Tight adaptive reprogramming in the QROM

The random oracle model (ROM) enjoys widespread popularity, mostly because it tends to allow for tight and conceptually simple proofs where provable security in the standard model is elusive or costly. While it is the adequate replacement for the ROM in the post-quantum security setting, the quantum-accessible random oracle model (QROM) has thus far failed to provide these advantages in many settings. In this work, we focus on adaptive reprogrammability, a feature of the ROM that enables tight and simple proofs in many settings. We show that the straightforward quantum-accessible generalization of adaptive reprogramming is feasible by proving a bound on the adversarial advantage in distinguishing whether a random oracle has been reprogrammed or not. We show that our bound is tight by providing a matching attack. We go on to demonstrate that our technique recovers the mentioned advantages of the ROM in three QROM applications: 1) We give a tighter proof of security of the message compression routine as used by XMSS. 2) We show that the standard ROM proof of chosen-message security for Fiat-Shamir signatures can be lifted to the QROM straightforwardly, achieving a tighter reduction than previously known. 3) We give the first QROM proof of security against fault injection and nonce attacks for the hedged Fiat-Shamir transform.
