MPC-in-the-Head后量子签名方案:公私钥size小,但签名size过大

1. 引言

前序博客:

  • 未来的数字签名方案:Dilithium、FALCON 和 SPHINCS+

NIST已设立了PQC Additional Signatures Round 1,具体见:

  • Post-Quantum Cryptography: Digital Signature Schemes - Round 1 Additional Signatures

当前的入围者有:

  • 1)基于多变量的签名方案10个:
    • 3WISE
    • DME-Sign
    • HPPC (Hidden Product of Polynomial Composition)
    • MAYO
    • PROV (PRovable unbalanced Oil and Vinegar)
    • QR-UOV
    • SNOVA
    • TUOV (Triangular Unbalanced Oil and Vinegar)
    • UOV (Unbalanced Oil and Vinegar)
    • VOX
  • 2)基于MPC-in-the-Head的签名方案7个:
    • Biscuit
    • MIRA
    • MiRitH (MinRank in the Head)
    • MQOM (MQ on my Mind)
    • PERK
    • RYDE
    • SDitH (Syndrome Decoding in the Head)
  • 3)基于Lattice的签名方案6个:
    • EagleSign
    • EHTv3 and EHTv4
    • HAETAE
    • HAWK
    • HuFu (Hash-and-Sign Signatures From Powerful Gadgets)
    • SQUIRRELS ( Square Unstructured Integer Euclidean Lattice Signature)
  • 4)基于Code的签名方案5个:
    • CROSS (Codes and Restricted Objects Signature)
    • Enhanced pqsigRM
    • FuLeeca
    • LESS (Linear Equivalence)
    • MEDS (Matrix Equivalence Digital Signature)
  • 5)基于Symmetric的签名方案4个:
    • AIMer
    • Ascon-Sign
    • FAEST
    • SPHINCS-alpha
  • 6)基于Isogeny的签名方案1个:
    • SQIsign
  • 7)其它签名方案5个:
    • ALTEQ
    • eMLE-Sig 2.0 (Embedded Multilayer Equations with Heavy Layer Randomization)
    • KAZ-SIGN (Kriptografi Atasi Zarah)
    • Preon
    • Xifrat1-Sign.I

在第一轮中,已选中了2个lattice签名方案(Dilithium 和 FALCON)以及1个基域哈希的签名方案(SPHINCS+)。
而本轮中已有6个基于Lattice的签名方案。NIST可能将寻找非lattice方案来提供additional signatures。目前有2大流行方案:

  • 基于多变量的签名方案:详情见Multivariate Cryptography Comes Storming Back for PQC【看好这个】
  • 基于MPC-in-the-head的签名方案:以Picnic为例,私钥和公钥size都小,但签名size大。若用于替换TLS中的RSA或ECDSA,则对于34K签名,需要超过23个packets来发送该签名,开销巨大。

2. 基于MPC-in-the-head的签名方案

前一轮中,Picnic为基于MPC-in-the-head的签名方案。
Picnic采用:

  • ZKP
  • + MPC:可将某problem切分为多个计算要素,然后协作生成结果,中间阶段不暴露任何要素。

Picnic方案的优点是:其仅需要使用对称密钥方案(块加密和哈希函数)。
MPC-in-the-Head后量子签名方案:公私钥size小,但签名size过大_第1张图片
如上图所示,Peggy(Prover):

  • 为生成签名密钥,需生成一个随机对称密钥作为其私钥sk。
  • 创建一个公开可得的明文块,使用其对称密钥对该明文块进行加密获得 公开加密块。
  • 将私钥sk 和 公开加密块 用作Peggy的公钥。

尽管许多ZKP方案使用Fiat-Shamir或Schnorr,Picnic采用了MPC-in-the-head方案,通过某MPC方案:

