Rohit Chatterjee,Kai-Min Chung,Xiao Liang,Giulio Malavolta

DOI: https://doi.org/10.48550/arXiv.2112.06078

2021-12-12

Abstract:This work revisits the security of classical signatures and ring signatures in a quantum world. For (ordinary) signatures, we focus on the arguably preferable security notion of blind-unforgeability recently proposed by Alagic et al. (Eurocrypt'20). We present two short signature schemes achieving this notion: one is in the quantum random oracle model, assuming quantum hardness of SIS; and the other is in the plain model, assuming quantum hardness of LWE with super-polynomial modulus. Prior to this work, the only known blind-unforgeable schemes are Lamport's one-time signature and the Winternitz one-time signature, and both of them are in the quantum random oracle model. For ring signatures, the recent work by Chatterjee et al. (Crypto'21) proposes a definition trying to capture adversaries with quantum access to the signer. However, it is unclear if their definition, when restricted to the classical world, is as strong as the standard security notion for ring signatures. They also present a construction that only partially achieves (even) this seeming weak definition, in the sense that the adversary can only conduct superposition attacks over the messages, but not the rings. We propose a new definition that does not suffer from the above issue. Our definition is an analog to the blind-unforgeability in the ring signature setting. Moreover, assuming the quantum hardness of LWE, we construct a compiler converting any blind-unforgeable (ordinary) signatures to a ring signature satisfying our definition.

Quantum Physics,Cryptography and Security

Ward Beullens,Samuel Dobson,Shuichi Katsumata,Yi-Fu Lai,Federico Pintore

DOI: https://doi.org/10.1007/s10623-023-01192-x

2023-03-01

Abstract:We construct an efficient dynamic group signature (or more generally an accountable ring signature) from isogeny and lattice assumptions. Our group signature is based on a simple generic construction that can be instantiated by cryptographically hard group actions such as the CSIDH group action or an MLWE-based group action. The signature is of size , where N is the number of users in the group. Our idea builds on the recent efficient OR-proof by Beullens, Katsumata, and Pintore (Asiacrypt'20), where we efficiently add a proof of valid ciphertext to their OR-proof and further show that the resulting non-interactive zero-knowledge proof system is online extractable . Our group signatures satisfy more ideal security properties compared to previously known constructions, while simultaneously having an attractive signature size. The signature size of our isogeny-based construction is an order of magnitude smaller than all previously known post-quantum group signatures (e.g., 6.6 KB for 64 members). In comparison, our lattice-based construction has a larger signature size (e.g., either 126 KB or 89 KB for 64 members depending on the satisfied security property). However, since the -notation hides a very small constant factor, it remains small even for very large group sizes, say .

mathematics, applied,computer science, theory & methods

Shuichi Katsumata,Yi-Fu Lai,Jason T. LeGrow,Ling Qin

DOI: https://doi.org/10.1007/s10623-024-01441-7

IF: 1.4

2024-07-19

Designs Codes and Cryptography

Abstract:In this paper, we construct the first provably-secure isogeny-based (partially) blind signature scheme. While at a high level the scheme resembles the Schnorr blind signature, our work does not directly follow from that construction, since isogenies do not offer as rich an algebraic structure. Specifically, our protocol does not fit into the linear identification protocol abstraction introduced by Hauck, Kiltz, and Loss (EUROCYRPT'19), which was used to generically construct Schnorr-like blind signatures based on modules such as classical groups and lattices. Consequently, our scheme is provably secure in the random oracle model (ROM) against poly-logarithmically-many concurrent sessions assuming the subexponential hardness of the group action inverse problem. In more detail, our blind signature exploits the quadratic twist of an elliptic curve in an essential way to endow isogenies with a strictly richer structure than abstract group actions (but still more restrictive than modules). The basic scheme has public key size 128 B and signature size 8 KB under the CSIDH-512 parameter sets—these are the smallest among all provably secure post-quantum secure blind signatures. Relying on a new ring variant of the group action inverse problem ( ), we can halve the signature size to 4 KB while increasing the public key size to 512 B. We provide preliminary cryptanalysis of and show that for certain parameter settings, it is essentially as secure as the standard . Finally, we show a novel way to turn our blind signature into a partially blind signature, where we deviate from prior methods since they require hashing into the set of public keys while hiding the corresponding secret key—constructing such a hash function in the isogeny setting remains an open problem.

