Digital Signature Scheme
Improved Parameters for the Ring-TESLA Digital Signature Scheme Arjun Chopra Abstract Akleylek et al. have proposed Ring-TESLA, a practical and efficient digital signature scheme based on the Ring Learning
More informationMasking the GLP Lattice-Based Signature Scheme at any Order
Masking the GLP Lattice-Based Signature Scheme at any Order Gilles Barthe (IMDEA Software Institute) Sonia Belaïd (CryptoExperts) Thomas Espitau (UPMC) Pierre-Alain Fouque (Univ. Rennes I and IUF) Benjamin
More informationPicnic Post-Quantum Signatures from Zero Knowledge Proofs
Picnic Post-Quantum Signatures from Zero Knowledge Proofs MELISSA CHASE, MSR THE PICNIC TEAM DAVID DERLER STEVEN GOLDFEDER JONATHAN KATZ VLAD KOLESNIKOV CLAUDIO ORLANDI SEBASTIAN RAMACHER CHRISTIAN RECHBERGER
More informationPublic-Key Identification Schemes Based on Multivariate Quadratic Polynomials
Public-Key Identification Schemes Based on Multivariate Quadratic Polynomials Koichi Sakumoto, Taizo Shirai, and Harunaga Hiwatari Sony Corporation 5-1-12 Kitashinagawa Shinagawa-ku, Tokyo 141-0001, Japan
More informationOn the Complexity of the Hybrid Approach on HFEv-
On the Complexity of the Hybrid Approach on HFEv- Albrecht Petzoldt National Institute of Standards and Technology, Gaithersburg, Maryland, USA albrecht.petzoldt@gmail.com Abstract. The HFEv- signature
More informationZero-Knowledge for Multivariate Polynomials
Zero-Knowledge for Multivariate Polynomials Valérie Nachef, Jacques Patarin 2, Emmanuel Volte Department of Mathematics, University of Cergy-Pontoise, CNRS UMR 888 2 avenue Adolphe Chauvin, 95 Cergy-Pontoise
More informationDifferential Fault Attacks on Deterministic Lattice Signatures
S C I E N C E P A S S I O N T E C H N O L O G Y Differential Fault Attacks on Deterministic Lattice Signatures Leon Groot Bruinderink 1, Peter Pessl 2 1 Technische Universiteit Eindhoven, 2 Graz University
More informationA Practical Multivariate Blind Signature Scheme
A Practical Multivariate Blind Signature Scheme Albrecht Petzoldt 1, Alan Szepieniec 2, Mohamed Saied Emam Mohamed 3 albrecht.petzoldt@nist.gov, alan.szepieniec@esat.kuleuven.be, mohamed@cdc.informatik.tu-darmstadt.de
More informationPost-Quantum Cryptography & Privacy. Andreas Hülsing
Post-Quantum Cryptography & Privacy Andreas Hülsing Privacy? Too abstract? How to achieve privacy? Under the hood... Public-key crypto ECC RSA DSA Secret-key crypto AES SHA2 SHA1... Combination of both
More informationMing-Shing Chen Andreas Hülsing Joost Rijneveld Simona Samardjiska Peter Schwabe. MQDSS specifications
Ming-Shing Chen Andreas Hülsing Joost Rijneveld Simona Samardjiska Peter Schwabe MQDSS specifications Version 1.0 November 2017 Introduction TODO: This document specifies Contents Part I Backbone Results
More informationPublic-Key Identification Schemes Based on Multivariate Quadratic Polynomials
Public-Key Identification Schemes Based on Multivariate Quadratic Polynomials Koichi Sakumoto, Taizo Shirai, and Harunaga Hiwatari Sony Corporation 5-1-12 Kitashinagawa Shinagawa-ku, Tokyo 141-0001, Japan
More informationCRYSTALS Kyber and Dilithium. Peter Schwabe February 7, 2018
CRYSTALS Kyber and Dilithium Peter Schwabe peter@cryptojedi.org https://cryptojedi.org February 7, 2018 Crypto today 5 building blocks for a secure channel Symmetric crypto Block or stream cipher (e.g.,
More informationCryptographical Security in the Quantum Random Oracle Model
Cryptographical Security in the Quantum Random Oracle Model Center for Advanced Security Research Darmstadt (CASED) - TU Darmstadt, Germany June, 21st, 2012 This work is licensed under a Creative Commons
More informationMultivariate Quadratic Public-Key Cryptography Part 1: Basics
Multivariate Quadratic Public-Key Cryptography Part 1: Basics Bo-Yin Yang Academia Sinica PQCrypto Executive Summer School 2017 Eindhoven, the Netherlands Friday, 23.06.2017 B.-Y. Yang (Academia Sinica)
More informationSPHINCS: practical stateless hash-based signatures
SPHINCS: practical stateless hash-based signatures D. J. Bernstein, D. Hopwood, A. Hülsing, T. Lange, R. Niederhagen, L. Papachristodoulou, P. Schwabe, and Z. Wilcox O'Hearn Digital Signatures are Important!
