MQDSS signatures: construction

Size: px

Start display at page:

Download "MQDSS signatures: construction"

Marilyn Jackson
5 years ago
Views:

1 MQDSS signatures: construction Ming-Shing Chen 1,2, Andreas Hülsing 3, Joost Rijneveld 4, Simona Samardjiska 5, Peter Schwabe 4 National Taiwan University 1 / Academia Sinica 2, Taipei, Taiwan Eindhoven University of Technology, The Netherlands 3 Radboud University, Nijmegen, The Netherlands 4 Ss. Cyril and Methodius University, Skopje, Republic of Macedonia Crypto Working Group 1 / 29

2 Post-quantum signatures Problem: we want a post-quantum signature scheme Security arguments Acceptable speed and size 2 / 29

3 Post-quantum signatures Problem: we want a post-quantum signature scheme Security arguments Acceptable speed and size Solutions: Hash-based: SPHINCS [BHH+15], XMSS [BDH11, HRS16] Slow or stateful Lattice-based: (Ring-)TESLA [ABB+16, ABB+15], BLISS [DDL+13], GLP [GLP12] Large keys, or additional structure MQ:? Unclear security: many broken (except HFEv-, UOV) 2 / 29

4 This work Transform class of 5-pass IDS to signature schemes Extend Fiat-Shamir transform Prove an earlier attempt [EDV+12] vacuous Amended in [DGV+16] Propose MQDSS Obtained by performing transform Hardness of MQ Instantiate and implement as MQDSS But also: Reduction in the ROM (not in QROM) No tight proof 3 / 29

5 This talk Transform class of 5-pass IDS to signature schemes Extend Fiat-Shamir transform Prove an earlier attempt [EDV+12] vacuous Amended in [DGV+16] Propose MQDSS Obtained by performing transform Hardness of MQ Instantiate and implement as MQDSS But also: Reduction in the ROM (not in QROM) No tight proof 3 / 29

6 Canonical Identification Schemes P V com R P 0 (sk) com ch ch R ChS(1 k ) resp P 1 (sk, com, ch) resp b Vf(pk, com, ch, resp) Informally: 1. Prover commits to some (randomized) value derived from sk 2. Verifier picks a challenge ch 3. Prover computes response resp 4. Verifier checks if response matches challenge 4 / 29

7 Security of the IDS Passively secure IDS Soundness: the probability that an adversary can convince is small Honest-Verifier Zero-Knowledge: simulator can fake transcripts 5 / 29

8 Security of the IDS Passively secure IDS Soundness: the probability that an adversary can convince is small Shows knowledge of secret Adversary A can guess right : soundness error κ [ ] (pk, sk) KGen(1 k ) Pr A(1 k, pk), V(pk) κ + negl(k). = 1 Honest-Verifier Zero-Knowledge: simulator can fake transcripts Shows that transcripts do not leak the secret 5 / 29

9 Fiat-Shamir transform First transform IDS with soundness error κ to negl(k) Using parallel composition 6 / 29

10 Cheating prover P V com R P 0 (sk) com ch ch R ChS(1 k ) resp P 1 (sk, com, ch) resp b Vf(pk, com, ch, resp) 7 / 29

11 Cheating prover P V com R P 0 (sk) com ch ch R ChS(1 k ) resp P 1 (sk, com, ch) resp b Vf(pk, com, ch, resp) P V ch R ChS(1 k ) com, resp R P 0 (sk, ch ) com ch ch R ChS(1 k ) If ch ch, fail resp b Vf(pk, com, ch, resp) 7 / 29

12 Parallel Canonical IDS P V com (1) R P 0 (sk) com (2) R P 0 (sk). com (r) R P 0 (sk) i com (i) i ch (i) ch (1) R ChS(1 k ) ch (2) R ChS(1 k ). ch (r) R ChS(1 k ) resp (1) P 1 (sk, com (1), ch (1) ) resp (2) P 1 (sk, com (2), ch (2) ). resp (r) P 1 (sk, com (r), ch (r) ) i resp (i) b i Vf(pk, com (i), ch (i), resp (i) ) 8 / 29

13 Fiat-Shamir transform First transform IDS with soundness error κ to negl(k) Using parallel composition Transform IDS into signature Non-interactive: Signer is prover Function H provides challenges Transcript is signature 9 / 29

14 Parallel Canonical IDS P V com (1) R P 0 (sk) com (2) R P 0 (sk). com (r) R P 0 (sk) i com (i) i ch (i) ch (1) R ChS(1 k ) ch (2) R ChS(1 k ). ch (r) R ChS(1 k ) resp (1) P 1 (sk, com (1), ch (1) ) resp (2) P 1 (sk, com (2), ch (2) ). resp (r) P 1 (sk, com (r), ch (r) ) i resp (i) b i Vf(pk, com (i), ch (i), resp (i) ) 10 / 29

