Hybrid Post-quantum Signatures in Hardware Security Keys

Abstract

Recent advances in quantum computing are increasingly jeopardizing the security of cryptosystems currently in widespread use, such as RSA or elliptic-curve signatures. To address this threat, researchers and standardization institutes have accelerated the transition to quantum-resistant cryptosystems, collectively known as Post-Quantum Cryptography (PQC). These PQC schemes present new challenges due to their larger memory and computational footprints and their higher chance of latent vulnerabilities.

In this work, we address these challenges by introducing a scheme to upgrade the digital signatures used by security keys to PQC. We introduce a hybrid digital signature scheme based on two building blocks: a classically-secure scheme, ECDSA, and a post-quantum secure one, Dilithium. Our hybrid scheme maintains the guarantees of each underlying building block even if the other one is broken, thus being resistant to classical and quantum attacks. We experimentally show that our hybrid signature scheme can successfully execute on current security keys, even though secure PQC schemes are known to require substantial resources.

We publish an open-source implementation of our scheme at https://github.com/google/OpenSK/releases/tag/hybrid-pqc so that other researchers can reproduce our results on a nRF52840 development kit.

A Appendix

We include the formal proof that was omitted in the main body of the paper.

Lemma 3 . If \(\varSigma _2\) is X -EUF-CMA secure (resp. X -SUF-CMA) secure, it follows that \(\mathcal {H}(\varSigma _1, \varSigma _2)\) is X -EUF-CMA secure (resp. X -SUF-CMA) as well.

Proof

We show that, for every X-adversary \(\mathcal {A}\) that wins the X-EUF-CMA (resp. X-SUF-CMA) security game for \(\mathcal {H}(\varSigma _1, \varSigma _2)\) with probability \(p_\mathcal {A}\), there is an adversary \(\mathcal {B}\) that wins \(\varSigma _2\)’s X-EUF-CMA (resp. X-SUF-CMA) security game with probability \(p_{\mathcal {B}} \ge p_\mathcal {A}\).

The adversary \(\mathcal {B}\) can be constructed as follows:

• \(\mathcal {B}\) receives the \(\varSigma _2\) public key \(\textsf{pk}_2\) from the challenger \(\mathcal {C}_{\varSigma _2}\).

  Since \(\mathcal {A}\) expects a hybrid public key, \(\mathcal {B}\) generates its own pair of \(\varSigma _1\) keys , and then sends \(\textsf{pk}= (\textsf{pk}_1, \textsf{pk}_2)\) to \(\mathcal {A}\).

  Note that the keys received by \(\mathcal {A}\) are generated from the same probability distribution as in \(\mathcal {H}(\varSigma _1, \varSigma _2)\)’s security game.

• When receiving a message query \(m_i\) from \(\mathcal {A}\), \(\mathcal {B}\) uses its own secret key \(\textsf{sk}_1\) to compute the first part of the hybrid signature: .

  Afterwards, to obtain the \(\varSigma _2\)-component of the hybrid signature, \(\mathcal {B}\) sends \(m'_i := ( m_i, \sigma _1)\) as a signing query to the challenger \(\mathcal {C}_{\varSigma _2}\) and obtains \(\sigma _{2,i} = \varSigma _2.\mathtt {Sign(}m_i',\textsf{sk}_2\mathtt {)}\).

  When receiving \(\sigma _{2, i}\) from \(\mathcal {C}_{\varSigma _2}\), \(\mathcal {B}\) computes \(\sigma _i := (\sigma _{1,i}, \sigma _{2,i})\) and sends it to \(\mathcal {A}\). Note that \(\sigma _i\) is a valid hybrid signature:

  \(\mathcal {H}(\varSigma _1, \varSigma _2).\mathtt {Verify(}m_i,\sigma _i,\textsf{pk}\mathtt {)} = \textsf{true}\)

• When receiving the forgery \(\left( m^*, \sigma ^* = (\sigma ^*_1, \sigma ^*_2) \right) \) from the adversary \(\mathcal {A}\), \(\mathcal {B}\) obtains its own forgery \(\left( ( m^*, \sigma ^*_1), \sigma ^*_2 \right) \) and sends it to \(\mathcal {C}_{\varSigma _2}\).

Since \(\mathcal {B}\) simulates the X-EUF-CMA (resp. X-SUF-CMA) security game for \(\mathcal {H}\) perfectly towards \(\mathcal {A}\), \(\mathcal {A}\) maintains its success probability \(p_\mathcal {A}\).

We show that, whenever \(\mathcal {A}\) wins the simulated game, \(\mathcal {B}\) wins the X-EUF-CMA (resp. X-SUF-CMA) security game for \(\varSigma _2\).

If \(\mathcal {A}\) wins the simulated X-EUF-CMA security game, \(m^* \notin \{\text {queries } m_i\}\). It immediately follows that \((m^*, \sigma _1^\star ) \notin \{\text {queries } m_i'\}\).

If \(\mathcal {A}\) wins the simulated X-SUF-CMA security game, \((m^*, \sigma ^*) \notin \{(m_i, \sigma _i) \mid m_i \text { query}, \sigma _i \text { response}\}\). If this is the case, we need to show that \(\mathcal {B}\) has never received \(\sigma _2^*\) as a response from \(\mathcal {C}_2\) to the signing query \(( m^*, \sigma ^*_1)\). Assuming that \(\left( ( m^*, \sigma ^*_1), \sigma ^*_2\right) = (m'_i, \sigma _{2, i})\) for some query-response pair \((m'_i, \sigma _{2, i})\) in \(\mathcal {B}\)’s interaction with \(\mathcal {C}_2\), we obtain that \((m^*, \sigma ^*) = (m_i, \sigma _i)\), which contradicts that \(\mathcal {A}\)’s forgery was successful.

Both in the X-EUF-CMA case and in the X-SUF-CMA case, if \(\mathcal {A}\) has sent a successful forgery, then \(\mathcal {H}(\varSigma _1, \varSigma _2).\mathtt {Verify(}m^*,\sigma ^*,\textsf{pk}\mathtt {)} = \textsf{true}\) holds, and hence \(\varSigma _2.\mathtt {Verify(}(m^*, \sigma ^*_1),\sigma ^*_2,\textsf{pk}_2\mathtt {)}\) holds as well.

It follows that \(\mathcal {B}\) wins the X-EUF-CMA (resp. X-SUF-CMA) security game for \(\varSigma _2\) with probability \(p_\mathcal {B} \ge p_{\mathcal {A}}\).

Finally, as \(\varSigma _2\) is X-EUF-CMA (resp. X-SUF-CMA) secure, , and therefore .

Since \(\mathcal {A}\) was chosen arbitrarily, we obtain that every X-adversary has negligible probability in winning \(\mathcal {H}(\varSigma _1, \varSigma _2)\)’s X-EUF-CMA (resp. X-SUF-CMA) security game.    \(\square \)