post quantum epid signatures from symmetric primitives
play

Post-Quantum EPID Signatures from Symmetric Primitives Dan Boneh - PowerPoint PPT Presentation

Mar 30, 2024 •151 likes •505 views

Post-Quantum EPID Signatures from Symmetric Primitives Dan Boneh Saba Eskandarian Ben Fisch Hardware Enclaves A trusted component in an untrusted system Protected memory isolates enclave from compromised OS Untrusted System Enclave

  1. Post-Quantum EPID Signatures from Symmetric Primitives Dan Boneh Saba Eskandarian Ben Fisch

  2. Hardware Enclaves A trusted component in an untrusted system ● Protected memory isolates enclave from compromised OS Untrusted System Enclave Adversary who controls OS -Data still can’t see inside enclave -Secrets 2

  3. Hardware Enclaves A trusted component in an untrusted system ● Protected memory isolates enclave from compromised OS ● Proves authenticity via a process called attestation Untrusted System Secure Channel Enclave Adversary who controls OS -Data Attestation/ still can’t see inside enclave -Secrets Communication 3

  4. Hardware Enclaves A trusted component in an untrusted system ● Protected memory isolates enclave from compromised OS ● Proves authenticity via a process called attestation ○ Is it “post-quantum” secure? Untrusted System Secure Channel Enclave Adversary who controls OS -Data Attestation/ still can’t see inside enclave -Secrets Communication 4

  5. EPID Signatures [BL09] Group signature-like primitive that provides two properties: 1. Signatures from any member of a group are indistinguishable from each other 2. Users can have their credentials revoked either by a blacklisted key or a blacklisted signature Intel’s EPID signature scheme relies on pairings and is not post-quantum secure 5

  6. EPID Signatures [BL09] sk i , cert i ←Join( ... ) - interactive protocol between group member and manager to join group σ ←Sign(gpk,sk i ,cert i ,m,SIG-RL) - any user who has joined can sign a message anonymously as a group member 1/0 ←Verify(gpk,m,KEY-RL,SIG-RL,σ) - signatures only verify if signed by a valid, unrevoked group member KEY-RL’←RevokeKey(KEY-RL,sk i ) - revoke a group member by key SIG-RL’←RevokeSig(SIG-RL,σ) - revoke a group member by signature Security properties: Anonymity and Unforgeability 6

  7. EPID Signatures [BL09] sk i , cert i ←Join( ... ) - interactive protocol between group member and manager to join group σ ←Sign(gpk,sk i ,cert i ,m,SIG-RL) - any user who has joined can sign a message anonymously as a group member 1/0 ←Verify(gpk,m,KEY-RL,SIG-RL,σ) - signatures only verify if signed by a valid, unrevoked group member KEY-RL’←RevokeKey(KEY-RL,sk i ) - revoke a group member by key SIG-RL’←RevokeSig(SIG-RL,σ) - revoke a group member by signature Security properties: Anonymity and Unforgeability Our design goal: post-quantum security from symmetric primitives only 7

  8. Picnic Signatures [CDGORRSZ17] Uses ZKB++ MPC-in-the-head type proof system [IKOS07, GMO16] i.e. proof of knowledge from symmetric primitives High-level idea: Signature is proof of knowledge of preimage of a one-way function e.g. I know sk such that f(sk)=y 8

  9. Our Basic Approach [BMW03,CG04] Join User generates pk, sk Group manager signs pk to form cert Sign User signs message with sk User publishes proof of knowledge of signature as σ Additionally need to support revocation 9

  10. Our Basic Approach [BMW03,CG04] Join User Manager pk i sk i , pk i gsk, gpk pk i Sign s = Sign(sk i , m) Proof of Knowledge: I have a certificate on a key sk* and a signature s on message m signed with sk* 10

  11. Post-Quantum EPID Signature Join User Manager sk i gsk, gpk 11

  12. Post-Quantum EPID Signature Join User Manager sk i gsk, gpk c 12

  13. Post-Quantum EPID Signature Join User Manager sk i gsk, gpk c t join = f(sk i , c) t join 13

  14. Post-Quantum EPID Signature Join User Manager sk i gsk, gpk c t join = f(sk i , c) t join t join , c 14

  15. Post-Quantum EPID Signature Sign r ← {0,1} λ t = f(sk i , r), r 15

  16. Post-Quantum EPID Signature Sign r ← {0,1} λ t = f(sk i , r), r Proof of Knowledge: 1. I know a valid certificate for t join , c 16

