
Security of the Fiat-Shamir Transformation in the Quantum Random-Oracle Model

Jelle Don, Serge Fehr, Christian Majenz and Christian Schaffner. QIP 2020, Hilton Shenzhen Shekou Nanhai Hotel, Shenzhen, China.


  1. Security of the Fiat-Shamir Transformation in the Quantum Random-Oracle Model Jelle Don, Serge Fehr, Christian Majenz and Christian Schaffner QIP 2020 Hilton Shenzhen Shekou Nanhai Hotel, Shenzhen, China

  2. Two facts of life

  3. Two facts of life 1. Interaction is exhausting (=costly).

  4. Two facts of life 1. Interaction is exhausting (=costly). 2. Testing/verification is more efficient interactively than noninteractively

  5. Two facts of life 1. Interaction is exhausting (=costly). 2. Testing/verification is more efficient interactively than noninteractively Fiat-Shamir reconciles the two in certain cases.

  6. Outline 1. Introduction ‣ Interactive proof systems ‣ The Fiat Shamir transformation 2. Results ‣ Overview ‣ Reduction ‣ Techniques 3. Application: Digital Signatures

  7. 1. Introduction

  8. Interactive proof system

  9. Interactive proof system Prover Verifier

  10. Interactive proof system. Prover: "x is true!"

  11. Interactive proof system. Prover: "x is true!" Verifier: "Prove it!"

  12. Interactive proof system. Prover: "x is true!" Verifier: "Prove it!" Messages: bla

  13. Interactive proof system. Prover: "x is true!" Verifier: "Prove it!" Messages: bla bla

  14. Interactive proof system. Prover: "x is true!" Verifier: "Prove it!" Messages: bla bla bla

  15. Interactive proof system. Prover: "x is true!" Verifier: "Prove it!" Messages: bla bla bla bla

  16. Interactive proof system. Prover: "x is true!" Verifier: "Prove it!" Messages: bla bla bla bla …

  17. Interactive proof system. Prover: "x is true!" Verifier: "Prove it!" Messages: bla bla bla bla … Verifier: "Now I believe that x is true…"

  18. Interactive proof system

  19. Interactive proof system Many cryptographic properties:

  20. Interactive proof system Many cryptographic properties: ‣ Completeness

  21. Interactive proof system Many cryptographic properties: ‣ Completeness ‣ Soundness

  22. Interactive proof system Many cryptographic properties: ‣ Completeness ‣ Soundness ‣ Zero-knowledge

  23. Interactive proof system Many cryptographic properties: ‣ Completeness ‣ Soundness ‣ Zero-knowledge ‣ Proof-of-knowledge

  24. Interactive proof system Many cryptographic properties: ‣ Completeness ‣ Soundness ‣ Zero-knowledge ‣ Proof-of-knowledge ‣ …

  25. Interactive proof system Many cryptographic properties: ‣ Completeness ‣ Soundness } ‣ Zero-knowledge perfect/statistical/computational ‣ Proof-of-knowledge ‣ …

  26. Interactive proof system Many cryptographic properties: ‣ Completeness ‣ Soundness } ‣ Zero-knowledge perfect/statistical/computational ‣ Proof-of-knowledge ‣ … Can we do the same without interaction?

  27. Interactive proof system Many cryptographic properties: ‣ Completeness ‣ Soundness } ‣ Zero-knowledge perfect/statistical/computational ‣ Proof-of-knowledge ‣ … Can we do the same without interaction? Yes, at least in some cases, using the Fiat Shamir transformation

  28. Σ-protocol. Prover: "x is true!" Verifier: "Prove it!" Messages: a, c ∈_R 𝒟, r. Verifier: "Now I believe that x is true…"

  29. Σ-protocol (“public coin”). Prover: "x is true!" Verifier: "Prove it!" Messages: a, c ∈_R 𝒟, r. Verifier: "Now I believe that x is true…"

  30. Fiat Shamir transformation. Prover: "x is true!" Verifier: "Prove it!" Messages: a, c ∈_R 𝒟, r. Verifier: "Now I believe that x is true…"

  31. Fiat Shamir transformation. Prover: "x is true!" Verifier: "Prove it!" Messages: a, c = H(a), r. Verifier: "Now I believe that x is true…"

  32. Fiat Shamir transformation. Prover: "x is true!" Verifier: "Prove it!" Messages: a, c = H(a), r. H: hash function, “looks random”. Verifier: "Now I believe that x is true…"

  33. Fiat Shamir transformation ‣ Intractability of hash function replaces interaction

  34. Fiat Shamir transformation ‣ Intractability of hash function replaces interaction ‣ Yields non-interactive proof system

  35. Fiat Shamir transformation ‣ Intractability of hash function replaces interaction ‣ Yields non-interactive proof system ‣ Used for digital signature schemes

  36. Fiat Shamir transformation ‣ Intractability of hash function replaces interaction ‣ Yields non-interactive proof system ‣ Used for digital signature schemes ‣ Preserves properties in the Random Oracle Model (ROM) (Pointcheval & Stern ‘00)

  37. Fiat Shamir transformation ‣ Intractability of hash function replaces interaction ‣ Yields non-interactive proof system ‣ Used for digital signature schemes ‣ Preserves properties in the Random Oracle Model (ROM) (Pointcheval & Stern ‘00) Pretend that hash function is random and everybody has oracle access

  38. Fiat Shamir transformation ‣ Intractability of hash function replaces interaction ‣ Yields non-interactive proof system ‣ Used for digital signature schemes ‣ Preserves properties in the Random Oracle Model (ROM) (Pointcheval & Stern ‘00) What about the quantum ROM (QROM)?

  39. Fiat Shamir transformation ‣ Intractability of hash function replaces interaction ‣ Yields non-interactive proof system ‣ Used for digital signature schemes ‣ Preserves properties in the Random Oracle Model (ROM) (Pointcheval & Stern ‘00) What about the quantum ROM (QROM)? Unruh ’17: The Fiat Shamir transformation preserves some security properties in the QROM if the underlying Σ-protocol is statistically sound.

  40. Fiat Shamir transformation ‣ Intractability of hash function replaces interaction ‣ Yields non-interactive proof system ‣ Used for digital signature schemes ‣ Preserves properties in the Random Oracle Model (ROM) (Pointcheval & Stern ‘00) What about the quantum ROM (QROM)? Unruh ’17: The Fiat Shamir transformation preserves some security properties in the QROM if the underlying Σ-protocol is statistically sound. Many cases important for post-quantum crypto still open.

  41. 2. Results

  42. Our results 1. A general reduction for the Fiat Shamir transform in the QROM.

  43. Our results 1. A general reduction for the Fiat Shamir transform in the QROM. Theorem (Don, Fehr, M, Schaffner): The Fiat Shamir transformation of a Σ-protocol inherits all its security properties in the QROM.

  44. Our results 1. A general reduction for the Fiat Shamir transform in the QROM. Theorem (Don, Fehr, M, Schaffner): The Fiat Shamir transformation of a Σ-protocol inherits all its security properties in the QROM. Concurrent work: Liu and Zhandry, less tight reduction.

  45. Our results 1. A general reduction for the Fiat Shamir transform in the QROM. Theorem (Don, Fehr, M, Schaffner): The Fiat Shamir transformation of a Σ-protocol inherits all its security properties in the QROM. Concurrent work: Liu and Zhandry, less tight reduction. 2. A novel criterion for the computational proof-of-knowledge property for sigma protocols (related to collapsingness)

  46. Our results 1. A general reduction for the Fiat Shamir transform in the QROM. Theorem (Don, Fehr, M, Schaffner): The Fiat Shamir transformation of a Σ-protocol inherits all its security properties in the QROM. Concurrent work: Liu and Zhandry, less tight reduction. 2. A novel criterion for the computational proof-of-knowledge property for sigma protocols (related to collapsingness)

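  47. The reduction. [Diagram: 𝒝]

  48. The reduction. [Diagram: 𝒝, input x]

  49. The reduction. [Diagram: 𝒝, input x, random oracle H]

  50. The reduction. [Diagram: 𝒝, input x, oracle H; output p = (a, c = H(a), r)]

  51. The reduction. [Diagram: Verifier; 𝒯 containing 𝒝; input x]

  52. The reduction. [Diagram: Verifier; 𝒯 containing 𝒝; input x; messages a, c ∈_R {0,1}^ℓ, r]

  53. The reduction. [Diagram: Verifier; 𝒯 containing 𝒝; input x]

  54. The reduction. [Diagram: Verifier; 𝒯 containing 𝒝; input x]

  55. The reduction. [Diagram: Verifier; 𝒯 containing 𝒝; input x; oracle H]

  56. The reduction. Measure random query. [Diagram: Verifier; 𝒯 containing 𝒝; input x; oracle H]

  57. The reduction. Measure random query, use result as a. [Diagram: Verifier; 𝒯 containing 𝒝; input x; oracle H; message a]

  58. The reduction. [Diagram: Verifier; 𝒯 containing 𝒝; input x; oracle H; message a]

  59. The reduction. [Diagram: Verifier; 𝒯 containing 𝒝; input x; oracle H; messages a, c ∈_R {0,1}^ℓ]

  60. The reduction. Use challenge to reprogram. [Diagram: Verifier; 𝒯 containing 𝒝; input x; oracle H*; messages a, c ∈_R {0,1}^ℓ]

  61. The reduction. [Diagram: Verifier; 𝒯 containing 𝒝; input x; oracle H*; messages a, c ∈_R {0,1}^ℓ]

  62. The reduction. Use part of output as response. [Diagram: Verifier; 𝒯 containing 𝒝; input x; oracle H*; messages a, c ∈_R {0,1}^ℓ, r]

  63. The reduction. [Diagram: Verifier; 𝒯 containing 𝒝; input x; oracle H*; messages a, c ∈_R {0,1}^ℓ, r]

  64. The reduction. [Diagram: Verifier; 𝒯 containing 𝒝; input x; oracle H*; messages a, c ∈_R {0,1}^ℓ, r] Success probability: ε(𝒯[𝒝]) ≥ ε(𝒝) / O(q²)

  65. The reduction. Why on earth does it work? [Diagram: Verifier; 𝒯 containing 𝒝; input x; oracle H*; messages a, c ∈_R {0,1}^ℓ, r] Success probability: ε(𝒯[𝒝]) ≥ ε(𝒝) / O(q²)

  66. The reduction. Why on earth does it work? Intuition: prover needs to measure anyway. [Diagram: Verifier; 𝒯 containing 𝒝; input x; oracle H*; messages a, c ∈_R {0,1}^ℓ, r] Success probability: ε(𝒯[𝒝]) ≥ ε(𝒝) / O(q²)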

  67. Technique Simplified picture: one query.

  68. Technique Simplified picture: one query. (without final measurement) 𝒝^H |ϕ⟩ = U_2 O^H U_1 |ϕ⟩

  69. Technique Simplified picture: one query. (without final measurement) 𝒝^H |ϕ⟩ = U_2 O^H U_1 |ϕ⟩. H*(x) = H(x) for x ≠ x_0, H*(x_0) independently uniformly random
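
The Σ-protocol and Fiat Shamir slides of the Introduction (messages a, c, r, with c ∈_R 𝒟 replaced by a hash), as an added example that is not part of the original slides: it uses the Schnorr identification protocol as the Σ-protocol, over a constructed toy group. The function names, the witness name w, SHA-256 as the stand-in for the random oracle, and hashing the statement x together with a (the slide writes c = H(a)) are assumptions of this example.

```python
import hashlib
import secrets

# Constructed toy group, far too small for real use: P = 2Q + 1, G has order Q.
P, Q, G = 2039, 1019, 4

def commit():
    """Prover's first message a = G^k for a fresh secret nonce k."""
    k = secrets.randbelow(Q - 1) + 1
    return k, pow(G, k, P)

def respond(w, k, c):
    """Prover's response r = k + c*w mod Q (w is the witness, x = G^w)."""
    return (k + c * w) % Q

def check(x, a, c, r):
    """Verifier's test on a transcript (a, c, r): G^r == a * x^c mod P."""
    return pow(G, r, P) == (a * pow(x, c, P)) % P

def interactive_run(w):
    """Sigma-protocol: the verifier draws the public-coin challenge c itself."""
    x = pow(G, w, P)
    k, a = commit()
    c = secrets.randbelow(Q)          # c chosen uniformly at random
    return check(x, a, c, respond(w, k, c))

def H(x, a):
    """SHA-256 standing in for the random oracle (assumption of this example)."""
    data = f"{P}|{Q}|{G}|{x}|{a}".encode()
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % Q

def fs_prove(w):
    """Fiat-Shamir: the prover derives c by hashing, no verifier message needed."""
    x = pow(G, w, P)
    k, a = commit()
    c = H(x, a)
    return x, (a, respond(w, k, c))

def fs_verify(x, proof):
    """The verifier recomputes c from (x, a); c is not taken from the proof."""
    a, r = proof
    return check(x, a, H(x, a), r)

if __name__ == "__main__":
    x, (a, r) = fs_prove(w=123)
    print("interactive accepts:", interactive_run(123))
    print("non-interactive accepts:", fs_verify(x, (a, r)))
    print("tampered response accepts:", fs_verify(x, (a, (r + 1) % Q)))
```

The proof carries only (a, r); a verifier that accepted a prover-supplied c instead of recomputing it would lose soundness, since (a, c, r) triples passing `check` can be produced without the witness when c is free to choose.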