More informationPost-Quantum Cryptography & Privacy. Andreas Hülsing
Post-Quantum Cryptography & Privacy Andreas Hülsing Privacy? Too abstract? How to achieve privacy? Under the hood... Asymmetric Crypto ECC RSA DSA Symmetric Crypto AES SHA2 SHA1... Combination of both
More informationCode-based identification and signature schemes in software
Author manuscript, published in "MoCrySEn 2013, Germany (2013)" Code-based identification and signature schemes in software Sidi Mohamed El Yousfi Alaoui 1, Pierre-Louis Cayrel 2, Rachid El Bansarkhani
More informationRevisiting TESLA in the quantum random oracle model
Revisiting TESLA in the quantum random oracle model Erdem Alkim 1, Nina Bindel 2, Johannes Buchmann 2, Özgür Dagdelen 3, Edward Eaton 4,5, Gus Gutoski 4, Juliane Krämer 2, and Filip Pawlega 4,5 1 Ege University,
More informationA Second Look at s Transforma3on
A Second Look at s Transforma3on - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Özgür Dagdelen Technische Universität Darmstadt Daniele Venturi Sapienza University
More informationA Lattice-Based Threshold Ring Signature Scheme (TRSS-L)
A Lattice-Based Threshold Ring Signature Scheme (TRSS-L) Pierre-Louis Cayrel 1 Richard Lindner 2 Markus Rückert 2 Rosemberg Silva 3 1 Center for Advanced Security Research Darmstadt (CASED) 2 Technische
More informationMasking the GLP Lattice-Based Signature Scheme at Any Order
Masking the GLP Lattice-Based Signature Scheme at Any Order Sonia Belaïd Joint Work with Gilles Barthe, Thomas Espitau, Pierre-Alain Fouque, Benjamin Grégoire, Mélissa Rossi, and Mehdi Tibouchi 1 / 31
More informationThe Shortest Signatures Ever
The Shortest Signatures Ever Mohamed Saied Emam Mohamed 1, Albrecht Petzoldt 2 1 Technische Universität Darmstadt, Germany 2 Kyushu University, Fukuoka, Japan mohamed@cdc.informatik.tu-darmstadt.de, petzoldt@imi.kyushu-u.ac.jp
More informationAn improved compression technique for signatures based on learning with errors
An improved compression technique for signatures based on learning with errors Shi Bai and Steven D. Galbraith Department of Mathematics, University of Auckland. CT-RSA 2014 1 / 22 Outline Introduction
More informationEnhanced Lattice-Based Signatures on Reconfigurable Hardware
Enhanced Lattice-Based Signatures on Reconfigurable Hardware Thomas Pöppelmann 1 Léo Ducas 2 Tim Güneysu 1 1 Horst Görtz Institute for IT-Security, Ruhr-University Bochum, Germany 2 University of California,
More informationNew candidates for multivariate trapdoor functions
New candidates for multivariate trapdoor functions Jaiberth Porras 1, John B. Baena 1, Jintai Ding 2,B 1 Universidad Nacional de Colombia, Medellín, Colombia 2 University of Cincinnati, Cincinnati, OH,
More informationPost-Quantum Zero-Knowledge and Signatures from Symmetric-Key Primitives
Post-Quantum Zero-Knowledge and Signatures from Symmetric-Key Primitives Melissa Chase Microsoft Research melissac@microsoft.com Claudio Orlandi Aarhus University orlandi@cs.au.dk David Derler Graz University
More informationTESLA: Tightly-Secure Efficient Signatures from Standard Lattices.
