MPC-in-the-Head后量子签名方案:公私钥size小,但签名size过大
1. 引言
前序博客:
- 未来的数字签名方案:Dilithium、FALCON 和 SPHINCS+
NIST已设立了PQC Additional Signatures Round 1,具体见:
- Post-Quantum Cryptography: Digital Signature Schemes - Round 1 Additional Signatures
当前的入围者有:
- 1)基于多变量的签名方案10个:
- 3WISE
- DME-Sign
- HPPC (Hidden Product of Polynomial Composition)
- MAYO
- PROV (PRovable unbalanced Oil and Vinegar)
- QR-UOV
- SNOVA
- TUOV (Triangular Unbalanced Oil and Vinegar)
- UOV (Unbalanced Oil and Vinegar)
- VOX
- 2)基于MPC-in-the-Head的签名方案7个:
- Biscuit
- MIRA
- MiRitH (MinRank in the Head)
- MQOM (MQ on my Mind)
- PERK
- RYDE
- SDitH (Syndrome Decoding in the Head)
- 3)基于Lattice的签名方案6个:
- EagleSign
- EHTv3 and EHTv4
- HAETAE
- HAWK
- HuFu (Hash-and-Sign Signatures From Powerful Gadgets)
- SQUIRRELS ( Square Unstructured Integer Euclidean Lattice Signature)
- 4)基于Code的签名方案5个:
- CROSS (Codes and Restricted Objects Signature)
- Enhanced pqsigRM
- FuLeeca
- LESS (Linear Equivalence)
- MEDS (Matrix Equivalence Digital Signature)
- 5)基于Symmetric的签名方案4个:
- AIMer
- Ascon-Sign
- FAEST
- SPHINCS-alpha
- 6)基于Isogeny的签名方案1个:
- SQIsign
- 7)其它签名方案5个:
- ALTEQ
- eMLE-Sig 2.0 (Embedded Multilayer Equations with Heavy Layer Randomization)
- KAZ-SIGN (Kriptografi Atasi Zarah)
- Preon
- Xifrat1-Sign.I
在第一轮中,已选中了2个lattice签名方案(Dilithium 和 FALCON)以及1个基域哈希的签名方案(SPHINCS+)。
而本轮中已有6个基于Lattice的签名方案。NIST可能将寻找非lattice方案来提供additional signatures。目前有2大流行方案:
- 基于多变量的签名方案:详情见Multivariate Cryptography Comes Storming Back for PQC【看好这个】
- 基于MPC-in-the-head的签名方案:以Picnic为例,私钥和公钥size都小,但签名size大。若用于替换TLS中的RSA或ECDSA,则对于34K签名,需要超过23个packets来发送该签名,开销巨大。
2. 基于MPC-in-the-head的签名方案
前一轮中,Picnic为基于MPC-in-the-head的签名方案。
Picnic采用:
- ZKP
- + MPC:可将某problem切分为多个计算要素,然后协作生成结果,中间阶段不暴露任何要素。
Picnic方案的优点是:其仅需要使用对称密钥方案(块加密和哈希函数)。
如上图所示,Peggy(Prover):
- 为生成签名密钥,需生成一个随机对称密钥作为其私钥sk。
- 创建一个公开可得的明文块,使用其对称密钥对该明文块进行加密获得 公开加密块。
- 将私钥sk 和 公开加密块 用作Peggy的公钥。
尽管许多ZKP方案使用Fiat-Shamir或Schnorr,Picnic采用了MPC-in-the-head方案,通过某MPC方案:
- Peggy获得由AND和XOR门构成的任意电路LowMC,然后在MPC中运行该电路主流程,再将运行结果发送给Victor(Verifier)。
- 所选中的LowMC电路应支持Peggy为Victor计算ZKP,来展示Peggy知道其私钥sk。
- LowMC电路中定义了块加密族,该块加密族可用于MPC和全同态加密中。
2.1 密钥对生成和签名
如上图所示,基本流程为:
- 生成随机明文块p,和随机私钥sk。
- 计算 C = L o w M C ( s k , p ) C=LowMC(sk,p) C=LowMC(sk,p),并定义公钥为pk=(C,p)。
- 签名:签名为将message看成是nonce值,其知悉相应的私钥sk的proof:
- 定义知悉sk,使得 C = L o w M C ( s k , p ) C=LowMC(sk,p) C=LowMC(sk,p)。
- 定义知悉签名中的消息m和公钥pk对应的sk。
2.2 速度对比
密钥生成阶段,Picnic的速度最快,但其签名和验签速度稍弱,而其中的基于Lattice的Dilithium方案为全能选手:
同时,Picnic的密钥size最小。其中Picnic_L1_FS的公钥为33个字节,私钥为49个字节,但其签名为34036个字节。
Picnic和SPHINCS+ 均具有小的公钥和私钥。以Picnic_L3_FS为例,其公钥为49字节,私钥为73字节,可轻松打败Dilithium、Falcon 和 Rainbow。Picnic的主要弱点在于其签名size大,需要71kB,而Dilithium仅需要2kB到4kB。
Picnic代码示例为:
#include stdio.h
#include stdint.h
#include stdlib.h
#include time.h
#include "api.h"
#include "picnic.h"
#define MLEN 59
char *showhex(uint8_t a[], int size) ;
int randombytes (unsigned char* random_array, unsigned long long num_bytes);
char *showhex(uint8_t a[], int size) {
char *s = malloc(size * 2 + 1);
for (int i = 0; i < size; i++)
sprintf(s + i * 2, "%02x", a[i]);
return(s);
}
int main(void)
{
size_t j;
int ret;
uint8_t m[MLEN + CRYPTO_BYTES];
uint8_t m2[MLEN + CRYPTO_BYTES];
// uint8_t sm[MLEN + CRYPTO_BYTES];
uint8_t pk[CRYPTO_PUBLICKEYBYTES];
uint8_t sk[CRYPTO_SECRETKEYBYTES];
