@@ -50,7 +50,6 @@ We convert the key exchange mechanism in \hyperref[fig.keygen]{Algorithm \ref{fi
\label{fig.sign}
\end{algorithm}
A signature scheme consists of three protocols: key generation, signing and verifying. We transfer the unmodified key generation protocol from the key exchange mechnism in \hyperref[sec.kem]{Section \ref{sec.kem}} to our signature scheme. The signing protocol is derived from the decapsulation protocol (\hyperref[fig.decaps]{Algorithm \ref{fig.decaps}}) by applying the Fiat-Shamir-transformation, the verifying protocol follows straightforward. The protocols are given in \hyperref[fig.sign]{Algorithm \ref{fig.sign}} and \hyperref[fig.ver]{Algorithm \ref{fig.ver}}.
%Active security in our signing protocol is achieved by applying the Fiat-Shamir-transfer to the decapsulation protocol presented above. This gives us a signing protocol, in which each engaged shareholder outputs messages exactly once, making the protocol very efficient.
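Review bot: the commented-out sentence at the end of this hunk ("%Active security in our signing protocol is achieved by applying the Fiat-Shamir-transfer ...") is the same sentence that the later hunk inserts as live text after the algorithm; keep one copy and delete the commented one, otherwise the source carries a stale duplicate. In the live paragraph, "mechnism" should be "mechanism", "Fiat-Shamir-transformation" should be "Fiat-Shamir transformation" (the next hunk spells it "Fiat-Shamir-transfer", so pick one spelling and use it throughout), and "the verifying protocol follows straightforward" should read "the verifying protocol follows straightforwardly". Since the text applies Fiat-Shamir to the decapsulation protocol but the QROM argument later speaks of "the sigma protocol", say here which sigma protocol (prover, challenge, response) the decapsulation protocol is being viewed as, so a reader can match the two.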
...
...
@@ -124,6 +123,11 @@ A signature scheme consists of three protocols for key generation, signing and v
Active security in our signing protocol is achieved by applying the Fiat-Shamir-transfer to the decapsulation protocol presented above. This gives us a signing protocol, in which each engaged shareholder outputs messages exactly once, making the protocol very efficient.
Simulatability and active security of the signing protocol can be proven similar to \autoref{thm.actsecu}. Thus, we skip the proofs deeming them only little instructive.
Similar to \cite{DBLP:conf/asiacrypt/BeullensKV19}, the results from \cite{DBLP:conf/crypto/DonFMS19} on Fiat-Shamir in the QROM can be applied to our setting as follows.
First, in the case without hashing, since the sigma protocol has special soundness \cite{DBLP:conf/asiacrypt/BeullensKV19} and in our case perfect unique reponses, \cite{DBLP:conf/crypto/DonFMS19} shows that the protocol is a quantum proof of knowledge. Further, in the case with hashing, the collapsingness property implies that the protocol has unique responses in a quantum scenario.\\
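Review bot: "Thus, we skip the proofs deeming them only little instructive" gives the reader no way to check that \autoref{thm.actsecu} carries over, even though the signing protocol is derived from decapsulation rather than identical to it; add at least a one-paragraph sketch of what changes in the simulator when the challenge is produced by the Fiat-Shamir hash instead of by the verifier, and reword the sentence (e.g. "can be proven similarly to \autoref{thm.actsecu}; we omit the proofs, which follow the same structure"). The QROM paragraph states that the sigma protocol "is a quantum proof of knowledge" but never states the conclusion for the signature scheme itself; spell out which security notion for the signature follows from \cite{DBLP:conf/crypto/DonFMS19} in each of the two cases (without hashing, with hashing via collapsingness), since that is the property a user of the scheme needs. Also "reponses" should be "responses", "Fiat-Shamir-transfer" should be "Fiat-Shamir transform", and the trailing "\\" at the end of the paragraph should be replaced by a blank line.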
@@ -168,10 +172,4 @@ Active security in our signing protocol is achieved by applying the Fiat-Shamir-
\end{figure}
\end{comment}
Simulatability and active security of the signing protocol can be proven similar to \autoref{thm.actsecu}. Thus, we skip the proofs deeming them only little instructive.\\
Similar to \cite{DBLP:conf/asiacrypt/BeullensKV19}, the results from \cite{DBLP:conf/crypto/DonFMS19} on Fiat-Shamir in the QROM can be applied to our setting as follows.
First, in the case without hashing, since the sigma protocol has special soundness \cite{DBLP:conf/asiacrypt/BeullensKV19} and in our case perfect unique reponses, \cite{DBLP:conf/crypto/DonFMS19} shows that the protocol is a
quantum proof of knowledge. Further, in the case with hashing, the collapsingness property implies that the protocol has unique responses in a quantum scenario.\\
\noindent\textbf{Instantiations.} As a practical instantiation, we propose the available parameter set for CSIDH-512 HHS from \cite{DBLP:conf/asiacrypt/BeullensKV19}. Currently no other instantiation of the presented schemes seems feasible in a practical sense. Furthermore, according to recent works \cite{DBLP:conf/eurocrypt/Peikert20,DBLP:conf/eurocrypt/BonnetainS20} CSIDH-512 may not reach the initially estimated security level.
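Review bot: the lines removed here are a verbatim copy of the text added by the previous hunk, typo included ("reponses"), so this is a move; when re-inserting it, apply the spelling and wording fixes in the new location rather than carrying them over. The retained context line "\noindent\textbf{Instantiations.}" now follows a line ending in "\\" (previously the removed "quantum proof of knowledge ... scenario.\\"); "\\" forces a line break inside the same paragraph, so "\noindent" has no effect there and LaTeX may warn about an underfull hbox. Use a blank line (paragraph break) or "\paragraph{Instantiations.}" before it instead. In the same retained paragraph, the sentence that CSIDH-512 "may not reach the initially estimated security level" per \cite{DBLP:conf/eurocrypt/Peikert20,DBLP:conf/eurocrypt/BonnetainS20} is left without a consequence for the proposed parameter set; state explicitly whether the proposal still targets the original level or what security level the reader should assume when using it.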