security of the fiat shamir transformation in the quantum
play

Security of the Fiat-Shamir Transformation in the Quantum - PowerPoint PPT Presentation

Sep 24, 2023 •391 likes •1.38k views

Security of the Fiat-Shamir Transformation in the Quantum Random-Oracle Model Jelle Don, Serge Fehr, Christian Majenz and Christian Schaffner QIP 2020 Hilton Shenzhen Shekou Nanhai Hotel, Shenzhen, China Two facts of life Two facts of life

  1. Security of the Fiat-Shamir Transformation in the Quantum Random-Oracle Model Jelle Don, Serge Fehr, Christian Majenz and Christian Schaffner QIP 2020 Hilton Shenzhen Shekou Nanhai Hotel, Shenzhen, China

  2. Two facts of life

  3. Two facts of life 1. Interaction is exhausting (=costly).

  4. Two facts of life 1. Interaction is exhausting (=costly). 2. Testing/verification is more efficient interactively than noninteractively

  5. Two facts of life 1. Interaction is exhausting (=costly). 2. Testing/verification is more efficient interactively than noninteractively Fiat-Shamir reconciles the two in certain cases.

  6. Outline 1. Introduction ‣ Interactive proof systems ‣ The Fiat Shamir transformation 2. Results ‣ Overview ‣ Reduction ‣ Techniques 3. Application: Digital Signatures

  7. 1. Introduction

  8. Interactive proof system

  9. Interactive proof system Prover Verifier

  10. Interactive proof system is true! x Prover Verifier

  11. Interactive proof system Prove it! is true! x Prover Verifier

  12. Interactive proof system Prove it! is true! x bla Prover Verifier

  13. Interactive proof system Prove it! is true! x bla bla Prover Verifier

  14. Interactive proof system Prove it! is true! x bla bla bla Prover Verifier

  15. Interactive proof system Prove it! is true! x bla bla bla bla Prover Verifier

  16. Interactive proof system Prove it! is true! x bla bla bla bla … Prover Verifier

  17. Interactive proof system Prove it! is true! x bla bla bla bla … Prover Verifier Now I believe that is true… x

  18. Interactive proof system

  19. Interactive proof system Many cryptographic properties:

  20. Interactive proof system Many cryptographic properties: ‣ Completeness

  21. Interactive proof system Many cryptographic properties: ‣ Completeness ‣ Soundness

  22. Interactive proof system Many cryptographic properties: ‣ Completeness ‣ Soundness ‣ Zero-knowledge

  23. Interactive proof system Many cryptographic properties: ‣ Completeness ‣ Soundness ‣ Zero-knowledge ‣ Proof-of-knowledge

  24. Interactive proof system Many cryptographic properties: ‣ Completeness ‣ Soundness ‣ Zero-knowledge ‣ Proof-of-knowledge ‣ …

  25. Interactive proof system Many cryptographic properties: ‣ Completeness ‣ Soundness } ‣ Zero-knowledge perfect/statistical/computational ‣ Proof-of-knowledge ‣ …

  26. Interactive proof system Many cryptographic properties: ‣ Completeness ‣ Soundness } ‣ Zero-knowledge perfect/statistical/computational ‣ Proof-of-knowledge ‣ … Can we do the same without interaction?

  27. Interactive proof system Many cryptographic properties: ‣ Completeness ‣ Soundness } ‣ Zero-knowledge perfect/statistical/computational ‣ Proof-of-knowledge ‣ … Can we do the same without interaction? Yes, at least in some cases, using the Fiat Shamir transformation

  28. -protocol Σ Prove it! is true! x a c ∈ R 𝒟 r Prover Verifier Now I believe that is true… x

  29. -protocol Σ “public coin” Prove it! is true! x a c ∈ R 𝒟 r Prover Verifier Now I believe that is true… x

  30. Fiat Shamir transformation Prove it! is true! x a c ∈ R 𝒟 r Prover Verifier Now I believe that is true… x

  31. Fiat Shamir transformation Prove it! is true! x a c = H ( a ) r Prover Verifier Now I believe that is true… x

  32. Fiat Shamir transformation Prove it! is true! x a c = H ( a ) r Hash function, “looks random” Prover Verifier Now I believe that is true… x

  33. Fiat Shamir transformation ‣ Intractability of hash function replaces interaction

  34. Fiat Shamir transformation ‣ Intractability of hash function replaces interaction ‣ Yields non-interactive proof system

