Post-Quantum Zero-Knowledge and Signatures from Symmetric-Key Primitives

Post-Quantum Zero-Knowledge and Signatures from Symmetric-Key Primitives

Session I1: Post-Quantum CCS’17, October 30-November 3, 2017, Dallas, TX, USA Post-Quantum Zero-Knowledge and Signatures from Symmetric-Key Primitives Melissa Chase David Derler Steven Goldfeder Microsoft Research Graz University of Technology Princeton University [email protected] [email protected] [email protected] Claudio Orlandi Sebastian Ramacher Christian Rechberger Aarhus University Graz University of Technology Graz University of Technology & [email protected] [email protected] Denmark Technical University [email protected] Daniel Slamanig Greg Zaverucha AIT Austrian Institute of Technology Microsoft Research [email protected] [email protected] ABSTRACT CCS CONCEPTS We propose a new class of post-quantum digital signature schemes • Security and privacy → Digital signatures; • Theory of com- that: (a) derive their security entirely from the security of symm- putation → Cryptographic primitives; etric-key primitives, believed to be quantum-secure, and (b) have extremely small keypairs, and, (c) are highly parameterizable. KEYWORDS In our signature constructions, the public key is an image y = Post-quantum cryptography, zero-knowledge, signatures, block f (x) of a one-way function f and secret key x. A signature is a cipher, Fiat-Shamir, Unruh, implementation non-interactive zero-knowledge proof of x, that incorporates a message to be signed. For this proof, we leverage recent progress of Giacomelli et al. (USENIX’16) in constructing an efficient Σ-protocol 1 INTRODUCTION for statements over general circuits. We improve this Σ-protocol to More than two decades ago Shor published his polynomial-time reduce proof sizes by a factor of two, at no additional computational quantum algorithm for factoring and computing discrete loga- cost. While this is of independent interest as it yields more compact rithms [81]. Since then, we know that a sufficiently powerful quan- proofs for any circuit, it also decreases our signature sizes. tum computer is able to break nearly all public key cryptography We consider two possibilities to make the proof non-interactive: used in practice today. This motivates the invention of crypto- the Fiat-Shamir transform and Unruh’s transform (EUROCRYPT’12, graphic schemes with post quantum (PQ) security, i.e., security ’15,’16). The former has smaller signatures, while the latter has a against attacks by a quantum computer. Even though no sufficiently security analysis in the quantum-accessible random oracle model. powerful quantum computer currently exists, NIST recently an- By customizing Unruh’s transform to our application, the overhead nounced a post-quantum crypto project1 to avoid a rushed transi- is reduced to 1.6x when compared to the Fiat-Shamir transform, tion from current cryptographic algorithms to PQ secure algorithms. which does not have a rigorous post-quantum security analysis. The project is seeking proposals for public key encryption, key ex- We implement and benchmark both approaches and explore the change and digital signatures thought to have PQ security. The possible choice of f , taking advantage of the recent trend to strive deadline for proposals is fall 2017. for practical symmetric ciphers with a particularly low number of In this paper we are concerned with constructing signature multiplications and end up using LowMC (EUROCRYPT’15). schemes for the post-quantum era. The building blocks of our schemes are interactive honest-verifier zero-knowledge proof sys- tems (Σ-protocols) for statements over general circuits and sym- metric-key primitives, that are conjectured to remain secure in a The full version of this paper is available as IACR Cryptology ePrint Archive Report post-quantum world. 2017/279. This paper is a merge of [34, 46]. Permission to make digital or hard copies of all or part of this work for personal or Post-Quantum Signatures. Perhaps the oldest signature scheme classroom use is granted without fee provided that copies are not made or distributed with post-quantum security are one-time Lamport signatures [63], for profit or commercial advantage and that copies bear this notice and the full citation built using hash functions. As Grover’s quantum search algorithm on the first page. Copyrights for components of this work owned by others than the author(s) must be honored. Abstracting with credit is permitted. To copy otherwise, or can invert any black-box function [52] with a quadratic speed-up republish, to post on servers or to redistribute to lists, requires prior specific permission over classical algorithms, one has to double the bit size of the hash and/or a fee. Request permissions from [email protected]. function’s domain, but still requires no additional assumptions to CCS ’17, October 30-November 3, 2017, Dallas, TX, USA © 2017 Copyright held by the owner/author(s). Publication rights licensed to Associa- provably achieve post-quantum security. Combined with Merkle- tion for Computing Machinery. trees, this approach yields stateful signatures for any polynomial ACM ISBN 978-1-4503-4946-8/17/10...