
Security of the Fiat-Shamir Transformation in the Quantum Random Oracle Model - PowerPoint PPT Presentation



  1. Security of the Fiat-Shamir Transformation in the Quantum Random Oracle Model
     Serge Fehr, Chris Majenz, Chris Schaffner, Jelle Don (CWI, UvA and Leiden University)

  2. Our Result in Short. Let Σ be a Σ-protocol and FS[Σ] its Fiat-Shamir transformation.
     Theorem. If Σ is secure (against a dishonest prover), then FS[Σ] is secure (against a dishonest prover) in the quantum random oracle model (QROM). Holds for any (reasonable) notion of security.
     Proof. Transformation: P attacking FS[Σ] ⇝ P′ attacking Σ.

  3. Σ-Protocols. A Σ-protocol is an interactive proof of a special form to prove x ∈ L, i.e. ∃ w such that (x, w) satisfies the relation R, without revealing w.
     Examples (for L):
     L = { x ∈ Z | ∃ w : w² ≡ x (mod N) } for a composite N.
     L = { (a, b, c) ∈ G³ | ∃ w : a = g^w, c = b^w } for a group G = ⟨g⟩.
     L = { (G₀, G₁) ∈ Graph² | ∃ π ∈ Perm : G₁ = π(G₀) }.

  4. Σ-Protocol for Graph Isomorphism. "I want to prove that G₀ and G₁ are isomorphic without revealing π."
     Prover P (knows G₀, G₁ and π) and verifier V (knows G₀, G₁):
     P: σ ← Perm, H := σ(G₀); sends H.
     V: c ← {0,1}; sends c.
     P: t := σ ∘ π^(−c); sends t.
     V: checks H = t(G_c)?

  5. Analysis (of Soundness). Assume that G₀ ≄ G₁, i.e. ∄ π ∈ Perm : G₁ = π(G₀). Consider an arbitrary (possibly dishonest) prover P. Either H ≄ G₀ or H ≄ G₁ (or both) ⇒ P fails to answer c with probability 1/2. The probability can be "boosted" by repeating the proof: if repeated k times, then V accepts a false proof with prob. 1/2^k.
     (GI proof as on slide 4: H := σ(G₀) with σ ← Perm; c ← {0,1}; t := σ ∘ π^(−c); check H = t(G_c)?)

  6. Analysis (of Soundness), continued. Can show something stronger (proof of knowledge): if P succeeds with good probability then he must know π.
     What about privacy (V not learning π)? V obviously does not obtain π "in the clear". Can show: V learns no information at all on π (zero-knowledge).
     (Soundness recap: assume G₀ ≄ G₁, i.e. ∄ π ∈ Perm : G₁ = π(G₀); either H ≄ G₀ or H ≄ G₁ (or both) ⇒ P fails to answer c with probability 1/2; if repeated k times, V accepts a false proof with prob. 1/2^k. Protocol as on slide 4.)
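The graph-isomorphism Σ-protocol of slides 4 to 6, written out as an added example (not code from the talk): the honest prover and verifier, the soundness bound 1/2^k computed exactly for a cheating prover on a false statement, and the zero-knowledge simulator that produces accepting transcripts without π. The graph encoding, the sample graphs and all function names are constructed here.

```python
"""Σ-protocol for Graph Isomorphism (slides 4-6): honest prover/verifier, the
soundness argument for a false statement, and the zero-knowledge simulator.
Added example; graph encoding, sample graphs and names are constructed here."""
import random
from fractions import Fraction
from itertools import product

# A graph on vertices 0..n-1 is a frozenset of undirected edges (u, v) with u < v.
def apply_perm(graph, perm):
    """Image of the graph under the vertex relabelling v ↦ perm[v]."""
    return frozenset(tuple(sorted((perm[u], perm[v]))) for u, v in graph)

def compose(outer, inner):
    """(outer ∘ inner)(v) = outer[inner[v]]."""
    return tuple(outer[inner[v]] for v in range(len(inner)))

def inverse(perm):
    inv = [0] * len(perm)
    for v, image in enumerate(perm):
        inv[image] = v
    return tuple(inv)

def random_perm(n, rng):
    perm = list(range(n))
    rng.shuffle(perm)
    return tuple(perm)

# Honest prover: knows pi with G1 = pi(G0).
def prover_commit(G0, pi, rng):
    """Message 1: H := sigma(G0) for a fresh random sigma (kept as prover state)."""
    sigma = random_perm(len(pi), rng)
    return apply_perm(G0, sigma), sigma

def prover_respond(sigma, pi, c):
    """Message 3: t := sigma ∘ pi^(-c), so that t(G_c) = H for either challenge."""
    return sigma if c == 0 else compose(sigma, inverse(pi))

def verify(G0, G1, H, c, t):
    """Verifier's check H = t(G_c)."""
    return H == apply_perm((G0, G1)[c], t)

def run_honest(G0, G1, pi, k, rng):
    """k sequential rounds with uniformly random challenges; True iff all accept."""
    for _ in range(k):
        H, sigma = prover_commit(G0, pi, rng)
        c = rng.randrange(2)
        if not verify(G0, G1, H, c, prover_respond(sigma, pi, c)):
            return False
    return True

# Dishonest prover for a false statement (G0 and G1 not isomorphic): all it can do is
# guess the challenge in advance and prepare H as a relabelling of G_guess; H is then
# isomorphic to at most one of the two graphs, so the other challenge cannot be answered.
def cheating_commit(G0, G1, n, guess, rng):
    sigma = random_perm(n, rng)
    return apply_perm((G0, G1)[guess], sigma), sigma

def exact_cheat_probability(G0, G1, n, k, rng=None):
    """Enumerate all 2^k challenge vectors against a cheater who always guesses 0 (any fixed
    guess vector gives the same count); returns the accepted fraction, which is 1/2^k."""
    rng = rng if rng is not None else random.Random(0)
    accepted = 0
    for challenges in product((0, 1), repeat=k):
        ok = True
        for c in challenges:
            H, sigma = cheating_commit(G0, G1, n, 0, rng)
            ok = ok and verify(G0, G1, H, c, sigma)
        accepted += ok
    return Fraction(accepted, 2 ** k)

# Zero-knowledge: a simulator without pi samples the challenge first, then a random t,
# and sets H := t(G_c); such transcripts are distributed exactly like real ones.
def simulate_transcript(G0, G1, n, rng):
    c = rng.randrange(2)
    t = random_perm(n, rng)
    return apply_perm((G0, G1)[c], t), c, t

# Constructed instance: a path on 4 vertices, its image under PI, and a star
# (not isomorphic to the path: the degree sequences differ).
PATH = frozenset({(0, 1), (1, 2), (2, 3)})
PI = (2, 0, 3, 1)
PATH_IMAGE = apply_perm(PATH, PI)
STAR = frozenset({(0, 1), (0, 2), (0, 3)})

def demo(seed=2019):
    """(honest prover accepted over 8 rounds, exact cheat probability for k=3, simulated transcript verifies)."""
    rng = random.Random(seed)
    honest = run_honest(PATH, PATH_IMAGE, PI, 8, rng)
    cheat = exact_cheat_probability(PATH, STAR, 4, 3, rng)
    H, c, t = simulate_transcript(PATH, PATH_IMAGE, 4, rng)
    return honest, cheat, verify(PATH, PATH_IMAGE, H, c, t)

if __name__ == "__main__":
    print(demo())
```

`demo()` returns `(True, Fraction(1, 8), True)`: the honest prover always passes, the cheater on the non-isomorphic pair passes three rounds with probability exactly 1/8, and the simulated transcript is accepted even though nobody involved knew π.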

  7. The Fiat-Shamir Transformation.
     Σ: P (input x, w) sends a; V (input x) sends c ← {0,1}^n; P sends z; V checks V(x, a, c, z)?
     FS[Σ]: P sets c := H(a) and outputs the proof π = (a, z); V checks V(x, a, H(a), z)?

  8. The Fiat-Shamir Transformation (cont.). Hope is: if H is a "good" cryptographic hash function that behaves like a random function, then FS[Σ] inherits the security properties of Σ. Works well in practice; cannot be proven.
     (Σ: a; c ← {0,1}^n; z; check V(x, a, c, z)? FS[Σ]: π = (a, z) with c := H(a); check V(x, a, H(a), z)?)

  9. The Fiat-Shamir Transformation (cont.). Side remark: understanding x as public key and w as secret key, and setting c := H(m, a), a proof π forms a signature on m (it can be computed only by someone who knows w).
     (Hope, as on slide 8: if H is a "good" cryptographic hash function that behaves like a random function, then FS[Σ] inherits the security properties of Σ. Works well in practice; cannot be proven.)

  10. The Random Oracle Model, in the context here. Idea: in FS[Σ], do not let H be a fixed function known to P and V, but instead let H be a random function unknown to P and V, accessible (only) via an oracle, the random oracle (RO). P queries the RO on a and receives H(a), sets c := H(a) and outputs π = (a, z); V queries the RO on a and checks V(x, a, H(a), z).

  11. Σ versus FS[Σ] in the RO Model. Σ: P (x, w) sends a to V, receives c, sends z. FS[Σ]: P (x, w) sends a to the RO, receives H(a), outputs π = (a, z).

  12. Σ versus FS[Σ] in the RO Model (cont.). A dishonest prover P can query the RO many times.

  13. Security of FS[Σ] in the (classical) RO Model. Classical result:
      Theorem. If Σ is secure then FS[Σ] is secure in the ROM.
      Security is w.r.t. any notion regarding a dishonest prover P: secure ∈ { comp./stat. sound, comp./stat. proof-of-knowledge }.
      The RO heuristic then suggests security in real life if a "good enough" cryptographic hash function is used (cannot be proven, but works well in practice).
      Remark: this RO methodology is used throughout crypto (to avoid no-go results and to obtain more efficient schemes).

  14. The Proof. Transformation: P attacking FS[Σ] in the ROM ⇝ P′ attacking Σ.
      P′ runs P and answers its RO queries a₁, …, a_q: choose i ← {1, …, q}; answer the queries before the i-th with H; at the i-th query set a′ := a_i, send a′ to the Σ-verifier and receive the challenge c′; from the i-th query on, answer with H′ where H′(a_i) = H′(a′) := c′ and H′ := H otherwise; when P outputs (a, z), set z′ := z and send it to the Σ-verifier.
      Given: Pr[V(x, a, H(a), z)] ≥ δ.

  15. The Proof (cont.). Need to make sure: Pr[V(x, a, H′(a), z)] ≥ δ (since c′ is uniformly random, H′ is again a random function, so P's view is unchanged). Easy to see: a = a_i holds with prob. ≈ 1/q. Hence Pr[V(x, a′, c′, z′)] ≳ δ/q.
      (Transformation as on slide 14: choose i ← {1, …, q}; a′ := a_i; from the i-th query on answer with H′ where H′(a_i) = H′(a′) := c′ and H′ := H otherwise; z′ := z.)
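The Fiat-Shamir transformation of slides 7 to 9 and the classical ROM reduction P ⇝ P′ of slides 14 and 15, as one added example that is not code from the talk. It uses the Σ-protocol for the discrete-logarithm relation x = g^w (a Schnorr-style protocol, chosen over the graph-isomorphism example only because its arithmetic is compact) over a deliberately tiny constructed group (p = 23, g = 2 of order 11), a lazily sampled random oracle, a dishonest "grinding" prover P that has no w and simply retries commitments until H(a) matches a pre-chosen challenge, and the reduction P′ that guesses the query index i, forwards a_i as its own commitment and reprograms H′(a_i) := c′. All names and parameters are assumptions made here.

```python
"""Fiat-Shamir on a Schnorr-style Σ-protocol (x = g^w, prover knows w) and the
classical ROM reduction P ⇝ P′ of slides 14-15. Added example, not from the talk:
the toy group (p = 23, g = 2 of order 11, so challenges are in Z_11), the grinding
prover and all names are constructed here."""
import random

P_MOD, ORDER, G = 23, 11, 2   # 2^11 ≡ 1 (mod 23); a challenge space of size 11 is a toy, never for real use

# Σ-protocol: a = g^r, c ← Z_11, z = r + c·w (mod 11); V checks g^z = a·x^c (mod p).
def sigma_commit(rng):
    r = rng.randrange(ORDER)
    return pow(G, r, P_MOD), r

def sigma_respond(r, w, c):
    return (r + c * w) % ORDER

def sigma_verify(x, a, c, z):
    return pow(G, z, P_MOD) == (a * pow(x, c, P_MOD)) % P_MOD

class RandomOracle:
    """Lazily sampled random function H: a ↦ c ∈ Z_11 (the RO of slide 10)."""
    def __init__(self, rng):
        self.rng, self.table = rng, {}
    def query(self, a):
        if a not in self.table:
            self.table[a] = self.rng.randrange(ORDER)
        return self.table[a]

def fs_prove(w, query, rng):
    """FS[Σ] honest prover: c := H(a), proof π = (a, z)."""
    a, r = sigma_commit(rng)
    return a, sigma_respond(r, w, query(a))

def fs_verify(x, proof, query):
    a, z = proof
    return sigma_verify(x, a, query(a), z)

def honest_roundtrip(seed=1):
    """(Σ-protocol accepts honest P, FS[Σ] accepts honest P)."""
    rng = random.Random(seed)
    w = rng.randrange(ORDER)
    x = pow(G, w, P_MOD)
    a, r = sigma_commit(rng)
    c = rng.randrange(ORDER)
    oracle = RandomOracle(rng)
    return sigma_verify(x, a, c, sigma_respond(r, w, c)), fs_verify(x, fs_prove(w, oracle.query, rng), oracle.query)

def grinding_prover(x, query, rng, num_queries):
    """Dishonest FS prover without w: picks (c, z) first, derives the a that makes the
    Σ-check pass for that c, and hopes H(a) = c. In Z_11 that happens with prob. ≈ num_queries/11,
    which is exactly why FS needs a large challenge space. Returns (a, z) or None."""
    for _ in range(num_queries):
        c, z = rng.randrange(ORDER), rng.randrange(ORDER)
        a = (pow(G, z, P_MOD) * pow(x, -c, P_MOD)) % P_MOD   # a = g^z · x^(-c)  (Python 3.8+ modular inverse)
        if query(a) == c:
            return a, z
    return None

def reduction_trial(x, num_queries, rng):
    """P′ of slide 14: run P, guess the index i of the query whose answer P will use, forward
    that query point as the Σ-commitment a′, and from query i on answer with H′ where
    H′(a′) := c′ (the Σ-verifier's challenge) and H′ = H elsewhere. True iff V accepts (a′, c′, z′).
    As in the classical argument, P's queries are treated as distinct."""
    oracle = RandomOracle(rng)
    i = rng.randrange(1, num_queries + 1)
    state = {"count": 0, "a_prime": None, "c_prime": None}

    def reprogrammed_query(a):
        state["count"] += 1
        if state["count"] == i:
            state["a_prime"], state["c_prime"] = a, rng.randrange(ORDER)  # V's uniformly random c′
            oracle.table[a] = state["c_prime"]                            # H′(a′) := c′
        return oracle.query(a)

    out = grinding_prover(x, reprogrammed_query, rng, num_queries)
    if out is None or out[0] != state["a_prime"]:   # P′ only wins when P's a equals a_i
        return False
    return sigma_verify(x, state["a_prime"], state["c_prime"], out[1])   # z′ := z

def success_counts(trials, num_queries=ORDER, seed=7):
    """(# trials where P breaks FS[Σ], # trials where P′ breaks Σ). The second is roughly the
    first divided by num_queries: the 1/q loss of slide 15, visible in numbers."""
    rng = random.Random(seed)
    w = rng.randrange(ORDER)
    x = pow(G, w, P_MOD)
    fs_wins = sum(grinding_prover(x, RandomOracle(rng).query, rng, num_queries) is not None
                  for _ in range(trials))
    sigma_wins = sum(reduction_trial(x, num_queries, rng) for _ in range(trials))
    return fs_wins, sigma_wins

if __name__ == "__main__":
    print("honest:", honest_roundtrip())
    print("(P wins, P' wins) out of 2000:", success_counts(2000))
```

With q = 11 queries against an 11-element challenge space, P forges an FS proof in roughly 65% of trials, while P′ convinces the interactive Σ-verifier in roughly a q-th of those; the reduction is correct but pays exactly the factor 1/q that slide 15 states, and the large P success rate itself is the reminder that the challenge space must be exponentially large in practice.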

  16. Part II: The Quantum Random Oracle Model

  17. FS[Σ] in the Quantum RO Model (QROM). If the dishonest P is equipped with a quantum computer: in real life, P can compute H in quantum superposition, so in the RO model we must allow P superposition queries. A dishonest prover P can query the RO many times and in quantum superposition, i.e. RO : Σ_a β_a |a⟩ ↦ Σ_a β_a |a⟩|H(a)⟩. FS[Σ]: P outputs π = (a, z).

  18. Big Question. Classical result: Theorem. If Σ is secure then FS[Σ] is secure in the ROM. (Here, security always refers to a dishonest prover P.) Is that still true in the Quantum ROM???

  19. What's the Problem? The queries are now in superposition: the j-th query Σ β_{a_j} |a_j⟩ is answered as Σ β_{a_j} |a_j⟩|H(a_j)⟩. Natural approach: choose i ← {1, …, q}; measure the i-th query Σ β_{a_i} |a_i⟩ to obtain a′ := a_i; from the i-th query on answer with H′ where H′(a_i) = H′(a′) := c′ and H′ := H otherwise; set z′ := z. Given Pr[V(x, a, H(a), z)] ≥ δ. Problem: the measurement disturbs the state, and it is unclear how this affects P.

  20. Known Results. Partial positive results [Unruh15 & 17]: security of another, less efficient, transformation; Σ statistically sound ⇒ FS[Σ] computationally sound in the QROM. Negative claims: [DFG13] claim impossibility for proof-of-knowledge; [Unruh17] claims necessity of the stat-to-comp degradation (both claims have unconvincing reasoning).

  21. Our Result. Theorem. If Σ is secure then FS[Σ] is secure in the QROM. Also here: security is w.r.t. secure ∈ { comp./stat. sound, comp./stat. proof-of-knowledge } or any reasonable notion regarding a dishonest prover P. Small caveat: our security reduction is less tight: a q² loss, rather than q. Remark: in independent work, Liu & Zhandry showed the same kind of result, but with a q⁹ loss.

  22. Intuition. Natural approach (as on slide 19): choose i ← {1, …, q}; set a′ := a_i, obtained by measuring the i-th query Σ β_{a_i} |a_i⟩; answer that query with |a_i⟩|c′⟩ and, from the i-th query on, answer with H′; set z′ := z. Given Pr[V(x, a, H(a), z)] ≥ δ. Recall: H′(a_i) = H′(a′) := c′ and H′ := H otherwise.

  23. Intuition (cont.). Problem: the measurement may be detected by P! But: such detection destroys the information gained on H! Thus: it should work if i is the query where P learns H(a). Can this be turned into a rigorous proof? No!
      (Natural approach as on slide 22: measure the i-th query to obtain a′ := a_i, answer it with |a_i⟩|c′⟩, answer with H′ from the i-th query on, set z′ := z; recall H′(a_i) = H′(a′) := c′ and H′ := H otherwise.)

  24. A Small Tweak. Our approach: as before, choose i ← {1, …, q} and set a′ := a_i, obtained by measuring the i-th query; but answer the i-th query either with |a_i⟩|c′⟩ or with |a_i⟩|H(a_i)⟩, i.e. reprogram from the i-th or from the (i+1)-st query on. From then on answer with H′, where H′(a_i) = H′(a′) := c′ and H′ := H otherwise; set z′ := z. Given Pr[V(x, a, H(a), z)] ≥ δ. Remark: the uniformly random H can be dealt with by replacing it with a 2q-wise independent function.

  25. Part III: The Proof
