TY - GEN
T1 - Multi-target attacks on the picnic signature scheme and related protocols
AU - Dinur, Itai
AU - Nadler, Niv
N1 - Publisher Copyright:
© International Association for Cryptologic Research 2019.
PY - 2019/1/1
Y1 - 2019/1/1
N2 - Picnic is a signature scheme that was presented at ACM CCS 2017 by Chase et al. and submitted to NIST’s post-quantum standardization project. Among all submissions to NIST’s project, Picnic is one of the most innovative, making use of recent progress in construction of practically efficient zero-knowledge (ZK) protocols for general circuits. In this paper, we devise multi-target attacks on Picnic and its underlying ZK protocol, ZKB++. Given access to S signatures, produced by a single or by several users, our attack can (information theoretically) recover the κ-bit signing key of a user in complexity of about 2κ-7/S. This is faster than Picnic’s claimed 2κ security against classical (non-quantum) attacks by a factor of 27 S (as each signature contains about 27 attack targets). Whereas in most multi-target attacks, the attacker can easily sort and match the available targets, this is not the case in our attack on Picnic, as different bits of information are available for each target. Consequently, it is challenging to reach the information theoretic complexity in a computational model, and we had to perform cryptanalytic optimizations by carefully analyzing ZKB++ and its underlying circuit. Our best attack for κ=128 has time complexity of T=277 for S=264. Alternatively, we can reach the information theoretic complexity of T=277 for S=257, given that all signatures are produced with the same signing key. Our attack exploits a weakness in the way that the Picnic signing algorithm uses a pseudo-random generator. The weakness is fixed in the recent Picnic 2.0 version. In addition to our attack on Picnic, we show that a recently proposed improvement of the ZKB++ protocol (due to Katz, Kolesnikov and Wang) is vulnerable to a similar multi-target attack.
AB - Picnic is a signature scheme that was presented at ACM CCS 2017 by Chase et al. and submitted to NIST’s post-quantum standardization project. Among all submissions to NIST’s project, Picnic is one of the most innovative, making use of recent progress in construction of practically efficient zero-knowledge (ZK) protocols for general circuits. In this paper, we devise multi-target attacks on Picnic and its underlying ZK protocol, ZKB++. Given access to S signatures, produced by a single or by several users, our attack can (information theoretically) recover the κ-bit signing key of a user in complexity of about 2κ-7/S. This is faster than Picnic’s claimed 2κ security against classical (non-quantum) attacks by a factor of 27 S (as each signature contains about 27 attack targets). Whereas in most multi-target attacks, the attacker can easily sort and match the available targets, this is not the case in our attack on Picnic, as different bits of information are available for each target. Consequently, it is challenging to reach the information theoretic complexity in a computational model, and we had to perform cryptanalytic optimizations by carefully analyzing ZKB++ and its underlying circuit. Our best attack for κ=128 has time complexity of T=277 for S=264. Alternatively, we can reach the information theoretic complexity of T=277 for S=257, given that all signatures are produced with the same signing key. Our attack exploits a weakness in the way that the Picnic signing algorithm uses a pseudo-random generator. The weakness is fixed in the recent Picnic 2.0 version. In addition to our attack on Picnic, we show that a recently proposed improvement of the ZKB++ protocol (due to Katz, Kolesnikov and Wang) is vulnerable to a similar multi-target attack.
KW - Block cipher
KW - Cryptanalysis
KW - LowMC
KW - MPC
KW - Multi-target attack
KW - Picnic
KW - Signature scheme
KW - ZKB++
KW - Zero-knowledge protocol
UR - http://www.scopus.com/inward/record.url?scp=85065904547&partnerID=8YFLogxK
U2 - 10.1007/978-3-030-17659-4_24
DO - 10.1007/978-3-030-17659-4_24
M3 - Conference contribution
AN - SCOPUS:85065904547
SN - 9783030176587
T3 - Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)
SP - 699
EP - 727
BT - Advances in Cryptology – EUROCRYPT 2019 - 38th Annual International Conference on the Theory and Applications of Cryptographic Techniques, Proceedings
A2 - Ishai, Yuval
A2 - Rijmen, Vincent
PB - Springer Verlag
T2 - 38th Annual International Conference on the Theory and Applications of Cryptographic Techniques, Eurocrypt 2019
Y2 - 19 May 2019 through 23 May 2019
ER -