  17. Post-Quantum EPID Signature Sign r ← {0,1} λ t = f(sk i , r), r Proof of Knowledge: 1. I know a valid certificate for t join , c 2. I know sk i such that t = f(sk i , r) and t join = f(sk i , c) 17

  18. Post-Quantum EPID Signature Sign r ← {0,1} λ t = f(sk i , r), r Proof of Knowledge: 1. I know a valid certificate for t join , c 2. I know sk i such that t = f(sk i , r) and t join = f(sk i , c) 3. There is no signature in SIG-RL such that f(sk i , r’)=t’ publish proof and t as signature 18

  19. Instantiation Need Choices Zero Knowledge PoK ZKB++, Ligero, zk-STARK PRF/CRHF Post-Quantum Signature from symmetric primitives 19

  20. Instantiation Need Choices Zero Knowledge PoK ZKB++ , Ligero, zk-STARK PRF/CRHF Post-Quantum Signature from symmetric primitives 20

  21. Instantiation Need Choices Zero Knowledge PoK ZKB++ , Ligero, zk-STARK PRF/CRHF AES, MiMC, LowMC Post-Quantum Signature from symmetric primitives 21

  22. Instantiation Need Choices Zero Knowledge PoK ZKB++ , Ligero, zk-STARK PRF/CRHF AES, MiMC, LowMC Post-Quantum Signature from symmetric primitives 22

  23. Instantiation Need Choices Zero Knowledge PoK ZKB++ , Ligero, zk-STARK PRF/CRHF AES, MiMC, LowMC Post-Quantum Signature Tree-based, SPHINCS, Fish from symmetric primitives 23

  24. Instantiation Need Choices Zero Knowledge PoK ZKB++ , Ligero, zk-STARK PRF/CRHF AES, MiMC, LowMC Post-Quantum Signature Tree-based , SPHINCS , Fish from symmetric primitives 24

  25. Instantiation Need Choices Zero Knowledge PoK ZKB++ , Ligero, zk-STARK PRF/CRHF AES, MiMC, LowMC Post-Quantum Signature Tree-based , SPHINCS , Fish from symmetric primitives Post-quantum EPID signature size (group size 2 30 ): 25

  26. Instantiation Need Choices Zero Knowledge PoK ZKB++ , Ligero, zk-STARK PRF/CRHF AES, MiMC, LowMC Post-Quantum Signature Tree-based , SPHINCS , Fish from symmetric primitives Post-quantum EPID signature size (group size 2 30 ): 217MB Way too big!! Culprit: signature verification inside PoK 26

  27. Post-Quantum EPID Signature Requires signature verification! Sign How can we remove this? r ← {0,1} λ t = f(sk i , r), r Proof of Knowledge: 1. I know a valid certificate for t join , c 2. I know sk i such that t = f(sk i , r) and t join = f(sk i , c) 3. There is no signature in SIG-RL such that f(sk i , r’)=t’ publish proof and t as signature 27

  28. The Attestation Setting Each Intel SGX attestation involves contacting Intel, who verifies the attestation for you. Enclave -Data -Secrets How can we leverage this to reduce signature sizes? 28 28

  29. The Attestation Setting Each Intel SGX attestation involves contacting Intel, who verifies the attestation for you. Enclave -Data -Secrets How can we leverage this to reduce signature sizes? Idea: If group manager has to be online, maybe it can update users’ certificates User anonymity sets relative to last certificate update 29 29

  30. Signatures for Attestation Manager puts user credentials in a Merkle tree and signs root Users get newest Merkle root/inclusion proof when they connect to the manager 30

  31. Signatures for Attestation Manager puts user credentials in a Merkle tree and signs root Users get newest Merkle root/inclusion proof when they connect to the manager Signature on Merkle tree root can be verified outside PoK Only need much smaller Merkle inclusion proof inside PoK 31

