A Code-Based Blind Signature Olivier Blazy, Philippe Gaborit, Julien Schrek, Nicolas Sendrier
Total Page:16
File Type:pdf, Size:1020Kb
A code-based blind signature Olivier Blazy, Philippe Gaborit, Julien Schrek, Nicolas Sendrier To cite this version: Olivier Blazy, Philippe Gaborit, Julien Schrek, Nicolas Sendrier. A code-based blind signature. ISIT 2017 - IEEE International Symposium on Information Theory, Jun 2017, Aachen, Germany. pp.2718– 2722, 10.1109/ISIT.2017.8007023. hal-01610410 HAL Id: hal-01610410 https://hal.archives-ouvertes.fr/hal-01610410 Submitted on 13 Apr 2018 HAL is a multi-disciplinary open access L’archive ouverte pluridisciplinaire HAL, est archive for the deposit and dissemination of sci- destinée au dépôt et à la diffusion de documents entific research documents, whether they are pub- scientifiques de niveau recherche, publiés ou non, lished or not. The documents may come from émanant des établissements d’enseignement et de teaching and research institutions in France or recherche français ou étrangers, des laboratoires abroad, or from public or private research centers. publics ou privés. A code-based blind signature Olivier Blazy Philippe Gaborit Julien Schrek Nicolas Sendrier Universite´ de Limoges Universite´ de Limoges Universite´ de Limoges INRIA [email protected] [email protected] [email protected] [email protected] Abstract—In this paper we give the first blind signature II. SECURITY MODEL FOR BLIND SIGNATURE protocol for code-based cryptography. Our approach is different As formalized in the paper by Pointcheval and Stern in from the classical original RSA based blind signature scheme, it is done in the spirit of the Fischlin approach [9] which is [18], a blind signature scheme involves two parties, a user based on proofs of knowledge. To achieve our goal we consider a U and a Signer S. The user submits a masked (or blinded) new tool for zero-knowledge (ZK) proofs, the Concatenated Stern message that the Signer sign with a digital signature scheme ZK protocol, which permits to obtain an authentication protocol whose public key is known. This part is named BSProtocol. for concatenated matrices. A signature is then obtained from The user unmasks this signature to build a signature of the the usual Fiat-Shamir heuristic. We describe our blind signature protocol for cryptography based on Hamming metric and show unmasked message which is valid for the Signer’s public key. how it can be extended to rank based cryptography. The security A verification can be made on the final signature with the of our blind protocol is based on the security of a trapdoor Signer’s public key. function for the syndrome decoding problem: the CFS signature More precisely, we can derive the definition from digital scheme for Hamming distance and on the more recent RankSign signatures. Instead of having a signing phase Sign(sk;M; µ) protocol for rank metric. We give proofs in the random oracle model (ROM) for our blind signature scheme, which rely on we have an interactive phase BSProtocolhS; Ui between the the Syndrome Decoding problem. The parameters we obtain for user U(vk;M; ρ) who will (probably) transmit a masked our protocol are practical for rank metric (200kBytes) for the information on M under some randomness ρ in order to obtain signature length and 15kBytes for public key size) and a little a signature valid under the verification key vk, and the signer less practical for Hamming distance. S(sk; µ), who will generate something based on this value, and Keywords: Zero-knowledge protocols, coding theory, Stern his secret key which should lead the user to a valid signature. SD scheme, CFS signature, code-based cryptography. Such signatures are correct if when both the user and signer I. INTRODUCTION AND MOTIVATION are honest then BSProtocolhS; Ui does indeed lead to valid signature on M under vk. Since the seminal work of Chaum on blind signature [4], There are two additional security properties, one protecting this type of signature has found many applications in pri- the signer, the other the user. vacy preserving protocols like electronic voting protocol or • On one hand, there is an Unforgeability property, where electronic cash. The original blind signature scheme is based a malicious user should not be able to compute n + 1 on the RSA signature protocol and many schemes have been valid signatures on different messages after at most n proposed since, essentially based on number theory. interactions with the signer. Our contribution: in this paper we propose the first generic • On the other hand, the Blindness property says that a blind signature protocol based on coding theory. The signature malicious signer who signed two messages M and M is based on a code-based trapdoor function which inverts a 0 1 should not be able to decide which one was signed first. random syndrome. Previous works Although there exist many blind signature uf Exp ∗ (K) bl−b BS;U Exp (K) K scheme in classical cryptography based on number theory, BS;S∗ 1. (param) BSSetup(1 ) 1. param BSSetup(1K) 2. (vk; sk) BSKeyGen(param) there is only one published post-quantum blind signature 2. (vk;M ;M ) A(FIND : param) 3. For i = 1; : : : ; qs, BSProtocolhS(sk); A(INIT : vk)i 0 1 ! 