[PPT] - Security of the Fiat-Shamir Transformation in the Quantum PowerPoint Presentation

SLIDE 1

Security of the Fiat-Shamir Transformation in the Quantum Random-Oracle Model

Jelle Don, Serge Fehr, Christian Majenz and Christian Schaffner QIP 2020 Hilton Shenzhen Shekou Nanhai Hotel, Shenzhen, China

SLIDE 2

Two facts of life

SLIDE 3

Two facts of life

1. Interaction is exhausting (=costly).

SLIDE 4

Two facts of life

1. Interaction is exhausting (=costly).
2. Testing/verification is more efficient interactively than

noninteractively

SLIDE 5

Two facts of life

1. Interaction is exhausting (=costly).
2. Testing/verification is more efficient interactively than

noninteractively Fiat-Shamir reconciles the two in certain cases.

SLIDE 6

Outline

1. Introduction
Interactive proof systems
The Fiat Shamir transformation
2. Results
Overview
Reduction
Techniques
3. Application: Digital Signatures

SLIDE 7

1. Introduction

SLIDE 8

Interactive proof system

SLIDE 9

Interactive proof system

Prover Verifier

SLIDE 10

Interactive proof system

Prover Verifier is true!

x

SLIDE 11

Interactive proof system

Prover Verifier is true!

x

Prove it!

SLIDE 12

Interactive proof system

Prover Verifier is true!

x

Prove it! bla

SLIDE 13

Interactive proof system

Prover Verifier is true!

x

Prove it! bla bla

SLIDE 14

Interactive proof system

Prover Verifier is true!

x

Prove it! bla bla bla

SLIDE 15

Interactive proof system

Prover Verifier is true!

x

Prove it! bla bla bla bla

SLIDE 16

Interactive proof system

Prover Verifier is true!

x

Prove it! bla bla bla bla …

SLIDE 17

Interactive proof system

Prover Verifier is true!

x

Prove it! bla bla Now I believe that is true…

x

bla bla …

SLIDE 18

Interactive proof system

SLIDE 19

Interactive proof system

Many cryptographic properties:

SLIDE 20

Interactive proof system

Many cryptographic properties:

Completeness

SLIDE 21

Interactive proof system

Many cryptographic properties:

Completeness
Soundness

SLIDE 22

Interactive proof system

Many cryptographic properties:

Completeness
Soundness
Zero-knowledge

SLIDE 23

Interactive proof system

Many cryptographic properties:

Completeness
Soundness
Zero-knowledge
Proof-of-knowledge

SLIDE 24

Interactive proof system

Many cryptographic properties:

Completeness
Soundness
Zero-knowledge
Proof-of-knowledge
…

SLIDE 25

Interactive proof system

Many cryptographic properties:

Completeness
Soundness
Zero-knowledge
Proof-of-knowledge
…

}

perfect/statistical/computational

SLIDE 26

Interactive proof system

Many cryptographic properties:

Completeness
Soundness
Zero-knowledge
Proof-of-knowledge
…

Can we do the same without interaction?

}

perfect/statistical/computational

SLIDE 27

Interactive proof system

Many cryptographic properties:

Completeness
Soundness
Zero-knowledge
Proof-of-knowledge
…

Can we do the same without interaction? Yes, at least in some cases, using the Fiat Shamir transformation

}

perfect/statistical/computational

SLIDE 28

Prover Verifier is true!

x

Prove it!

a c ∈R 𝒟

Now I believe that is true…

x r

protocol

Σ

SLIDE 29

Prover Verifier is true!

x

Prove it!

a c ∈R 𝒟

Now I believe that is true…

x r

protocol

Σ

“public coin”

SLIDE 30

Prover Verifier is true!

x

Prove it!

a c ∈R 𝒟

Now I believe that is true…

x r

Fiat Shamir transformation

SLIDE 31

Prover Verifier is true!

x

Prove it!

a c = H(a)

Now I believe that is true…

x r

Fiat Shamir transformation

SLIDE 32

Prover Verifier is true!

