FAEST: Post-Quantum Signatures and Zero-Knowledge Proofs
Emmanuela Orsini
Lennart Braun
Lawrence Roy
(Lance)
Peter Scholl
Carsten Baum
Christian Majenz
Shibam Mukherjee
Christian Rechberger
Sebastian Ramacher
Michael Klooß
Cyprien Delpech
de Saint Guilhem
FAEST
1
(post-quantum) Signature dishes
Picnic
BBQ
Banquet
2
Bringing to you: The FAEST
3
Based on
Publicly Verifiable Zero-Knowledge and Post-Quantum Signatures From VOLE-in-the-Head
Carsten Baum, Lennart Braun, Cyprien Delpech de Saint Guilhem, Michael Klooß,
Emmanuela Orsini, Lawrence Roy, Peter Scholl
CRYPTO 2023
No
VOLEs
were harmed while making this presentation
4
Families of ZK
Proofs
5
Proof size
Prover
runtime
...
STARKs
Ligero
MPC-in-the-head
VOLE-ZK
Succinct
Linear
Size:
≈1×
bit per AND gate
designated verifier
VOLE-in-the-Head: a general tool for making
VOLE-ZK proofs
publicly verifiable
Application: FAEST post-quantum
signature scheme
6
Speed
Security
AES/SHA
Linear size
11-16x witness
7
V
O
L
E
-
Z
K
–
in the
designated
verifier
setting
𝑞
𝑞
=
𝑢
𝑢
Δ
+
𝑣
𝑣
𝑢
𝑢
∈
𝔽 𝑛
𝔽 𝑛
𝔽 𝑛
𝑣
𝑣
←
𝔽 𝑛
𝔽 𝑛
𝔽 𝑛
Background: VOLE
(vector oblivious linear evaluation)
𝑝(𝑥)=
𝑢
𝑥
+
𝑣
Δ
𝑞
VOLE
Δ
←
𝔽
Prover
Verifier
Can be instantiated with OT, HE, LPN…
8
ZK from VOLE (designated verifier)
Use VOLE as a
linear commitment
to
𝑢
𝑢
To open
•
Prover
sends
(𝑢,𝑣
)
, Veri
fier checks if
𝑞
=
𝑢
Δ
+
𝑣
•
Hiding
:
since
𝑣
is
random
•
Binding:
openi
ng to
𝑢 ′
𝑢 ′
𝑢 ′
≠
𝑢
re
quires guessing
Δ
—
prob.
1/
|
𝔽
|
(as
lon
g as
Δ
is kept secret from P
rover
⟶
D.V.
)
Commitments
are
linearly homomorphic
𝑝′(𝑥)
[BMRS 21, WYKW 21]
9
ZK from VOLE via Commit-and-Prove
•
Commit to witness
𝑢
𝑢
•
E
valu
ate
𝐶
gat
e-by-gate:
Linear gates: easy
Multiplication: ???
