SQIsign

Last updated
SQIsign
General
DesignersJorge Chavez-Saab, Maria Corte-Real Santos, Luca De Feo, Jonathan Komada Eriksen, Basil Hess, David Kohel, Antonin Leroux, Patrick Longa, Michael Meyer, Lorenz Panny, Sikhar Patranabis, Christophe Petit, Francisco Rodríguez Henríquez, Sina Schaeffler, Benjamin Wesolowski [1]
First published1 June 2023(17 months ago) (2023-06-01)
Cipher detail
Key sizes 64, 96 or 128 bytes depending on the NIST parameter set [2]
Structure Supersingular isogeny graph
Best public cryptanalysis
No known attacks. The SQIsign2D-East variant suffers from a specific vulnerability. [3]

SQIsign is a post-quantum signature scheme submitted to first round of the post-quantum standardisation process. It is based around a proof of knowledge of an elliptic curve [a] endomorphism that can be transformed to a signature scheme using the Fiat-Shamir transform.

Contents

It promises small key sizes between 64 and 128 bytes and small signature sizes between 177 and 335 bytes, which outperforms other post-quantum signature schemes that have a trade-off between signature and key sizes. SQIsign, however, has higher signing and verification times. [4] The original paper concluded that their C implementation takes 0.6s for key generation, 2.5s for a sign operation and 0.05s or 50ms for a verification operation. [5]

These times have been improved with new variations like SQIsign-east. [6]

The name stands for "Short Quaternion and Isogeny Signature" as it makes use of isogenies and quaternions.

Security

SQIsign's security relies on the hardness of the endomorphism ring problem, which is currently considered hard. [7] [8]

The authors also provide a rationale for the chosen parameters in the last chapter of the specification. [1]

While SQIsign makes use of a similar construction, the weaknesses of SIDH do not translate to it. [1]

Implementations

There is a reference implementation hosted on GitHub.

Variants

There are a couple of variants based on the original SQIsign: [9]

Related Research Articles

<span class="mw-page-title-main">Diffie–Hellman key exchange</span> Method of exchanging cryptographic keys

Diffie–Hellman (DH) key exchange is a mathematical method of securely generating a symmetric cryptographic key over a public channel and was one of the first public-key protocols as conceived by Ralph Merkle and named after Whitfield Diffie and Martin Hellman. DH is one of the earliest practical examples of public key exchange implemented within the field of cryptography. Published in 1976 by Diffie and Hellman, this is the earliest publicly known work that proposed the idea of a private key and a corresponding public key.

Elliptic-curve cryptography (ECC) is an approach to public-key cryptography based on the algebraic structure of elliptic curves over finite fields. ECC allows smaller keys to provide equivalent security, compared to cryptosystems based on modular exponentiation in Galois fields, such as the RSA cryptosystem and ElGamal cryptosystem.

Articles related to cryptography include:

NTRU is an open-source public-key cryptosystem that uses lattice-based cryptography to encrypt and decrypt data. It consists of two algorithms: NTRUEncrypt, which is used for encryption, and NTRUSign, which is used for digital signatures. Unlike other popular public-key cryptosystems, it is resistant to attacks using Shor's algorithm. NTRUEncrypt was patented, but it was placed in the public domain in 2017. NTRUSign is patented, but it can be used by software under the GPL.

In mathematics, a unipotent elementr of a ring R is one such that r − 1 is a nilpotent element; in other words, (r − 1)n is zero for some n.

Multivariate cryptography is the generic term for asymmetric cryptographic primitives based on multivariate polynomials over a finite field . In certain cases those polynomials could be defined over both a ground and an extension field. If the polynomials have the degree two, we talk about multivariate quadratics. Solving systems of multivariate polynomial equations is proven to be NP-complete. That's why those schemes are often considered to be good candidates for post-quantum cryptography. Multivariate cryptography has been very productive in terms of design and cryptanalysis. Overall, the situation is now more stable and the strongest schemes have withstood the test of time. It is commonly admitted that Multivariate cryptography turned out to be more successful as an approach to build signature schemes primarily because multivariate schemes provide the shortest signature among post-quantum algorithms.

A BLS digital signature, also known as Boneh–Lynn–Shacham (BLS), is a cryptographic signature scheme which allows a user to verify that a signer is authentic.

