From 5-pass MQ-based identification to MQ-based signatures

Size: px

Start display at page:

Download "From 5-pass MQ-based identification to MQ-based signatures"

Charlene Booth
5 years ago
Views:

1 From 5-pass MQ-based identification to MQ-based signatures Ming-Shing Chen 1,2, Andreas Hülsing 3, Joost Rijneveld 4, Simona Samardjiska 5, Peter Schwabe 4 National Taiwan University 1 / Academia Sinica 2, Taipei, Taiwan Technische Universiteit Eindhoven, The Netherlands 3 Radboud University, Nijmegen, The Netherlands 4 Ss. Cyril and Methodius University, Skopje, Republic of Macedonia DiS Lunch Talk / 15

2 Post-quantum signatures Problem: we want a post-quantum signature scheme Security arguments Acceptable speed and size Overview / 15

3 Post-quantum signatures Problem: we want a post-quantum signature scheme Security arguments Acceptable speed and size Solutions: Hash-based: SPHINCS, XMSS Slow or stateful Lattice-based: (Ring-)TESLA, BLISS, GLP Large keys, or additional structure MQ:? Unclear security: many broken (except HFEv-, UOV) Overview / 15

4 Overview MQDSS is a signature scheme Overview / 15

5 Overview MQDSS is a signature scheme obtained by applying a Fiat-Shamir transform Overview / 15

6 Overview MQDSS is a signature scheme obtained by applying a Fiat-Shamir transform to a 5-pass identification scheme Overview / 15

7 Overview MQDSS is a signature scheme obtained by applying a Fiat-Shamir transform to a 5-pass identification scheme which relies on hardness of the MQ problem. Overview / 15

8 Overview MQDSS is a signature scheme obtained by applying a Fiat-Shamir transform to a 5-pass identification scheme which relies on hardness of the MQ problem. MQDSS provides post-quantum secure signatures. Overview / 15

9 This work Transform 5-pass IDS to signature schemes Prove an earlier attempt [EDV+12] vacuous Propose MQDSS Instantiate as MQDSS Implement using AVX2 But also: Reduction in the ROM (not in QROM) No tight proof Overview / 15

10 Identification schemes P V com P 0 (sk) com ch ch R ChS(1 k ) resp P 1 (sk, com, ch) resp b Vf(pk, com, ch, resp) Identification schemes / 15

11 Identification schemes P V com P 0 (sk) com ch ch R ChS(1 k ) resp P 1 (sk, com, ch) resp b Vf(pk, com, ch, resp) Informally: 1. Prover commits to some (random) value 2. Verifier picks a challenge ch 3. Prover computes response resp 4. Verifier checks if response matches challenge Identification schemes / 15

12 Zero-knowledge Special Soundness: given pk, (com, ch, resp), (com, ch, resp ), find sk. Honest-Verifier Zero-Knowledge: simulator can fake transcripts. Identification schemes / 15

13 Zero-knowledge Special Soundness: given pk, (com, ch, resp), (com, ch, resp ), find sk. Shows knowledge of secret Prover can guess right : soundness error κ Honest-Verifier Zero-Knowledge: simulator can fake transcripts. Shows that transcripts do not leak the secret Identification schemes / 15

14 Zero-knowledge Special Soundness: given pk, (com, ch, resp), (com, ch, resp ), find sk. Shows knowledge of secret Prover can guess right : soundness error κ Honest-Verifier Zero-Knowledge: simulator can fake transcripts. Shows that transcripts do not leak the secret Passively secure IDS Identification schemes / 15

15 Fiat-Shamir transform Transform passive IDS into signature Non-interactive: Identification schemes / 15

16 Fiat-Shamir transform Transform passive IDS into signature Non-interactive: Signer is prover Function H provides challenges Transcript is signature Identification schemes / 15

17 Fiat-Shamir transform Transform passive IDS into signature Non-interactive: Signer is prover Function H provides challenges Transcript is signature Repeat, to compensate for error κ Identification schemes / 15

18 Fiat-Shamir transform Transform passive IDS into signature Non-interactive: Signer is prover Function H provides challenges Transcript is signature Repeat, to compensate for error κ Generalise to 5-pass (of certain form) Reduces knowledge error Identification schemes / 15

19 Fiat-Shamir transform Signing a message M (r rounds such that κ r < 1 2 k ): Verifying a signature σ: Identification schemes / 15

