MR-DSS – Smaller MinRank-Based (Ring-)Signatures

Conference paper. Post-Quantum Cryptography (PQCrypto 2022)

Abstract

In light of NIST's announced reopening of the call for digital signature proposals in 2023 due to a lack of diversity, there is a strong need for constructions based on other established hardness assumptions. In this work we construct a new post-quantum secure digital signature scheme based on the MinRank problem, a problem with a long history of applications in cryptanalysis that has led to a strong belief in its hardness. Initially following a design by Courtois (Asiacrypt '01) based on the Fiat–Shamir transform, we make use of several recent developments in the design of sigma protocols to reduce signature size and improve efficiency. This includes the recently introduced sigma protocol with helper paradigm (Eurocrypt '19) and combinations with cut-and-choose techniques (CCS '18). Moreover, we introduce several improvements to the core of the scheme to further reduce its signature size.

As a second contribution, we formalize the natural extension of our construction to a ring signature scheme and show that it achieves the desired anonymity and unforgeability guarantees. Our ring signature is characterized by a sublinear scaling of the signature size in the number of users. Moreover, we achieve competitive practical signature sizes for a moderate number of users in comparison to recent ring signature proposals.

C. Sanna is a member of GNSAGA of INdAM, and of CrypTO, the group of Cryptography and Number Theory of Politecnico di Torino.

Notes

  1. The big-k algorithm is called big-m in [24].

References

  1. Abdalla, M., An, J.H., Bellare, M., Namprempre, C.: From identification to signatures via the Fiat-Shamir transform: minimizing assumptions for security and forward-security. In: Knudsen, L.R. (ed.) EUROCRYPT 2002. LNCS, vol. 2332, pp. 418–433. Springer, Heidelberg (2002). https://doi.org/10.1007/3-540-46035-7_28

  2. Au, M.H., Liu, J.K., Susilo, W., Yuen, T.H.: Secure ID-based linkable and revocable-iff-linked ring signature with constant-size construction. Theoret. Comput. Sci. 469, 1–14 (2013)

  3. Bard, G.V.: Accelerating cryptanalysis with the method of four Russians. Cryptology ePrint Archive (2006)

  4. Bardet, M., et al.: Improvements of algebraic attacks for solving the rank decoding and MinRank problems. In: Moriai, S., Wang, H. (eds.) ASIACRYPT 2020. LNCS, vol. 12491, pp. 507–536. Springer, Cham (2020). https://doi.org/10.1007/978-3-030-64837-4_17

  5. Bardet, M., Bertin, M.: Improvement of algebraic attacks for solving superdetermined MinRank instances. CoRR abs/2208.01442 (2022). https://doi.org/10.48550/arXiv.2208.01442

  6. Bardet, M., Briaud, P., Bros, M., Gaborit, P., Tillich, J.P.: Revisiting algebraic attacks on MinRank and on the rank decoding problem. Cryptology ePrint Archive, Paper 2022/1031 (2022). https://eprint.iacr.org/2022/1031

  7. Barenghi, A., Biasse, J.-F., Persichetti, E., Santini, P.: LESS-FM: fine-tuning signatures from the code equivalence problem. In: Cheon, J.H., Tillich, J.-P. (eds.) PQCrypto 2021. LNCS, vol. 12841, pp. 23–43. Springer, Cham (2021). https://doi.org/10.1007/978-3-030-81293-5_2

  8. Barenghi, A., Biasse, J.F., Ngo, T., Persichetti, E., Santini, P.: Advanced signature functionalities from the code equivalence problem. Int. J. Comput. Math. Comput. Syst. Theory 7(2), 112–128 (2022)

  9. Barenghi, A., Biasse, J.F., Persichetti, E., Santini, P.: On the computational hardness of the code equivalence problem in cryptography. Cryptology ePrint Archive (2022)

  10. Baum, C., Nof, A.: Concretely-efficient zero-knowledge arguments for arithmetic circuits and their application to lattice-based cryptography. In: Kiayias, A., Kohlweiss, M., Wallden, P., Zikas, V. (eds.) PKC 2020. LNCS, vol. 12110, pp. 495–526. Springer, Cham (2020). https://doi.org/10.1007/978-3-030-45374-9_17

  11. Bellini, E., Caullery, F., Gaborit, P., Manzano, M., Mateu, V.: Improved Veron identification and signature schemes in the rank metric. In: IEEE International Symposium on Information Theory, pp. 1872–1876 (2019)

  12. Bellini, E., Gaborit, P., Hasikos, A., Mateu, V.: Enhancing code based zero-knowledge proofs using rank metric. In: Krenn, S., Shulman, H., Vaudenay, S. (eds.) CANS 2020. LNCS, vol. 12579, pp. 570–592. Springer, Cham (2020). https://doi.org/10.1007/978-3-030-65411-5_28

  13. Bender, A., Katz, J., Morselli, R.: Ring signatures: stronger definitions, and constructions without random oracles. J. Cryptol. 22(1), 114–138 (2009)

  14. Beullens, W.: Improved cryptanalysis of UOV and rainbow. In: Canteaut, A., Standaert, F.-X. (eds.) EUROCRYPT 2021. LNCS, vol. 12696, pp. 348–373. Springer, Cham (2021). https://doi.org/10.1007/978-3-030-77870-5_13

  15. Beullens, W., Katsumata, S., Pintore, F.: Calamari and Falafl: logarithmic (linkable) ring signatures from isogenies and lattices. In: Moriai, S., Wang, H. (eds.) ASIACRYPT 2020. LNCS, vol. 12492, pp. 464–492. Springer, Cham (2020). https://doi.org/10.1007/978-3-030-64834-3_16

  16. Beullens, W.: Not enough LESS: an improved algorithm for solving code equivalence problems over \(\mathbb{F}_q\). In: Dunkelman, O., Jacobson, Jr., M.J., O’Flynn, C. (eds.) SAC 2020. LNCS, vol. 12804, pp. 387–403. Springer, Cham (2021). https://doi.org/10.1007/978-3-030-81652-0_15

  17. Beullens, W.: Sigma protocols for MQ, PKP and SIS, and fishy signature schemes. In: Canteaut, A., Ishai, Y. (eds.) EUROCRYPT 2020. LNCS, vol. 12107, pp. 183–211. Springer, Cham (2020). https://doi.org/10.1007/978-3-030-45727-3_7

  18. Biasse, J.-F., Micheli, G., Persichetti, E., Santini, P.: LESS is more: code-based signatures without syndromes. In: Nitaj, A., Youssef, A. (eds.) AFRICACRYPT 2020. LNCS, vol. 12174, pp. 45–65. Springer, Cham (2020). https://doi.org/10.1007/978-3-030-51938-4_3

  19. Billet, O., Gilbert, H.: Cryptanalysis of rainbow. In: De Prisco, R., Yung, M. (eds.) SCN 2006. LNCS, vol. 4116, pp. 336–347. Springer, Heidelberg (2006). https://doi.org/10.1007/11832072_23

  20. Briaud, P., Tillich, J.-P., Verbel, J.: A polynomial time key-recovery attack on the Sidon cryptosystem. In: AlTawy, R., Hülsing, A. (eds.) SAC 2021. LNCS, vol. 13203, pp. 419–438. Springer, Cham (2022). https://doi.org/10.1007/978-3-030-99277-4_20

  21. Buss, J.F., Frandsen, G.S., Shallit, J.O.: The computational complexity of some problems of linear algebra. J. Comput. Syst. Sci. 58(3), 572–596 (1999)

  22. Cabarcas, D., Smith-Tone, D., Verbel, J.A.: Key recovery attack for ZHFE. In: Lange, T., Takagi, T. (eds.) PQCrypto 2017. LNCS, vol. 10346, pp. 289–308. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-59879-6_17

  23. Courtois, N.T.: Efficient zero-knowledge authentication based on a linear algebra problem MinRank. In: Boyd, C. (ed.) ASIACRYPT 2001. LNCS, vol. 2248, pp. 402–421. Springer, Heidelberg (2001). https://doi.org/10.1007/3-540-45682-1_24

  24. Courtois, N.T.: La sécurité des primitives cryptographiques basées sur des problèmes algébriques multivariables: MQ, IP, MinRank, HFE. Ph.D. thesis, Université de Paris 6 - Pierre et Marie Curie (2001)

  25. Dodis, Y., Kiayias, A., Nicolosi, A., Shoup, V.: Anonymous identification in ad hoc groups. In: Cachin, C., Camenisch, J.L. (eds.) EUROCRYPT 2004. LNCS, vol. 3027, pp. 609–626. Springer, Heidelberg (2004). https://doi.org/10.1007/978-3-540-24676-3_36

  26. Esgin, M.F., Zhao, R.K., Steinfeld, R., Liu, J.K., Liu, D.: MatRiCT: efficient, scalable and post-quantum blockchain confidential transactions protocol. In: Proceedings of the 2019 ACM SIGSAC Conference on Computer and Communications Security, pp. 567–584 (2019)

  27. Faugère, J.C., Safey El Din, M., Spaenlehauer, P.J.: Computing loci of rank defects of linear matrices using Gröbner bases and applications to cryptology. In: Proceedings of the 2010 International Symposium on Symbolic and Algebraic Computation, ISSAC 2010, pp. 257–264 (2010)

  28. Feneuil, T., Joux, A., Rivain, M.: Shared permutation for syndrome decoding: new zero-knowledge protocol and code-based signature. Cryptology ePrint Archive (2021)

  29. Feneuil, T., Joux, A., Rivain, M.: Syndrome decoding in the head: shorter signatures from zero-knowledge proofs. Cryptology ePrint Archive (2022)

  30. Gaborit, P., Schrek, J., Zémor, G.: Full cryptanalysis of the Chen identification protocol. In: Yang, B.-Y. (ed.) PQCrypto 2011. LNCS, vol. 7071, pp. 35–50. Springer, Heidelberg (2011). https://doi.org/10.1007/978-3-642-25405-5_3

  31. Goubin, L., Courtois, N.T.: Cryptanalysis of the TTM cryptosystem. In: Okamoto, T. (ed.) ASIACRYPT 2000. LNCS, vol. 1976, pp. 44–57. Springer, Heidelberg (2000). https://doi.org/10.1007/3-540-44448-3_4

  32. Gueron, S., Persichetti, E., Santini, P.: Designing a practical code-based signature scheme from zero-knowledge proofs with trusted setup. Cryptography 6(1), 5 (2022)

  33. Ishai, Y., Kushilevitz, E., Ostrovsky, R., Sahai, A.: Zero-knowledge proofs from secure multiparty computation. SIAM J. Comput. 39(3), 1121–1152 (2009)

  34. Katz, J., Kolesnikov, V., Wang, X.: Improved non-interactive zero knowledge with applications to post-quantum signatures. In: Proceedings of the ACM Conference on Computer and Communications Security, pp. 525–537 (2018)

  35. Kipnis, A., Shamir, A.: Cryptanalysis of the HFE public key cryptosystem by relinearization. In: Wiener, M. (ed.) CRYPTO 1999. LNCS, vol. 1666, pp. 19–30. Springer, Heidelberg (1999). https://doi.org/10.1007/3-540-48405-1_2

  36. Linton, S., Nebe, G., Niemeyer, A., Parker, R., Thackray, J.: A parallel algorithm for Gaussian elimination over finite fields. arXiv preprint arXiv:1806.04211 (2018)

  37. Lu, X., Au, M.H., Zhang, Z.: Raptor: a practical lattice-based (linkable) ring signature. In: Deng, R.H., Gauthier-Umaña, V., Ochoa, M., Yung, M. (eds.) ACNS 2019. LNCS, vol. 11464, pp. 110–130. Springer, Cham (2019). https://doi.org/10.1007/978-3-030-21568-2_6

  38. Lyubashevsky, V.: Fiat-Shamir with aborts: applications to lattice and factoring-based signatures. In: Matsui, M. (ed.) ASIACRYPT 2009. LNCS, vol. 5912, pp. 598–616. Springer, Heidelberg (2009). https://doi.org/10.1007/978-3-642-10366-7_35

  39. MATZOV: Report on the security of LWE: improved dual lattice attack (2022)

  40. Moody, D., et al.: Status report on the second round of the NIST post-quantum cryptography standardization process (2020)

  41. Moody, D., Perlner, R., Smith-Tone, D.: Key recovery attack on the cubic ABC simple matrix multivariate encryption scheme. In: Avanzi, R., Heys, H. (eds.) SAC 2016. LNCS, vol. 10532, pp. 543–558. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-69453-5_29

  42. Ohta, K., Okamoto, T.: A digital multisignature scheme based on the Fiat-Shamir scheme. In: Imai, H., Rivest, R.L., Matsumoto, T. (eds.) ASIACRYPT 1991. LNCS, vol. 739, pp. 139–148. Springer, Heidelberg (1993). https://doi.org/10.1007/3-540-57332-1_11

  43. Peikert, C.: He gives C-Sieves on the CSIDH. In: Canteaut, A., Ishai, Y. (eds.) EUROCRYPT 2020. LNCS, vol. 12106, pp. 463–492. Springer, Cham (2020). https://doi.org/10.1007/978-3-030-45724-2_16

  44. Santoso, B., Ikematsu, Y., Nakamura, S., Yasuda, T.: Three-pass identification scheme based on MinRank problem with half cheating probability. https://arxiv.org/abs/2205.03255

  45. Smith-Tone, D., Verbel, J.: A rank attack against extension field cancellation. In: Ding, J., Tillich, J.-P. (eds.) PQCrypto 2020. LNCS, vol. 12100, pp. 381–401. Springer, Cham (2020). https://doi.org/10.1007/978-3-030-44223-1_21

  46. Stern, J.: A new identification scheme based on syndrome decoding. In: Stinson, D.R. (ed.) CRYPTO 1993. LNCS, vol. 773, pp. 13–21. Springer, Heidelberg (1994). https://doi.org/10.1007/3-540-48329-2_2

  47. Strassen, V., et al.: Gaussian elimination is not optimal. Numer. Math. 13(4), 354–356 (1969)

  48. Tao, C., Petzoldt, A., Ding, J.: Efficient key recovery for all HFE signature variants. In: Malkin, T., Peikert, C. (eds.) CRYPTO 2021. LNCS, vol. 12825, pp. 70–93. Springer, Cham (2021). https://doi.org/10.1007/978-3-030-84242-0_4

  49. Véron, P.: Improved identification schemes based on error-correcting codes. Appl. Algebra Eng. Commun. Comput. 8(1), 57–69 (1996)

Corresponding author

Correspondence to Javier Verbel.

Appendices

A A Commitment Scheme

In this section we give the formal definition of a computationally hiding and computationally binding commitment scheme.

Definition 3 (Computational hiding)

We say that \(\textsf{Com}\) is computationally hiding if for all polynomial time algorithms \(\mathcal {A}\), and every pair of messages m, \(m^\prime \) the advantage \(\textsf{Adv}^\textrm{hiding}_{\textsf{Com}}(\mathcal {A}, m, m^\prime )\) is a negligible function of the security parameter \(\lambda \), where

$$\begin{aligned} \displaystyle \textsf{Adv}^\textrm{hiding}_{\textsf{Com}}(\mathcal {A}, m, m^\prime ) := \left| \Pr _{\textsf{bits}\,{\mathop {\leftarrow }\limits ^{\,\$}}\, \{0,1\}^\lambda }\left[ \mathcal {A}\big (\textsf{Com}(\textsf{bits}, m)\big ) = 1\right] - \Pr _{\textsf{bits}\,{\mathop {\leftarrow }\limits ^{\,\$}}\, \{0,1\}^\lambda }\left[ \mathcal {A}\big (\textsf{Com}(\textsf{bits}, m^\prime )\big ) = 1\right] \right| . \end{aligned}$$

Definition 4 (Computational binding)

We say that \(\textsf{Com}\) is computationally binding if for all polynomial time algorithms \(\mathcal {A}\), the advantage \(\textsf{Adv}^\textrm{binding}_{\textsf{Com}}(\mathcal {A})\) is a negligible function of the security parameter \(\lambda \), where

$$\begin{aligned} \textsf{Adv}^\textrm{binding}_{\textsf{Com}}(\mathcal {A}) = \Pr \left[ \textsf{Com}(\textsf{bits}, m) = \textsf{Com}(\textsf{bits}^\prime , m^\prime ) \mid (\textsf{bits}, m, \textsf{bits}^\prime , m^\prime ) \leftarrow \mathcal {A}(1^\lambda ) \right] . \end{aligned}$$

B Ring Signatures

In the following we give the formal definition of a ring signature scheme.

Definition 5 (Ring signature scheme)

A ring signature scheme is a triple of polynomial time algorithms \((\textsf {Gen}, \textsf {Sign}, \textsf {Verify})\) that generate keys, sign a message, and verify the signature of a message, respectively. Formally:

  • \(\textsf {Gen}(1^\lambda )\) outputs a key pair \((\textsf{pk}, \textsf{sk})\), where \(\textsf{pk}\) denotes the public key and \(\textsf{sk}\) its corresponding secret key.

  • \(\textsf {Sign}_{\textsf{sk}_{i}}(\textsf {msg}, \textsf {R})\) outputs a signature \(\sigma \) of the message \(\textsf {msg}\) with respect to the ring \(\textsf {R}= (\textsf{pk}_1,\ldots , \textsf{pk}_u)\). Here it is assumed that: (1) \((\textsf{pk}_{i}, \textsf{sk}_{i})\) is a valid key-pair output by \(\textsf {Gen}\); (2) \(| \textsf {R}| \ge 2\); and (3) each public key in the ring is distinct.

  • \(\textsf {Verify}_{\textsf {R}}(\textsf {msg}, \sigma )\) verifies a signature \(\sigma \) of the message \(\textsf {msg}\) with respect to \(\textsf {R}\).

We say that a ring signature scheme is correct if it satisfies the following correctness condition: for every \(\lambda \) and for every set of outputs \(\{(\textsf{pk}_i, \textsf{sk}_i)\}_{i=1}^{u}\) of \(\textsf {Gen}(1^\lambda )\) it holds that

$$\begin{aligned} \textsf {Verify}_{\textsf {R}}(\textsf {msg}, \textsf {Sign}_{\textsf{sk}_{i}}(\textsf {msg}, \textsf {R})) = 1, \end{aligned}$$

where \(\textsf {R}= (\textsf{pk}_1,\ldots , \textsf{pk}_u)\).

B.1 Security Definitions

Next we give the security definitions for ring signatures following Bender, Katz, and Morselli [13].

Definition 6 (Anonymity w.r.t adversarially-chosen keys)

Let \((\textsf {Gen}, \textsf {Sign}, \textsf {Verify})\) be a ring signature scheme, \(u(\cdot )\) a polynomial, and let \(\mathcal {A}\) be a PPT adversary. Consider the following game:

  1. The key pairs \(\{(\textsf{pk}_{i}, \textsf{sk}_{i})\}_{i=1}^{u(\lambda )}\) are generated using \(\textsf {Gen}(1^\lambda )\), and the set of public keys \(S := \{\textsf{pk}_{i}\}_{i=1}^{u(\lambda )}\) is given to \(\mathcal {A}\).

  2. \(\mathcal {A}\) is given access to an oracle \(\textsf {OSign}(\cdot , \cdot , \cdot )\) such that for every \(\textsf {R}\) and \(1\le i\le u(\lambda )\) it holds \(\textsf {OSign}(i, \textsf {msg}, \textsf {R}):= \textsf {Sign}_{\textsf{sk}_{i}}(\textsf {msg}, \textsf {R})\), where \(\textsf{pk}_{i} \in \textsf {R}\).

  3. \(\mathcal {A}\) outputs a message \(\textsf {msg}\) and a ring \(\textsf {R}\) that contains at least two public keys \(\textsf{pk}_{i_0}, \textsf{pk}_{i_1}\in S\).

  4. A challenge signature \(\sigma \leftarrow \textsf {Sign}_{\textsf{sk}_{i_b}}(\textsf {msg}, \textsf {R})\), where \(b {\mathop {\leftarrow }\limits ^{\,\$}}\{0,1\}\) is a random bit, is given to \(\mathcal {A}\).

  5. \(\mathcal {A}\) outputs a bit \(b'\), and it succeeds if \(b ' = b\).

We say \((\textsf {Gen}, \textsf {Sign}, \textsf {Verify})\) achieves Anonymity w.r.t adversarially-chosen keys if, for any PPT \(\mathcal {A}\) and any polynomial \(u(\cdot )\), the success probability of \(\mathcal {A}\) in the aforementioned game is negligibly close to \(\frac{1}{2}\).

Note that, in contrast to the weaker security notion of basic anonymity, the property of anonymity w.r.t adversarially-chosen keys allows the adversary to inject its own public keys into \(\textsf {R}\). This holds both for the usage of the oracle in step 2 and when providing the challenge data in step 3.

Definition 7 (Unforgeability against fixed-ring attacks)

We say that a ring signature \((\textsf {Gen}, \textsf {Sign}, \textsf {Verify})\) is unforgeable against fixed-ring attacks if for any \(\textsf {PPT}\) adversary \(\mathcal {A}\) and for any polynomial \(u(\cdot )\), the probability that \(\mathcal {A}\) succeeds in the following game is negligible:

  1. The key pairs \(\{(\textsf{pk}_{i}, \textsf{sk}_{i})\}_{i=1}^{u(\lambda )}\) are generated using \(\textsf {Gen}(1^\lambda )\), and the set of public keys \(\textsf {R}:=\{\textsf{pk}_{i}\}_{i=1}^{u(\lambda )} \) is given to \(\mathcal {A}\).

  2. \(\mathcal {A}\) is given access to a signing oracle \(\textsf {OSign}(\cdot , \cdot )\), where \(\textsf {OSign}(i, \textsf {msg})\) outputs \(\textsf {Sign}_{\textsf{sk}_{i}}(\textsf {msg}, \textsf {R})\).

  3. \(\mathcal {A}\) outputs \((\textsf {msg}^*, \sigma ^*)\), and succeeds if \(\textsf {Verify}(\textsf {msg}^*, \sigma ^*) = 1\) and also \(\mathcal {A}\) never made a query of the form \(\textsf {OSign}(*, \textsf {msg}^*)\).

B.2 Proofs

In the following we prove the correctness, anonymity, and unforgeability of our ring-signature scheme defined in Sect. 5.1.

Correctness. Let \(\boldsymbol{\varepsilon }_{i}\) be the i-th canonical vector in \(\mathbb {F}_{q}^{u}\) and \(\textsf{sk}_i\) denote the secret key of the i-th user in the ring \(\textsf {R}\). Clearly, \(\gamma _i:=(\textsf{sk}_i, \boldsymbol{\varepsilon }_{i})\) is a solution to the MinRank problem defined on \(\widetilde{\boldsymbol{M}}:=(\boldsymbol{M}, \textsf {R})\). The correctness of the ring signature scheme now follows from the correctness of our basic signature scheme by observing that

$$ \textsf {Verify}_\textsf {R}\big (\textsf {msg},\textsf {Sign}_{\textsf{sk}_i}(\textsf {msg},\textsf {R})\big )=\textsf {MR\hbox {-}Verify}_{\widetilde{\boldsymbol{M}}}\big (\textsf {msg},\textsf {MR\hbox {-}Sign}_{\gamma _i}(\textsf {msg})\big ). $$
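The correctness argument above, as an added Python toy example (not code from the paper or its authors): it assumes the homogeneous MinRank formulation in which the witness \(\gamma_i = (\textsf{sk}_i, \boldsymbol{\varepsilon}_i)\) makes \(\sum_j \textsf{sk}_{i,j} \boldsymbol{M}_j + \textsf{pk}_i\) a matrix of rank at most r, and a key generation that plants exactly such a key. The page does not define the basic scheme of Sect. 5.1, so that formulation, the key generation, and the toy parameters are all assumptions.

```python
import random

# Constructed toy parameters: field F_7, 4x4 matrices, k=3 base matrices,
# target rank r=1, a ring of u=3 users. Not the paper's parameters.
Q, M_ROWS, N_COLS, K, R, USERS = 7, 4, 4, 3, 1, 3

def rank_mod_q(mat, q=Q):
    """Rank of a matrix over F_q via Gaussian elimination (row reduction)."""
    a = [[x % q for x in row] for row in mat]
    rows, cols, rank, col = len(a), len(a[0]), 0, 0
    while rank < rows and col < cols:
        pivot = next((i for i in range(rank, rows) if a[i][col]), None)
        if pivot is None:
            col += 1
            continue
        a[rank], a[pivot] = a[pivot], a[rank]
        inv = pow(a[rank][col], -1, q)
        a[rank] = [(x * inv) % q for x in a[rank]]
        for i in range(rows):
            if i != rank and a[i][col]:
                f = a[i][col]
                a[i] = [(x - f * y) % q for x, y in zip(a[i], a[rank])]
        rank, col = rank + 1, col + 1
    return rank

def lin_comb(coeffs, mats, q=Q):
    """sum_j coeffs[j] * mats[j] over F_q."""
    rows, cols = len(mats[0]), len(mats[0][0])
    out = [[0] * cols for _ in range(rows)]
    for c, mat in zip(coeffs, mats):
        for i in range(rows):
            for j in range(cols):
                out[i][j] = (out[i][j] + c * mat[i][j]) % q
    return out

def random_matrix(rows, cols, rng, q=Q):
    return [[rng.randrange(q) for _ in range(cols)] for _ in range(rows)]

def low_rank_matrix(rows, cols, r, rng, q=Q):
    """E = A * B with A (rows x r) and B (r x cols) has rank at most r."""
    a, b = random_matrix(rows, r, rng), random_matrix(r, cols, rng)
    return [[sum(a[i][t] * b[t][j] for t in range(r)) % q
             for j in range(cols)] for i in range(rows)]

def gen_key(base, rng, q=Q):
    """Assumed key generation: pk = E - sum_j sk_j M_j, so that
    pk + sum_j sk_j M_j = E has rank at most R (the planted witness)."""
    sk = [rng.randrange(q) for _ in range(K)]
    e = low_rank_matrix(M_ROWS, N_COLS, R, rng)
    comb = lin_comb(sk, base)
    pk = [[(e[i][j] - comb[i][j]) % q for j in range(N_COLS)]
          for i in range(M_ROWS)]
    return pk, sk

def ring_witness(sk_i, i, users):
    """gamma_i = (sk_i, eps_i), eps_i the i-th canonical vector of F_q^u."""
    return list(sk_i) + [1 if l == i else 0 for l in range(users)]

def is_minrank_solution(coeffs, mats, r):
    """Non-trivial coefficient vector whose combination has rank <= r."""
    return any(coeffs) and rank_mod_q(lin_comb(coeffs, mats)) <= r

def demo(seed=1):
    """Build M = (M_1..M_K) and a ring R of u public keys, then check that
    every gamma_i solves MinRank on (M, R) while a mismatched pair does not."""
    rng = random.Random(seed)
    base = [random_matrix(M_ROWS, N_COLS, rng) for _ in range(K)]
    keys = [gen_key(base, rng) for _ in range(USERS)]
    m_tilde = base + [pk for pk, _ in keys]  # the extended instance (M, R)
    ok = [is_minrank_solution(ring_witness(sk, i, USERS), m_tilde, R)
          for i, (_, sk) in enumerate(keys)]
    # sk_0 paired with eps_1 is (almost surely) not a solution
    mismatched = is_minrank_solution(ring_witness(keys[0][1], 1, USERS), m_tilde, R)
    return ok, mismatched
```

With these toy parameters the extended instance has k + u = 6 unknown coefficients against (m - r)(n - r) = 9 rank conditions, so by the page's n_sol estimate almost no solutions beyond the planted ones are expected.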

Anonymity w.r.t Adversarially-Chosen Keys. We prove anonymity w.r.t adversarially-chosen keys in the random oracle model by showing the existence of a simulator that, without knowing any of the secret keys corresponding to the public keys in the ring, can produce signatures that are indistinguishable from signatures built by a legitimate user.

First note that from the HVZK property of our sigma protocol in the random oracle model it follows that there exists a simulator \(\mathcal {S}'\) which is able to provide values \(\sigma '\) indistinguishable from legitimate signatures produced with MR-Sign. To construct \(\mathcal {S}'\) we simply follow the Fiat–Shamir transform but using the simulator \(\mathcal {S}\) of our sigma protocol whenever a valid transcript is needed.

Now, recall that the signing operation of our ring signature is a call to MR-Sign with adapted public-key \((\boldsymbol{M},\textsf {R})\), where

$$\begin{aligned} \textsf {Sign}_{\textsf {sk}_{i}}(\textsf {msg},\textsf {R})=\textsf {MR\hbox {-}Sign}_{\textsf {sk}_{i}'}(\textsf {msg}). \end{aligned}$$

Therefore we can use \(\mathcal {S}'\) as a simulator to obtain values \(\sigma '\) which are indistinguishable from legitimate ring signatures.

Now, let \(G_0\) denote the game described in Definition 6. We modify step 4 in \(G_0\) to define a new game \(G_1\). Instead of \(\sigma \leftarrow \textsf {Sign}_{\textsf{sk}_{i_b}}(\textsf {msg}, \textsf {R})\), the output of step 4 in \(G_1\) is \(\sigma ' \leftarrow \mathcal {S}'(\textsf {msg},\textsf {R})\). Notice \(G_0\) and \(G_1\) are indistinguishable games. Hence, the advantage of any adversary \(\mathcal {A}\) against \(G_0\) and \(G_1\) is the same. Also, the challenge \(\sigma '\) given in \(G_1\) does not depend on the bit b chosen in step 3. Therefore, the advantage of an adversary \(\mathcal {A}\) against game \(G_1\) is zero.

Unforgeability Against Fixed-Ring Attacks. Forging a signature for a fixed ring \(\textsf {R}\), i.e., winning the game given in Definition 7, directly reduces to forging a signature for MR-Sign with public-key \((\boldsymbol{M},\textsf {R})\). The unforgeability for MR-Sign now follows from the Fiat–Shamir transform applied to the sigma protocol and its HVZK property.

C A Note on Santoso et al.'s Scheme

The parameters given by Santoso et al. [44] to obtain a security level of \(\lambda \) bits are shown in Table 5.

Table 5. Parameter sets proposed in [44].

Missing Commitments in the Signature Size. The authors of [44] disregard the size of the initial commitments in their analysis of the communication complexity. Taking commitment sizes into account (\(2\lambda \) bits for each hash, to be collision-resistant) the signature size of [44] is given by

$$\begin{aligned} \lambda \left( \frac{29}{2} \lambda + mn \log q + \frac{k}{2} \log q\right) . \end{aligned}$$
(5)

The signature size of Courtois' scheme, in contrast, is given by

$$\begin{aligned} \frac{\lambda }{\log (3/2)} \left( \frac{20}{3}\lambda + \frac{2}{3} mn\log q + \frac{2}{3} k \log q\right) . \end{aligned}$$
(6)

Random Solutions. As stated in Sect. 4.6, a random instance of the MinRank problem with parameters (q, n, m, k, r) has, in expectation, \(n_{sol} := q^{k - (m-r)(n-r)}\) solutions. Some algorithms, e.g., the kernel search algorithm, can directly benefit from multiple solutions, obtaining a speed-up of magnitude \(n_{sol}\) whenever \(n_{sol}>1\). It turns out that the parameter sets given in [44] admit a large number of solutions, which affects their security.

New Security Estimates and Signature Size. Table 6 shows the bit-security of the kernel search algorithm for the parameters suggested in [44]. Note that all the parameter sets fall far below the claimed bit-security, which is 128 for set A, 192 for set B, and 256 for set C. Also, observe that the signature size is larger than that of Courtois' standard scheme for all suggested parameters.

Table 6. Bit-security and signature size for parameter sets proposed in [44].

Copyright information

© 2022 The Author(s), under exclusive license to Springer Nature Switzerland AG

Cite this paper

Bellini, E., Esser, A., Sanna, C., Verbel, J. (2022). MR-DSS – Smaller MinRank-Based (Ring-)Signatures. In: Cheon, J.H., Johansson, T. (eds) Post-Quantum Cryptography. PQCrypto 2022. Lecture Notes in Computer Science, vol 13512. Springer, Cham. https://doi.org/10.1007/978-3-031-17234-2_8

  • DOI: https://doi.org/10.1007/978-3-031-17234-2_8

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-031-17233-5

  • Online ISBN: 978-3-031-17234-2
