A Practical Multivariate Blind Signature Scheme · Mohamed Saied Emam Mohamed. 2/13 1 Blind...

APractical MultivariateBlind Signature Scheme

April 2017

Albrecht Petzoldt, Alan Szepieniec,Mohamed Saied Emam Mohamed

1 Blind Signatures

2 MQ SignaturesRainbowMQDSS

3 Multivariate Blind Signature SchemeSchemeNumbers

Blind Signature

Alice Bank

(sk), pk

Merchant

αemmodn

αdemd modn

Blind Signature

Alice Bank

(sk), pk

Merchant

αemmodn

αdemd modn

Blind Signature

Alice Bank

(sk), pk

Merchant

αemmodn

αdemd modn

Blind Signature

Alice Bank

(sk), pk

Merchant

αemmodn

αdemd modn

Blind Signature

Alice Bank

(sk), pk

Merchant

αemmodn

αdemd modn

MQ Signature Scheme

• EIP-based• HFEv-, UOV, Rainbow• P = T ◦ F ◦ S• verify s : P(s) ?

= H(m)

Ppublic knowledge

private knowledge

encryption or signature verification

decryption or signature generation

• ZKPoK-based• SSH (crypto’11), MQDSS (asiacrypt’16)• verify NIZKPoK{(x) : P(x) = y}

• Blind Signature: EIP + ZKPoK

MQ Signature Scheme

= H(m)

Ppublic knowledge

private knowledge

MQ Signature Scheme

= H(m)

Ppublic knowledge

private knowledge

• Unbalanced Oil and Vinegar: precursor to Rainbow

• v vinegar variables and o oil variables (v ≈ 2o)

• vinegar mixes with anything; oil never mixes with oil

• F ,P : Fv+oq → Fo

q with P = F ◦ S

• fi(x) = fi(xv;xo) = (xTv ,x

( )(xv

), i = 1, . . . , o

• signature generation:

• choose xv$←− Fv

• solve linear system to obtain xo (#eqns = #vars = o)• invert linear transformation S

q with P = F ◦ S

( )(xv

), i = 1, . . . , o

q with P = F ◦ S

( )(xv

), i = 1, . . . , o

Rainbow

• two layers of UOV

• partition xT = (xTv ,x

To1 ,x

• P,F : Fv+o1+o2q → Fo1+o2

q with P = T ◦ F ◦ S

• fi(x) = (xTv ,x

To1 ,x

, i = 1, . . . , o1

• fi(x) = (xTv ,x

To1 ,x

, i = o1 + 1, . . . , o1 + o2

• signature generation:• invert linear transformation T• choose xv

$←− Fvq

• solve o1 linear equations to obtain xo1

• treat (xv;xo1) as vinegar variables• solve o2 linear equations to obtain xo2

• invert linear transformation S

Rainbow

To1 ,x

• P,F : Fv+o1+o2q → Fo1+o2

• fi(x) = (xTv ,x

To1 ,x

, i = 1, . . . , o1

• fi(x) = (xTv ,x

To1 ,x

, i = o1 + 1, . . . , o1 + o2

$←− Fvq

Rainbow

To1 ,x

• P,F : Fv+o1+o2q → Fo1+o2

• fi(x) = (xTv ,x

To1 ,x

, i = 1, . . . , o1

• fi(x) = (xTv ,x

To1 ,x

, i = o1 + 1, . . . , o1 + o2

$←− Fvq

Rainbow

To1 ,x

• P,F : Fv+o1+o2q → Fo1+o2

• fi(x) = (xTv ,x

To1 ,x

, i = 1, . . . , o1

• fi(x) = (xTv ,x

To1 ,x

, i = o1 + 1, . . . , o1 + o2

$←− Fvq

SSH Protocol

• ZKPoK{(s) : P(s) = v}• uses polar form: G(x,y) = P(x+ y)− P(x)− P(y) + P(0)