  35. Fiat Shamir transformation ‣ Intractability of hash function replaces interaction ‣ Yields non-interactive proof system ‣ Used for digital signature schemes

  36. Fiat Shamir transformation ‣ Intractability of hash function replaces interaction ‣ Yields non-interactive proof system ‣ Used for digital signature schemes ‣ Preserves properties in the Random Oracle Model (ROM) (Pointcheval & Stern ‘00)

  37. Fiat Shamir transformation ‣ Intractability of hash function replaces interaction ‣ Yields non-interactive proof system ‣ Used for digital signature schemes ‣ Preserves properties in the Random Oracle Model (ROM) (Pointcheval & Stern ‘00) Pretend that hash function is random and everybody has oracle access

  38. Fiat Shamir transformation ‣ Intractability of hash function replaces interaction ‣ Yields non-interactive proof system ‣ Used for digital signature schemes ‣ Preserves properties in the Random Oracle Model (ROM) (Pointcheval & Stern ‘00) ? What about the quantum ROM (QROM)?

  39. Fiat Shamir transformation ‣ Intractability of hash function replaces interaction ‣ Yields non-interactive proof system ‣ Used for digital signature schemes ‣ Preserves properties in the Random Oracle Model (ROM) (Pointcheval & Stern ‘00) ? What about the quantum ROM (QROM)? Unruh ’17: The Fiat Shamir transformation preserves some security properties in the QROM if the underlying -protocol is Σ statistically sound.

  40. Fiat Shamir transformation ‣ Intractability of hash function replaces interaction ‣ Yields non-interactive proof system ‣ Used for digital signature schemes ‣ Preserves properties in the Random Oracle Model (ROM) (Pointcheval & Stern ‘00) ? What about the quantum ROM (QROM)? Unruh ’17: The Fiat Shamir transformation preserves some security properties in the QROM if the underlying -protocol is Σ statistically sound. Many cases important for post-quantum crypto still open.

  41. 2. Results

  42. Our results 1. A general reduction for the Fiat Shamir transform in the QROM.

  43. Our results 1. A general reduction for the Fiat Shamir transform in the QROM. Theorem (Don, Fehr, M, Schaffner): The Fiat Shamir transformation of a -protocol inherits Σ all its security properties in the QROM.

  44. Our results 1. A general reduction for the Fiat Shamir transform in the QROM. Theorem (Don, Fehr, M, Schaffner): The Fiat Shamir transformation of a -protocol inherits Σ all its security properties in the QROM. Concurrent work: Liu and Zhandry, less tight reduction.

  45. Our results 1. A general reduction for the Fiat Shamir transform in the QROM. Theorem (Don, Fehr, M, Schaffner): The Fiat Shamir transformation of a -protocol inherits Σ all its security properties in the QROM. Concurrent work: Liu and Zhandry, less tight reduction. 2. A novel criterion for the computational proof-of-knowledge property for sigma protocols (related to collapsingness)

  46. Our results 1. A general reduction for the Fiat Shamir transform in the QROM. Theorem (Don, Fehr, M, Schaffner): The Fiat Shamir transformation of a -protocol inherits Σ all its security properties in the QROM. Concurrent work: Liu and Zhandry, less tight reduction. 2. A novel criterion for the computational proof-of-knowledge property for sigma protocols (related to collapsingness)

