Security of the Fiat-Shamir Transformation in the Quantum Random-Oracle Model
The famous Fiat-Shamir transformation turns any public-coin three-round
interactive proof, i.e., any so-called sigma-protocol, into a non-interactive
proof in the random-oracle model. We study this transformation in the setting
of a quantum adversary that in particular may query the random oracle in
quantum superposition.
Our main result is a generic reduction that transforms any quantum dishonest
prover attacking the Fiat-Shamir transformation in the quantum random-oracle
model into a similarly successful quantum dishonest prover attacking the
underlying sigma-protocol (in the standard model). Applied to the standard
soundness and proof-of-knowledge definitions, our reduction implies that both
these security properties, in both the computational and the statistical
variant, are preserved under the Fiat-Shamir transformation even when allowing
quantum attacks. Our result improves and completes the partial results that
have been known so far, but it also proves wrong certain claims made in the
literature.
In the context of post-quantum secure signature schemes, our results imply
that for any sigma-protocol that is a proof-of-knowledge against quantum
dishonest provers (and that satisfies some additional natural properties), the
corresponding Fiat-Shamir signature scheme is secure in the quantum
random-oracle model. For example, we can conclude that the non-optimized
version of Fish, which is the bare Fiat-Shamir variant of the NIST candidate
Picnic, is secure in the quantum random-oracle model.
Comment: 20 page
Making Existential-Unforgeable Signatures Strongly Unforgeable in the Quantum Random-Oracle Model
Strongly unforgeable signature schemes provide a more stringent security
guarantee than the standard existential unforgeability. It requires that not
only forging a signature on a new message is hard, it is infeasible as well to
produce a new signature on a message for which the adversary has seen valid
signatures before. Strongly unforgeable signatures are useful both in practice
and as a building block in many cryptographic constructions.
This work investigates a generic transformation that compiles any
existential-unforgeable scheme into a strongly unforgeable one, which was
proposed by Teranishi et al. and was proven in the classical random-oracle
model. Our main contribution is showing that the transformation also works
against quantum adversaries in the quantum random-oracle model. We develop
proof techniques such as adaptively programming a quantum random-oracle in a
new setting, which could be of independent interest. Applying the
transformation to an existential-unforgeable signature scheme due to Cash et
al., which can be shown to be quantum-secure assuming certain lattice problems
are hard for quantum computers, we get an efficient quantum-secure strongly
unforgeable signature scheme in the quantum random-oracle model.
Comment: 15 pages, to appear in Proceedings TQC 201
LegRoast: Efficient post-quantum signatures from the Legendre PRF
We introduce an efficient post-quantum signature scheme that relies on the one-wayness of the Legendre PRF. This LEGendRe One-wAyness SignaTure (LegRoast) builds upon the MPC-in-the-head technique to construct an efficient zero-knowledge proof, which is then turned into a signature scheme with the Fiat-Shamir transform. Unlike many other Fiat-Shamir signatures, the security of LegRoast can be proven without using the forking lemma, and this leads to a tight (classical) ROM proof. We also introduce a generalization that relies on the one-wayness of higher-power residue characters; the POwer Residue ChaRacter One-wAyness SignaTure (PorcRoast).
LegRoast outperforms existing MPC-in-the-head-based signatures (most notably Picnic/Picnic2) in terms of signature size and speed. Moreover, PorcRoast outperforms LegRoast by a factor of 2 in both signature size and signing time. For example, one of our parameter sets targeting NIST security level I results in a signature size of 7.2 KB and a signing time of 2.8ms. This makes PorcRoast the most efficient signature scheme based on symmetric primitives in terms of signature size and signing time.
The Measure-and-Reprogram Technique 2.0: Multi-Round Fiat-Shamir and More
We revisit recent works by Don, Fehr, Majenz and Schaffner and by Liu and
Zhandry on the security of the Fiat-Shamir transformation of Σ-protocols
in the quantum random oracle model (QROM). Two natural questions that arise in
this context are: (1) whether the results extend to the Fiat-Shamir
transformation of multi-round interactive proofs, and (2) whether Don et al.'s
loss in security is optimal.
Firstly, we answer question (1) in the affirmative. As a byproduct of solving
a technical difficulty in proving this result, we slightly improve the result
of Don et al., equipping it with a cleaner bound and an even simpler proof. We
apply our result to digital signature schemes showing that it can be used to
prove strong security for schemes like MQDSS in the QROM. As another
application we prove QROM-security of a non-interactive OR proof by Liu, Wei
and Wong.
As for question (2), we show via a Grover-search based attack that Don et
al.'s quadratic security loss for the Fiat-Shamir transformation of
Σ-protocols is optimal up to a small constant factor. This extends to
our new multi-round result, proving it tight up to a factor that depends on the
number of rounds only, i.e. is constant for any constant-round interactive
proof.
Comment: 22 page