Improving the Performance of the Picnic Signature Scheme

Kales, Daniel; Zaverucha, Greg

doi:10.46586/tches.v2020.i4.154-188

Cited by 28 publications

(17 citation statements)

References 8 publications

Supporting

Mentioning

Contrasting

Unclassified

Order By: Relevance

“…We use our modified version of Reverie to implement post-quantum ring signatures. Our ring signatures, based on the postquantum signatures presented in [15,34,35], are the smallest known post-quantum ring signatures from symmetric key assumptions, and can be nearly an order of magnitude smaller than those based on the same assumptions generated in [35].…”

Section: Our Contributionsmentioning

confidence: 98%

Efficient Set Membership Proofs using MPC-in-the-Head

Goel

Green

Hall-Andersen

et al. 2022

Proceedings on Privacy Enhancing Technologies

View full text Add to dashboard Cite

Set membership proofs are an invaluable part of privacy preserving systems. These proofs allow a prover to demonstrate knowledge of a witness w corresponding to a secret element x of a public set, such that they jointly satisfy a given NP relation, i.e. ℛ(w, x) = 1 and x is a member of a public set {x 1, . . . , x𝓁}. This allows the identity of the prover to remain hidden, eg. ring signatures and confidential transactions in cryptocurrencies. In this work, we develop a new technique for efficiently adding logarithmic-sized set membership proofs to any MPC-in-the-head based zero-knowledge protocol (Ishai et al. [STOC’07]). We integrate our technique into an open source implementation of the state-of-the-art, post quantum secure zero-knowledge protocol of Katz et al. [CCS’18].We find that using our techniques to construct ring signatures results in signatures (based only on symmetric key primitives) that are between 5 and 10 times smaller than state-of-the-art techniques based on the same assumptions. We also show that our techniques can be used to efficiently construct post-quantum secure RingCT from only symmetric key primitives.

show abstract

Section: Our Contributionsmentioning

confidence: 98%

Efficient Set Membership Proofs using MPC-in-the-Head

Goel

Green

Hall-Andersen

et al. 2022

Proceedings on Privacy Enhancing Technologies

View full text Add to dashboard Cite

show abstract

“…Katz, Kolesnikov, and Wang [KKW18] extended the paradigm to MPCitH-PP and corresponding version, Picnic2, was added during Round 2. Kales and Zaverucha [KZ20] further optimized Picnic2 from various implementation aspects and accordingly proposed Picnic3. Although our masked implementation focuses on Picnic3, which is instantiated with KKW and the LowMC circuit [ARS + 15], our generic approach in Section 4 also applies to BBQ (KKW instantiated with the AES circuit) [dDOS19] and Baum and Nof's variant of KKW (instantiated over an arithmetic circuit for proving SIS instances) [BN20].…”

Section: Related Workmentioning

confidence: 99%

“…MPC in the preprocessing model. Following [GMO16, CDG + 17], Katz, Kolesnikov, and Wang [KKW18] showed that a particular communication-efficient MPC protocol in the preprocessing model is well suited to MPCitH proofs, and variants of their protocol appear in subsequent work [BN20,Beu20,dDOS19,KZ20]. The core idea of MPC in the preprocessing model is to split the protocol Π C into an offline phase Π off C and an online phase Π on C .…”

Section: Mpc-in-the-head With Preprocessingmentioning

confidence: 99%

“…Here we provide a rough estimate of the overhead introduced by masking the SHAKE calls in Picnic3, which will have a high impact on the cost of signing since hashing is a large portion of the signing time (e.g., at L1 it is about 57% of the signing time on x64 [KZ20], and for our ARM M4 implementation it is about 71%).…”

Section: Estimated Overhead Of Hash Function Masking In Picnicmentioning

confidence: 99%

“…To the best of our knowledge, no previous work explored the possibility of masking the newer MPC-in-the-head with preprocessing (MPCitH-PP) paradigm of Katz, Kolesnikov, and Wang (KKW, [KKW18]), which produces much more compact proofs (and shorter signatures in turn). KKW is used in the latest version of Picnic, Picnic3 [KZ20], and in a similar signature scheme BBQ [dDOS19]. The preprocessing phase is independent of the witness, and is used by the parties to establish correlated random values, such as multiplication triples, that they can use during the MPC protocol to improve efficiency.…”

Section: Introductionmentioning

confidence: 99%

See 2 more Smart Citations

Side-Channel Protections for Picnic Signatures

Aranha

Berndt

Eisenbarth

et al. 2021

TCHES

Self Cite

View full text Add to dashboard Cite

We study masking countermeasures for side-channel attacks against signature schemes constructed from the MPC-in-the-head paradigm, specifically when the MPC protocol uses preprocessing. This class of signature schemes includes Picnic, an alternate candidate in the third round of the NIST post-quantum standardization project. The only previously known approach to masking MPC-in-the-head signatures suffers from interoperability issues and increased signature sizes. Further, we present a new attack to demonstrate that known countermeasures are not sufficient when the MPC protocol uses a preprocessing phase, as in Picnic3.We overcome these challenges by showing how to mask the underlying zero-knowledge proof system due to Katz–Kolesnikov–Wang (CCS 2018) for any masking order, and by formally proving that our approach meets the standard security notions of non-interference for masking countermeasures. As a case study, we apply our masking technique to Picnic. We then implement different masked versions of Picnic signing providing first order protection for the ARM Cortex M4 platform, and quantify the overhead of these different masking approaches. We carefully analyze the side-channel risk of hashing operations, and give optimizations that reduce the CPU cost of protecting hashing in Picnic by a factor of five. The performance penalties of the masking countermeasures ranged from 1.8 to 5.5, depending on the degree of masking applied to hash function invocations.

show abstract