security of the fiat shamir transformation in the quantum
play

Security of the Fiat-Shamir Transformation in the Quantum - PowerPoint PPT Presentation

Sep 24, 2023 •391 likes •1.38k views

Security of the Fiat-Shamir Transformation in the Quantum Random-Oracle Model Jelle Don, Serge Fehr, Christian Majenz and Christian Schaffner QIP 2020 Hilton Shenzhen Shekou Nanhai Hotel, Shenzhen, China Two facts of life Two facts of life

  1. Security of the Fiat-Shamir Transformation in the Quantum Random-Oracle Model Jelle Don, Serge Fehr, Christian Majenz and Christian Schaffner QIP 2020 Hilton Shenzhen Shekou Nanhai Hotel, Shenzhen, China

  2. Two facts of life

  3. Two facts of life 1. Interaction is exhausting (=costly).

  4. Two facts of life 1. Interaction is exhausting (=costly). 2. Testing/verification is more efficient interactively than noninteractively

  5. Two facts of life 1. Interaction is exhausting (=costly). 2. Testing/verification is more efficient interactively than noninteractively Fiat-Shamir reconciles the two in certain cases.

  6. Outline 1. Introduction ‣ Interactive proof systems ‣ The Fiat Shamir transformation 2. Results ‣ Overview ‣ Reduction ‣ Techniques 3. Application: Digital Signatures

  7. 1. Introduction

  8. Interactive proof system

  9. Interactive proof system Prover Verifier

  10. Interactive proof system is true! x Prover Verifier

  11. Interactive proof system Prove it! is true! x Prover Verifier

  12. Interactive proof system Prove it! is true! x bla Prover Verifier

  13. Interactive proof system Prove it! is true! x bla bla Prover Verifier

  14. Interactive proof system Prove it! is true! x bla bla bla Prover Verifier

  15. Interactive proof system Prove it! is true! x bla bla bla bla Prover Verifier

  16. Interactive proof system Prove it! is true! x bla bla bla bla … Prover Verifier

  17. Interactive proof system Prove it! is true! x bla bla bla bla … Prover Verifier Now I believe that is true… x

  18. Interactive proof system

  19. Interactive proof system Many cryptographic properties:

  20. Interactive proof system Many cryptographic properties: ‣ Completeness

  21. Interactive proof system Many cryptographic properties: ‣ Completeness ‣ Soundness

  22. Interactive proof system Many cryptographic properties: ‣ Completeness ‣ Soundness ‣ Zero-knowledge

  23. Interactive proof system Many cryptographic properties: ‣ Completeness ‣ Soundness ‣ Zero-knowledge ‣ Proof-of-knowledge

  24. Interactive proof system Many cryptographic properties: ‣ Completeness ‣ Soundness ‣ Zero-knowledge ‣ Proof-of-knowledge ‣ …

  25. Interactive proof system Many cryptographic properties: ‣ Completeness ‣ Soundness } ‣ Zero-knowledge perfect/statistical/computational ‣ Proof-of-knowledge ‣ …

  26. Interactive proof system Many cryptographic properties: ‣ Completeness ‣ Soundness } ‣ Zero-knowledge perfect/statistical/computational ‣ Proof-of-knowledge ‣ … Can we do the same without interaction?

  27. Interactive proof system Many cryptographic properties: ‣ Completeness ‣ Soundness } ‣ Zero-knowledge perfect/statistical/computational ‣ Proof-of-knowledge ‣ … Can we do the same without interaction? Yes, at least in some cases, using the Fiat Shamir transformation

  28. -protocol Σ Prove it! is true! x a c ∈ R 𝒟 r Prover Verifier Now I believe that is true… x

  29. -protocol Σ “public coin” Prove it! is true! x a c ∈ R 𝒟 r Prover Verifier Now I believe that is true… x

  30. Fiat Shamir transformation Prove it! is true! x a c ∈ R 𝒟 r Prover Verifier Now I believe that is true… x

  31. Fiat Shamir transformation Prove it! is true! x a c = H ( a ) r Prover Verifier Now I believe that is true… x

  32. Fiat Shamir transformation Prove it! is true! x a c = H ( a ) r Hash function, “looks random” Prover Verifier Now I believe that is true… x

  33. Fiat Shamir transformation ‣ Intractability of hash function replaces interaction

  34. Fiat Shamir transformation ‣ Intractability of hash function replaces interaction ‣ Yields non-interactive proof system

