Square-vinegar signature scheme

2008, Post-Quantum Cryptography

visibility

…

description

239 pages

link

1 file

Abstract

Three decades ago public-key cryptosystems made a revolutionary breakthrough in cryptography. They have developed into an indispensable part of our modern communication system. In practical applications RSA, DSA, ECDSA, and similar public key cryptosystems are commonly used. Their security depends on assumptions about the difficulty of certain problems in number theory, such as the Integer Prime Factorization Problem or the Discrete Logarithm Problem.

Figures (60)

Fig. 2. Threshold ring signature scheme in the case where the ¢ signers are P,,--- , P; and the leader L = P,, for a group of N members ———e—_——— A | The general idea of our protocol is that each of the t signers performs by himself an instance of Stern’s scheme using matrix H; and a null syndrome as parameters (as in the scheme’s variation proposed in [12]). The results are collected by a leader LZ among the signers in order to form, with the addition of the simulation of the N — ¢ non-signers, a new interactive Stern protocol with the verifier V. The master public matrix H is created as the direct sum of the ring members’ public matrices. Eventually, the prover P, formed by the set of t

Table 1. Number of tries to sign a document Table 2. Signing times for some HFEv™ systems

a choice of vinegar variables whose associated equation in X has a solution. The probability of finding a suitable selection of vinegar variables in a few trials is high. We could confirm this fact with our computer experiments, as evidencec in Table[I] below. We used MAGMA 2.14, the latest version, on a Dell Computer with Windows XP which has an Intel(R) Pentium(R) D CPU 3.00 GHz processo: with 2.00 GB of memory installed, to run the computer experiments. In each case 100 different random documents were signed. We observed that.

Table 3. Public key generation times for some HFEv~ system: Another important consequence of the use of D = 2 is that generation of the public key for this signature scheme is more efficient. We attribute this to the large number of multiplications that are needed over the field K for D > 128. Some results are summarized in Table [3] below.

Fig. 1. Running time and required memory under GB Attack for g = 31, v=4,r=3 and D = 2. No field equations are used in the attack.

As mentioned above, for our choice of g — 13 or 31 — the field equations are somehow useless during the Grobner basis attack. To confirm this, we ran extensive experiments considering this situation, 7.e., including and excluding the field equations from the attack. On Figs. [Jand B] we can see that, in either case, the running time and the required memory under the Grobner bases attack are exponential in n (similar graphs for g = 13 can be seen on Figs. Bland [6] in the Appendix section). i. ff eS ee a: a a: ee i: ee cer eo i my 3 er: |

As observed on the graphs, we could only obtain data for n up to 14, due to memory limitations (any request above 1.2 GB would be immediately rejected by the computer that we used). However, even among the data that we were able to collect, we observed that as n increases, the maximum degree of polynomial used by F4 also increases. Larger scale experiments are being conducted to study systematically how fast this degree increases as n increases; these results will be presented in a future paper.

Table 4. Time comparison of some Square-Vinegar systems and random equations under GB attack. q = 31, d= 2, v=4, andr =3.

Fig. 4. Running time under GB attack for n = 13, r = 3 and D = 2, for several values of v. No field equations are used in the attack.

Fig. 1. Attack cost for n = 1024, n = 2048, n = 4096, n = 8192. Horizontal axis is the code rate (n —t [lgn])/n. Vertical axis is lg(bit operations). As a check we have also performed millions of type-1, type-2, and type-3 simulations and millions of real experiments decoding small numbers of errors. The simulation results are consistent with the experimental results. The type- 1 and type-3 simulation results are consistent with the predictions from our Markov-chain software. Type 1 is slightly slower than type 3, and type 2 is intermediate. Our graphs below use type 3. Our current attack software uses type 2 but we intend to change it to type 3.