15 Transformed IDS P V com (1) R P 0 (sk). com (r) R P 0 (sk) σ 0 com (1), com (2),... com (r) ch (1), ch (2),..., ch (r) H(σ 0, M) resp (1) P 1 (sk, com (1), ch (1) ). resp (r) P 1 (sk, com (r), ch (r) ) σ 1 resp (1), resp (2),... resp (r) m, σ 0, σ 1 com (1), com (2),..., com (r) σ 0 ch (1), ch (2),..., ch (r) H(σ 0, M) resp (1), resp (2),..., resp (r) σ 1 b i Vf(pk, com (i), ch (i), resp (i) ) 11 / 29

16 Fiat-Shamir transform First transform IDS with soundness error κ to negl(k) Using parallel composition Transform IDS into signature Non-interactive: Signer is prover Function H provides challenges Transcript is signature Generalize to 5-pass Benefit from lower soundness error Two challenges and responses 12 / 29

17 Fiat-Shamir transform First transform IDS with soundness error κ to negl(k) Using parallel composition Transform IDS into signature Non-interactive: Signer is prover Function H provides challenges Transcript is signature Generalize to 5-pass Benefit from lower soundness error Two challenges and responses See Simona s talk! 12 / 29

18 Canonical 5-pass IDS P V com P 0 (sk) com ch 1 ch 1 R ChS 1 (1 k ) resp 1 P 1 (sk, com, ch 1 ) resp 1 ch 2 ch 2 R ChS 2 (1 k ) resp 2 P 2 (sk, com, ch 1, resp 1, ch 2 ) resp 2 b Vf(pk, com, ch 1, resp 1, ch 2, resp 2 ) 13 / 29

19 MQ problem The function family MQ(n, m, F q ): F(x) = (f 1 (x),..., f m (x)), where f s (x) = i,j a(s) i,j x ix j + i b(s) for a (s) i,j, b(s) i F q, s {1,..., m} i x i 14 / 29

20 MQ problem The function family MQ(n, m, F q ): F(x) = (f 1 (x),..., f m (x)), where f s (x) = i,j a(s) i,j x ix j + i b(s) for a (s) i,j, b(s) i F q, s {1,..., m} i x i Problem: For given y F m q, find x F n q such that F(x) = y. 14 / 29

21 MQ problem The function family MQ(n, m, F q ): F(x) = (f 1 (x),..., f m (x)), where f s (x) = i,j a(s) i,j x ix j + i b(s) for a (s) i,j, b(s) i F q, s {1,..., m} i x i Problem: For given y F m q, find x F n q such that F(x) = y. i.e., solve the system of equations: y 1 =a (1) 1,1 x 1x 1 + a (1) 1,2 x 1x a n,nx (1) n x n + b (1) 1 x b n (1). y m =a (m) 1,1 x 1x 1 + a (m) 1,2 x 1x a n,n (m) x n x n + b (m) 1 x b n (m) x n x n 14 / 29

22 MQ problem: numerical example Example parameters: n = m = 3, F q = F 5 15 / 29

23 MQ problem: numerical example Example parameters: n = m = 3, F q = F 5 Random system of functions F: y 1 = 4x 1 x 1 + 3x 1 x 2 + 0x 1 x 3 + x 2 x 2 + 2x 2 x 3 + x 3 x 3 + 0x 1 + 2x 2 + 2x 3 y 2 = x 1 x 1 + 2x 1 x 2 + x 1 x 3 + 0x 2 x 2 + 3x 2 x 3 + 4x 3 x 3 + 0x 1 + 3x 2 + 2x 3 y 3 = 0x 1 x 1 + x 1 x 2 + 4x 1 x 3 + 3x 2 x 2 + 0x 2 x 3 + x 3 x 3 + 4x 1 + x 2 + 0x 3 15 / 29

24 MQ problem: numerical example Example parameters: n = m = 3, F q = F 5 Random system of functions F: y 1 = 4x 1 x 1 + 3x 1 x 2 + 0x 1 x 3 + x 2 x 2 + 2x 2 x 3 + x 3 x 3 + 0x 1 + 2x 2 + 2x 3 y 2 = x 1 x 1 + 2x 1 x 2 + x 1 x 3 + 0x 2 x 2 + 3x 2 x 3 + 4x 3 x 3 + 0x 1 + 3x 2 + 2x 3 y 3 = 0x 1 x 1 + x 1 x 2 + 4x 1 x 3 + 3x 2 x 2 + 0x 2 x 3 + x 3 x 3 + 4x 1 + x 2 + 0x 3 Secret input x = (1, 4, 3) 15 / 29

25 MQ problem: numerical example Example parameters: n = m = 3, F q = F 5 Random system of functions F: y 1 = 4x 1 x 1 + 3x 1 x 2 + 0x 1 x 3 + x 2 x 2 + 2x 2 x 3 + x 3 x 3 + 0x 1 + 2x 2 + 2x 3 y 2 = x 1 x 1 + 2x 1 x 2 + x 1 x 3 + 0x 2 x 2 + 3x 2 x 3 + 4x 3 x 3 + 0x 1 + 3x 2 + 2x 3 y 3 = 0x 1 x 1 + x 1 x 2 + 4x 1 x 3 + 3x 2 x 2 + 0x 2 x 3 + x 3 x 3 + 4x 1 + x 2 + 0x 3 Secret input x = (1, 4, 3) y 1 = y 2 = y 3 = / 29