x

Prove it!

a c = H(a)

Now I believe that is true…

x r

Fiat Shamir transformation

Hash function, “looks random”

SLIDE 33

Fiat Shamir transformation

Intractability of hash function replaces interaction

SLIDE 34

Fiat Shamir transformation

Intractability of hash function replaces interaction
Yields non-interactive proof system

SLIDE 35

Fiat Shamir transformation

Intractability of hash function replaces interaction
Yields non-interactive proof system
Used for digital signature schemes

SLIDE 36

Fiat Shamir transformation

Intractability of hash function replaces interaction
Yields non-interactive proof system
Used for digital signature schemes
Preserves properties in the Random Oracle Model (ROM)

(Pointcheval & Stern ‘00)

SLIDE 37

Fiat Shamir transformation

Intractability of hash function replaces interaction
Yields non-interactive proof system
Used for digital signature schemes
Preserves properties in the Random Oracle Model (ROM)

(Pointcheval & Stern ‘00)

Pretend that hash function is random and everybody has oracle access

SLIDE 38

Fiat Shamir transformation

Intractability of hash function replaces interaction
Yields non-interactive proof system
Used for digital signature schemes
Preserves properties in the Random Oracle Model (ROM)

(Pointcheval & Stern ‘00)

? What about the quantum ROM (QROM)?

SLIDE 39

Fiat Shamir transformation

Intractability of hash function replaces interaction
Yields non-interactive proof system
Used for digital signature schemes
Preserves properties in the Random Oracle Model (ROM)

(Pointcheval & Stern ‘00)

? What about the quantum ROM (QROM)?

Unruh ’17: The Fiat Shamir transformation preserves some security properties in the QROM if the underlying -protocol is statistically sound.

Σ

SLIDE 40

Fiat Shamir transformation

Intractability of hash function replaces interaction
Yields non-interactive proof system
Used for digital signature schemes
Preserves properties in the Random Oracle Model (ROM)

(Pointcheval & Stern ‘00)

? What about the quantum ROM (QROM)?

Unruh ’17: The Fiat Shamir transformation preserves some security properties in the QROM if the underlying -protocol is statistically sound.

Σ

Many cases important for post-quantum crypto still open.

SLIDE 41

2. Results

SLIDE 42

Our results

1. A general reduction for the Fiat Shamir transform in the

QROM.

SLIDE 43

Our results

1. A general reduction for the Fiat Shamir transform in the

QROM.

Theorem (Don, Fehr, M, Schaffner):

The Fiat Shamir transformation of a -protocol inherits all its security properties in the QROM.

Σ

SLIDE 44

Our results

1. A general reduction for the Fiat Shamir transform in the

QROM.

Theorem (Don, Fehr, M, Schaffner):

The Fiat Shamir transformation of a -protocol inherits all its security properties in the QROM.

Σ

Concurrent work: Liu and Zhandry, less tight reduction.

SLIDE 45

Our results

1. A general reduction for the Fiat Shamir transform in the

QROM.

2. A novel criterion for the computational proof-of-knowledge

property for sigma protocols (related to collapsingness)

Theorem (Don, Fehr, M, Schaffner):

The Fiat Shamir transformation of a -protocol inherits all its security properties in the QROM.

Σ

Concurrent work: Liu and Zhandry, less tight reduction.

SLIDE 46

Our results

1. A general reduction for the Fiat Shamir transform in the

QROM.

2. A novel criterion for the computational proof-of-knowledge

property for sigma protocols (related to collapsingness)

Theorem (Don, Fehr, M, Schaffner):

The Fiat Shamir transformation of a -protocol inherits all its security properties in the QROM.

Σ

Concurrent work: Liu and Zhandry, less tight reduction.