Fig. 1. Work factor of Canteaut-Chabaud algorithm with Goppa parameters

Fig. 6. Encryption cost vs binary work factor for different extension degrees

Table 1. McEliece: selected parameters at a glance

Fig. 7. Decryption cost vs binary work factor for different extension degrees 1 Comparison with Other Systems

Fig. 1. The height of the first parent of leaf y that is a left node is 7 = 2. The dashed nodes denote the authentication path for leaf y. The arrows indicate the path from leaf y to the root. Definitions and notations. In the following, H > 2 denotes the height of the Merkle tree. The index of the current leaf is denoted by y € {0,...,2/7—1}. The nodes in the Merkle tree are denoted by yp[j], where h = 0,...,H denotes the height of the node in the tree (leaves have height 0 and the root has height H) and j = 0,...,2%-" — 1 denotes the position of this node in the tree counting from left to right. Further, let f : {0,1}* — {0,1}” be a cryptographic hash function. Using this notation, inner nodes of a Merkle tree are computed as Computing inner nodes. A basic tool to compute inner nodes of a Merkle tree is the treehash algorithm shown in Algorithm[] This algorithm uses a stack STACK with the usual push_and pop operations and the LEAFCALC(y) routine which computes the yth leaf, To compute a node on height h, Algorithm be executed 2” times and requires the leaf indices to be input successive T]must y from

Fig. 2. Initialization of our algorithm. Dashed nodes denote the authentication path for leaf (y = 0). Dash-dotted nodes denote the nodes stored in the treehash instances and the single node RETAIN. Initialization. The initialization of our algorithm is done during the MSS key pair generation. We store the authentication path for the first leaf (g=0): AUTH), = yp(1],h = 0,...,H — 1. We also store the next right authentication node in the treehash instances: TREEHASH,, node = y;,[3], for h = 0,...,H — 3. Finally we store the single next right authentication node on height H — 2: RETAIN = YH —2(3]. Figure 2]shows which nodes are stored during the initialization.

The next step is to show that the above mentioned case is indeed the worst case. If a treehash instance on height < H — 3 receives all updates and is completed in this round, less than B hashes are required. The same holds if the treehash instance receives all updates but is not completed in this round. The last case to consider is the one where the wu available updates are spend on treehash instances on different heights. If the active treehash instance TREEHASH,, stores a tail node v on height 7, it will receive updates until it has a tail node on height j +1. This requires 2/ updates and the computation of 2/ inner nodes. Additional Inner nodes computed by treehash. For now we assume that the maximum number of inner nodes is computed in the following case: TTREEHASH 773 receives all u = H/2—1 updates and is completed in this round. On input an index y, the number of inner nodes computed by treehash in the worst case equals the height of the first parent of leaf y which is a left node, if the corresponding tail nodes are stored on the stack. On height h, a left node occurs every 2” leaves, which means that every 2” updates at most h inner nodes are computed by treehash. This implies that during the u available updates, at most one inner node on height h is computed every [u/2”] updates for h = 1,..., [logy u]. The ast update requires the computation of H —3 = 2u—1 inner nodes to obtain the desired node on height H — 3, i.e. completing this treehash instance. So far only [log, uv] inner nodes were counted, so additional 2u — 1 — [logy u] inner nodes must be added. In total, we get the following upper bound for the number of inner nodes computed per round.

Let I, be the m-dimensional identity matrix. We start with the matrix

Fig. 2. Performance of LLL-type lattice reduction with comparable parameters

ywever, the approximation results of all LLL-type algorithms seem to converge, hereas the running time performance of fpLLL is significantly surpassed by that ‘the other two. Note that we use the default wrapper method of fpLLL. Damien ehlé pointed out that one should rather use its faster heuristics (see (3h). In Figure Bh, observe that BKZ and PSR perform slightly better than PD, hich is mostly due to the internal sLLL step in PD. Accordingly, the graphs em to converge at the right end, similarly to those in Figure Bh. While the »proximation performance of block-type algorithms can be further improved sing higher block sizes, this approach is limited by the resulting running time. xtrapolating to higher dimensions, it becomes obvious that finding sufficiently ort vectors in L,, requires a significantly larger effort for dimensions that are ymewhat higher than 600. This coincides with our observation on the Hermite ctor in Section 4] As for the running time performance of the block-type schemes, observe in

