59 research outputs found

    The Measure-and-Reprogram Technique 2.0: Multi-Round Fiat-Shamir and More

    We revisit recent works by Don, Fehr, Majenz and Schaffner and by Liu and Zhandry on the security of the Fiat-Shamir transformation of $\Sigma$-protocols in the quantum random oracle model (QROM). Two natural questions that arise in this context are: (1) whether the results extend to the Fiat-Shamir transformation of multi-round interactive proofs, and (2) whether Don et al.'s $O(q^2)$ loss in security is optimal. Firstly, we answer question (1) in the affirmative. As a byproduct of solving a technical difficulty in proving this result, we slightly improve the result of Don et al., equipping it with a cleaner bound and an even simpler proof. We apply our result to digital signature schemes showing that it can be used to prove strong security for schemes like MQDSS in the QROM. As another application we prove QROM-security of a non-interactive OR proof by Liu, Wei and Wong. As for question (2), we show via a Grover-search based attack that Don et al.'s quadratic security loss for the Fiat-Shamir transformation of $\Sigma$-protocols is optimal up to a small constant factor. This extends to our new multi-round result, proving it tight up to a factor that depends on the number of rounds only, i.e. is constant for any constant-round interactive proof.

    Online-Extractability in the Quantum Random-Oracle Model

    We show the following generic result. Whenever a quantum query algorithm in the quantum random-oracle model outputs a classical value $t$ that is promised to be in some tight relation with $H(x)$ for some $x$, then $x$ can be efficiently extracted with almost certainty. The extraction is by means of a suitable simulation of the random oracle and works online, meaning that it is straightline, i.e., without rewinding, and on-the-fly, i.e., during the protocol execution and without disturbing it. The technical core of our result is a new commutator bound that bounds the operator norm of the commutator of the unitary operator that describes the evolution of the compressed oracle (which is used to simulate the random oracle above) and of the measurement that extracts $x$. We show two applications of our generic online extractability result. We show tight online extractability of commit-and-open $\Sigma$-protocols in the quantum setting, and we offer the first non-asymptotic post-quantum security proof of the textbook Fujisaki-Okamoto transformation, i.e., without adjustments to facilitate the proof.

    On the (In)Security of the BUFF Transform

    The BUFF transform is a generic transformation for digital signature schemes, with the purpose of obtaining additional security properties beyond standard unforgeability, e.g., exclusive ownership and non-resignability. In the call for additional post-quantum signatures, these were explicitly mentioned by the NIST as "additional desirable security properties", and some of the submissions indeed refer to the BUFF transform with the purpose of achieving them, while some other submissions follow the design of the BUFF transform without mentioning it explicitly. In this work, we show the following negative results regarding the non-resignability property in general, and the BUFF transform in particular. In the plain model, we observe by means of a simple attack that any signature scheme for which the message has a high entropy given the signature does not satisfy the non-resignability property (while non-resignability is trivially not satisfied if the message can be efficiently computed from its signature). Given that the BUFF transform has high entropy in the message given the signature, it follows that the BUFF transform does not achieve non-resignability whenever the random oracle is instantiated with a hash function, no matter what hash function. When considering the random oracle model (ROM), the matter becomes slightly more delicate since prior works did not rigorously define the non-resignability property in the ROM. For the natural extension of the definition to the ROM, we observe that our impossibility result still holds, despite there having been positive claims about the non-resignability of the BUFF transform in the ROM. Indeed, prior claims of the non-resignability of the BUFF transform rely on faulty argumentation.
    On the positive side, we prove that a salted version of the BUFF transform satisfies a slightly weaker variant of non-resignability in the ROM, covering both classical and quantum attacks, if the entropy requirement in the (weakened) definition of non-resignability is statistical; for the computational variant, we show yet another negative result.

    Adaptive versus static multi-oracle algorithms, and quantum security of a split-key PRF

    In the first part of the paper, we show a generic compiler that transforms any oracle algorithm that can query multiple oracles adaptively, i.e., can decide on which oracle to query at what point dependent on previous oracle responses, into a static algorithm that fixes these choices at the beginning of the execution. Compared to naive ways of achieving this, our compiler controls the blow-up in query complexity for each oracle individually, and causes a very mild blow-up only. In the second part of the paper, we use our compiler to show the security of the very efficient hash-based split-key PRF proposed by Giacon, Heuer and Poettering (PKC 2018), in the quantum random-oracle model. Using a split-key PRF as the key-derivation function gives rise to a secure KEM combiner. Thus, our result shows that the hash-based construction of Giacon et al. can be safely used in the context of quantum attacks, for instance to combine a well-established but only classically-secure KEM with a candidate KEM that is believed to be quantum-secure. Our security proof for the split-key PRF crucially relies on our adaptive-to-static compiler, but we expect our compiler to be useful beyond this particular application. Indeed, we discuss a couple of other, known results from the literature that would have profited from our compiler, in that these works had to go through serious complications in order to deal with adaptivity.