  32. Signatures for Attestation r ← {0,1} λ t = f(sk i , r), r Proof of Knowledge: 1. I know an inclusion proof for t join , c 2. I know sk i such that t = f(sk i , r) and t join = f(sk i , c) 3. There is no signature in SIG-RL such that f(sk i , r’)=t’ publish proof, t, and signed Merkle root as signature Similar to post-quantum Ring signatures of Derler et al [DRS17] 32

  33. Signature Sizes Group Size RO Model* QRO Model* 2 7 1.37MB 2.64MB 2 10 1.85MB 3.59MB 2 20 3.45MB 6.74MB 2 30 5.05MB 9.89MB 2 40 6.65MB 13.0MB Potential application: large data transfer, e.g. streaming movies *under ideal cipher assumption on LowMC 33

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Post-Quantum Zero-Knowledge Proofs for Accumulators with Applications to Ring Signatures from

Post-Quantum Zero-Knowledge Proofs for Accumulators with Applications to Ring Signatures from

Post-Quantum Zero-Knowledge Proofs for Accumulators with Applications to Ring Signatures from Symmetric-Key Primitives David Derler , Sebastian Ramacher , Daniel Slamanig PQC rypto 18, April 9, 2018 1 Ring Signatures P

612 views • 27 slides
Digital Signatures from Symmetric-Key Primitives Christian Rechberger IAIK, TU Graz and DTU

Digital Signatures from Symmetric-Key Primitives Christian Rechberger IAIK, TU Graz and DTU

Digital Signatures from Symmetric-Key Primitives Christian Rechberger IAIK, TU Graz and DTU Compute, DTU March 7, 2017 Based on Joint Work With David Derler Claudio Orlandi Sebastian Ramacher Daniel Slamanig TU Graz Aarhus University TU

187 views • 14 slides
(post-)quantum security of symmetric key schemes NTT Secure Platform Laboratories (and Nagoya

(post-)quantum security of symmetric key schemes NTT Secure Platform Laboratories (and Nagoya

Towards a better understanding of (post-)quantum security of symmetric key schemes NTT Secure Platform Laboratories (and Nagoya University) Akinori Hosoyamada @ASK 2019 (2019.12.13) Introduction Quantum Attacks against Symmetric

738 views • 56 slides
To BLISS-B or not to be - Attacking strongSwans Implementation of Post-Quantum Signatures

To BLISS-B or not to be - Attacking strongSwans Implementation of Post-Quantum Signatures

S C I E N C E P A S S I O N T E C H N O L O G Y To BLISS-B or not to be - Attacking strongSwans Implementation of Post-Quantum Signatures Peter Pessl 1 , Leon Groot Bruinderink 2 , Yuval Yarom 3 1 Graz University of

416 views • 27 slides
A key-recovery timing attack on post-quantum primitives using the Fujisaki-Okamoto transformation

A key-recovery timing attack on post-quantum primitives using the Fujisaki-Okamoto transformation

A key-recovery timing attack on post-quantum primitives using the Fujisaki-Okamoto transformation and its application on FrodoKEM Qian Guo, Thomas Johansson, Alexander Nilsson August 10, 2020 Preliminaries Implementing Crypto Is Hard

994 views • 80 slides
Open-Source FPGA Implementation of Post-Quantum Cryptographic Hardware Primitives Rashmi Agrawal

Open-Source FPGA Implementation of Post-Quantum Cryptographic Hardware Primitives Rashmi Agrawal

Open-Source FPGA Implementation of Post-Quantum Cryptographic Hardware Primitives Rashmi Agrawal , Bu Lake, Alan Ehret, and Michel Kinsy Adaptive & Secure Computing Systems Lab Department of Electrical & Computer Engineering Boston

964 views • 48 slides
Hash-based Signatures Andreas Hlsing Eindhoven University of Technology Executive School on

Hash-based Signatures Andreas Hlsing Eindhoven University of Technology Executive School on

Hash-based Signatures Andreas Hlsing Eindhoven University of Technology Executive School on Post-Quantum Cryptography July 2019, TU Eindhoven Post-Quantum Signatures Lattice, MQ, Coding Signature and/or key sizes 2 y

1.22k views • 101 slides
Fast Zero-Knowledge Proofs and Post-Quantum Signatures Claudio Orlandi Aarhus University