20 Fiat-Shamir transform Signing a message M (r rounds such that κ r < 1 2 k ): 1. Generate r commitments com i P 0 (sk) Verifying a signature σ: Identification schemes / 15

21 Fiat-Shamir transform Signing a message M (r rounds such that κ r < 1 2 k ): 1. Generate r commitments com i P 0 (sk) 2. Construct σ 0 = com 0... com r 1 Verifying a signature σ: Identification schemes / 15

22 Fiat-Shamir transform Signing a message M (r rounds such that κ r < 1 2 k ): 1. Generate r commitments com i P 0 (sk) 2. Construct σ 0 = com 0... com r 1 3. Generate challenges ch i H(σ 0 M) Verifying a signature σ: Identification schemes / 15

23 Fiat-Shamir transform Signing a message M (r rounds such that κ r < 1 2 k ): 1. Generate r commitments com i P 0 (sk) 2. Construct σ 0 = com 0... com r 1 3. Generate challenges ch i H(σ 0 M) 4. Compute resp i P 1 (sk, com i, ch i ) Verifying a signature σ: Identification schemes / 15

24 Fiat-Shamir transform Signing a message M (r rounds such that κ r < 1 2 k ): 1. Generate r commitments com i P 0 (sk) 2. Construct σ 0 = com 0... com r 1 3. Generate challenges ch i H(σ 0 M) 4. Compute resp i P 1 (sk, com i, ch i ) 5. Construct σ 1 = (resp 0,... resp r 1 ), σ = (σ 0, σ 1 ) Verifying a signature σ: Identification schemes / 15

25 Fiat-Shamir transform Signing a message M (r rounds such that κ r < 1 2 k ): 1. Generate r commitments com i P 0 (sk) 2. Construct σ 0 = com 0... com r 1 3. Generate challenges ch i H(σ 0 M) 4. Compute resp i P 1 (sk, com i, ch i ) 5. Construct σ 1 = (resp 0,... resp r 1 ), σ = (σ 0, σ 1 ) Verifying a signature σ: 1. Generate challenges ch i H(σ 0 M) Identification schemes / 15

26 Fiat-Shamir transform Signing a message M (r rounds such that κ r < 1 2 k ): 1. Generate r commitments com i P 0 (sk) 2. Construct σ 0 = com 0... com r 1 3. Generate challenges ch i H(σ 0 M) 4. Compute resp i P 1 (sk, com i, ch i ) 5. Construct σ 1 = (resp 0,... resp r 1 ), σ = (σ 0, σ 1 ) Verifying a signature σ: 1. Generate challenges ch i H(σ 0 M) 2. Verify that i, Vf(pk, com i, ch i, resp i ) Identification schemes / 15

27 MQ problem The function family MQ(n, m, F q ): { F(x) = (f 1 (x),..., f m (x)) f i,j a l,i,jx i x j + i b l,i, l(x) = for a l,i,j, b l,i F q l 1,..., m } MQ / 15

28 MQ problem The function family MQ(n, m, F q ): { F(x) = (f 1 (x),..., f m (x)) f i,j a l,i,jx i x j + i b l,i, l(x) = for a l,i,j, b l,i F q l 1,..., m Problem: For given y F m q, find x F n q such that F(x) = y. } MQ / 15

29 MQ problem The function family MQ(n, m, F q ): { F(x) = (f 1 (x),..., f m (x)) f i,j a l,i,jx i x j + i b l,i, l(x) = for a l,i,j, b l,i F q l 1,..., m Problem: For given y F m q, find x F n q such that F(x) = y. } i.e., solve the system of equations: f 0 (x) =a 0,0,0 x 0 x 0 + a 0,0,1 x 0 x a 0,n,n x n x n + b 0, b 0,n. f m (x) =a m,0,0 x 0 x 0 + a m,0,1 x 0 x a m,n,n x n x n + b m, b m,n MQ / 15