[BMRS 21, WYKW 21]
10
Multiplication check (QuickSilver)
•
Multiply two lines
⇒
quadratic
polynomial
𝑝 𝑎𝑏
𝑝
𝑝 𝑎𝑏
𝑎𝑏
𝑝 𝑎𝑏
𝑥
𝑥
𝑥
=
𝑑 0
𝑑
𝑑 0
0
𝑑 0
+
𝑑 1
𝑑
𝑑 1
1
𝑑 1
𝑥+𝑎𝑏
𝑥 2
𝑥
𝑥 2
2
𝑥 2
•
Commit to output
𝑐
⇒
𝑝 𝑐
𝑝
𝑝 𝑐
𝑐
𝑝 𝑐
𝑥
𝑥
𝑥
=𝑣
+𝑐𝑥
•
𝑝 𝑎𝑏
𝑝
𝑝 𝑎𝑏
𝑎𝑏
𝑝 𝑎𝑏
𝑥
𝑥
𝑥
−𝑥
𝑝 𝑐
𝑝
𝑝 𝑐
𝑐
𝑝 𝑐
(𝑥)
should be
degree-1
Open
and check
First,
mask
with random deg-1
commitment
𝑝 𝑎
𝑝
𝑝 𝑎
𝑎
𝑝 𝑎
(𝑥)
Δ
𝑞 1
𝑞
𝑞 1
1
𝑞 1
𝑞 2
𝑞
𝑞 2
2
𝑞 2
𝑎
𝑏
𝑐
𝑞 3
𝑞
𝑞 3
3
𝑞 3
=
𝑝 𝑎𝑏
𝑝
𝑝 𝑎𝑏
𝑎𝑏
𝑝 𝑎𝑏
(
Δ
)
𝑝 𝑏
𝑝
𝑝 𝑏
𝑏
𝑝 𝑏
(𝑥)
𝑝 𝑎𝑏
𝑝
𝑝 𝑎𝑏
𝑎𝑏
𝑝 𝑎𝑏
(𝑥)
[DIO 21, YSWW 21]
11
Cost analysis for VOLE-ZK
•
Per multiplication gate:
Commit to
𝑐
o
1×
VOLE element
Open masked commitment
o
Can be amortized to constant size (check random combination of polynomials)
•
For circuit:
𝑚+𝑛
field elements for
𝑚
inputs and
𝑛
mult. gates (assuming LPN-based VOLE)
Improvements:
o
General deg-2 and higher degree gates; branching; field switching…
12
V
O
L
E
-
i
n
-
t
h
e
-
H
e
a
d
–
Adding public
verifiability
13
MPC-in-the-Head vs VOLE-in-the-head:
high-level differences
⋮
𝑢=
𝑢 1
𝑢
𝑢 1
1
𝑢 1
+⋯+
𝑢 𝑛
𝑢
𝑢 𝑛
𝑛
𝑢 𝑛
MPC protocol
Π
for
𝐶(
𝑢 1
𝑢
𝑢 1
1
𝑢 1
+⋯+
𝑢 𝑛
𝑢
𝑢 𝑛
𝑛
𝑢 𝑛
)
𝑛−1
views from
Π
challenge
14
How to do VOLE? Warm-up: using OT
Key observation:
𝑛
-out-of-
𝑛
secret sharing + OT
⇒
VOLE in
𝔽 𝑛
𝔽
𝔽 𝑛
𝑛
𝔽 𝑛
(from SoftSpokenOT
[Roy 22]
)
⋮
𝑢
=
𝑢 1
𝑢
𝑢 1
1
𝑢 1
+⋯+
𝑢 𝑛
𝑢
𝑢 𝑛
𝑛
𝑢 𝑛
𝑣
=−1⋅
𝑢 1
𝑢
𝑢 1
1
𝑢 1
−⋯−𝑛⋅
𝑢 𝑛
𝑢
𝑢 𝑛
𝑛
𝑢 𝑛
(in
𝔽 𝑛
𝔽
𝔽 𝑛
𝑛
𝔽 𝑛
)
𝑢 𝑖
𝑢
𝑢 𝑖
𝑖
𝑢 𝑖
for
𝑖≠
Δ
Pick
Δ
←
𝔽 𝑛
𝔽
𝔽 𝑛
𝑛
𝔽 𝑛
(𝑛−1)
-out-
of-
𝑛
OT
𝑞=
𝑖 𝑢 𝑖 ⋅(Δ−𝑖)
𝑖
𝑖 𝑢 𝑖 ⋅(Δ−𝑖)
𝑖 𝑢 𝑖 ⋅(Δ−𝑖)
𝑢 𝑖
𝑢
𝑢 𝑖
𝑖
𝑢 𝑖
⋅(
Δ
−𝑖)
𝑖 𝑢 𝑖 ⋅(Δ−𝑖)
=
𝑢
Δ
+
𝑣
⋮
15
0 when
𝑖=
Δ
How to do VOLE-in-the-head?