TESLA: Tightly-Secure Efficient Signatures from Standard Lattices. Erdem Alkim Nina Bindel Johannes Buchmann Özgür Dagdelen Peter Schwabe Date: 2016-10-05 Abstract Generally, lattice-based cryptographic
More informationConstructing Provably-Secure Identity-Based Signature Schemes
Constructing Provably-Secure Identity-Based Signature Schemes Chethan Kamath Indian Institute of Science, Bangalore November 23, 2013 Overview Table of contents Background Formal Definitions Schnorr Signature
More informationAn Identification Scheme Based on KEA1 Assumption
All rights are reserved and copyright of this manuscript belongs to the authors. This manuscript has been published without reviewing and editing as received from the authors: posting the manuscript to
More informationAnalysis - "Post-Quantum Security of Fiat-Shamir" by Dominic Unruh
Analysis - "Post-Quantum Security of Fiat-Shamir" by Dominic Unruh Bruno Produit Institute of Computer Science University of Tartu produit@ut.ee December 19, 2017 Abstract This document is an analysis
More informationA new zero-knowledge code based identification scheme with reduced communication
A new zero-knowledge code based identification scheme with reduced communication Carlos Aguilar, Philippe Gaborit, Julien Schrek Université de Limoges, France. {carlos.aguilar,philippe.gaborit,julien.schrek}@xlim.fr
More informationFang Song. Joint work with Sean Hallgren and Adam Smith. Computer Science and Engineering Penn State University
Fang Song Joint work with Sean Hallgren and Adam Smith Computer Science and Engineering Penn State University Are classical cryptographic protocols secure against quantum attackers? 2 Are classical cryptographic
More informationMiMC: Efficient Encryption and Cryptographic Hashing with Minimal Multiplicative Complexity
MiMC: Efficient Encryption and Cryptographic Hashing with Minimal Multiplicative Complexity. Arnab Roy 1 (joint work with Martin Albrecht 2, Lorenzo Grassi 3, Christian Rechberger 1,3 and Tyge Tiessen
More informationHash-based Signatures
Hash-based Signatures Andreas Hülsing Summer School on Post-Quantum Cryptography June 2017, TU Eindhoven Post-Quantum Signatures Lattice, MQ, Coding Signature and/or key sizes Runtimes Secure parameters
More informationMI-T-HFE, a New Multivariate Signature Scheme
MI-T-HFE, a New Multivariate Signature Scheme Wenbin Zhang and Chik How Tan Temasek Laboratories National University of Singapore tslzw@nus.edu.sg and tsltch@nus.edu.sg Abstract. In this paper, we propose
More informationLattice Reduction Attacks on HE Schemes. Martin R. Albrecht 15/03/2018
Lattice Reduction Attacks on HE Schemes Martin R. Albrecht 15/03/2018 Learning with Errors The Learning with Errors (LWE) problem was defined by Oded Regev. 1 Given (A, c) with uniform A Z m n q, uniform
More informationA Polynomial-Time Key-Recovery Attack on MQQ Cryptosystems
A Polynomial-Time Key-Recovery Attack on MQQ Cryptosystems Jean-Charles Faugère, Danilo Gligoroski, Ludovic Perret, Simona Samardjiska, Enrico Thomae PKC 2015, March 30 - April 1, Maryland, USA 2 Summary
More informationPAPER An Identification Scheme with Tight Reduction
IEICE TRANS. FUNDAMENTALS, VOL.Exx A, NO.xx XXXX 200x PAPER An Identification Scheme with Tight Reduction Seiko ARITA, Member and Natsumi KAWASHIMA, Nonmember SUMMARY There are three well-known identification
More informationFPGA-BASED ACCELERATOR FOR POST-QUANTUM SIGNATURE SCHEME SPHINCS-256
IMES FPGA-BASED ACCELERATOR FOR POST-QUANTUM SIGNATURE SCHEME SPHINCS-256 Dorian Amiet 1, Andreas Curiger 2 and Paul Zbinden 1 1 HSR Hochschule für Technik, Rapperswil, Switzerland 2 Securosys SA, Zürich,
More informationThe Advanced Encryption Standard
