

1. From 5-pass MQ-based identification to MQ-based signatures
Ming-Shing Chen (1, 2), Andreas Hülsing (3), Joost Rijneveld (4), Simona Samardjiska (5), Peter Schwabe (4)
(1) National Taiwan University / (2) Academia Sinica, Taipei, Taiwan; (3) Eindhoven University of Technology, The Netherlands; (4) Radboud University, Nijmegen, The Netherlands; (5) "Ss. Cyril and Methodius" University, Skopje, Republic of Macedonia
ASIACRYPT 2016, 2016-12-05 (slide 1 / 15)


3. Post-quantum signatures (Overview)
Problem: we want a post-quantum signature scheme
◮ Security arguments
◮ 'Acceptable' speed and size
Solutions:
◮ Hash-based: SPHINCS [BHH+15], XMSS [BDH11, HRS16]
  ◮ Slow or stateful
◮ Lattice-based: (Ring-)TESLA [ABB+16, ABB+15], BLISS [DDL+13], GLP [GLP12]
  ◮ Large keys, or additional structure
◮ MQ: ?
  ◮ Unclear security: many broken (except HFEv-, UOV)

4. This work (Overview)
◮ Transform a class of 5-pass IDS to signature schemes
  ◮ Extend the Fiat-Shamir transform
  ◮ Prove an earlier attempt [EDV+12] vacuous
  ◮ Amended in [DGV+16]
◮ Propose MQDSS
  ◮ Obtained by performing the transform
  ◮ Hardness of MQ
  ◮ Instantiate and implement as MQDSS-31-64
But also:
◮ Reduction in the ROM (not in the QROM)
◮ No tight proof

5. Canonical Identification Schemes
P                                          V
com ← P_0(sk)          ---- com  ---->
                       <---- ch   ----     ch ←R ChS(1^k)
resp ← P_1(sk, com, ch) ---- resp ---->
                                           b ← Vf(pk, com, ch, resp)
Informally:
1. Prover commits to some (random) value derived from sk
2. Verifier picks a challenge 'ch'
3. Prover computes response 'resp'
4. Verifier checks if the response matches the challenge


7. Security of the IDS
◮ Passively secure IDS
Soundness: the probability that an adversary can convince the verifier is 'small'
◮ Shows knowledge of the secret
◮ Adversary A can 'guess right': soundness error κ
$$\Pr\Big[\langle A(1^k, \mathrm{pk}), V(\mathrm{pk})\rangle = 1 \;:\; (\mathrm{pk}, \mathrm{sk}) \leftarrow \mathrm{KGen}(1^k)\Big] \le \kappa + \mathrm{negl}(k).$$
Honest-Verifier Zero-Knowledge: a simulator can 'fake' transcripts
◮ Shows that transcripts do not leak the secret


11. Fiat-Shamir transform
◮ First transform an IDS with soundness error κ to negl(k)
  ◮ Using parallel composition
◮ Transform the IDS into a signature
  ◮ Non-interactive:
    ◮ Signer is the 'prover'
    ◮ Function H provides the challenges
    ◮ Transcript is the signature
◮ Generalize to 5-pass
  ◮ Benefit from lower soundness error


14. 5-pass Fiat-Shamir transform
◮ Attempt in [EDV+12] incorrect
  ◮ 'n-soundness'
  ◮ Two transcripts agree up to the last challenge ⇒ extract sk
◮ Vacuous assumption: schemes satisfying it reduce to 3-pass
  ◮ HVZK: combine the first 3 messages into 1
  ◮ Special soundness: transform transcripts, use the extractor
  ◮ Existing schemes do not satisfy n-soundness
◮ n-soundness fixed in [DGV+16]
  ◮ Still does not apply to existing schemes


16. 5-pass Fiat-Shamir transform
◮ Restrict to challenge spaces of size q and 2, respectively
  ◮ 'q2-IDS'
◮ Prove EU-CMA using a dedicated forking lemma
  ◮ Assuming a successful forgery ..
  ◮ .. generate 4 signatures fulfilling a pattern on the challenges
  ◮ .. obtain 4 traces with the same commitments and that pattern on the challenges
◮ Use q2-IDS that allow extracting sk from such traces


19. MQ problem
The function family $\mathcal{MQ}(n, m, \mathbb{F}_q)$: $F(x) = (f_1(x), \ldots, f_m(x))$, where
$$f_s(x) = \sum_{i,j} a^{(s)}_{i,j}\, x_i x_j + \sum_i b^{(s)}_i\, x_i \quad \text{for } a^{(s)}_{i,j}, b^{(s)}_i \in \mathbb{F}_q,\; s \in \{1, \ldots, m\}.$$
Problem: For given $y \in \mathbb{F}_q^m$, find $x \in \mathbb{F}_q^n$ such that $F(x) = y$.
I.e., solve the system of equations:
$$y_0 = a^{(0)}_{0,0} x_0 x_0 + a^{(0)}_{0,1} x_0 x_1 + \ldots + a^{(0)}_{n,n} x_n x_n + b^{(0)}_0 x_0 + \ldots + b^{(0)}_n x_n$$
$$\vdots$$
$$y_m = a^{(m)}_{0,0} x_0 x_0 + a^{(m)}_{0,1} x_0 x_1 + \ldots + a^{(m)}_{n,n} x_n x_n + b^{(m)}_0 x_0 + \ldots + b^{(m)}_n x_n$$

20. Sakumoto et al. 5-pass IDS [SSH11]
P: (F, v, s)                                              V: (F, v)
P: r_0, t_0 ←R F_q^n, e_0 ←R F_q^m
   r_1 ← s − r_0
   c_0 ← Com(r_0, t_0, e_0)
   c_1 ← Com(r_1, G(t_0, r_1) + e_0)
P → V: (c_0, c_1)
                                                          V: α ←R F_q
V → P: α
P: t_1 ← α r_0 − t_0
   e_1 ← α F(r_0) − e_0
P → V: resp_1 = (t_1, e_1)
                                                          V: ch_2 ←R {0, 1}
V → P: ch_2
P: If ch_2 = 0, resp_2 ← r_0; else resp_2 ← r_1
P → V: resp_2
V: If ch_2 = 0: parse resp_2 = r_0, check c_0 =? Com(r_0, α r_0 − t_1, α F(r_0) − e_1)
   Else: parse resp_2 = r_1, check c_1 =? Com(r_1, α (v − F(r_1)) − G(t_1, r_1) − e_1)

21. Sakumoto et al. 5-pass IDS [SSH11]
◮ Relies only on MQ, not IP
◮ Key technique: cut-and-choose for MQ
  ◮ Analogously, consider DLP: s = r_0 + r_1 ⇒ g^s = g^{r_0} · g^{r_1}
  ◮ Bilinear map G(x, y) = F(x + y) − F(x) − F(y)
  ◮ Split s and F(s) into r_0, r_1 and F(r_0), F(r_1)
  ◮ Split again into t_0, t_1 resp. e_0, e_1, using α
  ◮ See [SSH11] for details
◮ Result: reveal either (r_0, t_1, e_1) or (r_1, t_1, e_1)
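As an added worked example (not code from the paper or from the MQDSS implementation), one round of the SSH11 5-pass IDS from slides 20 and 21 over F_31: it builds a constructed MQ system, the polar form G, and runs both verifier checks, so you can see why the bilinearity of G makes the c_1 check go through. The SHA-256-based Com, the toy sizes n = m = 6 and the fixed key seed are assumptions of this example.

```python
import hashlib
import random
import secrets

Q, N, M = 31, 6, 6  # F_31 as in MQDSS-31-64; n, m shrunk to 6 for illustration (assumption)

def mq_keygen(seed=1):
    """Constructed toy MQ system F: a[s][i][j] (i <= j) quadratic, b[s][i] linear coefficients."""
    rng = random.Random(seed).randrange
    a = [[[rng(Q) if i <= j else 0 for j in range(N)] for i in range(N)] for _ in range(M)]
    b = [[rng(Q) for _ in range(N)] for _ in range(M)]
    return a, b

def mq_eval(F, x):
    """F(x) = (f_1(x), ..., f_m(x)) with f_s(x) = sum a_ij x_i x_j + sum b_i x_i over F_q."""
    a, b = F
    return [(sum(a[s][i][j] * x[i] * x[j] for i in range(N) for j in range(i, N))
             + sum(b[s][i] * x[i] for i in range(N))) % Q for s in range(M)]

def vadd(u, w): return [(p + q) % Q for p, q in zip(u, w)]
def vsub(u, w): return [(p - q) % Q for p, q in zip(u, w)]
def smul(c, u): return [(c * p) % Q for p in u]

def polar(F, x, y):
    """G(x, y) = F(x + y) - F(x) - F(y); bilinear because F has no constant term."""
    return vsub(vsub(mq_eval(F, vadd(x, y)), mq_eval(F, x)), mq_eval(F, y))

def com(*vecs):
    """Commitment modelled as SHA-256 over the encoded vectors (assumption, not the paper's Com)."""
    return hashlib.sha256(b"|".join(bytes(v) for v in vecs)).hexdigest()

def ids_round(F, v, s, alpha, ch2):
    """One round of the SSH11 5-pass IDS with given challenges; returns True iff V accepts."""
    r0 = [secrets.randbelow(Q) for _ in range(N)]   # prover randomness
    t0 = [secrets.randbelow(Q) for _ in range(N)]
    e0 = [secrets.randbelow(Q) for _ in range(M)]
    r1 = vsub(s, r0)                                  # split s = r0 + r1
    c0 = com(r0, t0, e0)                              # message 1: (c0, c1)
    c1 = com(r1, vadd(polar(F, t0, r1), e0))
    t1 = vsub(smul(alpha, r0), t0)                    # message 3, after challenge alpha: (t1, e1)
    e1 = vsub(smul(alpha, mq_eval(F, r0)), e0)
    if ch2 == 0:                                      # message 5: reveal r0, V recomputes c0
        return c0 == com(r0, vsub(smul(alpha, r0), t1), vsub(smul(alpha, mq_eval(F, r0)), e1))
    # reveal r1; V recomputes c1 from v, r1, t1, e1 using F(s) = F(r0) + F(r1) + G(r0, r1)
    return c1 == com(r1, vsub(vsub(smul(alpha, vsub(v, mq_eval(F, r1))), polar(F, t1, r1)), e1))
```

A prover who does not know s can still pass the ch_2 = 0 branch, which is exactly the cut-and-choose soundness error the transform must amplify over many rounds.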


26. MQDSS
◮ Generate keys
  ◮ Sample seed S_F ∈ {0, 1}^k, sk ∈ F_q^n ⇒ secret key (S_F, sk)
  ◮ Expand S_F to F, compute pk = F(sk) ⇒ public key (S_F, pk)
◮ Signing
  ◮ Sign a randomized digest D over M
  ◮ Perform r rounds of the transformed IDS
    ◮ 2r commitments, some multiplications in F_q
    ◮ 2r MQ evaluations
  ◮ Tricks to reduce size
    ◮ Only include necessary commits (hash the others) [SSH11]
    ◮ Commit to seeds
◮ Verifying
  ◮ Reconstruct D, F
