Multi-target attacks on the picnic signature scheme and related protocols

Itai Dinur; Niv Nadler

doi:10.1007/978-3-030-17659-4_24

Multi-target attacks on the picnic signature scheme and related protocols

Itai Dinur, Niv Nadler

Department of Computer Science

Ben-Gurion University of the Negev

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution › peer-review

Abstract

Picnic is a signature scheme that was presented at ACM CCS 2017 by Chase et al. and submitted to NIST’s post-quantum standardization project. Among all submissions to NIST’s project, Picnic is one of the most innovative, making use of recent progress in construction of practically efficient zero-knowledge (ZK) protocols for general circuits. In this paper, we devise multi-target attacks on Picnic and its underlying ZK protocol, ZKB++. Given access to S signatures, produced by a single or by several users, our attack can (information theoretically) recover the κ-bit signing key of a user in complexity of about 2^κ-7/S. This is faster than Picnic’s claimed 2^κ security against classical (non-quantum) attacks by a factor of 2⁷ S (as each signature contains about 2⁷ attack targets). Whereas in most multi-target attacks, the attacker can easily sort and match the available targets, this is not the case in our attack on Picnic, as different bits of information are available for each target. Consequently, it is challenging to reach the information theoretic complexity in a computational model, and we had to perform cryptanalytic optimizations by carefully analyzing ZKB++ and its underlying circuit. Our best attack for κ=128 has time complexity of T=2⁷⁷ for S=2⁶⁴. Alternatively, we can reach the information theoretic complexity of T=2⁷⁷ for S=2⁵⁷, given that all signatures are produced with the same signing key. Our attack exploits a weakness in the way that the Picnic signing algorithm uses a pseudo-random generator. The weakness is fixed in the recent Picnic 2.0 version. In addition to our attack on Picnic, we show that a recently proposed improvement of the ZKB++ protocol (due to Katz, Kolesnikov and Wang) is vulnerable to a similar multi-target attack.

Original language	American English
Title of host publication	Advances in Cryptology – EUROCRYPT 2019 - 38th Annual International Conference on the Theory and Applications of Cryptographic Techniques, Proceedings
Editors	Yuval Ishai, Vincent Rijmen
Publisher	Springer Verlag
Pages	699-727
Number of pages	29
ISBN (Print)	9783030176587
DOIs	https://doi.org/10.1007/978-3-030-17659-4_24
State	Published - 1 Jan 2019
Event	38th Annual International Conference on the Theory and Applications of Cryptographic Techniques, Eurocrypt 2019 - Darmstadt, Germany Duration: 19 May 2019 → 23 May 2019

Publication series

Name	Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)
Volume	11478 LNCS

Conference

Conference	38th Annual International Conference on the Theory and Applications of Cryptographic Techniques, Eurocrypt 2019
Country/Territory	Germany
City	Darmstadt
Period	19/05/19 → 23/05/19

Keywords

Block cipher
Cryptanalysis
LowMC
MPC
Multi-target attack
Picnic
Signature scheme
ZKB++
Zero-knowledge protocol

All Science Journal Classification (ASJC) codes

Theoretical Computer Science
General Computer Science

Access to Document

10.1007/978-3-030-17659-4_24

Cite this

Dinur, I., & Nadler, N. (2019). Multi-target attacks on the picnic signature scheme and related protocols. In Y. Ishai, & V. Rijmen (Eds.), Advances in Cryptology – EUROCRYPT 2019 - 38th Annual International Conference on the Theory and Applications of Cryptographic Techniques, Proceedings (pp. 699-727). (Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics); Vol. 11478 LNCS). Springer Verlag. https://doi.org/10.1007/978-3-030-17659-4_24

Dinur, Itai ; Nadler, Niv. / Multi-target attacks on the picnic signature scheme and related protocols. Advances in Cryptology – EUROCRYPT 2019 - 38th Annual International Conference on the Theory and Applications of Cryptographic Techniques, Proceedings. editor / Yuval Ishai ; Vincent Rijmen. Springer Verlag, 2019. pp. 699-727 (Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)).