26 MQ problem: numerical example Example parameters: n = m = 3, F q = F 5 Random system of functions F: y 1 = 4x 1 x 1 + 3x 1 x 2 + 0x 1 x 3 + x 2 x 2 + 2x 2 x 3 + x 3 x 3 + 0x 1 + 2x 2 + 2x 3 y 2 = x 1 x 1 + 2x 1 x 2 + x 1 x 3 + 0x 2 x 2 + 3x 2 x 3 + 4x 3 x 3 + 0x 1 + 3x 2 + 2x 3 y 3 = 0x 1 x 1 + x 1 x 2 + 4x 1 x 3 + 3x 2 x 2 + 0x 2 x 3 + x 3 x 3 + 4x 1 + x 2 + 0x 3 Secret input x = (1, 4, 3) y 1 = = 79 4 y 2 = = y 3 = = 81 1 Public output y = (4, 2, 1) 15 / 29

27 Sakumoto-Shirai-Hiwatari IDS [SSH11] Key technique: cut-and-choose for MQ Analogously, consider DLP: s = r0 + r 1 g s = g r0 g r1 16 / 29

28 Sakumoto-Shirai-Hiwatari IDS [SSH11] Key technique: cut-and-choose for MQ Analogously, consider DLP: s = r0 + r 1 g s = g r0 g r1 Bilinear map G(x, y) = F(x + y) F(x) F(y) Split s and F(s) into r0, r 1 and F(r 0 ), F(r 1 ) Since then s = r 0 + r 1 F(s) = G(r 0, r 1) + F(r 0) + F(r 1) Split r0 and F(r 0 ) further into t 0, t 1 resp. e 0, e 1 16 / 29

29 Sakumoto-Shirai-Hiwatari IDS [SSH11] Key technique: cut-and-choose for MQ Analogously, consider DLP: s = r0 + r 1 g s = g r0 g r1 Bilinear map G(x, y) = F(x + y) F(x) F(y) Split s and F(s) into r0, r 1 and F(r 0 ), F(r 1 ) Since then s = r 0 + r 1 F(s) = G(r 0, r 1) + F(r 0) + F(r 1) Split r0 and F(r 0 ) further into t 0, t 1 resp. e 0, e 1 For gs G: g s (x, y) = i,j a(s) i,j (x iy j + x j y i ) Recall: f s(x) = i,j a(s) i,j xixj + i b(s) i x i 16 / 29

30 Sakumoto-Shirai-Hiwatari IDS [SSH11] Key technique: cut-and-choose for MQ Analogously, consider DLP: s = r0 + r 1 g s = g r0 g r1 Bilinear map G(x, y) = F(x + y) F(x) F(y) Split s and F(s) into r0, r 1 and F(r 0 ), F(r 1 ) Since then s = r 0 + r 1 F(s) = G(r 0, r 1) + F(r 0) + F(r 1) Split r0 and F(r 0 ) further into t 0, t 1 resp. e 0, e 1 For gs G: g s (x, y) = i,j a(s) i,j (x iy j + x j y i ) Recall: f s(x) = i,j a(s) i,j xixj + i b(s) i See [SSH11] for details Takeaway: evaluating G evaluating F x i 16 / 29

31 Sakumoto-Shirai-Hiwatari IDS [SSH11] Key technique: cut-and-choose for MQ Analogously, consider DLP: s = r0 + r 1 g s = g r0 g r1 Bilinear map G(x, y) = F(x + y) F(x) F(y) Split s and F(s) into r0, r 1 and F(r 0 ), F(r 1 ) Since then s = r 0 + r 1 F(s) = G(r 0, r 1) + F(r 0) + F(r 1) Split r0 and F(r 0 ) further into t 0, t 1 resp. e 0, e 1 For gs G: g s (x, y) = i,j a(s) i,j (x iy j + x j y i ) Recall: f s(x) = i,j a(s) i,j xixj + i b(s) i x i See [SSH11] for details Takeaway: evaluating G evaluating F Result: reveal either r 0 or r 1, and (t 0, e 0 ) or (t 1, e 1 ) 16 / 29