SLIDE 47

𝒝

The reduction

SLIDE 48

𝒝

x

The reduction

SLIDE 49

𝒝 H

x

The reduction

Random oracle

SLIDE 50

𝒝 H

x

The reduction

p = (a, c = H(a), r)

SLIDE 51

𝒝 𝒯

Verifier

x

The reduction

SLIDE 52

𝒝 𝒯

Verifier

x

The reduction

a c ∈R {0,1}ℓc r

SLIDE 53

𝒝 𝒯

Verifier

x

The reduction

SLIDE 54

𝒝 𝒯

Verifier

x

The reduction

SLIDE 55

𝒝 𝒯

Verifier

x

The reduction

H

SLIDE 56

𝒝 𝒯

Verifier

x

The reduction

Measure random query

H

SLIDE 57

𝒝 𝒯

a Verifier

x

The reduction

Measure random query

H

use result as

SLIDE 58

𝒝 𝒯

a Verifier

x

The reduction

H

SLIDE 59

𝒝 𝒯

a c ∈R {0,1}ℓc Verifier

x

The reduction

H

SLIDE 60

𝒝 𝒯

a c ∈R {0,1}ℓc Verifier

x

The reduction

use challenge to reprogram

H*

SLIDE 61

𝒝 𝒯

a c ∈R {0,1}ℓc Verifier

x

The reduction

H*

SLIDE 62

𝒝 𝒯

a c ∈R {0,1}ℓc r Verifier

x

The reduction

H*

use part of output as response

SLIDE 63

𝒝 𝒯

a c ∈R {0,1}ℓc r Verifier

x

The reduction

H*

SLIDE 64

𝒝 𝒯

a c ∈R {0,1}ℓc r Verifier

x

Success probability: ε(𝒯[𝒝]) ≥ ε(𝒝)

O(q2)

The reduction

H*

SLIDE 65

𝒝 𝒯

a c ∈R {0,1}ℓc r Verifier

x

Success probability: ε(𝒯[𝒝]) ≥ ε(𝒝)

O(q2)

The reduction

H*

Why on earth does it work?

SLIDE 66

𝒝 𝒯

a c ∈R {0,1}ℓc r Verifier

x

Success probability: ε(𝒯[𝒝]) ≥ ε(𝒝)

O(q2)

The reduction

H*

Why on earth does it work? Intuition: prover needs to measure anyway.

SLIDE 67

Technique

Simplified picture: one query.

SLIDE 68

Technique

Simplified picture: one query. (without final measurement)

𝒝H|ϕ⟩ = U2OHU1|ϕ⟩

SLIDE 69

Technique

Simplified picture: one query. (without final measurement)

𝒝H|ϕ⟩ = U2OHU1|ϕ⟩

for , independently uniformly random

H*(x) = H(x) x ≠ x0 H*(x0)

SLIDE 70

Technique

Simplified picture: one query. (without final measurement)

𝒝H|ϕ⟩ = U2OHU1|ϕ⟩

for , independently uniformly random

H*(x) = H(x) x ≠ x0 H*(x0)

“ unless queries on ”, i.e.

⇒ 𝒝H = 𝒝H* 𝒝 x0

SLIDE 71

Technique

Simplified picture: one query. (without final measurement)

𝒝H|ϕ⟩ = U2OHU1|ϕ⟩

for , independently uniformly random

H*(x) = H(x) x ≠ x0 H*(x0)

“ unless queries on ”, i.e.

⇒ 𝒝H = 𝒝H* 𝒝 x0

(*) (à la BBBV)

𝒝H*|ϕ⟩ = 𝒝H|ϕ⟩ + U2OH*|x0⟩⟨x0|U1|ϕ⟩ − U2OH|x0⟩⟨x0|U1|ϕ⟩

SLIDE 72

Technique

Simplified picture: one query. (without final measurement)

𝒝H|ϕ⟩ = U2OHU1|ϕ⟩

for , independently uniformly random

H*(x) = H(x) x ≠ x0 H*(x0)

“ unless queries on ”, i.e.

