Revisiting TESLA in the Quantum Random Oracle Model

  • Erdem Alkim
  • Nina Bindel
  • Johannes Buchmann
  • Özgür Dagdelen
  • Edward Eaton
  • Gus Gutoski
  • Juliane Krämer
  • Filip Pawlega
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 10346)

Abstract

We study a scheme of Bai and Galbraith (CT-RSA’14), also known as TESLA. TESLA was thought to have a tight security reduction from the learning with errors problem (LWE) in the random oracle model (ROM). Moreover, a variant using chameleon hash functions was lifted to the quantum random oracle model (QROM). However, both reductions were later found to be flawed and hence it remained unresolved until now whether TESLA can be proven to be tightly secure in the (Q)ROM.

In the present paper we provide an entirely new, tight security reduction for TESLA from LWE in the QROM (and thus in the ROM). Our security reduction involves the adaptive re-programming of a quantum oracle. Furthermore, we propose parameter sets targeting 128 bits of security against both classical and quantum adversaries and compare TESLA’s performance with state-of-the-art signature schemes.

Keywords

  • Quantum random oracle
  • Post-quantum cryptography
  • Lattice-based cryptography
  • Signature scheme
  • Tight security reduction

Notes

Acknowledgments

We are especially grateful to Peter Schwabe for contributions to our software implementation and to the presentation of the paper. We thank Chris Peikert for pointing out a flaw in previous security reductions for TESLA in the random oracle model. We thank Steven Galbraith and anonymous reviewers for valuable feedback on an earlier version of this manuscript.

This work has been supported by the German Research Foundation (DFG) as part of project P1 within the CRC 1119 CROSSING, by TÜBITAK under 2214-A Doctoral Research Program Grant and 2211-C PhD Scholarship, by Ege University under project 2014-FEN-065, and by CryptoWorks21.

