NEW NUMBER-THEORETIC CRYPTOGRAPHIC PRIMITIVES ric Brier Houda - PowerPoint PPT Presentation

Innovation Centre NEW NUMBER-THEORETIC CRYPTOGRAPHIC PRIMITIVES Éric Brier Houda Ferradi Marc Joye David Naccache NutMiC 2019 � Paris, June 24–27, 2019

THE ZOOLOGICAL COLLECTION OF SIGNATURE SCHEMES (1) The oldest and most known family comprises species based on the inversion of a one-way permutation Notable species belonging to this family: RSA, Rabin, Paillier, ... • Faithful, well-behaved, well understood, long history. .. c 2019 OneSpan Innovation Centre 2 Innovation Centre

THE ZOOLOGICAL COLLECTION OF SIGNATURE SCHEMES (2) Appeared in the late 1980’s. Derived from domesticated (non-interactivized) ZKPs using the Fiat–Shamir transform Notable species belonging to this family: Fiat–Shamir, Schnorr, (EC)DSA, ... • Faster, give you signatures because they consent to, bend muscles in silence (pre-computation) then perform a fast jump to sign. .. c 2019 OneSpan Innovation Centre 3 Innovation Centre

THE ZOOLOGICAL COLLECTION OF SIGNATURE SCHEMES (3) The pairing-based family appeared in the 2000’s Notable species belonging to this family: Boneh–Lynn–Shacham, Waters, ... • More clumsy maths, cute, robust, look good, popular... c 2019 OneSpan Innovation Centre 4 Innovation Centre

THE ZOOLOGICAL COLLECTION OF SIGNATURE SCHEMES (4) We also have a few lattice-based and coding-based schemes Containing species such as BLISS, RLWE-SIGN, NTRU-SIGN, Güneysu–Lyubashevsky–Pöppelmann, ... • Agile, post-quantum, rare, some seem to stink while still alive... c 2019 OneSpan Innovation Centre 5 Innovation Centre

THE ZOOLOGICAL COLLECTION OF SIGNATURE SCHEMES (5) We know one intriguing species based on p 2 q Called ESIGN • Very smart, first found in Japan c 2019 OneSpan Innovation Centre 6 Innovation Centre

THIS TALK INTRODUCES AN ODDITY c 2019 OneSpan Innovation Centre 7 Innovation Centre

THIS TALK INTRODUCES AN ODDITY • Thick fur to keep warm and dry under water • Electro-sensory system for underwater foraging • Snake-like venom released from back claws of males • A mammal laying eggs in underground burrows like reptiles. .. • Webbed feet for swimming like aquatic birds, toothless mouth and beak Platypus Signatures are prime numbers, works best modulo p r q , no known attacks � c 2019 OneSpan Innovation Centre 7 Innovation Centre

LET’S GET STARTED WITH DEFINITIONS Definition (Jacobi Imprint) n = ( n 0 , . . . , n k − 1 ) ∈ N k such that gcd( a , n i ) = 1 for 0 ≤ i ≤ k − 1, the For an integer a and � Jacobi imprint I � n ( a ) is given by k − 1 1 − � a � � a � � a � � n i 2 i where I � n ( a ) = = 2 n i n i i = 0 � a � a � a � a Remark: � = 0 if � = 1 and � = 1 if � = − 1 n i n i n i n i c 2019 OneSpan Innovation Centre 8 Innovation Centre

LET’S GET STARTED WITH DEFINITIONS Definition (Jacobi Imprint) n = ( n 0 , . . . , n k − 1 ) ∈ N k such that gcd( a , n i ) = 1 for 0 ≤ i ≤ k − 1, the For an integer a and � Jacobi imprint I � n ( a ) is given by k − 1 1 − � a � � a � � a � � n i 2 i where I � n ( a ) = = 2 n i n i i = 0 � a � a � a � a Remark: � = 0 if � = 1 and � = 1 if � = − 1 n i n i n i n i Facts 1 Factoring n i is not required for computing � a � n i 2 Legendre and Jacobi symbols coincide when n i ∈ P 3 Legendre symbol checks whether a is a square, but Jacobi symbol does not c 2019 OneSpan Innovation Centre 8 Innovation Centre