  47. The reduction 𝒝

  48. The reduction x 𝒝

  49. The reduction Random oracle H x 𝒝

  50. The reduction H x 𝒝 p = ( a , c = H ( a ), r )

  51. The reduction Verifier x 𝒯 𝒝

  52. The reduction Verifier x a 𝒯 c ∈ R {0,1} ℓ c 𝒝 r

  53. The reduction Verifier x 𝒯 𝒝

  54. The reduction Verifier x 𝒯 𝒝

  55. The reduction H Verifier x 𝒯 𝒝

  56. The reduction Measure random query H Verifier x 𝒯 𝒝

  57. The reduction Measure random query use result as H Verifier x a 𝒯 𝒝

  58. The reduction H Verifier x a 𝒯 𝒝

  59. The reduction H Verifier x a 𝒯 c ∈ R {0,1} ℓ c 𝒝

  60. The reduction use challenge to reprogram H * Verifier x a 𝒯 c ∈ R {0,1} ℓ c 𝒝

  61. The reduction H * Verifier x a 𝒯 c ∈ R {0,1} ℓ c 𝒝

  62. The reduction H * Verifier x a 𝒯 c ∈ R {0,1} ℓ c 𝒝 r use part of output as response

  63. The reduction H * Verifier x a 𝒯 c ∈ R {0,1} ℓ c 𝒝 r

  64. The reduction H * Verifier x a 𝒯 c ∈ R {0,1} ℓ c 𝒝 r Success probability: ε ( 𝒯 [ 𝒝 ]) ≥ ε ( 𝒝 ) O ( q 2 )

  65. The reduction Why on earth does it work? H * Verifier x a 𝒯 c ∈ R {0,1} ℓ c 𝒝 r Success probability: ε ( 𝒯 [ 𝒝 ]) ≥ ε ( 𝒝 ) O ( q 2 )

  66. The reduction Why on earth does it work? Intuition: prover needs to H * Verifier measure anyway. x a 𝒯 c ∈ R {0,1} ℓ c 𝒝 r Success probability: ε ( 𝒯 [ 𝒝 ]) ≥ ε ( 𝒝 ) O ( q 2 )

  67. Technique Simplified picture: one query.

  68. Technique Simplified picture: one query. (without final measurement) 𝒝 H | ϕ ⟩ = U 2 O H U 1 | ϕ ⟩

  69. Technique Simplified picture: one query. (without final measurement) 𝒝 H | ϕ ⟩ = U 2 O H U 1 | ϕ ⟩ for , independently uniformly random x ≠ x 0 H *( x 0 ) H *( x ) = H ( x )

Recommend

Security of the Fiat-Shamir Transformation in the Quantum Random Oracle Model Serge Fehr Chris

Security of the Fiat-Shamir Transformation in the Quantum Random Oracle Model Serge Fehr Chris

Security of the Fiat-Shamir Transformation in the Quantum Random Oracle Model Serge Fehr Chris Majenz Chris Schaffner Jelle Don CWI and UvA UvA CWI Leiden University Our Result in Short Let S be a S -protocol, FS[ S ] its Fiat-Shamir

422 views • 40 slides
A Concrete Treatment of Fiat-Shamir Signatures in the Quantum Random-Oracle Model EUROCRYPT 2018

A Concrete Treatment of Fiat-Shamir Signatures in the Quantum Random-Oracle Model EUROCRYPT 2018

A Concrete Treatment of Fiat-Shamir Signatures in the Quantum Random-Oracle Model EUROCRYPT 2018 Eike Kiltz , Vadim Lyubashevsky, Christian Schaffner Classical Signature Schemes Full Domain Hash Trapdoor function Signature Scheme Fiat-Shamir

268 views • 26 slides
Revisiting TESLA in the quantum random oracle model Selected history of Fiat-Shamir style

Revisiting TESLA in the quantum random oracle model Selected history of Fiat-Shamir style

Revisiting TESLA in the quantum random oracle model Selected history of Fiat-Shamir style signatures from LWE or SIS Lyubashevsky 2012 Sigs via Fiat-Shamir Bai-Galbraith BLISS 2013 Short sigs Optimized DBGGOPSS 2014 Improvements,

1.6k views • 43 slides
From Identification using Rejection Sampling to Signatures via the Fiat-Shamir Transform:

From Identification using Rejection Sampling to Signatures via the Fiat-Shamir Transform:

From Identification using Rejection Sampling to Signatures via the Fiat-Shamir Transform: Application to the BLISS Signature Pauline Bert and Adeline Roux-Langlois Journes C2 2018 Univ Rennes, CNRS, IRISA 1 Contribution Fiat-Shamir

326 views • 19 slides
The Measure-and-Reprogram Technique 2.0: Multi-Round Fiat-Shamir and More Jelle Don, CWI

The Measure-and-Reprogram Technique 2.0: Multi-Round Fiat-Shamir and More Jelle Don, CWI

The Measure-and-Reprogram Technique 2.0: Multi-Round Fiat-Shamir and More Jelle Don, CWI Amsterdam Joint work with Serge Fehr and Christian Majenz Introduction Proving Fiat-Shamir digital signatures and ZK proof systems secure against