Lecturers: Mark D. Ryan and David Galindo. Cryptography 2017. Slide: 48 The Advanced Encryption Standard Successor of DES DES considered insecure; 3DES considered too slow. NIST competition in 1997 15
More informationRandom Oracles in a Quantum World
Dan Boneh 1 Özgür Dagdelen 2 Marc Fischlin 2 Anja Lehmann 3 Christian Schaffner 4 Mark Zhandry 1 1 Stanford University, USA 2 CASED & Darmstadt University of Technology, Germany 3 IBM Research Zurich,
More informationDigital Signature Schemes and the Random Oracle Model. A. Hülsing
Digital Signature Schemes and the Random Oracle Model A. Hülsing Today s goal Review provable security of in use signature schemes. (PKCS #1 v2.x) PAGE 1 Digital Signature Source: http://hari-cio-8a.blog.ugm.ac.id/files/2013/03/dsa.jpg
More informationHomework 3 Solutions
5233/IOC5063 Theory of Cryptology, Fall 205 Instructor Prof. Wen-Guey Tzeng Homework 3 Solutions 7-Dec-205 Scribe Amir Rezapour. Consider an unfair coin with head probability 0.5. Assume that the coin
More informationCryptography CS 555. Topic 23: Zero-Knowledge Proof and Cryptographic Commitment. CS555 Topic 23 1
Cryptography CS 555 Topic 23: Zero-Knowledge Proof and Cryptographic Commitment CS555 Topic 23 1 Outline and Readings Outline Zero-knowledge proof Fiat-Shamir protocol Schnorr protocol Commitment schemes
More informationMultivariate Public Key Cryptography or Why is there a rainbow hidden behind fields full of oil and vinegar?
Multivariate Public Key Cryptography or Why is there a rainbow hidden behind fields full of oil and vinegar? Christian Eder, Jean-Charles Faugère and Ludovic Perret Seminar on Fundamental Algorithms, University
More informationFault Attacks Against Lattice-Based Signatures
Fault Attacks Against Lattice-Based Signatures T. Espitau P-A. Fouque B. Gérard M. Tibouchi Lip6, Sorbonne Universités, Paris August 12, 2016 SAC 16 1 Towards postquantum cryptography Quantum computers
More informationOptimal Parameters for XMSS MT
Optimal Parameters for XMSS MT Andreas Hülsing, Lea Rausch, and Johannes Buchmann Cryptography and Computeralgebra Department of Computer Science TU Darmstadt, Germany huelsing@cdc.informatik.tu-darmstadt.de
More informationThe Fiat Shamir Transformation in a Quantum World
The Fiat Shamir Transformation in a Quantum World Özgür Dagdelen Marc Fischlin Tommaso Gagliardoni Technische Universität Darmstadt, Germany www.cryptoplexity.de oezguer.dagdelen @ cased.de marc.fischlin
More informationPost-quantum key exchange for the Internet based on lattices
Post-quantum key exchange for the Internet based on lattices Craig Costello Talk at MSR India Bangalore, India December 21, 2016 Based on J. Bos, C. Costello, M. Naehrig, D. Stebila Post-Quantum Key Exchange
More informationSchnorr Signature. Schnorr Signature. October 31, 2012
. October 31, 2012 Table of contents Salient Features Preliminaries Security Proofs Random Oracle Heuristic PKS and its Security Models Hardness Assumption The Construction Oracle Replay Attack Security
More informationAn improved compression technique for signatures based on learning with errors
An improved compression technique for signatures based on learning with errors Shi Bai and Steven D. Galbraith Department of Mathematics, University of Auckland, New Zealand. S.Bai@auckland.ac.nz S.Galbraith@math.auckland.ac.nz
More informationQuantum Attacks on Classical Proof Systems
Quantum Attacks on Classical Proof Systems The Hardness of Quantum Rewinding University of Tartu With Andris Ambainis, Ansis Rosmanis QCrypt 2014 Classical Crypto (Quick intro.) Quantum Attacks on Classical
More informationLittle Dragon Two: An efficient Multivariate Public Key Cryptosystem
