Abstract
Recent advances in quantum computing are increasingly jeopardizing the security of cryptosystems currently in widespread use, such as RSA or elliptic-curve signatures. To address this threat, researchers and standardization institutes have accelerated the transition to quantum-resistant cryptosystems, collectively known as Post-Quantum Cryptography (PQC). These PQC schemes present new challenges due to their larger memory and computational footprints and their higher chance of latent vulnerabilities.
In this work, we address these challenges by introducing a scheme to upgrade the digital signatures used by security keys to PQC. We introduce a hybrid digital signature scheme based on two building blocks: a classically-secure scheme, ECDSA, and a post-quantum secure one, Dilithium. Our hybrid scheme maintains the guarantees of each underlying building block even if the other one is broken, thus being resistant to classical and quantum attacks. We experimentally show that our hybrid signature scheme can successfully execute on current security keys, even though secure PQC schemes are known to require substantial resources.
We publish an open-source implementation of our scheme at https://github.com/google/OpenSK/releases/tag/hybrid-pqc so that other researchers can reproduce our results on an nRF52840 development kit.
Notes
1. We have used a MacBook Pro (13-inch, 2020) with a 2.3 GHz Quad-Core Intel Core i7 processor and 16 GB of 3733 MHz LPDDR4X memory.
A Appendix
We include the formal proof that was omitted in the main body of the paper.
Lemma 3. If \(\varSigma _2\) is X-EUF-CMA (resp. X-SUF-CMA) secure, it follows that \(\mathcal {H}(\varSigma _1, \varSigma _2)\) is X-EUF-CMA (resp. X-SUF-CMA) secure as well.
Proof
We show that, for every X-adversary \(\mathcal {A}\) that wins the X-EUF-CMA (resp. X-SUF-CMA) security game for \(\mathcal {H}(\varSigma _1, \varSigma _2)\) with probability \(p_\mathcal {A}\), there is an adversary \(\mathcal {B}\) that wins \(\varSigma _2\)’s X-EUF-CMA (resp. X-SUF-CMA) security game with probability \(p_{\mathcal {B}} \ge p_\mathcal {A}\).
The adversary \(\mathcal {B}\) can be constructed as follows:
- \(\mathcal {B}\) receives the \(\varSigma _2\) public key \(\textsf{pk}_2\) from the challenger \(\mathcal {C}_{\varSigma _2}\). Since \(\mathcal {A}\) expects a hybrid public key, \(\mathcal {B}\) generates its own pair of \(\varSigma _1\) keys, and then sends \(\textsf{pk}= (\textsf{pk}_1, \textsf{pk}_2)\) to \(\mathcal {A}\). Note that the keys received by \(\mathcal {A}\) are generated from the same probability distribution as in \(\mathcal {H}(\varSigma _1, \varSigma _2)\)’s security game.
- When receiving a message query \(m_i\) from \(\mathcal {A}\), \(\mathcal {B}\) uses its own secret key \(\textsf{sk}_1\) to compute the first part of the hybrid signature: . Afterwards, to obtain the \(\varSigma _2\)-component of the hybrid signature, \(\mathcal {B}\) sends \(m'_i := ( m_i, \sigma _{1,i})\) as a signing query to the challenger \(\mathcal {C}_{\varSigma _2}\) and obtains \(\sigma _{2,i} = \varSigma _2.\mathtt {Sign(}m_i',\textsf{sk}_2\mathtt {)}\). When receiving \(\sigma _{2, i}\) from \(\mathcal {C}_{\varSigma _2}\), \(\mathcal {B}\) computes \(\sigma _i := (\sigma _{1,i}, \sigma _{2,i})\) and sends it to \(\mathcal {A}\). Note that \(\sigma _i\) is a valid hybrid signature: \(\mathcal {H}(\varSigma _1, \varSigma _2).\mathtt {Verify(}m_i,\sigma _i,\textsf{pk}\mathtt {)} = \textsf{true}\).
- When receiving the forgery \(\left( m^*, \sigma ^* = (\sigma ^*_1, \sigma ^*_2) \right) \) from the adversary \(\mathcal {A}\), \(\mathcal {B}\) obtains its own forgery \(\left( ( m^*, \sigma ^*_1), \sigma ^*_2 \right) \) and sends it to \(\mathcal {C}_{\varSigma _2}\).
Since \(\mathcal {B}\) simulates the X-EUF-CMA (resp. X-SUF-CMA) security game for \(\mathcal {H}\) perfectly towards \(\mathcal {A}\), \(\mathcal {A}\) maintains its success probability \(p_\mathcal {A}\).
We show that, whenever \(\mathcal {A}\) wins the simulated game, \(\mathcal {B}\) wins the X-EUF-CMA (resp. X-SUF-CMA) security game for \(\varSigma _2\).
If \(\mathcal {A}\) wins the simulated X-EUF-CMA security game, \(m^* \notin \{\text {queries } m_i\}\). It immediately follows that \((m^*, \sigma ^*_1) \notin \{\text {queries } m_i'\}\).
If \(\mathcal {A}\) wins the simulated X-SUF-CMA security game, \((m^*, \sigma ^*) \notin \{(m_i, \sigma _i) \mid m_i \text { query}, \sigma _i \text { response}\}\). If this is the case, we need to show that \(\mathcal {B}\) has never received \(\sigma _2^*\) as a response from \(\mathcal {C}_{\varSigma _2}\) to the signing query \(( m^*, \sigma ^*_1)\). Assuming that \(\left( ( m^*, \sigma ^*_1), \sigma ^*_2\right) = (m'_i, \sigma _{2, i})\) for some query-response pair \((m'_i, \sigma _{2, i})\) in \(\mathcal {B}\)’s interaction with \(\mathcal {C}_{\varSigma _2}\), we obtain that \((m^*, \sigma ^*) = (m_i, \sigma _i)\), which contradicts that \(\mathcal {A}\)’s forgery was successful.
Both in the X-EUF-CMA case and in the X-SUF-CMA case, if \(\mathcal {A}\) has sent a successful forgery, then \(\mathcal {H}(\varSigma _1, \varSigma _2).\mathtt {Verify(}m^*,\sigma ^*,\textsf{pk}\mathtt {)} = \textsf{true}\) holds, and hence \(\varSigma _2.\mathtt {Verify(}(m^*, \sigma ^*_1),\sigma ^*_2,\textsf{pk}_2\mathtt {)}\) holds as well.
It follows that \(\mathcal {B}\) wins the X-EUF-CMA (resp. X-SUF-CMA) security game for \(\varSigma _2\) with probability \(p_\mathcal {B} \ge p_{\mathcal {A}}\).
Finally, as \(\varSigma _2\) is X-EUF-CMA (resp. X-SUF-CMA) secure, , and therefore .
Since \(\mathcal {A}\) was chosen arbitrarily, we obtain that every X-adversary has negligible probability in winning \(\mathcal {H}(\varSigma _1, \varSigma _2)\)’s X-EUF-CMA (resp. X-SUF-CMA) security game. \(\square \)
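As an added example (not code from the paper or from OpenSK), the hybrid construction \(\mathcal {H}(\varSigma _1, \varSigma _2)\) that the proof above relies on, written in Go: \(\varSigma _1\) is ECDSA over P-256 as on the security key, while Ed25519 stands in for Dilithium, an assumption made only because the Go standard library has no Dilithium and the combinator does not depend on which scheme plays \(\varSigma _2\). The length-prefixed encoding of \((m, \sigma _1)\), the type names and the demo key generation are this example's own choices.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/ed25519"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
)

// Scheme is the minimal signature interface the hybrid combinator H(S1, S2) needs.
type Scheme interface {
	Sign(msg []byte) ([]byte, error)
	Verify(msg, sig []byte) bool
}
// Hybrid signs m with S1, then signs m' := (m, sigma_1) with S2, so sigma_1 is bound into sigma_2.
type Hybrid struct{ S1, S2 Scheme }
// encode serialises the pair (m, sigma_1) with a length prefix so it parses unambiguously.
func encode(m, sig1 []byte) []byte {
	out := make([]byte, 4, 4+len(m)+len(sig1))
	binary.BigEndian.PutUint32(out, uint32(len(m)))
	return append(append(out, m...), sig1...)
}
func (h Hybrid) Sign(m []byte) (sig1, sig2 []byte, err error) {
	if sig1, err = h.S1.Sign(m); err == nil {
		sig2, err = h.S2.Sign(encode(m, sig1))
	}
	return
}
// Verify accepts only if both components verify; S2 is checked over (m, sigma_1), not over m.
func (h Hybrid) Verify(m, sig1, sig2 []byte) bool {
	return h.S1.Verify(m, sig1) && h.S2.Verify(encode(m, sig1), sig2)
}

// ecdsaP256 plays Sigma_1 (ECDSA/P-256/SHA-256); ed25519Standin plays Sigma_2 in place of Dilithium (assumption).
type ecdsaP256 struct{ key *ecdsa.PrivateKey }
type ed25519Standin struct{ pub, priv []byte }
func digest(m []byte) []byte { d := sha256.Sum256(m); return d[:] }
func (e ecdsaP256) Sign(m []byte) ([]byte, error) { return ecdsa.SignASN1(rand.Reader, e.key, digest(m)) }
func (e ecdsaP256) Verify(m, sig []byte) bool { return ecdsa.VerifyASN1(&e.key.PublicKey, digest(m), sig) }
func (e ed25519Standin) Sign(m []byte) ([]byte, error) { return ed25519.Sign(e.priv, m), nil }
func (e ed25519Standin) Verify(m, sig []byte) bool { return ed25519.Verify(e.pub, m, sig) }

// NewDemoHybrid generates fresh demo keys for both components (constructed here, not a security key's keys).
func NewDemoHybrid() (Hybrid, error) {
	k1, err1 := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	pub, priv, err2 := ed25519.GenerateKey(rand.Reader)
	if err1 != nil { err2 = err1 }
	return Hybrid{ecdsaP256{k1}, ed25519Standin{pub, priv}}, err2
}
```

Flipping one byte of \(\sigma _1\) makes Verify reject even though \(\sigma _2\) is untouched, because \(\varSigma _2\) signed \((m, \sigma _1)\); this is exactly the binding the reduction in the proof uses to turn a hybrid forgery into a \(\varSigma _2\) forgery.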
© 2023 The Author(s), under exclusive license to Springer Nature Switzerland AG
Cite this paper
Ghinea, D. et al. (2023). Hybrid Post-quantum Signatures in Hardware Security Keys. In: Zhou, J., et al. Applied Cryptography and Network Security Workshops. ACNS 2023. Lecture Notes in Computer Science, vol 13907. Springer, Cham. https://doi.org/10.1007/978-3-031-41181-6_26
DOI: https://doi.org/10.1007/978-3-031-41181-6_26
Publisher Name: Springer, Cham
Print ISBN: 978-3-031-41180-9
Online ISBN: 978-3-031-41181-6