  • Peggy获得由AND和XOR门构成的任意电路LowMC,然后在MPC中运行该电路主流程,再将运行结果发送给Victor(Verifier)。
  • 所选中的LowMC电路应支持Peggy为Victor计算ZKP,来展示Peggy知道其私钥sk。
  • LowMC电路中定义了块加密族,该块加密族可用于MPC和全同态加密中。

2.1 密钥对生成和签名

MPC-in-the-Head后量子签名方案:公私钥size小,但签名size过大_第2张图片

如上图所示,基本流程为:

  • 生成随机明文块p,和随机私钥sk。
  • 计算 C = L o w M C ( s k , p ) C=LowMC(sk,p) C=LowMC(sk,p),并定义公钥为pk=(C,p)。
  • 签名:签名为将message看成是nonce值,其知悉相应的私钥sk的proof:
    • 定义知悉sk,使得 C = L o w M C ( s k , p ) C=LowMC(sk,p) C=LowMC(sk,p)
    • 定义知悉签名中的消息m和公钥pk对应的sk。

2.2 速度对比

密钥生成阶段,Picnic的速度最快,但其签名和验签速度稍弱,而其中的基于Lattice的Dilithium方案为全能选手:
MPC-in-the-Head后量子签名方案:公私钥size小,但签名size过大_第3张图片
同时,Picnic的密钥size最小。其中Picnic_L1_FS的公钥为33个字节,私钥为49个字节,但其签名为34036个字节。

MPC-in-the-Head后量子签名方案:公私钥size小,但签名size过大_第4张图片
Picnic和SPHINCS+ 均具有小的公钥和私钥。以Picnic_L3_FS为例,其公钥为49字节,私钥为73字节,可轻松打败Dilithium、Falcon 和 Rainbow。Picnic的主要弱点在于其签名size大,需要71kB,而Dilithium仅需要2kB到4kB。
MPC-in-the-Head后量子签名方案:公私钥size小,但签名size过大_第5张图片
Picnic代码示例为:

#include stdio.h
#include stdint.h
#include stdlib.h
#include time.h
#include "api.h"
#include "picnic.h"

#define MLEN 59

char *showhex(uint8_t a[], int size) ;
int randombytes (unsigned char* random_array, unsigned long long num_bytes);
char *showhex(uint8_t a[], int size) {

    char *s = malloc(size * 2 + 1);
    for (int i = 0; i < size; i++)
        sprintf(s + i * 2, "%02x", a[i]);
    return(s);
}
int main(void)
{
  size_t j;
  int ret;
  uint8_t m[MLEN + CRYPTO_BYTES];
  uint8_t m2[MLEN + CRYPTO_BYTES];
 // uint8_t sm[MLEN + CRYPTO_BYTES];
  uint8_t pk[CRYPTO_PUBLICKEYBYTES];
  uint8_t sk[CRYPTO_SECRETKEYBYTES];
 unsigned char sm[sizeof(m) + CRYPTO_BYTES];
 long long unsigned int smlen = sizeof(sm);
    unsigned char mprime[50] = { 0 };
 
    long long unsigned int mlen = sizeof(mprime);

    randombytes(m, MLEN);
    crypto_sign_keypair(pk, sk);
  printf("NAME: %s\n", CRYPTO_ALGNAME);
  printf("CRYPTO_PUBLICKEYBYTES = %d\n", CRYPTO_PUBLICKEYBYTES);
  printf("CRYPTO_SECRETKEYBYTES = %d\n", CRYPTO_SECRETKEYBYTES);
  printf("CRYPTO_BYTES = %d\n", CRYPTO_BYTES);
//  printf("Signature Length + Msg = %ld\n", smlen);
  printf("\nAlice Public key: %s\n",showhex(pk,CRYPTO_PUBLICKEYBYTES));
  printf("Alice Secret key: %s\n",showhex(sk,CRYPTO_SECRETKEYBYTES));
  printf("\nMessage: %s\n",showhex(m,MLEN));

    crypto_sign(sm, &smlen, m, MLEN, sk);
    ret = crypto_sign_open(m2, &mlen, sm, smlen, pk);

