Paper 2020/1184

Constant-time verification for cut-and-choose-based signatures

Robert Ransom

Abstract

In most post-quantum signature protocols, the verification procedure leaks information about which signature is being verified, and/or which public key is being used to verify the signature, to timing and other side-channel attacks. In some applications, this information leak is a breach of user privacy or system security. One class of signature protocols, based on the parallel composition of many runs of one or more interactive cut-and-choose protocols, can be modified to enable constant-time verification at low cost by fixing the multiset of challenges which will be chosen at the cut-and-choose step and randomizing only their order based on the hash of the input message. As a side benefit, this technique naturally makes the size and structure of signatures a fixed system parameter, even if the underlying cut-and-choose protocol has different response sizes for each possible challenge at the cut-and-choose step. When applied to a 5-pass “$q2$” interactive protocol, this technique requires essentially no extra rounds due to how fixed-weight binary vectors interact with the Kales--Zaverucha structural attack. Alternatively, when the data which must be transmitted for one of the two possible challenge values is significantly shorter than the other, or can be made so using standard and/or specialized compression techniques, a longer, lower-weight challenge vector can be used to obtain shorter signatures at the cost of more rounds of the underlying interactive protocol, with a much shallower computation-vs.-size tradeoff than the precomputation tree approach used in Picnic2, MUDFISH, and SUSHSYFISH. As an example, these techniques reduce MQDSS signatures to under 15 kB and PKP-DSS signatures to under 14 kB with NIST Category 1 security against both secret key recovery and signature forgery. Further improvements in design and parameters allow PKP-DSS signatures under 10 kB with a security level and performance acceptable for almost all interactive authentication. The asymptotic ROM proof of security published with MQDSS remains applicable to the optimized system, but the QROM proofs by Don et al. turn out to be invalid even for unmodified MQDSS.

Metadata
Available format(s)
PDF
Category
Public-key cryptography
Publication info
Published elsewhere. will be sent to NIST pqc-forum mailing list
Keywords
digital signatures
Contact author(s)
rransom 8774 @ gmail com
History
2020-09-30: received
Short URL
https://ia.cr/2020/1184
License
Creative Commons Attribution
CC BY

BibTeX

@misc{cryptoeprint:2020/1184,
      author = {Robert Ransom},
      title = {Constant-time verification for cut-and-choose-based signatures},
      howpublished = {Cryptology {ePrint} Archive, Paper 2020/1184},
      year = {2020},
      url = {https://eprint.iacr.org/2020/1184}
}
Note: In order to protect the privacy of readers, eprint.iacr.org does not use cookies or embedded third party content.