Improved Secure Implementation of Code-Based Signature Schemes on Embedded Devices

Amongst areas of cryptographic research, there has recently been a widening interest for code-based cryptosystems and their implementations. Besides the {\it a priori} resistance to quantum computer attacks, they represent a real alternative to the currently used cryptographic schemes. In this paper we consider the implementation of the Stern authentication scheme and one recent variation of this scheme by Aguilar {\it et al.}. These two schemes allow public authentication and public signature with public and private keys of only a few hundreds bits. The contributions of this paper are twofold: first, we describe how to implement a code-based signature in a constrained device through the Fiat-Shamir paradigm, in particular we show how to deal with long signatures. Second, we implement and explain new improvements for code-based zero-knowledge signature schemes. We describe implementations for these signature and authentication schemes, secured against side channel attacks, which drastically improve the previous implementation presented at Cardis 2008 by Cayrel {\it et al.}. We obtain a factor 3 reduction of speed and a factor of about 2 for the length of the signature. We also provide an extensive comparison with RSA signatures

Post-Quantum Authentication with Lightweight Cryptographic Primitives

We propose to adapt ”low-algebra” digital signature schemes SPHINCS+ and PICNIC, present in the NIST-PQC contest, to the limitations of resource-bounded low-end devices. For this, we replaced the cryptographic primitives (hash functions and symmetric ciphers) of these schemes with lightweight alternatives presented in the NIST-LWC contest. With these specifically conceived primitives, we improve the performance of the signature schemes and still preserve the NIST’s security levels. Regarding SPHINCS+, besides replacing the hash function, we also take into consideration relaxing some parameters and introduce a new notion: security as life expectancy. Furthermore, we also introduce an attack to the SPHINCS+ scheme that takes advantage of the usage of FORS on this scheme and the way its leaves are calculated. Also, we give some solutions on how to avoid this attack. Additionally, a modification of PICNIC is introduced as PICNIC+WOTS where PICNIC is used to generate the secret keys for several WOTS+ signatures significantly reducing the size and signature time of each signature

DAA-related APIs in TPM2.0 Revisited

In TPM2.0, a single signature primitive is proposed to support various signature schemes including Direct Anonymous Attestation (DAA), U-Prove and Schnorr signature. This signature primitive is implemented by several APIs which can be utilized as a static Diffie-Hellman oracle. In this paper, we measure the practical impact of the SDH oracle in TPM2.0 and show the security strength of these signature schemes can be weakened by 14-bit. We propose a novel property of DAA called forward anonymity and show how to utilize these DAA-related APIs to break forward anonymity. Then we propose new APIs which not only remove the Static Diffie-Hellman oracle but also support the foward anonymity, thus significantly improve the security of DAA and the other signature schemes supported by TPM2.0. We prove the security of our new APIs under the discrete logarithm assumption in the random oracle model. We prove that DAA satisfy forward anonymity using the new APIs under the Decision Diffie-Hellman assumption. Our new APIs are almost as efficient as the original APIs in TPM2.0 specification and can support LRSW-DAA and SDH-DAA together with U-Prove as the original APIs

Rai-Choo! Evolving Blind Signatures to the Next Level

Blind signatures are a fundamental tool for privacy-preserving applications. Known constructions of concurrently secure blind signature schemes either are prohibitively inefficient or rely on non-standard assumptions, even in the random oracle model. A recent line of work (ASIACRYPT `21, CRYPTO `22) initiated the study of concretely efficient schemes based on well-understood assumptions in the random oracle model. However, these schemes still have several major drawbacks: 1) The signer is required to keep state; 2) The computation grows linearly with the number of signing interactions, making the schemes impractical; 3) The schemes require at least five moves of interaction. In this paper, we introduce a blind signature scheme that eliminates all of the above drawbacks at the same time. Namely, we show a round-optimal, concretely efficient, concurrently secure, and stateless blind signature scheme in which communication and computation are independent of the number of signing interactions. Our construction also naturally generalizes to the partially blind signature setting. Our scheme is based on the CDH assumption in the asymmetric pairing setting and can be instantiated using a standard BLS curve. We obtain signature and communication sizes of 9KB and 36KB, respectively. To further improve the efficiency of our scheme, we show how to obtain a scheme with better amortized communication efficiency. Our approach batches the issuing of signatures for multiple messages