Little Dragon Two: An efficient Multivariate Public Key Cryptosystem Rajesh P Singh, A.Saikia, B.K.Sarma Department of Mathematics Indian Institute of Technology Guwahati Guwahati -781039, India October
More informationA Classification of Differential Invariants for Multivariate Post-Quantum Cryptosystems
A Classification of Differential Invariants for Multivariate Post-Quantum Cryptosystems Ray Perlner 1 and Daniel Smith-Tone 1,2 1 National Institute of Standards and Technology, Gaithersburg, Maryland,
More informationLecture 9 and 10: Malicious Security - GMW Compiler and Cut and Choose, OT Extension
CS 294 Secure Computation February 16 and 18, 2016 Lecture 9 and 10: Malicious Security - GMW Compiler and Cut and Choose, OT Extension Instructor: Sanjam Garg Scribe: Alex Irpan 1 Overview Garbled circuits
More informationµkummer: efficient hyperelliptic signatures and key exchange on microcontrollers
µkummer: efficient hyperelliptic signatures and key exchange on microcontrollers Joost Renes 1 Peter Schwabe 1 Benjamin Smith 2 Lejla Batina 1 1 Digital Security Group, Radboud University, The Netherlands
More informationFrom Fixed-Length Messages to Arbitrary-Length Messages Practical RSA Signature Padding Schemes
From Fixed-Length Messages to Arbitrary-Length Messages Practical RSA Signature Padding Schemes [Published in D. Naccache, Ed., Topics in Cryptology CT-RSA 2001, vol. 2020 of Lecture Notes in Computer
More informationSimple SK-ID-KEM 1. 1 Introduction
1 Simple SK-ID-KEM 1 Zhaohui Cheng School of Computing Science, Middlesex University The Burroughs, Hendon, London, NW4 4BT, United Kingdom. m.z.cheng@mdx.ac.uk Abstract. In 2001, Boneh and Franklin presented
More informationCMSC 858K Introduction to Secure Computation October 18, Lecture 19
CMSC 858K Introduction to Secure Computation October 18, 2013 Lecturer: Jonathan Katz Lecture 19 Scribe(s): Alex J. Malozemoff 1 Zero Knowledge Variants and Results Recall that a proof-of-knowledge (PoK)
More informationHash-based Signatures. Andreas Hülsing
Hash-based Signatures Andreas Hülsing Post-Quantum Signatures Lattice, MQ, Coding Signature and/or key sizes Runtimes Secure parameters 23-2-2016 PAGE 2... 1 3 1 4 2 3 2 2 3 2 3 4 1 2 1 2 1 1 y x x x x
More informationCode-based cryptography
Code-based graphy Laboratoire Hubert Curien, UMR CNRS 5516, Bâtiment F 18 rue du professeur Benoît Lauras 42000 Saint-Etienne France pierre.louis.cayrel@univ-st-etienne.fr 16 Novembre 2011 Pierre-Louis
More informationSolving Multivariate Polynomial Systems
Solving Multivariate Polynomial Systems Presented by: Bo-Yin Yang work with Lab of Yang and Cheng, and Charles Bouillaguet, ENS Institute of Information Science and TWISC, Academia Sinica Taipei, Taiwan
More informationAURORA: A Cryptographic Hash Algorithm Family
AURORA: A Cryptographic Hash Algorithm Family Submitters: Sony Corporation 1 and Nagoya University 2 Algorithm Designers: Tetsu Iwata 2, Kyoji Shibutani 1, Taizo Shirai 1, Shiho Moriai 1, Toru Akishita
More informationCryptographie basée sur les codes correcteurs d erreurs et arithmétique
Cryptographie basée sur les correcteurs d erreurs et arithmétique with with with with Laboratoire Hubert Curien, UMR CNRS 5516, Bâtiment F 18 rue du professeur Benoît Lauras 42000 Saint-Etienne France
More informationSome ZK security proofs for Belenios
Some ZK security proofs for Belenios Pierrick Gaudry CNRS, INRIA, Université de Lorraine January 30, 2017 The purpose of this document is to justify the use of ZK proofs in Belenios. Most of them are exactly
More informationRandom Oracles in a Quantum World
Random Oracles in a Quantum World AsiaISG Research Seminars 2011/2012 Özgür Dagdelen, Marc Fischlin (TU Darmstadt) Dan Boneh, Mark Zhandry (Stanford University) Anja Lehmann (IBM Zurich) Christian Schaffner
