DOI: 10.1145/3133956.3133997
Research article (Public Access), ACM CCS conference proceedings

Post-Quantum Zero-Knowledge and Signatures from Symmetric-Key Primitives

Published: 30 October 2017

ABSTRACT

We propose a new class of post-quantum digital signature schemes that: (a) derive their security entirely from the security of symmetric-key primitives, believed to be quantum-secure, (b) have extremely small keypairs, and (c) are highly parameterizable.

In our signature constructions, the public key is an image y=f(x) of a one-way function f, and the secret key is the preimage x. A signature is a non-interactive zero-knowledge proof of knowledge of x that incorporates the message to be signed. For this proof, we leverage recent progress by Giacomelli et al. (USENIX'16) in constructing an efficient Σ-protocol for statements over general circuits. We improve this Σ-protocol to reduce proof sizes by a factor of two, at no additional computational cost. While this is of independent interest, as it yields more compact proofs for any circuit, it also decreases our signature sizes.

We consider two possibilities for making the proof non-interactive: the Fiat-Shamir transform and Unruh's transform (EUROCRYPT'12, '15, '16). The former yields smaller signatures, while the latter has a security analysis in the quantum-accessible random oracle model. By customizing Unruh's transform to our application, its overhead is reduced to 1.6x compared with the Fiat-Shamir transform, which does not have a rigorous post-quantum security analysis.

We implement and benchmark both approaches and explore possible choices of f, taking advantage of the recent trend towards practical symmetric ciphers with a particularly low number of multiplications, and end up using LowMC (EUROCRYPT'15).
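The construction the abstract describes, with the public key y=f(x), a ZKBoo-style (2,3)-decomposition run "in the head" over three simulated parties, commitments to each party's view, and a Fiat-Shamir challenge that binds the message, as an added toy example that is not the paper's code or the Picnic implementation. Everything here is constructed for illustration: f is a 4-bit circuit rather than LowMC, SHA-256 stands in for all hashing and commitment, the Unruh variant and the paper's proof-size optimisations are not shown, and the parameters are far below any real security level.

```python
import hashlib, random

# Constructed toy circuit over GF(2) standing in for f (Picnic uses LowMC); inputs are wires 0..3,
# each gate appends one wire, OUT lists the output wires.
GATES = [("AND", 0, 1), ("XOR", 4, 2), ("AND", 2, 3), ("XOR", 6, 0), ("AND", 5, 7), ("XOR", 8, 1)]
N_IN, OUT = 4, [5, 7, 9]
ANDS = [(k, a, b) for k, (op, a, b) in enumerate(GATES) if op == "AND"]  # (gate index, inputs)

def evaluate(x, and_gate):  # walk the circuit; and_gate(a, b) supplies each AND output in order
    w = list(x)
    for op, a, b in GATES:
        w.append(and_gate(w[a], w[b]) if op == "AND" else w[a] ^ w[b])
    return w
def f(x):  # the one-way function: public key y = f(x), secret key x
    return [evaluate(x, lambda a, b: a & b)[o] for o in OUT]
def replay(view):  # a party's wires, taking its AND outputs from its opened view
    it = iter(view[1])
    return evaluate(view[0], lambda a, b: next(it))
def H(*parts):  # hash for commitments and the Fiat-Shamir challenge (SHA-256 stands in here)
    return hashlib.sha256(repr(parts).encode()).digest()
def tape(seed):  # a party's random bits; anyone holding the seed can regenerate them
    return [byte >> i & 1 for byte in H("tape", seed) for i in range(8)][:N_IN + len(GATES)]
def and_share(ai, bi, aj, bj, ri, rj):  # ZKBoo (2,3)-decomposition of AND: party i's
    return (ai & bi) ^ (aj & bi) ^ (ai & bj) ^ ri ^ rj  # share needs only parties i and i+1

def mpc(xs, r):  # prover: the three parties evaluate the circuit in lockstep on their shares
    w, ands = [list(x) for x in xs], [[], [], []]
    for k, (op, a, b) in enumerate(GATES):
        for i, j in ((0, 1), (1, 2), (2, 0)):
            if op == "AND":
                ands[i].append(and_share(w[i][a], w[i][b], w[j][a], w[j][b], r[i][k], r[j][k]))
            w[i].append(ands[i][-1] if op == "AND" else w[i][a] ^ w[i][b])
    return w, ands

def sign(x, msg, reps=8):  # reps <= 32 parallel runs; a cheating prover passes each with prob 2/3
    y, runs, rng = f(x), [], random.SystemRandom()
    for _ in range(reps):
        seeds = [rng.getrandbits(128) for _ in range(3)]
        tapes = [tape(s) for s in seeds]
        xs = [tapes[0][:N_IN], tapes[1][:N_IN]]            # parties 0,1 read input shares off their tapes
        xs.append([v ^ u ^ t for v, u, t in zip(x, *xs)])  # party 2 holds x ^ x0 ^ x1
        w, ands = mpc(xs, [t[N_IN:] for t in tapes])
        views = list(zip(xs, ands))                        # view_i = (input share, AND output shares)
        outs = [[wi[o] for o in OUT] for wi in w]          # output shares of all three parties
        runs.append((seeds, views, outs, [H(s, v) for s, v in zip(seeds, views)]))
    chal = H(msg, y, [r[3] for r in runs])                 # Fiat-Shamir: the message fixes the challenge
    return [(c % 3, outs, comms, (seeds[c % 3], views[c % 3]), (seeds[(c + 1) % 3], views[(c + 1) % 3]))
            for c, (seeds, views, outs, comms) in zip(chal, runs)]  # open parties e, e+1; hide e+2

def check_run(y, c, run):  # recheck one run from its two opened views
    e, outs, comms, (se, ve), (sj, vj) = run
    j, te, tj, we, wj = (e + 1) % 3, tape(se), tape(sj), replay(ve), replay(vj)
    return (e == c % 3 and [p ^ q ^ s for p, q, s in zip(*outs)] == y          # output shares rebuild y
            and comms[e] == H(se, ve) and comms[j] == H(sj, vj)                # openings match commitments
            and (e == 2 or ve[0] == te[:N_IN]) and (j == 2 or vj[0] == tj[:N_IN])  # shares came from tapes
            and [we[o] for o in OUT] == outs[e] and [wj[o] for o in OUT] == outs[j]
            and all(ve[1][n] == and_share(we[a], we[b], wj[a], wj[b], te[N_IN + k], tj[N_IN + k])
                    for n, (k, a, b) in enumerate(ANDS)))                      # party e's ANDs recompute

def verify(y, msg, sig):
    return len(sig) <= 32 and all(check_run(y, c, run) for c, run in zip(H(msg, y, [s[2] for s in sig]), sig))
```

Each run reveals two of the three views, which is why the unopened third share keeps x hidden while the verifier can still recompute every AND share of party e from the two opened tapes.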


Supplemental Material

stevengoldfeder-postquantumzero.mp4

References

  1. Abdalla, M., An, J. H., Bellare, M., and Namprempre, C. From identification to signatures via the Fiat-Shamir transform: Minimizing assumptions for security and forward-security. In EUROCRYPT (2002).
  2. Abdalla, M., Fouque, P., Lyubashevsky, V., and Tibouchi, M. Tightly-secure signatures from lossy identification schemes. In EUROCRYPT (2012).
  3. Akleylek, S., Bindel, N., Buchmann, J. A., Krämer, J., and Marson, G. A. An efficient lattice-based signature scheme with provably secure instantiation. In AFRICACRYPT (2016).
  4. Albrecht, M., Rechberger, C., Schneider, T., Tiessen, T., and Zohner, M. Ciphers for MPC and FHE. Cryptology ePrint Archive, Report 2016/687, 2016.
  5. Albrecht, M. R., Grassi, L., Rechberger, C., Roy, A., and Tiessen, T. MiMC: Efficient encryption and cryptographic hashing with minimal multiplicative complexity. In ASIACRYPT (2016), pp. 191--219.
  6. Albrecht, M. R., Rechberger, C., Schneider, T., Tiessen, T., and Zohner, M. Ciphers for MPC and FHE. In EUROCRYPT (2015).
  7. Alkim, E., Bindel, N., Buchmann, J., Dagdelen, Ö., and Schwabe, P. TESLA: Tightly-secure efficient signatures from standard lattices. Cryptology ePrint Archive, Report 2015/755, 2015.
  8. Alkim, E., Bindel, N., Buchmann, J. A., Dagdelen, Ö., Eaton, E., Gutoski, G., Krämer, J., and Pawlega, F. Revisiting TESLA in the quantum random oracle model. In PQCrypto 2017 (2017), pp. 143--162.
  9. Bai, S., and Galbraith, S. D. An improved compression technique for signatures based on learning with errors. In CT-RSA (2014).
  10. Bansarkhani, R. E., and Buchmann, J. A. Improvement and efficient implementation of a lattice-based signature scheme. In SAC (2013).
  11. Barreto, P. S. L. M., Longa, P., Naehrig, M., Ricardini, J. E., and Zanon, G. Sharper Ring-LWE signatures. IACR Cryptology ePrint Archive 2016 (2016), 1026.
  12. Bellare, M., Poettering, B., and Stebila, D. From identification to signatures, tightly: A framework and generic transforms. In ASIACRYPT (2016).
  13. Bellare, M., and Rogaway, P. Random oracles are practical: A paradigm for designing efficient protocols. In ACM CCS (1993).
  14. Ben-Sasson, E., Chiesa, A., Garman, C., Green, M., Miers, I., Tromer, E., and Virza, M. Zerocash: Decentralized anonymous payments from Bitcoin. In IEEE SP (2014).
  15. Ben-Sasson, E., Chiesa, A., Genkin, D., Tromer, E., and Virza, M. SNARKs for C: Verifying program executions succinctly and in zero knowledge. In CRYPTO (2013).
  16. Bernstein, D. J. Cost analysis of hash collisions: Will quantum computers make SHARCS obsolete? http://cr.yp.to/hash/collisioncost-20090823.pdf.
  17. Bernstein, D. J., Hopwood, D., Hülsing, A., Lange, T., Niederhagen, R., Papachristodoulou, L., Schneider, M., Schwabe, P., and Wilcox-O'Hearn, Z. SPHINCS: Practical stateless hash-based signatures. In EUROCRYPT (2015).
  18. Boneh, D., Dagdelen, Ö., Fischlin, M., Lehmann, A., Schaffner, C., and Zhandry, M. Random oracles in a quantum world. In ASIACRYPT (2011).
  19. Borghoff, J., Canteaut, A., Güneysu, T., Kavun, E. B., Knezevic, M., Knudsen, L. R., Leander, G., Nikov, V., Paar, C., Rechberger, C., Rombouts, P., Thomsen, S. S., and Yalçın, T. PRINCE: A low-latency block cipher for pervasive computing applications (extended abstract). In ASIACRYPT (2012).
  20. Boyar, J., Matthews, P., and Peralta, R. Logic minimization techniques with applications to cryptology. Journal of Cryptology 26, 2 (2013), 280--312.
  21. Brassard, G., Høyer, P., and Tapp, A. Quantum cryptanalysis of hash and claw-free functions. In LATIN 1998 (Apr. 1998), C. L. Lucchesi and A. V. Moura, Eds., vol. 1380 of LNCS, Springer, Heidelberg, pp. 163--169.
  22. Buchmann, J. A., Dahmen, E., and Hülsing, A. XMSS: A practical forward secure signature scheme based on minimal security assumptions. In PQCrypto (2011).
  23. Campanelli, M., Gennaro, R., Goldfeder, S., and Nizzardo, L. Zero-knowledge contingent payments revisited: Attacks and payments for services. In Proceedings of the 2017 ACM SIGSAC Conference on Computer and Communications Security (2017), ACM.
  24. Canteaut, A., Carpov, S., Fontaine, C., Lepoint, T., Naya-Plasencia, M., Paillier, P., and Sirdey, R. Stream ciphers: A practical solution for efficient homomorphic-ciphertext compression. In FSE (2016).
  25. Carlet, C., Goubin, L., Prouff, E., Quisquater, M., and Rivain, M. Higher-order masking schemes for S-boxes. In FSE (2012).
  26. Costello, C., Fournet, C., Howell, J., Kohlweiss, M., Kreuter, B., Naehrig, M., Parno, B., and Zahur, S. Geppetto: Versatile verifiable computation. In IEEE SP (2015).
  27. Courtois, N., Finiasz, M., and Sendrier, N. How to achieve a McEliece-based digital signature scheme. In ASIACRYPT (2001).
  28. Cramer, R., Damgård, I., and Schoenmakers, B. Proofs of partial knowledge and simplified design of witness hiding protocols. In CRYPTO (1994).
  29. Daemen, J., Peeters, M., Van Assche, G., and Rijmen, V. NESSIE proposal: Noekeon. In First Open NESSIE Workshop (2000).
  30. Dagdelen, Ö., Bansarkhani, R. E., Göpfert, F., Güneysu, T., Oder, T., Pöppelmann, T., Sánchez, A. H., and Schwabe, P. High-speed signatures from standard lattices. In LATINCRYPT (2014).
  31. Dagdelen, Ö., Fischlin, M., and Gagliardoni, T. The Fiat-Shamir transformation in a quantum world. In ASIACRYPT (2013).
  32. Dagdelen, Ö., Galindo, D., Véron, P., Alaoui, S. M. E. Y., and Cayrel, P. Extended security arguments for signature schemes. Des. Codes Cryptography 78, 2 (2016), 441--461.
  33. De Cannière, C., and Preneel, B. Trivium. In New Stream Cipher Designs: The eSTREAM Finalists. 2008.
  34. Derler, D., Orlandi, C., Ramacher, S., Rechberger, C., and Slamanig, D. Digital signatures from symmetric-key primitives. Cryptology ePrint Archive, Report 2016/1085, 2016. http://eprint.iacr.org/2016/1085.
  35. Ducas, L. Accelerating BLISS: The geometry of ternary polynomials. IACR Cryptology ePrint Archive 2014 (2014).
  36. Ducas, L., Durmus, A., Lepoint, T., and Lyubashevsky, V. Lattice signatures and bimodal Gaussians. In CRYPTO (2013).
  37. Ezerman, M. F., Lee, H. T., Ling, S., Nguyen, K., and Wang, H. A provably secure group signature scheme from code-based assumptions. In ASIACRYPT (2015), pp. 260--285.
  38. Faugère, J., Gauthier-Umaña, V., Otmani, A., Perret, L., and Tillich, J. A distinguisher for high-rate McEliece cryptosystems. IEEE Trans. Information Theory 59, 10 (2013), 6830--6844.
  39. Feo, L. D., Jao, D., and Plût, J. Towards quantum-resistant cryptosystems from supersingular elliptic curve isogenies. J. Mathematical Cryptology 8, 3 (2014), 209--247.
  40. Fiat, A., and Shamir, A. How to prove yourself: Practical solutions to identification and signature problems. In CRYPTO (1986), pp. 186--194.
  41. Galbraith, S. D., Petit, C., and Silva, J. Signature schemes based on supersingular isogeny problems. IACR Cryptology ePrint Archive 2016 (2016), 1154.
  42. Gennaro, R., Gentry, C., Parno, B., and Raykova, M. Quadratic span programs and succinct NIZKs without PCPs. In EUROCRYPT (2013).
  43. Gentry, C., Peikert, C., and Vaikuntanathan, V. Trapdoors for hard lattices and new cryptographic constructions. In STOC (2008).
  44. Giacomelli, I., Madsen, J., and Orlandi, C. ZKBoo: Faster zero-knowledge for Boolean circuits. In USENIX Security (2016).
  45. Giacomelli, I., Madsen, J., and Orlandi, C. ZKBoo: Faster zero-knowledge for Boolean circuits. Cryptology ePrint Archive, Report 2016/163, 2016. http://eprint.iacr.org/2016/163.
  46. Goldfeder, S., Chase, M., and Zaverucha, G. Efficient post-quantum zero-knowledge and signatures. Cryptology ePrint Archive, Report 2016/1110, 2016. http://eprint.iacr.org/2016/1110.
  47. Goldreich, O. Two remarks concerning the Goldwasser-Micali-Rivest signature scheme. In CRYPTO (1986).
  48. Goldreich, O., Micali, S., and Wigderson, A. How to prove all NP-statements in zero-knowledge, and a methodology of cryptographic protocol design. In CRYPTO (1986).
  49. Goldwasser, S., Micali, S., and Rackoff, C. The knowledge complexity of interactive proof-systems (extended abstract). In STOC (1985).
  50. Grosso, V., Leurent, G., Standaert, F., and Varici, K. LS-designs: Bitslice encryption for efficient masked software implementations. In FSE (2014).
  51. Groth, J., and Sahai, A. Efficient non-interactive proof systems for bilinear groups. In EUROCRYPT (2008).
  52. Grover, L. K. A fast quantum mechanical algorithm for database search. In STOC (1996).
  53. Güneysu, T., Lyubashevsky, V., and Pöppelmann, T. Practical lattice-based cryptography: A signature scheme for embedded systems. In CHES (2012).
  54. Hellman, M. A cryptanalytic time-memory trade-off. IEEE Transactions on Information Theory 26, 4 (1980), 401--406.
  55. Hu, Z., Mohassel, P., and Rosulek, M. Efficient zero-knowledge proofs of non-algebraic statements with sublinear amortized cost. In CRYPTO (2015).
  56. Hülsing, A., Rijneveld, J., Samardjiska, S., and Schwabe, P. From 5-pass MQ-based identification to MQ-based signatures. Cryptology ePrint Archive, Report 2016/708; to appear in ASIACRYPT 2016 (2016).
  57. Ishai, Y., Kushilevitz, E., Ostrovsky, R., and Sahai, A. Zero-knowledge proofs from secure multiparty computation. SIAM Journal on Computing 39, 3 (2009), 1121--1152.
  58. Jawurek, M., Kerschbaum, F., and Orlandi, C. Zero-knowledge using garbled circuits: How to prove non-algebraic statements efficiently. In ACM CCS (2013).
  59. Kaplan, M., Leurent, G., Leverrier, A., and Naya-Plasencia, M. Quantum differential and linear cryptanalysis. arXiv e-prints (Oct. 2015).
  60. Kaplan, M., Leurent, G., Leverrier, A., and Naya-Plasencia, M. Breaking symmetric cryptosystems using quantum period finding. In CRYPTO (2016).
  61. Katz, J. Digital Signatures. Springer, 2010.
  62. Kiltz, E., Masny, D., and Pan, J. Optimal security proofs for signatures from identification schemes. In CRYPTO (2016).
  63. Lamport, L. Constructing digital signatures from one-way functions. Tech. Rep. SRI-CSL-98, SRI Intl. Computer Science Laboratory, 1979.
  64. Landais, G., and Sendrier, N. CFS software implementation. Cryptology ePrint Archive, Report 2012/132, 2012.
  65. Lyubashevsky, V. Fiat-Shamir with aborts: Applications to lattice and factoring-based signatures. In ASIACRYPT (2009).
  66. Lyubashevsky, V. Lattice signatures without trapdoors. In EUROCRYPT (2012).
  67. McEliece, R. J. A public-key cryptosystem based on algebraic coding theory. Tech. Rep. DSN PR 42--44, 1978.
  68. McGrew, D. A., Kampanakis, P., Fluhrer, S. R., Gazdag, S., Butin, D., and Buchmann, J. A. State management for hash-based signatures. In Security Standardisation Research (2016).
  69. Méaux, P., Journault, A., Standaert, F., and Carlet, C. Towards stream ciphers for efficient FHE with low-noise ciphertexts. In EUROCRYPT (2016).
  70. Melchor, C. A., Gaborit, P., and Schrek, J. A new zero-knowledge code based identification scheme with reduced communication. In ITW (2011).
  71. Merkle, R. C. A certified digital signature. In CRYPTO (1989).
  72. Niederreiter, H. Knapsack-type cryptosystems and algebraic coding theory. Problems of Control and Information Theory (1986).
  73. Ohta, K., and Okamoto, T. On concrete security treatment of signatures derived from identification. In CRYPTO (1998).
  74. Patarin, J., Courtois, N., and Goubin, L. QUARTZ, 128-bit long digital signatures. In CT-RSA (2001).
  75. Peikert, C. A decade of lattice cryptography. Foundations and Trends in Theoretical Computer Science 10, 4 (2016).
  76. Petzoldt, A., Chen, M., Yang, B., Tao, C., and Ding, J. Design principles for HFEv- based multivariate signature schemes. In ASIACRYPT (2015).
  77. Pointcheval, D., and Stern, J. Security proofs for signature schemes. In EUROCRYPT (1996).
  78. Ames, S., Hazay, C., Ishai, Y., and Venkitasubramaniam, M. Ligero: Lightweight sublinear arguments without a trusted setup. In Proceedings of the 2017 ACM SIGSAC Conference on Computer and Communications Security (2017), ACM.
  79. Sakumoto, K., Shirai, T., and Hiwatari, H. Public-key identification schemes based on multivariate quadratic polynomials. In CRYPTO (2011).
  80. Schnorr, C. Efficient signature generation by smart cards. J. Cryptology 4, 3 (1991).
  81. Shor, P. W. Polynomial time algorithms for discrete logarithms and factoring on a quantum computer. In ANTS-I (1994).
  82. Stern, J. A new identification scheme based on syndrome decoding. In CRYPTO (1993).
  83. Unruh, D. Quantum proofs of knowledge. In EUROCRYPT 2012 (Apr. 2012), D. Pointcheval and T. Johansson, Eds., vol. 7237 of LNCS, Springer, Heidelberg, pp. 135--152.
  84. Unruh, D. Non-interactive zero-knowledge proofs in the quantum random oracle model. In EUROCRYPT 2015, Part II (Apr. 2015), E. Oswald and M. Fischlin, Eds., vol. 9057 of LNCS, Springer, Heidelberg, pp. 755--784.
  85. Unruh, D. Computationally binding quantum commitments. In EUROCRYPT (2016).
  86. Véron, P. Improved identification schemes based on error-correcting codes. Appl. Algebra Eng. Commun. Comput. 8, 1 (1996).
  87. Yoo, Y., Azarderakhsh, R., Jalali, A., Jao, D., and Soukharev, V. A post-quantum digital signature scheme based on supersingular isogenies. Cryptology ePrint Archive, Report 2017/186, 2017. http://eprint.iacr.org/2017/186.
