  1. MQDSS
Ming-Shing Chen (1), Andreas Hülsing (2), Joost Rijneveld (3), Simona Samardjiska (3), and Peter Schwabe (3)
(1) National Taiwan University / Academia Sinica, Taipei, Taiwan
(2) Technische Universiteit Eindhoven, Eindhoven, The Netherlands
(3) Radboud University, Nijmegen, The Netherlands
2019-08-23, Second NIST PQC Standardization Conference

  2. In a nutshell..
◮ MQ-based 5-pass identification scheme
◮ Fiat-Shamir transform
◮ Loose reduction from (only!) MQ problem
◮ Security proof, instead of typical ‘break and tweak’ in MQ cryptography
◮ Very small keys, big signatures
◮ First proposed at ASIACRYPT 2016 [CHR+16]
◮ Changes in Second Round submission
  ◮ Reduction of number of rounds
  ◮ Added randomness in commitments
  ◮ More precise analysis of best attacks against MQ

  3. Fiat-Shamir transform
IDS (prover P, verifier V):
  P: com ← P_0(sk)                       P → V: com
  V: ch ←R ChS(1^k)                      V → P: ch
  P: resp ← P_1(sk, com, ch)             P → V: resp
  V: b ← Vf(pk, com, ch, resp)
r parallel rounds (P^r, V^r): com ← P_0^r(sk), ch ←R ChS^r(1^k), resp ← P_1^r(sk, com, ch), b ← Vf^r(pk, com, ch, resp)
↓ Fiat-Shamir: the verifier's random challenge is replaced by a hash of message and commitment
FS signature:
  Signer: com ← P_0(sk); ch ← H(m, com); resp ← P_1(sk, com, ch); output σ = (com, resp)
  Verifier: ch ← H(m, com); b ← Vf(pk, com, ch, resp); output b

  4. Sakumoto-Shirai-Hiwatari 5-pass IDS [SSH11]
P: (F, v, s)                                                 V: (F, v)
P: r_0, t_0 ←R F_q^n, e_0 ←R F_q^m
   r_1 ← s − r_0
   c_0 ← Com(r_0, t_0, e_0)
   c_1 ← Com(r_1, G(t_0, r_1) + e_0)                         P → V: (c_0, c_1)
V: α ←R F_q                                                  V → P: α
P: t_1 ← α r_0 − t_0, e_1 ← α F(r_0) − e_0                   P → V: resp_1 = (t_1, e_1)
V: ch_2 ←R {0, 1}                                            V → P: ch_2
P: If ch_2 = 0, resp_2 ← r_0; else resp_2 ← r_1              P → V: resp_2
V: If ch_2 = 0: parse resp_2 = r_0, check c_0 =? Com(r_0, α r_0 − t_1, α F(r_0) − e_1)
   Else: parse resp_2 = r_1, check c_1 =? Com(r_1, α(v − F(r_1)) − G(t_1, r_1) − e_1)
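The round above as an added, runnable example in Python (my code, not from the slides or the MQDSS submission), on a constructed toy instance with q = 31 and n = m = 4. It assumes G is the polar form of F as in SSH11, instantiates Com as SHAKE-256 over a dedicated random string ρ (the Round 2 change) and the committed vectors, and uses my own names ssh_round and accept_fraction; the cheating-prover run shows where the per-round soundness error of roughly 1/2 comes from.

```python
import hashlib, random

Q, N, M = 31, 4, 4  # constructed toy sizes; MQDSS itself uses q = 31 with n = m = 48 or 64
def vadd(a, b): return [(x + y) % Q for x, y in zip(a, b)]
def vsub(a, b): return [(x - y) % Q for x, y in zip(a, b)]
def smul(c, a): return [(c * x) % Q for x in a]

def eval_F(F, x):
    # F: M homogeneous quadratic polynomials, each a dict {(i, j): coeff} with i <= j
    return [sum(c * x[i] * x[j] for (i, j), c in Fk.items()) % Q for Fk in F]

def G(F, x, y):
    # polar form G(x, y) = F(x + y) - F(x) - F(y); bilinear because F is homogeneous quadratic
    return vsub(vsub(eval_F(F, vadd(x, y)), eval_F(F, x)), eval_F(F, y))

def keygen(seed):
    rng = random.Random(seed)
    F = [{(i, j): rng.randrange(Q) for i in range(N) for j in range(i, N)} for _ in range(M)]
    s = [rng.randrange(Q) for _ in range(N)]
    return F, s, eval_F(F, s)  # public (F, v = F(s)), secret s

def com(rho, *vecs):
    # hash commitment (MQDSS uses SHAKE-256); rho is the dedicated randomness added in Round 2
    h = hashlib.shake_256(rho)
    for vec in vecs:
        h.update(bytes(vec))  # fixed-length vectors, so plain concatenation is unambiguous
    return h.digest(32)

def ssh_round(F, v, s, rng):
    # One 5-pass SSH11 round: prover claims F(s) = v; the verifier's challenges come from rng too.
    rho0, rho1 = rng.randbytes(32), rng.randbytes(32)
    r0, t0 = [rng.randrange(Q) for _ in range(N)], [rng.randrange(Q) for _ in range(N)]
    e0 = [rng.randrange(Q) for _ in range(M)]
    r1 = vsub(s, r0)
    c0 = com(rho0, r0, t0, e0)                                   # pass 1: (c0, c1)
    c1 = com(rho1, r1, vadd(G(F, t0, r1), e0))
    alpha = rng.randrange(Q)                                     # pass 2: ch1 = alpha
    t1 = vsub(smul(alpha, r0), t0)                               # pass 3: resp1 = (t1, e1)
    e1 = vsub(smul(alpha, eval_F(F, r0)), e0)
    ch2 = rng.randrange(2)                                       # pass 4: ch2
    if ch2 == 0:  # pass 5: open r0; verifier recovers t0, e0 from alpha, t1, e1
        return c0 == com(rho0, r0, vsub(smul(alpha, r0), t1), vsub(smul(alpha, eval_F(F, r0)), e1))
    # pass 5: open r1; verifier substitutes v for F(r0 + r1), so a wrong s only survives when alpha = 0
    x = vsub(vsub(smul(alpha, vsub(v, eval_F(F, r1))), G(F, t1, r1)), e1)
    return c1 == com(rho1, r1, x)

def accept_fraction(F, v, s_claim, rounds, seed):
    # fraction of rounds accepted: 1.0 for the true s, about (q + 1) / (2q) for a wrong one
    rng = random.Random(seed)
    return sum(ssh_round(F, v, s_claim, rng) for _ in range(rounds)) / rounds
```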

  5. MQDSS
◮ Generate keys
  ◮ Sample seed S_F ∈ {0, 1}^k, s ∈ F_q^n ⇒ sk = (S_F, s)
  ◮ Expand S_F to F, compute v = F(s) ⇒ pk = (S_F, v)
◮ Signing
  ◮ Sign randomized digest D of message M
  ◮ Perform r parallel rounds of transformed IDS
◮ Verifying
  ◮ Reconstruct D, F
  ◮ Reconstruct challenges
  ◮ Reconstruct commitments
  ◮ Check combined commitments hash
◮ Parameters: n, m, q, r (and Com, Hash & PRG)

  6. Round 2 update: Parameter Sets
                   Sec. cat.   q    n (= m)   r     pk (bytes)   sk (bytes)   Signature (bytes)
MQDSS-31-48        1-2         31   48        135   46           16           20854
  (Round 1)                               269   62           32           32882
MQDSS-31-64        3-4         31   64        202   64           24           43728
  (Round 1)                               403   88           48           67800
Table: Round 1 parameters in black, Round 2 parameters in red (here: Round 2 values in the main rows, Round 1 values in the indented rows).
◮ q, n = m chosen using best attacks on MQ
◮ q additionally chosen for fast arithmetic
◮ r chosen such that $2^{-(r \log \frac{2q}{q+1})} < 2^{-k}$
◮ mistake in calculation in Round 1, chose k too large
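An added check (my code, not from the slides) that carries the round-count rule through: it computes the smallest r with $2^{-(r \log \frac{2q}{q+1})} < 2^{-k}$ and reproduces the table's r for k = 128 and 192 (Round 2) and, for k = 256 and 384, the Round 1 rows the slide attributes to a too-large k. The pk size is my reconstruction from the table (k-bit seed plus m elements of F_31 packed at 5 bits each) and is an assumption, not something the slide states.

```python
import math

def cheat_prob(q):
    # a prover without s passes one SSH11 round with probability (q + 1) / (2q):
    # always when ch2 = 0, and when ch2 = 1 only if alpha = 0 (probability 1/q)
    return (q + 1) / (2 * q)

def rounds_for(q, k):
    # smallest r with 2^-(r log2(2q/(q+1))) < 2^-k, i.e. ((q+1)/(2q))^r < 2^-k
    r = 0
    while r * math.log2(2 * q / (q + 1)) <= k:
        r += 1
    return r

def pk_bytes(q, m, k):
    # pk = (S_F, v): a k-bit seed plus m field elements packed at ceil(log2 q) bits each
    # (assumption reconstructed from the table, not stated on the slide)
    return k // 8 + math.ceil(m * math.ceil(math.log2(q)) / 8)

def parameter_row(q, n, k):
    # (r, pk bytes) for a parameter set with n = m, as the table lists them
    return rounds_for(q, k), pk_bytes(q, n, k)
```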

  7. Round 2 update: Commitments
◮ MQDSS uses hash for commitments - instantiated with SHAKE-256
◮ In Round 1 proof assumes statistically hiding commitments
  ◮ Requires a lot of randomness: 5 × commitment length [Lei18]
  ◮ Round 1 MQDSS does not provide any (dedicated) randomness
◮ Round 2:
  ◮ Computationally hiding commitments suffices!
  ◮ Proof updated accordingly
  ◮ Still needs randomness (2 × commitment length [Lei18])
  ◮ ⇒ adds approx 4KB (10KB) to signature for MQDSS-31-48 (MQDSS-31-64)

  8. Round 2 performance
◮ Reference implementation
                   keygen       signing        verification
MQDSS-31-48        1 192 984    26 630 590     19 840 136
  Round 1          1 206 730    52 466 398     38 686 506
MQDSS-31-64        2 767 384    85 268 712     62 306 098
  Round 1          2 806 750    169 298 364    123 239 874
Table: Round 1 performance in black, Round 2 performance in red (here: Round 2 values in the main rows, Round 1 values in the indented rows).
◮ AVX2 implementation (only round 2)
                   keygen       signing        verification
MQDSS-31-48        1 074 644    3 816 106      2 551 270
MQDSS-31-64        2 491 050    9 047 148      6 132 948

  9. Round 2 update: More precise analysis of hardness of MQ
◮ Best strategy: Algebraic techniques with exhaustive search
  ◮ HybridF5 [BFS15], BooleanSolve [BFSS13], Crossbred [JV17]
◮ Analyze both classically and using Grover
  ◮ Classical gates, quantum gates, circuit depth
◮ minor changes in Round 2 - more precise analysis
  ◮ no influence to security of parameter sets

  10. Recent attack
◮ August 2019, Daniel Kales and Greg Zaverucha - forgery in approx. 2^95 hash calls for MQDSS-31-48
◮ Can be mitigated by ≈ 1.4 × (number of rounds)
◮ Proof still valid!
  ◮ Attack is result of not taking into account non-tightness of proof for choosing parameters
◮ New parameters after attack (estimate):
                        Sec. cat.   q    n    r     pk    sk    Signature
MQDSS-31-48 (new)       1-2         31   48   184   46B   16B   28400B
  Round 1                                     269   62B   32B   32882B
MQDSS-31-64 (new)       3-4         31   64   277   64B   24B   59928B
  Round 1                                     403   88B   48B   67800B
Table: Round 1 parameters in black, New parameters (attack fixed) in red (here: new values in the main rows, Round 1 values in the indented rows).

  11. Conclusion
◮ Fiat-Shamir transform from MQ-based 5-pass identification scheme
◮ Security proof in ROM, instead of typical ‘break and tweak’ in MQ cryptography
◮ Very small keys, big signatures