30 Sakumoto et al. 5-pass IDS [SSH11] Key technique: v = F(s) = F(r 0 ) + F(r 1 ) + G(r 0, r 1 ) P : (F, v, s) V : (F, v) r 0, t 0 R F n q, e 0 R F m q r 1 s r 0 c 0 Com(r 0, t 0, e 0 ) c 1 Com(r 1, G(t 0, r 1 ) + e 0 ) (c 0, c 1 ) α α R F q t 1 αr 0 t 0 e 1 αf(r 0 ) e 0 resp1 = (t 1, e 1 ) ch 2 ch 2 R {0, 1} If ch 2 = 0, resp 2 r 0 Else resp 2 r 1 resp 2 If ch 2 = 0, Parse resp 2 = r 0, check c 0? = Com(r0, αr 0 t 1, αf(r 0 ) e 1 ) Else Parse resp 2 = r 1, check c 1? = Com(r1, α(v F(r 1 )) G(t 1, r 1 ) e 1 ) Identification schemes / 15

31 MQDSS Generate keys Sample seeds {0, 1} k, sk F q Expand to F, compute pk = F(sk) MQDSS / 15

32 MQDSS Generate keys Sample seeds {0, 1} k, sk F q Expand to F, compute pk = F(sk) Signing Sign deterministic digest D over M MQDSS / 15

33 MQDSS Generate keys Sample seeds {0, 1} k, sk F q Expand to F, compute pk = F(sk) Signing Sign deterministic digest D over M Perform r rounds of transformed IDS 2r commitments 2r MQ evaluations Some multiplications in F q MQDSS / 15

34 MQDSS Generate keys Sample seeds {0, 1} k, sk F q Expand to F, compute pk = F(sk) Signing Sign deterministic digest D over M Perform r rounds of transformed IDS 2r commitments 2r MQ evaluations Some multiplications in F q Tricks to reduce size Only include necessary commits (hash others) [SSH11] Commit to seeds MQDSS / 15

35 MQDSS Generate keys Sample seeds {0, 1} k, sk F q Expand to F, compute pk = F(sk) Signing Sign deterministic digest D over M Perform r rounds of transformed IDS 2r commitments 2r MQ evaluations Some multiplications in F q Tricks to reduce size Only include necessary commits (hash others) [SSH11] Commit to seeds Verifying Reconstruct D, F MQDSS / 15

36 MQDSS Generate keys Sample seeds {0, 1} k, sk F q Expand to F, compute pk = F(sk) Signing Sign deterministic digest D over M Perform r rounds of transformed IDS 2r commitments 2r MQ evaluations Some multiplications in F q Tricks to reduce size Only include necessary commits (hash others) [SSH11] Commit to seeds Verifying Reconstruct D, F Reconstruct challenges from σ 0, σ 1 Verify responses in σ2 MQDSS / 15

37 MQDSS Generate keys Sample seeds {0, 1} k, sk F q Expand to F, compute pk = F(sk) Signing Sign deterministic digest D over M Perform r rounds of transformed IDS 2r commitments 2r MQ evaluations Some multiplications in F q Tricks to reduce size Only include necessary commits (hash others) [SSH11] Commit to seeds Verifying Reconstruct D, F Reconstruct challenges from σ 0, σ 1 Verify responses in σ2 Reconstruct missing commitments Check combined commitments hash MQDSS / 15

38 MQDSS Generate keys Sample seeds {0, 1} k, sk F q Expand to F, compute pk = F(sk) Signing Sign deterministic digest D over M Perform r rounds of transformed IDS 2r commitments 2r MQ evaluations Some multiplications in F q Tricks to reduce size Only include necessary commits (hash others) [SSH11] Commit to seeds Verifying Reconstruct D, F Reconstruct challenges from σ 0, σ 1 Verify responses in σ2 Reconstruct missing commitments Check combined commitments hash Parameters: k, n, m, F q, Com, hash functions, PRGs MQDSS / 15

39 MQDSS Security parameter k = 256 Soundness error κ depends on q κ = q+1 2q Determines number of rounds: r = 269, κ 269 < 1 2 F q = F 31, n = m = 64 Bounded by attacks Chosen for ease of implementation 256 MQDSS / 15

40 MQDSS Security parameter k = 256 Soundness error κ depends on q κ = q+1 2q Determines number of rounds: r = 269, κ 269 < 1 2 F q = F 31, n = m = 64 Bounded by attacks Chosen for ease of implementation Commitments, hashes, PRGs: SHA3-256, SHAKE MQDSS / 15