References

  1. Abdalla, M., Fouque, P.-A., Lyubashevsky, V., Tibouchi, M.: Tightly-secure signatures from lossy identification schemes. In: Pointcheval, D., Johansson, T. (eds.) EUROCRYPT 2012. LNCS, vol. 7237, pp. 572–590. Springer, Heidelberg (2012). doi: 10.1007/978-3-642-29011-4_34
  2. Akleylek, S., Bindel, N., Buchmann, J., Krämer, J., Marson, G.A.: An efficient lattice-based signature scheme with provably secure instantiation. In: Pointcheval, D., Nitaj, A., Rachidi, T. (eds.) AFRICACRYPT 2016. LNCS, vol. 9646, pp. 44–60. Springer, Cham (2016). doi: 10.1007/978-3-319-31517-1_3
  3. Albrecht, M.R., Player, R., Scott, S.: On the concrete hardness of learning with errors. J. Math. Cryptol. 9, 169–203 (2015)
  4. Alkim, E., Bindel, N., Buchmann, J., Dagdelen, Ö., Schwabe, P.: TESLA: tightly-secure efficient signatures from standard lattices. Cryptology ePrint Archive, Report 2015/755, version 20161117:055833 (2015)
  5. Alkim, E., Ducas, L., Pöppelmann, T., Schwabe, P.: Post-quantum key exchange – a new hope. In: 25th USENIX Security Symposium. USENIX Association (2016)
  6. Bai, S., Galbraith, S.D.: An improved compression technique for signatures based on learning with errors. In: Benaloh, J. (ed.) CT-RSA 2014. LNCS, vol. 8366, pp. 28–47. Springer, Cham (2014). doi: 10.1007/978-3-319-04852-9_2
  7. El Bansarkhani, R., Buchmann, J.: Improvement and efficient implementation of a lattice-based signature scheme. In: Lange, T., Lauter, K., Lisoněk, P. (eds.) SAC 2013. LNCS, vol. 8282, pp. 48–67. Springer, Heidelberg (2014). doi: 10.1007/978-3-662-43414-7_3
  8. Barreto, P.S.L.M., Longa, P., Naehrig, M., Ricardini, J.E., Zanon, G.: Sharper ring-LWE signatures. Cryptology ePrint Archive, Report 2016/1026 (2016)
  9. Barwood, G.: Digital signatures using elliptic curves. Message 32f519ad.19609226@news.dial.pipex.com posted to sci.crypt (1997). http://groups.google.com/group/sci.crypt/msg/b28aba37180dd6c6
  10. Bellare, M., Hofheinz, D., Yilek, S.: Possibility and impossibility results for encryption and commitment secure under selective opening. In: Joux, A. (ed.) EUROCRYPT 2009. LNCS, vol. 5479, pp. 1–35. Springer, Heidelberg (2009). doi: 10.1007/978-3-642-01001-9_1
  11. Bennett, C.H., Bernstein, E., Brassard, G., Vazirani, U.: Strengths and weaknesses of quantum computing. SIAM J. Comput. 26(5), 1510–1523 (1997)
  12. Bernstein, D.J., Duif, N., Lange, T., Schwabe, P., Yang, B.-Y.: High-speed high-security signatures. In: Preneel, B., Takagi, T. (eds.) CHES 2011. LNCS, vol. 6917, pp. 124–142. Springer, Heidelberg (2011). doi: 10.1007/978-3-642-23951-9_9
  13. Bernstein, D.J., Hopwood, D., Hülsing, A., Lange, T., Niederhagen, R., Papachristodoulou, L., Schneider, M., Schwabe, P., Wilcox-O’Hearn, Z.: SPHINCS: practical stateless hash-based signatures. In: Oswald, E., Fischlin, M. (eds.) EUROCRYPT 2015. LNCS, vol. 9056, pp. 368–397. Springer, Heidelberg (2015). doi: 10.1007/978-3-662-46800-5_15
  14. Bernstein, D.J., Lange, T.: eBACS: ECRYPT benchmarking of cryptographic systems. http://bench.cr.yp.to. Accessed 19 May 2015
  15. Boneh, D., Dagdelen, Ö., Fischlin, M., Lehmann, A., Schaffner, C., Zhandry, M.: Random oracles in a quantum world. In: Lee, D.H., Wang, X. (eds.) ASIACRYPT 2011. LNCS, vol. 7073, pp. 41–69. Springer, Heidelberg (2011). doi: 10.1007/978-3-642-25385-0_3
  16. Bos, J.W., Costello, C., Ducas, L., Mironov, I., Naehrig, M., Nikolaenko, V., Raghunathan, A., Stebila, D.: Frodo: take off the ring! Practical, quantum-secure key exchange from LWE. In: CCS 2016. ACM (2016)
  17. Boyen, X., Li, Q.: Towards tightly secure lattice short signature and id-based encryption. In: Cheon, J.H., Takagi, T. (eds.) ASIACRYPT 2016. LNCS, vol. 10032, pp. 404–434. Springer, Heidelberg (2016). doi: 10.1007/978-3-662-53890-6_14
  18. Chatterjee, S., Koblitz, N., Menezes, A., Sarkar, P.: Another look at tightness II: practical issues in cryptography. Cryptology ePrint Archive, Report 2016/360 (2016)
  19. Chen, A.I.-T., Chen, M.-S., Chen, T.-R., Cheng, C.-M., Ding, J., Kuo, E.L.-H., Lee, F.Y.-S., Yang, B.-Y.: SSE implementation of multivariate PKCs on modern x86 CPUs. In: Clavier, C., Gaj, K. (eds.) CHES 2009. LNCS, vol. 5747, pp. 33–48. Springer, Heidelberg (2009). doi: 10.1007/978-3-642-04138-9_3
  20. Chen, Y., Nguyen, P.Q.: BKZ 2.0: better lattice security estimates. In: Lee, D.H., Wang, X. (eds.) ASIACRYPT 2011. LNCS, vol. 7073, pp. 1–20. Springer, Heidelberg (2011). doi: 10.1007/978-3-642-25385-0_1
  21. Ding, J., Schmidt, D.: Rainbow, a new multivariable polynomial signature scheme. In: Ioannidis, J., Keromytis, A., Yung, M. (eds.) ACNS 2005. LNCS, vol. 3531, pp. 164–175. Springer, Heidelberg (2005). doi: 10.1007/11496137_12
  22. Ducas, L., Durmus, A., Lepoint, T., Lyubashevsky, V.: Lattice signatures and bimodal Gaussians. In: Canetti, R., Garay, J.A. (eds.) CRYPTO 2013. LNCS, vol. 8042, pp. 40–56. Springer, Heidelberg (2013). doi: 10.1007/978-3-642-40041-4_3
