Revisiting TESLA in the quantum random oracle model


SLIDE 1

Revisiting TESLA in the quantum random oracle model

SLIDE 2

Selected history of Fiat-Shamir-style signatures from LWE or SIS

Timeline, 2012 to 2016:
Lyubashevsky: Sigs via Fiat-Shamir
Bai-Galbraith: Short sigs
BLISS: Optimized
DBGGOPSS: Improvements, fast implementation
TESLA: Tight security reduction, fast implementation
ring-TESLA: Now with rings, fast implementation
TESLA#: Improvements, fast implementation

SLIDE 3

Selected history of Fiat-Shamir-style signatures from LWE or SIS

Timeline, 2012 to 2016:
Lyubashevsky: Sigs via Fiat-Shamir
Bai-Galbraith: Short sigs
BLISS: Optimized
DBGGOPSS: Improvements, fast implementation
TESLA: Tight security reduction, fast implementation
ring-TESLA: Now with rings, fast implementation
TESLA#: Improvements, fast implementation
This talk

SLIDE 4

Preamble

SLIDE 5

Given a forger...

Forger Sign

SLIDE 6

...construct a P-solver

Forger

SLIDE 7

Parameter choice should account for the security reduction

SLIDE 8

Tightness

SLIDE 9

The quantum random oracle model (QROM)

Hash

SLIDE 10

When does ROM imply QROM?

Boneh, Dagdelen, Fischlin, Lehmann, Schaffner, Zhandry

SLIDE 11

Prior work on TESLA

Lyubashevsky: Sigs via Fiat-Shamir
Bai-Galbraith: Short sigs
BLISS: Optimized
DBGGOPSS: Improvements, fast implementation
TESLA: Tight security reduction, fast implementation
ring-TESLA: Now with rings, fast implementation
TESLA#: Improvements, fast implementation

Reduction from LWE, SIS. Proof uses Forking Lemma. Non-tight, re-programming. ROM but not QROM.

Reduction from LWE only. Tight reduction in ROM. QROM via chameleon hash functions.

SLIDE 12

Our contributions (theoretical)

SLIDE 13

Our contributions (practical)

SLIDE 14

Summary of related work

Abdalla, Fouque, Lyubashevsky, Tibouchi
Katz, Wang
Gentry, Peikert, Vaikuntanathan
Boyen, Li

SLIDE 15

“Lattice-based” crypto

SLIDE 16

“Lattice-based” crypto

SLIDE 17

Learning with Errors (LWE) (matrix version)

SLIDE 18

TESLA key generation

Pk: LWE yes-instance
Sk: witness

SLIDE 19

TESLA sign

Zero-knowledge proof (S,E) + Fiat-Shamir

SLIDE 20

TESLA sign: terminology

SLIDE 21

TESLA verify

SLIDE 22

Security theorem for TESLA

SLIDE 23

Security theorem for TESLA

Tightness: Scaling factor 1.

SLIDE 24

Proof overview

Forger Sign Hash

SLIDE 25

Simulator

Sign Hash Simulator

classical quantum classical quantum

SLIDE 26

Forger forges, even with a simulator

Forger Simulator

SLIDE 27

Forger + Simulator = LWE solver

Forger Simulator

SLIDE 28

Forger + Simulator = LWE solver

SLIDE 29

Yes-instances: Signature simulator

SLIDE 30

Yes-instances: Signature simulator

Re-program a quantum oracle!

SLIDE 31

Re-programming in TESLA

SLIDE 32

No-instances: Good hash inputs

SLIDE 33

Search through unstructured space

SLIDE 34

Good hash inputs are rare

SLIDE 35

Parameter sets

SLIDE 36

Parameter sets

SLIDE 37

Software

SLIDE 38
SLIDE 39

Global A matrix?

SLIDE 40

Proof approach

Abdalla, Fouque, Lyubashevsky, Tibouchi

SLIDE 41

Other tightly-secure LWE or SIS signatures (move to the end?)

SLIDE 42

Comparison: LWE/SIS schemes

SLIDE 43

Comparison: hash-based schemes