SPHINCS $^+ $ Post-Quantum Digital Signature Scheme with Streebog
Total Page:16
File Type:pdf, Size:1020Kb
Load more
Recommended publications
-
Etsi Gr Qsc 001 V1.1.1 (2016-07)
ETSI GR QSC 001 V1.1.1 (2016-07) GROUP REPORT Quantum-Safe Cryptography (QSC); Quantum-safe algorithmic framework 2 ETSI GR QSC 001 V1.1.1 (2016-07) Reference DGR/QSC-001 Keywords algorithm, authentication, confidentiality, security ETSI 650 Route des Lucioles F-06921 Sophia Antipolis Cedex - FRANCE Tel.: +33 4 92 94 42 00 Fax: +33 4 93 65 47 16 Siret N° 348 623 562 00017 - NAF 742 C Association à but non lucratif enregistrée à la Sous-Préfecture de Grasse (06) N° 7803/88 Important notice The present document can be downloaded from: http://www.etsi.org/standards-search The present document may be made available in electronic versions and/or in print. The content of any electronic and/or print versions of the present document shall not be modified without the prior written authorization of ETSI. In case of any existing or perceived difference in contents between such versions and/or in print, the only prevailing document is the print of the Portable Document Format (PDF) version kept on a specific network drive within ETSI Secretariat. Users of the present document should be aware that the document may be subject to revision or change of status. Information on the current status of this and other ETSI documents is available at https://portal.etsi.org/TB/ETSIDeliverableStatus.aspx If you find errors in the present document, please send your comment to one of the following services: https://portal.etsi.org/People/CommiteeSupportStaff.aspx Copyright Notification No part may be reproduced or utilized in any form or by any means, electronic or mechanical, including photocopying and microfilm except as authorized by written permission of ETSI. -
State of the Art in Lightweight Symmetric Cryptography
State of the Art in Lightweight Symmetric Cryptography Alex Biryukov1 and Léo Perrin2 1 SnT, CSC, University of Luxembourg, [email protected] 2 SnT, University of Luxembourg, [email protected] Abstract. Lightweight cryptography has been one of the “hot topics” in symmetric cryptography in the recent years. A huge number of lightweight algorithms have been published, standardized and/or used in commercial products. In this paper, we discuss the different implementation constraints that a “lightweight” algorithm is usually designed to satisfy. We also present an extensive survey of all lightweight symmetric primitives we are aware of. It covers designs from the academic community, from government agencies and proprietary algorithms which were reverse-engineered or leaked. Relevant national (nist...) and international (iso/iec...) standards are listed. We then discuss some trends we identified in the design of lightweight algorithms, namely the designers’ preference for arx-based and bitsliced-S-Box-based designs and simple key schedules. Finally, we argue that lightweight cryptography is too large a field and that it should be split into two related but distinct areas: ultra-lightweight and IoT cryptography. The former deals only with the smallest of devices for which a lower security level may be justified by the very harsh design constraints. The latter corresponds to low-power embedded processors for which the Aes and modern hash function are costly but which have to provide a high level security due to their greater connectivity. Keywords: Lightweight cryptography · Ultra-Lightweight · IoT · Internet of Things · SoK · Survey · Standards · Industry 1 Introduction The Internet of Things (IoT) is one of the foremost buzzwords in computer science and information technology at the time of writing. -
Exponential S-Boxes: a Link Between the S-Boxes of Belt and Kuznyechik/Streebog
