
MQ Signatures for PKI. June 2017. Alan Szepieniec, Ward Beullens, Bart Preneel. PowerPoint presentation (slide text).



Slide 1/17: MQ Signatures for PKI. June 2017. Alan Szepieniec, Ward Beullens, Bart Preneel.

Slide 2/17: New Hope Key Exchange
• Post-Quantum KX based on RLWE
• USENIX 2016
• Facebook Internet Defense Prize
• Google Experiment: a fraction of Chrome browsers use ECDH+NH
• \o/

Slide 3/17: Post-Quantum Key Exchange
Alice holds $s_a$ and Bob holds $s_b$. Alice sends $a$, Bob sends $b$, and both derive the same key $k$.
Passive adversary: $a, b \not\mapsto k$ (observing $a$ and $b$ does not yield $k$).

Slide 4/17: Post-Quantum Key Exchange, Active Adversary
Alice holds $s_a$ and Bob holds $s_b$. The adversary replaces $a$ with $a'$ and $b$ with $b'$, so Alice derives $k_a$ and Bob derives $k_b$, and the adversary knows both $k_a$ and $k_b$.
How to kill MitM? Signatures, of course! Post-quantum ones.
With signatures: Bob holds $s_b, pk_b, sk_b$ and Alice holds $pk_b$. Bob sends $b$ together with $\mathrm{sign}_{sk_b}(b)$; the adversary can still substitute $b'$ but has no signature on it (???). Alice runs $\mathrm{vfy}(\cdot,\cdot,\cdot)$ before deriving $k$.

Slide 5/17: Public Key Infrastructure (PKI)
Alice receives the certificate chain $b,\ \mathrm{sign}_{sk_b}(b),\ pk_b,\ \mathrm{sign}_{sk_c}(pk_b),\ pk_c,\ \ldots,\ \mathrm{sign}_{sk_r}(pk_q)$, holds the root key $pk_r$, and runs $\mathrm{vfy}(\cdot,\cdot,\cdot)$ along the chain.
desirable properties: fast (Alice's verification), small (certificate)
acceptable drawbacks: slow (certificate generation), big
prime directive: minimize $|pk| + |sig|$

Slide 6/17: Post-Quantum Signature Schemes
[Chart: the schemes CFS, UOV, SPHINCS, BLISS, HFEv−, MQDSS and ECDSA plotted by signature size against public key size; arrows 1 and 2 point toward "this paper".]
strategy: transform MQ-signature schemes to shrink $|pk| + |s|$

Slide 7/17: MQ Signature Schemes
$P, F : \mathbb{F}_q^n \to \mathbb{F}_q^m$, $T, S \in GL(\mathbb{F}_q)$, $s \in \mathbb{F}_q^n$.
public knowledge: $P$. private knowledge: $S, F, T$, used for signature generation.
signature verification: $P(s) \stackrel{?}{=} H(d)$.

Slide 8/17: Transformation
Step 1: replace $P(s) \stackrel{?}{=} H(d)$ with $tP(s) \stackrel{?}{=} tH(d)$ for $t \xleftarrow{\$} \mathbb{F}_q^{\alpha \times m}$; determine $t = H(s)$; transmit $R(x) = tP(x)$ with $s$ as part of the signature.
Step 2: authenticate $R(x)$ using linearly homomorphic MACs.
2a. define $\hat R(z), \hat P(z)$ with the same coefficients as $R(x), P(x)$.
2b. verify that $t\hat P(z) = \hat R(z)$ instead of $tP(x) = R(x)$ (the MAC commutes with $t$: $P(x) \mapsto \hat P(z)$ and $tP(x) \mapsto t\hat P(z)$).
2c. verify $t\hat P(z_i) = \hat R(z_i)$ in only $\vartheta$ randomly chosen points; determine $\{z_1, \ldots, z_\vartheta\} = H(R(x))$.
2d. Merkleize all $\tau$ evaluations $\hat P(z_i)$.
new signature: $(s, R(x), \text{Merkle paths})$; new public key: Merkle root.
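The following Python toy is an added illustration of Steps 1 and 2, constructed for this page; it is not code from the slides or from the authors' implementation. All parameters are assumed and far too small for security ($q=13$, $n=3$, $m=2$, $\alpha=1$, $\tau=12$, $\vartheta=3$), SHA-256 stands in for every hash $H$, the evaluation points are $z_i = i$ in $\mathbb{F}_{13}$, and the signer's MQ trapdoor $(S, F, T)$ is replaced by exhaustive search over $\mathbb{F}_q^n$ since only the verification layer is being demonstrated. What it shows is the verifier's side of the transformation: it never sees $P$, only $R(x) = tP(x)$ plus $\vartheta$ Merkle-authenticated leaves $\hat P(z_i)$, and checks $R(s) = tH(d)$ and $t\hat P(z_i) = \hat R(z_i)$ at hash-chosen points.

```python
# Toy instance of the slide-8 transformation (constructed example, not the authors' code):
# pk = Merkle root over P^(z_i); the verifier checks R(x) = t*P(x) through the linearly
# homomorphic MAC P(x) -> P^(z) at hash-chosen points.  Tiny, insecure, assumed parameters;
# brute-force search replaces the MQ trapdoor (S, F, T).
import hashlib
import random
from itertools import product

Q, N, M = 13, 3, 2               # F_q, variables, equations (assumed toy values)
ALPHA, TAU, THETA = 1, 12, 3     # rows of t, Merkle leaves, spot-checked points
MONOMIALS = [(i, j) for i in range(N) for j in range(i, N)]  # x_i x_j: n(n+1)/2 of them
POINTS = list(range(1, TAU + 1))  # z_1..z_tau, distinct because tau <= q-1

def H(data):
    return hashlib.sha256(data).digest()

def eval_poly(coeffs, x):  # quadratic form with these coefficients at x in F_q^n
    return sum(c * x[i] * x[j] for c, (i, j) in zip(coeffs, MONOMIALS)) % Q

def eval_hat(coeffs, z):   # P^(z): same coefficients, monomial number k replaced by z^k
    return sum(c * pow(z, k, Q) for k, c in enumerate(coeffs)) % Q

def hash_to_field(tag, data, count):  # count elements of F_q (byte mod q: biased, toy only)
    out, ctr = [], 0
    while len(out) < count:
        out.extend(b % Q for b in H(tag + data + bytes([ctr])))
        ctr += 1
    return out[:count]

def merkle_tree(leaves):   # levels of a SHA-256 Merkle tree, leaves first, padded to 2^k
    level = [H(b"leaf" + leaf) for leaf in leaves]
    while len(level) & (len(level) - 1):
        level.append(H(b"pad"))
    levels = [level]
    while len(level) > 1:
        level = [H(level[i] + level[i + 1]) for i in range(0, len(level), 2)]
        levels.append(level)
    return levels

def merkle_path(levels, idx):
    return [level[(idx >> h) ^ 1] for h, level in enumerate(levels[:-1])]

def merkle_verify(root, leaf, idx, path):
    node = H(b"leaf" + leaf)
    for h, sib in enumerate(path):
        node = H(node + sib) if (idx >> h) % 2 == 0 else H(sib + node)
    return node == root

def derive_t(s):           # t = H(s): an alpha x m matrix over F_q
    return [hash_to_field(b"t%d" % r, bytes(s), M) for r in range(ALPHA)]

def challenge_indices(R):  # {z_1..z_theta} = H(R(x)): theta distinct leaf indices
    data, chosen, ctr = b"".join(bytes(row) for row in R), [], 0
    while len(chosen) < THETA:
        for b in H(b"chal" + data + bytes([ctr])):
            if b % TAU not in chosen and len(chosen) < THETA:
                chosen.append(b % TAU)
        ctr += 1
    return chosen

def keygen(rng):           # pk = Merkle root of all tau evaluations P^(z_i); sk keeps P, tree
    P = [[rng.randrange(Q) for _ in MONOMIALS] for _ in range(M)]
    levels = merkle_tree([bytes(eval_hat(Pk, z) for Pk in P) for z in POINTS])
    return levels[-1][0], (P, levels)

def sign(sk, d):
    P, levels = sk
    for salt in range(256):  # re-salt H(d) until it has a preimage under P
        target = hash_to_field(b"msg", d + bytes([salt]), M)
        s = next((list(x) for x in product(range(Q), repeat=N)  # brute force, not a trapdoor
                  if all(eval_poly(Pk, x) == y for Pk, y in zip(P, target))), None)
        if s is not None:
            break
    else:
        raise RuntimeError("no preimage found")
    t = derive_t(s)
    R = [[sum(t[r][k] * P[k][c] for k in range(M)) % Q for c in range(len(MONOMIALS))]
         for r in range(ALPHA)]          # R(x) = t*P(x), coefficient-wise (linear in P)
    openings = [(i, bytes(eval_hat(Pk, POINTS[i]) for Pk in P), merkle_path(levels, i))
                for i in challenge_indices(R)]
    return s, salt, R, openings          # new signature: (s, R(x), Merkle paths)

def verify(pk, d, sig):
    s, salt, R, openings = sig
    t, target = derive_t(s), hash_to_field(b"msg", d + bytes([salt]), M)
    # Step 1: t*P(s) = t*H(d), computed as R(s) because the verifier no longer has P
    if any(eval_poly(R[r], s) != sum(t[r][k] * target[k] for k in range(M)) % Q
           for r in range(ALPHA)):
        return False
    # Steps 2c/2d: opened leaves must be the hash-chosen ones, authenticate under pk,
    # and satisfy t*P^(z_i) = R^(z_i); this is where R(x) = t*P(x) is actually checked
    if [i for i, _, _ in openings] != challenge_indices(R):
        return False
    for i, leaf, path in openings:
        if not merkle_verify(pk, leaf, i, path) or any(
                sum(t[r][k] * leaf[k] for k in range(M)) % Q != eval_hat(R[r], POINTS[i])
                for r in range(ALPHA)):
            return False
    return True
```

Run `keygen(random.Random(7))`, then `sign(sk, b"hello")` and `verify(pk, b"hello", sig)`. Note the bookkeeping the toy makes visible: the public key is one 32-byte root instead of $m \cdot n(n+1)/2$ coefficients, the signature carries $\alpha \cdot n(n+1)/2$ coefficients of $R$ plus $\vartheta$ leaves with paths, and the soundness of the spot check rests on $\hat R$ having degree below $n(n+1)/2 < \tau$, so a wrong $\hat R$ can agree with $t\hat P$ on only a bounded fraction of the $\tau$ points.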

Slide 9/17: Merkle Tree over the leaves $\hat P(z_1), \hat P(z_2), \ldots, \hat P(z_\tau)$.

Slide 10/17: Provable Security
$$\mathrm{InSec}^{\mathrm{EUF\text{-}CMA}}_{\mathrm{NEW}}(t, Q) \le \mathrm{InSec}^{\mathrm{EUF\text{-}CMA}}_{\mathrm{ORIGINAL}}(t + O(Q), Q) + \frac{(Q+1)(2\tau - 1)}{2^\kappa} + (Q+1)\left(\frac{n(n+1)}{2\tau}\right)^{\vartheta} + (Q+1)\, q^{-\alpha}$$
The four terms account for the original scheme, the Merkle tree, the MAC polynomials, and a lucky $s$.
... in the QROM:
$$\mathrm{InSec}^{\mathrm{EUF\text{-}CMA}}_{\mathrm{NEW}}(t, Q) \le \mathrm{InSec}^{\mathrm{EUF\text{-}CMA}}_{\mathrm{ORIGINAL}}(t + O(Q), Q) + \tilde\Theta\!\left(\frac{(Q+1)^2 (2\tau - 1)}{2^\kappa}\right) + \tilde\Theta\!\left((Q+1)^2 \left(\frac{n(n+1)}{2\tau}\right)^{\vartheta}\right) + \tilde\Theta\!\left((Q+1)^2\, q^{-\alpha}\right)$$