32 Sakumoto-Shirai-Hiwatari 3-pass IDS [SSH11] P : (F, v, s) V : (F, v) r 0, t 0 R F n q, e 0 R F m q r 1 s r 0, t 1 r 0 t 0 e 1 F(r 0 ) e 0 c 0 Com(r 1, G(t 0, r 1 ) + e 0 ) c 1 Com(t 0, e 0 ) c 2 Com(t 1, e 1 ) (c 0, c 1, c 2 ) ch ch R {0, 1, 2} If ch = 0, resp (r 0, t 1, e 1 ) If ch = 1, resp (r 1, t 1, e 1 ) If ch = 2, resp (r 1, t 0, e 0 ) resp If ch = 0, Parse resp = (r 0, t 1, e 1 ), check? c 1 = Com(r0 t 1, F (r 0 ) e 1 )? c 2 = Com(t1, e 1 ) If ch = 1, Parse resp = (r 1, t 1, e 1 ), check? c 0 = Com(r1, v F (r 1 ) G(t 1, r 1 ) e 1 )? c 2 = Com(t1, e 1 ) If ch = 2, Parse resp = (r 1, t 0, e 0 ), check? c 0 = Com(r1, G(t 0, r 1 ) + e 0 ) c 1? = Com(t0, e 0 ) 17 / 29

33 Sakumoto-Shirai-Hiwatari 5-pass IDS [SSH11] P : (F, v, s) V : (F, v) r 0, t 0 R F n q, e 0 R F m q r 1 s r 0 c 0 Com(r 0, t 0, e 0 ) c 1 Com(r 1, G(t 0, r 1 ) + e 0 ) (c 0, c 1 ) α α R F q t 1 αr 0 t 0 e 1 αf(r 0 ) e 0 resp1 = (t 1, e 1 ) ch 2 ch 2 R {0, 1} If ch 2 = 0, resp 2 r 0 Else resp 2 r 1 resp 2 If ch 2 = 0, Parse resp 2 = r 0, check c 0? = Com(r0, αr 0 t 1, αf(r 0 ) e 1 ) Else Parse resp 2 = r 1, check c 1? = Com(r1, α(v F(r 1 )) G(t 1, r 1 ) e 1 ) 18 / 29

34 MQDSS Generate keys Sample seed SF {0, 1} k, sk F n q (S F, sk) Expand SF to F, compute pk = F(sk) (S F, pk) 19 / 29

35 MQDSS Generate keys Sample seed SF {0, 1} k, sk F n q (S F, sk) Expand SF to F, compute pk = F(sk) (S F, pk) Signing Sign randomized digest D over M 19 / 29

36 MQDSS Generate keys Sample seed SF {0, 1} k, sk F n q (S F, sk) Expand SF to F, compute pk = F(sk) (S F, pk) Signing Sign randomized digest D over M Perform r parallel rounds of transformed IDS 2r commitments, some multiplications in F q 2r MQ evaluations 19 / 29

37 Sakumoto-Shirai-Hiwatari 5-pass IDS [SSH11] P : (F, v, s) V : (F, v) r 0, t 0 R F n q, e 0 R F m q r 1 s r 0 c 0 Com(r 0, t 0, e 0 ) c 1 Com(r 1, G(t 0, r 1 ) + e 0 ) (c 0, c 1 ) α α R F q t 1 αr 0 t 0 e 1 αf(r 0 ) e 0 resp1 = (t 1, e 1 ) ch 2 ch 2 R {0, 1} If ch 2 = 0, resp 2 r 0 Else resp 2 r 1 resp 2 If ch 2 = 0, Parse resp 2 = r 0, check c 0? = Com(r0, αr 0 t 1, αf(r 0 ) e 1 ) Else Parse resp 2 = r 1, check c 1? = Com(r1, α(v F(r 1 )) G(t 1, r 1 ) e 1 ) 20 / 29

38 Sakumoto-Shirai-Hiwatari 5-pass IDS [SSH11] P : (F, v, s) V : (F, v) r 0, t 0 R F n q, e 0 R F m q r 1 s r 0 c 0 Com(r 0, t 0, e 0 ) c 1 Com(r 1, G(t 0, r 1 ) + e 0 ) (c 0, c 1 ) α α R F q t 1 αr 0 t 0 e 1 αf(r 0 ) e 0 resp1 = (t 1, e 1 ) ch 2 ch 2 R {0, 1} If ch 2 = 0, resp 2 r 0 Else resp 2 r 1 resp 2 If ch 2 = 0, Parse resp 2 = r 0, check c 0? = Com(r0, αr 0 t 1, αf(r 0 ) e 1 ) Else Parse resp 2 = r 1, check c 1? = Com(r1, α(v F(r 1 )) G(t 1, r 1 ) e 1 ) 20 / 29

39 MQDSS Generate keys Sample seed SF {0, 1} k, sk F n q (S F, sk) Expand SF to F, compute pk = F(sk) (S F, pk) Signing Sign randomized digest D over M Perform r parallel rounds of transformed IDS 2r commitments, some multiplications in F q 2r MQ evaluations Tricks to reduce size Only include necessary commits (hash others) [SSH11] Commit to seeds 21 / 29