Exponential S-Boxes: a Link Between the S-Boxes of BelT and Kuznyechik/Streebog Léo Perrin and Aleksei Udovenko SnT, University of Luxembourg {leo.perrin,aleksei.udovenko}@uni.lu Abstract. The block cipher Kuznyechik and the hash function Streebog were recently standardized by the Russian Federation. These primitives use a common 8-bit S-Box, denoted 휋, which is given only as a look-up table. The rationale behind its design is, for all practical purposes, kept secret by its authors. In a paper presented at Eurocrypt 2016, Biryukov et al. reverse-engineered this S-Box and recovered an unusual Feistel-like structure relying on finite field multiplications. In this paper, we provide a new decomposition of this S-Box and describe how we obtained it. The first step was the analysis of the 8-bit S-Box of the current standard block cipher of Belarus, BelT. This S-Box is a variant of a so-called exponential substitution, a concept we generalize into pseudo-exponential substitution. We derive distinguishers for such permutations based on properties of their linear approximation tables and notice that 휋 shares some of them. We then show that 휋 indeed has a decomposition based on a pseudo-exponential substitution. More precisely, we obtain a simpler structure based on an 8-bit finite field exponentiation, one 4-bit S-Box, a linear layer and a few modular arithmetic operations. We also make several observations which may help cryptanalysts attempting to reverse-engineer other S-Boxes. For example, the visual pattern used in the previous work as a starting point to decompose 휋 is mathematically formalized and the use of differential patterns involving operations other than exclusive-or is explored. -
Streebog and Kuznyechik Inconsistencies in the Claims of Their Designers
Streebog and Kuznyechik Inconsistencies in the Claims of their Designers Léo Perrin [email protected] @lpp_crypto IETF Workshop, Montréal Standards and S-boxes On the S-box of RFC 6986 and 7801 The Core Issue: the S-Box Generation Process Conclusion Partitions in the S-Box of Streebog and Kuznyechik Transactions in Symmetric Léo Perrin Inria, France [email protected] Cryptology, Volume 2019, No. 1, pp. Abstract. Streebog and Kuznyechik are the latest symmetric cryptographic primitives standardized by the Russian GOST. They share the same S-Box, 휋, whose design process was not described by its authors. In previous works, Biryukov, Perrin and 302-329. Best paper award! Udovenko recovered two completely different decompositions of this S-Box. We revisit their results and identify a third decomposition of 휋. It is an instance of a fairly small family of permutations operating on 2푚 bits which we call TKlog and which is closely related tofnitefeld logarithms. Its simplicity and the small number of components it uses lead us to claim that it has to be the structure intentionally used by the designers of Streebog and Kuznyechik. The 2푚-bit permutations of this type have a very strong algebraic structure: they 푚 푚 map multiplicative cosets of the subfield GF(2 )* to additive cosets of GF(2 )*. Furthermore, the function relating each multiplicative coset to the corresponding additive coset is always essentially the same. To the best of our knowledge, we are thefrst to expose this very strong algebraic structure. We also investigate other properties of the TKlog and show in particular that it can always be decomposed in a fashion similar to thefrst decomposition of Biryukov et al., thus explaining the relation between the two previous decompositions. -
Performance Analysis of Cryptographic Hash Functions Suitable for Use in Blockchain
I. J. Computer Network and Information Security, 2021, 2, 1-15 Published Online April 2021 in MECS (http://www.mecs-press.org/) DOI: 10.5815/ijcnis.2021.02.01 Performance Analysis of Cryptographic Hash Functions Suitable for Use in Blockchain Alexandr Kuznetsov1 , Inna Oleshko2, Vladyslav Tymchenko3, Konstantin Lisitsky4, Mariia Rodinko5 and Andrii Kolhatin6 1,3,4,5,6 V. N. Karazin Kharkiv National University, Svobody sq., 4, Kharkiv, 61022, Ukraine E-mail: [email protected], [email protected], [email protected], [email protected], [email protected] 2 Kharkiv National University of Radio Electronics, Nauky Ave. 14, Kharkiv, 61166, Ukraine E-mail: [email protected] Received: 30 June 2020; Accepted: 21 October 2020; Published: 08 April 2021 Abstract: A blockchain, or in other words a chain of transaction blocks, is a distributed database that maintains an ordered chain of blocks that reliably connect the information contained in them. Copies of chain blocks are usually stored on multiple computers and synchronized in accordance with the rules of building a chain of blocks, which provides secure and change-resistant storage of information. To build linked lists of blocks hashing is used. Hashing is a special cryptographic primitive that provides one-way, resistance to collisions and search for prototypes computation of hash value (hash or message digest). In this paper a comparative analysis of the performance of hashing algorithms that can be used in modern decentralized blockchain networks are conducted. Specifically, the hash performance on different desktop systems, the number of cycles per byte (Cycles/byte), the amount of hashed message per second (MB/s) and the hash rate (KHash/s) are investigated. -