  35. Fiat Shamir transformation ‣ Intractability of hash function replaces interaction ‣ Yields non-interactive proof system ‣ Used for digital signature schemes

  36. Fiat Shamir transformation ‣ Intractability of hash function replaces interaction ‣ Yields non-interactive proof system ‣ Used for digital signature schemes ‣ Preserves properties in the Random Oracle Model (ROM) (Pointcheval & Stern ‘00)

  37. Fiat Shamir transformation ‣ Intractability of hash function replaces interaction ‣ Yields non-interactive proof system ‣ Used for digital signature schemes ‣ Preserves properties in the Random Oracle Model (ROM) (Pointcheval & Stern ‘00) Pretend that hash function is random and everybody has oracle access

  38. Fiat Shamir transformation ‣ Intractability of hash function replaces interaction ‣ Yields non-interactive proof system ‣ Used for digital signature schemes ‣ Preserves properties in the Random Oracle Model (ROM) (Pointcheval & Stern ‘00) ? What about the quantum ROM (QROM)?

  39. Fiat Shamir transformation ‣ Intractability of hash function replaces interaction ‣ Yields non-interactive proof system ‣ Used for digital signature schemes ‣ Preserves properties in the Random Oracle Model (ROM) (Pointcheval & Stern ‘00) ? What about the quantum ROM (QROM)? Unruh ’17: The Fiat Shamir transformation preserves some security properties in the QROM if the underlying -protocol is Σ statistically sound.

  40. Fiat Shamir transformation ‣ Intractability of hash function replaces interaction ‣ Yields non-interactive proof system ‣ Used for digital signature schemes ‣ Preserves properties in the Random Oracle Model (ROM) (Pointcheval & Stern ‘00) ? What about the quantum ROM (QROM)? Unruh ’17: The Fiat Shamir transformation preserves some security properties in the QROM if the underlying -protocol is Σ statistically sound. Many cases important for post-quantum crypto still open.

  41. 2. Results

  42. Our results 1. A general reduction for the Fiat Shamir transform in the QROM.

  43. Our results 1. A general reduction for the Fiat Shamir transform in the QROM. Theorem (Don, Fehr, M, Schaffner): The Fiat Shamir transformation of a -protocol inherits Σ all its security properties in the QROM.

  44. Our results 1. A general reduction for the Fiat Shamir transform in the QROM. Theorem (Don, Fehr, M, Schaffner): The Fiat Shamir transformation of a -protocol inherits Σ all its security properties in the QROM. Concurrent work: Liu and Zhandry, less tight reduction.

  45. Our results 1. A general reduction for the Fiat Shamir transform in the QROM. Theorem (Don, Fehr, M, Schaffner): The Fiat Shamir transformation of a -protocol inherits Σ all its security properties in the QROM. Concurrent work: Liu and Zhandry, less tight reduction. 2. A novel criterion for the computational proof-of-knowledge property for sigma protocols (related to collapsingness)

  46. Our results 1. A general reduction for the Fiat Shamir transform in the QROM. Theorem (Don, Fehr, M, Schaffner): The Fiat Shamir transformation of a -protocol inherits Σ all its security properties in the QROM. Concurrent work: Liu and Zhandry, less tight reduction. 2. A novel criterion for the computational proof-of-knowledge property for sigma protocols (related to collapsingness)

