Tight Adaptive Reprogramming in the QROM

Grilo, Alex B.; Hövelmanns, Kathrin; Hülsing, Andreas; Majenz, Christian

doi:10.1007/978-3-030-92062-3_22

Cited by 26 publications

(6 citation statements)

References 34 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Normally, this is not a big issue and the HVZK property will imply the multi-HVZK but this needn't be always the case. In [GHHM21], where the authors argue about the security of the Fiat-Shamir transform, they write "In our security proofs, we will have to argue that collections of honestly generated transcripts are indistinguishable from collections of simulated ones. Since it is not always clear whether computational HVZK implies computational HVZK for multiple transcripts, we extend our definition, accordingly: In the multi-HVZK game, the adversary obtains a collection of transcripts (rather than a single one).…”

Section: Mitigating the Attack: The Salt+ Index Constructionmentioning

confidence: 99%

“…The transformation is proven to be secure in both classical and quantum random-oracle model, if the identification has good properties. Recently in [GHHM21], the Fiat-Shamir is proven to be secure essentially if the underlying identification scheme has low soundness advantage and low t-HVZK advantage. For Stern's identification scheme, the soundness advantage will be immediate and the main focus of our work will be on the t-HVZK advantage.…”

Section: Signature Schemesmentioning

confidence: 99%

“…We show that this is not the case, by showing that Stern's scheme with the salt + index construction is multi-HVZK. Then, one can use the results of [GHHM21] to prove the EUF-CMA security of the resulting signature scheme.…”

Section: Zero-knowledge For Is Stern Without Pseudo-random Generatorsmentioning

confidence: 99%

See 2 more Smart Citations

On the (in)security of optimized Stern-like signature schemes

Chailloux,

Etinski

2023

Des. Codes Cryptogr.

View full text Add to dashboard Cite

Stern's signature scheme is a historically important code-based signature scheme. A crucial optimization of this scheme is to generate pseudo-random vectors and permutation instead of random ones, and most proposals that are based on Stern's signature use this optimization. However, its security has not been properly analyzed, especially when we use deterministic commitments. In this article, we study the security of this optimization. We first show that for some parameters, there is an attack that exploits this optimization and breaks the scheme in time O(2 λ 2 ) while the claimed security is λ bits. This impacts in particular the recent Quasy-cyclic Stern signature scheme [BGKS22]. Our second result shows that there is an efficient fix to this attack. By adding a string salt ∈ {0, 1} 2λ to the scheme, and changing slightly how the pseudorandom strings are generated, we prove not only that our attack doesn't work but that for any attack, the scheme preserves λ bits of security, and this fix increases the total signature size by only 2λ bits. We apply this construction to other optimizations on Stern's signature scheme, such as the use of Lee's metric or the use of hash trees, and we show how these optimizations improve the signature length of Stern's signature scheme.

show abstract

Section: Mitigating the Attack: The Salt+ Index Constructionmentioning

confidence: 99%

Section: Signature Schemesmentioning

confidence: 99%

See 1 more Smart Citation

On the (in)security of optimized Stern-like signature schemes

Chailloux,

Etinski

2023

Des. Codes Cryptogr.

View full text Add to dashboard Cite

show abstract

“…This implies that the only way to get a scheme secure against a quantum adversary is to use both chameleon hashes and other hash functions simulated as quantum random oracles in the proof. In this article, we extend this generic transformation to the QROM with a compatible-with-ROM case proof, using some adaptive reprogramming results of [17] (restated in Proposition 6).…”

Section: Generic Transformationmentioning

confidence: 99%

Shorter and Faster Identity-Based Signatures with Tight Security in the (Q)ROM from Lattices

Sageloli,

Pébereau,

Méaux

et al. 2023

Lecture Notes in Computer Science

View full text Add to dashboard Cite

We provide identity-based signature (IBS) schemes with tight security against adaptive adversaries, in the (classical or quantum) random oracle model (ROM or QROM), in both unstructured and structured lattices, based on the SIS or RSIS assumption. These signatures are short (of size independent of the message length). Our schemes build upon a work from Pan and Wagner (PQCrypto'21) and improve on it in several ways. First, we prove their transformation from nonadaptive to adaptive IBS in the QROM. Then, we simplify the parameters used and give concrete values. Finally, we simplify the signature scheme by using a non-homogeneous relation, which helps us reduce the size of the signature and get rid of one costly trapdoor delegation. On the whole, we get better security bounds, shorter signatures and faster algorithms.

show abstract

“…Then, the generic QROM reduction for the Fiat-Shamir transformation from [DFMS19] is used to construct a knowledge extractor for the signature scheme in the QROM from the extractor for the Σ-protocol. Finally, the technique from [GHHM21] is used for simulating the chosen-message oracle to reduce breaking NMA (no-message attack) security to breaking CMA (chosen-message attack) security. This final step connects to the previous one because for the signature scheme the witness extracted from an NMA attacker is the secret key.…”

Section: ⊓ ⊔mentioning

confidence: 99%

Efficient NIZKs and Signatures from Commit-and-Open Protocols in the QROM

Don¹,

Fehr²,

Majenz³

et al. 2022

Preprint

Self Cite

View full text Add to dashboard Cite

Commit-and-open Σ-protocols are a popular class of protocols for constructing noninteractive zero-knowledge arguments and digital-signature schemes via the Fiat-Shamir transformation. Instantiated with hash-based commitments, the resulting non-interactive schemes enjoy tight online-extractability in the random oracle model. Online extractability improves the tightness of security proofs for the resulting digital-signature schemes by avoiding lossy rewinding or forking-lemma based extraction.In this work, we prove tight online extractability in the quantum random oracle model (QROM), showing that the construction supports post-quantum security. First, we consider the default case where committing is done by element-wise hashing. In a second part, we extend our result to Merkletree based commitments. Our results yield a significant improvement of the provable post-quantum security of the digital-signature scheme Picnic. Our analysis makes use of a recent framework by Chung et al. [CFHL21] for analysing quantum algorithms in the QROM using purely classical reasoning. Therefore, our results can to a large extent be understood and verified without prior knowledge of quantum information science.

show abstract

Tight Adaptive Reprogramming in the QROM

Cited by 26 publications

References 34 publications

On the (in)security of optimized Stern-like signature schemes

On the (in)security of optimized Stern-like signature schemes

Shorter and Faster Identity-Based Signatures with Tight Security in the (Q)ROM from Lattices

Efficient NIZKs and Signatures from Commit-and-Open Protocols in the QROM

Contact Info

Product

Resources

About