40 Sakumoto-Shirai-Hiwatari 5-pass IDS [SSH11] P : (F, v, s) V : (F, v) r 0, t 0 R F n q, e 0 R F m q r 1 s r 0 c 0 Com(r 0, t 0, e 0 ) c 1 Com(r 1, G(t 0, r 1 ) + e 0 ) (c 0, c 1 ) α α R F q t 1 αr 0 t 0 e 1 αf(r 0 ) e 0 resp1 = (t 1, e 1 ) ch 2 ch 2 R {0, 1} If ch 2 = 0, resp 2 r 0 Else resp 2 r 1 resp 2 If ch 2 = 0, Parse resp 2 = r 0, check c 0? = Com(r0, αr 0 t 1, αf(r 0 ) e 1 ) Else Parse resp 2 = r 1, check c 1? = Com(r1, α(v F(r 1 )) G(t 1, r 1 ) e 1 ) 22 / 29

41 Sakumoto-Shirai-Hiwatari 5-pass IDS [SSH11] P : (F, v, s) V : (F, v) r 0, t 0 R F n q, e 0 R F m q r 1 s r 0 c 0 Com(r 0, t 0, e 0 ) c 1 Com(r 1, G(t 0, r 1 ) + e 0 ) H(c 0, c 1 ) α α R F q t 1 αr 0 t 0 e 1 αf(r 0 ) e 0 resp1 = (t 1, e 1 ) ch 2 ch 2 R {0, 1} If ch 2 = 0, resp 2 r 0 Else resp 2 r 1 resp 2, c (1 ch2 ) If ch 2 = 0, Parse resp 2 = r 0, c 0 Com(r 0, αr 0 t 1, αf(r 0 ) e 1 ) c 1 c 1 Else Parse resp 2 = r 1, c 0 c 0 c 1 Com(r 1, α(v F(r 1 )) G(t 1, r 1 ) e 1 ) check H(c 0, c 1 )? = H(c 0, c 1 ) 23 / 29

42 MQDSS Generate keys Sample seed SF {0, 1} k, sk F n q (S F, sk) Expand SF to F, compute pk = F(sk) (S F, pk) Signing Sign randomized digest D over M Perform r parallel rounds of transformed IDS 2r commitments, some multiplications in F q 2r MQ evaluations Tricks to reduce size Only include necessary commits (hash others) [SSH11] Commit to seeds Verifying Reconstruct D, F 24 / 29

43 MQDSS Generate keys Sample seed SF {0, 1} k, sk F n q (S F, sk) Expand SF to F, compute pk = F(sk) (S F, pk) Signing Sign randomized digest D over M Perform r parallel rounds of transformed IDS 2r commitments, some multiplications in F q 2r MQ evaluations Tricks to reduce size Only include necessary commits (hash others) [SSH11] Commit to seeds Verifying Reconstruct D, F Reconstruct challenges from σ 0, σ 1 Verify responses in σ2 24 / 29

44 MQDSS Generate keys Sample seed SF {0, 1} k, sk F n q (S F, sk) Expand SF to F, compute pk = F(sk) (S F, pk) Signing Sign randomized digest D over M Perform r parallel rounds of transformed IDS 2r commitments, some multiplications in F q 2r MQ evaluations Tricks to reduce size Only include necessary commits (hash others) [SSH11] Commit to seeds Verifying Reconstruct D, F Reconstruct challenges from σ 0, σ 1 Verify responses in σ2 Reconstruct missing commitments Check combined commitments hash 24 / 29

45 MQDSS Generate keys Sample seed SF {0, 1} k, sk F n q (S F, sk) Expand SF to F, compute pk = F(sk) (S F, pk) Signing Sign randomized digest D over M Perform r parallel rounds of transformed IDS 2r commitments, some multiplications in F q 2r MQ evaluations Tricks to reduce size Only include necessary commits (hash others) [SSH11] Commit to seeds Verifying Reconstruct D, F Reconstruct challenges from σ 0, σ 1 Verify responses in σ2 Reconstruct missing commitments Check combined commitments hash Parameters: k, n, m, F q, Com, hash functions, PRGs 24 / 29

46 MQDSS Security parameter k = 256 ( 128-bit PQ security) Soundness error κ = q+1 2q Determines number of rounds; larger q less rounds F q = F 31, n = m = / 29

47 MQDSS Security parameter k = 256 ( 128-bit PQ security) Soundness error κ = q+1 2q Determines number of rounds; larger q less rounds F q = F 31, n = m = 64 Restricted by security If m > n, F5 and Hybrid approach perform better If m < n, simply fix n m variables Classically, analysis from [BFP12]: n 51 Post-quantum: Grover search 25 / 29

48 MQDSS Security parameter k = 256 ( 128-bit PQ security) Soundness error κ = q+1 2q Determines number of rounds; larger q less rounds F q = F 31, n = m = 64 Restricted by security If m > n, F5 and Hybrid approach perform better If m < n, simply fix n m variables Classically, analysis from [BFP12]: n 51 Post-quantum: Grover search Chosen for ease of implementation Fast reduction 5-bit elements; 16x 16-bit words in AVX2 25 / 29