unsigned char sm[sizeof(m) + CRYPTO_BYTES];
long long unsigned int smlen = sizeof(sm);
unsigned char mprime[50] = { 0 };
long long unsigned int mlen = sizeof(mprime);
randombytes(m, MLEN);
crypto_sign_keypair(pk, sk);
printf("NAME: %s\n", CRYPTO_ALGNAME);
printf("CRYPTO_PUBLICKEYBYTES = %d\n", CRYPTO_PUBLICKEYBYTES);
printf("CRYPTO_SECRETKEYBYTES = %d\n", CRYPTO_SECRETKEYBYTES);
printf("CRYPTO_BYTES = %d\n", CRYPTO_BYTES);
// printf("Signature Length + Msg = %ld\n", smlen);
printf("\nAlice Public key: %s\n",showhex(pk,CRYPTO_PUBLICKEYBYTES));
printf("Alice Secret key: %s\n",showhex(sk,CRYPTO_SECRETKEYBYTES));
printf("\nMessage: %s\n",showhex(m,MLEN));
crypto_sign(sm, &smlen, m, MLEN, sk);
ret = crypto_sign_open(m2, &mlen, sm, smlen, pk);
if(ret) {
fprintf(stderr, "Verification failed\n");
return -1;
}
/*
if(smlen != MLEN + CRYPTO_BYTES) {
fprintf(stderr, "Signed message lengths wrong\n");
return -1;
} */
if(mlen != MLEN) {
fprintf(stderr, "Message lengths wrong\n");
return -1;
}
for(j = 0; j < MLEN; ++j) {
if(m2[j] != m[j]) {
fprintf(stderr, "Messages don't match\n");
return -1;
}
}
printf("Signature (Showing 1/128th of signature): %s\n",showhex(sm,smlen/128));
return 0;
}
int randombytes (unsigned char* random_array, unsigned long long num_bytes)
{
// unsigned char *random_array = malloc (num_bytes);
size_t i;
srand ((unsigned int) time (NULL));
for (i = 0; i < num_bytes; i++)
{
random_array[i] = rand ();
}
return 0;
}
运行结果为:
NAME: picnicl3full
CRYPTO_PUBLICKEYBYTES = 49
CRYPTO_SECRETKEYBYTES = 73
CRYPTO_BYTES = 71179
Alice Public key: 0befe6cd9b6298fb28b875877bd0197f1f0306846d6acfcf490c17dec49021434b1778b7c957ceb31ebdab2bbd02b5c40e
Alice Secret key: 0b0c17dec49021434b1778b7c957ceb31ebdab2bbd02b5c40eefe6cd9b6298fb28b875877bd0197f1f0306846d6acfcf490c17dec49021434b1778b7c957ceb31ebdab2bbd02b5c40e
Message: 0c17dec49021434b1778b7c957ceb31ebdab2bbd02b5c40eff304211c2c13f45e17723c80e0b50bfec679df8226606ceaddba24d7ad4d5973420c6
Signature (Showing 1/128th of signature): 3b0d01000c17dec49021434b1778b7c957ceb31ebdab2bbd02b5c40eff304211c2c13f45e17723c80e0b50bfec679df8226606ceaddba24d7ad4d5973420c699185102220a6a94a04222064298054622469652911926a189665595aa5a068a0818291a0a4416614860502659552996666282151692a666a86a0a92486954282522809a11a4606418664665a4281856969140c99a5ce4f10595cc914919cbb542f391d5a3b603942cb1cbc0c2413e5c9e7f92a3f03b2e9733773beecdaadf9d89195c4548dc011be0a67ed282a1c10e09fc5285ebf68936196c058fdc0805b5695eb54daeb50ef5f8c550dda600173f344c7fd29f2b17821d7aa662c10b8cfbdedff941d2ed143c512e4732e1932a28cab803bcf4455e83401e1cef9684fcebb29cef2b05f39491b7d8499099e4e824504273cd59a47f0eed02fada506e2fc93f465fa799e022f593fdbaa16f9b7504c8ddc0c90a873588ae3b61bd2c81fd86c4c9f9200fb4876a37de821bc80191304f0d5509ec8828def45e2a14c49bab2f3a3649a2d6dcf36a67a06188730d4c5e667fb2bd691073e9e13e62fee98a8501f789d23b3ed8858d333ff89085c9152992c384984cf39f38be3b05b10b4fb20a79b54183be611e7668df5b02b28cfc1829a60ed02d3b8c65d2db619c1e12a53198a924c34978efdfd284b5b5b35a7867d8b3b415dfb349f4a80a7b5e0aad036b9d132aa2488653297d69f6835b2d478969c180a4d1ceec282ee087
参考资料
[1] Prof Bill Buchanan OBE 2023年9月博客 MPC-in-the-Head In Contention To Replace RSA, ECDSA and EdDSA For Signatures——Small keys and a relatively large signature