41 Evaluating MQ From F(x) to x is hard From x to F(x) should be easy MQ / 15

42 Evaluating MQ From F(x) to x is hard From x to F(x) should be fast x 0 x 1 x 2. x n x 0 x 1 x 2... x n MQ / 15

43 Evaluating MQ From F(x) to x is hard From x to F(x) should be fast x 0 x 1 x 2. x n x 0 x 1 x 2... x n MQ / 15

44 Evaluating MQ From F(x) to x is hard From x to F(x) should be fast??? x 0 x 1 x 2... x n MQ / 15

45 Evaluating MQ From F(x) to x is hard From x to F(x) should be fast??? x 0 x 1 x 2... x n MQ / 15

46 Evaluating MQ First compute monomials, then evaluate polynomials 64 elements in F 31 ; 16 (or 32) per 256 bit AVX2 register Monomials: intuition of arrangement using 4 4: A B C D E F MQ / 15

47 Evaluating MQ First compute monomials, then evaluate polynomials 64 elements in F 31 ; 16 (or 32) per 256 bit AVX2 register Monomials: intuition of arrangement using 4 4: A B C D E F A 3B 0C 1D 2E 3F MQ / 15

48 Evaluating MQ First compute monomials, then evaluate polynomials 64 elements in F 31 ; 16 (or 32) per 256 bit AVX2 register Monomials: intuition of arrangement using 4 4: <<< A B C D E F A 3B 0C 1D 2E 3F A 0B 1C 2D 3E 0F MQ / 15

49 Evaluating MQ First compute monomials, then evaluate polynomials 64 elements in F 31 ; 16 (or 32) per 256 bit AVX2 register Monomials: intuition of arrangement using 4 4: A B C D E F A 3B 0C 1D 2E 3F A 0B 1C 2D 3E 0F A 7B 4C 5D 6E 7F MQ / 15

50 Evaluating MQ First compute monomials, then evaluate polynomials 64 elements in F 31 ; 16 (or 32) per 256 bit AVX2 register Monomials: intuition of arrangement using 4 4: <<< A B C D E F A 3B 0C 1D 2E 3F A 0B 1C 2D 3E 0F A 7B 4C 5D 6E 7F A 4B 5C 6D 7E 4F MQ / 15

51 Evaluating MQ First compute monomials, then evaluate polynomials 64 elements in F 31 ; 16 (or 32) per 256 bit AVX2 register Monomials: intuition of arrangement using 4 4: A B C D E F A 3B 0C 1D 2E 3F A 0B 1C 2D 3E 0F A 7B 4C 5D 6E 7F A 4B 5C 6D 7E 4F AA BB 8C 9D AE BF MQ / 15

52 Evaluating MQ First compute monomials, then evaluate polynomials 64 elements in F 31 ; 16 (or 32) per 256 bit AVX2 register Monomials: intuition of arrangement using 4 4: <<< A B C D E F A 3B 0C 1D 2E 3F A 0B 1C 2D 3E 0F A 7B 4C 5D 6E 7F A 4B 5C 6D 7E 4F AA BB 8C 9D AE BF 90 A1 B A5 B A9 BA 8B 9C AD BE 8F MQ / 15

53 Evaluating MQ First compute monomials, then evaluate polynomials 64 elements in F 31 ; 16 (or 32) per 256 bit AVX2 register Monomials: intuition of arrangement using 4 4: A B C D E F A 3B 0C 1D 2E 3F A 0B 1C 2D 3E 0F A 7B 4C 5D 6E 7F A 4B 5C 6D 7E 4F AA BB 8C 9D AE BF 90 A1 B A5 B A9 BA 8B 9C AD BE 8F CC DD EE FF MQ / 15

54 Evaluating MQ First compute monomials, then evaluate polynomials 64 elements in F 31 ; 16 (or 32) per 256 bit AVX2 register Monomials: intuition of arrangement using 4 4: <<< A B C D E F A 3B 0C 1D 2E 3F A 0B 1C 2D 3E 0F A 7B 4C 5D 6E 7F A 4B 5C 6D 7E 4F AA BB 8C 9D AE BF 90 A1 B A5 B A9 BA 8B 9C AD BE 8F CC DD EE FF D0 E1 F2 C3 D4 E5 F6 C7 D8 E9 FA CB DC ED FE CF MQ / 15