49 MQDSS Security parameter k = 256 ( 128-bit PQ security) Soundness error κ = q+1 2q Determines number of rounds; larger q less rounds F q = F 31, n = m = 64 Restricted by security If m > n, F5 and Hybrid approach perform better If m < n, simply fix n m variables Classically, analysis from [BFP12]: n 51 Post-quantum: Grover search Chosen for ease of implementation Fast reduction 5-bit elements; 16x 16-bit words in AVX2 In hindsight: reduce size by going lower? 25 / 29

50 MQDSS Security parameter k = 256 ( 128-bit PQ security) Soundness error κ = q+1 2q Determines number of rounds; larger q less rounds F q = F 31, n = m = 64 Restricted by security If m > n, F5 and Hybrid approach perform better If m < n, simply fix n m variables Classically, analysis from [BFP12]: n 51 Post-quantum: Grover search Chosen for ease of implementation Fast reduction 5-bit elements; 16x 16-bit words in AVX2 In hindsight: reduce size by going lower? From q = 31, we get r = 269: κ 269 < ( 1 2 ) / 29

51 MQDSS Security parameter k = 256 ( 128-bit PQ security) F q = F 31, n = m = 64 r = / 29

52 MQDSS Security parameter k = 256 ( 128-bit PQ security) F q = F 31, n = m = 64 r = 269 Commitments, hashes, PRGs: SHA3-256, SHAKE / 29

53 MQDSS Security parameter k = 256 ( 128-bit PQ security) F q = F 31, n = m = 64 r = 269 Commitments, hashes, PRGs: SHA3-256, SHAKE-128 Signature σ contains: R, for random digest 32B Hash H(commits) 32B For every round: 269 Response vectors r, t, e 3 40B Missing commit 32B 26 / 29

54 MQDSS Security parameter k = 256 ( 128-bit PQ security) F q = F 31, n = m = 64 r = 269 Commitments, hashes, PRGs: SHA3-256, SHAKE-128 Signature σ contains: R, for random digest 32B Hash H(commits) 32B For every round: 269 Response vectors r, t, e 3 40B Missing commit 32B Adds up to bytes 26 / 29

55 Evaluating MQ From F(x) to x is hard From x to F(x) should be easy 27 / 29

56 Evaluating MQ From F(x) to x is hard From x to F(x) should be fast x 0 x 1 x 2. x n x 0 x 1 x 2... x n 27 / 29

57 Evaluating MQ From F(x) to x is hard From x to F(x) should be fast x 0 x 1 x 2. x n x 0 x 1 x 2... x n 27 / 29

58 Evaluating MQ From F(x) to x is hard From x to F(x) should be fast??? x 0 x 1 x 2... x n 27 / 29

59 Evaluating MQ From F(x) to x is hard From x to F(x) should be fast??? x 0 x 1 x 2... x n 27 / 29

60 Evaluating MQ First compute monomials, then evaluate polynomials 64 elements in F 31 ; 16 (or 32) per 256 bit AVX2 register Monomials: intuition of arrangement using 4 4: A B C D E F 28 / 29

61 Evaluating MQ First compute monomials, then evaluate polynomials 64 elements in F 31 ; 16 (or 32) per 256 bit AVX2 register Monomials: intuition of arrangement using 4 4: A B C D E F A 3B 0C 1D 2E 3F 28 / 29

62 Evaluating MQ First compute monomials, then evaluate polynomials 64 elements in F 31 ; 16 (or 32) per 256 bit AVX2 register Monomials: intuition of arrangement using 4 4: <<< A B C D E F A 3B 0C 1D 2E 3F A 0B 1C 2D 3E 0F 28 / 29

63 Evaluating MQ First compute monomials, then evaluate polynomials 64 elements in F 31 ; 16 (or 32) per 256 bit AVX2 register Monomials: intuition of arrangement using 4 4: A B C D E F A 3B 0C 1D 2E 3F A 0B 1C 2D 3E 0F A 7B 4C 5D 6E 7F 28 / 29

64 Evaluating MQ First compute monomials, then evaluate polynomials 64 elements in F 31 ; 16 (or 32) per 256 bit AVX2 register Monomials: intuition of arrangement using 4 4: <<< A B C D E F A 3B 0C 1D 2E 3F A 0B 1C 2D 3E 0F A 7B 4C 5D 6E 7F A 4B 5C 6D 7E 4F 28 / 29

65 Evaluating MQ First compute monomials, then evaluate polynomials 64 elements in F 31 ; 16 (or 32) per 256 bit AVX2 register Monomials: intuition of arrangement using 4 4: A B C D E F A 3B 0C 1D 2E 3F A 0B 1C 2D 3E 0F A 7B 4C 5D 6E 7F A 4B 5C 6D 7E 4F AA BB 8C 9D AE BF 28 / 29

