## Post-Quantum Zero-Knowledge and Signatures from Symmetric-Key Primitives *

### Citations

1636 | Random oracles are practical: A paradigm for designing efficient protocols
- Bellare, Rogaway
- 1993
Citation Context: ...ing a key from it (cf. [45]) [Footnote 1: http://csrc.nist.gov/groups/ST/post-quantum-crypto/], along with other optimizations, yields practical stateless hash-based signatures [16]. There are also existing schemes that make structured (or number-theoretic) assumptions. Code-based signature schemes can be obtained from identification schemes based on the syndrome decoding (SD) problem [68, 79, 83] by applying a variant of the well-known Fiat-Shamir (FS) transform [38]. Lattice-based signature schemes secure under the short integer solution (SIS) problem on lattices following the Full-Domain-Hash paradigm [12] have been introduced in [41]. More efficient approaches [7, 8, 63, 64] rely on the FS transform instead of FDH. BLISS [34], a very practical scheme, also relies on the FS transform, but buys efficiency at the cost of more pragmatic assumptions – i.e. a ring version of the SIS problem. For signatures based on problems related to multivariate systems of quadratic equations, only recently have provably secure variants relying on the FS transform been proposed [54]. When it comes to confidence in the underlying assumptions, hash-based signatures are arguably the preferred candidate among all exist...

1124 | A fast quantum mechanical algorithm for database search
- Grover
- 1996
Citation Context: ...The deadline for proposals is fall 2017. In this paper we are concerned with constructing signature schemes for the post-quantum era. The building blocks of our schemes are interactive honest-verifier zero-knowledge proof systems (Σ-protocols) for statements over general circuits and symmetric-key primitives, which are conjectured to remain secure in a post-quantum world. Post-Quantum Signatures. Perhaps the oldest signature schemes with post-quantum security are one-time Lamport [61] signatures, built using hash functions. As Grover's quantum search algorithm can invert any black-box function [50] with a quadratic speed-up over classical algorithms, this requires doubling the bit size of the hash function's domain, but requires no additional assumptions to provably achieve post-quantum security. Combined with Merkle trees, this approach yields stateful signatures for any polynomial number of messages [69], where the state ensures that a one-time signature key from the tree is not reused. By making the tree very large, and randomly selecting a key from it (cf. [45]) [Footnote 1: http://csrc.nist.gov/groups/ST/post-quantum-crypto/], along with other optimizations, yields practical stateless hash-bas...

735 | Efficient signature generation by smart cards
- Schnorr
- 1991
Citation Context: ...ith et al. [39] published a preprint containing one conceptually identical isogeny-based construction, and one based on endomorphism rings. They report improved signature sizes using a time-space trade-off and only present their improvements in terms of classical security parameters. Zero-Knowledge for Arithmetic Circuits. Zero-knowledge (ZK) proofs [47] are a powerful tool and exist for any language in NP [46]. Nevertheless, practically efficient proofs were until recently only known for restricted languages covering algebraic statements in certain algebraic structures, e.g., discrete logarithms [77, 26] or equations over bilinear groups [49]. Expressing any NP language as a combination of algebraic circuits could be done, for example, by expressing the relation as a circuit; however, for circuits of practical interest (such as hash functions or block ciphers), this gets prohibitive. Even SNARKs, where proof size can be made small (and constant) and verification is highly efficient, have very costly proofs (cf. [40, 14, 24] and the references therein; see footnote 3). Unfortunately, signatures require small proof computation times (efficient signing procedures), and this direction is not suitable. Quite recent...

437 | A certified digital signature
- Merkle
- 1989
Citation Context: ...hich are conjectured to remain secure in a post-quantum world. Post-Quantum Signatures. Perhaps the oldest signature schemes with post-quantum security are one-time Lamport [61] signatures, built using hash functions. As Grover's quantum search algorithm can invert any black-box function [50] with a quadratic speed-up over classical algorithms, this requires doubling the bit size of the hash function's domain, but requires no additional assumptions to provably achieve post-quantum security. Combined with Merkle trees, this approach yields stateful signatures for any polynomial number of messages [69], where the state ensures that a one-time signature key from the tree is not reused. By making the tree very large, and randomly selecting a key from it (cf. [45]) [Footnote 1: http://csrc.nist.gov/groups/ST/post-quantum-crypto/], along with other optimizations, yields practical stateless hash-based signatures [16]. There are also existing schemes that make structured (or number-theoretic) assumptions. Code-based signature schemes can be obtained from identification schemes based on the syndrome decoding (SD) problem [68, 79, 83] by applying a variant of the well-known Fiat-Shamir (FS) transform [38]. Lat...

334 | Proofs of partial knowledge and simplified design of witness hiding protocols
- Cramer, Damgård, et al.
- 1994
Citation Context: ...ith et al. [39] published a preprint containing one conceptually identical isogeny-based construction, and one based on endomorphism rings. They report improved signature sizes using a time-space trade-off and only present their improvements in terms of classical security parameters. Zero-Knowledge for Arithmetic Circuits. Zero-knowledge (ZK) proofs [47] are a powerful tool and exist for any language in NP [46]. Nevertheless, practically efficient proofs were until recently only known for restricted languages covering algebraic statements in certain algebraic structures, e.g., discrete logarithms [77, 26] or equations over bilinear groups [49]. Expressing any NP language as a combination of algebraic circuits could be done, for example, by expressing the relation as a circuit; however, for circuits of practical interest (such as hash functions or block ciphers), this gets prohibitive. Even SNARKs, where proof size can be made small (and constant) and verification is highly efficient, have very costly proofs (cf. [40, 14, 24] and the references therein; see footnote 3). Unfortunately, signatures require small proof computation times (efficient signing procedures), and this direction is not suitable. Quite recent...

294 | A public-key cryptosystem based on algebraic coding theory
- McEliece
- 1978
Citation Context: ...On a 128-bit post-quantum security level, signatures are about 41 kB in size, and keys are of size about 1 kB each. Code-Based Signatures (ROM). In the code-based setting the most prominent and provably secure approach is to convert identification schemes due to Stern [79] and Véron [83] to signatures using FS. For the 128-bit security level and accounting for Grover, one obtains signature sizes of around 129 kB (in the best case) and a public key size of ≈ 160 bytes (footnote 2). We note that there are also other code-based signatures [25] based on the Niederreiter [70] dual of the McEliece cryptosystem [65], which do not come with a security reduction, have been shown to be insecure [36] and also do not seem practical [62]. There is a more recent provably secure approach [35]; however, it is not immediate whether this leads to efficient signatures. Lattice-Based Signatures (ROM). For lattice-based signatures there are two major directions. The first are schemes that rely on the hardness of worst-to-average-case problems in standard lattices [41, 64, 8, 28, 7]. Although they are desirable from a security point of view, they suffer from huge public keys, i.e., in the order of a few to some 10 MB. TESLA [7...

260 | Security proofs for signature schemes
- Pointcheval, Stern
- 1996
Citation Context: ...a′(t)). If e′ = e, output Accept, otherwise output Reject. [Scheme 1: The ZKB++ proof system, made non-interactive using the Fiat-Shamir transform.] ...to (2-)special soundness, and the 3-special soundness of ZKBOO requires an additional rewind. In particular, an adapted version of the proof of [59, Theorem 8.2] which considers this additional rewind attests the security of Scheme 2. The security reduction, however, is a non-tight one, like most signature schemes constructed from Σ-protocols. [Footnote 5: There are numerous works on signatures from (three-move) identification schemes [71, 75, 1, 2, 60, 11, 30]. Unfortunately, existing proof techniques do not give tight security reductions.] We obtain the following: Corollary 1. Scheme 2 instantiated with ZKB++ and a secure pseudorandom function yields an EUF-CMA secure signature scheme in the ROM. Gen(1^κ): Choose x ←R D, k ←R K, compute y ← f_k(x), set pk ← (y, x) and sk ← (pk, k) and return (sk, pk). Sign(sk, m): Parse sk as (pk, k), compute p = (r, s) ← Prove_H((y, x, m), k) and return σ ← p, where internally the challenge is computed as c ← H(r, m). Verify(pk, m, σ): Parse pk as (y, x), and σ as p = (r, s). Return 1 if the following holds, and 0 otherwise: Verify_H((y, x, m), p) = 1, where int...

179 | A cryptanalytic time-memory trade-off
- Hellman
- 1980
Citation Context: ...ed signature scheme the public verification key pk contains the image y, the input x (and a description of f), and the secret signing key sk is a random key k from K. The corresponding signature scheme, dubbed Fish, is illustrated in Scheme 2. The function f could be any one-way function, but since we found block ciphers gave the most efficient signatures, we tailor our description to this choice of f. The rationale for using a random block x as input to f_k when creating the key pair is to improve security against multi-user key recovery attacks and generic time-memory trade-off attacks like [52]. To reduce the size of the public key, one could choose a smaller value that is unique per user, or use a fixed value (with a potential decrease in security). Since public keys in our schemes are small (at most 64 bytes), our design uses a full random block. If we view ZKBOO as a canonical identification scheme that is secure against passive adversaries, one just needs to keep in mind that most definitions are tailored ... For public φ and y ∈ L_φ, the prover has x such that y = φ(x). The prover and verifier use the hash functions G(·), H(·) and H′(·), which will be modeled as random oracles ...

136 | Constructing digital signatures from a one-way function
- Lamport
- 1979
Citation Context: ...ect is seeking proposals for public key encryption, key exchange and digital signatures thought to have PQ security. The deadline for proposals is fall 2017. In this paper we are concerned with constructing signature schemes for the post-quantum era. The building blocks of our schemes are interactive honest-verifier zero-knowledge proof systems (Σ-protocols) for statements over general circuits and symmetric-key primitives, which are conjectured to remain secure in a post-quantum world. Post-Quantum Signatures. Perhaps the oldest signature schemes with post-quantum security are one-time Lamport [61] signatures, built using hash functions. As Grover's quantum search algorithm can invert any black-box function [50] with a quadratic speed-up over classical algorithms, this requires doubling the bit size of the hash function's domain, but requires no additional assumptions to provably achieve post-quantum security. Combined with Merkle trees, this approach yields stateful signatures for any polynomial number of messages [69], where the state ensures that a one-time signature key from the tree is not reused. By making the tree very large, and randomly selecting a key from it (cf. [45]) [Footnote 1: http:/...

125 | Efficient non-interactive proof systems for bilinear groups
- Groth, Sahai
- 2008
Citation Context: ...ning one conceptually identical isogeny-based construction, and one based on endomorphism rings. They report improved signature sizes using a time-space trade-off and only present their improvements in terms of classical security parameters. Zero-Knowledge for Arithmetic Circuits. Zero-knowledge (ZK) proofs [47] are a powerful tool and exist for any language in NP [46]. Nevertheless, practically efficient proofs were until recently only known for restricted languages covering algebraic statements in certain algebraic structures, e.g., discrete logarithms [77, 26] or equations over bilinear groups [49]. Expressing any NP language as a combination of algebraic circuits could be done, for example, by expressing the relation as a circuit; however, for circuits of practical interest (such as hash functions or block ciphers), this gets prohibitive. Even SNARKs, where proof size can be made small (and constant) and verification is highly efficient, have very costly proofs (cf. [40, 14, 24] and the references therein; see footnote 3). Unfortunately, signatures require small proof computation times (efficient signing procedures), and this direction is not suitable. Quite recently, dedicated ZK proof systems for stat...

95 | Knapsack-type cryptosystems and algebraic coding theory
- Niederreiter
- 1986
Citation Context: ..., i.e., hash functions, PRGs and PRFs. On a 128-bit post-quantum security level, signatures are about 41 kB in size, and keys are of size about 1 kB each. Code-Based Signatures (ROM). In the code-based setting the most prominent and provably secure approach is to convert identification schemes due to Stern [79] and Véron [83] to signatures using FS. For the 128-bit security level and accounting for Grover, one obtains signature sizes of around 129 kB (in the best case) and a public key size of ≈ 160 bytes (footnote 2). We note that there are also other code-based signatures [25] based on the Niederreiter [70] dual of the McEliece cryptosystem [65], which do not come with a security reduction, have been shown to be insecure [36] and also do not seem practical [62]. There is a more recent provably secure approach [35]; however, it is not immediate whether this leads to efficient signatures. Lattice-Based Signatures (ROM). For lattice-based signatures there are two major directions. The first are schemes that rely on the hardness of worst-to-average-case problems in standard lattices [41, 64, 8, 28, 7]. Although they are desirable from a security point of view, they suffer from huge public keys, i.e., in the o...

87 | How to Achieve a McEliece-Based Digital Signature Scheme
- Courtois, Finiasz, et al.
Citation Context: ...tion to the used building blocks, i.e., hash functions, PRGs and PRFs. On a 128-bit post-quantum security level, signatures are about 41 kB in size, and keys are of size about 1 kB each. Code-Based Signatures (ROM). In the code-based setting the most prominent and provably secure approach is to convert identification schemes due to Stern [79] and Véron [83] to signatures using FS. For the 128-bit security level and accounting for Grover, one obtains signature sizes of around 129 kB (in the best case) and a public key size of ≈ 160 bytes (footnote 2). We note that there are also other code-based signatures [25] based on the Niederreiter [70] dual of the McEliece cryptosystem [65], which do not come with a security reduction, have been shown to be insecure [36] and also do not seem practical [62]. There is a more recent provably secure approach [35]; however, it is not immediate whether this leads to efficient signatures. Lattice-Based Signatures (ROM). For lattice-based signatures there are two major directions. The first are schemes that rely on the hardness of worst-to-average-case problems in standard lattices [41, 64, 8, 28, 7]. Although they are desirable from a security point of view, they suffer from ...

82 | A New Identification Scheme Based on Syndrome Decoding
- Stern
- 1993
Citation Context: ...rees, this approach yields stateful signatures for any polynomial number of messages [69], where the state ensures that a one-time signature key from the tree is not reused. By making the tree very large, and randomly selecting a key from it (cf. [45]) [Footnote 1: http://csrc.nist.gov/groups/ST/post-quantum-crypto/], along with other optimizations, yields practical stateless hash-based signatures [16]. There are also existing schemes that make structured (or number-theoretic) assumptions. Code-based signature schemes can be obtained from identification schemes based on the syndrome decoding (SD) problem [68, 79, 83] by applying a variant of the well-known Fiat-Shamir (FS) transform [38]. Lattice-based signature schemes secure under the short integer solution (SIS) problem on lattices following the Full-Domain-Hash paradigm [12] have been introduced in [41]. More efficient approaches [7, 8, 63, 64] rely on the FS transform instead of FDH. BLISS [34], a very practical scheme, also relies on the FS transform, but buys efficiency at the cost of more pragmatic assumptions – i.e. a ring version of the SIS problem. For signatures based on problems related to multivariate systems of quadratic equations, only rece...

44 | Lattice Signatures without Trapdoors
- Lyubashevsky
- 2012
Citation Context: ...[Footnote 1: ...post-quantum-crypto/], along with other optimizations, yields practical stateless hash-based signatures [16]. There are also existing schemes that make structured (or number-theoretic) assumptions. Code-based signature schemes can be obtained from identification schemes based on the syndrome decoding (SD) problem [68, 79, 83] by applying a variant of the well-known Fiat-Shamir (FS) transform [38]. Lattice-based signature schemes secure under the short integer solution (SIS) problem on lattices following the Full-Domain-Hash paradigm [12] have been introduced in [41]. More efficient approaches [7, 8, 63, 64] rely on the FS transform instead of FDH. BLISS [34], a very practical scheme, also relies on the FS transform, but buys efficiency at the cost of more pragmatic assumptions – i.e. a ring version of the SIS problem. For signatures based on problems related to multivariate systems of quadratic equations, only recently have provably secure variants relying on the FS transform been proposed [54]. When it comes to confidence in the underlying assumptions, hash-based signatures are arguably the preferred candidate among all existing approaches. All other practical signatures require an additional st...

44 | On concrete security treatment of signatures derived from identification
- Ohta, Okamoto
- 1998
Citation Context: ...a′(t)). If e′ = e, output Accept, otherwise output Reject. [Scheme 1: The ZKB++ proof system, made non-interactive using the Fiat-Shamir transform.] ...to (2-)special soundness, and the 3-special soundness of ZKBOO requires an additional rewind. In particular, an adapted version of the proof of [59, Theorem 8.2] which considers this additional rewind attests the security of Scheme 2. The security reduction, however, is a non-tight one, like most signature schemes constructed from Σ-protocols. [Footnote 5: There are numerous works on signatures from (three-move) identification schemes [71, 75, 1, 2, 60, 11, 30]. Unfortunately, existing proof techniques do not give tight security reductions.] We obtain the following: Corollary 1. Scheme 2 instantiated with ZKB++ and a secure pseudorandom function yields an EUF-CMA secure signature scheme in the ROM. Gen(1^κ): Choose x ←R D, k ←R K, compute y ← f_k(x), set pk ← (y, x) and sk ← (pk, k) and return (sk, pk). Sign(sk, m): Parse sk as (pk, k), compute p = (r, s) ← Prove_H((y, x, m), k) and return σ ← p, where internally the challenge is computed as c ← H(r, m). Verify(pk, m, σ): Parse pk as (y, x), and σ as p = (r, s). Return 1 if the following holds, and 0 otherwise: Verify_H((y, x, m), p) = 1, where int...

37 | Quantum cryptanalysis of hash and claw-free functions
- Brassard, Høyer, et al.
- 1998
Citation Context: ...ions support multiple LowMC parameter sets. Function G. As explained in Section 5, G may be implemented with a random function with the same domain and range. We implement G(x) as h(0‖x)‖h(1‖x)‖…, where h is SHA-256 and the output length is |x|. Hash function security. We make the following concrete assumptions for the security of our schemes. We assume that SHA-256 provides 128 bits of pre-image resistance against quantum adversaries. For collision resistance, when considering quantum algorithms, in theory it may be possible to find collisions using a generic algorithm of Brassard et al. [20] with cost O(2^(n/3)). A detailed analysis of the costs of the algorithm in [20] by Bernstein [15] found that in practice the quantum algorithm is unlikely to outperform the O(2^(n/2)) classical algorithm. Multiple cryptosystems have since made the assumption that standard hash functions with n-bit digests provide n/2 bits of collision resistance against quantum attacks (for examples, see papers citing [15]). We make this assumption as well, and in particular, that SHA-256 provides 128 bits of PQ collision resistance. 7.2 Circuit for LowMC. For the linear (2,3)-decomposition we view LowMC as a circuit ...

28 | SNARKs for C: Verifying program executions succinctly and in zero knowledge
- Ben-Sasson, Chiesa, et al.
- 2013
Citation Context: ...ess, practically efficient proofs were until recently only known for restricted languages covering algebraic statements in certain algebraic structures, e.g., discrete logarithms [77, 26] or equations over bilinear groups [49]. Expressing any NP language as a combination of algebraic circuits could be done, for example, by expressing the relation as a circuit; however, for circuits of practical interest (such as hash functions or block ciphers), this gets prohibitive. Even SNARKs, where proof size can be made small (and constant) and verification is highly efficient, have very costly proofs (cf. [40, 14, 24] and the references therein; see footnote 3). Unfortunately, signatures require small proof computation times (efficient signing procedures), and this direction is not suitable. Quite recently, dedicated ZK proof systems for statements expressed as Boolean circuits by Jawurek et al. [56] and statements expressed as RAM programs by Hu et al. [53] have been proposed. As we exclusively focus on circuits, let us take a look at [56]. They proposed to use garbled circuits to obtain ZK proofs, which allow to efficiently prove statements like knowledge of x for y = SHA-256(x). Unfortunately, this approach is inheren...

28 | Practical lattice-based cryptography: A signature scheme for embedded systems
- Güneysu, Lyubashevsky, et al.
Citation Context: ...to efficient signatures. Lattice-Based Signatures (ROM). For lattice-based signatures there are two major directions. The first are schemes that rely on the hardness of worst-to-average-case problems in standard lattices [41, 64, 8, 28, 7]. Although they are desirable from a security point of view, they suffer from huge public keys, i.e., in the order of a few to some 10 MB. TESLA [7] (based upon [8, 64]) improves all aspects in the performance of GPV [41], but still has keys in the order of 1 MB. More efficient lattice-based schemes are based on ring analogues of classical lattice problems [51, 34, 9, 3, 10] whose security is related to hardness assumptions in ideal lattices. These constructions allow to drop key sizes to the order of a few kB. Most notable is BLISS [34, 33], which achieves performance nearly comparable to RSA. However, it must be noted that ideal lattices have not been investigated nearly as deeply as standard lattices, and thus there is less confidence in the assumptions (cf. [73]). MQ-Based Signatures (ROM). Recently, Hülsing et al. in [54] proposed a post-quantum signature scheme (MQDSS) whose security is based on the problem of solving a multivariate system of quadratic eq...

24 | PRINCE – a low-latency block cipher for pervasive computing applications (extended abstract)
- Borghoff, Canteaut, et al.
- 2012
Citation Context: ...functions like SHA-256 are a popular choice for proof-of-concept implementations. The number of AND gates of a single call to the SHA-256 compression function is about 25000, and for a single call to the permutation underlying SHA-3 it is 38400. Lightweight Ciphers. Most early designs in this domain focused on small area when implemented in hardware, where an XOR gate is by a small factor larger than an AND or NAND gate. Notable designs with a low number of AND gates at the 128-bit security level are the block ciphers Noekeon [27] (2048) and Fantomas [48] (2112). Furthermore, one should mention Prince [18] (1920), or the stream cipher Trivium [31] (1536 AND gates to compute 128 output bits) with 80-bit security. Custom Ciphers with a Low Number of Multiplications. Motivated by applications in SHE/FHE schemes, MPC protocols and SNARKs, recently a trend to design symmetric encryption primitives with a low number of multiplications or a low multiplicative depth started to evolve. This is a trend we can take advantage of. We start with the LowMC [6] block cipher family. In the most recent version of the proposal [4], the number of AND gates can be below 500 for 80-bit security, below 800 for 128-bi...

24 | Fiat-Shamir with aborts: Applications to lattice and factoring-based signatures
- Lyubashevsky
- 2009
Citation Context: ...[Footnote 1: ...post-quantum-crypto/], along with other optimizations, yields practical stateless hash-based signatures [16]. There are also existing schemes that make structured (or number-theoretic) assumptions. Code-based signature schemes can be obtained from identification schemes based on the syndrome decoding (SD) problem [68, 79, 83] by applying a variant of the well-known Fiat-Shamir (FS) transform [38]. Lattice-based signature schemes secure under the short integer solution (SIS) problem on lattices following the Full-Domain-Hash paradigm [12] have been introduced in [41]. More efficient approaches [7, 8, 63, 64] rely on the FS transform instead of FDH. BLISS [34], a very practical scheme, also relies on the FS transform, but buys efficiency at the cost of more pragmatic assumptions – i.e. a ring version of the SIS problem. For signatures based on problems related to multivariate systems of quadratic equations, only recently have provably secure variants relying on the FS transform been proposed [54]. When it comes to confidence in the underlying assumptions, hash-based signatures are arguably the preferred candidate among all existing approaches. All other practical signatures require an additional st...

20 | Zerocash: Decentralized anonymous payments from Bitcoin
- Ben-Sasson, Chiesa, et al.
- 2014
Citation Context: ...3] have been proposed. As we exclusively focus on circuits, let us take a look at [56]. They proposed to use garbled circuits to obtain ZK proofs, which allow to efficiently prove statements like knowledge of x for y = SHA-256(x). Unfortunately, this approach is inherently interactive and thus not suitable for the design of practical signature schemes. The very recent ZKBOO protocol due to Giacomelli et al. [42], which we build upon, for the first time allows to construct non-interactive zero-knowledge (NIZK) proofs with performance being of interest for practical applications. [Footnote 3: Using SNARKs is reasonable in scenarios where provers are extremely powerful (such as verifiable computing [40]) or the runtime of the prover is not critical (such as Zerocash [13]).] QROM vs ROM. One way of arguing security for signatures obtained via the FS heuristic in the stronger QROM is to assume that it simply holds as long as the underlying protocol and the hash function used to instantiate the random oracle (RO) are quantum-secure. It is, however, known [17] that there are signature schemes secure in the ROM that are trivially insecure in the quantum-accessible ROM (QROM), i.e., when the adversary can ...

17 | Random oracles in a quantum world
- Boneh, Dagdelen, et al.
- 2011
Citation Context: ...ng:
- We improve ZKBOO [42], a recent Σ-protocol for proving statements over general circuits. We reduce the transcript size by more than half without increasing the computational cost. We call the improved protocol ZKB++. This improvement is of general interest outside of our application to post-quantum signatures, as it yields significantly more concise zero-knowledge proofs even in the classical setting.
- We also show how to apply Unruh's generic transform [80, 81, 82] to obtain a non-interactive counterpart of ZKB++ that is secure in the quantum-accessible random oracle model (QROM; see [17]). To our knowledge, we are the first to apply Unruh's transform in an efficient signature scheme.
- Unruh's construction is generic, and does not immediately yield compact proofs. However, we specialize the construction to our application, and we find the overhead was surprisingly low – whereas a generic application of Unruh's transform incurs a 4x increase in size when compared to FS, we were able to reduce the size overhead of Unruh's transform to only 1.6x. Again, this has applications wider than our signature protocol, as the protocol can be used for non-interactive post-quantum zero knowl...

17 | Improved identification schemes based on error-correcting codes
- Véron
- 1996
Citation Context: ...rees, this approach yields stateful signatures for any polynomial number of messages [69], where the state ensures that a one-time signature key from the tree is not reused. By making the tree very large, and randomly selecting a key from it (cf. [45]) [Footnote 1: http://csrc.nist.gov/groups/ST/post-quantum-crypto/], along with other optimizations, yields practical stateless hash-based signatures [16]. There are also existing schemes that make structured (or number-theoretic) assumptions. Code-based signature schemes can be obtained from identification schemes based on the syndrome decoding (SD) problem [68, 79, 83] by applying a variant of the well-known Fiat-Shamir (FS) transform [38]. Lattice-based signature schemes secure under the short integer solution (SIS) problem on lattices following the Full-Domain-Hash paradigm [12] have been introduced in [41]. More efficient approaches [7, 8, 63, 64] rely on the FS transform instead of FDH. BLISS [34], a very practical scheme, also relies on the FS transform, but buys efficiency at the cost of more pragmatic assumptions – i.e. a ring version of the SIS problem. For signatures based on problems related to multivariate systems of quadratic equations, only rece...

16 | XMSS - a practical forward secure signature scheme based on minimal security assumptions
- Buchmann, Dahmen, et al.
- 2011
Citation Context: ...M). The remaining existing schemes rely on structured assumptions related to codes, lattices and multivariate systems of quadratic equations that are assumed to be quantum-immune and have a security proof in the ROM. By the end of the section, we review the state of the art in zero-knowledge proofs for non-algebraic statements. Hash-Based Signatures (SM). Hash-based signatures are attractive as they can be proven secure in the standard model (i.e., without ROs) under well-known properties of hash functions such as second-preimage resistance. Unfortunately, highly efficient schemes like XMSS [21] are stateful, which seems to be problematic for practical applications [66] and desirable to omit. Stateless schemes like SPHINCS [16] are thus more desirable, but this comes at reduced efficiency and increased signature sizes. SPHINCS has a tight security reduction to the used building blocks, i.e., hash functions, PRGs and PRFs. On a 128-bit post-quantum security level, signatures are about 41 kB in size, and keys are of size about 1 kB each. Code-Based Signatures (ROM). In the code-based setting the most prominent and provably secure approach is to convert identification schemes due to Stern [7...

15 | Logic minimization techniques with applications to cryptology.
- Boyar, Matthews, et al.
- 2013
Citation Context ...crete requirements, and present our choice, LowMC. 6.1 Survey of Suitable Primitives The signature size depends on constants that are close to the security expectation (cf. Section 7 for our choices). The only exceptions are the number of binary multiplication gates and the size of the rings, which both depend on the choice of the primitive. Hence we subsequently survey existing designs that can serve as a one-way function. Standardized General-Purpose Primitives. The smallest known Boolean circuit of AES-128 needs 5440 AND gates, AES-192 needs 6528 AND gates, and AES-256 needs 7616 AND gates [19]. An AES circuit over F_{2^4} might be more efficient in our setting, as in this case the number of multiplications is lower than 1000 [23]; the resulting impact on the signature size is equivalent to 4000 AND gates. Even though collision resistance is often not required, hash functions like SHA-256 are a popular choice for proof-of-concept implementations. The number of AND gates of a single call to the SHA-256 compression function is about 25000, and a single call to the permutation underlying SHA-3 needs 38400. Lightweight Ciphers. Most early designs in this domain focused on small area whe... |

11 | Zero-knowledge using garbled circuits: how to prove non-algebraic statements efficiently
- Jawurek, Kerschbaum, et al.
- 2013
Citation Context ...aic circuits could be done, for example, by expressing the relation as a circuit; however, for circuits of practical interest (such as hash functions or block ciphers), this gets prohibitive. Even SNARKs, where proof size can be made small (and constant) and verification is highly efficient, have very costly proofs (cf. [40, 14, 24] and the references therein).[3] Unfortunately, signatures require small proof computation times (efficient signing procedures), so this direction is not suitable. Quite recently, dedicated ZK proof systems for statements expressed as Boolean circuits by Jawurek et al. [56] and statements expressed as RAM programs by Hu et al. [53] have been proposed. As we exclusively focus on circuits, let us take a look at [56]. They proposed to use garbled circuits to obtain ZK proofs, which allow one to efficiently prove statements like knowledge of x for y = SHA-256(x). Unfortunately, this approach is inherently interactive and thus not suitable for the design of practical signature schemes. The very recent ZKBOO protocol due to Giacomelli et al. [42], which... [Footnote 3: Using SNARKs is reasonable in scenarios where provers are extremely powerful (such as verifiable computing [40]) or the...] |

10 | Higher-order masking schemes for S-boxes.
- Carlet, Goubin, et al.
- 2012
Citation Context ... close to the security expectation (cf. Section 7 for our choices). The only exceptions are the number of binary multiplication gates and the size of the rings, which both depend on the choice of the primitive. Hence we subsequently survey existing designs that can serve as a one-way function. Standardized General-Purpose Primitives. The smallest known Boolean circuit of AES-128 needs 5440 AND gates, AES-192 needs 6528 AND gates, and AES-256 needs 7616 AND gates [19]. An AES circuit over F_{2^4} might be more efficient in our setting, as in this case the number of multiplications is lower than 1000 [23]; the resulting impact on the signature size is equivalent to 4000 AND gates. Even though collision resistance is often not required, hash functions like SHA-256 are a popular choice for proof-of-concept implementations. The number of AND gates of a single call to the SHA-256 compression function is about 25000, and a single call to the permutation underlying SHA-3 needs 38400. Lightweight Ciphers. Most early designs in this domain focused on small area when implemented in hardware, where an XOR gate is larger than an AND or NAND gate by a small factor. Notable designs with a low number o... |

10 | Quantum proofs of knowledge,
- Unruh
- 2010
Citation Context ...ature schemes, we make several contributions of general interest to zero-knowledge proofs both in the classical and post-quantum setting: • We improve ZKBOO [42], a recent Σ-protocol for proving statements over general circuits. We reduce the transcript size by more than half without increasing the computational cost. We call the improved protocol ZKB++. This improvement is of general interest outside of our application to post-quantum signatures, as it yields significantly more concise zero-knowledge proofs even in the classical setting. • We also show how to apply Unruh's generic transform [80, 81, 82] to obtain a non-interactive counterpart of ZKB++ that is secure in the quantum-accessible random oracle model (QROM; see [17]). To our knowledge, we are the first to apply Unruh's transform in an efficient signature scheme. • Unruh's construction is generic, and does not immediately yield compact proofs. However, we specialize the construction to our application, and we find the overhead is surprisingly low: whereas a generic application of Unruh's transform incurs a 4x increase in size when compared to FS, we were able to reduce the size overhead of Unruh's transform to only 1.6x. Again, th... |

8 | In New Stream Cipher Designs - The eSTREAM Finalists.
- De Cannière, Preneel
- 2008
Citation Context ...e for proof-of-concept implementations. The number of AND gates of a single call to the SHA-256 compression function is about 25000, and a single call to the permutation underlying SHA-3 needs 38400. Lightweight Ciphers. Most early designs in this domain focused on small area when implemented in hardware, where an XOR gate is larger than an AND or NAND gate by a small factor. Notable designs with a low number of AND gates at the 128-bit security level are the block ciphers Noekeon [27] (2048 AND gates) and Fantomas [48] (2112 AND gates). Furthermore, one should mention Prince [18] (1920 AND gates), or the stream cipher Trivium [31] (1536 AND gates to compute 128 output bits) with 80-bit security. Custom Ciphers with a Low Number of Multiplications. Motivated by applications in SHE/FHE schemes, MPC protocols and SNARKs, a trend to design symmetric encryption primitives with a low number of multiplications or a low multiplicative depth has recently started to evolve. This is a trend we can take advantage of. We start with the LowMC [6] block cipher family. In the most recent version of the proposal [4], the number of AND gates can be below 500 for 80-bit security, below 800 for 128-bit security, and below 1400 for 256-bit sec... |

8 | Digital Signatures.
- Katz
- 2010

8 | 128-bit long digital signatures.
- Patarin, Courtois, et al.
- 2001
Citation Context ...em of solving a multivariate system of quadratic equations. Their scheme is obtained by building upon the 5-pass (or 3-pass) identification scheme in [76] and applying the FS transform. For 128-bit post-quantum security, signature sizes are about 40 kB, public key sizes are 72 bytes and secret key sizes are 64 bytes. We note that there are other MQ-based approaches like Unbalanced Oil-and-Vinegar (UOV) variants [72] or HFEv- variants (cf. [74]), having somewhat larger keys (on the order of kB) but much shorter signatures. However, they have no provable security guarantees, the parameter choice seems very aggressive, there are no parameters for conservative (post-quantum) security levels, and no implementations are available. Supersingular Isogenies (QROM). Yoo et al. in [84] proposed a post-quantum signature scheme whose security is based on supersingular isogeny problems. The scheme is obtained by building upon the identification scheme in [37] and applying the Unruh transform. For 128-bit post-quantum securi... |

8 | Public-key identification schemes based on multivariate quadratic polynomials.
- Sakumoto, Shirai, et al.
- 2011
Citation Context ...drop key sizes to the order of a few kB. Most notable is BLISS [34, 33], which achieves performance nearly comparable to RSA. However, it must be noted that ideal lattices have not been investigated nearly as deeply as standard lattices, and thus there is less confidence in the assumptions (cf. [73]). MQ-Based Signatures (ROM). Recently, Hülsing et al. in [54] proposed a post-quantum signature scheme (MQDSS) whose security is based on the problem of solving a multivariate system of quadratic equations. Their scheme is obtained by building upon the 5-pass (or 3-pass) identification scheme in [76] and applying the FS transform. For 128-bit post-quantum security, signature sizes are about 40 kB, public key sizes are 72 bytes and secret key sizes are 64 bytes. We note that there are other MQ-based approaches like Unbalanced Oil-and-Vinegar (UOV) variants [72] or HFEv- variants (cf. [74]), having somewhat larger keys (on the order of kB) but much shorter signatures. However, they have no provable security guarant... |

7 | The Fiat-Shamir transformation in a quantum world
- Dagdelen, Fischlin, et al.
- 2013
Citation Context ...M vs ROM. One way of arguing security for signatures obtained via the FS heuristic in the stronger QROM is to assume that it simply holds as long as the underlying protocol and the hash function used to instantiate the random oracle (RO) are quantum-secure. It is, however, known [17] that there are signature schemes secure in the ROM that are trivially insecure in the quantum-accessible ROM (QROM), i.e., when the adversary can issue quantum queries to the RO. This is particularly true for the rewinding of adversaries within security reductions, as is the case within the FS transform [29]. Possibilities to circumvent this issue are history-free reductions [17] or the use of oblivious commitments within the FS transform, which is not applicable to our approach. Although many existing schemes ignore QROM security, given the general uncertainty about the capabilities of quantum adversaries, we prefer to avoid this assumption. Building upon results from Unruh [80, 81, 82], we achieve provable security in the QROM under reasonable assumptions. 2 Building Blocks Below, we informally recall the notion of Σ-protocols and other standard primitives. Sigma Protocol. A sigma protocol (eq... |

7 | A new zero-knowledge code-based identification scheme with reduced communication.
- Melchor, Gaborit, et al.
- 2011
Citation Context ...rees, this approach yields stateful signatures for any polynomial number of messages [69], where the state ensures that a one-time signature key from the tree is not reused. Making the tree very large and randomly selecting a key from it (cf. [45]), along with other optimizations, yields practical stateless hash-based signatures [16]. There are also existing schemes that make structured (or number-theoretic) assumptions. Code-based signature schemes can be obtained from identification schemes based on the syndrome decoding (SD) problem [68, 79, 83] by applying a variant of the well-known Fiat-Shamir (FS) transform [38]. Lattice-based signature schemes secure under the short integer solution (SIS) problem on lattices following the Full-Domain-Hash (FDH) paradigm [12] have been introduced in [41]. More efficient approaches [7, 8, 63, 64] rely on the FS transform instead of FDH. BLISS [34], a very practical scheme, also relies on the FS transform, but buys efficiency at the cost of more pragmatic assumptions, i.e. a ring version of the SIS problem. For signatures based on problems related to multivariate systems of quadratic equations only rece... |

6 | Polynomial time algorithms for discrete logarithms and factoring on a quantum computer.
- Shor
- 1994
Citation Context ...of the recent trend to strive for practical symmetric ciphers with a particularly low number of multiplications and end up using LowMC. *This paper is a merge of [32, 44]. D. Derler, S. Ramacher, C. Rechberger, and D. Slamanig have been supported by H2020 project PRISMACLOUD, grant agreement no. 644962. C. Rechberger has additionally been supported by EU H2020 project PQCRYPTO, grant agreement no. 645622. C. Orlandi has been supported by COST Action IC1306. 1 Introduction More than two decades ago Shor published his polynomial-time quantum algorithm for factoring and computing discrete logarithms [78]. Since then, we know that a sufficiently powerful quantum computer is able to break nearly all public-key cryptography used in practice today. This motivates the invention of cryptographic schemes with post-quantum (PQ) security, i.e., security against attacks by a quantum computer. While no sufficiently powerful quantum computer currently exists, to avoid a rushed transition from current cryptographic algorithms to PQ-secure algorithms, NIST recently announced a post-quantum crypto project [Footnote 1: http://csrc.nist.gov/groups/ST/post-quantum-crypto/]. The project is seeking proposals for public-key encryption, key exchange and digital signatures thoug... |

4 | Zero-knowledge proofs from secure multiparty computation.
- Ishai, Kushilevitz, et al.
- 2009
Citation Context ... here, and present ZKB++, an improved version of ZKBOO with proofs that are less than half the size. 3.1 ZKBOO We now present the details of the ZKBOO protocol. While ZKBOO is presented with various possible parameter options, we present only the final version from [43] with the best parameters. Moreover, while ZKBOO presents both interactive and non-interactive protocol versions, we present only the non-interactive version, since our main goal is building a signature scheme, for which we need the non-interactive version. Overview. ZKBOO builds on the MPC-in-the-head paradigm of Ishai et al. [55], which we describe only informally here. The multiparty computation (MPC) protocol implements the relation, and the input is the witness. For example, the MPC could compute y = SHA-256(x), where the players each hold a share of x and y is public. The idea is to have the prover simulate a multiparty computation protocol "in their head", commit to the state and transcripts of all players, and then have the verifier "corrupt" a random subset of the simulated players by seeing their complete state. The verifier then checks that the computation was done correctly from the perspective of the corrupted pl... |

4 | Non-interactive zero-knowledge proofs in the quantum random oracle model.
- Unruh
- 2015
Citation Context ...ature schemes, we make several contributions of general interest to zero-knowledge proofs both in the classical and post-quantum setting: • We improve ZKBOO [42], a recent Σ-protocol for proving statements over general circuits. We reduce the transcript size by more than half without increasing the computational cost. We call the improved protocol ZKB++. This improvement is of general interest outside of our application to post-quantum signatures, as it yields significantly more concise zero-knowledge proofs even in the classical setting. • We also show how to apply Unruh's generic transform [80, 81, 82] to obtain a non-interactive counterpart of ZKB++ that is secure in the quantum-accessible random oracle model (QROM; see [17]). To our knowledge, we are the first to apply Unruh's transform in an efficient signature scheme. • Unruh's construction is generic, and does not immediately yield compact proofs. However, we specialize the construction to our application, and we find the overhead is surprisingly low: whereas a generic application of Unruh's transform incurs a 4x increase in size when compared to FS, we were able to reduce the size overhead of Unruh's transform to only 1.6x. Again, th... |

3 | SPHINCS: practical stateless hash-based signatures.
- Bernstein, Hopwood, et al.
- 2015
Citation Context ...tic speed-up over classical algorithms, this requires doubling the bit size of the hash function's domain, but requires no additional assumptions to provably achieve post-quantum security. Combined with Merkle trees, this approach yields stateful signatures for any polynomial number of messages [69], where the state ensures that a one-time signature key from the tree is not reused. Making the tree very large and randomly selecting a key from it (cf. [45]), along with other optimizations, yields practical stateless hash-based signatures [16]. There are also existing schemes that make structured (or number-theoretic) assumptions. Code-based signature schemes can be obtained from identification schemes based on the syndrome decoding (SD) problem [68, 79, 83] by applying a variant of the well-known Fiat-Shamir (FS) transform [38]. Lattice-based signature schemes secure under the short integer solution (SIS) problem on lattices following the Full-Domain-Hash (FDH) paradigm [12] have been introduced in [41]. More efficient approaches [7, 8, 63, 64] rely on the FS transform instead of FDH. BLISS [34], a very practical scheme, also relies on ... |

3 | Geppetto: Versatile verifiable computation.
- Costello, Fournet, et al.
- 2015
Citation Context ...ess, practically efficient proofs were until recently only known for restricted languages covering algebraic statements in certain algebraic structures, e.g., discrete logarithms [77, 26] or equations over bilinear groups [49]. Expressing any NP language as a combination of algebraic circuits could be done, for example, by expressing the relation as a circuit; however, for circuits of practical interest (such as hash functions or block ciphers), this gets prohibitive. Even SNARKs, where proof size can be made small (and constant) and verification is highly efficient, have very costly proofs (cf. [40, 14, 24] and the references therein).[3] Unfortunately, signatures require small proof computation times (efficient signing procedures), so this direction is not suitable. Quite recently, dedicated ZK proof systems for statements expressed as Boolean circuits by Jawurek et al. [56] and statements expressed as RAM programs by Hu et al. [53] have been proposed. As we exclusively focus on circuits, let us take a look at [56]. They proposed to use garbled circuits to obtain ZK proofs, which allow one to efficiently prove statements like knowledge of x for y = SHA-256(x). Unfortunately, this approach is inheren... |

3 | NESSIE proposal: Noekeon.
- Daemen, Peeters, et al.
- 2000
Citation Context ...4000 AND gates. Even though collision resistance is often not required, hash functions like SHA-256 are a popular choice for proof-of-concept implementations. The number of AND gates of a single call to the SHA-256 compression function is about 25000, and a single call to the permutation underlying SHA-3 needs 38400. Lightweight Ciphers. Most early designs in this domain focused on small area when implemented in hardware, where an XOR gate is larger than an AND or NAND gate by a small factor. Notable designs with a low number of AND gates at the 128-bit security level are the block ciphers Noekeon [27] (2048 AND gates) and Fantomas [48] (2112 AND gates). Furthermore, one should mention Prince [18] (1920 AND gates), or the stream cipher Trivium [31] (1536 AND gates to compute 128 output bits) with 80-bit security. Custom Ciphers with a Low Number of Multiplications. Motivated by applications in SHE/FHE schemes, MPC protocols and SNARKs, a trend to design symmetric encryption primitives with a low number of multiplications or a low multiplicative depth has recently started to evolve. This is a trend we can take advantage of. We start with the LowMC [6] block cipher family. In the most recent version of the proposal [4], the n... |

2 | High-speed signatures from standard lattices.
- Dagdelen, El Bansarkhani, et al.
- 2014
Citation Context ...and public key size of ≈ 160 bytes [Footnote 2: The given estimations are taken from a recent talk of Nicolas Sendrier (available at https://pqcrypto.eu.org/mini.html), as, unfortunately, there are no free implementations available.]. We note that there are also other code-based signatures [25] based on the Niederreiter [70] dual of the McEliece cryptosystem [65], which do not come with a security reduction, have been shown to be insecure [36] and also do not seem practical [62]. There is a more recent provably secure approach [35]; however, it is not immediate whether this leads to efficient signatures. Lattice-Based Signatures (ROM). For lattice-based signatures there are two major directions. The first are schemes that rely on the hardness of worst-to-average-case problems in standard lattices [41, 64, 8, 28, 7]. Although they are desirable from a security point of view, they suffer from huge public keys, i.e., on the order of a few to some 10 MB. TESLA [7] (based upon [8, 64]) improves all aspects of the performance of GPV [41], but still has keys on the order of 1 MB. More efficient lattice-based schemes are based on ring analogues of classical lattice problems [51, 34, 9, 3, 10], whose security is related to hardness assumptions in ideal lattices. These constructions allow one to drop key sizes to the order of a few kB. Most notable is BLISS [34, 33], which achieves performance nearly comparable to... |

2 | Quantum Differential and Linear Cryptanalysis. ArXiv e-prints
- Kaplan, Leurent, et al.
- 2015
Citation Context ...es of such an approach are already given in the document describing version 2 of the design [4]. In our setting, this approach may not lead to the best results, as it ignores the impact of the large number of XOR operations it requires. To find the most suitable parameters, we thus explore a larger range of values for m. Whenever we want to instantiate our signature scheme with LowMC with s-bit security, we set k = n = 2·s. This choice to double the parameter in the quantum setting takes into account current knowledge of quantum cryptanalysis for models that are very generous to the attacker [58, 57]. In Appendix D, we prove that a block cipher with k = n = 2s gives 2s-bit classical security, and thus gives us the s-bit post-quantum security that we desire. Furthermore, we observe that the adversary only ever sees a single plaintext-ciphertext pair, and in the security proof given in Appendix D, we build a distinguisher that needs to see one additional pair. This is why we can set the data complexity d = 1. As LowMC is explicitly specified without a security margin against yet unknown attacks, we increase the number of rounds output by the LowMC parameterization script (provided by th... |

2 | CFS software implementation.
- Landais, Sendrier
- 2012
Citation Context ...h. Code-Based Signatures (ROM). In the code-based setting the most prominent and provably secure approach is to convert identification schemes due to Stern [79] and Véron [83] to signatures using FS. For the 128-bit security level and accounting for Grover, one obtains signature sizes of around 129 kB (in the best case) and a public key size of ≈ 160 bytes [Footnote 2: The given estimations are taken from a recent talk of Nicolas Sendrier (available at https://pqcrypto.eu.org/mini.html), as, unfortunately, there are no free implementations available.]. We note that there are also other code-based signatures [25] based on the Niederreiter [70] dual of the McEliece cryptosystem [65], which do not come with a security reduction, have been shown to be insecure [36] and also do not seem practical [62]. There is a more recent provably secure approach [35]; however, it is not immediate whether this leads to efficient signatures. Lattice-Based Signatures (ROM). For lattice-based signatures there are two major directions. The first are schemes that rely on the hardness of worst-to-average-case problems in standard lattices [41, 64, 8, 28, 7]. Although they are desirable from a security point of view, they suffer from huge public keys, i.e., on the order of a few to some 10 MB. TESLA [7] (based upon [8, 64]) improves all aspects of the performance of GPV [41], but still has keys on the order of 1 ... |

1 | Sharper Ring-LWE signatures.
- Barreto, Longa, et al.
- 2016
Citation Context ...to efficient signatures. Lattice-Based Signatures (ROM). For lattice-based signatures there are two major directions. The first are schemes that rely on the hardness of worst-to-average-case problems in standard lattices [41, 64, 8, 28, 7]. Although they are desirable from a security point of view, they suffer from huge public keys, i.e., on the order of a few to some 10 MB. TESLA [7] (based upon [8, 64]) improves all aspects of the performance of GPV [41], but still has keys on the order of 1 MB. More efficient lattice-based schemes are based on ring analogues of classical lattice problems [51, 34, 9, 3, 10], whose security is related to hardness assumptions in ideal lattices. These constructions allow one to drop key sizes to the order of a few kB. Most notable is BLISS [34, 33], which achieves performance nearly comparable to RSA. However, it must be noted that ideal lattices have not been investigated nearly as deeply as standard lattices, and thus there is less confidence in the assumptions (cf. [73]). MQ-Based Signatures (ROM). Recently, Hülsing et al. in [54] proposed a post-quantum signature scheme (MQDSS) whose security is based on the problem of solving a multivariate system of quadratic eq... |

1 | From identification to signatures, tightly: A framework and generic transforms.
- Bellare, Poettering, et al.
- 2016
Citation Context ...a′(t)). If e′ = e, output Accept, otherwise output Reject. Scheme 1: The ZKB++ proof system, made non-interactive using the Fiat-Shamir transform. ...to (2-)special soundness, and the 3-special soundness of ZKBOO requires an additional rewind. In particular, an adapted version of the proof of [59, Theorem 8.2] which considers this additional rewind attests the security of Scheme 2. The security reduction, however, is a non-tight one, as for most signature schemes constructed from Σ-protocols.[5] We obtain the following: Corollary 1. Scheme 2 instantiated with ZKB++ and a secure pseudorandom function yields an EUF-CMA secure signature scheme in the ROM. Scheme 2: Gen(1^κ): Choose x ←R D, k ←R K, compute y ← f_k(x), set pk ← (y, x) and sk ← (pk, k), and return (sk, pk). Sign(sk, m): Parse sk as (pk, k), compute p = (r, s) ← Prove^H((y, x, m), k) and return σ ← p, where internally the challenge is computed as c ← H(r, m). Verify(pk, m, σ): Parse pk as (y, x) and σ as p = (r, s). Return 1 if the following holds, and 0 otherwise: Verify^H((y, x, m), p) = 1, where int... [Footnote 5: There are numerous works on signatures from (three-move) identification schemes [71, 75, 1, 2, 60, 11, 30]. Unfortunately, existing proof techniques do not give tight security reductions.] |
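The two contexts above, the informal MPC-in-the-head overview (Ishai et al. [55] as used by ZKBOO) and Scheme 2 with pk = (y, x) and sk = (pk, k), are easier to follow with working code. What follows is an added example written for this page; it is not the authors' ZKB++ or ZKBOO implementation and omits their size optimizations. It uses ZKBOO's three-party XOR-sharing (an AND gate share needs the next party's shares and one random tape bit from each of the two parties), hash commitments to the three views, a Fiat-Shamir challenge derived from the commitments, the statement and the message, and opens two of the three views per repetition. Everything concrete is an assumption of this example: the 8-bit circuit f_k(x) is a constructed toy, not LowMC; T = 20 repetitions give only soundness error (2/3)^20; SHAKE-256 for the random tapes and SHA-256 for commitments are arbitrary choices. The Fiat-Shamir version shown is the ROM construction; the Unruh-transform variant for the QROM is not implemented.

```python
import hashlib, secrets

N = 8   # toy key/block width in bits (constructed example; the paper instantiates f with LowMC)
T = 20  # parallel repetitions: a cheating prover passes with probability (2/3)^T, a toy value

def build_circuit(rounds=3):
    """Toy f_k(x) over AND/XOR gates (not LowMC): wires 0..N-1 hold the key k, N..2N-1 the public x."""
    gates = []
    def gate(op, a, b):                       # every gate appends one output wire
        gates.append((op, a, b))
        return 2 * N + len(gates) - 1
    key, st = list(range(N)), list(range(N, 2 * N))
    for _ in range(rounds):
        st = [gate('xor', s, k) for s, k in zip(st, key)]                                    # key addition
        st = [gate('xor', st[i], gate('and', st[(i + 1) % N], st[(i + 2) % N])) for i in range(N)]  # chi-like S-box
        st = [gate('xor', st[i], st[(i + 3) % N]) for i in range(N)]                        # linear mixing
    return gates, st

GATES, OUTS = build_circuit()
N_AND = sum(op == 'and' for op, _, _ in GATES)
def evaluate(k, x):
    """Plain (non-MPC) evaluation of f_k(x), used by key generation."""
    w = list(k) + list(x)
    for op, a, b in GATES:
        w.append(w[a] & w[b] if op == 'and' else w[a] ^ w[b])
    return [w[o] for o in OUTS]
def tape(seed):
    """A party's random bits, one per AND gate, expanded from its seed (SHAKE-256 is this example's choice)."""
    return [(b >> i) & 1 for b in hashlib.shake_256(seed).digest((N_AND + 7) // 8) for i in range(8)][:N_AND]
def and_share(w_i, w_n, a, b, r_i, r_n):
    """Party i's AND share from its own and party i+1's inputs plus a tape bit of each; the three XOR to a*b."""
    return (w_i[a] & w_i[b]) ^ (w_n[a] & w_i[b]) ^ (w_i[a] & w_n[b]) ^ r_i ^ r_n
def commit(view):
    """Hash commitment to a view (seed, input shares, recorded AND outputs); the random seed keeps it hiding."""
    return hashlib.sha256(view[0] + bytes(view[1]) + bytes(view[2])).digest()
def run(inputs, seeds, recorded):
    """Run 3 parties (prover: recorded = [None]*3) or an opened pair (e, e+1) (verifier). Party i's AND
    share is recomputed while party i+1 is present and must equal recorded[i] if given; party e+1, whose
    partner e+2 stays hidden, uses its recorded values. Returns (wires, and_outs) or None on a mismatch."""
    P, tapes, wires, and_outs = len(inputs), [tape(s) for s in seeds], [list(s) for s in inputs], [[] for _ in inputs]
    for op, a, b in GATES:
        if op == 'xor':
            for w in wires: w.append(w[a] ^ w[b])          # XOR gates are local to each party
            continue
        j = len(and_outs[0])
        for i in range(P):
            n = (i + 1) % 3
            if n < P:
                z = and_share(wires[i], wires[n], a, b, tapes[i][j], tapes[n][j])
                if recorded[i] is not None and z != recorded[i][j]: return None
            else:
                z = recorded[i][j]
            and_outs[i].append(z)
        for i in range(P): wires[i].append(and_outs[i][j])
    return wires, and_outs
def challenge(commits, outputs, x, y, msg):
    """Fiat-Shamir: T challenges in {0,1,2} from the first message r (commitments, output shares), the
    statement (y, x) and the message m, i.e. c <- H(r, m) in the scheme."""
    h = hashlib.shake_256(msg + bytes(x) + bytes(y))
    for c3, o3 in zip(commits, outputs):
        for c, o in zip(c3, o3): h.update(c + bytes(o))
    return [b % 3 for b in h.digest(16 * T) if b < 255][:T]     # drop 255 so each value is uniform mod 3
def keygen():
    """Gen: pk = (y, x) with y = f_k(x), sk = (pk, k)."""
    k, x = [[secrets.randbits(1) for _ in range(N)] for _ in range(2)]
    pk = (evaluate(k, x), x)
    return (pk, k), pk
def sign(sk, msg):
    """Sign: a non-interactive proof of knowledge of k with f_k(x) = y, bound to msg."""
    (y, x), k = sk
    commits, outputs, views_all = [], [], []
    for _ in range(T):
        seeds = [secrets.token_bytes(16) for _ in range(3)]
        k0, k1 = [[secrets.randbits(1) for _ in range(N)] for _ in range(2)]
        k2 = [kb ^ a ^ b for kb, a, b in zip(k, k0, k1)]          # k = k0 ^ k1 ^ k2
        shares = [k0 + list(x), k1 + [0] * N, k2 + [0] * N]       # public x is shared as (x, 0, 0)
        wires, and_outs = run(shares, seeds, [None] * 3)
        views = [(seeds[i], shares[i], and_outs[i]) for i in range(3)]
        commits.append([commit(v) for v in views])
        outputs.append([[wires[i][o] for o in OUTS] for i in range(3)])
        views_all.append(views)
    es = challenge(commits, outputs, x, y, msg)
    return commits, outputs, [(views_all[j][e], views_all[j][(e + 1) % 3]) for j, e in enumerate(es)]
def verify(pk, msg, sig):
    """Verify: recompute the challenge and check the two opened views of every repetition."""
    (y, x), (commits, outputs, opened) = pk, sig
    if not (len(commits) == len(outputs) == len(opened) == T): return False
    for j, e in enumerate(challenge(commits, outputs, x, y, msg)):
        n, (v_e, v_n) = (e + 1) % 3, opened[j]
        if len(outputs[j]) != 3 or [a ^ b ^ c for a, b, c in zip(*outputs[j])] != list(y):
            return False                                          # output shares must reconstruct y
        for idx, v in ((e, v_e), (n, v_n)):                       # commitments, shapes, x shared as (x, 0, 0)
            if commit(v) != commits[j][idx] or len(v[1]) != 2 * N or len(v[2]) != N_AND: return False
            if list(v[1][N:]) != (list(x) if idx == 0 else [0] * N): return False
        res = run([v_e[1], v_n[1]], [v_e[0], v_n[0]], [v_e[2], v_n[2]])    # is party e consistent with e+1?
        if res is None or [[w[o] for o in OUTS] for w in res[0]] != [outputs[j][e], outputs[j][n]]:
            return False
    return True
```

Two checks in verify are easy to forget when working from the informal overview: the opened views must carry the public input x exactly as the sharing (x, 0, 0), otherwise a prover could quietly prove the statement for a different x, and the unopened party's output share is still needed, which is why all three output shares are part of the first message and hashed into the challenge. With two of three views revealed per repetition, a cheating prover survives one repetition with probability 2/3, so the repetition count, not the hash length, sets the soundness level; the paper's parameters are far larger than the T = 20 used here.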

1 | Stream ciphers: A practical solution for efficient homomorphic-ciphertext compression.
- Canteaut, Carpov, et al.
- 2016
Citation Context ...tput bits) with 80-bit security. Custom Ciphers with a Low Number of Multiplications. Motivated by applications in SHE/FHE schemes, MPC protocols and SNARKs, a trend to design symmetric encryption primitives with a low number of multiplications or a low multiplicative depth has recently started to evolve. This is a trend we can take advantage of. We start with the LowMC [6] block cipher family. In the most recent version of the proposal [4], the number of AND gates can be below 500 for 80-bit security, below 800 for 128-bit security, and below 1400 for 256-bit security. The stream cipher Kreyvium [22] needs, like Trivium, 1536 AND gates to compute 128 output bits, but offers a higher security level of 128 bits. Even though FLIP [67] was designed to have especially low depth, it needs hundreds of AND gates per bit and is hence not competitive in our setting. Last but not least, there are the block ciphers and hash functions around MiMC [5], which need fewer than 2·s multiplications for s-bit security in a field of size close to 2^s. Note that MiMC is the only design in this category which aims at minimizing multiplications in a field larger than F_2. However, since the size of the signatu... |

1 | Extended security arguments for signature schemes.
- Dagdelen, Galindo, et al.
- 2016

1 | Efficient zero-knowledge proofs of non-algebraic statements with sublinear amortized cost.
- Hu, Mohassel, et al.
- 2015
Citation Context ...lation as a circuit; however, for circuits of practical interest (such as hash functions or block ciphers), this gets prohibitive. Even SNARKs, where proof size can be made small (and constant) and verification is highly efficient, have very costly proofs (cf. [40, 14, 24] and the references therein).[3] Unfortunately, signatures require small proof computation times (efficient signing procedures), so this direction is not suitable. Quite recently, dedicated ZK proof systems for statements expressed as Boolean circuits by Jawurek et al. [56] and statements expressed as RAM programs by Hu et al. [53] have been proposed. As we exclusively focus on circuits, let us take a look at [56]. They proposed to use garbled circuits to obtain ZK proofs, which allow one to efficiently prove statements like knowledge of x for y = SHA-256(x). Unfortunately, this approach is inherently interactive and thus not suitable for the design of practical signature schemes. The very recent ZKBOO protocol due to Giacomelli et al. [42], which... [Footnote 3: Using SNARKs is reasonable in scenarios where provers are extremely powerful (such as verifiable computing [40]) or the runtime of the prover is not critical (such as Zerocash [1...] |

1 | From 5-pass MQ-based identification to MQ-based signatures. Cryptology ePrint Archive, Report 2016/708, to appear in Asiacrypt
- Hülsing, Rijneveld, et al.
- 2016
Citation Context ...tice-based signature schemes secure under the short integer solution (SIS) problem on lattices following the Full-Domain-Hash (FDH) paradigm [12] have been introduced in [41]. More efficient approaches [7, 8, 63, 64] rely on the FS transform instead of FDH. BLISS [34], a very practical scheme, also relies on the FS transform, but buys efficiency at the cost of more pragmatic assumptions, i.e. a ring version of the SIS problem. For signatures based on problems related to multivariate systems of quadratic equations, only recently have provably secure variants relying on the FS transform been proposed [54]. When it comes to confidence in the underlying assumptions, hash-based signatures are arguably the preferred candidate among all existing approaches. All other practical signatures require an additional structured assumption (in addition to assumptions related to hash functions). Our approach, like hash-based signatures, only requires security from symmetric primitives like hash functions and pseudorandom functions (PRFs), and we also require no additional structured assumptions. 1.1 Contributions We contribute a novel class of practical post-quantum signature schemes. Our approach only requir... |

1 | Breaking symmetric cryptosystems using quantum period finding.
- Kaplan, Leurent, et al.
- 2016
Citation Context ...es of such an approach are already given in the document describing version 2 of the design [4]. In our setting, this approach may not lead to the best results, as it ignores the impact of the large number of XOR operations it requires. To find the most suitable parameters, we thus explore a larger range of values for m. Whenever we want to instantiate our signature scheme with LowMC with s-bit security, we set k = n = 2·s. This choice to double the parameter in the quantum setting takes into account current knowledge of quantum cryptanalysis for models that are very generous to the attacker [58, 57]. In Appendix D, we prove that a block cipher with k = n = 2s gives 2s-bit classical security, and thus gives us the s-bit post-quantum security that we desire. Furthermore, we observe that the adversary only ever sees a single plaintext-ciphertext pair, and in the security proof given in Appendix D, we build a distinguisher that needs to see one additional pair. This is why we can set the data complexity d = 1. As LowMC is explicitly specified without a security margin against yet unknown attacks, we increase the number of rounds output by the LowMC parameterization script (provided by th... |

1 | Optimal security proofs for signatures from identification schemes.
- KILTZ, MASNY, et al.
- 2016

1 | State management for hash-based signatures.
- MCGREW, KAMPANAKIS, et al.
- 2016
Citation Context ... codes, lattices and multivariate systems of quadratic equations that are assumed to be quantum-immune and have a security proof in the ROM. By the end of the section, we review the state of the art in zero-knowledge proofs for non-algebraic statements. Hash-Based Signatures (SM). Hash-based signatures are attractive as they can be proven secure in the standard model (i.e., without ROs) under well-known properties of hash functions such as second preimage resistance. Unfortunately, highly efficient schemes like XMSS [21] are stateful, which seems to be problematic for practical applications [66] and desirable to omit. Stateless schemes like SPHINCS [16] are thus more desirable, but this comes at reduced efficiency and increased signatures. SPHINCS has a tight security reduction to the used building blocks, i.e., hash functions, PRGs and PRFs. On a 128 bit post-quantum security level, signatures are about 41 kB in size, and keys are of size about 1 kB each. Code-Based Signatures (ROM). In the code-based setting the most prominent and provably secure approach is to convert identification schemes due to Stern [79] and Veron [83] to signatures using FS. For the 128 bit security level an... |

1 | Towards stream ciphers for efficient FHE with low-noise ciphertexts.
- MEAUX, JOURNAULT, et al.
- 2016
Citation Context ...tocols and SNARKs, recently a trend to design symmetric encryption primitives with a low number of multiplications or a low multiplicative depth started to evolve. This is a trend we can take advantage of. We start with the LowMC [6] block cipher family. In the most recent version of the proposal [4], the number of AND gates can be below 500 for 80-bit security, below 800 for 128-bit security, and below 1400 for 256-bit security. The stream cipher Kreyvium [22] needs, similarly to Trivium, 1536 AND gates to compute 128 output bits, but offers a higher security level of 128 bit. Even though FLIP [67] was designed to have especially low depth, it needs hundreds of AND gates per bit and is hence not competitive in our setting. Last but not least there are the block ciphers and hash functions around MiMC [5] which need less than 2 · s multiplications for s-bit security in a field of size close to 2^s. Note that MiMC is the only design in this category which aims at minimizing multiplications in a field larger than F2. However, since the size of the signature depends on both the number of multiplications and the size of the field, this leads to a factor 2s^2 which, for all arguably secure insta... |

1 | A decade of lattice cryptography.
- PEIKERT
- 2016
Citation Context ...roves all aspects in the performance of GPV [41], but still has keys in the order of 1 MB. More efficient lattice-based schemes are based on ring analogues of classical lattice problems [51, 34, 9, 3, 10] whose security is related to hardness assumptions in ideal lattices. These constructions allow key sizes to drop to the order of a few kBs. Most notable is BLISS [34, 33], which achieves performance nearly comparable to RSA. However, it must be noted that ideal lattices have not been investigated nearly as deeply as standard lattices and thus there is less confidence in the assumptions (cf. [73]). MQ-Based Signatures (ROM). Recently, Hulsing et al. in [54] proposed a post-quantum signature scheme (MQDSS) whose security is based on the problem of solving a multivariate system of quadratic equations. Their scheme is obtained by building upon the 5-pass (or 3-pass) identification scheme in [76] and applying the FS transform. For 128 bit post-quantum security signature sizes are about 40 kB, public key sizes are 72 bytes and (footnote 2: The given estimations are taken from a recent talk of Nicolas Sendrier (available at https://pqcrypto.eu.org/mini.html), as, unfortunately, there are no free imple... |

1 | Design principles for HFEv- based multivariate signature schemes.
- PETZOLDT, CHEN, et al.
- 2015
Citation Context ... system of quadratic equations. Their scheme is obtained by building upon the 5-pass (or 3-pass) identification scheme in [76] and applying the FS transform. For 128 bit post-quantum security signature sizes are about 40 kB, public key sizes are 72 bytes and secret key sizes are 64 bytes. (Footnote 2: The given estimations are taken from a recent talk of Nicolas Sendrier (available at https://pqcrypto.eu.org/mini.html), as, unfortunately, there are no free implementations available.) We note that there are other MQ-based approaches like Unbalanced Oil-and-Vinegar (UOV) variants [72] or HFEv- variants (cf. [74]), having somewhat larger keys (order of kBs) but much shorter signatures. However, they have no provable security guarantees, the parameter choice seems very aggressive, there are no parameters for conservative (post-quantum) security levels, and no implementations are available. Supersingular Isogenies (QROM). Yoo et al. in [84] proposed a post-quantum signature scheme whose security is based on supersingular isogeny problems. The scheme is obtained by building upon the identification scheme in [37] and applying the Unruh transform. For 128 bit post-quantum security signature sizes are about ... |

1 | Computationally binding quantum commitments.
- UNRUH
- 2016
Citation Context ...ature schemes, we make several contributions of general interest to zero-knowledge proofs both in the classical and post-quantum setting: • We improve ZKBoo [42], a recent Σ-protocol for proving statements over general circuits. We reduce the transcript size by more than half without increasing the computational cost. We call the improved protocol ZKB++. This improvement is of general interest outside of our application to post-quantum signatures as it yields significantly more concise zero-knowledge proofs even in the classical setting. • We also show how to apply Unruh's generic transform [80, 81, 82] to obtain a non-interactive counterpart of ZKB++ that is secure in the quantum-accessible random oracle model (QROM; see [17]). To our knowledge, we are the first to apply Unruh's transform in an efficient signature scheme. • Unruh's construction is generic, and does not immediately yield compact proofs. However, we specialize the construction to our application, and we find the overhead was surprisingly low: whereas a generic application of Unruh's transform incurs a 4x increase in size when compared to FS, we were able to reduce the size overhead of Unruh's transform to only 1.6x. Again, th... |