All-but-one
vector commitment
Commit to
𝑛
random strings
Open
𝑛−1
Convert to VOLE
Challenge
Δ
𝑢
𝑢
𝑢
,
𝑣
𝑣
𝑣
𝑞
𝑞
𝑞
=
𝑢
𝑢
𝑢
Δ
+
𝑣
𝑣
𝑣
⋮
Run VOLE-ZK proof
16
GGM tree
(similarly to
hypercube)
VOLE-in-the-head: some details
•
(𝑛−1)
-out-of-
𝑛
vector commit
⇒
VOLE in
𝔽 𝑛
𝔽
𝔽 𝑛
𝑛
𝔽 𝑛
Commitments have soundness error
1 𝑛
1
1 𝑛
𝑛
1 𝑛
What about
𝔽 𝑚
𝔽
𝔽 𝑚
𝑚
𝔽 𝑚
for large
𝑚
?
•
For extension fields,
𝑚=
𝑛 𝜏
𝑛
𝑛 𝜏
𝜏
𝑛 𝜏
:
Repeat
𝜏
times, with same
𝑢
∈
𝔽 𝑛
𝔽
𝔽 𝑛
𝑛
𝔽 𝑛
Cost over
𝔽 2
𝔽
𝔽 2
2
𝔽 2
,
11-16 bits per AND
(for 128-bit security)
Needs consistency check
17
More details: consistency checking
•
When repeating
𝜏
times:
Need to ensure prover uses
consistent
𝑢
•
Consistency check from
[Roy 22]
:
•
Security:
Needs new analysis for round-by-round soundness with Fiat-Shamir
Universal hash function
𝑅
𝑢
𝑢
𝑢
=
𝑅
𝑢
𝑢
𝑢
,
𝑣
𝑣
𝑣
=
𝑅
𝑣
𝑣
𝑣
Check
𝑅
𝑞
𝑞
𝑞
=
𝑢
𝑢
𝑢
Δ
+
𝑣
𝑣
𝑣
18
F
A
E
S
T
–
Post-quantum
signature
19
Paradigm for ZK-based signatures
•
Signature:
NIZK proof of knowledge of
s
𝑘
, such that
𝑝𝑘=
Enc 𝑠𝑘
Enc
Enc 𝑠𝑘
𝑠𝑘
Enc 𝑠𝑘
𝑥
𝑥
𝑥
•
Challenge: finding a
ZK-friendly
Enc
Custom ciphers: e.g. LowMC, MiMC
Other assumptions: code-based, multivariate…
20
AES: a ZK-friendly OWF?
ShiftRows, MixColumns, AddRoundKey:
All
linear
over
𝔽 2
𝔽
𝔽 2
2
𝔽 2
S-Box:
Inversion in
𝔽 2 8
𝔽
𝔽 2 8
2 8
2
2 8
8
2 8
𝔽 2 8
Prove in ZK as
1 multiplication constraint
21
Proving AES-128 in FAEST
Witness: key + internal state of each round (+ key schedule)
•
1600 bits (in
𝔽 2
𝔽
𝔽 2
2
𝔽 2
)
200 constraints over
𝔽 2 8
𝔽
𝔽 2 8
2 8
2
2 8
8
2 8
𝔽 2 8
:
•
1 per S-box:
degree-2 polynomial:
𝑥𝑦=1
What if
𝑥=0
?
Sample
𝑘
such that
this
never happens
1-2 bits less security
(for AES-128)
0
if
𝑥=0
𝑥 −1
𝑥
𝑥 −1
−1
𝑥 −1
o.w.