66 Evaluating MQ First compute monomials, then evaluate polynomials 64 elements in F 31 ; 16 (or 32) per 256 bit AVX2 register Monomials: intuition of arrangement using 4 4: <<< A B C D E F A 3B 0C 1D 2E 3F A 0B 1C 2D 3E 0F A 7B 4C 5D 6E 7F A 4B 5C 6D 7E 4F AA BB 8C 9D AE BF 90 A1 B A5 B A9 BA 8B 9C AD BE 8F 28 / 29

67 Evaluating MQ First compute monomials, then evaluate polynomials 64 elements in F 31 ; 16 (or 32) per 256 bit AVX2 register Monomials: intuition of arrangement using 4 4: A B C D E F A 3B 0C 1D 2E 3F A 0B 1C 2D 3E 0F A 7B 4C 5D 6E 7F A 4B 5C 6D 7E 4F AA BB 8C 9D AE BF 90 A1 B A5 B A9 BA 8B 9C AD BE 8F CC DD EE FF 28 / 29

68 Evaluating MQ First compute monomials, then evaluate polynomials 64 elements in F 31 ; 16 (or 32) per 256 bit AVX2 register Monomials: intuition of arrangement using 4 4: <<< A B C D E F A 3B 0C 1D 2E 3F A 0B 1C 2D 3E 0F A 7B 4C 5D 6E 7F A 4B 5C 6D 7E 4F AA BB 8C 9D AE BF 90 A1 B A5 B A9 BA 8B 9C AD BE 8F CC DD EE FF D0 E1 F2 C3 D4 E5 F6 C7 D8 E9 FA CB DC ED FE CF 28 / 29

69 Evaluating MQ First compute monomials, then evaluate polynomials 64 elements in F 31 ; 16 (or 32) per 256 bit AVX2 register Monomials: intuition of arrangement using 4 4: A B C D E F A 3B 0C 1D 2E 3F A 0B 1C 2D 3E 0F A 7B 4C 5D 6E 7F A 4B 5C 6D 7E 4F AA BB 8C 9D AE BF 90 A1 B A5 B A9 BA 8B 9C AD BE 8F CC DD EE FF D0 E1 F2 C3 D4 E5 F6 C7 D8 E9 FA CB DC ED FE CF C2 D / 29

70 Evaluating MQ First compute monomials, then evaluate polynomials 64 elements in F 31 ; 16 (or 32) per 256 bit AVX2 register Monomials: intuition of arrangement using 4 4: A B C D E F A 3B 0C 1D 2E 3F A 0B 1C 2D 3E 0F A 7B 4C 5D 6E 7F A 4B 5C 6D 7E 4F AA BB 8C 9D AE BF 90 A1 B A5 B A9 BA 8B 9C AD BE 8F CC DD EE FF D0 E1 F2 C3 D4 E5 F6 C7 D8 E9 FA CB DC ED FE CF C2 D C6 D / 29

71 Evaluating MQ First compute monomials, then evaluate polynomials 64 elements in F 31 ; 16 (or 32) per 256 bit AVX2 register Monomials: intuition of arrangement using 4 4: A B C D E F A 3B 0C 1D 2E 3F A 0B 1C 2D 3E 0F A 7B 4C 5D 6E 7F A 4B 5C 6D 7E 4F AA BB 8C 9D AE BF 90 A1 B A5 B A9 BA 8B 9C AD BE 8F CC DD EE FF D0 E1 F2 C3 D4 E5 F6 C7 D8 E9 FA CB DC ED FE CF C2 D C6 D A 1B - - 4A 5B - - 8A 9B - - CA DB / 29

72 Evaluating MQ First compute monomials, then evaluate polynomials 64 elements in F 31 ; 16 (or 32) per 256 bit AVX2 register Monomials: intuition of arrangement using 4 4: A B C D E F A 3B 0C 1D 2E 3F A 0B 1C 2D 3E 0F A 7B 4C 5D 6E 7F A 4B 5C 6D 7E 4F AA BB 8C 9D AE BF 90 A1 B A5 B A9 BA 8B 9C AD BE 8F CC DD EE FF D0 E1 F2 C3 D4 E5 F6 C7 D8 E9 FA CB DC ED FE CF C2 D C6 D A 1B - - 4A 5B - - 8A 9B - - CA DB - - 0E 1F - - 4E 5F - - 8E 9F - - CE DF / 29

73 Benchmarks & conclusion Signatures: ~40 KB ( SPHINCS) Public and private keys: 72 resp. 64 bytes Signing time: ~8.5M cycles 3.5GHz) Verification 5.2M, key generation 1.8M ~6x faster than SPHINCS, >10x slower than lattices 29 / 29

74 Benchmarks & conclusion Signatures: ~40 KB ( SPHINCS) Public and private keys: 72 resp. 64 bytes Signing time: ~8.5M cycles 3.5GHz) Verification 5.2M, key generation 1.8M ~6x faster than SPHINCS, >10x slower than lattices Competitive signatures with (non-tight) reduction to MQ Rewinding extractor for Fiat-Shamir, see e.g. [DOR+16] Relies only on MQ (and not IP) 29 / 29