3. σb BSProtocolhA; U(vk;Mb)i protocol: the recent lattice based protocol of Ruckert [19], 4. (m1; σ1);:::; (mq +1; σq +1) A(GUESS : vk); 4. σ1−b BSProtocolhA; U(vk;M1−b)i s s ∗ ∗ 5. b S (GUESS : M0;M1); 5. IF 9i 6= j; m = m OR 9i; Verif(pk; m ; σ ) = 0 but this approach is based on the original RSA approach and ∗ i j i i 6. RETURN b = b. RETURN 0 cannot be not directly adaptated for Hamming or rank distance, 6. ELSE RETURN 1 because of the properties of the metric. Organization of the paper The paper is organized as Fig. 1. Security Games for the Blind Signatures follows: Section 2 describes our security model for blind sig- natures, Section 3 recalls background on code-based cryptog- raphy, Section 4 describes a variation on Stern authentication III. BACKGROUND ON CODE-BASED CRYPTOGRAPHY protocol, Section 5 describes the protocol, Section 6 explains Let F denote the finite field with 2 elements and let H 2 how the approach can be generalized to rank metric, and at F (n−k)×n denote the parity-check matrix of some linear code last sections 6 and 7 study the security and the parameters of of length n and dimension k. In this section and in all the the protocol. paper h() will denote a cryptographic hash function. A. Syndrome Decoding 2) Security of CFS.: Parity check matrices of high rate 1) The CSD Problem: We consider the following problem: Goppa codes can be distinguished from random matrices [6]. Still, this distinguishing attack does not lead to an efficient Computational Syndrome Decoding Problem: Given a matrix key recovery attack (recovering DH from H), however it H 2 F (n−k)×n, a word u 2 F n−k, and an integer w > 0, invalidates the security reduction given in [5]. We refer to find x 2 F n of Hamming weight ≤ w such that H:xT = u. [17] for more details on the security of CFS. This well known problem is NP-hard. Limitations of CFS. The computational complexity of the CFS problem is super-polynomial in the size of the public Decisional Syndrome Decoding Problem(D-SD): Given a ma- key, so that the scheme leads to very high parameters, but still trix H 2 F (n−k)×n, an integer w > 0 a random word x 2 F the scheme permits to construct usable difficult instances than of weight w and a random syndrome s2 of size n − k. Is it can be used for cryptographic purposes. possible to distinguish between the random syndrome s2 and 3) Parallel-CFS.: It was proposed by Finiasz [8]. It consists T the syndrome s1 = H:x associated to a small weight vector in producing λ signatures (3 or 4) of related digests. If done x ? correctly, the cost for an existential forgery attack can be made The previous DSD problem is proven as hard as its search arbitrarily close to the cost for a universal forgery attack. version CSD in [3]. C. Stern’s Authentication Protocols 2) Gilbert-Varshamov Bound: The volume of a ball of n Pw 1) Stern’s protocol: Stern proposed in 1993 an authentica- radius w in the Hamming space F is Vn(w) = i=0(q − n tion algorithm in [21]. In the protocol the prover P convinces 1)i . For given n and k, we call Gilbert-Varshamov (GV) i the verifier V that he knows a secret word s 2 F n of weight bound is the integer b such that V (b ) ≥ qn−k. GV n GV w such that u = H:sT where u 2 F n−k and H 2 F (n−k)×n 3) Complete Decoder: We call w-bounded decoder asso- are public. A fake prover has a probability 2=3 to cheat at ciated to H a procedure F n−k !F n which returns for all each iteration and thus many iterations are needed (137 for a u 2 F n−k an element of CSD(H; u; w) (or fails if this set cheating probability < 2−80). is empty). For given n and k and for almost all codes a w- A transcript of the protocol for the pair (H; s), denoted bounded decoder fails for a proportion ≈ exp(−V (w)=qn−k) n SP(H; s), is a proof of knowledge that the prover knows a of the instances. If we choose an integer w > b , a w- GV vector of weight w associated to the syndrome s for H, it bounded decoder almost never fails1.