Handling the State of Hash-Based Signatures
Let Live and Let Die — Handling the State of Hash-based Signatures Stefan-Lukas Gazdag1, Denis Butin2, and Johannes Buchmann2 1 genua mbh, Germany [email protected] 2 TU Darmstadt, Germany {dbutin,buchmann}@cdc.informatik.tu-darmstadt.de Abstract. Real-world use of digital signatures currently relies on algo rithms that will be broken once quantum computers become available. Quantum-safe alternatives exist; in particular, hash-based schemes offer adequate performance and security and are seen as a fitting solution for post-quantum signatures. Unfortunately, they are not used at large because practical hurdles have not yet been overcome. In particular, their reliance on one-time signing keys makes it necessary to carefully keep track of a key index. We present strategies for handling the state of hash- based signatures for different use cases, ranging from infrequent software update authentication to high-frequency TLS connection initialization. Keywords: Digital signatures, Hash-based, Integration 1 Motivation Digital signatures are massively used online, notably for authentication, integrity checking and non-repudiation. The digital signature algorithms most commonly used in practice — RSA, DSA and ECDSA — rely on hardness assumptions about number theoretic problems, namely composite integer factorisation and the computation of discrete logarithms. In light of Shor’s [19] algorithm, these arithmetical problems would be broken in the presence of quantum computing. While quantum computers are not yet available, their development is occurring at a swift pace [18]. However, post-quantum cryptography [3] provides a variety of quantum-resistant alternatives to classical digital signature schemes. Hash- based (or Merkle) signatures are one of the most promising of these alternatives and have received a lot of attention lately. -
2 XII December 2014
2 XII December 2014 www.ijraset.com Volume 2 Issue XII, December 2014 ISSN: 2321-9653 International Journal for Research in Applied Science & Engineering Technology (IJRASET) Privacy in Data Storage and MultiOwner Authentication with Load Balancing in Cloud Computing Thulasibai.U1, Arul prem.G2, Deepika.J3 Sri Venkateshwara College of Engineering and Technology, India Abstract: Using Cloud Storage, users can remotely store their data and enjoy the on-demand high quality applications and services from a shared pool of configurable computing resources, without the encumbrance of local data storage and maintenance. the data integrity protection in Cloud Computing a formidable task, especially for users with constrained computing resources. Moreover, users should be able to just use the cloud storage as if it is local, without worrying about the need to verify its integrity. Thus, enabling public audit ability for cloud storage is of critical prominence so that users can resort to a Third Party Auditor (TPA) to check the integrity of outsourced data and be worry-free. To securely introduce an effective TPA, the auditing process should bring in no new vulnerabilities towards user data privacy, and introduce no additional online burden to user. In this project, we propose a secure cloud storage system supporting privacy-preserving public auditing. We further extend our result to enable the TPA to perform audits for multiple users simultaneously and efficiently. Extensive security and performance analysis show the proposed schemes are provably secure and highly efficient. Keyword: Cloud Storage Security, batch auditing, Tpa, load balancing, Rdpc I. INTRODUCTION Cloud computing is recognized as an alternative to traditional information technology due to its intrinsic resource-sharing and low-maintenance characteristics. -
Question 1.1. What Is the RSA Laboratories' Frequently Asked
