1/17

MQ Signatures for PKI

PQCrypto, June 2017

Alan Szepieniec, Ward Beullens, Bart Preneel


2/17

New Hope Key Exchange

• Post-Quantum KX based on RLWE
• USENIX 2016
• Facebook Internet Defense Prize
• Google Experiment: a fraction of Chrome browsers use ECDH+NH

\o/


3/17

Post-Quantum Key Exchange

[diagram: Alice holds secret $s_a$ and sends $a$; Bob holds secret $s_b$ and sends $b$; both derive the same key $k$]

Passive Adversary: $a, b \not\rightarrow k$


4/17

Post-Quantum Key Exchange

[diagram: Alice (secret $s_a$) and Bob (secret $s_b$) exchange $a$ and $b$; an active adversary replaces them with $a'$ and $b'$, so Alice ends up with $k_a$ and Bob with $k_b$, each shared with the adversary rather than with each other]

Active Adversary

How to kill MitM? Signatures, of course!

[diagram, continued: Bob additionally holds $(sk_b, pk_b)$ and sends $pk_b$ together with $\mathrm{sign}_{sk_b}(b)$; Alice runs $\mathrm{vfy}(\cdot, \cdot, \cdot)$, which must itself be post-quantum; the "???" on Alice's side is whatever she needs in order to trust that $pk_b$ is Bob's]


5/17

Public Key Infrastructure (PKI)

[diagram: Alice receives the certificate chain $b,\ \mathrm{sign}_{sk_b}(b),\ pk_b,\ \mathrm{sign}_{sk_c}(pk_b),\ pk_c,\ \dots,\ \mathrm{sign}_{sk_r}(pk_q)$, holds the root key $pk_r$, and runs $\mathrm{vfy}(\cdot, \cdot, \cdot)$ at every link; the chain of signed public keys is the certificate]

desirable properties: small public key and signature, fast verification
acceptable drawbacks: big secret key, slow signing

prime directive: minimize $|pk| + |sig|$


6/17

Post-Quantum Signature Schemes

[plot: public key size (x-axis) against signature size (y-axis), both on a bytes / kilobytes / megabytes scale; schemes plotted: ECDSA, BLISS, SPHINCS, MQDSS, UOV, HFEv−, CFS; arrows 1 and 2 mark where this paper moves the MQ schemes]

strategy: transform MQ-signature schemes to shrink $|pk| + |s|$

7/17

MQ Signature Schemes

[diagram: public map $P = T \circ F \circ S$; $S$, $F$ and $T$ are private knowledge, $P$ is public knowledge; signature generation walks the diagram backwards through $T^{-1}$, $F^{-1}$, $S^{-1}$, signature verification evaluates $P$]

$P, F : \mathbb{F}_q^n \to \mathbb{F}_q^m$, $\quad T, S \in \mathrm{GL}(\mathbb{F}_q)$

$s \in \mathbb{F}_q^n$

$\mathrm{vfy}: P(s) \stackrel{?}{=} H(d)$


8/17

Transformation

Step 1: replace $P(s) \stackrel{?}{=} H(d)$ with $tP(s) \stackrel{?}{=} tH(d)$ for $t \xleftarrow{\$} \mathbb{F}_q^{\alpha \times m}$
    determine $t = H(s)$
    transmit $R(x) = tP(x)$ with $s$ as part of the signature

Step 2: authenticate $R(x)$ using linearly homomorphic MACs
    2a. define $\hat R(z), \hat P(z)$ with the same coefficients as $R(x), P(x)$
    2b. verify that $t\hat P(z) = \hat R(z)$ instead of $tP(x) = R(x)$
        [diagram: commutative square with $P(x)$ and $tP(x)$ on the left, $\hat P(z)$ and $t\hat P(z)$ on the right; the horizontal arrows are the MAC (coefficients read as a univariate polynomial), the vertical arrows multiply by $t$]
    2c. verify $t\hat P(z_i) = \hat R(z_i)$ in only $\vartheta$ randomly chosen points
        determine $\{z_1, \dots, z_\vartheta\} = H(R(x))$
    2d. Merkleize all $\tau$ evaluations $\hat P(z_i)$

new signature: $(s, R(x), \text{Merkle paths})$; new public key: Merkle root
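The two slides above, as one runnable toy: an MQ scheme of the form $P = T \circ F \circ S$ (slide 7) and the transformation applied on top of it (slide 8). This is an added worked example, not code from the paper or the talk. Assumptions made here: the underlying scheme is a small UOV instance with $S = \begin{pmatrix} I & T \\ 0 & I \end{pmatrix}$ (a common UOV key format, chosen for brevity, not necessarily the one the authors use); the toy parameters $p = 251$, $v = 6$, $o = 3$, $\alpha = 1$, $\vartheta = 8$, $\tau = 256$ are constructed and give no real security; $\hat P$ and $\hat R$ are evaluated at points of $\mathbb{F}_{p^2}$ (this example's choice, so that $\tau$ can exceed the field size); SHA-256 and SHAKE-256 with domain-separation tags stand in for $H$; and the coefficient vector of a polynomial is the full $n \times n$ matrix of its quadratic form ($n^2$ coefficients rather than $n(n+1)/2$).

```python
import hashlib, secrets

# Toy parameters, constructed for this example; they give no real security.
p = 251                         # F_p with p = 3 mod 4, so F_{p^2} = F_p[i]/(i^2 + 1)
v, o = 6, 3                     # UOV vinegar/oil counts: n = v + o variables, m = o polynomials
n, m = v + o, o
alpha, theta, tau = 1, 8, 256   # rows of t, checked points, Merkle leaves (power of two, <= 256)
rnd = lambda: secrets.randbelow(p)
hsh = lambda *parts: hashlib.sha256(b"".join(parts)).digest()
H = lambda data, k: [b % p for b in hashlib.shake_256(data).digest(k)]   # hash to F_p^k (small bias, fine here)
coeffs = lambda M: [c for row in M for c in row]    # coefficient vector of one quadratic form
zpt = lambda j: ((j + 1) % p, (j + 1) // p)          # j-th evaluation point z_j in F_{p^2}, all distinct
enc = lambda vals: b"".join(bytes(x) for x in vals)  # encode a vector of F_{p^2} elements (entries < 256)

def matmul(A, B):
    return [[sum(a * b for a, b in zip(row, col)) % p for col in zip(*B)] for row in A]
def quad_eval(M, x):            # x^T M x over F_p: one polynomial of the system at x
    return sum(x[i] * M[i][j] * x[j] for i in range(n) for j in range(n)) % p
def ext_eval(cs, z):            # univariate polynomial with F_p coefficients at z in F_{p^2} (Horner)
    a = (0, 0)
    for c in reversed(cs):
        a = ((a[0] * z[0] - a[1] * z[1] + c) % p, (a[0] * z[1] + a[1] * z[0]) % p)
    return a

def solve(A, b):                # Gauss-Jordan over F_p; None when A is singular
    A, k = [row[:] + [bi] for row, bi in zip(A, b)], len(A)
    for c in range(k):
        piv = next((r for r in range(c, k) if A[r][c]), None)
        if piv is None: return None
        A[c], A[piv] = A[piv], A[c]
        A[c] = [x * pow(A[c][c], p - 2, p) % p for x in A[c]]
        for r in range(k):
            if r != c and A[r][c]:
                A[r] = [(x - A[r][c] * y) % p for x, y in zip(A[r], A[c])]
    return [row[k] for row in A]

# Original MQ scheme: UOV with S = [[I, T], [0, I]] and public key P_k = S^T F_k S.
def uov_keygen():
    T = [[rnd() for _ in range(o)] for _ in range(v)]
    S = [[int(i == j) for j in range(n)] for i in range(n)]
    for i in range(v): S[i][v:] = T[i]
    F = [[[rnd() if i <= j and i < v else 0 for j in range(n)] for i in range(n)] for _ in range(m)]
    return (T, F), [matmul(matmul([list(c) for c in zip(*S)], Fk), S) for Fk in F]

def uov_sign(sk, target):       # fix the vinegar values; the oil values then satisfy a linear system
    T, F = sk
    while True:
        yV = [rnd() for _ in range(v)]
        A = [[sum(yV[i] * Fk[i][v + j] for i in range(v)) % p for j in range(o)] for Fk in F]
        c = [sum(yV[i] * Fk[i][j] * yV[j] for i in range(v) for j in range(v)) % p for Fk in F]
        yO = solve(A, [(tk - ck) % p for tk, ck in zip(target, c)])
        if yO is not None:      # x = S^{-1} y for y = (yV, yO)
            return [(yV[i] - sum(T[i][j] * yO[j] for j in range(o))) % p for i in range(v)] + yO

# Transformation: new public key = Merkle root over all P̂(z_j); new signature = (s, R(x), opened leaves).
def merkle(leaves):             # levels[0] = leaf hashes, levels[-1][0] = root
    levels = [[hsh(b"leaf", enc(l)) for l in leaves]]
    while len(levels[-1]) > 1:
        lvl = levels[-1]
        levels.append([hsh(b"node", lvl[i], lvl[i + 1]) for i in range(0, len(lvl), 2)])
    return levels

def merkle_root(leaf, idx, path):
    h = hsh(b"leaf", enc(leaf))
    for sib in path:
        h, idx = (hsh(b"node", sib, h) if idx & 1 else hsh(b"node", h, sib)), idx // 2
    return h

def derive_t(s):                # Step 1: t = H(s), an alpha x m matrix over F_p
    h = H(b"t" + bytes(s), alpha * m)
    return [h[k * m:(k + 1) * m] for k in range(alpha)]

def derive_points(R):           # Step 2c: theta leaf indices {z_1, ..., z_theta} = H(R(x))
    return [b % tau for b in hashlib.shake_256(b"z" + b"".join(bytes(coeffs(Rk)) for Rk in R)).digest(theta)]

def new_keygen():
    sk, P = uov_keygen()
    leaves = [[ext_eval(coeffs(Pk), zpt(j)) for Pk in P] for j in range(tau)]   # all tau values P̂(z_j)
    levels = merkle(leaves)
    return (sk, P, leaves, levels), levels[-1][0]

def new_sign(sk_new, d):
    sk, P, leaves, levels = sk_new
    s = uov_sign(sk, H(d, m))   # original signature: P(s) = H(d)
    t = derive_t(s)
    R = [[[sum(t[k][l] * P[l][i][j] for l in range(m)) % p for j in range(n)] for i in range(n)] for k in range(alpha)]
    opened = [(j, leaves[j], [levels[h][(j >> h) ^ 1] for h in range(len(levels) - 1)]) for j in derive_points(R)]
    return s, R, opened         # R(x) = tP(x): alpha polynomials instead of m, plus theta opened leaves

def new_verify(root, d, sig):
    s, R, opened = sig
    t, y = derive_t(s), H(d, m)
    if len(R) != alpha or [j for j, _, _ in opened] != derive_points(R): return False   # leaves must be the ones R(x) selects
    if any(quad_eval(Rk, s) != sum(t[k][l] * y[l] for l in range(m)) % p for k, Rk in enumerate(R)): return False  # Step 1: R(s) = tH(d)
    for j, leaf, path in opened:
        if merkle_root(leaf, j, path) != root: return False   # Step 2d: P̂(z_j) is not under the public key
        for k, Rk in enumerate(R):                            # Step 2b/2c: t P̂(z_j) == R̂(z_j) at the chosen point
            lhs = tuple(sum(t[k][l] * leaf[l][c] for l in range(m)) % p for c in range(2))
            if lhs != ext_eval(coeffs(Rk), zpt(j)): return False
    return True
```

`new_keygen` computes the $\tau$ evaluations and the tree once; `new_sign` opens the $\vartheta$ leaves selected by $H(R(x))$; `new_verify` recomputes $t$ and the indices, checks $R(s) = tH(d)$, the Merkle paths, and $t\hat P(z_j) = \hat R(z_j)$. The verifier never sees $P$: it only learns the $\alpha$ polynomials of $R$ and $\vartheta$ leaf values, which is where the size reduction comes from. A cheating $R \ne tP$ differs from $tP$ in a nonzero univariate polynomial of degree below $n^2$, which has fewer than $n^2$ roots, so each checked point misses it with probability at most $(n^2 - 1)/\tau$; at these toy sizes that is about $0.31$ per point (about $10^{-4}$ over eight points), which is why the real parameters on slide 11 use $\tau = 2^{20}$.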

9/17

Merkle Tree

[diagram: Merkle tree whose leaves are the evaluations $\hat P(z_1), \hat P(z_2), \dots, \hat P(z_\tau)$; its root is the new public key]


10/17

Provable Security

$$\mathrm{InSec}^{\mathrm{EUF\text{-}CMA}}_{\mathrm{NEW}}(t, Q) \le \underbrace{\mathrm{InSec}^{\mathrm{EUF\text{-}CMA}}_{\mathrm{ORIGINAL}}(t + O(Q), Q)}_{\text{original scheme}} + \underbrace{(2\tau - 1)\,\frac{Q + 1}{2^{\kappa}}}_{\text{Merkle tree}} + \underbrace{\left(\frac{n(n+1)}{2\tau}\right)^{\vartheta} (Q + 1)}_{\text{MAC polynomials}} + \underbrace{q^{-\alpha}\,(Q + 1)}_{\text{lucky } s}$$

... in the QROM: the same shape of bound with $Q$ read as the number of quantum queries $\hat Q$, and the three $(Q+1)$ factors replaced by terms $\Theta((\cdot)^2)$, i.e. quadratic in $\hat Q$

11/17

Example Parameters

scheme          parameters                                       sec. lvl.   |pk|        |s|
UOVrand         q = 256, n = 135, m = 45                         128         45.5 kB     1 080 bits
  transformed   α = 16, ϑ = 12, τ = 2^20                         128         256 bits    21.3 kB
UOVrand         q = 256, n = 210, m = 70                         192         169.9 kB    1 680 bits
  transformed   α = 24, ϑ = 19, τ = 2^20                         192         384 bits    70.4 kB
UOVrand         q = 256, n = 285, m = 95                         256         423.0 kB    2 280 bits
  transformed   α = 32, ϑ = 28, τ = 2^20                         256         512 bits    166.3 kB


12/17

Improvement

• idea: use multiple signatures
• $s_1, \dots, s_\sigma$ such that $P(s_i) = H(d \| i)$
• ... reduce $\alpha$ $\longrightarrow$ fewer polynomials in $R$
• $|s_i| = n \log_2 q$ whereas $|R_i(x)| = \frac{n(n+1)}{2} \log_2 q$
• $q^{\alpha} > 2^{\kappa}$ becomes $q^{\alpha\sigma} > 2^{\kappa}$


13/17

Security Proof Fails

$$\mathrm{InSec}^{\mathrm{EUF\text{-}CMA}}_{\mathrm{NEW}}(t, Q) \le \underbrace{\mathrm{InSec}^{\mathrm{EUF\text{-}CMA}}_{\mathrm{ORIGINAL}}(t + O(Q), Q)}_{\text{original scheme}} + \underbrace{(2\tau - 1)\,\frac{Q + 1}{2^{\kappa}}}_{\text{Merkle tree}} + \underbrace{\left(\frac{n(n+1)}{2\tau}\right)^{\vartheta} (Q + 1)}_{\text{MAC polynomials}} + \underbrace{q^{-\sigma\alpha}\,(Q + 1)}_{\text{lucky } s}$$

rows of $t$ are independent events ...

... but $s_i$ are not!


14/17

Low-Dim Errors

• find $s_1, \dots, s_\sigma$ such that $\forall i.\ tP(s_i) = tH(d \| i)$
• model $t \leftarrow H(d \| s_1 \| \cdots \| s_\sigma)$ as $t \xleftarrow{\$} \mathbb{F}_q^{\alpha \times m}$
• works if $0 \ne P(s_i) - H(d \| i) \in \ker t$
• error space is low-dimensional $\Longrightarrow$ high success probability


15/17

AMQ Problem

Definition (AMQ Problem, Approximate Multivariate Quadratic)
    Given: $P : \mathbb{F}_q^n \to \mathbb{F}_q^m$; $\ y_1, \dots, y_\sigma \in \mathbb{F}_q^m$
    Find: $x_1, \dots, x_\sigma \in \mathbb{F}_q^n$
    Such that: $\dim \langle \{P(x_i) - y_i\}_i \rangle \le r$

• exhaustive search: $O(q^{m-r})$; Grover: $O(q^{(m-r)/2})$
• $\mathrm{AMQ}[m, n, \sigma, r] \le \sigma \cdot \mathrm{MQ}[m - r, n]$
• $\mathrm{AMQ}[m, n, \sigma, r] \le \mathrm{AMQ}[m, n, \sigma + 1, r]$ (gets harder with $\sigma$)
• $\mathrm{AMQ}[m, n, \sigma, r + 1] \le \mathrm{AMQ}[m, n, \sigma, r]$ (gets easier with $r$)
• $\mathrm{AMQ}[m, n, \sigma = 1, r = 0] = \mathrm{MQ}[m, n]$
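The low-dimensional-error observation of slides 13 and 14 and the reduction $\mathrm{AMQ}[m,n,\sigma,r] \le \sigma \cdot \mathrm{MQ}[m-r,n]$ of slide 15, as one added worked example (not code from the paper or the talk). The reasoning it checks numerically: for a fixed $r$-dimensional error space $E$, each of the $\alpha$ rows of $t$ is orthogonal to $E$ with probability $q^{-r}$, independently of the other rows, so $\Pr[E \subseteq \ker t] = q^{-\alpha r}$ regardless of $\sigma$; the $\sigma$ events $tP(s_i) = tH(d\|i)$ are not independent once the errors share a subspace. Everything here is constructed: the field and sizes ($q = 3$, $n = 4$, $m = 3$, $\sigma = 3$, $\alpha = 2$, $r = 1$), the seed, the targets standing in for $H(d \| i)$, and the choice of $E$ as the span of the first $r$ unit vectors (so "equal modulo $E$" means the last $m - r$ coordinates agree). Exhaustive search stands in for an MQ solver and only works at this toy size.

```python
import random
from itertools import product

# Toy sizes, constructed for this example: q^n = 81 candidate inputs, m - r = 2 equations to satisfy.
q, n, m = 3, 4, 3          # field and MQ sizes
sigma, alpha, r = 3, 2, 1  # targets (signatures), rows of t, dimension of the chosen error space
rng = random.Random(2024)  # fixed seed so the run is reproducible

def rand_mq():             # m random upper-triangular quadratic forms over F_q
    return [[[rng.randrange(q) if i <= j else 0 for j in range(n)] for i in range(n)] for _ in range(m)]

def mq_eval(P, x):         # P(x) in F_q^m
    return [sum(x[i] * M[i][j] * x[j] for i in range(n) for j in range(n)) % q for M in P]

def rank(vectors):         # rank of a list of vectors in F_q^m (q prime) by elimination
    rows, rk = [v[:] for v in vectors], 0
    for c in range(m):
        piv = next((i for i in range(rk, len(rows)) if rows[i][c]), None)
        if piv is None: continue
        rows[rk], rows[piv] = rows[piv], rows[rk]
        rows[rk] = [a * pow(rows[rk][c], q - 2, q) % q for a in rows[rk]]
        for i in range(len(rows)):
            if i != rk and rows[i][c]:
                rows[i] = [(a - rows[i][c] * b) % q for a, b in zip(rows[i], rows[rk])]
        rk += 1
    return rk

def amq_solve(P, ys):
    """AMQ[m, n, sigma, r] via sigma * MQ[m - r, n]: with E = span of the first r unit vectors,
    P(x) = y modulo E only constrains coordinates r..m-1, an MQ instance with m - r equations."""
    xs = []
    for y in ys:
        for x in product(range(q), repeat=n):   # exhaustive search stands in for an MQ solver (toy size only)
            if mq_eval(P, x)[r:] == y[r:]:
                xs.append(list(x)); break
        else:
            raise RuntimeError("no solution modulo E for this target")
    return xs

def forgery_fraction(P, ys, xs):
    """Exact probability over t <- F_q^{alpha x m} that t P(x_i) = t y_i holds for every i,
    i.e. that every error P(x_i) - y_i lies in ker t; also returns the dimension of the error space."""
    errs = [[(a - b) % q for a, b in zip(mq_eval(P, x), y)] for x, y in zip(xs, ys)]
    hits = total = 0
    for t in product(range(q), repeat=alpha * m):
        rows = [t[k * m:(k + 1) * m] for k in range(alpha)]
        total += 1
        hits += all(sum(tk * ek for tk, ek in zip(row, err)) % q == 0 for row in rows for err in errs)
    return hits / total, rank(errs)

P = rand_mq()
targets = [[rng.randrange(q) for _ in range(m)] for _ in range(sigma)]   # stands in for H(d || i)
```

Running `amq_solve(P, targets)` followed by `forgery_fraction(P, targets, xs)` returns a fraction equal to $q^{-\alpha \cdot \dim E}$, here $3^{-2} = 1/9$ when the three errors span a line (or $1$ if the search happened to hit all three targets exactly), against the $q^{-\sigma\alpha} = 3^{-6}$ that the bound on slide 13 would assign to the "lucky $s$" term. That gap is the whole reason the multi-signature variant has to fall back on the AMQ assumption.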

16/17

Example Parameters

scheme              parameters                                   sec. lvl.     |pk|        |s|
original HFEv−      q = 2, n = 98, m = 90                        80            56.8 kB     98 bits
  transformed       α = 1, σ = 80, ϑ = 7, τ = 2^20               80 ?          80 bits     4.4 kB
original HFEv−      q = 2, n = 133, m = 123                      120           139.2 kB    123 bits
  transformed       α = 1, σ = 120, ϑ = 11, τ = 2^20             120 ?         120 bits    9.4 kB
original HFEv−      q = 4, n = 141, m = 129                      128 (PQ)      288.4 kB    258 bits
  transformed       α = 1, σ = 64, ϑ = 13, τ = 2^20              128 ? (PQ)    256 bits    16.5 kB

? : conjectured security level; with σ > 1 the proof of slide 13 no longer applies and the level relies on the hardness of the AMQ problem