NEW NUMBER-THEORETIC CRYPTOGRAPHIC PRIMITIVES (Éric Brier, Houda Ferradi, Marc Joye, David Naccache): PowerPoint presentation


SLIDE 1

Innovation Centre

NEW NUMBER-THEORETIC CRYPTOGRAPHIC PRIMITIVES

Éric Brier, Houda Ferradi, Marc Joye, David Naccache

NutMiC 2019 Paris, June 24–27, 2019

SLIDE 2

THE ZOOLOGICAL COLLECTION OF SIGNATURE SCHEMES (1)

The oldest and most known family comprises species based on the inversion of a one-way permutation. Notable species belonging to this family: RSA, Rabin, Paillier, ...

  • Faithful, well-behaved, well understood, long history...

© 2019 OneSpan Innovation Centre

SLIDE 3

THE ZOOLOGICAL COLLECTION OF SIGNATURE SCHEMES (2)

Appeared in the late 1980's. Derived from domesticated (non-interactivized) ZKPs using the Fiat–Shamir transform. Notable species belonging to this family: Fiat–Shamir, Schnorr, (EC)DSA, ...

  • Faster, give you signatures because they consent to, bend muscles in silence (pre-computation) then perform a fast jump to sign...

SLIDE 4

THE ZOOLOGICAL COLLECTION OF SIGNATURE SCHEMES (3)

The pairing-based family appeared in the 2000's. Notable species belonging to this family: Boneh–Lynn–Shacham, Waters, ...

  • More clumsy maths, cute, robust, look good, popular...

SLIDE 5

THE ZOOLOGICAL COLLECTION OF SIGNATURE SCHEMES (4)

We also have a few lattice-based and coding-based schemes, containing species such as BLISS, RLWE-SIGN, NTRU-SIGN, Güneysu–Lyubashevsky–Pöppelmann, ...

  • Agile, post-quantum, rare, some seem to stink while still alive...

SLIDE 6

THE ZOOLOGICAL COLLECTION OF SIGNATURE SCHEMES (5)

We know one intriguing species based on $p^2 q$, called ESIGN

  • Very smart, first found in Japan


SLIDE 8

THIS TALK INTRODUCES AN ODDITY

  • Thick fur to keep warm and dry under water
  • Electro-sensory system for underwater foraging
  • Snake-like venom released from back claws of males
  • A mammal laying eggs in underground burrows like reptiles...
  • Webbed feet for swimming like aquatic birds, toothless mouth and beak

Platypus

Signatures are prime numbers, work best modulo $p^r q$, no known attacks


SLIDE 10

LET'S GET STARTED WITH DEFINITIONS

Definition (Jacobi Imprint)

For an integer $a$ and $\mathbf{n} = (n_0, \ldots, n_{k-1}) \in \mathbb{N}^k$ such that $\gcd(a, n_i) = 1$ for $0 \le i \le k-1$, the Jacobi imprint $I_{\mathbf{n}}(a)$ is given by

$$I_{\mathbf{n}}(a) = \sum_{i=0}^{k-1} \left[\frac{a}{n_i}\right] 2^i \quad\text{where}\quad \left[\frac{a}{n_i}\right] = \frac{1 - \left(\frac{a}{n_i}\right)}{2}$$

Remark: $\left[\frac{a}{n_i}\right] = 0$ if $\left(\frac{a}{n_i}\right) = 1$ and $\left[\frac{a}{n_i}\right] = 1$ if $\left(\frac{a}{n_i}\right) = -1$

Facts

1. Factoring $n_i$ is not required for computing $\left(\frac{a}{n_i}\right)$
2. Legendre and Jacobi symbols coincide when $n_i \in \mathbb{P}$
3. The Legendre symbol checks whether $a$ is a square, but the Jacobi symbol does not



SLIDE 13

A NEW CANDIDATE ONE-WAY FUNCTION (1)

Let $\mathbf{q} = (q_0, \ldots, q_{k-1})$ be a set of $k$ distinct (odd) primes and let $Q = \prod_{j=0}^{k-1} q_j$. Consider the function $F_0$ given by

$$F_0 : D \subset \mathbb{Z}_Q^* \to \mathbb{N}, \quad x \mapsto F_0(x) = I_{\mathbf{q}}(x)$$

Attack #1: Given $\hat{y} = \sum_{i=0}^{k-1} \hat{y}_i 2^i$ with $\hat{y}_i \in \{0, 1\}$, do the following:

1. For $0 \le i \le k-1$, choose $r_i \xleftarrow{\$} \mathbb{Z}_{q_i}^*$ such that $\left[\frac{r_i}{q_i}\right] = \hat{y}_i$
2. Set $x \leftarrow \mathrm{CRT}(\mathbf{r}, \mathbf{q})$ where $\mathbf{r} = (r_0, \ldots, r_{k-1})$
3. Output $x$ as a pre-image of $\hat{y}$

Solution: Restrict $D$ to entries smaller than a given bound $B$

SLIDE 14

A NEW CANDIDATE ONE-WAY FUNCTION (1)

Recall $F_0 : D \subset \mathbb{Z}_Q^* \to \mathbb{N}$, $x \mapsto F_0(x) = I_{\mathbf{q}}(x)$, with $Q = \prod_{j=0}^{k-1} q_j$.

$F_0$ induces a group homomorphism from $(\mathbb{Z}_Q^*, \cdot)$ to $(\{0, 1\}^k, \oplus)$:

$$F_0(x_1 \cdot x_2 \bmod Q) = F_0(x_1) \oplus F_0(x_2), \quad \forall x_1, x_2 \in \mathbb{Z}_Q^*$$


SLIDE 16

A NEW CANDIDATE ONE-WAY FUNCTION (1)

Recall $F_0 : D \subset \mathbb{Z}_Q^* \to \mathbb{N}$, $x \mapsto F_0(x) = I_{\mathbf{q}}(x)$, with $Q = \prod_{j=0}^{k-1} q_j$.

Attack #2: Given $\hat{y} = \sum_{i=0}^{k-1} \hat{y}_i 2^i$ with $\hat{y}_i \in \{0, 1\}$, do the following:

1. Generate a set of $\ell$ "small" primes $p_i$ and compute $z_i = F_0(p_i)$
2. Use linear algebra modulo 2 to find $\varepsilon_i \in \{0, 1\}$ such that $\hat{y} = \varepsilon_1 z_1 \oplus \cdots \oplus \varepsilon_\ell z_\ell$
3. Output $x = \prod_{1 \le i \le \ell,\ \varepsilon_i = 1} p_i$ as a pre-image of $\hat{y}$

Solution: Restrict $D$ to prime values

SLIDE 17

A NEW CANDIDATE ONE-WAY FUNCTION (2)

Let $\kappa$ denote a security parameter. Let also $k = k(\kappa)$ and $\ell = \ell(\kappa)$. Define

$$D = \{\, x \in \mathbb{P} \mid x < 2^{k\ell} \,\} \quad\text{and}\quad F_1 : D \to \mathbb{N}, \quad x \mapsto F_1(x) = I_{\mathbf{n}}(x)$$

where $\mathbf{n} = (n_0, \ldots, n_{k-1})$ is a set of $k$ pairwise co-prime moduli of the form $n_i = p_i^2 q_i$ for $\ell$-bit primes $p_i$ and $q_i$, $0 \le i \le k-1$

Assumption

For every polynomial-time algorithm $\mathcal{A}$, the success probability

$$\Pr\left[\hat{x} \xleftarrow{\$} D;\ \mathcal{A}(F_1(\hat{x})) = x \,\middle|\, F_1(x) = F_1(\hat{x})\right]$$

is negligible



SLIDE 20

SIGNATURES MODULO $p^2 q$

Key generation: Signer publishes $k$ moduli $n_i = p_i^2 q_i$. All secret factors (i.e., the $p_i$'s and $q_i$'s) are $\ell$-bit long

Signing: Signer hashes $H(m) = (h_0, \ldots, h_{k-1}) \in \{0, 1\}^k$ and picks $k$ random $\ell$-bit integers $r_i$ such that $\left[\frac{r_i}{q_i}\right] = h_i$, for $0 \le i \le k-1$. Next, signer generates at random $u \in \mathbb{Z}_Q^*$ such that

$$\sigma := \mathrm{CRT}(\mathbf{r}, \mathbf{q}) \cdot u^2 \bmod Q \in \mathbb{P} \quad\text{where}\quad Q = \prod_{i=0}^{k-1} q_i$$

Verification: To verify, check that (i) $\sigma \in \mathbb{P}$, (ii) $\sigma < 2^{\ell k}$, (iii) $I_{\mathbf{n}}(\sigma) = H(m)$

SLIDE 21

TOY EXAMPLE (k = 8)

Picking the secret primes

        i = 0   i = 1   i = 2   i = 3   i = 4   i = 5   i = 6   i = 7
p_i     59069   54139   52639   53813   49871   41269   53653   40361
q_i     62989   32917   36583   48383   36653   34963   52517   38971

we have the public moduli

n_0 = 219777865328629
n_1 = 096480757993357
n_2 = 101366529455143
n_3 = 140109376837127
n_4 = 091160286242573
n_5 = 059546546811643
n_6 = 151177768427453
n_7 = 063484161219691

and the value $Q = \prod_{i=0}^{7} q_i$ = 9625354820834308444301890854766785161

SLIDE 22

TOY EXAMPLE (k = 8)

Consider a message whose digest is $h = (h_0, \ldots, h_7)$ and draw $r_i$'s as:

        i = 0   i = 1   i = 2   i = 3   i = 4   i = 5   i = 6   i = 7
h_i     1 1 1 1 1   (only five of the eight digest bits are legible on the extracted slide; their positions are not recoverable)
r_i     64863   58999   47120   50684   37458   57079   43135   56942

We get CRT(r, q) = 1395786251559231878789764535858641198. By selecting u = 2152266820709866295140077504687803459, we obtain the signature σ = 1137542561586761230770585345256092841 ∈ P
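As an added worked example (not code from the talk or its authors), the following Python script implements the Jacobi imprint of slide 10, the homomorphism property of slide 14 and the key generation, signing and verification steps of slide 20, then recomputes the toy example above from its stated inputs. Function names, the rejection-sampling loops and the dictionary returned by `toy_example` are my own; the Jacobi-symbol algorithm, CRT and Miller–Rabin are textbook routines. The digest bits h_i are recovered as [r_i/q_i], which is how the slide ties them to the r_i.

```python
"""Added example: Jacobi imprint and the p^2 q signature scheme from the slides.
Names and the sampling loops are mine; the math and toy numbers are the slides'."""
import random
from math import gcd, prod

def jacobi(a, n):
    """Jacobi symbol (a/n) for odd n > 0; needs no factorisation of n (slide 10, fact 1)."""
    if n <= 0 or n % 2 == 0:
        raise ValueError("n must be a positive odd integer")
    a, result = a % n, 1
    while a:
        while a % 2 == 0:  # (2/n) = -1 exactly when n = 3 or 5 (mod 8)
            a //= 2
            if n % 8 in (3, 5):
                result = -result
        a, n = n, a  # quadratic reciprocity: sign flips iff both are 3 (mod 4)
        if a % 4 == 3 and n % 4 == 3:
            result = -result
        a %= n
    return result if n == 1 else 0

def imprint_bit(a, n):
    """[a/n] = (1 - (a/n)) / 2, the bit used by the imprint; assumes gcd(a, n) = 1."""
    return (1 - jacobi(a, n)) // 2

def imprint(a, moduli):
    """Jacobi imprint I_n(a) = sum_i [a/n_i] * 2^i."""
    return sum(imprint_bit(a, n_i) << i for i, n_i in enumerate(moduli))

def crt(residues, moduli):
    """Chinese remaindering for pairwise co-prime moduli, one modulus at a time."""
    x, m = 0, 1
    for r_i, m_i in zip(residues, moduli):
        x, m = x + m * ((r_i - x) * pow(m, -1, m_i) % m_i), m * m_i
    return x

def is_probable_prime(n, rounds=40):
    """Miller-Rabin; needed because a signature must lie in P."""
    if n < 4 or n % 2 == 0:
        return n in (2, 3)
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    for _ in range(rounds):
        x = pow(random.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def sign(h_bits, q, ell, rng):
    """Slide 20 signing (needs only the q_i): r_i with [r_i/q_i] = h_i, then u until sigma is prime."""
    Q, r = prod(q), []
    for h_i, q_i in zip(h_bits, q):
        while True:
            r_i = rng.randrange(1 << (ell - 1), 1 << ell)  # an ell-bit integer
            j = jacobi(r_i, q_i)
            if j != 0 and (1 - j) // 2 == h_i:  # j == 0 would masquerade as a 0 bit
                r.append(r_i)
                break
    x = crt(r, q)
    while True:
        u = rng.randrange(1, Q)
        sigma = x * u * u % Q
        if gcd(u, Q) == 1 and is_probable_prime(sigma):
            return sigma

def verify(sigma, h_bits, n, ell):
    """Slide 20 verification: (i) sigma in P, (ii) sigma < 2^(ell k), (iii) I_n(sigma) = H(m)."""
    h = sum(b << i for i, b in enumerate(h_bits))
    return is_probable_prime(sigma) and sigma < (1 << (ell * len(n))) and imprint(sigma, n) == h

def homomorphism_holds(x1, x2, q):
    """Slide 14: F_0(x1 * x2 mod Q) = F_0(x1) xor F_0(x2) for x1, x2 in Z_Q^*."""
    return imprint(x1 * x2 % prod(q), q) == (imprint(x1, q) ^ imprint(x2, q))

# Toy parameters copied from slides 21-22 (k = 8; all primes are 16-bit, so ell = 16).
P_TOY = [59069, 54139, 52639, 53813, 49871, 41269, 53653, 40361]
Q_TOY = [62989, 32917, 36583, 48383, 36653, 34963, 52517, 38971]
R_TOY = [64863, 58999, 47120, 50684, 37458, 57079, 43135, 56942]
U_TOY = 2152266820709866295140077504687803459
X_TOY = 1395786251559231878789764535858641198      # CRT(r, q) as printed on slide 22
SIGMA_TOY = 1137542561586761230770585345256092841  # sigma as printed on slide 22

def toy_example():
    """Recompute slide 22 from its inputs; the digest bits h_i are recovered as [r_i/q_i]."""
    n = [p_i * p_i * q_i for p_i, q_i in zip(P_TOY, Q_TOY)]
    h_bits = [imprint_bit(r_i, q_i) for r_i, q_i in zip(R_TOY, Q_TOY)]
    x = crt(R_TOY, Q_TOY)
    sigma = x * U_TOY * U_TOY % prod(Q_TOY)
    return {"n": n, "h_bits": h_bits, "x": x, "sigma": sigma,
            "verifies": verify(sigma, h_bits, n, 16),
            "matches_slide": x == X_TOY and sigma == SIGMA_TOY}

def demo_round(seed):
    """Fresh sign/verify round on the toy key with a seeded random 8-bit digest."""
    rng = random.Random(seed)
    h_bits = [rng.randrange(2) for _ in Q_TOY]
    n = [p_i * p_i * q_i for p_i, q_i in zip(P_TOY, Q_TOY)]
    return verify(sign(h_bits, Q_TOY, 16, rng), h_bits, n, 16)
```

`toy_example()["matches_slide"]` reports whether the recomputed CRT value and σ equal the ones printed on slide 22, and `demo_round(seed)` runs a complete sign-then-verify cycle on the same key. The verifier never touches the p_i: the Jacobi symbol modulo n_i = p_i² q_i is computed without factoring n_i (slide 10, fact 1), and since (σ/n_i) = (σ/p_i)² (σ/q_i) = (σ/q_i) for any σ co-prime to n_i, check (iii) reduces to the bits the signer chose through the r_i. That is why the signing step can ignore the p_i entirely while the public verification still binds σ to H(m).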

SLIDE 23

SECURITY ANALYSIS

Theorem

The signature scheme is EUF-CMA secure assuming the hardness of inverting $F_1$, in the random oracle model

SLIDE 24

GENERALIZED SIGNATURES

Replace the Jacobi symbol $\left(\frac{\cdot}{\cdot}\right)$ with the higher-order power residue symbol $\left(\frac{\cdot}{\cdot}\right)_r$ ⇒ shorter signatures

Definition (rth-order Imprint)

Fix $\zeta$ a primitive $r$th root of unity. For an integer $\alpha \in \mathbb{Z}[\zeta]$ and a vector $\boldsymbol{\nu} = (\nu_0, \ldots, \nu_{k-1}) \in \mathbb{Z}[\zeta]^k$, such that $\alpha$ and $\nu_j$ (with $0 \le j \le k-1$) are co-prime, the $r$th-order imprint of $\alpha$ w.r.t. $\boldsymbol{\nu}$ is the integer $I^{(r)}_{\boldsymbol{\nu}}(\alpha) \in \mathbb{Z}$ given by

$$I^{(r)}_{\boldsymbol{\nu}}(\alpha) = \sum_{i=0}^{k-1} \left[\frac{\alpha}{\nu_i}\right]_r r^i \quad\text{where}\quad \left[\frac{\alpha}{\nu_i}\right]_r = j \iff \left(\frac{\alpha}{\nu_i}\right)_r = \zeta^j$$


SLIDE 26

PARAMETER SELECTION

  • Key lengths and bit security for moduli of the form $n_i = p_i^r q_i$

Type        Bit-security level   Modulus (bit size)
Legacy      80                   1024
Basic       112                  2048
Normal      128                  3072
High        192                  7680
Very high   256                  15360

  • Select $r$ as a parameter ranging from 2 up to 5
  • The ring $\mathbb{Z}[\zeta_r]$ is known to be norm-Euclidean for $r$ = 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 18, 20, 22, 24, 26, 30; each $r$ gives rise to a new signature scheme

SLIDE 27

NEW SPECIES IN THE SIGNATURE ZOO

Quadratapus*   r = 2   legacy (80 bits)
Cubapus-112    r = 3   basic security (112 bits)
Cubapus-128    r = 3   normal security (128 bits)
Quartapus      r = 4   high security (192 bits)
Pentapus       r = 5   very high security (256 bits)

Detailed implementation is provided for Quartapus (quartic residue symbols)

*Quadratapus is an endangered species

SLIDE 28

THANKS!