Fig. 5. Ratio between challenge dimension m and reference dimension n § Ratio between m and n

The shortest vector in the respective lattice is = ni The following low-dimensional example gives an idea of what the challenge lat tices, and the short vectors in them, essentially look like. Its block structure is similar to the one found by Coppersmith and Shamir for NTRU lattices (1 . This is not surprising because both belong to the class of modular lattices.

Table 2. Lattice parameters with the necessary Hermite factor

Table 2. Comparison on One core of an Intel Core 2 (C2) Table 3. Comparison on One Core of an Opteron/Athlon64 (K8

Fig. 1. XOR construction for the SPR-Merkle tree Key Pair Generation. The key pair generation of our scheme works as follow First choose h > 1, to determine the number of signatures that can be generate with this key pair, ie. 2” many. Next compute 2” OTS key pairs (Xj,Y;), f j =0,...,2”—1. We assume that each signature key and verification key consis of 2! bit strings each of length n. Then choose a key for the hash function k €p - and masks v;[0], v;{1] Er {0,1}" uniformly at random for i = 0,...,h+1—1. Tl 2.2! n-bit strings from the verification keys form the leaves of the SPR-Merk bree, which in total yields a tree of height h +1. The nodes are denoted by y;|j where i = 0,...,4+1 denotes the height of the node in the tree (the root h: height 0 and the leaves have height h +1) and j = 0,...,2* — 1 denotes tl position of the node on that height, counting from left to right. The inner nod are computed as

Table 1. Security level of SPR-MSS and CR-MSS using the LD-OTS

Table 2. Sizes of SPR-MSS and CR-MSS using the LD-OTS Signing Arbitrarily Long Data

eTCR hash function can be instantiated by a real-world hash function, where the blocks of the input message are randomized with a single key, and the key is appended to the message [5]. Their proof assumes that the underlying com- pression function has second-preimage resistance-like properties, which they call eSPR (evaluated second-preimage resistance). Using an eT CR, hash function and assuming eSPR for the underlying compression function, our scheme yields sig- natures of only about n? bits.

Step 2 clearly comprises the bulk of the run time. Finding of the exact denom- inator of F’ takes almost all of this time, requiring 3; 34 (16n® + 131n° + 440n4 + 595n° + 419n? + 114n) operations. However, step 1 has computational complex- ity of O(n") and step 3 has computational complexity of O(n) so eventually at higher values for n step 3 will comprise the bulk of the run time.

Table 1. Computational times of the GB attack for PMI+ the security by the NLPHPV method proposed in the previous section. Recently, Faugere and Joux (3) showed in an experimental manner that com- puting a Grobner basis (GB, for short) of the public key is likely to be an efficient attack to HFE [oii which is one of major MPKCs. In fact, they broke the first HFE challenge (80bits) proposed by Patarin. The attack used by them is to compute a Grobner basis for the ideal generated by polynomial components in E —c, where E is a public key and c is a cipher text vector.

Table 2. Computational times of the GB attack for the enhanced MI by the NLPHPV method

High Rank Attack. In the high rank attack against the gSTS, to separate the part of Step 3 in (2) from the public key, the attacker searches vectors v =(v1,-..,Ug)? € Fq%. The vectors form together an invertible matrix whose row is a row of the secret key B ~! or its linear equivalent copy, since multiplying B~! to the public key E separates their layers. The attacker can find each of the vectors v with a probability 1/q” by checking whether

Table 3. Parameter Setting

Fig. 1. Quantum asymmetric-key cryptosystem model. Bob and Charlie hold copies of Alice’s encryption key p,. To send her a message, they encrypt it with the key and a given QSR scheme, and send the resulting cipher to her. An eavesdropper, Eve, may intercept the ciphers as well as possess some copies of the encryption key herself.