Rai-Choo! Evolving Blind Signatures to the Next Level

Blind signatures are a fundamental tool for privacy-preserving applications. Known constructions of concurrently secure blind signature schemes either are prohibitively inefficient or rely on non-standard assumptions, even in the random oracle model. A recent line of work (ASIACRYPT `21, CRYPTO `22) initiated the study of concretely efficient schemes based on well-understood assumptions in the random oracle model. However, these schemes still have several major drawbacks: 1) The signer is required to keep state; 2) The computation grows linearly with the number of signing interactions, making the schemes impractical; 3) The schemes require at least five moves of interaction. In this paper, we introduce a blind signature scheme that eliminates all of the above drawbacks at the same time. Namely, we show a round-optimal, concretely efficient, concurrently secure, and stateless blind signature scheme in which communication and computation are independent of the number of signing interactions. Our construction also naturally generalizes to the partially blind signature setting. Our scheme is based on the CDH assumption in the asymmetric pairing setting and can be instantiated using a standard BLS curve. We obtain signature and communication sizes of 9KB and 36KB, respectively. To further improve the efficiency of our scheme, we show how to obtain a scheme with better amortized communication efficiency. Our approach batches the issuing of signatures for multiple messages

Performance optimization of checkpointing schemes with task duplication

In checkpointing schemes with task duplication, checkpointing serves two purposes: detecting faults by comparing the processors' states at checkpoints, and reducing fault recovery time by supplying a safe point to rollback to. In this paper, we show that, by tuning the checkpointing schemes to a given architecture, a significant reduction in the execution time can be achieved. The main idea is to use two types of checkpoints: compare-checkpoints (comparing the states of the redundant processes to detect faults) and store-checkpoints (storing the states to reduce recovery time). With two types of checkpoints, we can use both the comparison and storage operations in an efficient way and improve the performance of checkpointing schemes. Results we obtained show that, in some cases, using compare and store checkpoints can reduce the overhead of DMR checkpointing schemes by as much as 30 percent

Enhancing Privacy Protection:Set Membership, Range Proofs, and the Extended Access Control

Privacy has recently gained an importance beyond the field of cryptography. In that regard, the main goal behind this thesis is to enhance privacy protection. All of the necessary mathematical and cryptographic preliminaries are introduced at the start of this thesis. We then show in Part I how to improve set membership and range proofs, which are cryptographic primitives enabling better privacy protection. Part II shows how to improve the standards for Machine Readable Travel Documents (MRTDs), such as biometric passports. Regarding set membership proofs, we provide an efficient protocol based on the Boneh-Boyen signature scheme. We show that alternative signature schemes can be used and we provide a general protocol description that can be applied for any secure signature scheme. We also show that signature schemes in our design can be replaced by cryptographic accumulators. For range proofs, we provide interactive solutions where the range is divided in a base u and the u-ary digits are handled by one of our set membership proofs. A general construction is also provided for any set membership proof. We additionally explain how to handle arbitrary ranges with either two range proofs or with an improved solution based on sumset representation. These efficient solutions achieve, to date, the lowest asymptotical communication load. Furthermore, this thesis shows that the first efficient non-interactive range proof is insecure. This thesis thus provides the first efficient and secure non-interactive range proof. In the case of MRTDs, two standards exist: one produced by the International Civil Aviation Organization (ICAO) and the other by the European Union, which is called the Extended Access Control (EAC). Although this thesis focuses on the EAC, which is supposed to solve all privacy concerns, it shows that both standards fail to provide complete privacy protection. Lastly, we provide several solutions to improve them

On the security of digital signature schemes based on error-correcting codes

We discuss the security of digital signature schemes based on error-correcting codes. Several attacks to the Xinmei scheme are surveyed, and some reasons given to explain why the Xinmei scheme failed, such as the linearity of the signature and the redundancy of public keys. Another weakness is found in the Alabbadi-Wicker scheme, which results in a universal forgery attack against it. This attack shows that the Alabbadi-Wicker scheme fails to implement the necessary property of a digital signature scheme: it is infeasible to find a false signature algorithm D from the public verification algorithm E such that E(D*(m)) = m for all messages m. Further analysis shows that this new weakness also applies to the Xinmei scheme