Prover: P, s,v Verifier: P,vr0, t0

$←− Fnq ; e0

$←− Fmq ; r1 ← s− r0

c0 = Com(r0, t0, e0)

c1 = Com(r1,G(t0, r1) + e0)c0, c1

α$←− Fqα

t1 ← αr0 − t0e1 ← αP(r0)− e0 t1, e1

ch$←− {0, 1}ch

ch = 0→ c0?= Com(·)

ch = 1→ c1?= Com(·)

• turns SSH protocol into signature scheme

• non-interactive using Fiat-Shamir (sort of)

• optimization for speed and size

• 2.43 ms for signature generation (256 bits security)

Blind Signature Scheme: General Idea

dedicated signature scheme

+ basic algebraic properties

+ zero-knowledge proof

blind signature scheme

Blind Signature Scheme: General Idea

dedicated signature scheme

+ basic algebraic properties

+ zero-knowledge proof

blind signature scheme

Multivariate Blind Signature

Alice Bank

(sk = (T,F , S))pk = (P,R)

Merchant

w∗ = H(m)−R(z)

z$←− Fn

z∗ st. P(z∗) = w∗

NIZK NIZK

NIZKPoK{(z, z∗) : P(z∗) +R(z) = H(m)}

Alice Bank

(sk = (T,F , S))pk = (P,R)

Merchant

w∗ = H(m)−R(z)

z$←− Fn

z∗ st. P(z∗) = w∗

NIZK NIZK

Alice Bank

(sk = (T,F , S))pk = (P,R)

Merchant

w∗ = H(m)−R(z)

z$←− Fn

z∗ st. P(z∗) = w∗

NIZK NIZK

Alice Bank

(sk = (T,F , S))pk = (P,R)

Merchant

w∗ = H(m)−R(z)

z$←− Fn

z∗ st. P(z∗) = w∗

NIZK NIZK

Security Quirks

• need perfectly hiding commitments for blindness

• classical random oracle model

• universal one-more unforgeability• generalization of UUF-CMA to one-more-unforgeability

z∗ d×blind{

Security Quirks

z∗ d×blind{

Security Quirks

z∗ d×blind{

parameters, comparison

security parameters # rounds public key private key blind sig.level (bit) (F, (v1, o1, o2)) size (kB) size (kB) size (kB)

80 (GF(31),(16,18,17)) 84 29.4 20.1 11.5

100 (GF(31),(20,22,21)) 105 54.6 36.6 17.6

128 (GF(31),(25,27,27)) 135 106.8 70.2 28.5

192 (GF(31),(37,35,35)) 202 342.8 219.0 63.2

256 (GF(31),(50,53,53)) 269 802.4 507.1 111.9

Table: Proposed parameters for our blind signature scheme (GF(31)).

Security Scheme comm. Pub. key Sig. size Post-lvl. (bit) size (kB) (kB) quantum?

76RSA-1229 2 1.2 1.2 ×

Lattice-1024 4 10.2 66.9 XOur scheme 2 29.4 11.5 X

102RSA-3313 2 3.3 3.3 ×

Lattice-2048 4 23.6 89.4 XOur scheme 2 54.6 17.6 X

Table: Comparison of blind signature schemes — RSA / Ruckert / ours

Sage implementation

sec. lvl. Key Gen. Sign (Signer) Sig. Gen. (User) Sig. Verification

80 4,007 7 2,018 1,424

100 9,392 13 3,649 2,656

128 25,517 19 7,760 5,505

192 87,073 41 23,692 16,040

256 613,968 103 86,540 59,669

Table: Operational speed (milliseconds)

A Practical Multivariate Blind Signature Scheme · Mohamed Saied Emam Mohamed. 2/13 1 Blind...

Documents

Transcript of A Practical Multivariate Blind Signature Scheme · Mohamed Saied Emam Mohamed. 2/13 1 Blind...