  47. The reduction 𝒝

  48. The reduction x 𝒝

  49. The reduction Random oracle H x 𝒝

  50. The reduction H x 𝒝 p = ( a , c = H ( a ), r )

  51. The reduction Verifier x 𝒯 𝒝

  52. The reduction Verifier x a 𝒯 c ∈ R {0,1} ℓ c 𝒝 r

  53. The reduction Verifier x 𝒯 𝒝

  54. The reduction Verifier x 𝒯 𝒝

  55. The reduction H Verifier x 𝒯 𝒝

  56. The reduction Measure random query H Verifier x 𝒯 𝒝

  57. The reduction Measure random query use result as H Verifier x a 𝒯 𝒝

  58. The reduction H Verifier x a 𝒯 𝒝

  59. The reduction H Verifier x a 𝒯 c ∈ R {0,1} ℓ c 𝒝

  60. The reduction use challenge to reprogram H * Verifier x a 𝒯 c ∈ R {0,1} ℓ c 𝒝

  61. The reduction H * Verifier x a 𝒯 c ∈ R {0,1} ℓ c 𝒝

  62. The reduction H * Verifier x a 𝒯 c ∈ R {0,1} ℓ c 𝒝 r use part of output as response

  63. The reduction H * Verifier x a 𝒯 c ∈ R {0,1} ℓ c 𝒝 r

  64. The reduction H * Verifier x a 𝒯 c ∈ R {0,1} ℓ c 𝒝 r Success probability: ε ( 𝒯 [ 𝒝 ]) ≥ ε ( 𝒝 ) O ( q 2 )

  65. The reduction Why on earth does it work? H * Verifier x a 𝒯 c ∈ R {0,1} ℓ c 𝒝 r Success probability: ε ( 𝒯 [ 𝒝 ]) ≥ ε ( 𝒝 ) O ( q 2 )

  66. The reduction Why on earth does it work? Intuition: prover needs to H * Verifier measure anyway. x a 𝒯 c ∈ R {0,1} ℓ c 𝒝 r Success probability: ε ( 𝒯 [ 𝒝 ]) ≥ ε ( 𝒝 ) O ( q 2 )

  67. Technique Simplified picture: one query.

  68. Technique Simplified picture: one query. (without final measurement) 𝒝 H | ϕ ⟩ = U 2 O H U 1 | ϕ ⟩

  69. Technique Simplified picture: one query. (without final measurement) 𝒝 H | ϕ ⟩ = U 2 O H U 1 | ϕ ⟩ for , independently uniformly random x ≠ x 0 H *( x 0 ) H *( x ) = H ( x )

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Security of the Fiat-Shamir Transformation in the Quantum Random Oracle Model Serge Fehr Chris

Security of the Fiat-Shamir Transformation in the Quantum Random Oracle Model Serge Fehr Chris

Security of the Fiat-Shamir Transformation in the Quantum Random Oracle Model Serge Fehr Chris Majenz Chris Schaffner Jelle Don CWI and UvA UvA CWI Leiden University Our Result in Short Let S be a S -protocol, FS[ S ] its Fiat-Shamir

422 views • 40 slides
A Concrete Treatment of Fiat-Shamir Signatures in the Quantum Random-Oracle Model EUROCRYPT 2018

A Concrete Treatment of Fiat-Shamir Signatures in the Quantum Random-Oracle Model EUROCRYPT 2018

A Concrete Treatment of Fiat-Shamir Signatures in the Quantum Random-Oracle Model EUROCRYPT 2018 Eike Kiltz , Vadim Lyubashevsky, Christian Schaffner Classical Signature Schemes Full Domain Hash Trapdoor function Signature Scheme Fiat-Shamir

268 views • 26 slides
Revisiting TESLA in the quantum random oracle model Selected history of Fiat-Shamir style

Revisiting TESLA in the quantum random oracle model Selected history of Fiat-Shamir style

Revisiting TESLA in the quantum random oracle model Selected history of Fiat-Shamir style signatures from LWE or SIS Lyubashevsky 2012 Sigs via Fiat-Shamir Bai-Galbraith BLISS 2013 Short sigs Optimized DBGGOPSS 2014 Improvements,

1.6k views • 43 slides
From Identification using Rejection Sampling to Signatures via the Fiat-Shamir Transform:

From Identification using Rejection Sampling to Signatures via the Fiat-Shamir Transform:

From Identification using Rejection Sampling to Signatures via the Fiat-Shamir Transform: Application to the BLISS Signature Pauline Bert and Adeline Roux-Langlois Journes C2 2018 Univ Rennes, CNRS, IRISA 1 Contribution Fiat-Shamir

326 views • 19 slides
The Measure-and-Reprogram Technique 2.0: Multi-Round Fiat-Shamir and More Jelle Don, CWI

The Measure-and-Reprogram Technique 2.0: Multi-Round Fiat-Shamir and More Jelle Don, CWI

The Measure-and-Reprogram Technique 2.0: Multi-Round Fiat-Shamir and More Jelle Don, CWI Amsterdam Joint work with Serge Fehr and Christian Majenz Introduction Proving Fiat-Shamir digital signatures and ZK proof systems secure against

712 views • 49 slides
Revisiting Post-Quantum Fiat-Shamir Qipeng Liu & Mark Zhandry

Revisiting Post-Quantum Fiat-Shamir Qipeng Liu & Mark Zhandry

Revisiting Post-Quantum Fiat-Shamir Qipeng Liu & Mark Zhandry (Princeton & NTT Research) Lattice Crypto Post-Quantum Crypto Typical Lattice Crypto Thm: are

