SOFIA: MQ-based signatures in the QROM

We propose SOFIA, the first MQ-based signature scheme provably secure in the quantum-accessible random oracle model (QROM). Our construction relies on an extended version of Unruh's transform for 5-pass identification schemes, which we describe and prove secure both in the ROM and the QROM. Based on a detailed security analysis, we provide concrete parameters for SOFIA that achieve 128-bit post-quantum security. The result is SOFIA-4-128, with parameters carefully optimized to minimize signature size and maximize performance. SOFIA-4-128 comes with an implementation targeting recent Intel processors with the AVX2 vector-instruction set; the implementation is fully protected against timing attacks.