A NEW CANDIDATE ONE-WAY FUNCTION (1) q = ( q 0 , . . . , q k − 1 ) be a set of k distinct (odd) primes and let Q = � k − 1 Let � j = 0 q j Consider the function F 0 given by F 0 : D ⊂ Z ∗ Q → N , x �→ F 0 ( x ) = I � q ( x ) c 2019 OneSpan Innovation Centre 9 Innovation Centre

A NEW CANDIDATE ONE-WAY FUNCTION (1) q = ( q 0 , . . . , q k − 1 ) be a set of k distinct (odd) primes and let Q = � k − 1 Let � j = 0 q j Consider the function F 0 given by F 0 : D ⊂ Z ∗ Q → N , x �→ F 0 ( x ) = I � q ( x ) y i 2 i with ˆ y = � k − 1 Attack #1 Given ˆ y i ∈ { 0 , 1 } , do the following: i = 0 ˆ � r i 1 For 0 ≤ i ≤ k − 1, choose r i $ q i such that ← Z ∗ � = ˆ y i q i 2 Set x ← CRT ( � q ) where � r ,� r = ( r 0 , . . . , r k − 1 ) 3 Output x as a pre-image of ˆ y c 2019 OneSpan Innovation Centre 9 Innovation Centre

A NEW CANDIDATE ONE-WAY FUNCTION (1) q = ( q 0 , . . . , q k − 1 ) be a set of k distinct (odd) primes and let Q = � k − 1 Let � j = 0 q j Consider the function F 0 given by F 0 : D ⊂ Z ∗ Q → N , x �→ F 0 ( x ) = I � q ( x ) y i 2 i with ˆ y = � k − 1 Attack #1 Given ˆ y i ∈ { 0 , 1 } , do the following: i = 0 ˆ � r i 1 For 0 ≤ i ≤ k − 1, choose r i $ q i such that ← Z ∗ � = ˆ y i q i 2 Set x ← CRT ( � q ) where � r ,� r = ( r 0 , . . . , r k − 1 ) 3 Output x as a pre-image of ˆ y Solution: Restrict D to entries smaller than a given bound B c 2019 OneSpan Innovation Centre 9 Innovation Centre

A NEW CANDIDATE ONE-WAY FUNCTION (1) q = ( q 0 , . . . , q k − 1 ) be a set of k distinct (odd) primes and let Q = � k − 1 Let � j = 0 q j Consider the function F 0 given by F 0 : D ⊂ Z ∗ Q → N , x �→ F 0 ( x ) = I � q ( x ) F 0 induces a group homomorphism from to { 0 , 1 } k , ⊕ : � Z ∗ � � � Q , · ∀ x 1 , x 2 ∈ Z ∗ F 0 ( x 1 · x 2 mod Q ) = F 0 ( x 1 ) ⊕ F 0 ( x 2 ) , Q c 2019 OneSpan Innovation Centre 9 Innovation Centre

A NEW CANDIDATE ONE-WAY FUNCTION (1) q = ( q 0 , . . . , q k − 1 ) be a set of k distinct (odd) primes and let Q = � k − 1 Let � j = 0 q j Consider the function F 0 given by F 0 : D ⊂ Z ∗ Q → N , x �→ F 0 ( x ) = I � q ( x ) y i 2 i with ˆ y = � k − 1 Attack #2 Given ˆ y i ∈ { 0 , 1 } , do the following: i = 0 ˆ 1 Generate a set of ℓ “small” primes p i and compute z i = F 0 ( p i ) 2 Use linear algebra modulo 2 to find ε i ∈ { 0 , 1 } such that ˆ y = ε 1 z 1 ⊕ · · · ⊕ ε ℓ z ℓ 3 Output x = � p i as a pre-image of ˆ y 1 ≤ i ≤ ℓ ε i = 1 c 2019 OneSpan Innovation Centre 9 Innovation Centre