Lattice-based cryptography is the generic term for constructions of cryptographic primitives that involve lattices, either in the construction itself or in the security proof. Lattice-based constructions support important standards of post-quantum cryptography. Unlike more widely used and known public-key schemes such as the RSA, Diffie-Hellman or elliptic-curve cryptosystems — which could, theoretically, be defeated using Shor's algorithm on a quantum computer — some lattice-based constructions appear to be resistant to attack by both classical and quantum computers. Furthermore, many lattice-based constructions are considered to be secure under the assumption that certain well-studied computational lattice problems cannot be solved efficiently.

Post-quantum cryptography (PQC), sometimes referred to as quantum-proof, quantum-safe, or quantum-resistant, is the development of cryptographic algorithms that are currently thought to be secure against a cryptanalytic attack by a quantum computer. Most widely-used public-key algorithms rely on the difficulty of one of three mathematical problems: the integer factorization problem, the discrete logarithm problem or the elliptic-curve discrete logarithm problem. All of these problems could be easily solved on a sufficiently powerful quantum computer running Shor's algorithm or even faster and less demanding alternatives.

Supersingular isogeny Diffie–Hellman key exchange is an insecure proposal for a post-quantum cryptographic algorithm to establish a secret key between two parties over an untrusted communications channel. It is analogous to the Diffie–Hellman key exchange, but is based on walks in a supersingular isogeny graph and was designed to resist cryptanalytic attack by an adversary in possession of a quantum computer. Before it was broken, SIDH boasted one of the smallest key sizes of all post-quantum key exchanges; with compression, SIDH used 2688-bit public keys at a 128-bit quantum security level. SIDH also distinguishes itself from similar systems such as NTRU and Ring-LWE by supporting perfect forward secrecy, a property that prevents compromised long-term keys from compromising the confidentiality of old communication sessions. These properties seemed to make SIDH a natural candidate to replace Diffie–Hellman (DHE) and elliptic curve Diffie–Hellman (ECDHE), which are widely used in Internet communication. However, SIDH is vulnerable to a devastating key-recovery attack published in July 2022 and is therefore insecure. The attack does not require a quantum computer.

Digital signatures are a means to protect digital information from intentional modification and to authenticate the source of digital information. Public key cryptography provides a rich set of different cryptographic algorithms the create digital signatures. However, the primary public key signatures currently in use will become completely insecure if scientists are ever able to build a moderately sized quantum computer. Post quantum cryptography is a class of cryptographic algorithms designed to be resistant to attack by a quantum cryptography. Several post quantum digital signature algorithms based on hard problems in lattices are being created replace the commonly used RSA and elliptic curve signatures. A subset of these lattice based scheme are based on a problem known as Ring learning with errors. Ring learning with errors based digital signatures are among the post quantum signatures with the smallest public key and signature sizes

In cryptography, a public key exchange algorithm is a cryptographic algorithm which allows two parties to create and share a secret key, which they can use to encrypt messages between themselves. The ring learning with errors key exchange (RLWE-KEX) is one of a new class of public key exchange algorithms that are designed to be secure against an adversary that possesses a quantum computer. This is important because some public key algorithms in use today will be easily broken by a quantum computer if such computers are implemented. RLWE-KEX is one of a set of post-quantum cryptographic algorithms which are based on the difficulty of solving certain mathematical problems involving lattices. Unlike older lattice based cryptographic algorithms, the RLWE-KEX is provably reducible to a known hard problem in lattices.

Hash-based cryptography is the generic term for constructions of cryptographic primitives based on the security of hash functions. It is of interest as a type of post-quantum cryptography.

Post-Quantum Cryptography Standardization is a program and competition by NIST to update their standards to include post-quantum cryptography. It was announced at PQCrypto 2016. 23 signature schemes and 59 encryption/KEM schemes were submitted by the initial submission deadline at the end of 2017 of which 69 total were deemed complete and proper and participated in the first round. Seven of these, of which 3 are signature schemes, have advanced to the third round, which was announced on July 22, 2020.

In mathematics, the supersingular isogeny graphs are a class of expander graphs that arise in computational number theory and have been applied in elliptic-curve cryptography. Their vertices represent supersingular elliptic curves over finite fields and their edges represent isogenies between curves.

