Post-Quantum Security of Fiat-Shamir

Presentation transcript:

Post-Quantum Security of Fiat-Shamir. Dominique Unruh, University of Tartu.

Fiat-Shamir (overview)
Non-interactive proof system, used as a zero-knowledge proof of knowledge or as a signature scheme (the signer proves knowledge of sk). Is it quantum secure?
The prover holds the statement and a witness; the verifier holds only the statement. The prover sends a single message (com, H(com), resp). The verifier learns "nothing" (zero knowledge), and the prover must know the witness (proof of knowledge).
Quantum Fiat-Shamir

Understanding FS: Sigma protocols
Interactive proof system with three messages: P → V: commitment; V → P: challenge; P → V: response.
Honest-verifier zero-knowledge: the interaction P ↔ V can be efficiently simulated.
Special soundness: given resp for two different chall (with the same com), one gets the witness.

Understanding FS: The construction
Sigma protocol: P → V: com; V → P: chall; P → V: resp.
Fiat-Shamir: the prover sets chall := H(com) and sends (com, chall, resp) to the verifier. In other words, the prover sends a simulated sigma-protocol interaction, and the soundness of the sigma protocol carries over.
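To make the two slides above concrete (sigma protocol, honest-verifier ZK, special soundness, and the transform chall := H(x, com)), here is an added example using Schnorr's protocol over a toy safe-prime group. It is not the talk's code; the group parameters, the hash-to-challenge encoding and all function names are assumptions, and it needs Python 3.8+ for negative modular exponents.

```python
# Added example (not the talk's code): Schnorr sigma protocol + Fiat-Shamir.
import hashlib
import secrets

# Constructed toy group (NOT a secure size): safe prime P = 2*Q + 1, and
# G = 2^2 generates the subgroup of prime order Q.
P, Q, G = 1019, 509, 4

def keygen():
    """Witness w (signing key) and statement y = G^w (public key)."""
    w = secrets.randbelow(Q - 1) + 1
    return w, pow(G, w, P)

def sigma_commit():
    """First message com = G^r; the prover keeps r for the response."""
    r = secrets.randbelow(Q)
    return r, pow(G, r, P)

def sigma_respond(w, r, chall):
    """Third message resp = r + chall * w mod Q."""
    return (r + chall * w) % Q

def sigma_verify(y, com, chall, resp):
    """Accept iff G^resp == com * y^chall."""
    return pow(G, resp, P) == (com * pow(y, chall, P)) % P

def fs_challenge(y, com):
    """chall := H(x, com), hashing the statement y with the commitment."""
    digest = hashlib.sha256(f"{y}|{com}".encode()).digest()
    return int.from_bytes(digest, "big") % Q

def fs_prove(y, w):
    """Non-interactive proof: the prover answers its own hashed challenge."""
    r, com = sigma_commit()
    chall = fs_challenge(y, com)
    return com, chall, sigma_respond(w, r, chall)

def fs_verify(y, proof):
    """Recompute the challenge from (x, com), then run the sigma verifier."""
    com, chall, resp = proof
    return chall == fs_challenge(y, com) and sigma_verify(y, com, chall, resp)

def hvzk_simulate(y):
    """Accepting transcript built without w: choose chall and resp first,
    then solve com = G^resp * y^(-chall) (negative modular pow, Python 3.8+)."""
    chall, resp = secrets.randbelow(Q), secrets.randbelow(Q)
    return (pow(G, resp, P) * pow(y, -chall, P)) % P, chall, resp

def special_soundness_extract(c1, s1, c2, s2):
    """Two accepting responses for one com and chall c1 != c2 reveal w."""
    return ((s1 - s2) * pow(c1 - c2, -1, Q)) % Q
```

A simulated transcript passes sigma_verify but (except by chance) not fs_verify, because its challenge is not H(x, com); letting the simulator succeed non-interactively is what the random-oracle reprogramming in the zero-knowledge proof provides.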

Breaking FS soundness (quantum)
Artificial sigma protocol [Ambainis, Rosmanis, U14], relative to specific oracles: the prover holds a quantum state |Ψ⟩, sends com, and can give resp for any chall (using |Ψ⟩), but only once, since |Ψ⟩ is used up.
Consequence: FS is insecure (soundness), even though the sigma protocol has special soundness.

Breaking FS soundness (quantum)
FS is not secure in general: for quantum attackers, relative to specific oracles.
Ways out: non-relativizing proofs? Doubtful. Other protocols? Yes. Extra conditions on the sigma protocol? This talk.
[U15] [Dagdelen, Fischlin, Gagliardoni 13]

Main result: which properties of the sigma protocol carry over to Fiat-Shamir, and by which proof technique.
Sigma protocol                                  | Technique                   | Fiat-Shamir
Statistical soundness (stronger than classical) | Reduction to quantum search | Simulation soundness (weaker than classical)
Honest-verifier ZK + unpredictable commitments  | Adaptive RO reprogramming   | Zero knowledge
Complete                                        |                             | Complete

Soundness proof
Sigma protocol (P → V: com; V → P: chall; P → V: resp). Definition: chall is "promising" for a given com if there exists an accepting resp. Statistical soundness ⟹ for any com, few chall are promising.
Hence it is hard to find a com such that H(x, com) is promising (this is the reduction to quantum search).
Fiat-Shamir: breaking soundness means finding a valid (com, H(x, com), resp), which the prover sends to the verifier. Therefore FS soundness is hard to break.

Simulation sound extractability
What about signatures? Classical approach: sigma protocol with special soundness ⟹ Fiat-Shamir (as proof) with simulation-sound extractability ⟹ Fiat-Shamir (as signature) with unforgeability; honest-verifier ZK ⟹ zero knowledge.
Quantum: statistical soundness gives simulation soundness ✔, but extractability ?
Additional ingredient: hard instances that are dual-mode: it is hard to guess sk from pk, and pk is indistinguishable from a pk generated without sk.

Open problems
Suitable sigma protocols [Kiltz, Lyubashevsky, Schaffner]? Stronger guarantees: extractability? Weaker assumptions: computational soundness? Tightness of reductions.

I thank you for your attention. This research was supported by the European Social Fund's Doctoral Studies and Internationalisation Programme DoRa.