⇒ 𝒝H = 𝒝H* 𝒝 x0

(*) (à la BBBV)

𝒝H*|ϕ⟩ = 𝒝H|ϕ⟩ + U2OH*|x0⟩⟨x0|U1|ϕ⟩ − U2OH|x0⟩⟨x0|U1|ϕ⟩

Successful

utputs

for some

𝒝H* |x⟩|H*(x)⟩ x

SLIDE 73

Technique

Simplified picture: one query. (without final measurement)

𝒝H|ϕ⟩ = U2OHU1|ϕ⟩

for , independently uniformly random

H*(x) = H(x) x ≠ x0 H*(x0)

“ unless queries on ”, i.e.

⇒ 𝒝H = 𝒝H* 𝒝 x0

(*) (à la BBBV)

𝒝H*|ϕ⟩ = 𝒝H|ϕ⟩ + U2OH*|x0⟩⟨x0|U1|ϕ⟩ − U2OH|x0⟩⟨x0|U1|ϕ⟩

Successful

utputs

for some

𝒝H* |x⟩|H*(x)⟩ x

Plan: 1. Use (*) to test whether

utputs

𝒝H* |x0⟩|H*(x0)⟩

SLIDE 74

Technique

Simplified picture: one query. (without final measurement)

𝒝H|ϕ⟩ = U2OHU1|ϕ⟩

for , independently uniformly random

H*(x) = H(x) x ≠ x0 H*(x0)

“ unless queries on ”, i.e.

⇒ 𝒝H = 𝒝H* 𝒝 x0

(*) (à la BBBV)

𝒝H*|ϕ⟩ = 𝒝H|ϕ⟩ + U2OH*|x0⟩⟨x0|U1|ϕ⟩ − U2OH|x0⟩⟨x0|U1|ϕ⟩

Successful

utputs

for some

𝒝H* |x⟩|H*(x)⟩ x

Plan: 1. Use (*) to test whether

utputs

𝒝H* |x0⟩|H*(x0)⟩

2. Interpret RHS as algorithm

SLIDE 75

Technique

(*)

𝒝H*|ϕ⟩ = 𝒝H|ϕ⟩ + U2OH*|x0⟩⟨x0|U1|ϕ⟩ − U2OH|x0⟩⟨x0|U1|ϕ⟩

Plan: 1. Use (*) to test whether

utputs

𝒝H* |x0⟩|H*(x0)⟩

2. Interpret RHS as algorithm

SLIDE 76

Technique

(*)

𝒝H*|ϕ⟩ = 𝒝H|ϕ⟩ + U2OH*|x0⟩⟨x0|U1|ϕ⟩ − U2OH|x0⟩⟨x0|U1|ϕ⟩

Plan: 1. Use (*) to test whether

utputs

𝒝H* |x0⟩|H*(x0)⟩

2. Interpret RHS as algorithm

⟨x0|⟨H*(x0)|𝒝H*|ϕ⟩ = ⟨x0|⟨H*(x0)|𝒝H|ϕ⟩

+⟨x0|⟨H*(x0)|U2OH*|x0⟩⟨x0|U1|ϕ⟩ − ⟨x0|⟨H*(x0)|U2OH|x0⟩⟨x0|U1|ϕ⟩

SLIDE 77

(*)

𝒝H|ϕ⟩ = 𝒝H*|ϕ⟩ + U2OH|x0⟩⟨x0|U1|ϕ⟩ − U2OH*|x0⟩⟨x0|U1|ϕ⟩

Plan: 1. Use (*) to test whether

utputs

𝒝H |x0⟩|H(x0)⟩

2. Interpret RHS as algorithm

∥⟨x0|⟨H*(x0)|𝒝H*|ϕ⟩∥2 ≤ ∥⟨x0|⟨H*(x0)|𝒝H|ϕ⟩∥2

+∥⟨x0|⟨H*(x0)|U2OH*|x0⟩⟨x0|U1|ϕ⟩∥2 + ∥⟨x0|⟨H*(x0)|U2OH|x0⟩⟨x0|U1|ϕ⟩∥2

Technique

SLIDE 78

(*)

