CsiIBS: A post-quantum identity-based signature scheme based on isogenies

https://doi.org/10.1016/j.jisa.2020.102504

Abstract

Digital signatures are an important cryptographic primitive for authentication. To resist quantum attacks, many post-quantum signature schemes have been proposed. Among them, isogeny-based signature schemes such as SeaSign have developed rapidly in recent years alongside the CSIDH construction. In this paper, inspired by the Fiat-Shamir transform, we construct the first identity-based signature scheme based on isogenies, starting from the isogeny-based identification scheme. We then analyze its security in the random oracle model under the hardness of the isogeny problem and show that it achieves the required security properties. Finally, we evaluate its performance and give the corresponding computational and storage costs.

Introduction

Digital signatures are a major cryptographic primitive used to provide authentication and have served as a security cornerstone in e-business, e-government, privacy protection, blockchain systems, and the Internet of Things [1], [2], [3]. Moreover, as the electronic world carries more and more information and tasks, the security risks it faces keep expanding, making signature technology ever more important. In a traditional standard signature scheme, the signer has a private key and a corresponding public key, both of which are bit strings, and also holds a witness proving that this public key is bound to his/her identity. Before verifying a signature, the verifier must obtain the signer’s public key and verify its legitimacy, that is, the binding between the public key and the identity. The verifier must therefore trust the unique binding between the signer and its public key through a public key authentication framework such as a Public Key Infrastructure (PKI), which provides public key certificates or directories. However, the cost of maintaining public key certificates or directories is enormous. Besides certificate-based systems, many signature systems that do not rely on a certificate mechanism have been proposed, such as identity-based cryptography and certificateless cryptography.

Identity-based cryptography (IBC) is a very important component of modern public-key cryptosystems: it enables a user to use the identity of the interacting party directly as his/her public key, without any witness, such as a certificate, to prove the legitimacy of that public key. The concept of identity-based cryptography was first introduced by Adi Shamir [4] at CRYPTO’84. In this setting, the Key Generation Center (KGC) is a trusted third party that securely holds a randomly generated system master secret key and publishes the corresponding system master public key. A user sends his/her identity (such as an institution name or e-mail address) to the KGC to obtain the user secret key. After receiving a signed message, the verifier needs only the system master public key and the signer’s identity to verify the authenticity of the signature.

The first identity-based signature (IBS) scheme, based on the hardness of factoring large integers, was also proposed by Shamir, but it was not practical. With the development of pairing-based cryptography, many bilinear-pairing-based IBS schemes [5], [6], [7], [8], [9], [10] have been constructed to resist classical attacks. Although these schemes are very efficient in practice, most of them rely on the hardness of the discrete logarithm problem and the large integer factoring problem, which can be broken efficiently by quantum algorithms such as Shor’s algorithm [11] once large-scale quantum computers exist. To overcome the challenges posed by quantum computing, it is crucial to find practical IBS schemes that resist quantum attacks. So far, the common post-quantum cryptographic primitives fall into the following categories: lattice-based cryptography, code-based cryptography, hash-based cryptography, and multivariate cryptography. Lattice-based cryptography in particular is the most competitive post-quantum research hotspot. Many lattice-based IBS schemes [12], [13], [14], [15] have been proposed, but their large key and signature sizes limit their wide application to some extent.

Isogeny-based cryptography is another promising approach to achieving security against both classical and quantum attacks. It started in 2006, and recent research has shown its advantages. For example, the sizes of public keys and signatures can be close to those of current practical signature schemes. Especially in key exchange and public key encryption, the low communication cost gives this family a great advantage in the post-quantum cryptography competition. However, isogeny-based signature schemes [16], [17] often rely on generic transforms such as Fiat-Shamir [18] or Unruh [19], which makes it difficult to reach practical signing efficiency and signature size. Fortunately, a new signature scheme called “SeaSign” was introduced by De Feo and Galbraith [20] based on a special parameter set. Later, Beullens et al. [21] introduced a new method to compute the group action using the related lattice and proposed a new signature scheme that can sign three messages per second with 263 bytes per signature.

As far as we know, there is no IBS scheme based on elliptic curve isogenies. Therefore, building on previous work, we try to construct an isogeny-based IBS scheme for practical use.

In this paper, we propose a new isogeny-based IBS scheme, which is the first known identity-based signature scheme on isogenies. Specifically, we make the following four contributions:

First, we review the identification scheme based on isogenies and extend it to a variant, called the multi-challenge isogeny identification scheme, which reduces the communication cost and improves the computational efficiency per authentication.

Second, we introduce the proposed scheme CsiIBS, whose security is based on the isogeny problem, and show how two transforms are used to build the signature scheme from the isogeny identification scheme.

Third, through a security analysis, we prove that the IBS scheme is existentially unforgeable under chosen-identity and chosen-message attacks (UF-CMA) under the complexity assumption of the group action inverse problem. Moreover, we optimize the configuration of the parameter set while ensuring security.

Finally, we analyze the computation cost and communication cost under different parameter sets and use an optimized algorithm, which uses the related lattice to evaluate group action, to improve the implementation efficiency. In addition, we give a set of optimal parameters so that the signing/verification takes about 1.5s, and the signature size is only about 6KB.

Isogeny-based cryptography is a very young field of public-key cryptography and a major innovation in elliptic curve cryptography. In 1997, Couveignes [22] first proposed this form of cryptography in a talk, and the same idea was independently rediscovered in 2006 by Rostovtsev and Stolbunov [23]. Couveignes, Rostovtsev, and Stolbunov (hereafter CRS) introduced an isogeny-based identification scheme and an isogeny-based Diffie-Hellman scheme (for public-key encryption and key agreement) using the group action of the endomorphism ring of ordinary elliptic curves. However, its computational inefficiency makes it impractical: at the 128-bit security level, a key exchange operation takes 229ms [24]. Worse, a subexponential quantum algorithm for constructing ordinary isogenies was proposed by Childs, Jao, and Soukharev [25]. Schemes based on ordinary elliptic curve isogenies are therefore not suitable.

A different approach is to consider supersingular elliptic curve isogenies, which offer fast computation and resistance to the attack algorithm of Childs et al. Jao and De Feo [26] successfully constructed public key encryption and key exchange based on supersingular isogenies, and proposed a new hard problem, now known as SIDH (Supersingular Isogeny Diffie-Hellman). Plût [27] extended this work to an identification scheme and optimized the implementation of SIDH, achieving a runtime of roughly 0.06 seconds per key exchange operation. Subsequent research has proposed techniques to improve efficiency [28] and compress public keys [29], [30]. SIKE, a candidate in NIST’s post-quantum standardization project, is a post-quantum key encapsulation scheme based on SIDH.

Various authentication schemes [27], [31], [32] based on supersingular isogenies have been proposed. However, these schemes are not general-purpose digital signature schemes. Classically, the Fiat-Shamir transform [18] is the generic technique that turns an interactive zero-knowledge proof into a secure digital signature. Later, several signature schemes were built using such transforms.

Yoo et al. [16] proposed and implemented an isogeny-based digital signature scheme based on SIDH using Unruh’s transform [19]. Unruh’s generic post-quantum construction [19] produces a secure signature scheme from an interactive zero-knowledge proof protocol in the quantum random oracle model (QROM). However, its overhead is generally much larger than that of the Fiat-Shamir transform, which makes the resulting signature scheme impractical. In addition, their signature scheme inherits the disadvantages of SIDH, i.e. parameters of a particular form and the public transmission of auxiliary points.

Independently of the work of Yoo et al., Galbraith, Petit, and Silva [17] published the same scheme as their first signature scheme, but they gave an optimized way to compress the signature from 100KB to about 12KB. Furthermore, they constructed a new identification scheme based on the problem of computing the endomorphism rings of supersingular elliptic curves, and then built their second signature scheme from it using the Fiat-Shamir or Unruh transform.

Recently, Castryck et al. [33] made a major improvement to the CRS scheme by constructing it on supersingular curves over Fp and restricting the endomorphism ring to Fp-rational endomorphisms. The proposed primitive is called CSIDH (pronounced “sea-side”), for Commutative Supersingular Isogeny Diffie-Hellman. The main advantage of restricting to this subring is that the class group action can be computed very efficiently, since the supersingular curves in this special construction have many small rational subgroups.

De Feo and Galbraith [20] proposed a new signature scheme (called SeaSign) by employing “Fiat-Shamir with aborts”. Their main idea is to use a highly redundant representation for each class group element instead of a canonical one. To prevent the signature from leaking the private key, rejection sampling is applied so that the class group elements contained in the signature are uniformly distributed and independent of the secret key. Several versions of SeaSign were presented, offering trade-offs between signature size and public-key size. The variant with the smallest signatures needs several minutes to sign a message, so it is not practical.

Beullens et al. [21] computed the class group structure and a relation lattice of the class group of the imaginary quadratic field corresponding to the CSIDH-512 parameter set. They proposed an improved signature scheme, CSI-FiSh (Commutative Supersingular Isogeny based Fiat-Shamir signatures, pronounced “sea-fish”), with optimizations similar to those described for SeaSign. They optimized the group action computation of the original scheme and transformed the secret key space from a multi-dimensional integer space to a one-dimensional one, so rejection sampling is no longer needed to prevent private key leakage. In their implementation, the signature size was only 263 bytes and the signing time only 390ms, 300 times faster than SeaSign for the same parameters.

As far as we know, no isogeny-based identity-based signature scheme has been proposed, and designing a secure and efficient one remains a challenging task. Our work therefore focuses on identity-based signatures built from elliptic curve isogenies.

Preliminaries

In this paper, we used the following notation:

  • #S is the cardinality of a set S.

  • log denotes the logarithm in base 2.

  • [a, b] denotes the set of integers x that satisfy a ≤ x ≤ b.

  • $v_i$ denotes the i-th entry of a vector v.

  • $\mathbb{Z}$ is the integer ring, and $\mathbb{Z}_q$ is the residue class ring $\mathbb{Z}/q\mathbb{Z}$.

  • $\{x_{i,j}\}_{i=1,j=1}^{T_1,T_2}$ denotes the set of all elements $x_{i,j}$ with indices $i = 1, \dots, T_1$ and $j = 1, \dots, T_2$.

Canonical identification scheme

As shown in Fig. 1, the canonical identification scheme ID is a three-move protocol run between a prover and a verifier. First, the prover publishes his/her public key and sends a fresh commitment message. Then, the verifier randomly selects a challenge from the challenge set and sends it to the prover. Finally, the prover responds to the received challenge, and the verifier makes a deterministic decision whether the verification succeeds according to the response
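The three-move structure just described, the Fiat-Shamir step that turns it into a signature (the fsI2SS transform of the Introduction), and the certificate-style step that turns a standard signature into an identity-based one (the cSS2IBS transform named in the Conclusion) can all be seen in one small program. The following is an added example, not code from the paper or from the CsiIBS implementation. It assumes a constructed stand-in for the hard homogeneous space: the additive group Z_Q acting on Z_P^* by multiplication with G^a, which has the same shape as the CRS/CSIDH setting (a commutative group acting on a set, the secret being a group element) but none of its hardness, since recovering a from a·E0 is a discrete logarithm here rather than an isogeny problem. The names P, Q, G, E0, the binary challenge set with t parallel rounds, and the reading of cSS2IBS as the Bellare-Neven-Namprempre certificate-based transform are all assumptions of this example.

```python
import hashlib
import secrets

# --- Toy hard homogeneous space (constructed stand-in, NOT CSIDH) -----------
# Z_Q acts on Z_P^* by  a * X = G^a * X (mod P).  Same shape as the CRS/CSIDH
# group action (secret = group element acting on a public base "curve" E0),
# but recovering a from a*E0 is only a discrete logarithm here.
P = 2**127 - 1          # assumed toy modulus (a Mersenne prime)
Q = P - 1               # exponents live in Z_Q because G^Q = 1 (mod P)
G = 3                   # assumed base element of Z_P^*
E0 = 1                  # public starting "curve"
ELEM_BYTES = 16         # every element of Z_P fits in 16 bytes


def act(a: int, X: int) -> int:
    """Group action a * X."""
    return pow(G, a % Q, P) * X % P


def keygen():
    """Secret s in Z_Q, public key pk = s * E0."""
    s = secrets.randbelow(Q)
    return s, act(s, E0)


# --- Canonical three-move identification scheme, binary challenges ----------
def commit(t: int):
    """Prover: t fresh ephemeral secrets b_i and commitments E_i = b_i * E0."""
    bs = [secrets.randbelow(Q) for _ in range(t)]
    return bs, [act(b, E0) for b in bs]


def respond(s: int, bs, challenge):
    """Prover: c_i = 0 reveals b_i (path E0 -> E_i); c_i = 1 reveals b_i - s
    (path pk -> E_i).  Either value alone is independent of s."""
    return [(b - s) % Q if c else b for b, c in zip(bs, challenge)]


def recompute_commitments(pk: int, challenge, responses):
    """Verifier: walk the claimed path from E0 or pk to recover each E_i."""
    return [act(r, pk if c else E0) for c, r in zip(challenge, responses)]


def verify_id(pk: int, commitments, challenge, responses) -> bool:
    """Verifier's deterministic decision for the interactive protocol."""
    return recompute_commitments(pk, challenge, responses) == list(commitments)


# --- fsI2SS: Fiat-Shamir replaces the verifier's challenge by a hash --------
def fs_challenge(pk: int, commitments, msg: bytes, t: int):
    """Challenge bits from H(pk, commitments, message), modelled as a random oracle."""
    h = hashlib.sha256(pk.to_bytes(ELEM_BYTES, "big"))
    for E in commitments:
        h.update(E.to_bytes(ELEM_BYTES, "big"))
    h.update(msg)
    digest = h.digest()
    return [(digest[i // 8] >> (i % 8)) & 1 for i in range(t)]


def sign(sk: int, pk: int, msg: bytes, t: int = 128):
    """Signature = (challenge bits, responses); commitments are recomputable."""
    bs, commitments = commit(t)
    challenge = fs_challenge(pk, commitments, msg, t)
    return challenge, respond(sk, bs, challenge)


def verify(pk: int, msg: bytes, sig) -> bool:
    """Recompute the commitments from the responses, re-derive the challenge."""
    challenge, responses = sig
    if not challenge or len(challenge) != len(responses):
        return False
    commitments = recompute_commitments(pk, challenge, responses)
    return fs_challenge(pk, commitments, msg, len(challenge)) == challenge


# --- cSS2IBS: certificate-based transform to an identity-based signature ----
# Assumed reading of the transform named on the page (hypothetical helpers).
def ibs_setup():
    """KGC: master secret key and master public key."""
    return keygen()


def ibs_extract(msk: int, mpk: int, identity: bytes):
    """KGC issues the user key: a fresh (usk, upk) plus a certificate, i.e. a
    master-key signature binding identity || upk."""
    usk, upk = keygen()
    cert = sign(msk, mpk, identity + upk.to_bytes(ELEM_BYTES, "big"))
    return usk, upk, cert


def ibs_sign(user_key, msg: bytes):
    """Signature carries upk and its certificate so no directory is needed."""
    usk, upk, cert = user_key
    return upk, cert, sign(usk, upk, msg)


def ibs_verify(mpk: int, identity: bytes, msg: bytes, sig) -> bool:
    """Verifier needs only mpk and the signer's identity: check the certificate
    under mpk, then the message signature under the certified upk."""
    upk, cert, inner = sig
    return (verify(mpk, identity + upk.to_bytes(ELEM_BYTES, "big"), cert)
            and verify(upk, msg, inner))
```

With a binary challenge set a cheating prover passes each round with probability 1/2, so t = 128 parallel rounds are needed for 128-bit soundness and the signature carries 128 responses; this per-round cost is exactly what a larger challenge set, as in the multi-challenge variant the paper introduces, is meant to reduce. Note also how the identity-based property is obtained: the verifier never fetches the signer's public key, because upk travels inside the signature and its binding to the identity is checked against the KGC's master public key.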

Proposed scheme

In this section, we first describe the basic identification scheme based on isogenies and extend it to a multi-challenge variant. After that, we introduce our proposed identity-based signature scheme in detail and prove its correctness property.

Security analysis

In this section, we firstly review some concepts of relations and transformations and cite some known theorems. After that, based on the conclusions of these theorems, we prove that our scheme is UF-CMA secure under the security model. Then, we explain how to select secure system parameters on a given security level.

Performance evaluation

In this section, we first analyze the efficiency and size of the proposed scheme and give the equation relationship between computational efficiency, signature size and parameter set. At the same time, the optimal parameter set is given under the condition of sufficient security. After that, we do some experimental analysis under different parameter sets and obtain a suitable parameter set to make an effective balance between computational efficiency and signature size.

Conclusion

Starting from the isogeny-based identification scheme, we construct the first identity-based signature scheme on isogenies. The construction follows two transforms, fsI2SS and cSS2IBS, and we prove it UF-CMA secure in the random oracle model. By optimizing the group action evaluation method and the parameter selection constraints, we give an optimal parameter set for which the signing/verification time is approximately 1.5 s and the signature size is approximately 6KB. Future research includes extending

Data availability

The data used to support the findings of this study are available from the corresponding author upon request.

Declaration of Competing Interest

The authors declare that they have no conflicts of interest.

Acknowledgments

The work was supported by the National Natural Science Foundation of China (nos. 61972294, 61932016) and the fund of the Guangxi Key Laboratory of Cryptography and Information Security (no. GCIS201608). We thank the anonymous reviewers for their valuable comments and feedback which helped us to improve the presentation and quality of this paper.

References (44)

  • M.-S. Hwang et al. An untraceable blind signature scheme. IEICE Trans Fundamen Electron Commun Comput Sci (2003)

  • P.W. Shor. Algorithms for quantum computation: discrete logarithms and factoring. Proceedings 35th Annual Symposium on Foundations of Computer Science (1994)

  • Z. Liu et al. Efficient and strongly unforgeable identity-based signature scheme from lattices in the standard model. Secur Commun Netw (2013)

  • M. Tian et al. Efficient hierarchical identity-based signatures from lattices. Int J Electron Secur Digit Forensics (2013)

  • M. Tian et al. Efficient identity-based signature from lattices. IFIP International Information Security Conference (2014)

  • Y. Yoo et al. A post-quantum digital signature scheme based on supersingular isogenies. International Conference on Financial Cryptography and Data Security (2017)

  • S.D. Galbraith et al. Identification protocols and signature schemes based on supersingular isogeny problems. International Conference on the Theory and Application of Cryptology and Information Security (2017)

  • A. Fiat et al. How to prove yourself: practical solutions to identification and signature problems. Conference on the Theory and Application of Cryptographic Techniques (1986)

  • D. Unruh. Non-interactive zero-knowledge proofs in the quantum random oracle model. Annual International Conference on the Theory and Applications of Cryptographic Techniques (2015)

  • L. De Feo et al. SeaSign: compact isogeny signatures from class group actions. Annual International Conference on the Theory and Applications of Cryptographic Techniques (2019)

  • W. Beullens et al. CSI-FiSh: efficient isogeny based signatures through class group computations. International Conference on the Theory and Application of Cryptology and Information Security (2019)

  • J.M. Couveignes. Hard homogeneous spaces. IACR Cryptol ePrint Arch (2006)
Cited by (13)

  • System-widely and fine-grained forward secure identity-based signature scheme. Journal of Information Security and Applications (2023)

  • Post-quantum secure identity-based signature achieving forward secrecy. Journal of Information Security and Applications (2022)

    Citation excerpt: “In our work, we resolve all of these concerns. For that, we adopt a framework described in Fig. 3, which is different from the framework adopted by Peng et al. [25] for constructing IBS. We transform the canonical identification scheme that underlies the CSI-FiSh scheme [26] to an IBID scheme.”

  • Compact Identity-Based Signature and Puncturable Signature from SQISign. Lecture Notes in Computer Science (2024)

  • Identity-Based Threshold Signatures from Isogenies. Lecture Notes in Computer Science (2024)