    The Lateral Membrane Organization and Dynamics of Myelin Proteins PLP and MBP Are Dictated by Distinct Galactolipids and the Extracellular Matrix

    In the central nervous system, lipid-protein interactions are pivotal for myelin maintenance, as these interactions regulate protein transport to the myelin membrane as well as the molecular organization within the sheath. To improve our understanding of the fundamental properties of myelin, we focused here on the lateral membrane organization and dynamics of peripheral membrane protein 18.5-kDa myelin basic protein (MBP) and transmembrane protein proteolipid protein (PLP) as a function of the typical myelin lipids galactosylceramide (GalC) and sulfatide, and exogenous factors such as the extracellular matrix proteins laminin-2 and fibronectin, employing an oligodendrocyte cell line selectively expressing the desired galactolipids. The dynamics of MBP were monitored by z-scan point fluorescence correlation spectroscopy (FCS) and raster image correlation spectroscopy (RICS), while PLP dynamics in living cells were investigated by circular scanning FCS. The data revealed that on an inert substrate the diffusion rate of 18.5-kDa MBP increased in GalC-expressing cells, while the diffusion coefficient of PLP was decreased in sulfatide-containing cells. Similarly, when cells were grown on myelination-promoting laminin-2, the lateral diffusion coefficient of PLP was decreased in sulfatide-containing cells. In contrast, PLP's diffusion rate increased substantially when these cells were grown on myelination-inhibiting fibronectin. Additional biochemical analyses revealed that the observed differences in lateral diffusion coefficients of both proteins can be explained by differences in their biophysical, i.e., galactolipid environment, specifically with regard to their association with lipid rafts. Given the persistence of pathological fibronectin aggregates in multiple sclerosis lesions, this fundamental insight into the nature and dynamics of lipid-protein interactions will be instrumental in developing myelin regenerative strategies.


    Prospecting for Energy-Rich Renewable Raw Materials: Agave Leaf Case Study

    Plant biomass from different species is heterogeneous, and this diversity in composition can be mined to identify materials of value to fuel and chemical industries. Agave produces high yields of energy-rich biomass, and the sugar-rich stem tissue has traditionally been used to make alcoholic beverages. Here, the compositions of Agave americana and Agave tequilana leaves are determined, particularly in the context of bioethanol production. Agave leaf cell wall polysaccharide content was characterized by linkage analysis, non-cellulosic polysaccharides such as pectins were observed by immuno-microscopy, and leaf juice composition was determined by liquid chromatography. Agave leaves are fruit-like: rich in moisture, soluble sugars and pectin. The dry leaf fiber was composed of crystalline cellulose (47-50% w/w) and non-cellulosic polysaccharides (16-22% w/w), and whole leaves were low in lignin (9-13% w/w). Of the dry mass of whole Agave leaves, 85-95% consisted of soluble sugars, cellulose, non-cellulosic polysaccharides, lignin, acetate, protein and minerals. Juice pressed from the Agave leaves accounted for 69% of the fresh weight and was rich in glucose and fructose. Hydrolysis of the fructan oligosaccharides doubled the amount of fermentable fructose in A. tequilana leaf juice samples, and the concentration of fermentable hexose sugars was 41-48 g/L. In agricultural production systems such as tequila making, Agave leaves are discarded as waste. Theoretically, up to 4000 L/ha/yr of bioethanol could be produced from juice extracted from waste Agave leaves. Using standard Saccharomyces cerevisiae strains to ferment Agave juice, we observed ethanol yields that were 66% of the theoretical yields. These data indicate that Agave could rival currently used bioethanol feedstocks, particularly if the fermentation organisms and conditions were adapted to suit Agave leaf composition.

    Fixing and Mechanizing the Security Proof of Fiat-Shamir with Aborts and Dilithium

    We extend and consolidate the security justification for the Dilithium signature scheme. In particular, we identify a subtle but crucial gap that appears in several ROM and QROM security proofs for signature schemes that are based on the Fiat-Shamir with aborts paradigm, including Dilithium. The gap lies in the CMA-to-NMA reduction and was uncovered when trying to formalize a variant of the QROM security proof by Kiltz, Lyubashevsky, and Schaffner (Eurocrypt 2018). The gap was confirmed by the authors, and there seems to be no simple patch for it. We provide new, fixed proofs for the affected CMA-to-NMA reduction, both for the ROM and the QROM, and we perform a concrete security analysis for the case of Dilithium to show that the claimed security level is still valid after addressing the gap. Furthermore, we offer a fully mechanized ROM proof for the CMA-security of Dilithium in the EasyCrypt proof assistant. Our formalization includes several new tools and techniques of independent interest for future formal verification results.

    Precision and accuracy of single-molecule FRET measurements - a multi-laboratory benchmark study

    Single-molecule Förster resonance energy transfer (smFRET) is increasingly being used to determine distances, structures, and dynamics of biomolecules in vitro and in vivo. However, generalized protocols and FRET standards to ensure the reproducibility and accuracy of measurements of FRET efficiencies are currently lacking. Here we report the results of a comparative blind study in which 20 labs determined the FRET efficiencies (E) of several dye-labeled DNA duplexes. Using a unified, straightforward method, we obtained FRET efficiencies with s.d. between ±0.02 and ±0.05. We suggest experimental and computational procedures for converting FRET efficiencies into accurate distances, and discuss potential uncertainties in the experiment and the modeling. Our quantitative assessment of the reproducibility of intensity-based smFRET measurements and a unified correction procedure represents an important step toward the validation of distance networks, with the ultimate aim of achieving reliable structural models of biomolecular systems by smFRET-based hybrid methods.