Fast Zero-Knowledge Proofs and Post-Quantum Signatures Claudio Orlandi Aarhus University

Fast Zero-Knowledge Proofs and Post-Quantum Signatures Claudio Orlandi Aarhus University @claudiorlandi Based on joint work with: Meliisa Chase (Microsoft) David Derler (TU Graz) Tore Frederiksen (BIU) Irene Giacomelli

1.21k views • 77 slides
Picnic Post-Quantum Signatures from Zero Knowledge Proofs MELISSA CHASE, MSR THE PICNIC TEAM

Picnic Post-Quantum Signatures from Zero Knowledge Proofs MELISSA CHASE, MSR THE PICNIC TEAM

Picnic Post-Quantum Signatures from Zero Knowledge Proofs MELISSA CHASE, MSR THE PICNIC TEAM DAVID DERLER SEBASTIAN RAMACHER STEVEN GOLDFEDER CHRISTIAN RECHBERGER JONATHAN KATZ DANIEL SLAMANIG VLAD KOLESNIKOV XIAO WANG CLAUDIO ORLANDI

577 views • 37 slides
Symmetric Key Cryptography Introduction to Symmetric Key Cryptography What can we do?

Symmetric Key Cryptography Introduction to Symmetric Key Cryptography What can we do?

PQCRYPTO Summer School on Post-Quantum Cryptography 2017 Stefan Klbl June 20th, 2017 DTU Compute, Technical University of Denmark Symmetric Key Cryptography Introduction to Symmetric Key Cryptography What can we do? Authentication

711 views • 47 slides
Saturnin A suite of lightweight symmetric algorithms for post-quantum security Anne Canteaut 1

Saturnin A suite of lightweight symmetric algorithms for post-quantum security Anne Canteaut 1

Saturnin A suite of lightweight symmetric algorithms for post-quantum security Anne Canteaut 1 Sbastien Duval 2 Gatan Leurent 1 Mara Naya-Plasencia 1 Lo Perrin 1 Thomas Pornin 3 Andr Schrottenloher 1 1 Inria, France 2 UCL Crypto Group,

750 views • 26 slides
Threshold Ring Signatures: New Security Definitions and Post-Quantum Security Abida Haque ,

Threshold Ring Signatures: New Security Definitions and Post-Quantum Security Abida Haque ,

Problem Description Current State of the Art Our Contribution Our Scheme Summary References Threshold Ring Signatures: New Security Definitions and Post-Quantum Security Abida Haque , Alessandra Scafuro North Carolina State University May

736 views • 61 slides
Symmetric Key Cryptography Introduction to Symmetric Key Cryptography Myth Where does security

Symmetric Key Cryptography Introduction to Symmetric Key Cryptography Myth Where does security

PQCRYPTO Summer School on Post-Quantum Cryptography 2017 Stefan Klbl June 19th, 2017 DTU Compute, Technical University of Denmark Symmetric Key Cryptography Introduction to Symmetric Key Cryptography Myth Where does security fail?

758 views • 72 slides
The Quantum Risk & Post-Quantum Crypto JP Aumasson The Quantum Risk & Post-Quantum

The Quantum Risk & Post-Quantum Crypto JP Aumasson The Quantum Risk & Post-Quantum

The Quantum Risk & Post-Quantum Crypto JP Aumasson The Quantum Risk & Post-Quantum Crypto JP Aumasson uantum /me 15 years experience in applied cryptography (PhD, industry, consulting) Designed widely used algorithms Author of the

816 views • 52 slides
Out of Oddity New Cryptanalytic Techniques against Symmetric Primitives Optimized for

Out of Oddity New Cryptanalytic Techniques against Symmetric Primitives Optimized for

Out of Oddity New Cryptanalytic Techniques against Symmetric Primitives Optimized for Integrity Proof Systems Tim Beyne, Anne Canteaut, Itai Dinur, Maria Eichlseder, Gregor Leander, Ga etan Leurent, L eo Perrin, Mar a Naya

488 views • 34 slides
New Algorithms for Quantum (Symmetric) Cryptanalysis Mara Naya-Plasencia 2 , Andr