Copyright © 1996, 1998 RSA Data Security, Inc. All rights reserved. RSA BSAFE Crypto-C, RSA BSAFE Crypto-J, PKCS, S/WAN, RC2, RC4, RC5, MD2, MD4, and MD5 are trade- marks or registered trademarks of RSA Data Security, Inc. Other products and names are trademarks or regis- tered trademarks of their respective owners. For permission to reprint or redistribute in part or in whole, send e-mail to [email protected] or contact your RSA representative. RSA Laboratories’ Frequently Asked Questions About Today’s Cryptography, v4.0 2 Table of Contents Table of Contents............................................................................................ 3 Foreword......................................................................................................... 8 Section 1: Introduction .................................................................................... 9 Question 1.1. What is the RSA Laboratories’ Frequently Asked Questions About Today’s Cryptography? ................................................................................................................ 9 Question 1.2. What is cryptography? ............................................................................................10 Question 1.3. What are some of the more popular techniques in cryptography? ................... 11 Question 1.4. How is cryptography applied? ............................................................................... 12 Question 1.5. What are cryptography standards? ...................................................................... -
Survey of One Time Signature Schemes on Cloud Computing
ISSN(Online): 2320-9801 ISSN (Print): 2320-9798 International Journal of Innovative Research in Computer and Communication Engineering (An ISO 3297: 2007 Certified Organization) Vol. 3, Issue 4, April 2015 Survey of One Time Signature Schemes on Cloud Computing Revatthy Krishnamurthy1, K.P. Kaliyamurthie2 1M.Tech Scholar, Department of Computer Science & Engineering, Bharath University, Chennai, India 2Professor, Department of Computer Science & Engineering, Bharath University, Chennai, India. ABSTRACT : Cloud computing is a technology and large - scale computing resources to effectively integrate, and the resources are computed based on cryptographic secure hash functions. The biggest problem of one time signature scheme is the key management. An efficient key management is needed to make one-time signature scheme and the Merkle signature schemes feasible. This paper presents detailed study on one-time signature and Merkle signature schemes. KEYWORDS: Cloud computing, one-time signature scheme, Merkle signature scheme, Key generation. I. INTRODUCTION Cloud is a large group of interconnected computers, which is a major change in how we store information and run application. Cloud computing is used for many bigdata applications and it is cost effective. Data storage and sharing services in the cloud with three entities such as the cloud, the third party Auditor (TPA), and users who participate as a group includes one original user and a number of group users. The original user is an original owner of data, and shares data in the cloud with other users [2]. A single message using a given piece of private or public information. The conventional signature schemes like RSA, the same key pair can be used to authenticate large number of documents. -
Lecture 17 March 28, 2019
Outline Lamport Signatures Merkle Signatures Passwords CPSC 367: Cryptography and Security Michael J. Fischer Lecture 17 March 28, 2019 CPSC 367, Lecture 17 1/23 Outline Lamport Signatures Merkle Signatures Passwords Lamport One-Time Signatures Merkle Signatures Authentication Using Passwords Authentication problem Passwords authentication schemes CPSC 367, Lecture 17 2/23 Outline Lamport Signatures Merkle Signatures Passwords Lamport One-Time Signatures CPSC 367, Lecture 17 3/23 Outline Lamport Signatures Merkle Signatures Passwords Overview of Lamport signatures Leslie Lamport devised a digital signature scheme based on hash functions rather than on public key cryptography. Its drawback is that each key pair can be used to sign only one message. We describe how Alice uses it to sign a 256-bit message. As wtih other signature schemes, it suffices to sign the hash of the actual message. CPSC 367, Lecture 17 4/23 Outline Lamport Signatures Merkle Signatures Passwords How signing works The private signing key consists of a sequence r = (r 1;:::; r 256) of k k pairs( r0 ; r1 ) of random numbers,1 ≤ k ≤ 256. th Let m be a 256-bit message. Denote by mk the k bit of m. The signature of m is the sequence of numbers s = (s1;:::; s256), where sk = r k : mk k k Thus, one element from the pair( r0 ; r1 ) is used to sign mk , so k k k k s = r0 if mk = 0 and s = r1 if mk = 1. CPSC 367, Lecture 17 5/23 Outline Lamport Signatures Merkle Signatures Passwords How verification works The public verification key consists of the sequence 1 256 k k k k v = (v ;:::; v ) of pairs( v0 ; v1 ), where vj = H(rj ), and H is any one-way function (such as a cryptographically strong hash function). -