For F2, there are many special optimizations made for F4 in MAGMA, so we ran tests at various densities of quadratic terms in version 2.12-20 and 2.13-8. Typical results are given in Fig. il Most of the time the data points are close to each other. In some tests they overlap each other so closely that no difference in the timing is seen in a diagram.

Table 3. Point-by-Point, SPELT vs. QUAD on a K8 or C2

Fig. 1. “Sparsely 2n — 3n F2 quadratics” in MAGMA The idea behind SRQ is that any quadratic map can be written as foL, where f is a standard form and L is an invertible linear map. Now we will choose L to be sparse. A standard form for characteristic 2 fields is the “rank form” which for full-rank quadratics is

Fig. 2. “Sparsely n — 2n F2 quadratics” in MAGMA

Table 1. Random Comparison HFE:=true was used to solve HFE systems. The MXL2 algorithm has been im- plemented in C/C++ based on the latest version of M4RI package [12]. For each oxample, we give the number of equations (##Eq), number of variables (#Var), the degree of the hidden univariate high-degree polynomial for HFE (HUD) and the size of the largest linear system to which Gauss is applied. The ”*’ in the first column for random systems means that, there are some mutants in this system. In all experiments, the highest degree of the polynomials generated by Mu- fantXL and MXL2 is equal to the highest degree of the S-polynomial in Magma. n MXL2 implementation, we use only one matrix from starting to the end of the process by enlarging and extending the initial matrix, the largest matrix is the accumulative of all polynomials that are held in the memory. unfortunately, in Magma we can not know the total accumulative matrices size because it is not an open source.

Table 2. HEE Comparison Table 3. Time Comparison

In Table 2] we also present HFE systems comparison. In all these seven ex- amples for all the three algorithms (Magma’s Fy, MutantXL, and MXL2), all the monomials up to degree bound D appear in Magma, MutantXL, and MXL2. therefore, the number of columns are equal in all the three algorithms. It is clear that MXLZ2 has a smaller number of rows in four cases of seven. In all cases MXL2 outperforms MutantXL.

Table 4. Strategy Comparison implementation for HFE systems by using the HFE:=true parameter, the MXL2 implementation is based on M4RI package which is not in its optimal speed as claimed by M4RI contributors and the MXL2 implementation itself is not optimal at this point. From Table performance for speed compared to Lt hed an. £2 aleial Hiszksez 42x — Eek. 3] it is clear that the MXL2 has a good utantXL. Fn RE Se SOR ae ee Ee Be eee |

4.2 Estimation of the Matrix zP Presenting a possible power analysis attack scenario in Section 4-1] we will now focus upon a possible cache attack [22] scenario. Cache attacks, a specific type of so called microarchitectural attacks, have already been successfully mounted against software implementations [23]. The decryption of a ciphertext may also leak the other private key part, the permutation matrix P. We assume that the permutation matrix itself is not stored directly as a matrix in the memory; it is rather implemented as some lookup-table for the rows and columns to save memory. This lookup-table is used in the decryption phase to compute zP and eP. Tse a stb tacks few) Secu ] peewee * eee ARH 4 Se Gooey LAea ets Si ees Se rere ed See es Dee

Key takeaways

The output of this algorithm is a ring signature σ for the message M .
Unfortunately, even when TCR hash functions are iterated, the signature size is somewhat large: if K 3 has three blocks, the input to the signature scheme has 4n bits, and the signature size is about 4n 2 bits.
Section 4 outlines two other side channel attacks and related countermeasures: a power attack on the construction of the parity check matrix during key generation and a cache attack on the permutation of code words during decryption.
The attack is described in algorithm 1.
The security parameters we used for the attack are m = 11 and t = 50.