A NEW CANDIDATE ONE-WAY FUNCTION (1) q = ( q 0 , . . . , q k − 1 ) be a set of k distinct (odd) primes and let Q = � k − 1 Let � j = 0 q j Consider the function F 0 given by F 0 : D ⊂ Z ∗ Q → N , x �→ F 0 ( x ) = I � q ( x ) y i 2 i with ˆ y = � k − 1 Attack #2 Given ˆ y i ∈ { 0 , 1 } , do the following: i = 0 ˆ 1 Generate a set of ℓ “small” primes p i and compute z i = F 0 ( p i ) 2 Use linear algebra modulo 2 to find ε i ∈ { 0 , 1 } such that ˆ y = ε 1 z 1 ⊕ · · · ⊕ ε ℓ z ℓ 3 Output x = � p i as a pre-image of ˆ y 1 ≤ i ≤ ℓ ε i = 1 Solution: Restrict D to prime values c 2019 OneSpan Innovation Centre 9 Innovation Centre

A NEW CANDIDATE ONE-WAY FUNCTION (2) Let κ denote a security parameter. Let also k = k ( κ ) and ℓ = ℓ ( κ ) Define D = x ∈ P | x < 2 k ℓ � and � F 1 : D → N , x �→ F 1 ( x ) = I � n ( x ) n = ( n 0 , . . . , n k − 1 ) is a set of k pairwise co-prime moduli of the form n i = p i 2 q i for where � ℓ -bit primes p i and q i , 0 ≤ i ≤ k − 1 Assumption For every polynomial-time algorithm A , the success probability $ � � Pr ˆ ← D ; A ( F 1 (ˆ x )) = x | F 1 ( x ) = F 1 (ˆ x ) x is negligible c 2019 OneSpan Innovation Centre 10 Innovation Centre

SIGNATURES MODULO p 2 q Key generation Signer publishes k moduli n i = p i 2 q i . All secret factors (i.e., the p i ’s and q i ’s) are ℓ -bit long c 2019 OneSpan Innovation Centre 11 Innovation Centre

SIGNATURES MODULO p 2 q Key generation Signer publishes k moduli n i = p i 2 q i . All secret factors (i.e., the p i ’s and q i ’s) are ℓ -bit long Signing Signer hashes H ( m ) = ( h 0 , . . . , h k − 1 ) ∈ { 0 , 1 } k and picks k random ℓ -bit integers r i such that � r i � for 0 ≤ i ≤ k − 1 = h i , q i Next, signer generates at random u ∈ Z ∗ Q such that k − 1 q ) · u 2 mod Q � σ := CRT ( � where Q = r ,� ∈ P q i i = 0 c 2019 OneSpan Innovation Centre 11 Innovation Centre

SIGNATURES MODULO p 2 q Key generation Signer publishes k moduli n i = p i 2 q i . All secret factors (i.e., the p i ’s and q i ’s) are ℓ -bit long Signing Signer hashes H ( m ) = ( h 0 , . . . , h k − 1 ) ∈ { 0 , 1 } k and picks k random ℓ -bit integers r i such that � r i � for 0 ≤ i ≤ k − 1 = h i , q i Next, signer generates at random u ∈ Z ∗ Q such that k − 1 q ) · u 2 mod Q � σ := CRT ( � where Q = r ,� ∈ P q i i = 0 Verification To verify, check that (i) σ ∈ P , (ii) σ < 2 ℓ k (iii) I � n ( σ ) = H ( m ) c 2019 OneSpan Innovation Centre 11 Innovation Centre

TOY EXAMPLE ( k = 8) Picking the secret primes i = 0 i = 1 i = 2 i = 3 i = 4 i = 5 i = 6 i = 7 p i 59069 54139 52639 53813 49871 41269 53653 40361 q i 62989 32917 36583 48383 36653 34963 52517 38971 we have the public moduli n 0 = 219777865328629 n 1 = 096480757993357 n 2 = 101366529455143 n 3 = 140109376837127 n 4 = 091160286242573 n 5 = 059546546811643 n 6 = 151177768427453 n 7 = 063484161219691 and the value Q = � 7 i = 0 q i = 9625354820834308444301890854766785161 c 2019 OneSpan Innovation Centre 12 Innovation Centre