712 views • 49 slides
Revisiting Post-Quantum Fiat-Shamir Qipeng Liu & Mark Zhandry

Revisiting Post-Quantum Fiat-Shamir Qipeng Liu & Mark Zhandry

Revisiting Post-Quantum Fiat-Shamir Qipeng Liu & Mark Zhandry (Princeton & NTT Research) Lattice Crypto Post-Quantum Crypto Typical Lattice Crypto Thm: are

623 views • 61 slides
Fiat-Shamir and correlation intractability from strong kdm secure encryption Ran Canetti, Yilei

Fiat-Shamir and correlation intractability from strong kdm secure encryption Ran Canetti, Yilei

Fiat-Shamir and correlation intractability from strong kdm secure encryption Ran Canetti, Yilei Chen, Leonid Reyzin, Ron Rothblum Eurocrypt 2018, Tel Aviv 1 2 How are you? 3 How are you? Great! How are you? 4 How are you? Great! How

681 views • 65 slides
The Fire and Invasive Annual Grass Assessment Tool (FIAT) Doug Havlina, BLM Fire Ecologist

The Fire and Invasive Annual Grass Assessment Tool (FIAT) Doug Havlina, BLM Fire Ecologist

The Fire and Invasive Annual Grass Assessment Tool (FIAT) Doug Havlina, BLM Fire Ecologist Topics to Cover Background and Development of FIAT FIAT Step 1: The regional context FIAT Step 2: Strategies within priority landscapes

577 views • 32 slides
Lecture 11 Authentication 1 Where are we now? We know a bit of the following:

Lecture 11 Authentication 1 Where are we now? We know a bit of the following:

Lecture 11 Authentication 1 Where are we now? We know a bit of the following: Conventional cryptography Hash functions and MACs Public key cryptography Encryption Signatures Identification (Fiat-Shamir) + Zero

213 views • 9 slides
Liquidity SMU Eco 3355 Liquidity and Why do people choose to hold fiat money despite its

Liquidity SMU Eco 3355 Liquidity and Why do people choose to hold fiat money despite its

Liquidity SMU Eco 3355 Liquidity and Why do people choose to hold fiat money despite its Financial Intermediation lower rate of return? Maybe because fiat money is less risky than most of the other assets. Maybe because fiat money is more

374 views • 8 slides
Security Industry Transformation Map Sharing Steve Tan Executive Secretary, Union of Security

Security Industry Transformation Map Sharing Steve Tan Executive Secretary, Union of Security

Security Industry Transformation Map Sharing Steve Tan Executive Secretary, Union of Security Employees Security Industry Transformation Map Security ITM One of 23 ITMs to chart Singapores future economy Part of Built

1.11k views • 41 slides
CASE STUDY Founded in 1976 consortium in 1985 (partners Fiat Group subsidiaries) 1980

CASE STUDY Founded in 1976 consortium in 1985 (partners Fiat Group subsidiaries) 1980

FIAT : Open Innovation in a downturn (1993-2003) High-Tech Business Venturing course Workgroup V: Mariangela, Lorenzo, Vito, Emmanuel, Giovanni Pontedera, January 30, 2015 CASE STUDY Founded in 1976 consortium in 1985 (partners Fiat

449 views • 18 slides
Quantum Communications (and their implications for Information Security) The Quantum

Quantum Communications (and their implications for Information Security) The Quantum

Quantum Communications (and their implications for Information Security) The Quantum Communications Hub Director: Professor Tim Spiller New Quantum Technologies Quantum technologies form a whole new technology sector. These technologies

222 views • 11 slides
An Introduction to Quantum Computers and Quantum Cryptography Computer Network Security

An Introduction to Quantum Computers and Quantum Cryptography Computer Network Security

An Introduction to Quantum Computers and Quantum Cryptography Computer Network Security Prepared by: Nima Bayan, P.Eng. Fall 2003 Contents ! Introduction " Cryptography and Relativity " Quantum Algorithms " Quantum Computers !

