Post-Quantum Zero-Knowledge and Signatures from Symmetric-Key Primitives

Melissa Chase, David Derler, Steven Goldfeder, Claudio Orlandi, Sebastian Ramacher, Christian Rechberger, Daniel Slamanig, Greg Zaverucha
Proceedings of the 2017 ACM SIGSAC Conference on Computer and Communications Security (CCS '17), 2017
We propose a new class of post-quantum digital signature schemes that: (a) derive their security entirely from the security of symmetric-key primitives, believed to be quantum-secure, (b) have extremely small keypairs, and (c) are highly parameterizable. In our signature constructions, the public key is an image y = f(x) of a one-way function f and secret key x. A signature is a non-interactive zero-knowledge proof of x that incorporates a message to be signed. For this proof, we leverage recent progress of Giacomelli et al. (USENIX'16) in constructing an efficient Σ-protocol for statements over general circuits. We improve this Σ-protocol to reduce proof sizes by a factor of two, at no additional computational cost. While this is of independent interest as it yields more compact proofs for any circuit, it also decreases our signature sizes. We consider two possibilities for making the proof non-interactive: the Fiat-Shamir transform, and Unruh's transform (EUROCRYPT'12, '15, '16). The former has smaller signatures, while the latter has a security analysis in the quantum-accessible random oracle model. By customizing Unruh's transform to our application, the overhead is reduced to 1.6x when compared to the Fiat-Shamir transform, which does not have a rigorous post-quantum security analysis. We implement and benchmark both approaches and explore the possible choice of f, taking advantage of the recent trend to strive for practical symmetric ciphers with a particularly low number of multiplications, and end up using LowMC.

* This paper is a merge of [32, 44]. D. Derler, S. Ramacher, C. Rechberger, and D.

Post-Quantum Signatures. Perhaps the oldest signature schemes with post-quantum security are one-time Lamport signatures [61], built using hash functions. As Grover's quantum search algorithm can invert any black-box function [50] with a quadratic speed-up over classical algorithms, this requires doubling the bit size of the hash function's domain, but requires no additional assumptions to provably achieve post-quantum security. Combined with Merkle trees, this approach yields stateful signatures for any polynomial number of messages [69], where the state ensures that a one-time signature key from the tree is not reused. By making the tree very large, and randomly selecting a key from it (cf. [45])
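As an added illustration (not code from the paper or from the Picnic implementation), the following Python sketches the construction the abstract describes: the public key is y = f(x), and a signature is a Fiat-Shamir-transformed MPC-in-the-head proof of knowledge of x with the message hashed into the challenge. Assumptions: f is a toy 3-bit circuit standing in for LowMC, the proof uses the original ZKBoo three-commitment form rather than the paper's halved ZKB++ variant or Unruh's transform, and 16 rounds are chosen for readability, not for any real security level.

```python
import hashlib, secrets
def f(x):  # toy stand-in for the one-way function f: (x0 AND x1) XOR x2
    return (x[0] & x[1]) ^ x[2]

def party_out(my, nxt, r_my, r_nxt):
    # Party i evaluates f on XOR shares; the AND gate (ZKBoo rule) also needs
    # party i+1's shares and randomness, the linear XOR gate does not.
    (a, b, c), (a2, b2, _) = my, nxt
    return (a & b) ^ (a2 & b) ^ (a & b2) ^ r_my ^ r_nxt ^ c

def commit(v):  # v = (share, r, out, salt); the random salt hides the share
    return hashlib.sha256(v[3] + bytes(v[0]) + bytes([v[1], v[2]])).digest()

def challenge(msg, y, rounds):
    # Fiat-Shamir: hash message, public key, all output shares and commitments
    outs = b"".join(bytes(o) for o, _ in rounds)
    coms = b"".join(c for _, cs in rounds for c in cs)
    return hashlib.sha256(msg + bytes([y]) + outs + coms).digest()

def sign(x, msg, reps=16):  # reps <= 32: one challenge byte per round
    y = f(x)
    views, rounds, sig = [], [], []
    for _ in range(reps):
        s = [tuple(secrets.randbelow(2) for _ in range(3)) for _ in range(2)]
        s.append(tuple(a ^ b ^ c for a, b, c in zip(x, *s)))  # s0^s1^s2 = x
        r = [secrets.randbelow(2) for _ in range(3)]
        outs = [party_out(s[i], s[(i+1)%3], r[i], r[(i+1)%3]) for i in range(3)]
        v = [(s[i], r[i], outs[i], secrets.token_bytes(16)) for i in range(3)]
        views.append(v)
        rounds.append((outs, [commit(w) for w in v]))
    e_all = challenge(msg, y, rounds)
    for k, v in enumerate(views):
        e = e_all[k] % 3  # open views e, e+1; send only output+commitment of e+2
        outs, coms = rounds[k]
        sig.append((e, v[e], v[(e+1)%3], outs[(e+2)%3], coms[(e+2)%3]))
    return y, sig

def verify(y, msg, sig):
    rounds = []
    for e, ve, vn, out3, com3 in sig:
        if party_out(ve[0], vn[0], ve[1], vn[1]) != ve[2]:  # recompute party e
            return False
        outs, coms = [0] * 3, [b""] * 3
        outs[e], outs[(e+1)%3], outs[(e+2)%3] = ve[2], vn[2], out3
        coms[e], coms[(e+1)%3], coms[(e+2)%3] = commit(ve), commit(vn), com3
        if outs[0] ^ outs[1] ^ outs[2] != y:  # output shares must reconstruct y
            return False
        rounds.append((outs, coms))
    e_all = challenge(msg, y, rounds)
    return all(e_all[k] % 3 == s[0] for k, s in enumerate(sig))
```

Each round opens two of the three party views, so a cheating prover survives a single round with probability 2/3; the number of rounds is the parameter that sets the soundness level, which is where the scheme's parameterizability comes from.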
doi:10.1145/3133956.3133997 dblp:conf/ccs/ChaseDGORRSZ17 fatcat:zz67tvgotzfs7kjhwtj7kmi7ry