55 Evaluating MQ First compute monomials, then evaluate polynomials 64 elements in F 31 ; 16 (or 32) per 256 bit AVX2 register Monomials: intuition of arrangement using 4 4: A B C D E F A 3B 0C 1D 2E 3F A 0B 1C 2D 3E 0F A 7B 4C 5D 6E 7F A 4B 5C 6D 7E 4F AA BB 8C 9D AE BF 90 A1 B A5 B A9 BA 8B 9C AD BE 8F CC DD EE FF D0 E1 F2 C3 D4 E5 F6 C7 D8 E9 FA CB DC ED FE CF C2 D3 - - MQ / 15

56 Evaluating MQ First compute monomials, then evaluate polynomials 64 elements in F 31 ; 16 (or 32) per 256 bit AVX2 register Monomials: intuition of arrangement using 4 4: A B C D E F A 3B 0C 1D 2E 3F A 0B 1C 2D 3E 0F A 7B 4C 5D 6E 7F A 4B 5C 6D 7E 4F AA BB 8C 9D AE BF 90 A1 B A5 B A9 BA 8B 9C AD BE 8F CC DD EE FF D0 E1 F2 C3 D4 E5 F6 C7 D8 E9 FA CB DC ED FE CF C2 D C6 D7 - - MQ / 15

57 Evaluating MQ First compute monomials, then evaluate polynomials 64 elements in F 31 ; 16 (or 32) per 256 bit AVX2 register Monomials: intuition of arrangement using 4 4: A B C D E F A 3B 0C 1D 2E 3F A 0B 1C 2D 3E 0F A 7B 4C 5D 6E 7F A 4B 5C 6D 7E 4F AA BB 8C 9D AE BF 90 A1 B A5 B A9 BA 8B 9C AD BE 8F CC DD EE FF D0 E1 F2 C3 D4 E5 F6 C7 D8 E9 FA CB DC ED FE CF C2 D C6 D A 1B - - 4A 5B - - 8A 9B - - CA DB - - MQ / 15

58 Evaluating MQ First compute monomials, then evaluate polynomials 64 elements in F 31 ; 16 (or 32) per 256 bit AVX2 register Monomials: intuition of arrangement using 4 4: A B C D E F A 3B 0C 1D 2E 3F A 0B 1C 2D 3E 0F A 7B 4C 5D 6E 7F A 4B 5C 6D 7E 4F AA BB 8C 9D AE BF 90 A1 B A5 B A9 BA 8B 9C AD BE 8F CC DD EE FF D0 E1 F2 C3 D4 E5 F6 C7 D8 E9 FA CB DC ED FE CF C2 D C6 D A 1B - - 4A 5B - - 8A 9B - - CA DB - - 0E 1F - - 4E 5F - - 8E 9F - - CE DF - - MQ / 15

59 Benchmarks & conclusion Signatures: ~40 KB ( SPHINCS) Public and private keys: 72 resp. 64 bytes Signing time: ~8.5M cycles (2.43ms) Verification 5.2M, key generation 1.8M ~6x faster than SPHINCS, >10x slower than lattices Conclusions / 15

60 Benchmarks & conclusion Signatures: ~40 KB ( SPHINCS) Public and private keys: 72 resp. 64 bytes Signing time: ~8.5M cycles (2.43ms) Verification 5.2M, key generation 1.8M ~6x faster than SPHINCS, >10x slower than lattices Competitive signatures with (non-tight) reduction to MQ Conclusions / 15

61 References Koichi Sakumoto, Taizo Shirai, and Harunaga Hiwatari. Public-key identification schemes based on multivariate quadratic polynomials. In Phillip Rogaway, editor, Advances in Cryptology CRYPTO 2011, volume 6841 of LNCS, pages Springer, Sidi Mohamed El Yousfi Alaoui, Özgür Dagdelen, Pascal Véron, David Galindo, and Pierre-Louis Cayrel. Extended security arguments for signature schemes. In Aikaterini Mitrokotsa and Serge Vaudenay, editors, Progress in Cryptology AFRICACRYPT 2012, volume 7374 of LNCS, pages Springer, References / 15

From 5-pass MQ-based identification to MQ-based signatures

From 5-pass MQ-based identification to MQ-based signatures Ming-Shing Chen 1,2, Andreas Hülsing 3, Joost Rijneveld 4, Simona Samardjiska 5, Peter Schwabe 4 National Taiwan University 1 / Academia Sinica