Proof-of-Possession for KEM Certificates using Verifiable Generation

Certificate authorities in public key infrastructures typically require entities to prove possession of the secret key corresponding to the public key they want certified. While this is straightforward for digital signature schemes, the most efficient solution for public key encryption and key encapsulation mechanisms (KEMs) is an interactive challenge-response protocol, which departs from current issuance processes. In this work we investigate how to non-interactively prove possession of a KEM secret key, specifically for lattice-based KEMs, motivated by the recently proposed KEMTLS protocol, which replaces signature-based authentication in TLS 1.3 with KEM-based authentication. Although there are various zero-knowledge (ZK) techniques that can be used to prove possession of a lattice key, they yield large proofs or are inefficient to generate. We propose a technique called verifiable generation, in which a proof of possession is generated at the same time as the key itself. Our technique is inspired by the Picnic signature scheme and uses the multi-party-computation-in-the-head (MPCitH) paradigm; this similarity to a signature scheme allows us to bind attribute data to the proof of possession, as required by certificate issuance protocols. We show how to instantiate this approach for two lattice-based KEMs in Round 3 of the NIST post-quantum cryptography standardization project, Kyber and FrodoKEM, and achieve reasonable proof sizes and performance. Our proofs of possession are faster and an order of magnitude smaller than the previous best MPCitH technique for knowledge of a lattice key, and in size-optimized cases are comparable even to state-of-the-art direct lattice-based ZK proofs for Kyber.
Our approach relies on a new result showing the uniqueness of Kyber and FrodoKEM secret keys, even if the requirement that all secret key components are small is partially relaxed, which may be of independent interest for improving efficiency of zero-knowledge proofs for other lattice-based statements.
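The interactive challenge-response proof of possession that the abstract contrasts with its non-interactive approach, written out as an added example (this is not code from the paper, and it is not the paper's verifiable-generation technique). The CA encapsulates to the submitted public key and the requester proves it can decapsulate by returning a MAC over the certificate request keyed with the shared secret. The KEM underneath is a deliberately tiny Frodo-style LWE scheme constructed for this illustration (N=64, Q=2^15, ternary noise, no Fujisaki-Okamoto transform, no security claim); it is not Kyber or FrodoKEM. The function names (keygen, encaps, decaps, ca_challenge, requester_respond, ca_verify, run_pop) and the CSR bytes are assumptions of this example:

```python
"""Interactive proof-of-possession (PoP) for a KEM public key.

Added example, not code from the paper or from Kyber/FrodoKEM: it shows the
challenge-response round trip a CA needs when the key cannot sign its own
CSR.  The KEM is a deliberately tiny Frodo-style LWE scheme constructed for
this example (toy parameters, no Fujisaki-Okamoto transform, no security
claim); every name below is an assumption of this illustration.
"""
import hashlib
import hmac
import secrets

N = 64        # LWE dimension (toy)
Q = 1 << 15   # modulus; ternary noise keeps the decoding error far below Q/4
K = 128       # shared-secret bits carried in the ciphertext


def small():
    """Secret/error coefficient drawn from {-1, 0, 1}."""
    return secrets.randbelow(3) - 1


def keygen():
    """pk = (A, b = A*s + e mod Q); sk = s, with s and e ternary vectors."""
    A = [[secrets.randbelow(Q) for _ in range(N)] for _ in range(N)]
    s = [small() for _ in range(N)]
    e = [small() for _ in range(N)]
    b = [(sum(A[i][j] * s[j] for j in range(N)) + e[i]) % Q for i in range(N)]
    return (A, b), s


def derive(bits, ct):
    """Shared secret = SHA-256(message bits || ciphertext)."""
    h = hashlib.sha256(int("".join(map(str, bits)), 2).to_bytes(K // 8, "big"))
    for x in [x for row in ct[0] for x in row] + ct[1]:
        h.update(x.to_bytes(2, "big"))
    return h.digest()


def encaps(pk):
    """Frodo-style encapsulation: c1 = S'A + E', c2 = S'b + e'' + encode(m)."""
    A, b = pk
    sp = [[small() for _ in range(N)] for _ in range(K)]
    ep = [[small() for _ in range(N)] for _ in range(K)]
    m = [secrets.randbelow(2) for _ in range(K)]
    c1 = [[(sum(sp[r][i] * A[i][j] for i in range(N)) + ep[r][j]) % Q
           for j in range(N)] for r in range(K)]
    c2 = [(sum(sp[r][i] * b[i] for i in range(N)) + small() + m[r] * (Q // 2)) % Q
          for r in range(K)]
    return (c1, c2), derive(m, (c1, c2))


def decaps(sk, ct):
    """c2 - c1*s = encode(m) + (S'e + e'' - E's); |noise| <= 2N+1 << Q/4."""
    c1, c2 = ct
    bits = []
    for r in range(K):
        w = (c2[r] - sum(c1[r][j] * sk[j] for j in range(N))) % Q
        bits.append(1 if Q // 4 <= w < 3 * Q // 4 else 0)
    return derive(bits, ct)


# --- the PoP exchange the CA has to run for a KEM key ---------------------

def ca_challenge(pk):
    """CA, message 1: encapsulate to the submitted key; keep ss on the CA side."""
    ct, ss = encaps(pk)
    return (ct, secrets.token_bytes(16)), ss


def requester_respond(sk, csr, challenge):
    """Requester, message 2: decapsulate and MAC the CSR bytes with the result.

    Only a MAC leaves the requester; the decapsulated secret itself never does."""
    ct, nonce = challenge
    return hmac.new(decaps(sk, ct), nonce + csr, hashlib.sha256).digest()


def ca_verify(ss, csr, challenge, response):
    """CA: accept iff the requester derived the same secret the CA encapsulated."""
    ct, nonce = challenge
    expected = hmac.new(ss, nonce + csr, hashlib.sha256).digest()
    return hmac.compare_digest(expected, response)


def run_pop(sk_held, pk, csr):
    """Whole round trip; True iff the CA accepts.  sk_held is what the requester
    actually has, which may not be the key matching pk."""
    challenge, ss = ca_challenge(pk)
    return ca_verify(ss, csr, challenge, requester_respond(sk_held, csr, challenge))


if __name__ == "__main__":
    pk, sk = keygen()
    csr = b"CN=kem.example.test;O=Example"      # constructed CSR payload
    print("honest requester accepted:", run_pop(sk, pk, csr))
    _, other_sk = keygen()
    print("pk-only requester accepted:", run_pop(other_sk, pk, csr))
```

Three things a practitioner should take from the exchange. First, the extra CA-to-requester message is exactly what does not fit a one-shot, signed-CSR issuance flow; removing it is the point of the non-interactive proof the abstract describes. Second, the requester returns only a MAC bound to the CSR bytes and a fresh nonce, never the decapsulated secret, so a captured response cannot be replayed for a different request. Third, with a real deployment the KEM must be the IND-CCA (Fujisaki-Okamoto-transformed) variant, as Kyber and FrodoKEM are, so that a malicious or compromised CA cannot use PoP challenges as a decryption oracle against the key being certified; the toy above omits that transform.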