In cryptography, FourQ is an elliptic curve developed by Microsoft Research. It is designed for key agreements schemes and digital signatures (Schnorr), and offers about 128 bits of security. It is equipped with a reference implementation made by the authors of the original paper. The open source implementation is called FourQlib and runs on Windows and Linux and is available for x86, x64, and ARM. It is licensed under the MIT License and the source code is available on GitHub.

Oded Regev is an Israeli-American theoretical computer scientist and mathematician. He is a professor of computer science at the Courant institute at New York University. He is best known for his work in lattice-based cryptography, and in particular for introducing the learning with errors problem.

<span class="mw-page-title-main">Commercial National Security Algorithm Suite</span> Set of cryptographic algorithms by the NSA

The Commercial National Security Algorithm Suite (CNSA) is a set of cryptographic algorithms promulgated by the National Security Agency as a replacement for NSA Suite B Cryptography algorithms. It serves as the cryptographic base to protect US National Security Systems information up to the top secret level, while the NSA plans for a transition to quantum-resistant cryptography.

<span class="mw-page-title-main">PALISADE (software)</span>

PALISADE is an open-source cross platform software library that provides implementations of lattice cryptography building blocks and homomorphic encryption schemes.

An oblivious pseudorandom function (OPRF) is a cryptographic function, similar to a keyed-hash function, but with the distinction that in an OPRF two parties cooperate to securely compute a pseudorandom function (PRF).

References

  1. 1 2 3 "SQIsign - Algorithm specifications and supporting documentation - Version 1.0" (PDF). Retrieved 2024-11-15.
  2. "SQIsign - Algorithm specifications and supporting documentation - Version 1.0" (PDF). p. 4. Retrieved 2024-11-15.
  3. 1 2 Nakagawa, Kohei; Onuki, Hiroshi (2024). "SQIsign2D-East: A New Signature Scheme Using 2-dimensional Isogenies". Cryptology ePrint Archive. Retrieved 2024-11-17.
  4. Westerbaan, Bas; Larisch, James; Ahmad, Suleman; Fayed, Marwan; Westerbaan, Bas; Valenta, Luke; Krivit, Alex (2021-11-08). "Sizing Up Post-Quantum Signatures". The Cloudflare Blog. Retrieved 2024-11-15.
  5. Feo, Luca De; Kohel, David; Leroux, Antonin; Petit, Christophe; Wesolowski, Benjamin (2020). "SQISign: compact post-quantum signatures from quaternions and isogenies". Cryptology ePrint Archive. Retrieved 2024-11-18.
  6. Nakagawa, Kohei; Onuki, Hiroshi (2024). "SQIsign2D-East: A New Signature Scheme Using 2-dimensional Isogenies". Cryptology ePrint Archive. Retrieved 2024-11-15.
  7. Page, Aurel; Wesolowski, Benjamin (2023). "The supersingular Endomorphism Ring and One Endomorphism problems are equivalent". Cryptology ePrint Archive. Retrieved 2024-11-15.
  8. "THE SUPERSINGULAR ENDOMORPHISM RING PROBLEM GIVEN ONE ENDOMORPHISM" (PDF). Retrieved 2024-11-15.
  9. "SQIsign". SQIsign. 2023-06-01. Retrieved 2024-11-17.
  10. Dartois, Pierrick; Leroux, Antonin; Robert, Damien; Wesolowski, Benjamin (2023). "SQISignHD: New Dimensions in Cryptography". Cryptology ePrint Archive. Retrieved 2024-11-17.
  11. Basso, Andrea; Feo, Luca De; Dartois, Pierrick; Leroux, Antonin; Maino, Luciano; Pope, Giacomo; Robert, Damien; Wesolowski, Benjamin (2024). "SQIsign2D-West: The Fast, the Small, and the Safer". Cryptology ePrint Archive. Retrieved 2024-11-17.
  12. Duparc, Max; Fouotsa, Tako Boris (2024). "SQIPrime: A dimension 2 variant of SQISignHD with non-smooth challenge isogenies". Cryptology ePrint Archive. Retrieved 2024-11-17.
This page is based on this Wikipedia article
Text is available under the CC BY-SA 4.0 license; additional terms may apply.
Images, videos and audio are available under their respective licenses.