    Reducing keys in Rainbow-like signature schemes

    Undergraduate thesis (TCC) - Universidade Federal de Santa Catarina, Centro Tecnológico, Ciências da Computação. Classic digital signature algorithms such as RSA and ECDSA base their security on the difficulty of integer factorization and of the discrete logarithm problem, respectively. Both problems already have quantum algorithms that solve them in polynomial time, so with sufficiently powerful quantum computers the most widespread digital signature algorithms become impractical. Naturally, as quantum computing power grows, interest in cryptosystems resistant to attacks by such computers has grown as well. The area that studies these cryptosystems is called post-quantum cryptography. These algorithms are based on a series of problems that, for now, remain hard even when powerful quantum computers are available, which makes them candidates to replace the classical cryptosystems. This work addresses cryptosystems based on systems of multivariate polynomials, whose security rests on problems such as solving systems of polynomial equations and the isomorphism of polynomials; these remain resistant to quantum algorithms and are therefore candidates for post-quantum cryptography. Such schemes have much larger keys than the classical algorithms. This work proposes a new method for reducing the private keys of the Rainbow digital signature scheme. Using this method, private keys can be reduced by up to 84%. Moreover, the method can be combined with others so as to reduce both the private key and the public key.

    Performance Analysis of Rainbow on ARM Cortex-M4

    The risk posed by a fully operational quantum computer has anticipated a revolution in how the security level provided by a cryptographic algorithm is assessed. Public-key solutions such as RSA or ECC will be easily broken once we enter the post-quantum era. Multivariate quadratic cryptosystems are a promising candidate for the needed quantum-resistant digital signature schemes. To estimate whether this approach will someday be able to replace current standards, it is necessary to determine how efficiently these schemes can operate on diverse platforms and at which security level they can do so. These aspects are particularly relevant for small devices with restricted energy, memory or computational power. In this work, a theoretical description of the so-called Rainbow multivariate signature algorithm is given, which is then implemented in a memory-constrained environment. An optimization is proposed to improve the efficiency of the scheme in terms of signing and verification speed. A performance comparison is also presented between various state-of-the-art post-quantum signature cryptosystems and the optimized instances of Rainbow, in order to study its characteristics from a wider perspective.

    MQ on my Mind: Post-Quantum Signatures from the Non-Structured Multivariate Quadratic Problem

    This paper presents MQ on my Mind (MQOM), a digital signature scheme based on the difficulty of solving multivariate systems of quadratic equations (the MQ problem). MQOM has been submitted to the NIST call for additional post-quantum signature schemes. MQOM relies on the MPC-in-the-Head (MPCitH) paradigm to build a zero-knowledge proof of knowledge (ZK-PoK) for MQ, which is then turned into a signature scheme through the Fiat-Shamir heuristic. The underlying MQ problem is non-structured in the sense that the system of quadratic equations defining an instance is drawn uniformly at random. This is one of the hardest and most studied problems in multivariate cryptography, which makes it a conservative choice for building candidate post-quantum cryptosystems. For an efficient application of the MPCitH paradigm, we design a specific MPC protocol to verify the solution of an MQ instance. Compared to other multivariate signature schemes based on non-structured MQ instances, MQOM achieves the shortest signatures (6.3-7.8 KB) while keeping very short public keys (a few dozen bytes). Other multivariate signature schemes are based on structured MQ problems (less conservative) and either have large public keys (e.g. UOV) or use recently proposed variants of these MQ problems (e.g. MAYO).

    Selecting and Reducing Key Sizes for Multivariate Cryptography

    Cryptographic techniques are essential for the security of communication in modern society. As more and more business processes are performed via the Internet, the need for efficient cryptographic solutions will further increase in the future. Today, nearly all cryptographic schemes used in practice are based on the two problems of factoring large integers and solving discrete logarithms. However, schemes based on these problems will become insecure when large enough quantum computers are built. The reason for this is Shor's algorithm, which solves number-theoretic problems such as integer factorization and discrete logarithms in polynomial time on a quantum computer. Therefore one needs alternatives to those classical public key schemes. Besides lattice-, code- and hash-based cryptosystems, multivariate cryptography is a candidate for this. In addition to their (believed) resistance against quantum computer attacks, multivariate schemes are very fast and require only modest computational resources, which makes them attractive for use on low-cost devices such as RFID chips and smart cards. However, some open problems remain, such as the unclear parameter choice of multivariate schemes, the large key sizes, and the lack of more advanced multivariate schemes such as signatures with special properties and key exchange protocols. In this dissertation we address two of these open questions in the area of multivariate cryptography. In the first part we consider the question of the parameter choice of multivariate schemes. We start with the security model of Lenstra and Verheul, which, on the basis of certain assumptions such as the development of the computing environment and the budget of an attacker, proposes security levels for now and the near future. Based on this model we study the known attacks against multivariate schemes in general and the Rainbow signature scheme in particular, and use this analysis to propose secure parameter sets for these schemes for the years 2012 - 2050. In the second part of this dissertation we present an approach to reduce the public key size of certain multivariate signature schemes such as UOV and Rainbow. We achieve the reduction by inserting a structured matrix into the coefficient matrix of the public key, which enables us to store the public key in an efficient way. We propose several improved versions of UOV and Rainbow which reduce the size of the public key by factors of 8 and 3, respectively. Using the results of the first part, we show that using structured public keys does not weaken the security of the underlying schemes against known attacks. Furthermore, we show how the structure of the public key can be used to speed up the verification process of the schemes, yielding speed-ups by factors of 6 for UOV and 2 for Rainbow. Finally, we show how to apply our techniques to the QUAD stream cipher; by doing so we can increase the data throughput of QUAD by a factor of 7.

    International Symposium on Mathematics, Quantum Theory, and Cryptography

    This open access book presents selected papers from the International Symposium on Mathematics, Quantum Theory, and Cryptography (MQC), which was held on September 25-27, 2019 in Fukuoka, Japan. The international symposium MQC addresses the mathematics and quantum theory underlying the secure modeling of post-quantum cryptography, including, e.g., the mathematical study of light-matter interaction models as well as quantum computing. The security of the most widely used cryptosystem, RSA, is based on the difficulty of factoring large integers. However, in 1994 Shor proposed a quantum polynomial-time algorithm for factoring integers, so the RSA cryptosystem is no longer secure in the quantum computing model. This vulnerability has prompted research into post-quantum cryptography using alternative mathematical problems that remain secure in the era of quantum computers. In this regard, the National Institute of Standards and Technology (NIST) began to standardize post-quantum cryptography in 2016. This book is suitable for postgraduate students in mathematics and computer science, as well as for experts in industry working on post-quantum cryptography.

    Signing Information in the Quantum Era

    Signatures are primarily used as a mark of authenticity, to demonstrate that the sender of a message is who they claim to be. In the current digital age, signatures underpin trust in the vast majority of information that we exchange, particularly on public networks such as the internet. However, schemes for signing digital information that rest on computational-complexity assumptions are facing challenges from advances in mathematics, the capability of computers, and the advent of the quantum era. Here we present a review of digital signature schemes, looking at their origins and where they are under threat. Next, we introduce post-quantum digital signature schemes, which are being developed with the specific intent of mitigating threats from quantum algorithms while still relying on digital processes and infrastructure. Finally, we review schemes for signing information carried on quantum channels, which promise provable security metrics. Signatures were invented as a practical means of authenticating communications, and it is important that the practicality of novel signature schemes is considered carefully; this is kept as a common theme of interest throughout this review.

    Shorter secret keys in multivariate cryptography through optimal subspace representations

    Multivariate cryptography (MVQC) is currently one of the most promising families of cryptographic schemes in the post-quantum setting. However, it frequently suffers from excessively large keys or from tailor-made security assumptions. In this thesis we treat one MVQC scheme, Unbalanced Oil and Vinegar (UOV), using a reformulation of it recently given by Beullens, with the aim of exploring how far the size of the private keys can be reduced without affecting practicality. We also focus on two simplifications frequently applied to UOV; these are usually justified by observing that the security assumptions underlying UOV can be applied to them. We show that (with some concessions) their security can be proven directly to follow from the security of traditional UOV.
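    Both the public-key size discussion in "Selecting and Reducing Key Sizes for Multivariate Cryptography" above and the UOV private-key discussion in this entry turn on the same structure: the Oil and Vinegar trapdoor. The following toy UOV implementation is an added example, not code from any of the theses or papers listed here. It uses a tiny, insecure parameter set (q = 31, 6 vinegar and 3 oil variables, an assumption made for illustration) to show the oil-vinegar central map, signing by solving a linear system once the vinegar variables are fixed, verification as evaluation of the public quadratic forms (which is exactly an MQ instance for anyone without the trapdoor), and a coefficient count that makes the key-size problem concrete.

```python
"""Toy Unbalanced Oil and Vinegar (UOV) over GF(q) in plain Python.
Added example with constructed, insecure parameters: it shows the trapdoor, not a usable scheme."""
import random

Q = 31        # small prime field (assumption; real parameter sets use GF(16) or GF(256))
V, O = 6, 3   # vinegar / oil variable counts (assumption, far too small to be secure)
N = V + O     # number of variables
M = O         # number of public equations, one per oil variable

def mat_mul(A, B, q=Q):
    return [[sum(A[i][k] * B[k][j] for k in range(len(B))) % q
             for j in range(len(B[0]))] for i in range(len(A))]

def inverse_mod(A, q=Q):
    """Gauss-Jordan inverse over GF(q); returns None if A is singular."""
    n = len(A)
    aug = [row[:] + [int(i == j) for j in range(n)] for i, row in enumerate(A)]
    for col in range(n):
        pivot = next((r for r in range(col, n) if aug[r][col] % q), None)
        if pivot is None:
            return None
        aug[col], aug[pivot] = aug[pivot], aug[col]
        inv = pow(aug[col][col], -1, q)
        aug[col] = [x * inv % q for x in aug[col]]
        for r in range(n):
            if r != col and aug[r][col] % q:
                f = aug[r][col]
                aug[r] = [(x - f * y) % q for x, y in zip(aug[r], aug[col])]
    return [row[n:] for row in aug]

def quad_eval(Mk, x, q=Q):
    """x^T Mk x mod q. Solving P_k(x) = t_k for all k from the public
    matrices alone is exactly an MQ instance."""
    n = len(x)
    return sum(x[i] * Mk[i][j] * x[j] for i in range(n) for j in range(n)) % q

def keygen(rng):
    # Central map F: m upper-triangular matrices whose oil x oil block is zero,
    # so no monomial ever multiplies two oil variables together.
    F = []
    for _ in range(M):
        A = [[0] * N for _ in range(N)]
        for i in range(V):            # rows: vinegar variables only
            for j in range(i, N):     # columns: vinegar or oil
                A[i][j] = rng.randrange(Q)
        F.append(A)
    # Secret invertible change of variables T hides that structure: P = F o T.
    while True:
        T = [[rng.randrange(Q) for _ in range(N)] for _ in range(N)]
        T_inv = inverse_mod(T)
        if T_inv is not None:
            break
    Tt = [list(col) for col in zip(*T)]
    P = [mat_mul(mat_mul(Tt, A), T) for A in F]   # P_k(x) = f_k(T x): dense n x n
    return (F, T_inv), P

def sign(sk, target, rng):
    """Find s with P_k(s) = target_k for every k, using the trapdoor."""
    F, T_inv = sk
    while True:
        y = [rng.randrange(Q) for _ in range(V)]   # random vinegar assignment
        # With vinegar fixed, each f_k is affine in the oil variables:
        #   f_k(y, o) = const_k + sum_j coef_k[j] * o_j
        coef, rhs = [], []
        for k, A in enumerate(F):
            const = sum(y[i] * A[i][i2] * y[i2] for i in range(V) for i2 in range(i, V)) % Q
            coef.append([sum(y[i] * A[i][V + j] for i in range(V)) % Q for j in range(O)])
            rhs.append((target[k] - const) % Q)
        C_inv = inverse_mod(coef)
        if C_inv is None:             # singular oil system: re-sample vinegar and retry
            continue
        oil = [sum(C_inv[j][k] * rhs[k] for k in range(O)) % Q for j in range(O)]
        z = y + oil
        return [sum(T_inv[i][j] * z[j] for j in range(N)) % Q for i in range(N)]

def verify(P, s, target):
    return all(quad_eval(Mk, s) == t for Mk, t in zip(P, target))

def key_sizes_bits(n, m, v, q):
    """Raw coefficient counts behind the large keys: m dense quadratic forms in n
    variables for the public key; T plus the sparser central map for the private key."""
    o = n - v
    bits = (q - 1).bit_length()                     # bits per field element
    public = m * n * (n + 1) // 2
    private = n * n + m * (v * (v + 1) // 2 + v * o)
    return public * bits, private * bits

def demo(seed=1):
    """Keygen, sign and verify with a fixed seed; returns (valid, tampered_valid)."""
    rng = random.Random(seed)
    sk, pk = keygen(rng)
    target = [rng.randrange(Q) for _ in range(M)]   # stands in for H(message) in GF(q)^m
    s = sign(sk, target, rng)
    tampered = [(t + 1) % Q for t in target]
    return verify(pk, s, target), verify(pk, s, tampered)

if __name__ == "__main__":
    print(demo(), key_sizes_bits(N, M, V, Q))
```

    demo() returns (True, False): the signature verifies against its target and fails against a tampered one. The verifier only ever touches the dense public matrices, which is why the public key grows as m * n(n+1)/2 field elements; key_sizes_bits(112, 44, 68, 256), with n, m and q taken from the uov-Ip parameter set of the UOV NIST submission rather than from this page, gives a public key of 278,432 bytes, the kind of size that the structured-key and private-key-reduction work in the entries above sets out to shrink.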

    Challenges of Post-Quantum Digital Signing in Real-world Applications: A Survey

    Public key cryptography is threatened by the advent of quantum computers. Using Shor's algorithm on a large-enough quantum computer, an attacker can cryptanalyze any RSA/ECC public key and generate fake digital signatures in seconds. If this vulnerability is left unaddressed, digital communications and electronic transactions can potentially be left without the assurance of authenticity and non-repudiation. In this paper, we study the use of digital signatures in 14 real-world applications across the financial, critical infrastructure, Internet, and enterprise sectors. Besides understanding how digital signing is used, we compare the applications' signing requirements against all 6 round 3 candidate signature algorithms of NIST's post-quantum cryptography contest. This is done through a proposed framework in which we map the suitability of each algorithm against the applications' requirements in a feasibility matrix. Using the matrix, we identify the improvements needed for all 14 applications to have a feasible post-quantum secure replacement digital signing algorithm.

    Will quantum computers be the end of public key encryption?

    The emergence of practical quantum computers poses a significant threat to the most popular public key cryptographic schemes in current use. While we know that the well-understood algorithms for factoring large composites and solving the discrete logarithm problem run at best in superpolynomial time on conventional computers, new, less well understood algorithms run in polynomial time on certain quantum computer architectures. Many appear to be heralding this next step in computing as ‘the end of public key encryption’. We argue that this is not the case and that there are many fields of mathematics that can be used for creating ‘quantum resistant’ cryptographic schemes. We present a high-level review of the threat posed by quantum computers, using RSA and Shor’s algorithm as an example but we explain why we feel that the range of quantum algorithms that pose a threat to public key encryption schemes is likely to be limited in future. We discuss some of the other schemes that we believe could form the basis for public key encryption schemes, some of which could enter widespread use in the very near future, and indicate why some are more likely to be adopted