Security of the Fiat-Shamir Transformation in the Quantum Random-Oracle Model
The famous Fiat-Shamir transformation turns any public-coin three-round
interactive proof, i.e., any so-called sigma-protocol, into a non-interactive
proof in the random-oracle model. We study this transformation in the setting
of a quantum adversary that in particular may query the random oracle in
quantum superposition.
Our main result is a generic reduction that transforms any quantum dishonest
prover attacking the Fiat-Shamir transformation in the quantum random-oracle
model into a similarly successful quantum dishonest prover attacking the
underlying sigma-protocol (in the standard model). Applied to the standard
soundness and proof-of-knowledge definitions, our reduction implies that both
these security properties, in both the computational and the statistical
variant, are preserved under the Fiat-Shamir transformation even when allowing
quantum attacks. Our result improves and completes the partial results that
have been known so far, but it also proves wrong certain claims made in the
literature.
In the context of post-quantum secure signature schemes, our results imply
that for any sigma-protocol that is a proof-of-knowledge against quantum
dishonest provers (and that satisfies some additional natural properties), the
corresponding Fiat-Shamir signature scheme is secure in the quantum
random-oracle model. For example, we can conclude that the non-optimized
version of Fish, which is the bare Fiat-Shamir variant of the NIST candidate
Picnic, is secure in the quantum random-oracle model.
Comment: 20 page
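To make the transformation discussed in these abstracts concrete, here is an added worked example (not code from any of the papers above) of Schnorr's sigma-protocol for discrete-logarithm knowledge and its Fiat-Shamir variant. The group parameters are constructed at import time for the example (a prime-order subgroup with q = 2^127 - 1), SHA-256 stands in for the random oracle, and the function names are the example's own. The `special_soundness_extract` helper shows the classical two-transcript extractor that the proof-of-knowledge definition relies on; it is exactly this rewinding step that the quantum setting makes difficult.

```python
"""Schnorr's sigma-protocol and its Fiat-Shamir transformation (added example).

Statement: "I know x such that y = g^x (mod p)" in a subgroup of prime order q.
Interactive protocol (public coin, three rounds): commitment a, challenge e,
response z.  Fiat-Shamir replaces the verifier's random challenge by
e = H(statement, a [, message]), with H modelled as a random oracle.
"""
import hashlib
import secrets


def is_probable_prime(n, bases=(2, 3, 5, 7, 11, 13, 17, 19, 23)):
    """Miller-Rabin with fixed bases; adequate for setting up demo parameters."""
    if n < 2:
        return False
    for b in bases:
        if n % b == 0:
            return n == b
    d, s = n - 1, 0
    while d % 2 == 0:
        d //= 2
        s += 1
    for b in bases:
        x = pow(b, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def make_group(q):
    """Return (p, g): p = k*q + 1 prime and g of order exactly q modulo p."""
    k = 2
    while not is_probable_prime(k * q + 1):
        k += 2
    p = k * q + 1
    h = 2
    while pow(h, k, p) == 1:     # h^k has order q unless it equals 1
        h += 1
    return p, pow(h, k, p)


Q = 2**127 - 1                   # Mersenne prime M127: the subgroup order
P, G = make_group(Q)             # parameters constructed for this example


def keygen():
    x = secrets.randbelow(Q - 1) + 1     # witness x in [1, q-1]
    return x, pow(G, x, P)               # statement y = g^x mod p


def prover_commit():
    """Round 1 (prover): pick r, send a = g^r."""
    r = secrets.randbelow(Q - 1) + 1
    return r, pow(G, r, P)


def verifier_challenge():
    """Round 2 (verifier, public coin): a uniformly random challenge."""
    return secrets.randbelow(Q)


def prover_respond(x, r, e):
    """Round 3 (prover): z = r + e*x mod q."""
    return (r + e * x) % Q


def verify(y, a, e, z):
    """Accept iff g^z == a * y^e (mod p)."""
    return pow(G, z, P) == (a * pow(y, e, P)) % P


def fs_challenge(y, a, msg=b""):
    """Random oracle H(p, g, y, a, msg) reduced mod q.  Hashing the statement
    y as well as the commitment a binds the proof to its statement; adding a
    message turns the proof into a Fiat-Shamir signature on msg."""
    data = f"{P}|{G}|{y}|{a}|".encode() + msg
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % Q


def fs_prove(x, y, msg=b""):
    r, a = prover_commit()
    return a, prover_respond(x, r, fs_challenge(y, a, msg))


def fs_verify(y, proof, msg=b""):
    a, z = proof
    return verify(y, a, fs_challenge(y, a, msg), z)   # no interaction needed


def special_soundness_extract(a, e1, z1, e2, z2):
    """Two accepting transcripts with the same a and e1 != e2 reveal x."""
    return ((z1 - z2) * pow((e1 - e2) % Q, -1, Q)) % Q


if __name__ == "__main__":
    x, y = keygen()
    print("Fiat-Shamir proof accepts:", fs_verify(y, fs_prove(x, y)))
```

Running the module proves and verifies one statement non-interactively; the interactive three-round flow is the same three prover/verifier functions called in order with `verifier_challenge()` in place of `fs_challenge`.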
Revisiting Post-Quantum Fiat-Shamir
The Fiat-Shamir transformation is a useful approach to building non-interactive arguments (of knowledge) in the random oracle model. Unfortunately, existing proof techniques are incapable of proving the security of Fiat-Shamir in the quantum setting. The problem stems from (1) the difficulty of quantum rewinding, and (2) the inability of current techniques to adaptively program random oracles in the quantum setting.
In this work, we show how to overcome the limitations above in many settings. In particular, we give mild conditions under which Fiat-Shamir is secure in the quantum setting. As an application, we show that existing lattice signatures based on Fiat-Shamir are secure without any modifications.
The Measure-and-Reprogram Technique 2.0: Multi-Round Fiat-Shamir and More
We revisit recent works by Don, Fehr, Majenz and Schaffner and by Liu and
Zhandry on the security of the Fiat-Shamir transformation of Σ-protocols
in the quantum random oracle model (QROM). Two natural questions that arise in
this context are: (1) whether the results extend to the Fiat-Shamir
transformation of multi-round interactive proofs, and (2) whether Don et al.'s
loss in security is optimal.
Firstly, we answer question (1) in the affirmative. As a byproduct of solving
a technical difficulty in proving this result, we slightly improve the result
of Don et al., equipping it with a cleaner bound and an even simpler proof. We
apply our result to digital signature schemes showing that it can be used to
prove strong security for schemes like MQDSS in the QROM. As another
application we prove QROM-security of a non-interactive OR proof by Liu, Wei
and Wong.
As for question (2), we show via a Grover-search based attack that Don et
al.'s quadratic security loss for the Fiat-Shamir transformation of
Σ-protocols is optimal up to a small constant factor. This extends to
our new multi-round result, proving it tight up to a factor that depends on the
number of rounds only, i.e. is constant for any constant-round interactive
proof.
Comment: 22 page
Making Existential-Unforgeable Signatures Strongly Unforgeable in the Quantum Random-Oracle Model
Strongly unforgeable signature schemes provide a more stringent security
guarantee than the standard existential unforgeability. It requires not only
that forging a signature on a new message is hard, but also that it is
infeasible to produce a new signature on a message for which the adversary has
already seen valid signatures. Strongly unforgeable signatures are useful both in practice
and as a building block in many cryptographic constructions.
This work investigates a generic transformation that compiles any
existential-unforgeable scheme into a strongly unforgeable one, which was
proposed by Teranishi et al. and was proven in the classical random-oracle
model. Our main contribution is showing that the transformation also works
against quantum adversaries in the quantum random-oracle model. We develop
proof techniques such as adaptively programming a quantum random-oracle in a
new setting, which could be of independent interest. Applying the
transformation to an existential-unforgeable signature scheme due to Cash et
al., which can be shown to be quantum-secure assuming certain lattice problems
are hard for quantum computers, we get an efficient quantum-secure strongly
unforgeable signature scheme in the quantum random-oracle model.
Comment: 15 pages, to appear in Proceedings TQC 201
Verifiable Random Oracles
The goal of this thesis is to instantiate random oracles without losing security
that was proven in the random oracle model. That this is not possible with function
families is a well-known statement, first shown by Halevi et al. (IACR'1998). For this
reason we fall back on interaction, but try to keep the resulting overhead as small
as possible.
To interact as little as possible, we introduce a new ideal model called
Verifiable Random Oracle. In addition to the random oracle, this model offers a
verification oracle which, on input (x, h), outputs 1 if RO(x) = h and 0 otherwise.
We then present two concrete instantiations of Verifiable Random Oracles, one of
which requires no trusted party. In addition, we reduce the network overhead
(i.e., the total size of the messages exchanged).
When our instantiations are used together with the Fiat-Shamir transformation, the
simulation-sound extractability property is preserved. The prover of the Fiat-Shamir
transformation unfortunately loses its non-interactivity. The verifier, however,
remains non-interactive, since the instantiations of the verification oracle are
non-interactive. The proofs of these claims form a significant part of this thesis.
Non-interactive classical verification of quantum computation
In a recent breakthrough, Mahadev constructed an interactive protocol that
enables a purely classical party to delegate any quantum computation to an
untrusted quantum prover. In this work, we show that this same task can in fact
be performed non-interactively and in zero-knowledge.
Our protocols result from a sequence of significant improvements to the
original four-message protocol of Mahadev. We begin by making the first message
instance-independent and moving it to an offline setup phase. We then establish
a parallel repetition theorem for the resulting three-message protocol, with an
asymptotically optimal rate. This, in turn, enables an application of the
Fiat-Shamir heuristic, eliminating the second message and giving a
non-interactive protocol. Finally, we employ classical non-interactive
zero-knowledge (NIZK) arguments and classical fully homomorphic encryption
(FHE) to give a zero-knowledge variant of this construction. This yields the
first purely classical NIZK argument system for QMA, a quantum analogue of NP.
We establish the security of our protocols under standard assumptions in
quantum-secure cryptography. Specifically, our protocols are secure in the
Quantum Random Oracle Model, under the assumption that Learning with Errors is
quantumly hard. The NIZK construction also requires circuit-private FHE.
Comment: 37 page