(in
𝔽 2 8
𝔽
𝔽 2 8
2 8
2
2 8
8
2 8
𝔽 2 8
)
22
FAEST summary: proving
𝑝𝑘=
AE
S 𝑠𝑘
S
S 𝑠𝑘
𝑠𝑘
S 𝑠𝑘
(𝑥)
Commit to
𝑠𝑘
and
𝑠𝑡𝑎𝑡𝑒
after each round
Mult. check
VOLE consistency check
Open VOLE outputs
chal
l 1
l
l 1
1
l 1
chal
l 2
l
l 2
2
l 2
chal
l 3
l
l 3
3
l 3
𝑞
𝑞
𝑞
=
𝑢
𝑢
𝑢
Δ
+
𝑣
𝑣
𝑣
23
FAEST performance (AVX2 + AES-NI)
•
Timings are from my laptop:
AMD Ryzen 7 5800H
, 3.2
–
4.4 GHz
•
Signature sizes:
Smaller than SPHINCS+ and most code-based candidates
Faster signing, slower verification
•
Even-Mansour variant:
En
c 𝑘
c
c 𝑘
𝑘
c 𝑘
𝑥
𝑥
𝑥
=
AE
S 𝑥
S
S 𝑥
𝑥
S 𝑥
𝑘
𝑘
𝑘
⊕𝑘
10-15% smaller
because of fixed key schedule
24
Work in progress
•
Better domain separation
•
Tighter proofs
•
Parameter tweaking:
Smaller signatures
Faster verification
•
Other OWFs:
Pure MQ
: size
≈3
kB
Rain cipher
25
Conclusion
VOLE-ZK proofs:
•
Lightweight
and
fast
with linear size
•
VOLE-in-the-head:
publicly verifiable
FAEST signature:
•
Conservative security
•
Reasonable performance
Thank you!
26
Delve into the world of FAEST, a post-quantum signature scheme, with a focus on publicly verifiable zero-knowledge proofs. The presentation covers VOLE-in-the-Head, families of ZK proofs, and the application of VOLE in creating VOLE-ZK proofs. Learn about the background of VOLE, its use in the designated verifier setting, and how it enables ZK proofs through linear commitment and commitment-prove methods.
Download Presentation
Please find below an Image/Link to download the presentation.
The content on the website is provided AS IS for your information and personal use only. It may not be sold, licensed, or shared on other websites without obtaining consent from the author. Download presentation by click this link. If you encounter any issues during the download, it is possible that the publisher has removed the file from their server.
E N D
Presentation Transcript
FAEST Emmanuela Orsini Carsten Baum Christian Majenz Lennart Braun Lawrence Roy (Lance) Peter Scholl Sebastian Ramacher Cyprien Delpech de Saint Guilhem Shibam Mukherjee Christian Rechberger Michael Kloo 1
Banquet (post-quantum) Signature dishes Picnic BBQ 2
Based on Publicly Verifiable Zero-Knowledge and Post-Quantum Signatures From VOLE-in-the-Head Carsten Baum, Lennart Braun, Cyprien Delpech de Saint Guilhem, Michael Kloo , Emmanuela Orsini, Lawrence Roy, Peter Scholl CRYPTO 2023 No VOLEs were harmed while making this presentation 4
Families of ZK Proofs Linear MPC-in-the-head VOLE-ZK Proof size Ligero Size: 1 bit per AND gate designated verifier STARKs ... Prover runtime 5
VOLE-in-the-Head: a general tool for making VOLE-ZK proofs publicly verifiable Speed Security Linear size AES/SHA 11-16x witness Application: FAEST post-quantum signature scheme 6
VOLE VOLE- -ZK in the designated verifier setting ZK 7
Background: VOLE (vector oblivious linear evaluation) ?(?) = ?? + ? Prover Verifier ? ? ?? ? VOLE ? ?? ? = ? + ? Can be instantiated with OT, HE, LPN 8
ZK from VOLE (designated verifier) [BMRS 21, WYKW 21] Use VOLE as a linear commitment to ? To open Prover sends (?,?), Verifier checks if? = ? + ? Hiding: since ? is random Binding: opening to ? ? requires guessing prob. 1/|?| (as long as is kept secret from Prover D.V.) ?(?) = ?? + ? ? ? (?) Commitments are linearly homomorphic 9
ZK from VOLE via Commit-and-Prove [BMRS 21, WYKW 21] Commit to witness ? Evaluate ? gate-by-gate: Linear gates: easy Multiplication: ??? 10
