
UDC 512.552.18+003.26 Vestnik of Saint Petersburg University. Applied Mathematics. Computer Science. Control Processes. 2020. Vol. 16. Iss. 4 MSC 16P10

Candidate for practical post-quantum signature scheme

N. A. Moldovyan, A. A. Moldovyan

St. Petersburg Federal Research Center of the Russian Academy of Sciences, 39, 14-ia linia, St. Petersburg, 199178, Russian Federation

For citation: Moldovyan N. A., Moldovyan A. A. Candidate for practical post-quantum signature scheme. Vestnik of Saint Petersburg University. Applied Mathematics. Computer Science. Control Processes, 2020, vol. 16, iss. 4, pp. 455-461. https://doi.org/10.21638/11701/spbu10.2020.410

A new criterion of post-quantum security is used to design a practical signature scheme based on the computational complexity of the hidden discrete logarithm problem. A 4-dimensional finite non-commutative associative algebra is applied as algebraic support of the cryptoscheme. The criterion is formulated as computational intractability of the task of constructing a periodic function containing a period depending on the discrete logarithm value. To meet the criterion, the hidden commutative group possessing the 2-dimensional cyclicity is exploited in the developed signature scheme. The public-key elements are computed depending on two vectors that are generators of two different cyclic groups contained in the hidden group. When computing the public key two types of masking operations are used: i) possessing the property of mutual commutativity with the exponentiation operation and ii) being free of such property. The signature represents two integers and one vector S used as a multiplier in the verification equation. To prevent attacks using the value S as a fitting element the signature verification equation is doubled.

Keywords: digital signature, post-quantum cryptoscheme, public key, hidden logarithm problem, finite non-commutative algebra, associative algebra.

1. Introduction. Current cryptographic standards of digital signature algorithms and public key-agreement protocols do not provide post-quantum resistance, since they are based on the computational difficulty of the factoring problem and of the discrete logarithm problem, which can be solved on a hypothetical quantum computer in polynomial time [1, 2]. The development of practical public-key post-quantum cryptoschemes attracts much attention of the cryptographic community [3, 4].

One of the attractive approaches to the development of post-quantum signature schemes is applying the hidden discrete logarithm problem (HDLP) as the base cryptographic primitive [5-7]. The rationale of the post-quantum security of the known signature algorithms based on the HDLP takes into account that the quantum algorithm for finding the discrete logarithm value exploits the extremely high efficiency of a quantum computer in performing a discrete Fourier transform for a function that takes values in a finite cyclic group [1, 8]. To solve the problem of finding the logarithm value $x$, i. e., to solve the equation $Y = G^x$, where $x < q$ is the unknown integer and $Y$ and $G$ are known elements of a finite cyclic group of prime order $q$, one constructs a periodic function $F(i,j) = Y^i \circ G^j$ in two integer variables $i$ and $j$, which contains a period with the length $(-1, x)$: $F(i,j) = Y^i G^j = Y^{i-1} G^{j+x} = F(i-1, j+x)$. From the discrete Fourier transform results the period length $(-1, x)$ is easily computed.

For the case of the HDLP-based signature schemes considered in papers [5-7] one can construct the periodic function $F(i,j) = Y^i \circ T \circ Z^j$, where $Y$, $T$ and $Z$ are $m$-dimensional vectors and $\circ$ is the multiplication operation in the finite non-commutative associative algebra (FNAA) used as algebraic support of the signature scheme. This function includes a period with the length $(-1, x)$; however, the function $F(i,j)$ takes on values that lie in different cyclic groups, and there is no preferable cyclic group for the values of this function.

© St. Petersburg State University, 2020

Thus, the design criterion related to the known HDLP-based signature algorithms can be formulated as follows.

Criterion 1. The periodic functions F(i,j) constructed on the base of public parameters of the signature scheme and containing a period with the length depending on the discrete logarithm value should take on values in different finite cyclic groups contained in the FNAA. Besides, no cyclic group can be pointed out as a preferable finite group for the values of the function F(i,j).

In the present paper we use another design criterion for providing post-quantum resistance of HDLP-based signature algorithms. To meet the accepted criterion, a new method of setting the HDLP is used, which is characterized by the use of a hidden commutative group with two-dimensional cyclicity and masking operations of the following types: i) having the property of mutual commutativity with the exponentiation operation in the hidden group; ii) not having such a property.

2. Advanced criterion of post-quantum resistance. Criterion 1 takes into account the currently known quantum algorithm for finding the period length of a periodic function whose values lie in some fixed finite cyclic group. However, one can assume that in the future novel quantum algorithms will be developed that effectively find the period length for functions taking on values within the whole FNAA used as algebraic support of the signature scheme. Taking this possibility into account, the following advanced criterion of post-quantum resistance is applied in this paper for the development of a post-quantum signature scheme.

Criterion 2. Based on the public parameters of the signature scheme, the construction of a periodic function containing a period with the length depending on the discrete logarithm value should be a computationally intractable task.

To design a signature scheme satisfying this criterion, the idea of masking the periodicity depending on the discrete logarithm value is used. To implement this idea, we propose to perform the exponentiation operation, which makes the main contribution to the security, in a cyclic group (called the basic cyclic group) that is a subgroup of a hidden commutative group having two-dimensional cyclicity. (A finite commutative group is called a group with $\mu$-dimensional cyclicity if its minimum generator system includes $\mu$ elements possessing the same order value [9].)

To implement the said idea, a hidden commutative group of order $q^2$ is used, in which every element (except the unit) has order equal to the prime $q$. The public-key elements are calculated based on two independent elements of the hidden group. One of the latter is the generator of the basic cyclic group, and the second is used as a masking multiplier that imposes a periodicity with length equal to the value $q$.

3. The used FNAA. Consider a finite $m$-dimensional vector space defined over the field $GF(p)$. Defining additionally a vector multiplication operation that is distributive on the right and on the left relative to the addition operation, one gets an $m$-dimensional finite algebra. A vector $A$ can be represented in two forms: $A = (a_0, a_1, \ldots, a_{m-1})$ and $A = \sum_{i=0}^{m-1} a_i e_i$, where $a_0, a_1, \ldots, a_{m-1} \in GF(p)$ are called coordinates and $e_0, e_1, \ldots, e_{m-1}$ are basis vectors. The vector multiplication operation ($\circ$) of two $m$-dimensional vectors $A$ and $B$ is set as follows:

$$A \circ B = \sum_{i=0}^{m-1} \sum_{j=0}^{m-1} a_i b_j (e_i \circ e_j),$$

where each of the products $e_i \circ e_j$ is to be replaced by the single-component vector $\lambda e_k$, with $\lambda \in GF(p)$, indicated in the cell at the intersection of the $i$-th row and $j$-th column of the so-called basis vector multiplication table (BVMT), like Table 1. To define an associative vector multiplication operation one should construct a BVMT that defines associative multiplication of all possible triples of basis vectors $(e_i, e_j, e_k)$: $(e_i \circ e_j) \circ e_k = e_i \circ (e_j \circ e_k)$.

Table 1. The BVMT defining the used FNAA ($\lambda \neq 1$; $\lambda \neq 0$)

  ∘   |  e0    e1    e2    e3
------+------------------------
  e0  |  e0    e3    e0    e3
  e1  |  λe2   e1    e2    λe1
  e2  |  e2    e1    e2    e1
  e3  |  λe0   e3    e0    λe3

To develop the signature scheme that meets Criterion 2 we have used the 4-dimensional FNAA with the multiplication operation defined by the BVMT shown in Table 1, where $\lambda \neq 1$; $\lambda \neq 0$ [5]. This FNAA contains the global two-sided unit $E$ that can be computed as

$$E = \left( \frac{1}{1-\lambda},\ \frac{1}{1-\lambda},\ \frac{\lambda}{\lambda-1},\ \frac{1}{\lambda-1} \right).$$

The vectors $A$ satisfying the condition $a_0 a_1 \neq a_2 a_3$ are invertible. The vectors $N$ satisfying the condition $n_0 n_1 = n_2 n_3$ are non-invertible.

Proposition. The number of invertible vectors in the considered 4-dimensional FNAA is equal to $\Omega = p(p+1)(p-1)^2$.

Proof. The number of invertible vectors is equal to the number of all elements of the algebra ($p^4$) minus the number of non-invertible vectors $N$. Let us compute the number of the vectors $N$ for which $n_0 n_1 = n_2 n_3$. For the case $n_1 \neq 0$ ($p-1$ different values of $n_1$) the coordinates $n_2$ and $n_3$ are arbitrary ($p^2$ variants) and $n_0 = n_2 n_3 n_1^{-1}$; therefore, we have $(p-1)p^2$ non-invertible vectors related to this case. For the case $n_1 = 0$, at least one of the values $n_2$ and $n_3$ should be equal to 0 ($2p-1$ variants), and in each of these variants the coordinate $n_0$ is arbitrary. Therefore, the last case gives $p(2p-1)$ more non-invertible vectors. In total, there exist $(p-1)p^2 + p(2p-1) = p^3 + p^2 - p$ different non-invertible vectors. For the value $\Omega$ we get $\Omega = p^4 - p^3 - p^2 + p = p(p+1)(p-1)^2$. □

The value $\Omega$ is the order of the multiplicative group of the algebra. The maximum possible order of the invertible vectors in the considered algebra is equal to $p^2 - 1$. To be able to define the hidden commutative group containing cyclic groups of a prime order $q$ of sufficiently large size, we suppose the considered FNAA is defined over the finite field $GF(p)$ with a 256-bit characteristic $p = 2q + 1$, where $q$ is a 255-bit prime.

A commutative group of order $q^2$ can be set by computing its basis $\langle G, Q \rangle$ consisting of two independent vectors of the same order $q$. The procedure of setting the basis $\langle G, Q \rangle$ is as follows:

a) select a random invertible vector $R_1$ and compute $G_1 = R_1^{2(p+1)} \neq E$;

b) select a random invertible vector $R_2$ and compute $G_2 = R_2^{2(p+1)} \neq E$;

c) if $G_1 \circ G_2 = G_2 \circ G_1$, then go to step a). Otherwise take $G = G_1$;

d) select a random integer $r$ and compute $b = r^{2(p+1)} \bmod p \neq 1$;

e) performing scalar multiplication, compute the vector $Q = bG$.

At the output of this procedure we have the basis $\langle G, Q \rangle$ of the commutative group of order $q^2$ which possesses the 2-dimensional cyclicity. One can easily see that the order of each of the vectors $G$ and $Q$ is equal to the prime $q$.

4. Computation of the public key. The public key represents two triples of 4-dimensional vectors $(U_1, Y_1, Z_1)$ and $(U_2, Y_2, Z_2)$ that are computed as follows.

1. Generate at random the basis $\langle G, Q \rangle$ of the hidden commutative group $\Gamma$ possessing the 2-dimensional cyclicity.

2. Select two random integers $r_1$ and $r_2$ and compute the vector $J = G^{r_1} \circ Q^{r_2} \in \Gamma$.

3. Generate at random the invertible vector $B_1$ and compute the vector $Y_1 = B_1 \circ G \circ B_1^{-1}$.

4. Generate at random the invertible vector $A_1$ and the integer $x$ ($1 < x < q$). Then compute the vectors $U_1 = A_1 \circ G^x \circ B_1^{-1}$ and $Z_1 = B_1 \circ Q \circ A_1^{-1}$.

5. Generate at random the invertible vector $B_2$ and compute the vector $Y_2 = B_2 \circ J \circ B_2^{-1}$.

6. Generate at random the integer $w$ ($1 < w < q$). Then compute the vectors $W = Q^w$, $A_2 = A_1 \circ W$, $U_2 = A_2 \circ J^x \circ B_2^{-1}$, and $Z_2 = B_2 \circ Q \circ A_2^{-1}$.

The integers $x$, $w$ and the vectors $G$, $Q$, $J$, $A_1$, $B_1$, $A_2$, $B_2$, and $W$ are private elements. The private key represents the subset $\{x, G, Q, J, A_1, A_2, W\}$ of private elements that are used when computing a signature. The size of the public key $(U_1, Y_1, Z_1)$; $(U_2, Y_2, Z_2)$ is equal to 768 bytes.

Signature generation procedure:

• Generate at random the integer $k$ ($1 < k < q$) and the invertible vector $K$. Then compute $V_1 = A_1 \circ G^k \circ K$ and $V_2 = A_2 \circ J^k \circ W^{-1} \circ K$.

• Using a specified hash function $f_H$, compute the first signature element $e = f_H(M, V_1, V_2)$, where $M$ is the document to be signed.

• Compute the second signature element $s$ as one of the two solutions of the equation $es^2 + xs \equiv k \pmod q$. If the equation has no solution, then go to step 1.

• Compute the third signature element $S = A_1 \circ Q^{-s} \circ K$. (Note that $S = A_2 \circ W^{-1} \circ Q^{-s} \circ K$.)

On average, computation of one 192-byte signature $(e, s, S)$ requires performing the signature generation procedure two times. On the whole, the computational difficulty of the signature generation procedure is roughly equal to four exponentiation operations in the 4-dimensional FNAA.

Signature verification procedure:

• Using the signature $(e, s, S)$ and the public key $(U_1, Y_1, Z_1)$; $(U_2, Y_2, Z_2)$, compute the vectors $V_1' = (U_1 \circ Y_1^{es} \circ Z_1)^s \circ S$ and $V_2' = (U_2 \circ Y_2^{es} \circ Z_2)^s \circ S$.

• Compute the hash-function value $e' = f_H(M, V_1', V_2')$.

• If $e' = e$ and $S = (s_0, s_1, s_2, s_3)$ is such that $s_0 s_1 \neq s_2 s_3$, then the signature is genuine. Otherwise the signature is rejected.

5. Correctness proof. The correctness proof of the signature scheme consists in proving that the signature $(e, s, S)$ computed correctly will pass the verification procedure as a genuine signature:

$$V_1' = (U_1 \circ Y_1^{es} \circ Z_1)^s \circ S = \left( A_1 \circ G^x \circ B_1^{-1} \circ (B_1 \circ G \circ B_1^{-1})^{es} \circ B_1 \circ Q \circ A_1^{-1} \right)^s \circ A_1 \circ Q^{-s} \circ K =$$

$$= A_1 \circ G^{xs} \circ G^{es^2} \circ Q^s \circ A_1^{-1} \circ A_1 \circ Q^{-s} \circ K = A_1 \circ G^{es^2 + xs} \circ K = A_1 \circ G^k \circ K = V_1;$$

$$V_2' = (U_2 \circ Y_2^{es} \circ Z_2)^s \circ S = \left( A_2 \circ J^x \circ B_2^{-1} \circ (B_2 \circ J \circ B_2^{-1})^{es} \circ B_2 \circ Q \circ A_2^{-1} \right)^s \circ A_2 \circ W^{-1} \circ Q^{-s} \circ K =$$

$$= A_2 \circ J^{xs} \circ J^{es^2} \circ Q^s \circ A_2^{-1} \circ A_2 \circ Q^{-w} \circ Q^{-s} \circ K = A_2 \circ J^{es^2 + xs} \circ Q^{-w} \circ K = A_2 \circ J^k \circ W^{-1} \circ K = V_2.$$

Since $V_1' = V_1$ and $V_2' = V_2$, the equality $e' = e$ holds true. Besides, in the signature $(e, s, S)$ computed correctly the invertibility condition $s_0 s_1 \neq s_2 s_3$ is satisfied for the vector $S = (s_0, s_1, s_2, s_3)$.
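As an added worked example (this code is not from the paper or its authors), the following Python script builds the 4-dimensional FNAA of Table 1 from its BVMT, computes the unit $E$ by the formula of Section 3, tests invertibility by the condition $a_0 a_1 \neq a_2 a_3$, and then runs the basis generation, key generation, signing and verification of Sections 3-5 end to end, so the correctness proof above can be exercised numerically. It is a toy and rests on the following assumptions: a constructed small field with $p = 2039$, $q = 1019$ instead of a 256-bit $p$; SHA-256 reduced modulo $q$ as the unspecified hash $f_H$; vector inverses computed as $A^{\Omega-1}$ with the Proposition's $\Omega$; and an extra check, not among the paper's steps, that $G_1$ has order exactly $q$ before it is accepted as $G$.

```python
# Added example (not the paper's code): the FNAA of Table 1 and the signature scheme of Sections 3-5 over a toy field.
import hashlib
import random

P, Q, LAM = 2039, 1019, 2            # toy parameters: p = 2q + 1, q = 3 (mod 4), lambda != 0, 1
OMEGA = P * (P + 1) * (P - 1) ** 2   # order of the multiplicative group (Proposition)
# Table 1 as a map (i, j) -> (coefficient, k), meaning e_i o e_j = coefficient * e_k
BVMT = {(0, 0): (1, 0), (0, 1): (1, 3), (0, 2): (1, 0), (0, 3): (1, 3),
        (1, 0): (LAM, 2), (1, 1): (1, 1), (1, 2): (1, 2), (1, 3): (LAM, 1),
        (2, 0): (1, 2), (2, 1): (1, 1), (2, 2): (1, 2), (2, 3): (1, 1),
        (3, 0): (LAM, 0), (3, 1): (1, 3), (3, 2): (1, 0), (3, 3): (LAM, 3)}
# global two-sided unit E = (1/(1-lambda), 1/(1-lambda), lambda/(lambda-1), 1/(lambda-1))
E = (pow((1 - LAM) % P, -1, P), pow((1 - LAM) % P, -1, P),
     LAM * pow(LAM - 1, -1, P) % P, pow(LAM - 1, -1, P))

def mul(a, b):
    """A o B = sum_i sum_j a_i b_j (e_i o e_j); every e_i o e_j is looked up in the BVMT."""
    c = [0, 0, 0, 0]
    for (i, j), (coeff, k) in BVMT.items():
        c[k] = (c[k] + coeff * a[i] * b[j]) % P
    return tuple(c)

def power(a, n):
    """A^n by square-and-multiply (A^0 = E)."""
    r, base = E, a
    while n:
        if n & 1: r = mul(r, base)
        base, n = mul(base, base), n >> 1
    return r

def inv(a): return power(a, OMEGA - 1)        # A^OMEGA = E for invertible A (Lagrange)
def is_invertible(a): return (a[0] * a[1] - a[2] * a[3]) % P != 0   # a0*a1 != a2*a3

def algebra_checks():
    # E is a two-sided unit and the BVMT is associative on all 64 basis triples
    basis = [tuple(int(i == k) for k in range(4)) for i in range(4)]
    unit = all(mul(E, b) == b and mul(b, E) == b for b in basis)
    return unit and all(mul(mul(a, b), c) == mul(a, mul(b, c))
                        for a in basis for b in basis for c in basis)

def random_invertible(rng):
    while True:
        v = tuple(rng.randrange(P) for _ in range(4))
        if is_invertible(v): return v

def hidden_group_basis(rng):
    """Steps a)-e) of Section 3: the basis <G, Q> of the hidden group of order q^2."""
    while True:
        g1 = power(random_invertible(rng), 2 * (P + 1))     # step a)
        g2 = power(random_invertible(rng), 2 * (P + 1))     # step b)
        # step c), plus an added guard (not in the paper): G_1 must have order exactly q
        if g1 != E and power(g1, Q) == E and mul(g1, g2) != mul(g2, g1):
            break
    b = pow(rng.randrange(2, P - 1), 2 * (P + 1), P)   # step d); b != 1 because r != +-1
    return g1, tuple(b * x % P for x in g1)              # step e): Q = b*G

def keygen(rng):
    G, Qv = hidden_group_basis(rng)                                             # step 1
    J = mul(power(G, rng.randrange(1, Q)), power(Qv, rng.randrange(1, Q)))     # step 2
    A1, B1, B2 = (random_invertible(rng) for _ in range(3))
    x, w = rng.randrange(1, Q), rng.randrange(1, Q)
    W = power(Qv, w)
    A2 = mul(A1, W)
    Y1, U1 = mul(mul(B1, G), inv(B1)), mul(mul(A1, power(G, x)), inv(B1))       # steps 3-4
    Z1 = mul(mul(B1, Qv), inv(A1))
    Y2, U2 = mul(mul(B2, J), inv(B2)), mul(mul(A2, power(J, x)), inv(B2))       # steps 5-6
    Z2 = mul(mul(B2, Qv), inv(A2))
    return ((U1, Y1, Z1), (U2, Y2, Z2)), dict(x=x, G=G, Q=Qv, J=J, A1=A1, A2=A2, W=W)

def hash_e(msg, v1, v2):
    """e = f_H(M, V1, V2); assumption: SHA-256 over M and the coordinates, reduced mod q."""
    data = msg + b"".join(c.to_bytes(2, "big") for c in v1 + v2)
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % Q

def sign(priv, msg, rng):
    x, G, Qv, J, A1, A2, W = (priv[n] for n in ("x", "G", "Q", "J", "A1", "A2", "W"))
    while True:
        k, K = rng.randrange(1, Q), random_invertible(rng)
        V1 = mul(mul(A1, power(G, k)), K)
        V2 = mul(mul(mul(A2, power(J, k)), inv(W)), K)
        e = hash_e(msg, V1, V2)
        # s solves e*s^2 + x*s = k (mod q); restart when e = 0 or the discriminant has no root
        d = (x * x + 4 * e * k) % Q
        root = pow(d, (Q + 1) // 4, Q)                       # valid because q = 3 (mod 4)
        if e == 0 or root * root % Q != d: continue
        s = (root - x) * pow(2 * e, -1, Q) % Q
        return e, s, mul(mul(A1, power(Qv, Q - s)), K)       # S = A1 o Q^{-s} o K

def verify(pub, msg, sig):
    ((U1, Y1, Z1), (U2, Y2, Z2)), (e, s, S) = pub, sig
    if not (0 < e < Q and 0 < s < Q and is_invertible(S)):  # the s0*s1 != s2*s3 check
        return False
    V1 = mul(power(mul(mul(U1, power(Y1, e * s % Q)), Z1), s), S)
    V2 = mul(power(mul(mul(U2, power(Y2, e * s % Q)), Z2), s), S)
    return hash_e(msg, V1, V2) == e

def demo(seed=1):
    """Sign a constructed message; return (genuine verifies, non-invertible S is rejected)."""
    rng = random.Random(seed)
    pub, priv = keygen(rng)
    e, s, S = sign(priv, b"constructed test message", rng)
    return (verify(pub, b"constructed test message", (e, s, S)),
            verify(pub, b"constructed test message", (e, s, (0, 0, 0, 0))))
```

Calling `demo()` returns `(True, False)`: a correctly computed signature passes both verification equations, while a signature whose element $S$ is non-invertible is rejected by the $s_0 s_1 \neq s_2 s_3$ check. The restart in the signing loop happens exactly when the discriminant $x^2 + 4ek$ of $es^2 + xs - k$ is not a quadratic residue modulo $q$, which is the source of the "two times on average" figure given above.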

6. Discussion. Among the nine post-quantum signature schemes developed in the framework of the NIST competition, the algorithms Falcon [https://falcon-sign.info/] and Dilithium [https://pq-crystals.org/dilithium/index.shtml] attract attention from the viewpoint of the trade-off between performance and the size of the public key and the signature. Table 2 presents a rough comparison of the proposed signature scheme with Falcon-512 and Dilithium-1024x768 (versions related to the 128-bit security level). The algorithm proposed in this article has a significant advantage in the size of the signature. Besides, it has higher performance of the signature verification procedure.

Table 2. Comparison with the signature schemes Falcon-512, Dilithium-1024x768, RSA-2048

Signature scheme    | Signature size, bytes | Public-key size, bytes | Signature generation rate, arbitrary units | Signature verification rate, arbitrary units
--------------------+-----------------------+------------------------+--------------------------------------------+---------------------------------------------
Falcon-512          | 657                   | 897                    | 50                                         | 25
Dilithium-1024x768  | 2044                  | 1184                   | 15                                         | 10
RSA-2048            | 256                   | 256                    | 10                                         | > 50
Proposed            | 192                   | 768                    | 40                                         | 60

Consider the construction of some periodic functions on the basis of the public parameters of the proposed signature algorithm.

1. Suppose the function $F_1(i,j) = Y_1^i \circ (Z_1 \circ U_1)^j = B_1 \circ G^{i+xj} \circ Q^j \circ B_1^{-1}$ contains a period with the length $(\delta_i, \delta_j)$. Then, taking into account that $G$ and $Q$ are generators of different cyclic groups of the same order $q$, we have $\delta_i + x\delta_j \equiv 0 \pmod q$ and $\delta_j \equiv 0 \pmod q$ $\Rightarrow$ $\delta_i \equiv \delta_j \equiv 0 \pmod q$. This means that the function $F_1(i,j)$ possesses only the periodicity connected with the value $q$, which is the order of the cyclic groups contained in the hidden commutative group with 2-dimensional cyclicity.

2. Suppose the function $F_2(i,j) = (U_2 \circ Z_2)^i \circ (U_2 \circ Y_2 \circ Z_2)^j = A_2 \circ G^{xi+xj+j} \circ Q^{i+j} \circ A_2^{-1}$ includes a period with the length $(\delta_i, \delta_j)$. Then we have $x\delta_i + x\delta_j + \delta_j \equiv 0 \pmod q$ and $\delta_i + \delta_j \equiv 0 \pmod q$ $\Rightarrow$ $\delta_i \equiv \delta_j \equiv 0 \pmod q$. Thus, the function $F_2(i,j)$ possesses only the periodicity connected with the value $q$.

3. Suppose the function $F_3(i,j,k) = (U_2 \circ Z_2)^i \circ (U_2 \circ Y_2^k \circ Z_2)^j = A_2 \circ G^{xi+xj+jk} \circ Q^{i+j} \circ A_2^{-1}$ includes a period with the length $(\delta_i, \delta_j, \delta_k)$. Then we have $x\delta_i + x\delta_j + j\delta_k + k\delta_j + \delta_j\delta_k \equiv 0 \pmod q$ and $\delta_i + \delta_j \equiv 0 \pmod q$. When solving simultaneously the last two congruences for the unknowns $\delta_i$ and $\delta_j$, one obtains solutions that depend on the current values of the variables of the function, except the solution $(\delta_i, \delta_j) = (0, 0)$. This means that the function $F_3(i,j,k)$ possesses only the periodicity with the length $(q, q)$.

7. Conclusion. An advanced criterion of post-quantum security has been applied to develop a new HDLP-based digital signature scheme that is a candidate for practical post-quantum signature algorithms. The proposed design is characterized by applying the hidden commutative group possessing 2-dimensional cyclicity and masking operations that are not mutually commutative with the exponentiation operation. Besides, a doubled verification equation has been applied to prevent attacks using the signature element $S$ as a fitting parameter.

References

1. Shor P. W. Polynomial-time algorithms for prime factorization and discrete logarithms on a quantum computer. SIAM Journal on Computing, 1997, vol. 26, pp. 1484-1509.

2. Yan S. Y. Quantum attacks on public-key cryptosystems. Boston, Springer Publ., 2013, 207 p.

3. Post-Quantum Cryptography. 9th International Conference, PQCrypto 2018 Proceedings. Fort Lauderdale, FL, USA, April 9-11, 2018. (Lecture Notes in Computer Science, 2018, vol. 10786.)

4. Post-Quantum Cryptography. 10th International Conference, PQCrypto 2019 Proceedings. Chongqing, China, May 8-10, 2019. (Lecture Notes in Computer Science, 2019, vol. 11505.)

5. Moldovyan A. A., Moldovyan N. A. Post-quantum signature algorithms based on the hidden discrete logarithm problem. Computer Science Journal of Moldova, 2018, vol. 26, no. 3(78), pp. 301-313.

6. Moldovyan A. A., Moldovyan N. A. Finite non-commutative associative algebras as carriers of hidden discrete logarithm problem. Bulletin of the South Ural State University. Series Mathematical Modelling, Programming & Computer Software, 2019, vol. 12, no. 1, pp. 66-81.

7. Moldovyan N. A. Finite non-commutative associative algebras for setting the hidden discrete logarithm problem and post-quantum cryptoschemes on its base. Bulletin of Academy of Sciences of Moldova. Mathematics, 2019, no. 1(89), pp. 71-78.

8. Jozsa R. Quantum algorithms and the Fourier transform. Proc. Roy. Soc. London. Series A, 1998, vol. 454, pp. 323-337.

9. Moldovyan N. A. Fast signatures based on non-cyclic finite groups. Quasigroups and Related Systems, 2010, vol. 18, no. 1, pp. 83-94.

Received: January 27, 2020.

Accepted: October 23, 2020.

Authors' information:

Nikolay A. Moldovyan — Dr. Sci. in Technics, Professor, Chief Researcher; nmold@mail.ru

Alexandr A. Moldovyan — Dr. Sci. in Technics, Professor, Chief Researcher; maa1305@yandex.ru
