A Concrete Treatment of Fiat-Shamir Signatures in the Quantum Random-Oracle Model
EUROCRYPT 2018
Eike Kiltz, Vadim Lyubashevsky, Christian Schaffner
Classical Signature Schemes
• Full Domain Hash: trapdoor function → signature scheme
• Fiat-Shamir: identification scheme → signature scheme
This work: a concrete treatment of Fiat-Shamir against quantum adversaries.
Goal: help setting concrete parameters.
Outline
Part I: Fiat-Shamir Signatures in the Random Oracle Model
Part II: Fiat-Shamir Signatures in the Quantum Random Oracle Model
Part III: Concrete Instantiations from Lattices
Part I: Fiat-Shamir Signatures in the ROM
Digital Signatures
Security game (Challenger vs. Adversary): the challenger sends pk; the adversary makes signing queries on messages m and receives signatures σ, makes RO queries x and receives H(x), and finally outputs a forgery (message m*, signature σ*).
• UF-NMA: unforgeability against no-message attack in the ROM (no signing queries)
• UF-CMA: unforgeability against chosen-message attack
Images: xkcd
Canonical Identification (aka Σ-protocol)
Prover (sk) → Verifier (pk): com ("commitment")
Verifier → Prover: ch ∈ {0,1}^n ("challenge")
Prover → Verifier: res ("response")
Verifier (pk): is the transcript (com, ch, res) valid?
Fiat-Shamir Signatures
Prover (sk) computes com, derives the challenge itself as ch := H(m, com), and computes res.
Signature on m: σ = (com, res)
Verify: is (com, ch = H(m, com), res) a valid transcript?
Deterministic Fiat-Shamir Signatures
Prover (sk): com_m is derived deterministically from m; ch_m := H(m, com_m); res_m.
Signature on m: σ_m = (com_m, res_m)
Verify: is (com_m, ch_m = H(m, com_m), res_m) a valid transcript?
Security of Fiat-Shamir Signatures in ROM
Known results [PS96, AABN02, Lyu09, AFLT12]:
• identification with special soundness ⇒ UF-NMA: non-tight implication (rewinding)
• LOSSY identification ⇒ UF-NMA: tight implication
• UF-NMA ⇒ UF-CMA (Fiat-Shamir signature): tight implication
Lossy Identification [AFLT12]:
• pk ≈_c pk_lossy → statistical soundness
• Stronger than special soundness
UF-CMA: unforgeability against chosen-message attack
UF-NMA: unforgeability against no-message attack
Fiat-Shamir Signatures
• Schnorr Signatures / EdDSA (DLOG)
• Guillou-Quisquater (Factoring)
• Katz-Wang signatures (DDH)
• NIST Post-Quantum competition (Lattices/Codes)
  – Dilithium
  – qTESLA
  – MQDSS
  – …
Security against quantum adversaries?
Quantum Computers
• Compute on qubits in superposition: |x⟩ = Σ_{a ∈ {0,1}^n} α_a |a⟩
• Easy: Factoring, DLOG, etc.
• Hard: symmetric, lattices, codes, isogenies, ...
Random Oracle [BR93]: x → H(x)
Quantum Random Oracle [BDFLSZ11]: |x⟩ → |x⟩|H(x)⟩
Many RO tools useless in QROM:
• Rewinding
• Lazy evaluation
• RO patching
• Pre-image awareness
• How to model "offline primitives"?
Part II: Fiat-Shamir Signatures in the QROM
Digital Signature Schemes in the QROM
Security game (Challenger vs. Adversary): the challenger sends pk; the adversary makes signing queries on messages m and receives signatures σ, makes QRO queries |x⟩ and receives |H(x)⟩, and finally outputs a forgery (message m*, signature σ*).
• UF-CMA: unforgeability against chosen-message attack
• UF-NMA: unforgeability against no-message attack
Security of Fiat-Shamir Signatures in ROM (Recap)
• special soundness ⇒ UF-NMA: non-tight implication
• LOSSY ⇒ UF-NMA: tight implication
• UF-NMA ⇒ UF-CMA (Fiat-Shamir signature): tight implication
Security of Fiat-Shamir Signatures in QROM
• special soundness ⇒ UF-NMA: [ARU14], [U17]
• LOSSY ⇒ UF-NMA
• UF-NMA ⇒ UF-CMA:
  – Fiat-Shamir: non-tight [U17]; in QRAM: tight [U17']
  – Deterministic Fiat-Shamir: tight [new]; in QRAM: tight [U17']
*QRAM: assumes superposition queries to classical data in unit time*
Proof: UF-NMA ⇒ UF-CMA in ROM
How to simulate σ = (com, res) without sk?
Reduction vs. Adversary, on signing query m:
1. HVZK: sample a random transcript (com, ch, res)
2. "Patch" the RO: H(com, m) := ch
Return σ := (com, res); later RO queries H(com, m) are answered consistently with the patch.
Why RO patching works:
• com has high entropy ⇒ H(com, m) is still undefined w.h.p.
• This entropy argument / patching fails in QROM
Our proof: UF-NMA ⇒ UF-CMA in QROM (deterministic Fiat-Shamir)
How to simulate σ_m = (com_m, res_m) without sk?
Reduction vs. Adversary, on signing query m:
• Unique HVZK transcript for m: (com_m, ch_m, res_m); return σ_m := (com_m, res_m)
• Define the QRO by H(com, m) := ch_m whenever com = com_m; QRO queries |(com, m)⟩ → |H(com, m)⟩ are answered with this oracle
Why QRO defining works:
• m ↔ unique transcript (com_m, ch_m, res_m)
• H(com_m, m) := ch_m holds globally
• No patching (history free)
• Does not work for probabilistic FS
Deterministic Fiat-Shamir in QROM
LOSSY ⇒ UF-NMA ⇒ UF-CMA (we just proved UF-NMA ⇒ UF-CMA)
All implications tight!
Part III: Instantiations from lattices
Generic Identification from (Module-)LWE [Lyu09]
pk = (A, t = As_1 + s_2), sk = (s_1, s_2)
pk ≈_c LOSSY pk (A, t uniform); in lossy mode Pr[accept] = small
Prover (sk) → Verifier (pk): w := Ay_1 + y_2
Verifier → Prover: c
Prover → Verifier: z_1 := y_1 + cs_1, z_2 := y_2 + cs_2
Verifier accepts ⇔ w = Az_1 + z_2 − ct and z_1, z_2 short
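The (Module-)LWE identification above, turned into a deterministic Fiat-Shamir signature as on the earlier slides, as an added toy implementation that is not the authors' code and not Dilithium. It assumes plain integer vectors over Z_q in place of module elements, constructed toy parameters, SHAKE-256 in the role of H, and a masking vector y (hence com_m) derived from a secret seed and m with a retry counter for rejection sampling.

```python
import hashlib
# Toy parameters, constructed for illustration only (not Dilithium's real parameters).
Q = 8380417          # modulus (Dilithium's q, reused here as a convenient prime)
K, L = 4, 4          # A is a K x L matrix over Z_q
ETA, GAMMA = 2, 1 << 20   # s_i in [-ETA, ETA), masking y_i in [-GAMMA, GAMMA)
CMAX = 65535         # challenge c is an integer in [0, CMAX]
BETA = ETA * CMAX    # max |c * s_i|; rejection bound

def xof(*parts, n):  # SHAKE-256 over the parts; plays the role of the random oracle H
    h = hashlib.shake_256()
    for p in parts:
        h.update(p)
    return h.digest(n)

def vec(seed, n, bound):  # n integers in [-bound, bound), bound a power of two
    raw = xof(seed, n=4 * n)
    return [int.from_bytes(raw[4*i:4*i + 4], "little") % (2 * bound) - bound for i in range(n)]
def matvec(A, v):
    return [sum(a * b for a, b in zip(row, v)) % Q for row in A]

def keygen(seed):  # pk = (A, t = A*s1 + s2), sk = (A, s1, s2, seed for y)
    A = [[int.from_bytes(xof(seed, bytes([i, j]), n=4), "little") % Q for j in range(L)] for i in range(K)]
    s1, s2 = vec(seed + b"s1", L, ETA), vec(seed + b"s2", K, ETA)
    t = [(a + b) % Q for a, b in zip(matvec(A, s1), s2)]
    return (A, t), (A, s1, s2, seed + b"y")

def challenge(m, w):  # ch := H(m, com) with com = w
    return int.from_bytes(xof(m, b"".join(x.to_bytes(3, "little") for x in w), n=2), "little")
def short(z):
    return all(-(GAMMA - BETA) <= zi < GAMMA - BETA for zi in z)

def sign(sk, m):  # deterministic FS: y, hence com_m, is derived from the secret seed and m
    A, s1, s2, yseed = sk
    for ctr in range(256):  # rejection sampling; the counter keeps retries deterministic
        y1 = vec(yseed + bytes([ctr, 1]) + m, L, GAMMA)
        y2 = vec(yseed + bytes([ctr, 2]) + m, K, GAMMA)
        w = [(a + b) % Q for a, b in zip(matvec(A, y1), y2)]  # com = A*y1 + y2
        c = challenge(m, w)
        z1 = [y + c * s for y, s in zip(y1, s1)]  # res = (z1, z2)
        z2 = [y + c * s for y, s in zip(y2, s2)]
        if short(z1) and short(z2):  # reject a z that would leak information about s
            return (w, z1, z2)
    raise RuntimeError("rejection sampling did not terminate")

def verify(pk, m, sig):  # accept iff z1, z2 short and w == A*z1 + z2 - c*t for c = H(m, w)
    (A, t), (w, z1, z2) = pk, sig
    c = challenge(m, w)
    lhs = [(az + z - c * ti) % Q for az, z, ti in zip(matvec(A, z1), z2, t)]
    return short(z1) and short(z2) and lhs == w
```

Signing the same message twice yields the identical (w, z_1, z_2), which is the property the QROM proof for deterministic Fiat-Shamir relies on.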
(Lossy-)Dilithium
Generic (M)LWE identification + Dilithium compression (pk + sig):
• small parameters → Dilithium (→ NIST)
• large parameters → Lossy Dilithium
Self-Target SIS:
• Input: random A, t, hash H
• Output: short s_1, s_2, c and m such that H(As_1 + s_2 − tc, m) = c
UF-CMA security in QROM | |pk| | |σ|
Lossy-Dilithium: (Module-)LWE | 8 KB | 6 KB
Dilithium: UF-NMA = "Self-Target SIS" | 1.5 KB | 3 KB
Summary: Deterministic Fiat-Shamir in QROM (this work)
• Lossy Dilithium: (M)LWE ⇒ LOSSY ⇒ UF-NMA ⇒ UF-CMA
• Dilithium: Self-Target SIS ⇒ UF-NMA ⇒ UF-CMA
• Green arrows: tight implications
• Concrete analysis helps setting parameters
Open Problem
• Tightness of probabilistic Fiat-Shamir in QROM?
UF-NMA ⇒ UF-CMA:
  – Probabilistic Fiat-Shamir: non-tight [U17]; QRAM: tight [U17']
  – Deterministic Fiat-Shamir: tight [new]; QRAM: tight [U17']
Thank you! https://eprint.iacr.org/2017/916