@inproceedings{4c40ca4c555d4c5997fece31f946d105,

title = "Multi-target attacks on the picnic signature scheme and related protocols",

abstract = "Picnic is a signature scheme that was presented at ACM CCS 2017 by Chase et al. and submitted to NIST{\textquoteright}s post-quantum standardization project. Among all submissions to NIST{\textquoteright}s project, Picnic is one of the most innovative, making use of recent progress in construction of practically efficient zero-knowledge (ZK) protocols for general circuits. In this paper, we devise multi-target attacks on Picnic and its underlying ZK protocol, ZKB++. Given access to S signatures, produced by a single or by several users, our attack can (information theoretically) recover the κ-bit signing key of a user in complexity of about 2κ-7/S. This is faster than Picnic{\textquoteright}s claimed 2κ security against classical (non-quantum) attacks by a factor of 27 S (as each signature contains about 27 attack targets). Whereas in most multi-target attacks, the attacker can easily sort and match the available targets, this is not the case in our attack on Picnic, as different bits of information are available for each target. Consequently, it is challenging to reach the information theoretic complexity in a computational model, and we had to perform cryptanalytic optimizations by carefully analyzing ZKB++ and its underlying circuit. Our best attack for κ=128 has time complexity of T=277 for S=264. Alternatively, we can reach the information theoretic complexity of T=277 for S=257, given that all signatures are produced with the same signing key. Our attack exploits a weakness in the way that the Picnic signing algorithm uses a pseudo-random generator. The weakness is fixed in the recent Picnic 2.0 version. In addition to our attack on Picnic, we show that a recently proposed improvement of the ZKB++ protocol (due to Katz, Kolesnikov and Wang) is vulnerable to a similar multi-target attack.",

keywords = "Block cipher, Cryptanalysis, LowMC, MPC, Multi-target attack, Picnic, Signature scheme, ZKB++, Zero-knowledge protocol",

author = "Itai Dinur and Niv Nadler",

note = "Publisher Copyright: {\textcopyright} International Association for Cryptologic Research 2019.; 38th Annual International Conference on the Theory and Applications of Cryptographic Techniques, Eurocrypt 2019 ; Conference date: 19-05-2019 Through 23-05-2019",

year = "2019",

month = jan,

day = "1",

doi = "10.1007/978-3-030-17659-4\_24",

language = "American English",

isbn = "9783030176587",

series = "Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)",

publisher = "Springer Verlag",

pages = "699--727",

editor = "Yuval Ishai and Vincent Rijmen",

booktitle = "Advances in Cryptology – EUROCRYPT 2019 - 38th Annual International Conference on the Theory and Applications of Cryptographic Techniques, Proceedings",

address = "Germany",

}

Dinur, I & Nadler, N 2019, Multi-target attacks on the picnic signature scheme and related protocols. in Y Ishai & V Rijmen (eds), Advances in Cryptology – EUROCRYPT 2019 - 38th Annual International Conference on the Theory and Applications of Cryptographic Techniques, Proceedings. Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics), vol. 11478 LNCS, Springer Verlag, pp. 699-727, 38th Annual International Conference on the Theory and Applications of Cryptographic Techniques, Eurocrypt 2019, Darmstadt, Germany, 19/05/19. https://doi.org/10.1007/978-3-030-17659-4_24

Multi-target attacks on the picnic signature scheme and related protocols. / Dinur, Itai; Nadler, Niv.
Advances in Cryptology – EUROCRYPT 2019 - 38th Annual International Conference on the Theory and Applications of Cryptographic Techniques, Proceedings. ed. / Yuval Ishai; Vincent Rijmen. Springer Verlag, 2019. p. 699-727 (Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics); Vol. 11478 LNCS).

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution › peer-review

TY - GEN

T1 - Multi-target attacks on the picnic signature scheme and related protocols

AU - Dinur, Itai

AU - Nadler, Niv

N1 - Publisher Copyright: © International Association for Cryptologic Research 2019.

