1/17
MQ Signatures for PKI
June 2017
Alan Szepieniec, Ward Beullens, Bart Preneel
2/17
New Hope Key Exchange
- Post-Quantum KX based on RLWE
- USENIX 2016
- Facebook Internet Defense Prize
- Google Experiment
- fraction of Chrome browsers use ECDH+NH
\o/
3/17
Post-Quantum Key Exchange
Alice (secret s_a) sends a, Bob (secret s_b) sends b; both derive the same key k.
Passive adversary: sees a and b; computing k from (a, b) must be infeasible.
4/17
Post-Quantum Key Exchange
Active adversary: Alice (secret s_a) sends a, the adversary forwards a′; Bob (secret s_b) sends b, the adversary forwards b′. Alice ends up sharing k_a with the adversary, and Bob shares k_b with the adversary.
How to kill MitM? Signatures, of course!
Bob generates (sk_b, pk_b) and sends pk_b together with sign_{sk_b}(b); Alice runs vfy(·, ·, ·). Open question (???): what tells Alice that pk_b really belongs to Bob?
Requirement: the signature scheme must itself be post-quantum.
5/17
Public Key Infrastructure (PKI)
Alice receives b, sign_{sk_b}(b), pk_b, sign_{sk_c}(pk_b), pk_c, . . . , sign_{sk_r}(pk_q); she trusts pk_r and runs vfy(·, ·, ·) along the chain. The chain pk_b, sign_{sk_c}(pk_b), pk_c, . . . is the certificate.
desirable properties vs. acceptable drawbacks: two-column table; only the cells "big", "fast", "fast", "slow", "small" survived extraction, their row labels did not.
prime directive: minimize |pk| + |sig|
6/17
Post-Quantum Signature Schemes
[Figure: public key size (bytes to megabytes) plotted against signature size (bytes to megabytes) for ECDSA, BLISS, SPHINCS, MQDSS, UOV, HFEv−, CFS; annotations 1, 2 and "this paper" mark where the transformed schemes land.]
strategy: transform MQ-signature schemes to shrink |pk| + |s|
7/17
MQ Signature Schemes
P = T ∘ F ∘ S
- public knowledge: P
- private knowledge: S, F, T
- P, F : F_q^n → F_q^m; T, S ∈ GL(F_q)
- signature generation: uses the private S, F, T to produce s ∈ F_q^n
- signature verification: vfy : P(s) =? H(d)
8/17
Transformation
Step 1: replace P(s) =? H(d) with tP(s) =? tH(d) for t ←$ F_q^{α×m}
- determine t = H(s)
- transmit R(x) = tP(x) with s as part of the signature
Step 2: authenticate R(x) using linearly homomorphic MACs
- 2a. define R̂(z), P̂(z): univariate polynomials with the same coefficients as R(x), P(x)
- 2b. verify that tP̂(z) = R̂(z) instead of tP(x) = R(x)
  (diagram: P(x) ↦ P̂(z) and tP(x) ↦ tP̂(z) are the MACs; multiplication by t commutes with taking the hat)
- 2c. verify tP̂(z_i) = R̂(z_i) in only ϑ randomly chosen points; determine {z_1, . . . , z_ϑ} = H(R(x))
- 2d. Merkleize all τ evaluations P̂(z_i)
new signature: (s, R(x), Merkle paths)
new public key: Merkle root
9/17
Merkle Tree
leaves: P̂(z_1), P̂(z_2), · · · , P̂(z_τ); the root is the new public key
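The following is an added example, not code from the slides or from the authors: steps 1 through 2d and the Merkle tree of slide 9, implemented around a toy MQ public map over F_q (q = 251, n = 6, m = 4, α = 2, ϑ = 3, τ = 8 leaves; Python ints mod q). The inner trapdoor (S, F, T) is out of scope, so a valid inner signature is obtained by choosing s first and taking P(s) as the digest H(d). The hash-to-field construction, the fixed public leaf points z_i = 1..τ and the leaf/node hashing are assumptions of this example. The demo also runs the forgery the MAC exists for: an R′ ≠ tP that agrees with tP at s, so it passes the step-1 check and is caught only by the spot checks of 2b-2d.

```python
# Added example (not the slides' code): the MQ-signature transformation on a toy map over F_q.
# Inner trapdoor out of scope: s is chosen first, digest := P(s). Parameters are illustrative.
import hashlib
import random

Q, N_VARS, M_EQS = 251, 6, 4       # toy F_q, n, m
ALPHA, THETA, TAU = 2, 3, 8        # rows of t, spot checks, Merkle leaves (slides use 2^20)
MONOS = [(i, j) for i in range(N_VARS) for j in range(i, N_VARS)]  # monomials x_i x_j, i <= j
LEAF_POINTS = list(range(1, TAU + 1))   # assumed public evaluation points z_1..z_tau

def ser(vec):
    return b"".join(int(v).to_bytes(2, "big") for v in vec)

def xof_field(tag, data, count):
    """Hash to count elements of F_q by rejection sampling on SHAKE-256 output (assumption)."""
    raw = hashlib.shake_256(tag + data).digest(8 * count + 64)
    return [b for b in raw if b < Q][:count]

def eval_map(polys, x):
    """P(x): every row of polys is a coefficient vector over MONOS."""
    mx = [x[i] * x[j] % Q for (i, j) in MONOS]
    return [sum(c * v for c, v in zip(row, mx)) % Q for row in polys]

def eval_hat(polys, z):
    """P_hat(z): univariate polynomials with the same coefficients (step 2a)."""
    return [sum(c * pow(z, j, Q) for j, c in enumerate(row)) % Q for row in polys]

def mat_vec(t, y):
    return [sum(a * b for a, b in zip(row, y)) % Q for row in t]

def mat_polys(t, polys):
    """R(x) = t P(x): rows of R are F_q-linear combinations of the rows of P."""
    return [[sum(t[a][k] * polys[k][j] for k in range(M_EQS)) % Q
             for j in range(len(MONOS))] for a in range(ALPHA)]

def sha(*parts):
    return hashlib.sha256(b"".join(parts)).digest()

def merkle_levels(leaves):
    levels = [[sha(b"leaf", ser(v)) for v in leaves]]
    while len(levels[-1]) > 1:
        lv = levels[-1]
        levels.append([sha(b"node", lv[i], lv[i + 1]) for i in range(0, len(lv), 2)])
    return levels

def merkle_path(levels, idx):
    path = []
    for lv in levels[:-1]:
        path.append(lv[idx ^ 1])
        idx //= 2
    return path

def merkle_verify(root, idx, leaf, path):
    h = sha(b"leaf", ser(leaf))
    for sib in path:
        h = sha(b"node", h, sib) if idx % 2 == 0 else sha(b"node", sib, h)
        idx //= 2
    return h == root

def derive_t(s):
    """t = H(s) in F_q^{alpha x m} (step 1)."""
    flat = xof_field(b"t", ser(s), ALPHA * M_EQS)
    return [flat[a * M_EQS:(a + 1) * M_EQS] for a in range(ALPHA)]

def derive_indices(R):
    """{z_1..z_theta} = H(R(x)), as indices into the tau leaves (step 2c)."""
    raw = hashlib.shake_256(b"idx" + b"".join(ser(r) for r in R)).digest(2 * THETA)
    return [int.from_bytes(raw[2 * i:2 * i + 2], "big") % TAU for i in range(THETA)]

def new_keygen(rng):
    """Inner pk P is random here (no trapdoor); new pk = Merkle root over P_hat(z_i) (step 2d)."""
    P = [[rng.randrange(Q) for _ in MONOS] for _ in range(M_EQS)]
    levels = merkle_levels([eval_hat(P, z) for z in LEAF_POINTS])
    return P, levels, levels[-1][0]

def openings_for(P, levels, R):
    return [(i, eval_hat(P, LEAF_POINTS[i]), merkle_path(levels, i)) for i in derive_indices(R)]

def new_sign(P, levels, s):
    """New signature: (s, R(x), Merkle openings of the theta spot-checked leaves)."""
    R = mat_polys(derive_t(s), P)
    return s, R, openings_for(P, levels, R)

def new_verify(root, digest, sig):
    s, R, openings = sig
    t = derive_t(s)
    if eval_map(R, s) != mat_vec(t, digest):         # step 1: tP(s) =? tH(d), using R(s) = tP(s)
        return False
    if [i for i, _, _ in openings] != derive_indices(R):
        return False
    for i, leaf, path in openings:                   # steps 2b-2d: leaf authenticated, then MAC check
        if not merkle_verify(root, i, leaf, path) or mat_vec(t, leaf) != eval_hat(R, LEAF_POINTS[i]):
            return False
    return True

def demo():
    P, levels, root = new_keygen(random.Random(1))
    s = [3, 1, 4, 1, 5, 9]                   # stand-in inner signature; digest := P(s)
    digest = eval_map(P, s)
    sig = new_sign(P, levels, s)
    # Forgery: R' = R + D with D = s1*x0^2 - s0*x0*x1, so D(s) = 0 and step 1 still passes,
    # but D_hat(z) = 1 - 3z vanishes only at z = 84, never at a leaf point: the MAC check fails.
    # The forger reuses honest leaves/paths (learnable from earlier signatures).
    R_bad = [row[:] for row in sig[1]]
    R_bad[0][0] = (R_bad[0][0] + s[1]) % Q   # coefficient of x0^2
    R_bad[0][1] = (R_bad[0][1] - s[0]) % Q   # coefficient of x0*x1
    forged = (s, R_bad, openings_for(P, levels, R_bad))
    return new_verify(root, digest, sig), new_verify(root, digest, forged)
```

Running demo() returns (True, False): the honest signature verifies, the forged R′ is rejected. Note what the verifier never sees: P itself. It reconstructs t from s, checks R against the digest at the single point s, and trusts R as a description of tP only because the ϑ hashed-in spot checks agree with Merkle-authenticated evaluations of P̂.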
10/17
Provable Security
$$\mathrm{InSec}^{\mathrm{EUF\text{-}CMA}}_{\mathrm{NEW}}(t, Q) \;\le\; \mathrm{InSec}^{\mathrm{EUF\text{-}CMA}}_{\mathrm{ORIGINAL}}(t + O(Q), Q) \;+\; (2\tau - 1)\,\frac{Q+1}{2^{\kappa}} \;+\; \left(\frac{n(n+1)}{2\tau}\right)^{\vartheta}(Q+1) \;+\; q^{-\alpha}(Q+1)$$
terms, left to right: original scheme | Merkle tree | MAC polynomials | lucky s
... in the QROM: same shape, with the Merkle-tree, MAC-polynomial and lucky-s terms each replaced by a Θ((·)²) version (the exact expressions did not survive extraction)
11/17
Example Parameters
scheme      | parameters                  | sec. lvl. | size of pk | size of s
UOV_rand    | q = 256, n = 135, m = 45    | 128       | 45.5 kB    | 1080 bits
transformed | α = 16, ϑ = 12, τ = 2^20    | 128       | 256 bits   | 21.3 kB
UOV_rand    | q = 256, n = 210, m = 70    | 192       | 169.9 kB   | 1680 bits
transformed | α = 24, ϑ = 19, τ = 2^20    | 192       | 384 bits   | 70.4 kB
UOV_rand    | q = 256, n = 285, m = 95    | 256       | 423.0 kB   | 2280 bits
transformed | α = 32, ϑ = 28, τ = 2^20    | 256       | 512 bits   | 166.3 kB
12/17
Improvement
- idea: use multiple signatures s_1, . . . , s_σ such that P(s_i) = H(d_i)
- ... reduce α → fewer polynomials in R
- |s_i| = n log_2 q whereas |R_i(x)| = (n(n+1)/2) log_2 q
- the requirement q^α > 2^κ becomes q^{ασ} > 2^κ
13/17
Security Proof Fails
$$\mathrm{InSec}^{\mathrm{EUF\text{-}CMA}}_{\mathrm{NEW}}(t, Q) \;\le\; \mathrm{InSec}^{\mathrm{EUF\text{-}CMA}}_{\mathrm{ORIGINAL}}(t + O(Q), Q) \;+\; (2\tau - 1)\,\frac{Q+1}{2^{\kappa}} \;+\; \left(\frac{n(n+1)}{2\tau}\right)^{\vartheta}(Q+1) \;+\; q^{-\sigma\alpha}(Q+1)$$
terms, left to right: original scheme | Merkle tree | MAC polynomials | lucky s (QROM Θ((·)²) annotations as on slide 10)
rows of t are independent events ...
... but s_i are not!
14/17
Low-Dim Errors
- find s_1, . . . , s_σ such that ∀i . tP(s_i) = tH(d_i)
- model t ← H(d ‖ s_1 ‖ · · · ‖ s_σ) as t ←$ F_q^{α×m}
- works if P(s_i) − H(d_i) ∈ ker t; the errors P(s_i) − H(d_i) need not be 0
- error space is low-dim ⇒ high success probability
15/17
AMQ Problem Definition
AMQ Problem (Approximate Multivariate Quadratic).
Given: P : F_q^n → F_q^m; y_1, . . . , y_σ ∈ F_q^m
Find: x_1, . . . , x_σ ∈ F_q^n
Such that: dim {P(x_i) − y_i}_i ≤ r
- exhaustive search: O(q^{m−r}); Grover: O(q^{(m−r)/2})
- AMQ[m, n, σ, r] ≤ σ · MQ[m − r, n]
- AMQ[m, n, σ, r] ≤ AMQ[m, n, σ + 1, r] (gets harder with σ)
- AMQ[m, n, σ, r + 1] ≤ AMQ[m, n, σ, r] (gets easier with r)
- AMQ[m, n, σ = 1, r = 0] = MQ[m, n]
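An added example (not from the slides) working the low-dimensional-error strategy of slides 13 to 15 on a toy quadratic map over F_2 with n = 10, m = 8, σ = 6, r = 2, α = 1. It follows the reduction AMQ[m, n, σ, r] ≤ σ · MQ[m − r, n]: each of the σ sub-instances is solved as an MQ[m − r, n] instance by brute force over the 2^n inputs, forcing every error P(x_i) − y_i into the span of the last r coordinates; the dimension of the error space is then checked by GF(2) rank, and a Monte Carlo over random t ∈ F_2^{α×m} (the model for t = H(d ‖ s_1 ‖ · · · ‖ s_σ)) measures how often all errors fall in ker t. The map P and the targets y_i are constructed random stand-ins; vectors over F_2 are Python ints with bit i as coordinate i.

```python
# Added example (not the slides' code): low-dim-error forgery on a toy MQ map over F_2,
# via AMQ[m,n,sigma,r] <= sigma * MQ[m-r,n]. Vectors are ints, bit i = coordinate i.
import random

N, M = 10, 8                 # P : F_2^n -> F_2^m (toy)
SIGMA, R, ALPHA = 6, 2, 1    # sigma targets, error-rank budget r, alpha rows of t
MONOS = [(i, j) for i in range(N) for j in range(i, N)]   # x_i x_j, i <= j (x_i^2 = x_i over F_2)

def rand_map(rng):
    """m random quadratic polys; bit k of a poly is the coefficient of MONOS[k] (constructed)."""
    return [rng.getrandbits(len(MONOS)) for _ in range(M)]

def eval_map(P, x):
    """P(x) as an m-bit int for an n-bit input x."""
    y = 0
    for k, poly in enumerate(P):
        bit = 0
        for idx, (i, j) in enumerate(MONOS):
            bit ^= (poly >> idx) & (x >> i) & (x >> j) & 1
        y |= bit << k
    return y

def solve_mq_truncated(P, y, keep):
    """Brute-force MQ[keep, n]: an x whose first `keep` output coordinates match y."""
    mask = (1 << keep) - 1
    for x in range(1 << N):
        if (eval_map(P, x) ^ y) & mask == 0:
            return x
    raise ValueError("no solution for this target")

def gf2_rank(vectors):
    """dim of the span of F_2 vectors (ints) by Gaussian elimination on leading bits."""
    pivots = {}
    for v in vectors:
        while v:
            hb = v.bit_length() - 1
            if hb in pivots:
                v ^= pivots[hb]
            else:
                pivots[hb] = v
                break
    return len(pivots)

def amq_solve(P, targets, r):
    """AMQ instance: x_i with dim{P(x_i) - y_i} <= r, via sigma calls to MQ[m - r, n].
    Matching the first m - r coordinates confines every error to the last r coordinates."""
    xs = [solve_mq_truncated(P, y, M - r) for y in targets]
    errs = [eval_map(P, x) ^ y for x, y in zip(xs, targets)]
    return xs, errs

def lucky_t_probability(errs, trials, rng):
    """Fraction of random t in F_2^{alpha x m} with every error in ker t, i.e. forgery accepted."""
    hits = 0
    for _ in range(trials):
        t = [rng.getrandbits(M) for _ in range(ALPHA)]
        if all(bin(row & e).count("1") % 2 == 0 for row in t for e in errs):
            hits += 1
    return hits / trials

def demo(trials=20000):
    rng = random.Random(7)
    P = rand_map(rng)
    targets = [rng.getrandbits(M) for _ in range(SIGMA)]   # constructed stand-ins for H(d_i)
    xs, errs = amq_solve(P, targets, R)
    dim = gf2_rank(errs)
    return {
        "error_dim": dim,                                   # <= r by construction
        "empirical": lucky_t_probability(errs, trials, rng),
        "predicted": 2.0 ** (-ALPHA * dim),                 # q^(-alpha * dim): what actually holds
        "proof_assumed": 2.0 ** (-ALPHA * SIGMA),           # q^(-alpha * sigma): independent-error assumption
    }
```

With dim ≤ r = 2 the empirical acceptance rate sits near 2^{−α·dim} = 1/4, not at the 2^{−ασ} = 1/64 the independence argument would give: the σ errors are chosen together, so the α rows of t only need to annihilate an r-dimensional space. Exhaustive search for each sub-instance costs O(q^{m−r}) rather than O(q^m), matching the first bullet on slide 15.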
16/17
Example Parameters
scheme         | parameters                          | sec. lvl.  | size of pk | size of s
original HFEv− | q = 2, n = 98, m = 90               | 80         | 56.8 kB    | 98 bits
transformed    | α = 1, σ = 80, ϑ = 7, τ = 2^20      | 80 ?       | 80 bits    | 4.4 kB
original HFEv− | q = 2, n = 133, m = 123             | 120        | 139.2 kB   | 123 bits
transformed    | α = 1, σ = 120, ϑ = 11, τ = 2^20    | 120 ?      | 120 bits   | 9.4 kB
original HFEv− | q = 4, n = 141, m = 129             | 128 (PQ)   | 288.4 kB   | 258 bits
transformed    | α = 1, σ = 64, ϑ = 13, τ = 2^20     | 128 ? (PQ) | 256 bits   | 16.5 kB
(? : claimed level; with σ > 1 the proof of slide 13 no longer covers it)