A Concrete Treatment of Fiat-Shamir Signatures in the Quantum - - PowerPoint PPT Presentation



SLIDE 1

A Concrete Treatment of Fiat-Shamir Signatures in the Quantum Random-Oracle Model

EUROCRYPT 2018 Eike Kiltz, Vadim Lyubashevsky, Christian Schaffner

SLIDE 2

Classical Signature Schemes

Trapdoor function → (Full Domain Hash) → Signature Scheme
Identification Scheme → (Fiat-Shamir) → Signature Scheme

This work: concrete treatment of Fiat-Shamir against quantum adversaries
Goal: help setting concrete parameters

SLIDE 3

Outline

  • Part I: Fiat-Shamir Signatures in the Random Oracle Model
  • Part II: Fiat-Shamir Signatures in the Quantum Random Oracle Model
  • Part III: Concrete Instantiations from lattices

SLIDE 4

Part I: Fiat-Shamir Signatures in the ROM

SLIDE 5

Digital Signatures

Security game between Challenger and Adversary (in the ROM):
  • Challenger → Adversary: pk
  • Adversary → Challenger: message m (signing queries); Challenger → Adversary: signature σ
  • Adversary → Challenger: x (RO queries); Challenger → Adversary: H(x)
  • Adversary outputs a forgery (message m*, signature σ*)

UF-NMA: unforgeability against no message attack (no signing queries)
UF-CMA: unforgeability against chosen message attack in the ROM

Images: xkcd

SLIDE 6

Canonical Identification (aka Σ-protocol)

Prover (sk) → Verifier (pk): com ("commitment")
Verifier (pk) → Prover (sk): ch ∈ {0,1}^n ("challenge")
Prover (sk) → Verifier (pk): res ("response")

Verifier (pk): transcript (com, ch, res) valid?

SLIDE 7

Fiat-Shamir Signatures

Prover (sk): com
ch := H(m, com)   (the verifier's challenge is replaced by a hash of message and commitment)
Prover (sk): res

Signature on m: σ = (com, res)
Verify: (com, ch = H(m, com), res) valid?

SLIDE 8

Deterministic Fiat-Shamir Signatures

Prover (sk): com_m
ch_m := H(m, com_m)
Prover (sk): res_m
The whole transcript (com_m, ch_m, res_m) is deterministically derived from m (given sk)

Signature on m: σ_m = (com_m, res_m)
Verify: (com_m, ch_m = H(m, com_m), res_m) valid?

SLIDE 9

Security of Fiat-Shamir Signatures in ROM
Known results [PS96, AABN02, Lyu09, AFLT12]

identification → Fiat-Shamir signature:
  • special soundness ⇒ UF-NMA (via rewinding; non-tight implication)
  • LOSSY ⇒ UF-NMA (tight implication)
  • UF-NMA ⇒ UF-CMA (tight implication)

UF-CMA: unforgeability against chosen message attack
UF-NMA: unforgeability against no message attack

Lossy Identification [AFLT12]
  • pk ≈c pk_lossy → statistical soundness
  • Stronger than special soundness
SLIDE 10

Fiat-Shamir Signatures

  • Schnorr Signatures/EdDSA (DLOG)
  • Guillou-Quisquater (Factoring)
  • Katz-Wang signatures (DDH)
  • NIST Post-Quantum competition (Lattices/Codes)
    – Dilithium
    – qTESLA
    – MQDSS
    – …

Security against Quantum Adversaries?

SLIDE 11

Quantum Computers

  • Compute on qubits in superposition: |x> = Σ_{a∈{0,1}^n} α_a |a>
  • Easy: Factoring, DLOG, etc.
  • Hard: symmetric, lattices, codes, isogenies, ...
  • How to model "offline primitives"?

Random Oracle [BR93]: query x, receive H(x)
Quantum Random Oracle [BDFLSZ11]: query |x>, receive |H(x)> (queries in superposition)

Many RO tools useless in QROM:
  • Rewinding
  • Lazy evaluation
  • RO patching
  • Pre-image awareness
SLIDE 12

Part II: Fiat-Shamir Signatures in the QROM

SLIDE 13

Digital Signature Schemes in the QROM

Security game between Challenger and Adversary (in the QROM):
  • Challenger → Adversary: pk
  • Adversary → Challenger: message m (signing queries, classical); Challenger → Adversary: signature σ
  • Adversary → Challenger: |x> (QRO queries, in superposition); Challenger → Adversary: |H(x)>
  • Adversary outputs a forgery (message m*, signature σ*)

UF-CMA: unforgeability against chosen message attack
UF-NMA: unforgeability against no message attack

SLIDE 14

Security of Fiat-Shamir Signatures in ROM (Recap)

identification → Fiat-Shamir signature:
  • special soundness ⇒ UF-NMA (non-tight implication)
  • LOSSY ⇒ UF-NMA (tight implication)
  • UF-NMA ⇒ UF-CMA (tight implication)

SLIDE 15

Security of Fiat-Shamir Signatures in QROM

identification → Fiat-Shamir signature:
  • special soundness ⇒ UF-NMA [ARU14]
  • LOSSY ⇒ UF-NMA [U17]
  • UF-NMA ⇒ UF-CMA: see table

UF-NMA ⇒ UF-CMA        Probabilistic Fiat-Shamir   Deterministic Fiat-Shamir
in QROM                 non-tight [U17]             tight [new]
in QROM with QRAM*      tight [U17']                tight [U17']

*QRAM: assumes superposition queries to classical data in unit time

SLIDE 16

Proof: UF-NMA ⇒ UF-CMA in ROM

How to simulate σ = (com, res) without sk?

Reduction ↔ Adversary:
  • Adversary → Reduction: signing query m
  • Reduction, step 1 (HVZK): sample a random transcript (com, ch, res); σ := (com, res)
  • Reduction, step 2: H(com, m) := ch ("patching")
  • Adversary → Reduction: RO query (com, m); Reduction → Adversary: H(com, m)

SLIDE 17

Proof: UF-NMA ⇒ UF-CMA in ROM (continued)

Why RO patching works
  • com has high entropy
  • ⇒ H(com, m) is still undefined w.h.p. when the reduction patches it
  • Entropy argument/patching fails in QROM

SLIDE 18

Our proof: UF-NMA ⇒ UF-CMA in QROM (deterministic Fiat-Shamir)

How to simulate σ_m = (com_m, res_m) without sk?

Reduction ↔ Adversary:
  • Adversary → Reduction: signing query m
  • Reduction: unique HVZK transcript for m: (com_m, ch_m, res_m); σ_m := (com_m, res_m)
  • Reduction: define the QRO as H(com, m) := ch_m iff com = com_m
  • Adversary → Reduction: QRO query |(com, m)>; Reduction → Adversary: |H(com, m)>

SLIDE 19

Our proof: UF-NMA ⇒ UF-CMA in QROM (deterministic Fiat-Shamir, continued)

Why QRO defining works
  • m ↔ unique transcript (com_m, ch_m, res_m)
  • H(com_m, m) := ch_m holds globally
  • No patching (history free)
  • Does not work for probabilistic FS
SLIDE 20

Deterministic Fiat-Shamir in QROM

LOSSY ⇒ UF-NMA ⇒ UF-CMA
(UF-NMA ⇒ UF-CMA: we just proved this)

All implications tight!

SLIDE 21

Part III: Instantiations from lattices

SLIDE 22

Generic Identification from (Module-)LWE [Lyu09]

pk = (A, t = A·s1 + s2), sk = (s1, s2)

Prover (sk) → Verifier (pk): w := A·y1 + y2
Verifier (pk) → Prover (sk): c
Prover (sk) → Verifier (pk): z1 := y1 + c·s1, z2 := y2 + c·s2
Verifier accepts ⇔ w = A·z1 + z2 − c·t and z1, z2 short

LOSSY variant: pk = (A, t uniform) ≈c real pk; Pr[accept] = small
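A toy instance of the identification scheme above, turned into a deterministic Fiat-Shamir signature as on slides 7 and 8 (added illustration, not code from the paper or from Dilithium): A, s1, s2 and the masking vectors y1, y2 are derived from a seed with SHAKE-256, the challenge is c = H(m, w), the response is rejected and re-derived with a counter until z1, z2 are short, and the signature is (com, res) = (w, (z1, z2)). The parameters, the integer challenge and the shortness bound GAMMA - BETA are constructed assumptions; the toy is not secure.

```python
import hashlib

# Toy parameters (constructed for illustration only; far too small to be secure).
Q, K, L = 8380417, 4, 4              # modulus, rows and columns of A
ETA, GAMMA, CMAX = 2, 2**22, 2**16   # |s| <= ETA, |y| <= GAMMA, challenge c in [0, CMAX)
BETA = CMAX * ETA                    # max |c*s| per coordinate; accept iff |z| <= GAMMA - BETA

def prf(*parts, n, lo, hi):
    """Deterministic list of n integers in [lo, hi) from SHAKE-256 over the tagged parts."""
    out = hashlib.shake_256(b"|".join(str(p).encode() for p in parts)).digest(4 * n)
    return [lo + int.from_bytes(out[4 * i:4 * i + 4], "big") % (hi - lo) for i in range(n)]

def matvec(A, v):
    return [sum(a * x for a, x in zip(row, v)) % Q for row in A]

def keygen(seed):
    A = [prf("A", seed, i, n=L, lo=0, hi=Q) for i in range(K)]
    s1 = prf("s1", seed, n=L, lo=-ETA, hi=ETA + 1)
    s2 = prf("s2", seed, n=K, lo=-ETA, hi=ETA + 1)
    t = [(a + b) % Q for a, b in zip(matvec(A, s1), s2)]      # t = A s1 + s2
    return (A, t), (A, t, s1, s2, seed)

def challenge(msg, w):
    """Fiat-Shamir challenge ch = H(m, com); here a small integer c in [0, CMAX)."""
    return prf("c", msg, w, n=1, lo=0, hi=CMAX)[0]

def is_short(zs):
    return all(abs(z) <= GAMMA - BETA for z in zs)

def sign(sk, msg):
    A, t, s1, s2, seed = sk
    for ctr in range(1000):     # deterministic FS: y depends only on (sk, m, ctr), no fresh randomness
        y1 = prf("y1", seed, msg, ctr, n=L, lo=-GAMMA, hi=GAMMA + 1)
        y2 = prf("y2", seed, msg, ctr, n=K, lo=-GAMMA, hi=GAMMA + 1)
        w = [(a + b) % Q for a, b in zip(matvec(A, y1), y2)]  # com_m = A y1 + y2
        c = challenge(msg, w)                                  # ch_m = H(m, com_m)
        z1 = [y + c * s for y, s in zip(y1, s1)]               # res_m = (y1 + c s1, y2 + c s2)
        z2 = [y + c * s for y, s in zip(y2, s2)]
        if is_short(z1 + z2):   # rejection sampling: otherwise z would leak s1, s2
            return (w, z1, z2)  # sigma_m = (com_m, res_m)
    raise RuntimeError("rejection sampling did not terminate")

def verify(pk, msg, sig):
    A, t = pk
    w, z1, z2 = sig
    c = challenge(msg, w)       # recompute ch = H(m, com) from the signature
    w2 = [(a + b - c * ti) % Q for a, b, ti in zip(matvec(A, z1), z2, t)]  # A z1 + z2 - c t
    return is_short(z1 + z2) and w2 == w
```

Signing the same message twice yields the identical (w, z1, z2), which is the property the QROM proof on slide 18 relies on; a modified response fails the verification equation.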

SLIDE 23

(Lossy-)Dilithium

Generic (M)LWE identification → Lossy Dilithium (large params)
Generic (M)LWE identification → Dilithium (→ NIST): pk+sig compression, small params

UF-CMA security in QROM    assumption                   |pk|     |σ|
Lossy-Dilithium            (Module-)LWE                 8 KB     6 KB
Dilithium                  UF-NMA = "Self-Target SIS"   1.5 KB   3 KB

SLIDE 24

(Lossy-)Dilithium (continued)

Self-Target SIS
  • Input: random A, t, hash H
  • Output: short s1, s2, c and m such that H(A·s1 + s2 − t·c, m) = c

SLIDE 25

Summary: Deterministic Fiat-Shamir in QROM

(M)LWE ⇒ LOSSY ⇒ UF-NMA ⇒ UF-CMA   (Lossy Dilithium)
Self-Target SIS ⇒ UF-NMA ⇒ UF-CMA  (Dilithium)

This work
  • Green arrows: tight implications
  • Concrete analysis helps setting parameters

SLIDE 26

Open Problem

  • Tightness of probabilistic Fiat-Shamir in QROM?

https://eprint.iacr.org/2017/916

Thank you!

UF-NMA ⇒ UF-CMA        Probabilistic Fiat-Shamir   Deterministic Fiat-Shamir
in QROM                 non-tight [U17]             tight [new]
in QROM with QRAM       tight [U17']                tight [U17']