75 Benchmarks & conclusion Signatures: ~40 KB ( SPHINCS) Public and private keys: 72 resp. 64 bytes Signing time: ~8.5M cycles 3.5GHz) Verification 5.2M, key generation 1.8M ~6x faster than SPHINCS, >10x slower than lattices Competitive signatures with (non-tight) reduction to MQ Rewinding extractor for Fiat-Shamir, see e.g. [DOR+16] Relies only on MQ (and not IP) Code is available (public domain): 29 / 29

76 References I Koichi Sakumoto, Taizo Shirai and Harunaga Hiwatari. Public-key identification schemes based on multivariate quadratic polynomials. In Phillip Rogaway, editor, Advances in Cryptology CRYPTO 2011, volume 6841 of LNCS, pages Springer, Sidi Mohamed El Yousfi Alaoui, Özgür Dagdelen, Pascal Véron, David Galindo and Pierre-Louis Cayrel. Extended security arguments for signature schemes. In Aikaterini Mitrokotsa and Serge Vaudenay, editors, Progress in Cryptology AFRICACRYPT 2012, volume 7374 of LNCS, pages Springer, Özgür Dagdelen, David Galindo, Pascal Véron, Sidi Mohamed El Yousfi Alaoui, and Pierre-Louis Cayrel. Extended security arguments for signature schemes. In Designs, Codes and Cryptography, 78(2), pages Springer, / 29

77 References II Daniel J. Bernstein, Diana Hopwood, Andreas Hülsing, Tanja Lange, Ruben Niederhagen, Louiza Papachristodoulou, Peter Schwabe and Zooko Wilcox O Hearn. SPHINCS: Stateless, practical, hash-based, incredibly nice cryptographic signatures. In Marc Fischlin and Elisabeth Oswald, editors, Advances in Cryptology EUROCRYPT 2015, volume 9056 of LNCS, pages Springer, Johannes Buchmann, Erik Dahmen and Andreas Hülsing. XMSS a practical forward secure signature scheme based on minimal security assumptions. In Bo-Yin Yang, editor, PQCrypto 2011, volume 7071 of LNCS, pages Springer, Andreas Hülsing, Joost Rijneveld and Fang Song. Mitigating multi-target attacks in hash-based signatures. In Chen-Mou Cheng, Kai-Min Chung, Giuseppe Persiano and Bo-Yin Yang, editors, Public-Key Cryptography PKC 2016, volume 9614 of LNCS, pages Springer, / 29

78 References III Sedat Akleylek, Nina Bindel, Johannes Buchmann, Juliane Krämer and Giorgia Azzurra Marson. An Efficient Lattice-Based Signature Scheme with Provably Secure Instantiation. In David Pointcheval, Abderrahmane Nitaj, Tajjeeddine Rachidi, editors, Progress in Cryptology AFRICACRYPT 2016, volume 9646 of LNCS, pages Springer, Erdem Alkim, Nina Bindel, Johannes Buchmann, Özgür Dagdelen and Peter Schwabe. TESLA: Tightly-Secure Efficient Signatures from Standard Lattices. In Cryptology eprint Archive, Report 2015/755, Léo Ducas, Alain Durmus, Tancrède Lepoint, and Vadim Lyubashevsky. Lattice signatures and bimodal gaussians. In Ran Canetti and Juan A. Garay, editors, Advances in Cryptology CRYPTO 2013, volume 8042 of LNCS, pages Springer, / 29

79 References IV Tim Güneysu, Vadim Lyubashevsky and Thomas Pöppelmann. Practical Lattice-Based Cryptography: A Signature Scheme for Embedded Systems. In Emmanuel Prouff and Patrick Schaumont, editors, Cryptographic Hardware and Embedded Systems CHES 2012, volume 7428 of LNCS, pages Springer, David Pointcheval and Jacques Stern. Security proofs for signature schemes. In Ueli Maurer, editor, Advances in Cryptology EUROCRYPT 1996, volume 1070 of LNCS, pages Springer, David Derler, Claudio Orlandi, Sebastian Ramacher, Christian Rechberger and Daniel Slamanig. Digital Signatures from Symmetric-Key Primitives. In Cryptology eprint Archive, Report 2016/1085, / 29

80 References V Luk Bettale, Jean-Charles Faugère, and Ludovic Perret. Solving polynomial systems over finite fields: improved analysis of the hybrid approach. In Joris van der Hoeven and Mark van Hoeij, editors, ISSAC 12 Proceedings of the 37th International Symposium on Symbolic and Algebraic Computation 34 / 29

From 5-pass MQ-based identification to MQ-based signatures

From 5-pass MQ-based identification to MQ-based signatures Ming-Shing Chen 1,2, Andreas Hülsing 3, Joost Rijneveld 4, Simona Samardjiska 5, Peter Schwabe 4 National Taiwan University 1 / Academia Sinica