New Algorithms for Quantum (Symmetric) Cryptanalysis Mara Naya-Plasencia 2 , Andr

Quantum-safe (Symmetric) Cryptography Quantum Collision Search Quantum k-xor Algorithms New Algorithms for Quantum (Symmetric) Cryptanalysis Mara Naya-Plasencia 2 , Andr Schrottenloher 2 Joint work with Andr Chailloux 2 and Lorenzo Grassi

1.63k views • 65 slides
That Wasn't Part of the Plan! Reducing effort through stopping rules to place CAPI cases on hold

That Wasn't Part of the Plan! Reducing effort through stopping rules to place CAPI cases on hold

That Wasn't Part of the Plan! Reducing effort through stopping rules to place CAPI cases on hold and work plans to set them free Ryan Hubbard, Westat AAPOR 2018 Taking Survey and Public Opinion Research to New Heights Background What are

546 views • 16 slides
OUR GREAT POWER PEOPLE Your employees already know who should be working for you - help them

OUR GREAT POWER PEOPLE Your employees already know who should be working for you - help them

OUR GREAT POWER PEOPLE Your employees already know who should be working for you - help them make the introduction! TEAM F EIT DIGITAL Summer School FUTURE CLOUD Everybody is a genius. But if you judge a fish by its ability to

466 views • 18 slides
Too Many People in Britain? Immigration and the Housing Problem Stephen Nickell Nuffield

Too Many People in Britain? Immigration and the Housing Problem Stephen Nickell Nuffield

Too Many People in Britain? Immigration and the Housing Problem Stephen Nickell Nuffield College, Oxford June, 2011 Immigration into and out of the United Kingdom Thousands 700 600 Gross Inflow 500 400 Gross Outflow 300 200 100 Net

261 views • 8 slides
Reducing marine litter by addressing the management of the plastic value chain in South East Asia

Reducing marine litter by addressing the management of the plastic value chain in South East Asia

Reducing marine litter by addressing the management of the plastic value chain in South East Asia SEA CIRCULAR PROJECT WITH MESTECC AS COUNTRY FOCAL POINT NATIONAL CONSULTATION WITH MALAYSIAN STAKEHOLDERS Dewan Utama, Klana Beach Resort Hotel,

701 views • 43 slides
MODERN SYSTEMS: SECURITY Hakim Weatherspoon CS6410 Slides borrowed liberally from past

MODERN SYSTEMS: SECURITY Hakim Weatherspoon CS6410 Slides borrowed liberally from past

1 MODERN SYSTEMS: SECURITY Hakim Weatherspoon CS6410 Slides borrowed liberally from past presentations from Sai Krishna Deepak Maram Move to a Cloud-based model User apps User apps PaaS Software Software Cloud Provider manages the

474 views • 31 slides
Guaranteed Energy Savings Program (GESP) Peter Berger, GESP Manager Guaranteed Energy Savings

Guaranteed Energy Savings Program (GESP) Peter Berger, GESP Manager Guaranteed Energy Savings

Guaranteed Energy Savings Program (GESP) Peter Berger, GESP Manager Guaranteed Energy Savings Program (GESP) Master Contract and Technical Assistance Program Provided by the Minnesota Department of Commerce Including 11 Energy

225 views • 10 slides
Local rules associated to k -communities in an attributed graph Henry Soldano 1 , 2 , Guillaume

Local rules associated to k -communities in an attributed graph Henry Soldano 1 , 2 , Guillaume

Local rules associated to k -communities in an attributed graph Henry Soldano 1 , 2 , Guillaume Santini 1 , Dominique Bouthinon 1 1 LIPN, Universit Paris 13, Sorbonne Paris Cit, France 2 Atelier de Bio-Informatique, ISYEB, Museum dHistoire

483 views • 36 slides
Further Topics in Statistics Coll` ege dEconomie 2 Christina Pawlowitsch Ma tre de

Further Topics in Statistics Coll` ege dEconomie 2 Christina Pawlowitsch Ma tre de

Further Topics in Statistics Coll` ege dEconomie 2 Christina Pawlowitsch Ma tre de conf erences Universit e Panth eon-Assas, Paris II October 2020 Motivation The starting point Weas individuals participating in

765 views • 53 slides

More recommend