PY - 2019/1/1

Y1 - 2019/1/1

N2 - Picnic is a signature scheme that was presented at ACM CCS 2017 by Chase et al. and submitted to NIST’s post-quantum standardization project. Among all submissions to NIST’s project, Picnic is one of the most innovative, making use of recent progress in construction of practically efficient zero-knowledge (ZK) protocols for general circuits. In this paper, we devise multi-target attacks on Picnic and its underlying ZK protocol, ZKB++. Given access to S signatures, produced by a single or by several users, our attack can (information theoretically) recover the κ-bit signing key of a user in complexity of about 2κ-7/S. This is faster than Picnic’s claimed 2κ security against classical (non-quantum) attacks by a factor of 27 S (as each signature contains about 27 attack targets). Whereas in most multi-target attacks, the attacker can easily sort and match the available targets, this is not the case in our attack on Picnic, as different bits of information are available for each target. Consequently, it is challenging to reach the information theoretic complexity in a computational model, and we had to perform cryptanalytic optimizations by carefully analyzing ZKB++ and its underlying circuit. Our best attack for κ=128 has time complexity of T=277 for S=264. Alternatively, we can reach the information theoretic complexity of T=277 for S=257, given that all signatures are produced with the same signing key. Our attack exploits a weakness in the way that the Picnic signing algorithm uses a pseudo-random generator. The weakness is fixed in the recent Picnic 2.0 version. In addition to our attack on Picnic, we show that a recently proposed improvement of the ZKB++ protocol (due to Katz, Kolesnikov and Wang) is vulnerable to a similar multi-target attack.

AB - Picnic is a signature scheme that was presented at ACM CCS 2017 by Chase et al. and submitted to NIST’s post-quantum standardization project. Among all submissions to NIST’s project, Picnic is one of the most innovative, making use of recent progress in construction of practically efficient zero-knowledge (ZK) protocols for general circuits. In this paper, we devise multi-target attacks on Picnic and its underlying ZK protocol, ZKB++. Given access to S signatures, produced by a single or by several users, our attack can (information theoretically) recover the κ-bit signing key of a user in complexity of about 2κ-7/S. This is faster than Picnic’s claimed 2κ security against classical (non-quantum) attacks by a factor of 27 S (as each signature contains about 27 attack targets). Whereas in most multi-target attacks, the attacker can easily sort and match the available targets, this is not the case in our attack on Picnic, as different bits of information are available for each target. Consequently, it is challenging to reach the information theoretic complexity in a computational model, and we had to perform cryptanalytic optimizations by carefully analyzing ZKB++ and its underlying circuit. Our best attack for κ=128 has time complexity of T=277 for S=264. Alternatively, we can reach the information theoretic complexity of T=277 for S=257, given that all signatures are produced with the same signing key. Our attack exploits a weakness in the way that the Picnic signing algorithm uses a pseudo-random generator. The weakness is fixed in the recent Picnic 2.0 version. In addition to our attack on Picnic, we show that a recently proposed improvement of the ZKB++ protocol (due to Katz, Kolesnikov and Wang) is vulnerable to a similar multi-target attack.

KW - Block cipher

KW - Cryptanalysis

KW - LowMC

KW - MPC

KW - Multi-target attack

KW - Picnic

KW - Signature scheme

KW - ZKB++

KW - Zero-knowledge protocol

UR - http://www.scopus.com/inward/record.url?scp=85065904547&partnerID=8YFLogxK

U2 - 10.1007/978-3-030-17659-4_24

DO - 10.1007/978-3-030-17659-4_24

M3 - Conference contribution

SN - 9783030176587

T3 - Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)

SP - 699

EP - 727

BT - Advances in Cryptology – EUROCRYPT 2019 - 38th Annual International Conference on the Theory and Applications of Cryptographic Techniques, Proceedings

A2 - Ishai, Yuval

A2 - Rijmen, Vincent

PB - Springer Verlag

T2 - 38th Annual International Conference on the Theory and Applications of Cryptographic Techniques, Eurocrypt 2019

Y2 - 19 May 2019 through 23 May 2019

ER -

Dinur I, Nadler N. Multi-target attacks on the picnic signature scheme and related protocols. In Ishai Y, Rijmen V, editors, Advances in Cryptology – EUROCRYPT 2019 - 38th Annual International Conference on the Theory and Applications of Cryptographic Techniques, Proceedings. Springer Verlag. 2019. p. 699-727. (Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)). doi: 10.1007/978-3-030-17659-4_24

Multi-target attacks on the picnic signature scheme and related protocols

Abstract

Publication series

Conference

Keywords

All Science Journal Classification (ASJC) codes

Access to Document

Other files and links

Fingerprint

Cite this