𝒝H|ϕ⟩ = 𝒝H*|ϕ⟩ + U2OH|x0⟩⟨x0|U1|ϕ⟩ − U2OH*|x0⟩⟨x0|U1|ϕ⟩

Plan: 1. Use (*) to test whether

utputs

𝒝H |x0⟩|H(x0)⟩

2. Interpret RHS as algorithm

∥⟨x0|⟨H*(x0)|𝒝H*|ϕ⟩∥2 ≤ ∥⟨x0|⟨H*(x0)|𝒝H|ϕ⟩∥2

+∥⟨x0|⟨H*(x0)|U2OH*|x0⟩⟨x0|U1|ϕ⟩∥2 + ∥⟨x0|⟨H*(x0)|U2OH|x0⟩⟨x0|U1|ϕ⟩∥2

Technique

Small even after summing over x0

SLIDE 79

Measure query, outcome , reprogram before answering

x0

(*)

𝒝H|ϕ⟩ = 𝒝H*|ϕ⟩ + U2OH|x0⟩⟨x0|U1|ϕ⟩ − U2OH*|x0⟩⟨x0|U1|ϕ⟩

Plan: 1. Use (*) to test whether

utputs

𝒝H |x0⟩|H(x0)⟩

2. Interpret RHS as algorithm

∥⟨x0|⟨H*(x0)|𝒝H*|ϕ⟩∥2 ≤ ∥⟨x0|⟨H*(x0)|𝒝H|ϕ⟩∥2

+∥⟨x0|⟨H*(x0)|U2OH*|x0⟩⟨x0|U1|ϕ⟩∥2 + ∥⟨x0|⟨H*(x0)|U2OH|x0⟩⟨x0|U1|ϕ⟩∥2

Technique

SLIDE 80

(*)

𝒝H|ϕ⟩ = 𝒝H*|ϕ⟩ + U2OH|x0⟩⟨x0|U1|ϕ⟩ − U2OH*|x0⟩⟨x0|U1|ϕ⟩

Plan: 1. Use (*) to test whether

utputs

𝒝H |x0⟩|H(x0)⟩

2. Interpret RHS as algorithm

∥⟨x0|⟨H*(x0)|𝒝H*|ϕ⟩∥2 ≤ ∥⟨x0|⟨H*(x0)|𝒝H|ϕ⟩∥2

+∥⟨x0|⟨H*(x0)|U2OH*|x0⟩⟨x0|U1|ϕ⟩∥2 + ∥⟨x0|⟨H*(x0)|U2OH|x0⟩⟨x0|U1|ϕ⟩∥2

Technique

Measure query, outcome , reprogram after answering

x0

SLIDE 81

(*)

𝒝H|ϕ⟩ = 𝒝H*|ϕ⟩ + U2OH|x0⟩⟨x0|U1|ϕ⟩ − U2OH*|x0⟩⟨x0|U1|ϕ⟩

Plan: 1. Use (*) to test whether

utputs

𝒝H |x0⟩|H(x0)⟩

2. Interpret RHS as algorithm

∥⟨x0|⟨H*(x0)|𝒝H*|ϕ⟩∥2 ≤ ∥⟨x0|⟨H*(x0)|𝒝H|ϕ⟩∥2

+∥⟨x0|⟨H*(x0)|U2OH*|x0⟩⟨x0|U1|ϕ⟩∥2 + ∥⟨x0|⟨H*(x0)|U2OH|x0⟩⟨x0|U1|ϕ⟩∥2

Technique

SLIDE 82

(*)

𝒝H|ϕ⟩ = 𝒝H*|ϕ⟩ + U2OH|x0⟩⟨x0|U1|ϕ⟩ − U2OH*|x0⟩⟨x0|U1|ϕ⟩

Plan: 1. Use (*) to test whether

utputs

𝒝H |x0⟩|H(x0)⟩

2. Interpret RHS as algorithm

∥⟨x0|⟨H*(x0)|𝒝H*|ϕ⟩∥2 ≤ ∥⟨x0|⟨H*(x0)|𝒝H|ϕ⟩∥2

+∥⟨x0|⟨H*(x0)|U2OH*|x0⟩⟨x0|U1|ϕ⟩∥2 + ∥⟨x0|⟨H*(x0)|U2OH|x0⟩⟨x0|U1|ϕ⟩∥2 Square, Jensen’s inequality RHS: success probability of reduction, reprogramming before/after the measured query at random