    if(ret) {
      fprintf(stderr, "Verification failed\n");
      return -1;
    }
/*
    if(smlen != MLEN + CRYPTO_BYTES) {
      fprintf(stderr, "Signed message lengths wrong\n");
      return -1;
    }  */
    if(mlen != MLEN) {
      fprintf(stderr, "Message lengths wrong\n");
      return -1;
    }
    for(j = 0; j < MLEN; ++j) {
      if(m2[j] != m[j]) {
        fprintf(stderr, "Messages don't match\n");
        return -1;
      }
    }

 
  
  printf("Signature (Showing 1/128th of signature): %s\n",showhex(sm,smlen/128));
  return 0;
}
int randombytes (unsigned char* random_array, unsigned long long num_bytes)
{
 // unsigned char *random_array = malloc (num_bytes);
  size_t i;
srand ((unsigned int) time (NULL));
  for (i = 0; i < num_bytes; i++)
  {
    random_array[i] = rand ();
  }
  return 0;
}

运行结果为:

NAME: picnicl3full
CRYPTO_PUBLICKEYBYTES = 49
CRYPTO_SECRETKEYBYTES = 73
CRYPTO_BYTES = 71179
Alice Public key: 0befe6cd9b6298fb28b875877bd0197f1f0306846d6acfcf490c17dec49021434b1778b7c957ceb31ebdab2bbd02b5c40e
Alice Secret key: 0b0c17dec49021434b1778b7c957ceb31ebdab2bbd02b5c40eefe6cd9b6298fb28b875877bd0197f1f0306846d6acfcf490c17dec49021434b1778b7c957ceb31ebdab2bbd02b5c40e
Message: 0c17dec49021434b1778b7c957ceb31ebdab2bbd02b5c40eff304211c2c13f45e17723c80e0b50bfec679df8226606ceaddba24d7ad4d5973420c6
Signature (Showing 1/128th of signature): 3b0d01000c17dec49021434b1778b7c957ceb31ebdab2bbd02b5c40eff304211c2c13f45e17723c80e0b50bfec679df8226606ceaddba24d7ad4d5973420c699185102220a6a94a04222064298054622469652911926a189665595aa5a068a0818291a0a4416614860502659552996666282151692a666a86a0a92486954282522809a11a4606418664665a4281856969140c99a5ce4f10595cc914919cbb542f391d5a3b603942cb1cbc0c2413e5c9e7f92a3f03b2e9733773beecdaadf9d89195c4548dc011be0a67ed282a1c10e09fc5285ebf68936196c058fdc0805b5695eb54daeb50ef5f8c550dda600173f344c7fd29f2b17821d7aa662c10b8cfbdedff941d2ed143c512e4732e1932a28cab803bcf4455e83401e1cef9684fcebb29cef2b05f39491b7d8499099e4e824504273cd59a47f0eed02fada506e2fc93f465fa799e022f593fdbaa16f9b7504c8ddc0c90a873588ae3b61bd2c81fd86c4c9f9200fb4876a37de821bc80191304f0d5509ec8828def45e2a14c49bab2f3a3649a2d6dcf36a67a06188730d4c5e667fb2bd691073e9e13e62fee98a8501f789d23b3ed8858d333ff89085c9152992c384984cf39f38be3b05b10b4fb20a79b54183be611e7668df5b02b28cfc1829a60ed02d3b8c65d2db619c1e12a53198a924c34978efdfd284b5b5b35a7867d8b3b415dfb349f4a80a7b5e0aad036b9d132aa2488653297d69f6835b2d478969c180a4d1ceec282ee087

参考资料

[1] Prof Bill Buchanan OBE 2023年9月博客 MPC-in-the-Head In Contention To Replace RSA, ECDSA and EdDSA For Signatures——Small keys and a relatively large signature

你可能感兴趣的:(量子密码学,量子密码学)