  23. Ducas, L.: Accelerating BLISS: the geometry of ternary polynomials. Cryptology ePrint Archive, Report 2014/874 (2014)
  24. Eaton, E., Song, F.: Making existential-unforgeable signatures strongly unforgeable in the quantum random-oracle model. In: 10th Conference on the Theory of Quantum Computation, Communication and Cryptography, TQC 2015 (2015)
  25. Gentry, C., Peikert, C., Vaikuntanathan, V.: Trapdoors for hard lattices and new cryptographic constructions. In: STOC 2008. ACM (2008)
  26. Güneysu, T., Lyubashevsky, V., Pöppelmann, T.: Practical lattice-based cryptography: a signature scheme for embedded systems. In: Prouff, E., Schaumont, P. (eds.) CHES 2012. LNCS, vol. 7428, pp. 530–547. Springer, Heidelberg (2012). doi: 10.1007/978-3-642-33027-8_31
  27. Güneysu, T., Oder, T., Pöppelmann, T., Schwabe, P.: Software speed records for lattice-based signatures. In: Gaborit, P. (ed.) PQCrypto 2013. LNCS, vol. 7932, pp. 67–82. Springer, Heidelberg (2013). doi: 10.1007/978-3-642-38616-9_5
  28. Katz, J., Wang, N.: Efficiency improvements for signature schemes with tight security reductions. In: CCS 2003. ACM (2003)
  29. Kaye, P., Laflamme, R., Mosca, M.: An Introduction to Quantum Computing. Oxford University Press Inc., New York (2007)
  30. Koblitz, N., Menezes, A.: Another look at “provable security”. II. In: Barua, R., Lange, T. (eds.) INDOCRYPT 2006. LNCS, vol. 4329, pp. 148–175. Springer, Heidelberg (2006). doi: 10.1007/11941378_12
  31. Koblitz, N., Menezes, A.: The random oracle model: a twenty-year retrospective. Des. Codes Crypt. 77(2), 587–610 (2015)
  32. Laarhoven, T., Mosca, M., van de Pol, J.: Finding shortest lattice vectors faster using quantum search. Des. Codes Crypt. 77(2), 375–400 (2015)
  33. Lyubashevsky, V.: Lattice signatures without trapdoors. In: Pointcheval, D., Johansson, T. (eds.) EUROCRYPT 2012. LNCS, vol. 7237, pp. 738–755. Springer, Heidelberg (2012). doi: 10.1007/978-3-642-29011-4_43
  34. Micciancio, D., Walter, M.: Fast lattice point enumeration with minimal overhead. In: SODA 2015. SIAM (2015)
  35. Montanaro, A.: Quantum walk speedup of backtracking algorithms. arXiv preprint arXiv:1509.02374 (2016)
  36. M’Raïhi, D., Naccache, D., Pointcheval, D., Vaudenay, S.: Computational alternatives to random number generators. In: Tavares, S., Meijer, H. (eds.) SAC 1998. LNCS, vol. 1556, pp. 72–80. Springer, Heidelberg (1999). doi: 10.1007/3-540-48892-8_6
  37. Nielsen, M.A., Chuang, I.L.: Quantum Computation and Quantum Information. Cambridge University Press, Cambridge, New York (2000)
  38. Peikert, C.: A decade of lattice cryptography. Cryptology ePrint Archive, Report 2015/939 (2015)
  39. Peikert, C., Vaikuntanathan, V., Waters, B.: A framework for efficient and composable oblivious transfer. In: Wagner, D. (ed.) CRYPTO 2008. LNCS, vol. 5157, pp. 554–571. Springer, Heidelberg (2008). doi: 10.1007/978-3-540-85174-5_31
  40. Peikert, C., Waters, B.: Lossy trapdoor functions and their applications. In: STOC 2008. ACM (2008)
  41. Pointcheval, D., Stern, J.: Security proofs for signature schemes. In: Maurer, U. (ed.) EUROCRYPT 1996. LNCS, vol. 1070, pp. 387–398. Springer, Heidelberg (1996). doi: 10.1007/3-540-68339-9_33
  42. Regev, O.: On lattices, learning with errors, random linear codes, and cryptography. In: STOC 2005. ACM (2005)
  43. Schmidt, M.: Estimation of the hardness of the learning with errors problem with a restricted number of samples. GitHub (2017). https://bitbucket.org/Ma_Schmidt/lwe-estimator
  44. Schmidt, M., Bindel, N.: Estimation of the hardness of the learning with errors problem with a restricted number of samples. Cryptology ePrint Archive, Report 2017/140 (2017)
  45. Unruh, D.: Quantum position verification in the random oracle model. In: Garay, J.A., Gennaro, R. (eds.) CRYPTO 2014. LNCS, vol. 8617, pp. 1–18. Springer, Heidelberg (2014). doi: 10.1007/978-3-662-44381-1_1
  46. Wigley, J.: Removing need for RNG in signatures. Message 5gov5dpad@wapping.ecs.soton.ac.uk posted to sci.crypt (1997). http://groups.google.com/group/sci.crypt/msg/a6da45bcc8939a89
  47. Dagdelen, Ö., El Bansarkhani, R., Göpfert, F., Güneysu, T., Oder, T., Pöppelmann, T., Sánchez, A.H., Schwabe, P.: High-speed signatures from standard lattices. In: Aranha, D.F., Menezes, A. (eds.) LATINCRYPT 2014. LNCS, vol. 8895, pp. 84–103. Springer, Cham (2015). doi: 10.1007/978-3-319-16295-9_5

Copyright information

© Springer International Publishing AG 2017

Authors and Affiliations

  • Erdem Alkim (1)
  • Nina Bindel (2)
  • Johannes Buchmann (2)
  • Özgür Dagdelen (3)
  • Edward Eaton (4, 5)
  • Gus Gutoski (4)
  • Juliane Krämer (2)
  • Filip Pawlega (4, 5)
  1. Ege University, İzmir, Turkey
  2. Technische Universität Darmstadt, Darmstadt, Germany
  3. BridgingIT GmbH, Mannheim, Germany
  4. ISARA Corporation, Waterloo, Canada
  5. University of Waterloo, Waterloo, Canada