PKP-Based Signature Scheme

In this document, we introduce PKP-DSS: a Digital Signature Scheme based on the Permuted Kernel Problem (PKP) [23]. PKP is a simple NP-hard [10] combinatorial problem: given a public matrix and a public vector, find a vector in the kernel of the matrix that is a permutation of the public vector. This problem was used to develop an Identification Scheme (IDS) that has a very efficient implementation on low-cost smart cards. From this zero-knowledge identification scheme, we derive PKP-DSS with the traditional Fiat-Shamir transform [9]. Thus, the security of PKP-DSS can be provably reduced, in the (classical) random oracle model, to the hardness of random instances of PKP (or, if desired, to any specific family of PKP instances). We propose parameter sets following the thorough analysis of the state-of-the-art attacks on PKP presented in [17]. We show that PKP-DSS is competitive with other signatures derived from zero-knowledge identification schemes. In particular, PKP-DSS-128 gives a signature size of approximately 20 KBytes for 128 bits of classical security, which is approximately 30% smaller than MQDSS. Moreover, our proof-of-concept implementation shows that PKP-DSS-128 is an order of magnitude faster than MQDSS, which in turn is faster than Picnic2, SPHINCS, ...
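To make the underlying problem concrete, the following is an added toy example (not code from the paper or its implementation) of a PKP instance over a prime field: key generation produces a public pair (A, v) and a secret permutation π such that A·π(v) ≡ 0 (mod p), and a checker verifies a candidate permutation. The parameters p = 251, m = 3, n = 6 and the construction of A (random columns plus one column solved so that the permuted vector lies in the kernel) are illustrative assumptions; real PKP-DSS parameters are far larger and are not reproduced here. The brute-force counter enumerates all n! permutations, which is only feasible at this toy size and serves to show why n must be large.

```python
"""Toy Permuted Kernel Problem (PKP) instance: key generation and solution check.

Added educational example; not the paper's own code. Parameters are tiny and
constructed for illustration only (real PKP-DSS parameters are much larger).
"""
import itertools
import random


def apply_permutation(perm, vec):
    """Return w with w[i] = vec[perm[i]]; perm is a list of indices 0..n-1."""
    return [vec[perm[i]] for i in range(len(vec))]


def mat_vec_mod(A, w, p):
    """Compute A*w reduced modulo p (A is a list of rows over Z_p)."""
    return [sum(a * x for a, x in zip(row, w)) % p for row in A]


def is_pkp_solution(A, v, perm, p):
    """True iff perm is a valid permutation and A * perm(v) == 0 mod p."""
    if sorted(perm) != list(range(len(v))):
        return False  # not a permutation of 0..n-1
    return all(c == 0 for c in mat_vec_mod(A, apply_permutation(perm, v), p))


def keygen(p, m, n, seed):
    """Generate a PKP instance: public key (A, v), secret key perm.

    Construction (assumption for this toy): draw v and perm at random, set
    w = perm(v), then choose the first n-1 columns of A at random and solve the
    last column so that every row satisfies <row, w> == 0 mod p. This needs
    w[-1] invertible mod p, so v is redrawn until that holds.
    """
    rng = random.Random(seed)
    perm = list(range(n))
    rng.shuffle(perm)
    while True:
        v = [rng.randrange(p) for _ in range(n)]
        w = apply_permutation(perm, v)
        if w[-1] % p != 0:
            break
    inv_last = pow(w[-1], -1, p)  # modular inverse; p is assumed prime
    A = []
    for _ in range(m):
        row = [rng.randrange(p) for _ in range(n - 1)]
        partial = sum(a * x for a, x in zip(row, w[:-1])) % p
        row.append((-partial * inv_last) % p)  # forces <row, w> == 0 mod p
        A.append(row)
    return (A, v), perm


def count_solutions_bruteforce(A, v, p):
    """Count permutations solving the instance by exhaustive search (n! work).

    Only usable for toy n; illustrates the search space a real instance defends
    against, where n! is astronomically large.
    """
    n = len(v)
    return sum(
        1 for perm in itertools.permutations(range(n))
        if is_pkp_solution(A, v, list(perm), p)
    )


if __name__ == "__main__":
    P, M, N = 251, 3, 6  # constructed toy parameters
    (A, v), secret_perm = keygen(P, M, N, seed=1)
    print("A =", A)
    print("v =", v)
    print("secret permutation =", secret_perm)
    print("valid solution:", is_pkp_solution(A, v, secret_perm, P))
    print("solutions found by brute force:", count_solutions_bruteforce(A, v, P))
```

The check `is_pkp_solution` is exactly what a verifier of the underlying identification scheme relies on in spirit: the relation is cheap to verify once π is known, while recovering π from (A, v) alone is the hard problem the scheme's security rests on.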

[1] Daniel Slamanig, et al. Post-Quantum Zero-Knowledge and Signatures from Symmetric-Key Primitives, 2017, CCS.

[2] Taizo Shirai, et al. Public-Key Identification Schemes Based on Multivariate Quadratic Polynomials, 2011, CRYPTO.

[3] Adi Shamir, et al. An Efficient Identification Scheme Based on Permuted Kernels (Extended Abstract), 1989, CRYPTO.

[4] Silvio Micali, et al. The Knowledge Complexity of Interactive Proof-Systems, 1985, STOC '85.

[5] Antoine Joux, et al. "Chinese & Match", an Alternative to Atkin's "Match and Sort" Method Used in the SEA Algorithm, 2001, Math. Comput.

[6] Louis Goubin, et al. Unbalanced Oil and Vinegar Signature Schemes, 1999, EUROCRYPT.

[7] Hugo Krawczyk, et al. Strengthening Digital Signatures via Randomized Hashing, 2006, CRYPTO.

[8] David Pointcheval, et al. A New Identification Scheme Based on the Perceptrons Problem, 1995, EUROCRYPT.

[9] Gilles Brassard, et al. Strengths and Weaknesses of Quantum Computing, 1997, SIAM J. Comput.

[10] Serge Fehr, et al. Security of the Fiat-Shamir Transformation in the Quantum Random-Oracle Model, 2019, IACR Cryptol. ePrint Arch.

[11] Jean Georgiades. Some Remarks on the Security of the Identification Scheme Based on Permuted Kernels, 2004, Journal of Cryptology.

[12] Guillaume Poupard. A Realistic Security Analysis of Identification Schemes Based on Combinatorial Problems, 1997, Eur. Trans. Telecommun.

[13] Vadim Lyubashevsky, et al. Fiat-Shamir with Aborts: Applications to Lattice and Factoring-Based Signatures, 2009, ASIACRYPT.

[14] David S. Johnson, et al. Computers and Intractability: A Guide to the Theory of NP-Completeness, 1978.

[15] Jacques Stern, et al. On the Length of Cryptographic Hash-Values Used in Identification Schemes, 1994, CRYPTO.

[16] Dominique Unruh, et al. Non-Interactive Zero-Knowledge Proofs in the Quantum Random Oracle Model, 2015, EUROCRYPT.

[17] Jacques Stern, et al. A New Identification Scheme Based on Syndrome Decoding, 1993, CRYPTO.

[18] Ivan Damgård, et al. Commitment Schemes and Zero-Knowledge Protocols, 1998, Lectures on Data Security.

[19] Henri Gilbert, et al. On the Security of the Permuted Kernel Identification Scheme, 1992, CRYPTO.

[20] Jacques Patarin, et al. Improved Algorithms for the Permuted Kernel Problem, 1993, CRYPTO.

[21] Jacques Patarin, et al. Analysis of Some Natural Variants of the PKP Algorithm, 2012, SECRYPT.

[22] Antoine Joux, et al. Cryptanalysis of PKP: A New Approach, 2001, Public Key Cryptography.

[23] Eike Kiltz, et al. A Concrete Treatment of Fiat-Shamir Signatures in the Quantum Random-Oracle Model, 2018, IACR Cryptol. ePrint Arch.

[24] Jacques Stern, et al. Security Proofs for Signature Schemes, 1996, EUROCRYPT.

[25] Omer Reingold, et al. Statistically Hiding Commitments and Statistical Zero-Knowledge Arguments from Any One-Way Function, 2009, SIAM J. Comput.

[26] Dominique Unruh, et al. Post-quantum Security of Fiat-Shamir, 2017, ASIACRYPT.

[27] Silvio Micali, et al. Practical and Provably-Secure Commitment Schemes from Collision-Free Hashing, 1996, CRYPTO.

[28] Adi Shamir, et al. An Efficient Identification Scheme Based on Permuted Kernels (extended abstract), 2022.

[29] Valérie Nachef, et al. Zero-Knowledge for Multivariate Polynomials, 2012, LATINCRYPT.

[30] Amos Fiat, et al. How to Prove Yourself: Practical Solutions to Identification and Signature Problems, 1986, CRYPTO.

[31] Damien Stehlé, et al. CRYSTALS-Dilithium: A Lattice-Based Digital Signature Scheme, 2018, IACR Trans. Cryptogr. Hardw. Embed. Syst.

[32] Gaëtan Leurent, et al. How Risky Is the Random-Oracle Model?, 2009, CRYPTO.

[33] Jacques Patarin, et al. On the Complexity of the Permuted Kernel Problem, 2019, IACR Cryptol. ePrint Arch.

[34] Ward Beullens. On Sigma Protocols with Helper for MQ and PKP, Fishy Signature Schemes and More, 2019, IACR Cryptol. ePrint Arch.

[35] Peter Schwabe, et al. From 5-Pass MQ-Based Identification to MQ-Based Signatures, 2016, ASIACRYPT.