Security of the Fiat-Shamir Transformation in the Quantum Random-Oracle Model

  • Jelle Don
  • Serge Fehr
  • Christian Majenz
  • Christian Schaffner
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 11693)

Abstract

The famous Fiat-Shamir transformation turns any public-coin three-round interactive proof, i.e., any so-called \(\Sigma\)-protocol, into a non-interactive proof in the random-oracle model. We study this transformation in the setting of a quantum adversary that in particular may query the random oracle in quantum superposition.

Our main result is a generic reduction that transforms any quantum dishonest prover attacking the Fiat-Shamir transformation in the quantum random-oracle model into a similarly successful quantum dishonest prover attacking the underlying \(\Sigma\)-protocol (in the standard model). Applied to the standard soundness and proof-of-knowledge definitions, our reduction implies that both these security properties, in both the computational and the statistical variant, are preserved under the Fiat-Shamir transformation even when allowing quantum attacks. Our result improves and completes the partial results that have been known so far, but it also proves wrong certain claims made in the literature.

In the context of post-quantum secure signature schemes, our results imply that for any \(\Sigma\)-protocol that is a proof-of-knowledge against quantum dishonest provers (and that satisfies some additional natural properties), the corresponding Fiat-Shamir signature scheme is secure in the quantum random-oracle model. For example, we can conclude that the non-optimized version of Fish, which is the bare Fiat-Shamir variant of the NIST candidate Picnic, is secure in the quantum random-oracle model.
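As an added illustration, not code from the paper (which gives no implementation), the following Python sketch instantiates the \(\Sigma\)-protocol with Schnorr's proof of knowledge of a discrete logarithm, runs it interactively, and then applies the Fiat-Shamir transformation to it, including the signature variant from the paragraph above in which the signed message is folded into the hashed challenge. The group parameters, function names and sample message are all constructed for the example; the toy group is far too small for real use, and Schnorr's protocol is chosen for brevity, not the MPC-in-the-head protocol underlying Picnic and Fish.

```python
"""Schnorr Sigma-protocol and its Fiat-Shamir transform (added illustration).

Constructed for this page; not the paper's code. Toy parameters only.
"""
import hashlib
import secrets

# Toy group (constructed): safe prime P = 2*Q + 1, G generates the order-Q subgroup.
# Q is tiny here, so the challenge space (soundness error 1/Q) is far too small for
# real use; deployments use a 256-bit prime-order group.
P = 1019
Q = 509
G = 4  # 4 = 2^2 is a quadratic residue mod P, hence has order Q


def keygen():
    """Witness x (secret key) and statement y = g^x (public key)."""
    x = secrets.randbelow(Q - 1) + 1  # x in [1, Q-1], so y != 1
    return x, pow(G, x, P)


# ---- The interactive public-coin three-round protocol ----------------------

def prover_commit():
    """Round 1: prover picks fresh randomness r and sends a = g^r."""
    r = secrets.randbelow(Q - 1) + 1
    return r, pow(G, r, P)


def verifier_challenge():
    """Round 2: a public coin, i.e. a uniformly random challenge from Z_Q."""
    return secrets.randbelow(Q)


def prover_respond(x, r, c):
    """Round 3: z = r + c*x mod Q."""
    return (r + c * x) % Q


def sigma_verify(y, a, c, z):
    """Accept iff g^z == a * y^c mod P."""
    return pow(G, z, P) == (a * pow(y, c, P)) % P


def run_interactive(x, y):
    """Execute the three rounds honestly and return the verifier's verdict."""
    r, a = prover_commit()
    c = verifier_challenge()
    z = prover_respond(x, r, c)
    return sigma_verify(y, a, c, z)


# ---- The Fiat-Shamir transformation ---------------------------------------

def fs_challenge(y, a, msg=b""):
    """Replace the verifier's coin by a hash (standing in for the random oracle)
    of the statement y, the first message a and, for signatures, the message."""
    h = hashlib.sha256()
    for v in (P, Q, G, y, a):
        h.update(v.to_bytes(4, "big"))  # every value is < 2^32 in this toy group
    h.update(msg)
    return int.from_bytes(h.digest(), "big") % Q


def fs_prove(x, y, msg=b""):
    """Non-interactive proof: the prover derives the challenge itself."""
    r, a = prover_commit()
    c = fs_challenge(y, a, msg)
    return a, prover_respond(x, r, c)


def fs_verify(y, proof, msg=b""):
    """Recompute the challenge from the transcript, then run the Sigma-verifier."""
    a, z = proof
    return sigma_verify(y, a, fs_challenge(y, a, msg), z)


# Fiat-Shamir signature scheme: the message enters the hashed challenge, so a
# proof is bound to the statement y and to one particular message.
def sign(x, y, msg):
    return fs_prove(x, y, msg)


def verify_signature(y, sig, msg):
    return fs_verify(y, sig, msg)


if __name__ == "__main__":
    x, y = keygen()
    print("interactive run accepted:", run_interactive(x, y))
    sig = sign(x, y, b"constructed message")
    print("signature verifies:", verify_signature(y, sig, b"constructed message"))
    print("same signature, other message:", verify_signature(y, sig, b"other message"))
```

The only difference between the interactive and the non-interactive verifier is where the challenge comes from: the verifier's coin in `run_interactive`, the hash of the transcript in `fs_verify`. The paper's reduction is about exactly this step: an adversary that can choose its first message `a` after querying the oracle, in superposition, still cannot do better than a dishonest prover against the interactive verifier.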

Notes

Acknowledgement

We thank Tommaso Gagliardoni and Dominique Unruh for comments on early basic ideas of our approach, and Andreas Hülsing, Eike Kiltz and Greg Zaverucha for helpful discussions. We thank Thomas Vidick for helpful remarks on an earlier version of this article.

JD and SF were partly supported by the EU Horizon 2020 Research and Innovation Program Grant 780701 (PROMETHEUS). JD, CM, and CS were supported by a NWO VIDI grant (Project No. 639.022.519).

Copyright information

© International Association for Cryptologic Research 2019

Authors and Affiliations

  1. Centrum Wiskunde & Informatica (CWI), Amsterdam, Netherlands
  2. Institute for Logic, Language and Computation, University of Amsterdam, Amsterdam, Netherlands
  3. Mathematical Institute, Leiden University, Leiden, Netherlands
  4. QuSoft, Amsterdam, Netherlands
