Skip to main content
Fachgebiete
Automobil + Motoren Bauwesen + Immobilien Business IT + Informatik Elektrotechnik + Elektronik Energie + Nachhaltigkeit Finance + Banking Management + Führung Marketing + Vertrieb Maschinenbau + Werkstoffe Versicherung + Risiko
DE
EN
Bücher
Zeitschriften
Themenseiten
Organisationspsychologie Projektmanagement Marketing Smart Manufacturing
Weitere Formate
Podcasts Webinare Technik Webinare Wirtschaft Kongresse Veranstaltungskalender Awards
Jetzt Einzelzugang starten
Zugang für Unternehmen
Referenzkunden
SLX-Digitalkonferenz: Zukunftswerkstatt 2024

Mehr Umsatz mit Top-Kontakten

Am 7. Mai erfahren Sie, wie Vertriebsteams Leadgenerierung, Leadnurturing und Leadstrategien effizient steuern können.
Erweiterte Suche
Anmelden
nach oben
Erschienen in:
On ELFs, Deterministic Encryption, and Correlated-Input Security Kapitel lesen Erstes Kapitel lesen

2019 | OriginalPaper | Buchkapitel

Multi-target Attacks on the Picnic Signature Scheme and Related Protocols

verfasst von : Itai Dinur, Niv Nadler

Erschienen in: Advances in Cryptology – EUROCRYPT 2019

Verlag: Springer International Publishing

Einloggen

Aktivieren Sie unsere intelligente Suche, um passende Fachinhalte oder Patente zu finden.

search-config
loading …

Abstract

Picnic is a signature scheme that was presented at ACM CCS 2017 by Chase et al. and submitted to NIST’s post-quantum standardization project. Among all submissions to NIST’s project, Picnic is one of the most innovative, making use of recent progress in construction of practically efficient zero-knowledge (ZK) protocols for general circuits.
In this paper, we devise multi-target attacks on Picnic and its underlying ZK protocol, ZKB++. Given access to S signatures, produced by a single or by several users, our attack can (information theoretically) recover the \(\kappa \)-bit signing key of a user in complexity of about \(2^{\kappa - 7}/S\). This is faster than Picnic’s claimed \(2^{\kappa }\) security against classical (non-quantum) attacks by a factor of \(2^7 \cdot S\) (as each signature contains about \(2^7\) attack targets).
Whereas in most multi-target attacks, the attacker can easily sort and match the available targets, this is not the case in our attack on Picnic, as different bits of information are available for each target. Consequently, it is challenging to reach the information theoretic complexity in a computational model, and we had to perform cryptanalytic optimizations by carefully analyzing ZKB++ and its underlying circuit. Our best attack for \(\kappa = 128\) has time complexity of \(T = 2^{77}\) for \(S = 2^{64}\). Alternatively, we can reach the information theoretic complexity of \(T = 2^{64}\) for \(S = 2^{57}\), given that all signatures are produced with the same signing key.
Our attack exploits a weakness in the way that the Picnic signing algorithm uses a pseudo-random generator. The weakness is fixed in the recent Picnic 2.0 version.
In addition to our attack on Picnic, we show that a recently proposed improvement of the ZKB++ protocol (due to Katz, Kolesnikov and Wang) is vulnerable to a similar multi-target attack.

Sie haben noch keine Lizenz? Dann Informieren Sie sich jetzt über unsere Produkte:

Springer Professional "Wirtschaft+Technik"

Online-Abonnement

Mit Springer Professional "Wirtschaft+Technik" erhalten Sie Zugriff auf:

  • über 102.000 Bücher
  • über 537 Zeitschriften

aus folgenden Fachgebieten:

  • Automobil + Motoren
  • Bauwesen + Immobilien
  • Business IT + Informatik
  • Elektrotechnik + Elektronik
  • Energie + Nachhaltigkeit
  • Finance + Banking
  • Management + Führung
  • Marketing + Vertrieb
  • Maschinenbau + Werkstoffe
  • Versicherung + Risiko

Jetzt Wissensvorsprung sichern!

Jetzt informieren

Springer Professional "Technik"

Online-Abonnement

Mit Springer Professional "Technik" erhalten Sie Zugriff auf:

  • über 67.000 Bücher
  • über 390 Zeitschriften

aus folgenden Fachgebieten:

  • Automobil + Motoren
  • Bauwesen + Immobilien
  • Business IT + Informatik
  • Elektrotechnik + Elektronik
  • Energie + Nachhaltigkeit
  • Maschinenbau + Werkstoffe




 

Jetzt Wissensvorsprung sichern!

Jetzt informieren

Springer Professional "Wirtschaft"

Online-Abonnement

Mit Springer Professional "Wirtschaft" erhalten Sie Zugriff auf:

  • über 67.000 Bücher
  • über 340 Zeitschriften

aus folgenden Fachgebieten:

  • Bauwesen + Immobilien
  • Business IT + Informatik
  • Finance + Banking
  • Management + Führung
  • Marketing + Vertrieb
  • Versicherung + Risiko




Jetzt Wissensvorsprung sichern!

Jetzt informieren
Vorheriges Kapitel Distributional Collision Resistance Beyond One-Way Functions
Nächstes Kapitel Durandal: A Rank Metric Based Signature Scheme
Fußnoten
1
If the keys are not generated uniformly, the workload of the attack could be lower.
 
2
Throughout this paper, we focus on attacks run on classical computers, but our analysis can be extended to deal with attacks on quantum computers.
 