227 views • 11 slides
Security in a Quantum World Vladimir Zamdzhiev Department of Computer Science Tulane University

Security in a Quantum World Vladimir Zamdzhiev Department of Computer Science Tulane University

Security in a Quantum World Security in a Quantum World Vladimir Zamdzhiev Department of Computer Science Tulane University November 7 2017 Vladimir Zamdzhiev Security in a Quantum World 1 / 12 Security in a Quantum World Physical Theories

483 views • 24 slides
RSA Reference : Rivest, Shamir, Adleman, A Method for Obtaining Digital Sig- natures and Public Key

RSA Reference : Rivest, Shamir, Adleman, A Method for Obtaining Digital Sig- natures and Public Key

RSA Reference : Rivest, Shamir, Adleman, A Method for Obtaining Digital Sig- natures and Public Key Cryptosystems , CACM, Vol. 21, No. 2, pp. 120126, February 1978. RSA is a public key cryptosystem based on number theory. The security of RSA is

179 views • 7 slides
A key-recovery timing attack on post-quantum primitives using the Fujisaki-Okamoto transformation

A key-recovery timing attack on post-quantum primitives using the Fujisaki-Okamoto transformation

A key-recovery timing attack on post-quantum primitives using the Fujisaki-Okamoto transformation and its application on FrodoKEM Qian Guo, Thomas Johansson, Alexander Nilsson August 10, 2020 Preliminaries Implementing Crypto Is Hard

994 views • 80 slides
Interactive proof and zero knowledge protocols Zero-knowledge: definition Probabilistic

Interactive proof and zero knowledge protocols Zero-knowledge: definition Probabilistic

Interactive proof and zero knowledge protocols Zero-knowledge: definition Probabilistic complexity classes and Interactive proofs Graph isomorphism and PCP Some zero knowledge protocols: Feige-Fiat-Shamir authentication protocol

170 views • 16 slides
Tufin: Maximizing Agility and Security Henry Pea Digital Transformation is all about Business

Tufin: Maximizing Agility and Security Henry Pea Digital Transformation is all about Business

Tufin: Maximizing Agility and Security Henry Pea Digital Transformation is all about Business Agility 2 The Tradeoff Balancing Security and Agility 3 The Problem: Manual Processes Speed Cost Risk Compliance 4 The Solution: Security

1.21k views • 46 slides
How Quantum Cryptography Quantum . . . and Quantum Computing How Quantum . . . How to Deal with

How Quantum Cryptography Quantum . . . and Quantum Computing How Quantum . . . How to Deal with

What Are Cyber- . . . For Cyber-Physical . . . How Cyber-Security Is . . . Quantum Challenge to . . . How Quantum Cryptography Quantum . . . and Quantum Computing How Quantum . . . How to Deal with This . . . Can Make Cyber-Physical

797 views • 43 slides
Rural Transformation for Food Security and Poverty Reduction Racha Ramadan Applying Quantitative

Rural Transformation for Food Security and Poverty Reduction Racha Ramadan Applying Quantitative

Rural Transformation for Food Security and Poverty Reduction Racha Ramadan Applying Quantitative Analysis to Development Issues Conference Bilbliotheca Alexandrina- 2018 Motivation Structural transformation is defined as the shift of an

736 views • 24 slides
Tutorial: Security of quantum key distribution: approach from complementarity Univ. of Tokyo

Tutorial: Security of quantum key distribution: approach from complementarity Univ. of Tokyo

QCrypt2020: Aug. 12, 2020 Tutorial: Security of quantum key distribution: approach from complementarity Univ. of Tokyo Masato Koashi Quantum key distribution (QKD) Public communication Weak light pulses signals measurement Eve tests Bob

1.22k views • 95 slides
Post-quantum Security of the CBC, CFB, OFB, Modes of Operation. CTR, and XTS Modes of Operation.

Post-quantum Security of the CBC, CFB, OFB, Modes of Operation. CTR, and XTS Modes of Operation.

Post-quantum Security of the CBC, CFB, OFB, CTR, and XTS Post-quantum Security of the CBC, CFB, OFB, Modes of Operation. CTR, and XTS Modes of Operation. Mayuresh Anand Motivation Mayuresh Anand, Ehsan Ebrahimi Targhi, Gelo Noel Tabia,

235 views • 22 slides
Threshold Ring Signatures: New Security Definitions and Post-Quantum Security Abida Haque ,

Threshold Ring Signatures: New Security Definitions and Post-Quantum Security Abida Haque ,

Problem Description Current State of the Art Our Contribution Our Scheme Summary References Threshold Ring Signatures: New Security Definitions and Post-Quantum Security Abida Haque , Alessandra Scafuro North Carolina State University May

736 views • 61 slides

More recommend