623 views • 61 slides
Fiat-Shamir and correlation intractability from strong kdm secure encryption Ran Canetti, Yilei

Fiat-Shamir and correlation intractability from strong kdm secure encryption Ran Canetti, Yilei

Fiat-Shamir and correlation intractability from strong kdm secure encryption Ran Canetti, Yilei Chen, Leonid Reyzin, Ron Rothblum Eurocrypt 2018, Tel Aviv 1 2 How are you? 3 How are you? Great! How are you? 4 How are you? Great! How

681 views • 65 slides
The Fire and Invasive Annual Grass Assessment Tool (FIAT) Doug Havlina, BLM Fire Ecologist

The Fire and Invasive Annual Grass Assessment Tool (FIAT) Doug Havlina, BLM Fire Ecologist

The Fire and Invasive Annual Grass Assessment Tool (FIAT) Doug Havlina, BLM Fire Ecologist Topics to Cover Background and Development of FIAT FIAT Step 1: The regional context FIAT Step 2: Strategies within priority landscapes

577 views • 32 slides
Lecture 11 Authentication 1 Where are we now? We know a bit of the following:

Lecture 11 Authentication 1 Where are we now? We know a bit of the following:

Lecture 11 Authentication 1 Where are we now? We know a bit of the following: Conventional cryptography Hash functions and MACs Public key cryptography Encryption Signatures Identification (Fiat-Shamir) + Zero

213 views • 9 slides
Liquidity SMU Eco 3355 Liquidity and Why do people choose to hold fiat money despite its

Liquidity SMU Eco 3355 Liquidity and Why do people choose to hold fiat money despite its

Liquidity SMU Eco 3355 Liquidity and Why do people choose to hold fiat money despite its Financial Intermediation lower rate of return? Maybe because fiat money is less risky than most of the other assets. Maybe because fiat money is more

374 views • 8 slides
Security Industry Transformation Map Sharing Steve Tan Executive Secretary, Union of Security

Security Industry Transformation Map Sharing Steve Tan Executive Secretary, Union of Security

Security Industry Transformation Map Sharing Steve Tan Executive Secretary, Union of Security Employees Security Industry Transformation Map Security ITM One of 23 ITMs to chart Singapores future economy Part of Built

1.11k views • 41 slides
CASE STUDY Founded in 1976 consortium in 1985 (partners Fiat Group subsidiaries) 1980

CASE STUDY Founded in 1976 consortium in 1985 (partners Fiat Group subsidiaries) 1980

FIAT : Open Innovation in a downturn (1993-2003) High-Tech Business Venturing course Workgroup V: Mariangela, Lorenzo, Vito, Emmanuel, Giovanni Pontedera, January 30, 2015 CASE STUDY Founded in 1976 consortium in 1985 (partners Fiat

449 views • 18 slides
Quantum Communications (and their implications for Information Security) The Quantum

Quantum Communications (and their implications for Information Security) The Quantum

Quantum Communications (and their implications for Information Security) The Quantum Communications Hub Director: Professor Tim Spiller New Quantum Technologies Quantum technologies form a whole new technology sector. These technologies

222 views • 11 slides
An Introduction to Quantum Computers and Quantum Cryptography Computer Network Security

An Introduction to Quantum Computers and Quantum Cryptography Computer Network Security

An Introduction to Quantum Computers and Quantum Cryptography Computer Network Security Prepared by: Nima Bayan, P.Eng. Fall 2003 Contents ! Introduction " Cryptography and Relativity " Quantum Algorithms " Quantum Computers !

227 views • 11 slides
Security in a Quantum World Vladimir Zamdzhiev Department of Computer Science Tulane University

Security in a Quantum World Vladimir Zamdzhiev Department of Computer Science Tulane University

Security in a Quantum World Security in a Quantum World Vladimir Zamdzhiev Department of Computer Science Tulane University November 7 2017 Vladimir Zamdzhiev Security in a Quantum World 1 / 12 Security in a Quantum World Physical Theories

483 views • 24 slides
RSA Reference : Rivest, Shamir, Adleman, A Method for Obtaining Digital Sig- natures and Public Key

RSA Reference : Rivest, Shamir, Adleman, A Method for Obtaining Digital Sig- natures and Public Key