Multiplication check (QuickSilver) [DIO 21, YSWW 21] ? ? ? Multiply two lines quadratic polynomial ???? = ?0+ ?1? + ???2 Commit to output ? ??? = ? + ?? ???? ???(?) should be degree-1 Open and check First, mask with random deg-1 commitment ??(?) ?1 ?3= ???( ) ???(?) ?2 ??(?) 11
Cost analysis for VOLE-ZK Per multiplication gate: Commit to ? o 1 VOLE element Open masked commitment o Can be amortized to constant size (check random combination of polynomials) For circuit: ? + ? field elements for ? inputs and ? mult. gates (assuming LPN-based VOLE) Improvements: o General deg-2 and higher degree gates; branching; field switching 12
VOLE VOLE- -in in- -the Adding public verifiability the- -Head Head 13
MPC-in-the-Head vs VOLE-in-the-head: high-level differences ?1 challenge MPC protocol for ?(?1+ + ??) ? 1 views from ? ?? ? = ?1+ + ?? 14
How to do VOLE? Warm-up: using OT Key observation: ?-out-of-? secret sharing + OT VOLE in ?? (from SoftSpokenOT [Roy 22]) ?1 Pick ?? (? 1)-out- of-? OT ? ?? for ? ?? 0 when ? = ? = ?? ( ?) ? = ?1+ + ?? ? = 1 ?1 ? ?? (in ??) ? = ? + ? 15
How to do VOLE-in-the-head? All-but-one vector commitment Commit to ? random strings Run VOLE-ZK proof Challenge Open ? 1 GGM tree (similarly to hypercube) Convert to VOLE ?, ? ? = ? + ? 16
VOLE-in-the-head: some details (? 1)-out-of-? vector commit VOLE in ?? Commitments have soundness error 1 What about ?? for large ?? ? For extension fields, ? = ??: Repeat ? times, with same ? ?? Cost over ?2, 11-16 bits per AND (for 128-bit security) Needs consistency check 17
More details: consistency checking When repeating ? times: Need to ensure prover uses consistent ? Consistency check from[Roy 22]: Universal hash function ? ? = ??, ? = ? ? Check ? ? = ? + ? Security: Needs new analysis for round-by-round soundness with Fiat-Shamir 18
FAEST FAEST Post-quantum signature 19
Paradigm for ZK-based signatures Signature: NIZK proof of knowledge of s?, such that ?? = Enc??? Challenge: finding a ZK-friendly Enc Custom ciphers: e.g. LowMC, MiMC Other assumptions: code-based, multivariate 20
AES: a ZK-friendly OWF? ShiftRows, MixColumns, AddRoundKey: All linear over ?2 S-Box: Inversion in ?28 Prove in ZK as 1 multiplication constraint 21
Proving AES-128 in FAEST Witness: key + internal state of each round (+ key schedule) 1600 bits (in ?2) 200 constraints over ?28: 1 per S-box: degree-2 polynomial: ?? = 1 0 ? 1 (in ?28) if ? = 0 o.w. ? = ? S-Box What if ? = 0? Sample ? such that this never happens 1-2 bits less security (for AES-128) 22
FAEST summary: proving ?? = AES??(?) chall1 chall2 Commit to ?? and ????? after each round ? = ? + ? VOLE consistency check chall3 S-Box Mult. check Open VOLE outputs 23
FAEST performance (AVX2 + AES-NI) Sign/Verify Size 8ms FAEST-128s 5 006 B 1ms FAEST-128f 6 336 B 27ms FAEST-256s 22 100 B 3ms FAEST-256f 28 400 B Timings are from my laptop: AMD Ryzen 7 5800H, 3.2 4.4 GHz Signature sizes: Smaller than SPHINCS+ and most code-based candidates Faster signing, slower verification Even-Mansour variant: Enc?? = AES?? ? 10-15% smaller because of fixed key schedule 24
Work in progress Better domain separation Tighter proofs Parameter tweaking: Smaller signatures Faster verification Other OWFs: Pure MQ: size 3 kB Rain cipher 25
Conclusion Thank you! VOLE-ZK proofs: Lightweight and fast with linear size VOLE-in-the-head: publicly verifiable FAEST signature: Conservative security Reasonable performance 26
