Presentation is loading. Please wait.

Presentation is loading. Please wait.

Post-Quantum Security of Fiat-Shamir

Published byVeronica Newton Modified over 5 years ago

Similar presentations

Presentation on theme: "Post-Quantum Security of Fiat-Shamir"β€” Presentation transcript:

1 Post-Quantum Security of Fiat-Shamir
Dominique Unruh University of Tartu

2 Fiat-Shamir (overview)
Non-interactive proof system: Zero-knowledge proof of knowledge Signature scheme (Signer proves knowledge of sk) Quantum secure? Prover π‘π‘œπ‘š,𝐻 π‘π‘œπ‘š ,π‘Ÿπ‘’π‘ π‘ Verifier statement witness statement Verifier learns β€œnothing” Prover must know witness Quantum Fiat-Shamir

3 Understanding FS: Sigma protocols
Interactive proof system Honest-verifier zero-knowledge Interaction 𝑃↔𝑉 efficiently simulated Special soundness Given: π‘Ÿπ‘’π‘ π‘ for two π‘β„Žπ‘Žπ‘™π‘™ (same π‘π‘œπ‘š) Get: Witness P V commitment challenge response Quantum Fiat-Shamir

4 Understanding FS: The construction
Verifier Prover Prover sends simulated sigma-proto interaction οƒ  Soundness of sigma-protocol carries over P V π‘π‘œπ‘š π‘β„Žπ‘Žπ‘™π‘™β‰” 𝐻(π‘π‘œπ‘š) π‘π‘œπ‘š,π‘β„Žπ‘Žπ‘™π‘™,π‘Ÿπ‘’π‘ π‘ π‘β„Žπ‘Žπ‘™π‘™ π‘Ÿπ‘’π‘ π‘ Quantum Fiat-Shamir

5 Breaking FS soundness (quantum)
Artificial sigma-protocol [Ambainis,Rosmanis,U14] (relative to specific oracles) P Can give π‘Ÿπ‘’π‘ π‘ for any π‘β„Žπ‘Žπ‘™π‘™ (using |Ξ¨βŒͺ) Only once (|Ξ¨βŒͺ used up) FS insecure (soundness) But: sigma-protocol has special soundness π‘π‘œπ‘šπ‘š |Ξ¨βŒͺ π‘β„Žπ‘Žπ‘™π‘™ π‘Ÿπ‘’π‘ π‘ Quantum Fiat-Shamir

6 Breaking FS soundness (quantum)
FS not secure in general For quantum attackers Relative to specific oracles Ways out: Non-relativizing proofs? Doubtful. Other protocols? Yes. Extra conditions on sigma-protocol? This talk. [U15] [Dagdelen, Fischlin,Gagliardoni13] Quantum Fiat-Shamir

7 Main result Sigma protocol Fiat-Shamir Statistical soundness
Reduction to quantum search Simulation soundness Stronger than classical Weaker than classical Honest verifier ZK Adaptive RO reprogramming Zero knowledge Unpredictable commitments Complete Complete Quantum Fiat-Shamir

8 P V P V Soundness proof Sigma protocol
Def: π‘β„Žπ‘Žπ‘™π‘™ is β€œpromising” if βˆƒ π‘Ÿπ‘’π‘ π‘ P V π‘π‘œπ‘š π‘β„Žπ‘Žπ‘™π‘™ π‘Ÿπ‘’π‘ π‘ statistical soundness ⟹ For any π‘π‘œπ‘š, few promising π‘β„Žπ‘Žπ‘™π‘™ Hard to find: π‘π‘œπ‘š with 𝐻(π‘₯,π‘π‘œπ‘š) promising Fiat-Shamir Hard to break Fiat-Shamir soundness: Finding valid π‘π‘œπ‘š,𝐻 π‘₯,π‘π‘œπ‘š ,π‘Ÿπ‘’π‘ π‘ P π‘π‘œπ‘š,𝐻 π‘₯,π‘π‘œπ‘š ,π‘Ÿπ‘’π‘ π‘ V Quantum Fiat-Shamir

9 Simulation sound extractability
What about signatures? Quantum Classical approach: Sigma protocol Fiat-Shamir (as proof) Statistical Special soundness Simulation sound extractability βœ” ? Fiat-Shamir (as signature) Unforgeability Honest verifier ZK Zero knowledge Hard instances Dual-mode Hard to guess π‘ π‘˜ from π‘π‘˜ π‘π‘˜ indistinguishable from π‘π‘˜ without π‘ π‘˜ Quantum Fiat-Shamir

10 Open problems Suitable sigma protocols [Kiltz,Lyubashevsky,Schaffner]?
Stronger guarantees: Extractability? Weaker assms: Computational soundness? Tightness of reductions Quantum Fiat-Shamir

11 I thank you for your attention
This research was supported by European Social Fund’s Doctoral Studies and Internationalisation Programme DoRa

Download ppt "Post-Quantum Security of Fiat-Shamir"

Similar presentations

Perfect Non-interactive Zero-Knowledge for NP

Perfect Non-interactive Zero-Knowledge for NP
Simulation-sound NIZK Proofs for a Practical Language and Constant Size Group Signatures Jens Groth University of California Los Angeles Presenter: Eike.

