Fiat-Shamir for Proofs Lacks a Proof Even in the Presence of Shared Entanglement
Quantum (IF 5.1), Pub Date: 2024-12-17, DOI: 10.22331/q-2024-12-17-1568. Frédéric Dupuis, Philippe Lamontagne, Louis Salvail
We explore the cryptographic power of arbitrary shared physical resources. The most general such resource is access to a fresh entangled quantum state at the outset of each protocol execution. We call this the $\textit{Common Reference Quantum State (CRQS)}$ model, in analogy to the well-known $\textit{Common Reference String (CRS)}$. The CRQS model is a natural generalization of the CRS model but appears to be more powerful: in the two-party setting, a CRQS can sometimes exhibit properties associated with a Random Oracle queried once by measuring a maximally entangled state in one of many mutually unbiased bases. We formalize this notion as a $\textit{Weak One-Time Random Oracle (WOTRO)}$, where we only ask that the $m$-bit output have some randomness when conditioned on the $n$-bit input.
We show that when $n-m\in\omega(\lg n)$, any protocol for WOTRO in the CRQS model can be attacked by an (inefficient) adversary. Moreover, our adversary is efficiently simulatable, which rules out the possibility of proving the computational security of a scheme by a fully black-box reduction to a cryptographic game assumption. On the other hand, we introduce a non-game quantum assumption for hash functions that implies WOTRO in the CRQS model (where the CRQS consists only of EPR pairs). We first build a statistically secure WOTRO protocol where $m=n$, then hash the output.
The impossibility of WOTRO has the following consequences. First, we show the fully-black-box impossibility of a $quantum$ Fiat-Shamir transform, extending the impossibility result of Bitansky et al. (TCC 2013) to the CRQS model. Second, we show a fully-black-box impossibility result for a strengthened version of quantum lightning (Zhandry, Eurocrypt 2019) where quantum bolts have an additional parameter that cannot be changed without generating new bolts. Our results also apply to $2$-message protocols in the plain model.
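The abstract takes the Fiat-Shamir transform as given. As an added example (not code from the paper or its authors), the following Python shows the classical transform on the Schnorr sigma protocol: the verifier's random challenge is replaced by a hash of the public input and the prover's commitment, which is exactly the "random oracle queried once" role that a WOTRO is meant to play in the CRQS model. It also shows, in `forge_with_known_challenge`, why the challenge must carry randomness conditioned on the input: a prover who knows the challenge before fixing the commitment can produce an accepting transcript without the witness. The group parameters (`P`, `Q`, `G`) are constructed toy values chosen for readability, and all function names are this example's own.

```python
"""Classical Fiat-Shamir transform of the Schnorr sigma protocol (added example).

Constructed toy parameters: p = 2q + 1 is a safe prime and g generates the
order-q subgroup of Z_p^*.  These sizes are for illustration only.
"""
import hashlib
import secrets

P = 1019            # safe prime, p = 2q + 1 (constructed toy value)
Q = 509             # prime order of the subgroup
G = pow(2, 2, P)    # a quadratic residue other than 1 has order exactly q


def keygen(x=None):
    """Secret x in [1, q-1], public y = g^x mod p.  x may be fixed for tests."""
    if x is None:
        x = secrets.randbelow(Q - 1) + 1
    return x, pow(G, x, P)


def commit(r=None):
    """Prover's first message: t = g^r for a fresh nonce r in [1, q-1]."""
    if r is None:
        r = secrets.randbelow(Q - 1) + 1
    return r, pow(G, r, P)


def respond(x, r, c):
    """Prover's answer to challenge c: s = r + c*x mod q."""
    return (r + c * x) % Q


def verify_with_challenge(y, t, s, c):
    """Sigma-protocol check shared by the interactive and the Fiat-Shamir version:
    both y and t must lie in the order-q subgroup and g^s == t * y^c must hold."""
    in_group = (1 < y < P and 1 <= t < P
                and pow(y, Q, P) == 1 and pow(t, Q, P) == 1)
    return in_group and pow(G, s, P) == (t * pow(y, c, P)) % P


def fs_challenge(y, t, message=b""):
    """Fiat-Shamir: the verifier's random challenge becomes a hash of the public
    parameters, the public key, the commitment and the message being signed."""
    transcript = b"|".join(str(v).encode() for v in (P, G, y, t)) + b"|" + message
    return int.from_bytes(hashlib.sha256(transcript).digest(), "big") % Q


def fs_prove(x, y, message=b"", r=None):
    """Non-interactive proof of knowledge of x: (t, s) with c derived by hashing."""
    r, t = commit(r)
    c = fs_challenge(y, t, message)
    return t, respond(x, r, c)


def fs_verify(y, proof, message=b""):
    """Recompute the challenge from the commitment and run the sigma check."""
    t, s = proof
    return verify_with_challenge(y, t, s, fs_challenge(y, t, message))


def forge_with_known_challenge(y, c):
    """Why the challenge needs randomness conditioned on the commitment: a prover
    who learns c before fixing t picks s first and solves t = g^s * y^(-c),
    with no knowledge of x.  pow(y, Q - c, P) is y^(-c) because y has order q."""
    s = secrets.randbelow(Q)
    t = (pow(G, s, P) * pow(y, (Q - c) % Q, P)) % P
    return t, s


if __name__ == "__main__":
    x, y = keygen()
    proof = fs_prove(x, y, b"constructed message")
    print("Fiat-Shamir proof verifies:", fs_verify(y, proof, b"constructed message"))
    print("same proof under another message:", fs_verify(y, proof, b"other message"))
    t, s = forge_with_known_challenge(y, 42)
    print("forged transcript accepted when c=42 is fixed in advance:",
          verify_with_challenge(y, t, s, 42))
```

The interactive protocol and the transformed one share `verify_with_challenge`; the only difference is where `c` comes from. In the CRS/random-oracle setting `c` comes from the hash; the paper's question is whether a shared entangled state can supply a challenge with the "some randomness given the input" property (WOTRO) that makes the transform sound, and the forgery function is the concrete failure that property rules out.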
Updated: 2024-12-17