More informationImproved Cryptanalysis of HFEv- via Projection
Improved Cryptanalysis of HFEv- via Projection Jintai Ding 1, Ray Perlner 2, Albrecht Petzoldt 2, and Daniel Smith-Tone 2,3 1 Department of Mathematical Sciences, University of Cincinnati, Cincinnati,
More informationAlgebraic Cryptanalysis of MQQ Public Key Cryptosystem by MutantXL
Algebraic Cryptanalysis of MQQ Public Key Cryptosystem by MutantXL Mohamed Saied Emam Mohamed 1, Jintai Ding 2, and Johannes Buchmann 1 1 TU Darmstadt, FB Informatik Hochschulstrasse 10, 64289 Darmstadt,
More informationThe Fiat Shamir Transformation in a Quantum World
The Fiat Shamir Transformation in a Quantum World Özgür Dagdelen, Marc Fischlin, and Tommaso Gagliardoni Technische Universität Darmstadt, Germany oezguer.dagdelen@cased.de, marc.fischlin@gmail.com, tommaso@gagliardoni.net
More informationReassessing Grover s Algorithm
Reassessing Grover s Algorithm Scott Fluhrer Cisco Systems, USA sfluhrer@cisco.com Abstract. We note that Grover s algorithm (and any other quantum algorithm that does a search using an oracle) does not
More informationTighter Security Proofs for GPV-IBE in the Quantum Random Oracle Model. Shuichi Katsumata (The University of Tokyo /AIST) Takashi Yamakawa (NTT)
1 Tighter Security Proofs for GPV-IBE in the Quantum Random Oracle Model (The University of Tokyo /AIST) *Pronounced as Shuichi Katsumata (The University of Tokyo /AIST) Shota Yamada (AIST) Takashi Yamakawa
More informationBoneh-Franklin Identity Based Encryption Revisited
Boneh-Franklin Identity Based Encryption Revisited David Galindo Institute for Computing and Information Sciences Radboud University Nijmegen P.O.Box 9010 6500 GL, Nijmegen, The Netherlands. d.galindo@cs.ru.nl
More informationFast Lattice-Based Encryption: Stretching SPRING
Fast Lattice-Based Encryption: Stretching SPRING Charles Bouillaguet 1 Claire Delaplace 1,2 Pierre-Alain Fouque 2 Paul Kirchner 3 1 CFHP team, CRIStAL, Université de Lille, France 2 EMSEC team, IRISA,
More informationWhat are we talking about when we talk about post-quantum cryptography?
PQC Asia Forum Seoul, 2016 What are we talking about when we talk about post-quantum cryptography? Fang Song Portland State University PQC Asia Forum Seoul, 2016 A personal view on postquantum cryptography
More informationKatz, Lindell Introduction to Modern Cryptrography
Katz, Lindell Introduction to Modern Cryptrography Slides Chapter 12 Markus Bläser, Saarland University Digital signature schemes Goal: integrity of messages Signer signs a message using a private key
More informationInvariant Subspace Attack Against Full Midori64
Invariant Subspace Attack Against Full Midori64 Jian Guo 1, Jérémy Jean 1, Ivica Nikolić 1, Kexin Qiao 1,2, Yu Sasaki 1,3, and Siang Meng Sim 1 1 Nanyang Technological University, Singapore 2 Institute
More informationFrom Fixed-Length to Arbitrary-Length RSA Encoding Schemes Revisited
From Fixed-Length to Arbitrary-Length RSA Encoding Schemes Revisited Julien Cathalo 1, Jean-Sébastien Coron 2, and David Naccache 2,3 1 UCL Crypto Group Place du Levant 3, Louvain-la-Neuve, B-1348, Belgium
More informationImproving Stateless Hash-Based Signatures
Improving Stateless Hash-Based Signatures Jean-Philippe Aumasson 1 and Guillaume Endignoux 2 1 Kudelski Security, Switzerland 2 Google, Switzerland Abstract. We present several optimizations to SPHINCS,
More informationMessage Authentication Codes (MACs)
Message Authentication Codes (MACs) Tung Chou Technische Universiteit Eindhoven, The Netherlands October 8, 2015 1 / 22 About Me 2 / 22 About Me Tung Chou (Tony) 2 / 22 About Me Tung Chou (Tony) Ph.D.
