Post-Quantum signatures Johannes Buchmann
Thanks to: Carlos Coronado, Martin Döring, Daniela Engelbert, Ulrike Meyer, Raphael Overbeck, Arthur Schmidt, Tobias Straub, Ulrich Vollmer, Ralf-Philipp Weinmann
Digital signatures are crucial for IT security today
Countries with digital signature legislation: Argentina, Australia, Austria, Belgium, Bermuda, Brazil, Bulgaria, Canada, Chile, Colombia, Costa Rica, Croatia, Czech Republic, Denmark, Dominican Republic, Ecuador, Estonia, European Union, Finland, France, Germany, Greece, Hong Kong, Hungary, India, Ireland, Israel, Italy, Japan, Luxembourg, Malaysia, Malta, Mexico, Netherlands, New Zealand, Nicaragua, Norway, OECD, Panama, Peru, Philippines, Poland, Portugal, Puerto Rico, Romania, Russian Federation, Singapore, Slovak Republic, Slovenia, South Africa, South Korea, Spain, Sweden, Switzerland, Taiwan, Thailand, Trinidad/Tobago Republic, Tunisia, United Kingdom, USA, Uruguay, Venezuela, Vietnam.
Applications are ready to use digital signatures
Netscape Messenger
Outlook Express
MICROSOFT WORD
ADOBE ACROBAT
https
Digital signatures in practice
Mortgage applications online
Air Traffic Control
Transactions between Mexican banks
Digital signatures in practice: RSA, DSA, ECC
Quantum computers kill all digital signatures
1981 Richard Feynman suggests QC
1985 David Deutsch develops theory
1993 Dan Simon finds first algorithms
1994 Peter Shor finds factoring and DL algorithm
2001 Chuang et al. factor 15
>= 2001 technological progress
We need:
Quantum-hard problems
Signatures
Security Models
Proofs and experiments
Implementations
Standards
Complexity theory
Nielsen & Chuang: QC cannot efficiently solve NP-complete problems
Brassard: No deterministic signature based on NP-complete problem
Lattice based signatures
γ-closest Vector Problem (γ-CVP)
Given: lattice $L \subseteq \mathbb{Z}^n$, $x \in \mathbb{Z}^n$, $\gamma > 0$
Find: $v \in L$ with $\|x - v\| \le \gamma \|x - w\|$ for all $w \in L$
CVP: $\gamma = 1$
Complexity of γ-CVP
Arora et al. (1997): $(\log n)^c$-CVP is NP-hard for all $c$
Goldreich, Goldwasser (2000): $\Omega(\sqrt{n/\log n})$-CVP is not NP-hard or $\mathrm{coNP} \subseteq \mathrm{AM}$
[Figure: γ axis with regions marked NP-hard and not NP-hard]
Lattice Signatures
Public Key: bad basis of lattice $L \subseteq \mathbb{Z}^n$
Private Key: reduced basis of $L$
Signature: message $m$ → hash → $x = h(m) \in \mathbb{Z}^n$ → solve γ-CVP → signature $v \in L$
Verification of $(m, v)$:
1. Check $v \in L$?
2. Accept iff $v$ close to $h(m)$.
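The sign and verify steps of this slide, as an added toy example in dimension 2 (not code from the talk). The bases R and B, the acceptance bound, the SHA-256 based h and the round-off CVP solver are all assumptions chosen for illustration; the dimension is far too small to be secure.

```python
from fractions import Fraction
import hashlib

R = [[7, 1], [-1, 8]]        # private key: reduced basis (rows), constructed
B = [[83, 77], [134, 125]]   # public key: bad basis of the same lattice, B = U*R
BOUND_SQ = 64                # accept iff ||h(m) - v||^2 <= 64 (chosen to fit R)

def coords(basis, x):
    """Exact coefficients c with c[0]*basis[0] + c[1]*basis[1] = x."""
    (a, b), (c, d) = basis
    det = a * d - b * c
    return [Fraction(x[0] * d - x[1] * c, det),
            Fraction(x[1] * a - x[0] * b, det)]

def babai_round(basis, x):
    """Round-off approximation to CVP: round the coefficients of x."""
    k = [round(c) for c in coords(basis, x)]
    return [k[0] * basis[0][j] + k[1] * basis[1][j] for j in range(2)]

def h(msg):
    """Hash a message to a point of Z^2 (assumed encoding)."""
    d = hashlib.sha256(msg).digest()
    return [int.from_bytes(d[:2], "big"), int.from_bytes(d[2:4], "big")]

def dist_sq(x, v):
    return sum((a - b) ** 2 for a, b in zip(x, v))

def sign(msg):
    # Solving gamma-CVP well needs the private reduced basis.
    return babai_round(R, h(msg))

def verify(msg, v):
    # 1. Is v in L? Its coefficients in the public basis must be integers.
    in_lattice = all(c.denominator == 1 for c in coords(B, v))
    # 2. Is v close to h(m)?
    return in_lattice and dist_sq(h(msg), v) <= BOUND_SQ
```

Rounding with R leaves an error of at most half the sum of the lengths of its basis vectors (about 7.6 here), so honest signatures always pass the bound; the same rounding with B on the point (100, 50) lands at squared distance 6280 instead of 10.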
GGH/Micciancio Scheme
Attack experiments (C. Ludwig): signature forgery
Public Key is HNF
dist(h(m), L) relative to max. distance
SunBlade100
[Figure: time [1000 seconds] against dimension, curves for 60%, 80%, 100%]
Conclusions:
Dimension > 780
Key size > 1 MByte
Public Key generation > 10 days
Signature > 1 hour
Verification < 1 second
NTRUSign (Hoffstein et al.)
NTRU Lattice:
$$\begin{pmatrix} 1 & \cdots & 0 & h_0 & h_1 & \cdots & h_{N-1} \\ \vdots & \ddots & \vdots & h_{N-1} & h_0 & \cdots & h_{N-2} \\ & & & \vdots & & \ddots & \vdots \\ 0 & \cdots & 1 & h_1 & h_2 & \cdots & h_0 \\ 0 & \cdots & 0 & q & 0 & \cdots & 0 \\ \vdots & \ddots & \vdots & \vdots & \ddots & & \vdots \\ 0 & \cdots & 0 & 0 & 0 & \cdots & q \end{pmatrix}$$
Completely determined by $h \in \mathbb{Z}[X]/(X^N - 1, q)$.
Signature and verification: efficient polynomial arithmetic (FFT)
Lattice basis never explicit
Standard EESS#1:
N = 251
dim(L) = 502
Public Key: 2008 bit
Secret Key: 251 bit
McEliece Coding based signatures
McEliece Cryptosystem
[Diagram: plaintext m, encode mG, code word w, add error vector of weight t, w, y, ciphertext c, (G, t)]
Bounded Distance Decoding Problem
Given: linear binary code $C \subseteq \mathbb{F}_2^n$, ciphertext $y \in \mathbb{F}_2^n$, weight $t \in \mathbb{N}$
Find: codeword $x \in C$ with $\mathrm{dist}(x, y) \le t$
Only exponential time algorithms are known
Courtois, Finiasz, Sendrier 2001
[Flow chart] Counter $i$ and hash of the document $m$ → hash value $h_i = h(m \circ i)$ → $h_i$ decodable? No / Yes → compute $z$ of weight $t$, $z = H^{-1} h_i$ → signature $(z, i)$
[Flow chart] Compute $s = Hz$ → = → valid / not valid
Efficiency of CFS Signature (Courtois, Finiasz, Sendrier 2001)
Public Key Size: 524 kbyte
Signature: $2^{36}$ Ops
Verification: $2^{10}$ Ops
Best Attack: $2^{83}$ Ops
Signatures based on polynomial equations: SFlash, HFE
Signatures based on braid groups
Merkle signatures
One-time signatures (OTSS) based on hash functions
Webserver authentication requires many key pairs
Merkle signature scheme:
One public key
Slightly larger signatures
Merkle's tree
[Figure: binary hash tree; leaves labelled H( ), inner nodes H(L,R) computed from left child L and right child R]
Key generation = H( ) =
Signing =(i,,,,,, ) i
Verification = i =(i,,,,,, )
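Key generation, signing and verification for a Merkle tree of one-time keys, as an added example (not code from the talk). It assumes Lamport's one-time signature as the OTS and SHA-256 as the hash; all function names and the layout of the signature tuple are choices made for this illustration.

```python
import hashlib, secrets

def H(data):
    return hashlib.sha256(data).digest()

def msg_bits(msg):
    d = H(msg)
    return [(d[j // 8] >> (j % 8)) & 1 for j in range(256)]

def ots_keygen():
    # Lamport: two secret strings per digest bit; verification key = their hashes
    x = [(secrets.token_bytes(32), secrets.token_bytes(32)) for _ in range(256)]
    return x, [(H(a), H(b)) for a, b in x]

def ots_sign(x, msg):
    return [x[j][b] for j, b in enumerate(msg_bits(msg))]

def ots_verify(y, msg, sig):
    return len(sig) == 256 and all(
        H(s) == y[j][b] for j, (s, b) in enumerate(zip(sig, msg_bits(msg))))

def leaf(y):
    return H(b"".join(a + b for a, b in y))

def keygen(height):
    # 2^height one-time key pairs; the public key is the root of the hash tree
    keys = [ots_keygen() for _ in range(2 ** height)]
    levels = [[leaf(y) for _, y in keys]]
    while len(levels[-1]) > 1:
        prev = levels[-1]
        levels.append([H(prev[k] + prev[k + 1]) for k in range(0, len(prev), 2)])
    return {"keys": keys, "levels": levels, "next": 0}, levels[-1][0]

def sign(priv, msg):
    i = priv["next"]
    if i >= len(priv["keys"]):
        raise RuntimeError("all one-time keys used")
    priv["next"] = i + 1          # a leaf must never sign twice
    x, y = priv["keys"][i]
    # authentication path: the sibling of the node above leaf i on every level
    path = [lvl[(i >> lv) ^ 1] for lv, lvl in enumerate(priv["levels"][:-1])]
    return i, ots_sign(x, msg), y, path

def verify(root, msg, signature):
    i, ots_sig, y, path = signature
    if not ots_verify(y, msg, ots_sig):
        return False
    node = leaf(y)
    for lv, sibling in enumerate(path):
        node = H(sibling + node) if (i >> lv) & 1 else H(node + sibling)
    return node == root
```

The signature carries the leaf index, the one-time signature, the one-time verification key and one sibling hash per tree level, which is why it is only slightly larger than the one-time signature alone while the public key stays a single hash value.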
Coronado experiments
$2^{16}$ leaves and SHA-1
public key size 168 bits
secret key size 642 bits
signature size 2904 bits

Key Generation (SunBlade-100, SunOS 5.8 Generic, 450 MHz)
N ($2^N$ leaves)   SHA-1       RIPEMD160
10                 2.45 sec    4.40 sec
11                 4.95 sec    8.74 sec
12                 9.31 sec    20.80 sec
13                 18.61 sec   35.71 sec
14                 37.32 sec   1.14 min
15                 1.24 min    2.41 min
16                 2.49 min    4.80 min

Signature (time in ms)
      SHA-1                    RIPEMD160
N     N      N div 2   1       N      N div 2   1
10    22.8   11.8      2.8     43.3   21.5      4.9
11    25.2   11.8      2.9     46.7   21.8      5.1
12    27.4   14.0      3.2     50.7   26.3      4.9
13    29.7   14.7      3.1     55.1   26.2      5.1
14    31.9   16.9      3.1     59.6   30.9      5.1
15    35.3   16.6      3.2     64.2   30.2      5.2
16    38.0   18.8      3.3     68.9   34.1      5.3

Verification (time in ms)
N     SHA-1   RIPEMD160
10    0.88    0.97
11    0.94    1.06
12    1.00    1.12
13    1.07    1.18
14    1.13    1.25
15    1.20    1.33
16    1.27    1.40

Security status
Secure if OTS and hash secure
Coronado 2004: forward secure
Open problems
Provably secure and efficient signature scheme based on lattices, coding theory, HFE
Application integration of Merkle
FlexiTrust
[Diagram: Registration, RA, database, KA, keys, PKI participants, clients, CMA, LDAP server, FlexiProvider, certificate management, FlexiTrust, crypto, Internet]
Thank You!