Skip to content
Snippets Groups Projects
Commit 4d229154 authored by Fabio Campos's avatar Fabio Campos
Browse files

ACNS: changes to QROM

parent 1c2ec959
No related branches found
No related tags found
No related merge requests found
\section{Actively Secure Secret Shared Signature Protocols}\label{sec.signatures} \section{Actively Secure Secret Shared Signature Protocols}\label{sec.signatures}
We convert the key exchange mechanism in \hyperref[fig.keygen]{Algorithm \ref{fig.keygen}}, \hyperref[fig.encaps]{Algorithm \ref{fig.encaps}} and \hyperref[fig.decaps]{Algorithm \ref{fig.decaps}} into an actively secure signature scheme with secret shared signing key. We concede, that applying active security measures to a signature scheme to ensure the correctness of the resulting signature is counter-intuitive, since the correctness of a signature can easily be checked through the verifying protocol. Yet verification returning \(\false\) only shows that the signature is incorrect, a misbehaving shareholder cannot be identified this way. An actively secure signature scheme achieves just that. An identified cheating shareholder can hence be excluded from future runs of the signing protocol. We convert the key exchange mechanism in \hyperref[fig.keygen]{Algorithm \ref{fig.keygen}}, \hyperref[fig.encaps]{Algorithm \ref{fig.encaps}} and \hyperref[fig.decaps]{Algorithm \ref{fig.decaps}} into an actively secure signature scheme with secret shared signing key. We concede, that applying active security measures to a signature scheme to ensure the correctness of the resulting signature is counter-intuitive, since the correctness of a signature can easily be checked through the verifying protocol. Yet verification returning \(\false\) only shows that the signature is incorrect, a misbehaving shareholder cannot be identified this way. An actively secure signature scheme achieves just that. An identified cheating shareholder can hence be excluded from future runs of the signing protocol.
A signature scheme consists of three protocols: key generation, signing and verifying. We transfer the unmodified key generation protocol from the key exchange mechnism in \hyperref[sec.kem]{Section \ref{sec.kem}} to our signature scheme. The signing protocol is derived from the decapsulation protocol (\hyperref[fig.decaps]{Algorithm \ref{fig.decaps}}) by applying the Fiat-Shamir-transformation, the verifying protocol follows straightforward. The protocols are given in \hyperref[fig.sign]{Algorithm \ref{fig.sign}} and \hyperref[fig.ver]{Algorithm \ref{fig.ver}}.
Similar to \cite{DBLP:conf/asiacrypt/BeullensKV19}, the results from \cite{DBLP:conf/crypto/DonFMS19} on Fiat-Shamir in the QROM can be applied to our setting as follows. First, in the case without hashing, since the sigma protocol has special soundness \cite{DBLP:conf/asiacrypt/BeullensKV19} and in our case perfect unique reponses, \cite{DBLP:conf/crypto/DonFMS19} shows that the protocol is a quantum proof of knowledge. Further, in the case with hashing, the collapsingness property implies that the protocol has unique responses in a quantum scenario.\\
\noindent \textbf{Instantiations.} As a practical instantiation, we propose the available parameter set for CSIDH-512 HHS from \cite{DBLP:conf/asiacrypt/BeullensKV19}. Currently no other instantiation of the presented schemes seems feasible in a practical sense. Furthermore, according to recent works \cite{DBLP:conf/eurocrypt/Peikert20,DBLP:conf/eurocrypt/BonnetainS20} CSIDH-512 may not reach the initially estimated security level.
\begin{algorithm}[] \begin{algorithm}[]
\DontPrintSemicolon \DontPrintSemicolon
\SetAlgoShortEnd \SetAlgoShortEnd
...@@ -50,9 +56,9 @@ We convert the key exchange mechanism in \hyperref[fig.keygen]{Algorithm \ref{fi ...@@ -50,9 +56,9 @@ We convert the key exchange mechanism in \hyperref[fig.keygen]{Algorithm \ref{fi
\label{fig.sign} \label{fig.sign}
\end{algorithm} \end{algorithm}
A signature scheme consists of three protocols: key generation, signing and verifying. We transfer the unmodified key generation protocol from the key exchange mechnism in \hyperref[sec.kem]{Section \ref{sec.kem}} to our signature scheme. The signing protocol is derived from the decapsulation protocol (\hyperref[fig.decaps]{Algorithm \ref{fig.decaps}}) by applying the Fiat-Shamir-transformation, the verifying protocol follows straightforward. The protocols are given in \hyperref[fig.sign]{Algorithm \ref{fig.sign}} and \hyperref[fig.ver]{Algorithm \ref{fig.ver}}.\\
\noindent \textbf{Instantiations.} As a practical instantiation, we propose the available parameter set for CSIDH-512 HHS from \cite{DBLP:conf/asiacrypt/BeullensKV19}. Currently no other instantiation of the presented schemes seems feasible in a practical sense. Furthermore, according to recent works \cite{DBLP:conf/eurocrypt/Peikert20,DBLP:conf/eurocrypt/BonnetainS20} CSIDH-512 may not reach the initially estimated security level.
%Active security in our signing protocol is achieved by applying the Fiat-Shamir-transfer to the decapsulation protocol presented above. This gives us a signing protocol, in which each engaged shareholder outputs messages exactly once, making the protocol very efficient. %Active security in our signing protocol is achieved by applying the Fiat-Shamir-transfer to the decapsulation protocol presented above. This gives us a signing protocol, in which each engaged shareholder outputs messages exactly once, making the protocol very efficient.
% \begin{figure} % \begin{figure}
......
0% Loading or .
You are about to add 0 people to the discussion. Proceed with caution.
Please register or to comment