3
Our model is related to the one of [12], but our classification is at a higher level.
 
4
The ACM CCS 2017 paper [6] introduced two signature scheme variants: Fish (which uses the Fiat-Shamir transform [10]), with claimed security against classical computer attacks, and Picnic (which uses Unruh’s transform [22]), with claimed security against quantum computer attacks. In the NIST submission [5], these variants were renamed to Picnic-FS and Picnic-UR, respectively. Our analysis applies to both variants, but we focus on Picnic-FS for simplicity.
 
5
Internally, Picnic uses a block cipher encryption \(f_i(x) = \mathrm {Enc}_{x}(p(i))\), where a different plaintext \(p = p(i)\) is used for each public key owner (defining a different encryption function).
 
6
We thank an anonymous reviewer for pointing out the link between [7] and our paper.
 
7
As the attacker may acquire signatures produced with various signing keys, our model is somewhat more restrictive than NIST’s.
 
8
The attack can also be applied to \(\kappa \in \{192,256\}\), but it requires significantly more than \(2^{64}\) signatures.
 
9
In the NIST submission, the public key is hashed as well.
 
10
In general, \(\kappa \) bits are sufficient to uniquely determine the key on average. However, even if several candidate keys are recovered, they can be filtered against the public key.
 
11
We assume here for that sake of simplicity that \(\tau \) is constant and does not depend on the analyzed run (although as we will see later, this does not necessarily hold).
 
12
The Picnic specification recommends to generate the seeds based on the (high-entropy) private key, but does not (and cannot) enforce this.
 
Literatur
1.
Albrecht, M.R., Rechberger, C., Schneider, T., Tiessen, T., Zohner, M.: Ciphers for MPC and FHE. In: Oswald and Fischlin [21], pp. 430–454CrossRef
2.
Behnia, R., Ozmen, M.O., Yavuz, A.A., Rosulek, M.: TACHYON: fast signatures from compact knapsack. In: Lie et al. [16], pp. 1855–1867
3.
Bernstein, D.J., et al.: SPHINCS: practical stateless hash-based signatures. In: Oswald and Fischlin [21], pp. 368–397CrossRef
4.
Boneh, D., Eskandarian, S., Fisch, B.: Post-quantum group signatures from symmetric primitives. IACR Cryptology ePrint Archive 2018:261 (2018)
5.
6.
Chase, M., et al.: Post-quantum zero-knowledge and signatures from symmetric-key primitives. In: Thuraisingham, B.M., Evans, D., Malkin, T., Xu, D. (eds.) Proceedings of the 2017 ACM SIGSAC Conference on Computer and Communications Security, CCS 2017, Dallas, TX, USA, 30 October–03 November 2017, pp. 1825–1842. ACM (2017)
7.
Checkoway, S., et al.: On the practical exploitability of dual EC in TLS implementations. In: Fu, K., Jung, J. (eds.) Proceedings of the 23rd USENIX Security Symposium, San Diego, CA, USA, 20–22 August 2014, pp. 319–335. USENIX Association (2014)
8.
9.
Dinur, I., Nadler, N.: Multi-target attacks on the picnic signature scheme and related protocols. IACR Cryptology ePrint Archive 2018:1212 (2018)
10.
11.
Giacomelli, I., Madsen, J., Orlandi, C.: ZKBoo: faster zero-knowledge for Boolean circuits. In: Holz, T., Savage, S. (eds.) 25th USENIX Security Symposium, USENIX Security 2016, Austin, TX, USA, 10–12 August 2016, pp. 1069–1083. USENIX Association (2016)
12.
13.
Ishai, Y., Kushilevitz, E., Ostrovsky, R., Sahai, A.: Zero-knowledge from secure multiparty computation. In: Johnson, D.S., Feige, U. (eds.) Proceedings of the 39th Annual ACM Symposium on Theory of Computing, San Diego, California, USA, 11–13 June 2007, pp. 21–30. ACM (2007)
14.
Katz, J., Kolesnikov, V., Wang, X.: Improved non-interactive zero knowledge with applications to post-quantum signatures. In: Lie et al. [16], pp. 525–537
15.
Lamport, L.: Constructing digital signatures from a one way function. Technical report SRI-CSL-98, SRI International Computer Science Laboratory (1979)
16.
Lie, D., Mannan, M., Backes, M., Wang, X. (eds.): Proceedings of the 2018 ACM SIGSAC Conference on Computer and Communications Security, CCS 2018, Toronto, ON, Canada, 15–19 October 2018. ACM (2018)
17.
Lindell, Y., Riva, B.: Blazing fast 2PC in the offline/online setting with security for malicious adversaries. In: Ray, I., Li, N., Kruegel, C. (eds.) Proceedings of the 22nd ACM SIGSAC Conference on Computer and Communications Security, Denver, CO, USA, 12–16 October 2015, pp. 579–590. ACM (2015)
18.
May, A., Ozerov, I.: On computing nearest neighbors with applications to decoding of binary linear codes. In: Oswald and Fischlin [21], pp. 203–228CrossRef
19.
20.
21.
22.
23.
Valiant, G.: Finding correlations in subquadratic time, with applications to learning parities and the closest pair problem. J. ACM 62(2), 13:1–13:45 (2015)MathSciNetCrossRef
Metadaten
Titel
Multi-target Attacks on the Picnic Signature Scheme and Related Protocols
verfasst von
Itai Dinur
Niv Nadler
Copyright-Jahr
2019
Buch
Advances in Cryptology – EUROCRYPT 2019

Print ISBN: 978-3-030-17658-7

Electronic ISBN: 978-3-030-17659-4

Copyright-Jahr: 2019

DOI
https://doi.org/10.1007/978-3-030-17659-4_24

Premium Partner

    Bildnachweise