Security of the Fiat-Shamir Transformation in the Quantum Random-Oracle Model
The famous Fiat-Shamir transformation turns any public-coin three-round
interactive proof, i.e., any so-called sigma-protocol, into a non-interactive
proof in the random-oracle model. We study this transformation in the setting
of a quantum adversary that in particular may query the random oracle in
quantum superposition.
Our main result is a generic reduction that transforms any quantum dishonest
prover attacking the Fiat-Shamir transformation in the quantum random-oracle
model into a similarly successful quantum dishonest prover attacking the
underlying sigma-protocol (in the standard model). Applied to the standard
soundness and proof-of-knowledge definitions, our reduction implies that both
these security properties, in both the computational and the statistical
variant, are preserved under the Fiat-Shamir transformation even when allowing
quantum attacks. Our result improves and completes the partial results that
have been known so far, but it also proves wrong certain claims made in the
literature.
In the context of post-quantum secure signature schemes, our results imply
that for any sigma-protocol that is a proof-of-knowledge against quantum
dishonest provers (and that satisfies some additional natural properties), the
corresponding Fiat-Shamir signature scheme is secure in the quantum
random-oracle model. For example, we can conclude that the non-optimized
version of Fish, which is the bare Fiat-Shamir variant of the NIST candidate
Picnic, is secure in the quantum random-oracle model.
Comment: 20 page
Post-Quantum Security of Fiat-Shamir
The Fiat-Shamir construction (Crypto 1986) is an efficient
transformation in the random oracle model for creating non-interactive
proof systems and signatures from sigma-protocols. In classical
cryptography, Fiat-Shamir is a zero-knowledge proof of knowledge
assuming that the underlying sigma-protocol has the zero-knowledge and
special soundness properties. Unfortunately, Ambainis, Rosmanis, and
Unruh (FOCS 2014) ruled out non-relativizing proofs under those
conditions in the quantum setting.
In this paper, we show under which strengthened conditions the
Fiat-Shamir proof system is still post-quantum secure. Namely, we show
that if we require the sigma-protocol to have computational
zero-knowledge and statistical soundness, then Fiat-Shamir is a
zero-knowledge simulation-sound proof system (but not a proof of
knowledge!). Furthermore, we show that Fiat-Shamir leads to a
post-quantum secure unforgeable signature scheme when additionally
assuming a dual-mode hard instance generator for generating key
pairs.
Finally, we study the extractability (proof of knowledge) property of
Fiat-Shamir. While we have no proof of the extractability itself, we
show that if we can prove extractability, then other desired
properties such as simulation-sound extractability (i.e.,
non-malleability) and unforgeable signatures follow.
Tight adaptive reprogramming in the QROM
The random oracle model (ROM) enjoys widespread popularity, mostly because it tends to allow for tight and conceptually simple proofs where provable security in the standard model is elusive or costly. While being the adequate replacement of the ROM in the post-quantum security setting, the quantum-accessible random oracle model (QROM) has thus far failed to provide these advantages in many settings. In this work, we focus on adaptive reprogrammability, a feature of the ROM enabling tight and simple proofs in many settings. We show that the straightforward quantum-accessible generalization of adaptive reprogramming is feasible by proving a bound on the adversarial advantage in distinguishing whether a random oracle has been reprogrammed or not. We show that our bound is tight by providing a matching attack. We go on to demonstrate that our technique recovers the mentioned advantages of the ROM in three QROM applications:
1) We give a tighter proof of security of the message compression routine as used by XMSS.
2) We show that the standard ROM proof of chosen-message security for Fiat-Shamir signatures can be lifted to the QROM, straightforwardly, achieving a tighter reduction than previously known.
3) We give the first QROM proof of security against fault injection and nonce attacks for the hedged Fiat-Shamir transform.
Making Existential-Unforgeable Signatures Strongly Unforgeable in the Quantum Random-Oracle Model
Strongly unforgeable signature schemes provide a more stringent security
guarantee than standard existential unforgeability. They require not only
that forging a signature on a new message is hard, but also that it is
infeasible to produce a new signature on a message for which the adversary
has already seen valid signatures. Strongly unforgeable signatures are useful
both in practice and as a building block in many cryptographic constructions.
This work investigates a generic transformation that compiles any
existential-unforgeable scheme into a strongly unforgeable one, which was
proposed by Teranishi et al. and was proven in the classical random-oracle
model. Our main contribution is showing that the transformation also works
against quantum adversaries in the quantum random-oracle model. We develop
proof techniques such as adaptively programming a quantum random-oracle in a
new setting, which could be of independent interest. Applying the
transformation to an existential-unforgeable signature scheme due to Cash et
al., which can be shown to be quantum-secure assuming certain lattice problems
are hard for quantum computers, we get an efficient quantum-secure strongly
unforgeable signature scheme in the quantum random-oracle model.
Comment: 15 pages, to appear in Proceedings TQC 201
LegRoast: Efficient post-quantum signatures from the Legendre PRF
We introduce an efficient post-quantum signature scheme that relies on the one-wayness of the Legendre PRF. This LEGendRe One-wAyness SignaTure (LegRoast) builds upon the MPC-in-the-head technique to construct an efficient zero-knowledge proof, which is then turned into a signature scheme with the Fiat-Shamir transform. Unlike many other Fiat-Shamir signatures, the security of LegRoast can be proven without using the forking lemma, and this leads to a tight (classical) ROM proof. We also introduce a generalization that relies on the one-wayness of higher-power residue characters; the POwer Residue ChaRacter One-wAyness SignaTure (PorcRoast).
LegRoast outperforms existing MPC-in-the-head-based signatures (most notably Picnic/Picnic2) in terms of signature size and speed. Moreover, PorcRoast outperforms LegRoast by a factor of 2 in both signature size and signing time. For example, one of our parameter sets targeting NIST security level I results in a signature size of 7.2 KB and a signing time of 2.8 ms. This makes PorcRoast the most efficient signature scheme based on symmetric primitives in terms of signature size and signing time.