Simulation-sound NIZK Proofs for a Practical Language and Constant Size Group Signatures Jens Groth University of California Los Angeles Presenter: Eike.
Non-interactive Zero- Knowledge Arguments for Voting Jens Groth UCLA.

Non-interactive Zero- Knowledge Arguments for Voting Jens Groth UCLA.
On the (Im)Possibility of Arthur-Merlin Witness Hiding Protocols Iftach Haitner, Alon Rosen and Ronen Shaltiel 1.

On the (Im)Possibility of Arthur-Merlin Witness Hiding Protocols Iftach Haitner, Alon Rosen and Ronen Shaltiel 1.
Are PCPs Inherent in Efficient Arguments? Guy Rothblum, MIT ) MSR-SVC ) IAS Salil Vadhan, Harvard University.

Are PCPs Inherent in Efficient Arguments? Guy Rothblum, MIT ) MSR-SVC ) IAS Salil Vadhan, Harvard University.
Strict Polynomial-Time in Simulation and Extraction Boaz Barak & Yehuda Lindell.

Strict Polynomial-Time in Simulation and Extraction Boaz Barak & Yehuda Lindell.
Zero Knowledge Proofs(2) Suzanne van Wijk & Maaike Zwart

Zero Knowledge Proofs(2) Suzanne van Wijk & Maaike Zwart
Efficient Non-Interactive Zero Knowledge Arguments for Set Operations Prastudy Fauzi, Helger Lipmaa, Bingsheng Zhang University of Tartu, University of.

Efficient Non-Interactive Zero Knowledge Arguments for Set Operations Prastudy Fauzi, Helger Lipmaa, Bingsheng Zhang University of Tartu, University of.
The Complexity of Zero-Knowledge Proofs Salil Vadhan Harvard University.

The Complexity of Zero-Knowledge Proofs Salil Vadhan Harvard University.
Vote privacy: models and cryptographic underpinnings Bogdan Warinschi University of Bristol 1.

Vote privacy: models and cryptographic underpinnings Bogdan Warinschi University of Bristol 1.
Efficient Zero-Knowledge Proof Systems Jens Groth University College London.

Efficient Zero-Knowledge Proof Systems Jens Groth University College London.
1 Identity-Based Zero-Knowledge Jonathan Katz Rafail Ostrovsky Michael Rabin U. Maryland U.C.L.A. Harvard U.

1 Identity-Based Zero-Knowledge Jonathan Katz Rafail Ostrovsky Michael Rabin U. Maryland U.C.L.A. Harvard U.
Rennes, 24/10/2014 Cristina Onete CIDRE/ INRIA Sigma Protocols and (Non-Interactive) Zero Knowledge.

Rennes, 24/10/2014 Cristina Onete CIDRE/ INRIA Sigma Protocols and (Non-Interactive) Zero Knowledge.
Dominique Unruh Non-interactive zero-knowledge with quantum random oracles Dominique Unruh University of Tartu With Andris Ambainis, Ansis Rosmanis Estonian.

Dominique Unruh Non-interactive zero-knowledge with quantum random oracles Dominique Unruh University of Tartu With Andris Ambainis, Ansis Rosmanis Estonian.
Computational Security. Overview Goal: Obtain computational security against an active adversary. Hope: under a reasonable cryptographic assumption, obtain.

Computational Security. Overview Goal: Obtain computational security against an active adversary. Hope: under a reasonable cryptographic assumption, obtain.
Isolated PoK and Isolated ZK Ivan DamgΓ₯rd, Jesper Buus Nielsen and Daniel Wichs.

Isolated PoK and Isolated ZK Ivan DamgΓ₯rd, Jesper Buus Nielsen and Daniel Wichs.
13. Oktober 2010 | Dr.Marc Fischlin | Kryptosicherheit | 1 Adaptive Proofs of Knowledge in the Random Oracle Model 21. PKC 2015 Marc Fischlin joint work.

13. Oktober 2010 | Dr.Marc Fischlin | Kryptosicherheit | 1 Adaptive Proofs of Knowledge in the Random Oracle Model 21. PKC 2015 Marc Fischlin joint work.
1 Vipul Goyal Abhishek Jain Rafail Ostrovsky Silas Richelson Ivan Visconti Microsoft Research India MIT and BU UCLA University of Salerno, Italy Constant.

1 Vipul Goyal Abhishek Jain Rafail Ostrovsky Silas Richelson Ivan Visconti Microsoft Research India MIT and BU UCLA University of Salerno, Italy Constant.
On the Composition of Public- Coin Zero-Knowledge Protocols Rafael Pass (Cornell) Wei-Lung Dustin Tseng (Cornell) Douglas WiktrΓΆm (KTH) 1.

On the Composition of Public- Coin Zero-Knowledge Protocols Rafael Pass (Cornell) Wei-Lung Dustin Tseng (Cornell) Douglas WiktrΓΆm (KTH) 1.
Efficient Zero-Knowledge Proof Systems Jens Groth University College London.

Efficient Zero-Knowledge Proof Systems Jens Groth University College London.

Similar presentations

Ads by Google