$15.00 https://doi.org/http://dx.doi.org/10.1145/3133956.3133997 1http://csrc.nist.gov/groups/ST/post-quantum-crypto/ 1825 Session I1: Post-Quantum CCS’17, October 30-November 3, 2017, Dallas, TX, USA number of messages [71], where the state ensures that a one-time We build upon these results to achieve our central contribution: signature key from the tree is not reused. By making the tree very two concrete signature schemes. In both schemes the public key large, and randomly selecting a key from it (cf. [47]), along with is set up to be an image y = f (k) with respect to one-way func- other optimizations, yields practical stateless hash-based signa- tion f and secret key k. We then turn an instance of ZKB++ to tures [17]. prove knowledge of k into two signature schemes – one using the There are also existing schemes that make structured (or number- FS transform and the other using Unruh’s transform. The FS vari- theoretic) assumptions. Code-based signature schemes can be ob- ant, dubbed Fish, yields a signature scheme that is secure in the tained from identification schemes based on the syndrome decoding ROM, whereas the Unruh variant, dubbed Picnic, yields a signature (SD) problem [70, 82, 86] by applying a variant of the well-known scheme that is secure in the QROM, and we include a complete Fiat-Shamir (FS) transform [40]. Lattice-based signature schemes security proof. secure under the short integer solution (SIS) problem on lattices We review symmetric-key primitives with respect to their suit- following the Full-Domain-Hash (FDH) paradigm [13] have been in- ability to serve as f in our application and conclude that the troduced in [43]. More efficient approaches [7, 9, 65, 66] rely on the LowMC family of block ciphers [4, 6] is well suited. We explore the FS transform instead of FDH. BLISS [36], a very practical scheme, parameter space of LowMC and show that we can obtain various also relies on the FS transform, but buys efficiency at the cost of trade-offs between signature size and computation time. Thereby, more pragmatic assumptions, i.e., a ring version of the SIS problem. our approach turns out to be very flexible as besides the aforemen- For signatures based on problems related to multivariate systems of tioned trade-offs we are also able to adjust the security parameter quadratic equations only recently provably secure variants relying of our construction in a very fine-grained way. on the FS transform have been proposed [56]. We provide an implementation of both schemes for 128-bit post- When it comes to confidence in the underlying assumptions, quantum security, demonstrating the practical relevance of our hash-based signatures are arguably the preferred candidate among approach. In particular, we provide two reference implementations all existing approaches. All other practical signatures require an ad- on GitHub2,3. Moreover, we rigorously compare our schemes with ditional structured assumption (in addition to assumptions related other practical provably secure post-quantum schemes. to hash functions). 1.2 Related Work 1.1 Contributions We now give a brief overview of other candidate schemes and We contribute a novel class of practical post-quantum signature defer a detailed comparison of parameters and performance to schemes. Our approach only requires symmetric key primitives like Section 7. We start with the only existing instantiation that solely hash functions and block ciphers and does not require additional relies on standard assumptions, i.e., comes with a security proof in structured hardness assumptions. the standard model (SM). The remaining existing schemes rely on Along the way to building our signature schemes, we make structured assumptions related to codes, lattices and multivariate several contributions of general interest to zero-knowledge proofs systems of quadratic equations that are assumed to be quantum both in the classical and post-quantum setting: safe and have a security proof in the ROM. At the end of the section, • We improve ZKBoo [44], a recent Σ-protocol for proving we review the state of the art in zero-knowledge proofs for non- statements over general circuits. We reduce the transcript algebraic statements. size by more than half without increasing the computa- Hash-Based Signatures (SM). Hash-based signatures are attrac- tional cost. We call the improved protocol ZKB++. This tive as they can be proven secure in the standard model (i.e., without improvement is of general interest outside of our applica- ROs) under well-known properties of hash functions such as second tion to post-quantum signatures as it yields significantly preimage resistance. Unfortunately, highly efficient schemes like more concise zero knowledge proofs even in the classical XMSS [22] are stateful, which seems to be problematic for practical setting. applications [68]. Stateless schemes like SPHINCS [17] are thus • We also show how to apply Unruh’s generic transform [83– more desirable, but this comes at reduced efficiency and increased 85] to obtain a non-interactive counterpart of ZKB++ that signature sizes.

View Full Text

Details

  • File Type
    pdf
  • Upload Time
    -
  • Content Languages
    English
  • Upload User
    Anonymous/Not logged-in
  • File Pages
    18 Page
  • File Size
    -

Download

Channel Download Status
Express Download Enable

Copyright

We respect the copyrights and intellectual property rights of all users. All uploaded documents are either original works of the uploader or authorized works of the rightful owners.

  • Not to be reproduced or distributed without explicit permission.
  • Not used for commercial purposes outside of approved use cases.
  • Not used to infringe on the rights of the original creators.
  • If you believe any content infringes your copyright, please contact us immediately.

Support

For help with questions, suggestions, or problems, please contact us