RSA Reference : Rivest, Shamir, Adleman, A Method for Obtaining Digital Sig- natures and Public Key Cryptosystems , CACM, Vol. 21, No. 2, pp. 120126, February 1978. RSA is a public key cryptosystem based on number theory. The security of RSA is

179 views • 7 slides
IM IMPLEMENTATION OF DIG IGIT ITAL SIG IGNATURE IN IN THE AVIA IATION IN INDUSTRY 13 13

IM IMPLEMENTATION OF DIG IGIT ITAL SIG IGNATURE IN IN THE AVIA IATION IN INDUSTRY 13 13

IM IMPLEMENTATION OF DIG IGIT ITAL SIG IGNATURE IN IN THE AVIA IATION IN INDUSTRY 13 13 OCTOBER 2017 1. What is Digital Signature? 2. Why use Digital Certificate? 3. Digital Signature Act 1997 4. Digital Signature Regulations 1998

282 views • 12 slides
Introduction to MiniApp (Packaging & Manifest) Yongjing Zhang zhangyongjing@huawei.com

Introduction to MiniApp (Packaging & Manifest) Yongjing Zhang zhangyongjing@huawei.com

Introduction to MiniApp (Packaging & Manifest) Yongjing Zhang zhangyongjing@huawei.com Huawei Device Co., Ltd. July 2020 MiniApp Packaging Each MiniApp package is a specialized ZIP file (to be registered as

804 views • 6 slides
Computer Security 3e Dieter Gollmann Security.di.unimi.it/sicurezza1516/ Chapter 14: 1 Chapter

Computer Security 3e Dieter Gollmann Security.di.unimi.it/sicurezza1516/ Chapter 14: 1 Chapter

Computer Security 3e Dieter Gollmann Security.di.unimi.it/sicurezza1516/ Chapter 14: 1 Chapter 1: Cryptography Chapter 14: 2 Cryptography Cryptography is the science and study of secret writing. Cryptanalysis is the science and study

854 views • 48 slides
How to achieve a McEliece-based Digital Signature Scheme Nicolas Courtois Matthieu Finiasz

How to achieve a McEliece-based Digital Signature Scheme Nicolas Courtois Matthieu Finiasz

How to achieve a McEliece-based Digital Signature Scheme Nicolas Courtois Matthieu Finiasz Nicolas Sendrier ASIACRYPT 2001 Brisbane McEliece in a nutshell (Niederreiter version) This scheme is equivalent to the original McEliece

432 views • 12 slides
Digital Signatures (ctd.) Lecture 17 RECALL Digital Signatures Syntax: KeyGen, Sign SK and

Digital Signatures (ctd.) Lecture 17 RECALL Digital Signatures Syntax: KeyGen, Sign SK and

Digital Signatures (ctd.) Lecture 17 RECALL Digital Signatures Syntax: KeyGen, Sign SK and Verify VK . Security: Same experiment as MAC s, but adversary given VK Sig SK Ver VK s i = Sign SK (M i ) Ver VK (M,s) (M,s) M i VK Advantage =

693 views • 10 slides
B 9 1 6 8 7 A 2 C 10 3 5 4 11 12 13 F D 14 15 E # Symmetric Keys =

B 9 1 6 8 7 A 2 C 10 3 5 4 11 12 13 F D 14 15 E # Symmetric Keys =

B 9 1 6 8 7 A 2 C 10 3 5 4 11 12 13 F D 14 15 E # Symmetric Keys = n*(n-1)/2 # Symmetric Keys = n*(n-1)/2 # Public/Private Keys = 2 n public private B 9 1 6 8 7 A 2 C 10 3 public private 5 4 public

765 views • 20 slides
Digital Signatures Model A public key analog of MAC A digital signature scheme includes

Digital Signatures Model A public key analog of MAC A digital signature scheme includes

Digital Signatures Model A public key analog of MAC A digital signature scheme includes the following elements: A private key k A public key k A signature algorithm Public key is published Signature requires

475 views • 24 slides
T-79.159 Cryptography and Data Security Lecture 9: Kaufman et al: - Principles of

T-79.159 Cryptography and Data Security Lecture 9: Kaufman et al: - Principles of

T-79.159 Cryptography and Data Security Lecture 9: Kaufman et al: - Principles of authentication Ch. 2; 6.5 - Digital signatures - DSS Stallings: Ch. 11.1-2; 13.1; 13.3 - Random number generation 1 Principles of message authentication

337 views • 6 slides

More recommend