⇒

Technique

SLIDE 83

(*)

𝒝H|ϕ⟩ = 𝒝H*|ϕ⟩ + U2OH|x0⟩⟨x0|U1|ϕ⟩ − U2OH*|x0⟩⟨x0|U1|ϕ⟩

Plan: 1. Use (*) to test whether

utputs

𝒝H |x0⟩|H(x0)⟩

2. Interpret RHS as algorithm

∥⟨x0|⟨H*(x0)|𝒝H*|ϕ⟩∥2 ≤ ∥⟨x0|⟨H*(x0)|𝒝H|ϕ⟩∥2

+∥⟨x0|⟨H*(x0)|U2OH*|x0⟩⟨x0|U1|ϕ⟩∥2 + ∥⟨x0|⟨H*(x0)|U2OH|x0⟩⟨x0|U1|ϕ⟩∥2 Square, Jensen’s inequality RHS: success probability of reduction, reprogramming before/after the measured query at random

⇒

queries: use (*) for each query. loss from Jensen, interpretation as expectation value

q O(q2)

Technique

SLIDE 84

3. Application: Digital

Signatures

SLIDE 85

Prover Verifier for !

∃sk pk

Prove it!

Identification scheme Identification scheme

sk

Now I believe for …

∃sk pk a c ∈R 𝒟 r pk

SLIDE 86

Prover Verifier for !

∃sk pk

Prove it!

Identification scheme

sk

Now I believe that Prover has for …

sk pk a c ∈R 𝒟 r pk

SLIDE 87

Prover Verifier for !

∃sk pk

Prove it!

Identification scheme

sk

Now I believe that Prover has for …

sk pk

Still private!

a c ∈R 𝒟 r pk

SLIDE 88

Prover Verifier for !

∃sk pk

Prove it!

Identification scheme

sk

Now I believe that Prover has for …

sk pk

Still private!

a c ∈R 𝒟 r

An Identification scheme is a zero-knowledge proof of knowledge of a private key.

pk

SLIDE 89

pk

Prover Verifier for !

∃sk pk

Prove it!

Noninteractive Identification scheme

sk

Now I believe that Prover has for …

sk pk a c = H(a) r

SLIDE 90

pk

Prover Verifier for !

∃sk pk

Prove it!

Digital signature scheme

sk

Now I believe that Prover has used to sign

sk m a c = H(a∥m) r

SLIDE 91

Fiat Shamir signatures

Several NIST post-quantum candidates use Fiat Shamir:

SLIDE 92

Fiat Shamir signatures

Several NIST post-quantum candidates use Fiat Shamir:

Picnic
Dilithium
MQDSS
QTesla

SLIDE 93

Fiat Shamir signatures

Several NIST post-quantum candidates use Fiat Shamir:

Picnic
Dilithium
MQDSS
QTesla

Our result QROM security

⇒

SLIDE 94

Fiat Shamir signatures

Several NIST post-quantum candidates use Fiat Shamir:

Picnic
Dilithium
MQDSS
QTesla

Improved efficiency! Our result QROM security

⇒

SLIDE 95

Fiat Shamir signatures

Several NIST post-quantum candidates use Fiat Shamir:

Picnic
Dilithium
MQDSS
QTesla

⇒

Improved efficiency! Our result QROM security

⇒

SLIDE 96

Further applications

Remove almost all interaction from Mahadev’s verification for BQP (Alagic, Childs, Hung ’19)

SLIDE 97

Summary

The Fiat Shamir transformation is secure in the quantum random

racle model.

This fact has nice applications, in particular for post-quantum secure digital signature schemes. Open problem: quantum forking lemma?

∃

SLIDE 98

Thanks!