Performance Evaluation of Post-Quantum Public-Key Cryptography in Smart Mobile Devices Noureddine Chikouche, Abderrahmen Ghadbane
Performance Evaluation of Post-quantum Public-Key Cryptography in Smart Mobile Devices Noureddine Chikouche, Abderrahmen Ghadbane To cite this version: Noureddine Chikouche, Abderrahmen Ghadbane. Performance Evaluation of Post-quantum Public- Key Cryptography in Smart Mobile Devices. 17th Conference on e-Business, e-Services and e-Society (I3E), Oct 2018, Kuwait City, Kuwait. pp.67-80, 10.1007/978-3-030-02131-3_9. hal-02274171 HAL Id: hal-02274171 https://hal.inria.fr/hal-02274171 Submitted on 29 Aug 2019 HAL is a multi-disciplinary open access L’archive ouverte pluridisciplinaire HAL, est archive for the deposit and dissemination of sci- destinée au dépôt et à la diffusion de documents entific research documents, whether they are pub- scientifiques de niveau recherche, publiés ou non, lished or not. The documents may come from émanant des établissements d’enseignement et de teaching and research institutions in France or recherche français ou étrangers, des laboratoires abroad, or from public or private research centers. publics ou privés. Distributed under a Creative Commons Attribution| 4.0 International License Performance Evaluation of Post-Quantum Public-Key Cryptography in Smart Mobile Devices Noureddine Chikouche1;2[0000−0001−9653−6608] and Abderrahmen Ghadbane2 1 Laboratory of Pure and Applied Mathematics, University of M'sila, Algeria 2 Computer Science Department, University of M'sila, Algeria Abstract. The classical public-key schemes are based on number the- ory, such as integer factorization and discrete logarithm. In 1994, P.W. Shor proposed an algorithm to solve these problems in polynomial time using quantum computers. Recent advancements in quantum computing open the door to the possibility of developing quantum computers so- phisticated enough to solve these problems. -
Flexible Signatures: Making Authentication Suitable for Real-Time Environments
Flexible Signatures: Making Authentication Suitable for Real-Time Environments Duc V. Le1, Mahimna Kelkar2 ?, and Aniket Kate1 1 Purdue University fle52,[email protected] 2 Cornell University [email protected] Abstract. This work introduces the concept of flexible signatures. In a flexible signature scheme, the verification algorithm quantifies the va- lidity of a signature based on the number of computations performed, such that the signature's validation (or confidence) level in [0; 1] improves as the algorithm performs more computations. Importantly, the defini- tion of flexible signatures does not assume the resource restriction to be known in advance, a significant advantage when the verification process is hard stopped by a system interrupt. Prominent traditional signature schemes such as RSA, (EC)DSA seem unsuitable towards building flexi- ble signatures because rigid all-or-nothing guarantees offered by the tra- ditional cryptographic primitives have been particularly unattractive in these unpredictably resource-constrained environments. In this work, we find the use of the Lamport-Diffie one-time signature and Merkle authentication tree to be suitable for building flexible signatures. We present a flexible signature construction based on these hash-based primitives and prove its security with concrete security analysis. We also perform a thorough validity-level analysis demonstrating an attractive computation-vs-validity trade-off offered by our construction: a security 2 level of 80 bits can be ensured by performing only around 3 rd of the total hash computations for our flexible signature construction with a Merkle tree of height 20. Finally, we have implemented our constructions in a resource-constrained environment on a Raspberry Pi.