1/13
A Practical Multivariate Blind Signature Scheme
April 2017
Albrecht Petzoldt, Alan Szepieniec, Mohamed Saied Emam Mohamed
2/13
1 Blind Signatures
2 MQ Signatures
  • Rainbow
  • MQDSS
3 Multivariate Blind Signature Scheme
  • Scheme
  • Numbers
3/13
Blind Signature (RSA example)
Parties: Alice, Bank (holds sk; pk is public), Merchant
• Alice → Bank: $\alpha^e m \bmod n$ (the message $m$ blinded with $\alpha$)
• Bank → Alice: $\alpha^{de} m^d \bmod n$
• Alice unblinds to $m^d$
• Alice → Merchant: $m^d$
4/13
MQ Signature Scheme
• EIP-based: HFEv-, UOV, Rainbow
  • $P = T \circ F \circ S$, with $S$, $F$, $T$ private knowledge and $P$ public knowledge
  • applying $P$: encryption or signature verification; inverting through $T$, $F$, $S$: decryption or signature generation
  • verify $s$: $P(s) \stackrel{?}{=} H(m)$
• ZKPoK-based: SSH (Crypto'11), MQDSS (Asiacrypt'16)
  • verify $\mathrm{NIZKPoK}\{(x) : P(x) = y\}$
• Blind Signature: EIP + ZKPoK
5/13
UOV
• Unbalanced Oil and Vinegar: precursor to Rainbow
• $v$ vinegar variables and $o$ oil variables ($v \approx 2o$)
• vinegar mixes with anything; oil never mixes with oil
• $F, P : \mathbb{F}_q^{v+o} \to \mathbb{F}_q^{o}$ with $P = F \circ S$
• $f_i(x) = f_i(x_v; x_o) = (x_v^T, x_o^T) \begin{pmatrix} * & * \\ * & 0 \end{pmatrix} \begin{pmatrix} x_v \\ x_o \end{pmatrix}$, $i = 1, \ldots, o$ (the oil × oil block is zero)
• signature generation:
  • choose $x_v \xleftarrow{\$} \mathbb{F}_q^v$
  • solve linear system to obtain $x_o$ (#eqns = #vars = $o$)
  • invert linear transformation $S$
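As an added, runnable illustration of the UOV signature generation just described (not code from the talk or its authors): a toy single-layer UOV over GF(31) in which each quadratic form is stored as an $n \times n$ matrix $Q_i$ with a zero oil × oil block, so that $P = F \circ S$ is simply $S^T Q_i S$; the caller supplies $v$, $o$ and the digest $h$, and Rainbow's second layer is not implemented here.

```python
import random

q = 31  # toy field GF(31), as in the talk's parameter sets

def matmul(A, B):
    return [[sum(a * b for a, b in zip(row, col)) % q for col in zip(*B)] for row in A]

def solve(A, b):
    """Gauss-Jordan over GF(q): returns x with A x = b, or None if A is singular."""
    n, M = len(A), [row[:] + [bi] for row, bi in zip(A, b)]
    for c in range(n):
        p = next((r for r in range(c, n) if M[r][c]), None)
        if p is None:
            return None
        M[c], M[p] = M[p], M[c]
        inv = pow(M[c][c], -1, q)
        M[c] = [x * inv % q for x in M[c]]
        for r in range(n):
            if r != c and M[r][c]:
                M[r] = [(x - M[r][c] * y) % q for x, y in zip(M[r], M[c])]
    return [row[n] for row in M]

def evaluate(Ms, x):
    """Quadratic map given by matrices: y_i = x^T M_i x over GF(q)."""
    return [sum(x[j] * M[j][k] * x[k] for j in range(len(x)) for k in range(len(x))) % q for M in Ms]

def keygen(v, o):
    """Central map F (vinegar*vinegar and vinegar*oil terms only), invertible S, P = F o S."""
    n = v + o
    F = [[[0 if j >= v and k >= v else random.randrange(q) for k in range(n)] for j in range(n)] for _ in range(o)]
    S = None
    while S is None or solve(S, [0] * n) is None:          # retry until S is invertible
        S = [[random.randrange(q) for _ in range(n)] for _ in range(n)]
    P = [matmul([list(c) for c in zip(*S)], matmul(Q, S)) for Q in F]   # S^T Q S, i.e. (Sx)^T Q (Sx)
    return (F, S), P

def sign(sk, h, v):
    """UOV signing: fix random vinegar, solve the o x o linear system for the oil, then undo S."""
    (F, S), n = sk, len(sk[1])
    while True:
        xv = [random.randrange(q) for _ in range(v)]
        # with xv fixed and no oil*oil terms, f_i(xv; xo) = c_i + sum_k A[i][k] * xo_k is linear in xo
        c = [sum(xv[j] * Q[j][k] * xv[k] for j in range(v) for k in range(v)) % q for Q in F]
        A = [[sum(xv[j] * (Q[j][k] + Q[k][j]) for j in range(v)) % q for k in range(v, n)] for Q in F]
        xo = solve(A, [(hi - ci) % q for hi, ci in zip(h, c)])
        if xo is not None:                                   # singular system: pick fresh vinegar
            return solve(S, xv + xo)                         # x = S^{-1}(xv; xo)

def verify(P, x, h):
    return evaluate(P, x) == h
```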
6/13
Rainbow
• two layers of UOV
• partition $x^T = (x_v^T, x_{o_1}^T, x_{o_2}^T)$
• $P, F : \mathbb{F}_q^{v+o_1+o_2} \to \mathbb{F}_q^{o_1+o_2}$ with $P = T \circ F \circ S$
• layer 1: $f_i(x) = (x_v^T, x_{o_1}^T, x_{o_2}^T) \begin{pmatrix} * & * & 0 \\ * & 0 & 0 \\ 0 & 0 & 0 \end{pmatrix} \begin{pmatrix} x_v \\ x_{o_1} \\ x_{o_2} \end{pmatrix}$, $i = 1, \ldots, o_1$
• layer 2: $f_i(x) = (x_v^T, x_{o_1}^T, x_{o_2}^T) \begin{pmatrix} * & * & * \\ * & * & * \\ * & * & 0 \end{pmatrix} \begin{pmatrix} x_v \\ x_{o_1} \\ x_{o_2} \end{pmatrix}$, $i = o_1 + 1, \ldots, o_1 + o_2$
• signature generation:
  • invert linear transformation $T$
  • choose $x_v \xleftarrow{\$} \mathbb{F}_q^v$
  • solve $o_1$ linear equations to obtain $x_{o_1}$
  • treat $(x_v; x_{o_1})$ as vinegar variables
  • solve $o_2$ linear equations to obtain $x_{o_2}$
  • invert linear transformation $S$
7/13
SSH Protocol
• $\mathrm{ZKPoK}\{(s) : P(s) = v\}$
• uses polar form: $G(x, y) = P(x + y) - P(x) - P(y) + P(0)$
Prover knows $P, s, v$; Verifier knows $P, v$.
1. Prover: $r_0, t_0 \xleftarrow{\$} \mathbb{F}_q^n$; $e_0 \xleftarrow{\$} \mathbb{F}_q^m$; $r_1 \leftarrow s - r_0$; $c_0 = \mathrm{Com}(r_0, t_0, e_0)$; $c_1 = \mathrm{Com}(r_1, G(t_0, r_1) + e_0)$. Sends $c_0, c_1$.
2. Verifier: $\alpha \xleftarrow{\$} \mathbb{F}_q$. Sends $\alpha$.
3. Prover: $t_1 \leftarrow \alpha r_0 - t_0$; $e_1 \leftarrow \alpha P(r_0) - e_0$. Sends $t_1, e_1$.
4. Verifier: $ch \xleftarrow{\$} \{0, 1\}$. Sends $ch$.
5. Prover: sends $r_{ch}$.
6. Verifier: $ch = 0 \rightarrow c_0 \stackrel{?}{=} \mathrm{Com}(\cdot)$; $ch = 1 \rightarrow c_1 \stackrel{?}{=} \mathrm{Com}(\cdot)$.
8/13
MQDSS
• turns SSH protocol into signature scheme
• non-interactive using Fiat-Shamir (sort of)
• optimization for speed and size
• 2.43 ms for signature generation (256-bit security)
9/13
Blind Signature Scheme: General Idea
dedicated signature scheme + basic algebraic properties + zero-knowledge proof → blind signature scheme
10/13
Multivariate Blind Signature
Parties: Alice (user), Bank (sk = $(T, F, S)$, pk = $(P, R)$), Merchant
• Alice: $z \xleftarrow{\$} \mathbb{F}_q^n$; $w^* = H(m) - R(z)$. Sends $w^*$ to the Bank.
• Bank: computes $z^*$ s.t. $P(z^*) = w^*$. Sends $z^*$ to Alice.
• Alice → Merchant: the blind signature is the proof $\mathrm{NIZKPoK}\{(z, z^*) : P(z^*) + R(z) = H(m)\}$
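Added example (not the authors' code) tying the SSH round from the protocol slide to the relation on this slide: the public maps $P$ and $R$ are merged into one MQ instance $Q(z, z^*) = R(z) + P(z^*)$ on the $2n$ variables $(z, z^*)$, and one 5-pass round is run against it. The Bank's inversion of $P$ (the Rainbow signer) is assumed rather than implemented, so the constructed instance picks $z$ and $z^*$ directly and uses $h = R(z) + P(z^*)$ as the stand-in for $H(m)$; the commitment is a randomised hash, which is only computationally hiding.

```python
import hashlib, random

q = 31  # toy field GF(31), the field of the talk's parameter sets

def evaluate(Ms, x):
    """Homogeneous quadratic map over GF(q): y_i = x^T M_i x (so P(0) = 0)."""
    return [sum(x[j] * M[j][k] * x[k] for j in range(len(x)) for k in range(len(x))) % q for M in Ms]

def polar(Ms, x, y):
    """Polar form G(x, y) = P(x+y) - P(x) - P(y) + P(0); bilinear in x and y."""
    xy = [(a + b) % q for a, b in zip(x, y)]
    return [(a - b - c) % q for a, b, c in zip(evaluate(Ms, xy), evaluate(Ms, x), evaluate(Ms, y))]

def lin(a, b, ca=1, cb=1):
    """Componentwise ca*a + cb*b over GF(q)."""
    return [(ca * u + cb * w) % q for u, w in zip(a, b)]

def com(rho, *parts):
    """Randomised hash commitment (computationally hiding only; the talk asks for perfectly hiding)."""
    return hashlib.sha256(repr((rho, parts)).encode()).hexdigest()

def blind_relation(P, R):
    """Merge pk = (P, R) into one MQ map Q on (z, z*) with Q(z, z*) = R(z) + P(z*)."""
    n = len(P[0])
    return [[row + [0] * n for row in Ri] + [[0] * n + row for row in Pi] for Ri, Pi in zip(R, P)]

def ssh_round(Q, s, v, alpha, ch):
    """One 5-pass SSH round proving knowledge of s with Q(s) = v; returns the verifier's verdict."""
    rnd = lambda k: [random.randrange(q) for _ in range(k)]
    r0, t0, e0 = rnd(len(s)), rnd(len(s)), rnd(len(Q))
    r1 = lin(s, r0, 1, -1)                                        # r1 = s - r0
    rho0, rho1 = random.getrandbits(128), random.getrandbits(128)
    c0 = com(rho0, r0, t0, e0)
    c1 = com(rho1, r1, lin(polar(Q, t0, r1), e0))                # G(t0, r1) + e0
    # verifier sends alpha; prover answers t1 = alpha*r0 - t0, e1 = alpha*Q(r0) - e0
    t1, e1 = lin(r0, t0, alpha, -1), lin(evaluate(Q, r0), e0, alpha, -1)
    # verifier sends ch; prover opens (rho_ch, r_ch); verifier recomputes that one commitment
    if ch == 0:
        return c0 == com(rho0, r0, lin(r0, t1, alpha, -1), lin(evaluate(Q, r0), e1, alpha, -1))
    w = lin(lin(v, evaluate(Q, r1), 1, -1), polar(Q, t1, r1), alpha, -1)  # alpha*(v - Q(r1)) - G(t1, r1)
    return c1 == com(rho1, r1, lin(w, e1, 1, -1))

def demo(n=4, m=3, seed=7):
    """Constructed instance: random P, R and a witness (z, z*); h = R(z) + P(z*) stands in for H(m)."""
    random.seed(seed)
    mat = lambda: [[random.randrange(q) for _ in range(n)] for _ in range(n)]
    P, R = [mat() for _ in range(m)], [mat() for _ in range(m)]
    z, zs = [random.randrange(q) for _ in range(n)], [random.randrange(q) for _ in range(n)]
    Q = blind_relation(P, R)
    return Q, z + zs, evaluate(Q, z + zs)
```

With a correct witness every $(\alpha, ch)$ pair verifies, while a false statement is caught only when $ch = 1$, which is why the proof repeats the round many times (the "# rounds" column of the parameter table).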
11/13
Security Quirks
• need perfectly hiding commitments for blindness
• classical random oracle model
• universal one-more unforgeability: generalization of UUF-CMA to one-more unforgeability
  • game: challenger $C$ hands $pk$ to adversary $A$; $A$ runs $d$ blind-signing interactions (sends $w^*$, receives $z^*$); $A$ wins by outputting more valid pairs $(m, bs)$ than the $d$ interactions it completed
12/13
Parameters, comparison

security level (bit) | parameters (F, (v1, o1, o2)) | # rounds | public key size (kB) | private key size (kB) | blind sig. size (kB)
80  | (GF(31), (16, 18, 17)) | 84  | 29.4  | 20.1  | 11.5
100 | (GF(31), (20, 22, 21)) | 105 | 54.6  | 36.6  | 17.6
128 | (GF(31), (25, 27, 27)) | 135 | 106.8 | 70.2  | 28.5
192 | (GF(31), (37, 35, 35)) | 202 | 342.8 | 219.0 | 63.2
256 | (GF(31), (50, 53, 53)) | 269 | 802.4 | 507.1 | 111.9
Table: Proposed parameters for our blind signature scheme (GF(31)).

security level (bit) | scheme | comm. | pub. key size (kB) | sig. size (kB) | post-quantum?
76  | RSA-1229     | 2 | 1.2  | 1.2  | no
76  | Lattice-1024 | 4 | 10.2 | 66.9 | yes
76  | Our scheme   | 2 | 29.4 | 11.5 | yes
102 | RSA-3313     | 2 | 3.3  | 3.3  | no
102 | Lattice-2048 | 4 | 23.6 | 89.4 | yes
102 | Our scheme   | 2 | 54.6 | 17.6 | yes
Table: Comparison of blind signature schemes — RSA / Rückert / ours
13/13
Sage implementation
security level (bit) | key gen. (ms) | sign (signer) (ms) | sig. gen. (user) (ms) | sig. verification (ms)
80  | 4,007   | 7   | 2,018  | 1,424
100 | 9,392   | 13  | 3,649  | 2,656
128 | 25,517  | 19  | 7,760  | 5,505
192 | 87,073  | 41  | 23,692 | 16,040
256 | 613,968 | 103 | 86,540 | 59,669
Table: Operational speed (milliseconds)