mathematics, applied,computer science, theory & methods

Zongyang Zhang,Yu Chen,Sherman S. M. Chow,Goichiro Hanaoka,Zhenfu Cao,Yunlei Zhao

DOI: https://doi.org/10.1007/978-3-319-26059-4_24

2015-01-01

Abstract:A popular methodology of designing cryptosystems with practical efficiency is to give a security proof in the random oracle RO model. The work of Fischlin and Fleischhacker Eurocrypt﾿'13 investigated the case of Schnorr signature and generally, Fiat-Shamir signatures and showed the reliance of RO model is inherent. We generalize their results to a large class of \"malleable\" hash-and-sign signatures, where one can efficiently \"maul\"any two valid signatures between two signature instances with different public keys if it can get the difference between the secret keys. We follow the technique of Fischlin and Fleischhacker to show that the security of malleable hash-and-sign signature cannot be reduced to its related hard cryptographic problem without programming the RO. Our proof assumes the hardness of a one-more cryptographic problem depending on the signature instantiation. Our result applies to single-instance black-box reductions, subsuming those reductions used in existing proofs. Our framework not only encompasses Fiat-Shamir signatures as special cases, but also covers $$\\Gamma $$-signature Yao and Zhao, IEEE Transactions on Information Forensics and Security﾿'13, and other schemes which implicitly used malleable hash-and-sign signatures, including Boneh-Franklin identity-based encryption, and Sakai-Ohgishi-Kasahara non-interactive identity-based key exchange.

Keisuke Hara

DOI: https://doi.org/10.1016/j.tcs.2024.114516

IF: 1.002

2024-03-27

Theoretical Computer Science

Abstract:Ring signature and group signature are two major cryptographic primitives providing users anonymity and authentication simultaneously. While both primitives enable any user to sign messages as a member of a set of users, the feature of ring signature is that a signer can choose a group in an ad-hoc manner, which is called a ring, by itself. Conversely, in group signature, a group membership is managed by some trusted third party, which is called a group manager, and an (appropriate) accountability is provided for the group manager to identify illegal anonymous signers. Accountable ring signature (ARS) is a cryptographic primitive combining the features of ring signature and group signature. ARS allows signers to choose their groups (rings) in an ad-hoc manner, and at the same time, maintain accountability by forcing them to select a designated opener who can identify them. In this paper, we propose the first ARS scheme with O(log⁡n) signature size in the standard model (without depending on the random oracle methodology), where n is the size of a ring. More precisely, we propose a new generic construction of ARS based on (standard) signature, (standard) public key encryption, non-interactive zero-knowledge proof system, somewhere perfectly binding hash function, and public key encryption with non-interactive opening. All building blocks for our ARS scheme can be obtained under the decisional linear (DLIN) assumption over bilinear groups.

computer science, theory & methods

Farzin Renan,Péter Kutas

2024-04-24

Abstract:Adaptor signatures can be viewed as a generalized form of the standard digital signature schemes where a secret randomness is hidden within a signature. Adaptor signatures are a recent cryptographic primitive and are becoming an important tool for blockchain applications such as cryptocurrencies to reduce on-chain costs, improve fungibility, and contribute to off-chain forms of payment in payment-channel networks, payment-channel hubs, and atomic swaps. However, currently used adaptor signature constructions are vulnerable to quantum adversaries due to Shor's algorithm. In this work, we introduce $\mathsf{SQIAsignHD}$, a new quantum-resistant adaptor signature scheme based on isogenies of supersingular elliptic curves, using SQIsignHD - as the underlying signature scheme - and exploiting the idea of the artificial orientation on the supersingular isogeny Diffie-Hellman key exchange protocol, SIDH, as the underlying hard relation. We, furthermore, show that our scheme is secure in the Quantum Random Oracle Model (QROM).

