8.6 Comparisons to existing schemes
8.6.3 Computationally secure digital signatures
In this section we compare the hash scheme to some of the most popular computationally secure digital signature schemes. The comparison is fraught with difficulties since, in many respects, USS schemes are fundamentally different to digital signatures. Nevertheless, we think the comparison is worth a try.
In Table 8.2 we state the signature length as well as the public and private key sizes for various common digital signature schemes. For comparison, Table 8.3 gives the secret key requirements and signature length of the hash scheme for the same security level.

4 This choice is somewhat arbitrary, but is chosen to minimise the required signature lengths.
5 Signing the message as a whole would require participants to share secret keys of size O(|M|) =
Algorithm                     Public key   Private key   Signature size
RSA [12]                           3,072        24,576            3,072
DSA [13]                           3,072         3,328            3,072
ECDSA [14]                           512           768              512
XMSS (Hash based) [27]             7,296           152           19,608
Bliss (Lattice based) [19]         7,000         2,000            5,600
Rainbow (Multivariate) [22]      842,400       561,352              264
Table 8.2: This table shows the public key length, private key length, and signature size of various common digital signature schemes [26]. The schemes on rows 1-3 are computationally secure in the classical setting but not quantum-safe. The schemes on rows 4-6 are quantum-safe. The figures are quoted in bits, and are the lengths required for 128-bit security, i.e. a security level of 2^-128.
Algorithm            Secret shared key   Signature size
Hash scheme                 45,250,100       43,500,000
Trusted Authority               95,200          220,000
Table 8.3: This table shows the secret key requirements (per participant) and signature size needed to sign a single 1 Mb message between 51 participants with 128-bit security using the hash scheme. The figures are quoted in bits. The first row is for the protocol as described in Section 8.2, while the second row allows for a trusted authority as described in Section 8.5.
Recall that digital signatures are believed to provide computational security, rather than the unconditional security provided by USS schemes. The top three lines of Table 8.2 show the schemes that are most commonly used in the real world. These schemes are not quantum-safe, i.e. in the presence of quantum adversaries the schemes are proven to be completely insecure [15]. The bottom three lines of Table 8.2 show the most likely successors to the current digital signature schemes. These schemes are believed to be quantum-safe, which means they are believed to provide computational security even in the presence of quantum adversaries. As a consequence of the lower security level provided, digital signatures also enjoy some additional advantages not explicitly stated in the tables above. Namely,
1. Digital signatures are public-key schemes and do not require any secret shared key between participants.
2. Digital signatures are universally verifiable.
3. The signature length and public/private-key sizes do not depend on the number of participants in the scheme.
4. Public and private keys can be reused to sign many messages (see footnote 6).
Clearly, the tables and the points above show that the hash scheme is still less efficient than the competing quantum-safe digital signature schemes, though the difference is perhaps not as large as expected, particularly if one allows for a trusted authority.
Nevertheless, even without the trusted authority, the hash scheme requires participants to share a total of 4.35 × 10^7 secret bits (spread across the other participants) in order to send/receive a 1 Mb message with 128-bit security, or 7.69 × 10^6 if the security level is reduced to 10^-10. While this might sound like a lot, it is worth noting that standard QKD systems can already distribute secret key at a rate in excess of 1 Mbps [151] and this rate is constantly increasing. As such, the hash scheme can certainly be considered practical and within the reach of current technology.
A potential advantage of the hash scheme is the computational efficiency of generating the signatures and the verification keys. To varying degrees, all of the digital signature schemes above are quite computationally intensive when it comes to creating a signature. In many applications this is not an issue, but for settings where there are limited computational resources available, creating the signatures may cause a noticeable slowdown of the application. The hash scheme on the other hand requires only the evaluation of universal hash functions, something which is often computationally cheap. For example, many commonly used -ASU2 sets are created from Toeplitz matrices (e.g. [99, 152]) whose evaluation is simple and efficient.

It should be stressed that in real-world applications, the requirement of shared secret keys means that USS schemes should not be considered a stand-alone product. Rather, they should be thought of as a complement to existing QKD networks. Clearly, any system connected via a network of QKD links values high security. In this case, the additional security guarantees offered by USS schemes over digital signatures may be a significant incentive for their use. Further, the implementation of USS schemes in existing QKD networks would come at a very small additional cost, since the infrastructure necessary to distribute secret keys would already be in place.
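To make the "simple and efficient" evaluation concrete, the following is an added illustration (not code from the thesis or from [99, 152]) of Toeplitz-matrix hashing over GF(2): a t × n Toeplitz matrix is fixed by one key bit per diagonal, so the key is n+2t-1 bits including the offset, and computing a tag is nothing more than XORs of key bits selected by the message bits. The sample message, key and tag width are constructed values chosen only for the demonstration.

```python
"""Toeplitz-matrix universal hashing over GF(2) (added illustration).

A t x n Toeplitz matrix T is fixed by n+t-1 key bits (one per diagonal),
so h(m) = T*m XOR b needs n+2t-1 secret bits instead of the (n+1)*t bits
of a uniformly random matrix, and evaluating it is just XORs of key bits.
Messages, keys and tags are modelled as lists of 0/1 ints.
"""
import secrets

def toeplitz_key_bits(n, t):
    """Secret key length: n+t-1 diagonal bits plus a t-bit offset."""
    return n + 2 * t - 1

def gen_key(n, t):
    """Sample a fresh (diagonals, offset) key uniformly at random."""
    diag = [secrets.randbelow(2) for _ in range(n + t - 1)]
    offset = [secrets.randbelow(2) for _ in range(t)]
    return diag, offset

def toeplitz_hash(msg, diag, offset):
    """Return tag = T*msg XOR offset, where T[i][j] = diag[i - j + n - 1]."""
    n, t = len(msg), len(offset)
    if len(diag) != n + t - 1:
        raise ValueError("diagonal key must have n+t-1 bits")
    tag = []
    for i in range(t):
        acc = offset[i]
        for j in range(n):
            if msg[j]:  # column j of T contributes only when message bit j is set
                acc ^= diag[i - j + n - 1]
        tag.append(acc)
    return tag

def int_to_bits(value, n):
    """n-bit big-endian bit list, used to build the constructed samples."""
    return [(value >> (n - 1 - k)) & 1 for k in range(n)]

# Constructed sample: a 16-bit message, an 8-bit tag and a fixed toy key
# (a real deployment samples the key with gen_key instead).
SAMPLE_MSG = int_to_bits(0xBEEF, 16)
SAMPLE_DIAG = int_to_bits(0x5A5A5A, 23)  # n + t - 1 = 23 diagonal bits
SAMPLE_OFFSET = int_to_bits(0x0F, 8)

if __name__ == "__main__":
    tag = toeplitz_hash(SAMPLE_MSG, SAMPLE_DIAG, SAMPLE_OFFSET)
    print("tag:", "".join(map(str, tag)), "key bits:", toeplitz_key_bits(16, 8))
```

Because T is linear over GF(2), the tag of m1 XOR m2 under a zero offset equals the XOR of the two tags, which is the property the test below checks.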
6 There are limits on how many messages can be signed using XMSS, but the number is very
8.7 Conclusion
In this chapter we introduced a classical USS scheme which required fewer resources than all previous classical USS schemes proposed in the literature – namely, we presented a secure scheme that did not rely on either a trusted authority, broadcast channels or anonymous channels. Further, to sign an n-bit message, the hash scheme used secret channels only to send communications O(log n) in size, as opposed to O(n) as is necessary in P2 [1], GP2 [34] and all known quantum USS schemes. As such, our scheme has smaller resource requirements than all known quantum USS schemes. Despite using fewer resources, the hash scheme is far superior in efficiency to all quantum USS schemes, achieving improvements of at least six orders of magnitude. As such, it is unclear what advantages quantum USS schemes may provide over classical USS schemes, and additional motivation is necessary if further quantum schemes are proposed.
In comparison to existing classical USS schemes, the hash scheme is again more efficient both in terms of the signature length and the secret key requirements. In fact, it is shown that the cost of implementing the hash scheme scales in the same way as message authentication, and the hash scheme can therefore be considered cheap.
Lastly, we compared the hash scheme to a selection of some of the most common public-key digital signature schemes, both quantum-safe and not. We found that, overall, the efficiency shortcomings of USS schemes mean they are certainly not going to replace quantum-safe digital signatures in most real world applications. Nevertheless, the hash scheme can be considered practical with current technology, and can be implemented within existing QKD networks for a low additional cost. Therefore, for systems requiring very high levels of security, the hash scheme could well find commercial application.
Chapter 9
Imperfect oblivious transfer
9.1 Introduction
The results of the previous chapter show that classical USS schemes can be drastically more efficient than all known quantum USS schemes. Importantly, this is the case even for classical schemes requiring the same (or fewer) resources than quantum schemes. As such, it is unclear whether quantum mechanics is necessary or useful in creating USS schemes.
One potential advantage of quantum schemes, highlighted in Section 8.4, is that the same-state schemes described in Section 5.2 may be able to increase the maximum tolerable number of dishonest participants within a USS protocol. In these same-state schemes, we require the guarantees that:
1. The recipient cannot gain full information on the states Alice sends (to protect against forging), and;
2. Alice does not know what information the recipient receives (to protect against repudiation/non-transferability).
As discussed in Section 3.7, these guarantees are highly reminiscent of 1-out-of-2 oblivious transfer (1-2 OT).
OT is one of the most important primitives in cryptography. Its importance stems from the fact that it can be used as the foundation for all secure two-party computations – with OT, all secure two-party computations are possible [102, 103]. The widespread use and applicability of OT means that, aside from its potential relevance to USS schemes, studying what is achievable with information-theoretic security is independently interesting, and the bounds that we prove may impact a wide range of other cryptographic protocols. The work in this chapter is taken from Ref. [153] with minor modifications.