MQ Signatures for PKI

Alan Szepieniec, Ward Beullens, Bart Preneel, June 2017 (PowerPoint presentation, 17 slides; the slide text below is deduplicated across build-up animations, each item keeping its slide number x/17)


  1. MQ Signatures for PKI, June 2017, Alan Szepieniec, Ward Beullens, Bart Preneel 1/17

  5. New Hope Key Exchange • Post-Quantum KX based on RLWE • USENIX 2016 • Facebook Internet Defense Prize • Google Experiment: a fraction of Chrome browsers use ECDH+NH \o/ 2/17

  7. Post-Quantum Key Exchange, passive adversary: Alice (secret $s_a$) sends $a$, Bob (secret $s_b$) sends $b$, and both derive the shared key $k$. A passive adversary sees only $a$ and $b$: $a, b \not\mapsto k$ 3/17

  12. Post-Quantum Key Exchange, active adversary: Alice ($s_a$, $pk_b$) and Bob ($s_b$, $pk_b$, $sk_b$). The man in the middle replaces $a$ by $a'$ and $b$ by $b'$, so Alice ends up with $k_a$ and Bob with $k_b$. How to kill MitM? Signatures, of course! Bob sends $b, \mathrm{sign}_{sk_b}(b)$ and Alice runs $\mathrm{vfy}(\cdot, \cdot, \cdot)$; the open question (???) is how Alice obtains an authentic $pk_b$, and the signatures must be post-quantum. 4/17

  24. Public Key Infrastructure (PKI): Alice, who knows the root key $pk_r$, receives the certificate chain $b, \mathrm{sign}_{sk_b}(b), pk_b, \mathrm{sign}_{sk_c}(pk_b), pk_c, \dots, \mathrm{sign}_{sk_r}(pk_q)$ and runs $\mathrm{vfy}(\cdot, \cdot, \cdot)$ on each link. Labels on the diagram: fast (vfy), fast (Alice); big, slow, small (certificate); desirable properties vs. acceptable drawbacks. Prime directive: minimize $|pk| + |sig|$ 5/17

  27. Post-Quantum Signature Schemes: a chart placing CFS, UOV, SPHINCS, BLISS, HFEv−, MQDSS and ECDSA (the rotated axis labels were lost in extraction), with two arrows, 1 and 2; arrow 2 is "this paper". Strategy: transform MQ-signature schemes to shrink $|pk| + |s|$ 6/17

  28. MQ Signature Schemes: public knowledge $P$; private knowledge $S, F, T$, where $P, F : \mathbb{F}_q^n \to \mathbb{F}_q^m$, $T, S \in GL(\mathbb{F}_q)$ and the signature is $s \in \mathbb{F}_q^n$. Signature generation uses $S, F, T$; signature verification: $P(s) \overset{?}{=} H(d)$ 7/17

  35. Transformation 8/17
     Step 1: replace $P(s) \overset{?}{=} H(d)$ with $tP(s) \overset{?}{=} tH(d)$ for $t \xleftarrow{\$} \mathbb{F}_q^{\alpha \times m}$; determine $t = H(s)$; transmit $R(x) = tP(x)$ with $s$ as part of the signature.
     Step 2: authenticate $R(x)$ using linearly homomorphic MACs.
       2a. define $\hat R(z), \hat P(z)$ with the same coefficients as $R(x), P(x)$
       2b. verify that $t\hat P(z) = \hat R(z)$ instead of $tP(x) = R(x)$ (the diagram commutes: $P(x) \xrightarrow{\text{MAC}} \hat P(z)$ and $R(x) \xrightarrow{\text{MAC}} \hat R(z)$, with multiplication by $t$ on both sides)
       2c. verify $t\hat P(z_i) = \hat R(z_i)$ in only $\vartheta$ randomly chosen points; determine $\{z_1, \dots, z_\vartheta\} = H(R(x))$
       2d. Merkleize all $\tau$ evaluations $\hat P(z_i)$
     New signature: $(s, R(x), \text{Merkle paths})$; new public key: Merkle root
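Steps 1 and 2a to 2c of the transformation as an added worked example in Python (written for this page, not the authors' code): a constructed toy MQ map over a prime field, the compressed signature $(s, R(x) = tP(x))$, and a verifier that checks $t\hat P(z_i) = \hat R(z_i)$ at hash-derived points, including a forged $R$ that passes the Step 1 check but fails the MAC check. The Merkle commitment of Step 2d is replaced by a dictionary of trusted $\hat P$ evaluations, and the parameter values, the SHA-256 counter XOF and the stand-in for $H(d)$ are assumptions.

```python
import hashlib, random

# Constructed toy parameters (not the paper's): MQ map P: F_q^n -> F_q^m and t in F_q^(alpha x m).
q, n, m, alpha = 2**31 - 1, 4, 3, 2
tau, theta = 16, 4                  # tau evaluation points committed, theta of them checked
NCOEF = n * (n + 1) // 2 + n + 1    # coefficients per quadratic polynomial (x_i x_j, x_i, 1)
def xof(data, count, mod):
    # toy hash-to-field elements: SHA-256 with a counter (an assumption made for this example)
    return [int.from_bytes(hashlib.sha256(data + k.to_bytes(4, "big")).digest(), "big") % mod
            for k in range(count)]
def eval_mq(polys, x):
    # evaluate multivariate quadratics at x; coefficient order: x_i x_j (i <= j), x_i, 1
    mons = [x[i] * x[j] for i in range(n) for j in range(i, n)] + list(x) + [1]
    return [sum(c * mo for c, mo in zip(p, mons)) % q for p in polys]
def eval_hat(coefs, z):
    # Step 2a: P-hat(z), the univariate polynomial with the same coefficients as P(x)
    return sum(c * pow(z, k, q) for k, c in enumerate(coefs)) % q
def hash_t(s):
    # Step 1: t = H(s), an alpha x m matrix over F_q
    v = xof(b"t|" + repr(s).encode(), alpha * m, q)
    return [v[i * m:(i + 1) * m] for i in range(alpha)]
def tmul(t, v):
    # multiply the alpha x m matrix t by a length-m vector over F_q
    return [sum(row[j] * v[j] for j in range(m)) % q for row in t]
def compress(P, s):
    # signer side of Step 1: send R(x) = t P(x) together with s instead of the full P
    t = hash_t(s)
    return s, [list(r) for r in zip(*[tmul(t, [P[j][k] for j in range(m)]) for k in range(NCOEF)])]
def verify(P_hat_at, s, R, target):
    # P_hat_at[z] = [P_hat_j(z)]; a real verifier only gets theta opened values with Merkle paths (2d)
    t = hash_t(s)
    if eval_mq(R, s) != tmul(t, target):         # Step 1: t P(s) == t H(d), using R(s) = t P(s)
        return False
    points = sorted(P_hat_at)
    for i in xof(b"z|" + repr(R).encode(), theta, tau):   # Step 2c: {z_i} = H(R(x))
        z = points[i]
        if tmul(t, P_hat_at[z]) != [eval_hat(r, z) for r in R]:   # Step 2b: t P-hat(z) == R-hat(z)
            return False
    return True

def demo():
    rnd = random.Random(1)
    P = [[rnd.randrange(q) for _ in range(NCOEF)] for _ in range(m)]
    P_hat_at = {z: [eval_hat(p, z) for p in P] for z in rnd.sample(range(1, q), tau)}
    s = [rnd.randrange(q) for _ in range(n)]
    target = eval_mq(P, s)   # stands in for H(d): the original scheme's trapdoor produced s
    s, R = compress(P, s)
    F = [r[:] for r in R]    # forgery: keep R(s) unchanged (Step 1 passes) but alter R_0's coefficients
    F[0][0], F[0][-1] = (F[0][0] + 1) % q, (F[0][-1] - s[0] * s[0]) % q   # +x_0^2 term, -s_0^2 constant
    return verify(P_hat_at, s, R, target), verify(P_hat_at, s, F, target)   # (True, False)
```

The forged $R_0$ agrees with the honest one at $s$ but is a different polynomial, so $\hat R_0(z)$ differs from $t\hat P(z)$ at all but a few points, which is exactly what the random-point MAC check of Step 2c catches.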

  36. Merkle Tree over the leaves $\hat P(z_1), \hat P(z_2), \dots, \hat P(z_\tau)$ 9/17

  38. Provable Security 10/17
     $$\mathrm{InSec}^{\mathrm{EUF\text{-}CMA}}_{\mathrm{NEW}}(t, Q) \le \underbrace{\mathrm{InSec}^{\mathrm{EUF\text{-}CMA}}_{\mathrm{ORIGINAL}}(t + O(Q), Q)}_{\text{original scheme}} + \underbrace{\frac{(Q+1)(2\tau - 1)}{2^\kappa}}_{\text{Merkle tree}} + \underbrace{(Q+1)\left(\frac{n(n+1)}{2\tau}\right)^{\vartheta}}_{\text{MAC polynomials}} + \underbrace{q^{-\alpha}(Q+1)}_{\text{lucky } s}$$

  39. Provable Security ... in the QROM 10/17
     $$\mathrm{InSec}^{\mathrm{EUF\text{-}CMA}}_{\mathrm{NEW}}(t, Q) \le \underbrace{\mathrm{InSec}^{\mathrm{EUF\text{-}CMA}}_{\mathrm{ORIGINAL}}(t + O(Q), Q)}_{\text{original scheme}} + \underbrace{\hat\Theta\!\left(\frac{(Q+1)^2 (2\tau - 1)}{2^\kappa}\right)}_{\text{Merkle tree}} + \underbrace{\hat\Theta\!\left((Q+1)^2 \left(\frac{n(n+1)}{2\tau}\right)^{\vartheta}\right)}_{\text{MAC polynomials}} + \underbrace{\hat\Theta\!\left(q^{-\alpha}(Q+1)^2\right)}_{\text{lucky } s}$$