More informationOptimal Parameters for XMSSMT
Optimal Parameters for XMSSMT Andreas Hülsing, Lea Rausch, Johannes Buchmann To cite this version: Andreas Hülsing, Lea Rausch, Johannes Buchmann. Optimal Parameters for XMSSMT. Alfredo Cuzzocrea; Christian
More informationMutantXL: Solving Multivariate Polynomial Equations for Cryptanalysis
MutantXL: Solving Multivariate Polynomial Equations for Cryptanalysis Johannes Buchmann 1, Jintai Ding 2, Mohamed Saied Emam Mohamed 1, and Wael Said Abd Elmageed Mohamed 1 1 TU Darmstadt, FB Informatik
More informationCommunication-Efficient Non-Interactive Proofs of Knowledge with Online Extractors
Communication-Efficient Non-Interactive Proofs of Knowledge with Online Extractors Marc Fischlin Institute for Theoretical Computer Science, ETH Zürich, Switzerland marc.fischlin @ inf.ethz.ch http://www.fischlin.de/
More informationZero-knowledge Identification based on Lattices with Low Communication Costs
Zero-knowledge Identification based on Lattices with Low Communication Costs Rosemberg Silva 1, Pierre-Louis Cayrel 2, Richard Lindner 3 1 State University of Campinas (UNICAMP) Institute of Computing
More informationSmall Public Keys and Fast Verification for Multivariate Quadratic Public Key Systems
Small Public Keys and Fast Verification for Multivariate Quadratic Public Key Systems Albrecht Petzoldt 1, Enrico Thomae, Stanislav Bulygin 3, and Christopher Wolf 4 1,3 Technische Universität Darmstadt
More informationQuantum-Safe Crypto Why & How? JP Aumasson, Kudelski Security
Quantum-Safe Crypto Why & How? JP Aumasson, Kudelski Security Flight plan What s a quantum computer? How broken are your public keys? AES vs. quantum search Hidden quantum powers Defeating quantum computing
More informationMTAT Cryptology II. Zero-knowledge Proofs. Sven Laur University of Tartu
MTAT.07.003 Cryptology II Zero-knowledge Proofs Sven Laur University of Tartu Formal Syntax Zero-knowledge proofs pk (pk, sk) Gen α 1 β 1 β i V pk (α 1,...,α i 1 ) α i P sk (β 1,...,β i 1 ) (pk,sk)? R
More informationCryptographic Protocols Notes 2
ETH Zurich, Department of Computer Science SS 2018 Prof. Ueli Maurer Dr. Martin Hirt Chen-Da Liu Zhang Cryptographic Protocols Notes 2 Scribe: Sandro Coretti (modified by Chen-Da Liu Zhang) About the notes:
More informationBeyond the MD5 Collisions
Beyond the MD5 Collisions Daniel Joščák Daniel.Joscak@i.cz S.ICZ a.s. Hvězdova 1689/2a, 140 00 Prague 4; Faculty of Mathematics and Physics, Charles University, Prague Abstract We summarize results and
More informationA Lattice-based AKE on ARM Cortex-M4
A Lattice-based AKE on ARM Cortex-M4 Julian Speith 1, Tobias Oder 1, Marcel Kneib 2, and Tim Güneysu 1,3 1 Horst Görtz Institute for IT Security, Ruhr-Universität Bochum, Germany {julian.speith,tobias.oder,tim.gueneysu}@rub.de
More informationOn the Big Gap Between p and q in DSA
On the Big Gap Between p and in DSA Zhengjun Cao Department of Mathematics, Shanghai University, Shanghai, China, 200444. caozhj@shu.edu.cn Abstract We introduce a message attack against DSA and show that
More informationOn The (In)security Of Fischlin s Paradigm
On The (In)security Of Fischlin s Paradigm Prabhanjan Ananth 1, Raghav Bhaskar 1, Vipul Goyal 1, and Vanishree Rao 2 1 Microsoft Research India prabhanjan.va@gmail.com,{rbhaskar,vipul}@microsoft.com 2
More informationTightly-Secure Signatures From Lossy Identification Schemes
Tightly-Secure Signatures From Lossy Identification Schemes Michel Abdalla, Pierre-Alain Fouque, Vadim Lyubashevsky, and Mehdi Tibouchi 2 École normale supérieure {michel.abdalla,pierre-alain.fouque,vadim.lyubashevsky}@ens.fr
More informationReport on Learning with Errors over Rings-based HILA5 and its CCA Security
Report on Learning with Errors over Rings-based HILA5 and its CCA Security Jesús Antonio Soto Velázquez January 24, 2018 Abstract HILA5 is a cryptographic primitive based on lattices that was submitted
More information