Cryptography and Security

Longcheng Li,Qian Li,Xingjian Li,Qipeng Liu

2024-05-31

Abstract:The seminal work by Impagliazzo and Rudich (STOC'89) demonstrated the impossibility of constructing classical public key encryption (PKE) from one-way functions (OWF) in a black-box manner. However, the question remains: can quantum PKE (QPKE) be constructed from quantumly secure OWF? A recent line of work has shown that it is indeed possible to build QPKE from OWF, but with one caveat -- they rely on quantum public keys, which cannot be authenticated and reused. In this work, we re-examine the possibility of perfect complete QPKE in the quantum random oracle model (QROM), where OWF exists. Our first main result: QPKE with classical public keys, secret keys and ciphertext, does not exist in the QROM, if the key generation only makes classical queries. Therefore, a necessary condition for constructing such QPKE from OWF is to have the key generation classically ``un-simulatable''. Previous discussions (Austrin et al. CRYPTO'22) on the impossibility of QPKE from OWF rely on a seemingly strong conjecture. Our work makes a significant step towards a complete and unconditional quantization of Impagliazzo and Rudich's results. Our second main result extends to QPKE with quantum public keys. The second main result: QPKE with quantum public keys, classical secret keys and ciphertext, does not exist in the QROM, if the key generation only makes classical queries and the quantum public key is either pure or ``efficiently clonable''. The result is tight due to all existing QPKEs constructions. Our result further gives evidence on why existing QPKEs lose reusability. To achieve these results, we use a novel argument based on conditional mutual information and quantum Markov chain by Fawzi and Renner (Communications in Mathematical Physics). We believe the techniques used in the work will find other usefulness in separations in quantum cryptography/complexity.

Quantum Physics,Cryptography and Security

Lei Zhang,Futai Zhang,Wei Wu

DOI: https://doi.org/10.48550/arXiv.1712.09145

2017-12-26

Abstract:Ring signature is a kind of group-oriented signature. It allows a member of a group to sign messages on behalf of the group without revealing his/her identity. Certificateless public key cryptography was first introduced by Al-Riyami and Paterson in Asiacrypt 2003. In certificateless cryptography, it does not require the use of certificates to guarantee the authenticity of users' public keys. Meanwhile, certificateless cryptography does not have the key escrow problem, which seems to be inherent in the Identity-based cryptography. In this paper, we propose a concrete certificateless ring signature scheme. The security models of certificateless ring signature are also formalized. Our new scheme is provably secure in the random oracle model, with the assumption that the Computational Diffie-Hellman problem is hard. In addition, we also show that a generic construction of certificateless ring signature is insecure against the key replacement attack defined in our security models.

Cryptography and Security

Xing-Jia Wei,Dian-Jun Lu,Shuang-Shuang Luo,Zhi-Hui Li

DOI: https://doi.org/10.1142/s0217732323501754

2024-01-13

Modern Physics Letters A

Abstract:Modern Physics Letters A, Ahead of Print. Quantum signature has become a hot topic in the current research of digital signature schemes due to its unconditional security. As a special kind of digital signature, ring signatures are frequently employed in practical situations because of their superior anonymity. In this work, we propose a quantum ring signature scheme based on secret sharing that does not use entanglement states. To guarantee the complete security of the participants' secret keys, the idea of secret sharing is incorporated into the quantum key distribution process during the key distribution stage. Each ring member contributes his private key share to the final verification formula through a recursive relationship throughout the signing and verification phases, and the verifier can utilize his private key share along with the user's public key to confirm the ring members' authenticity; The [math]-AS2U hash function is used to encrypt the ring signer's identity during the entire signature process, which assures the signer's identity's complete anonymity, effectively protects the signer's privacy, and is more in line with practical requirements.

astronomy & astrophysics,physics, particles & fields, nuclear, mathematical

Song-Kong Chong,Yi-Ping Luo,Tzonelih Hwang

DOI: https://doi.org/10.1103/PhysRevA.85.056301

2011-05-06

Abstract:Recently, Zou et al. [Phys. Rev. A 82, 042325 (2010)] pointed out that two arbitrated quantum signature (AQS) schemes are not secure, because an arbitrator cannot arbitrate the dispute between two users when a receiver repudiates the integrity of a signature. By using a public board, they try to propose two AQS schemes to solve the problem. This work shows that the same security problem may exist in their schemes and also a malicious party can reveal the other party's secret key without being detected by using the Trojan-horse attacks. Accordingly, two basic properties of a quantum signature, i.e. unforgeability and undeniability, may not be satisfied in their scheme.

Quantum Physics

Attila A. Yavuz,Rouzbeh Behnia

DOI: https://doi.org/10.48550/arXiv.2205.07112

2022-05-15

Abstract:Forward-secure signatures guarantee that the signatures generated before the compromise of private key remain secure, and therefore offer an enhanced compromise-resiliency for real-life applications such as digital forensics, audit logs, and financial systems. However, the vast majority of state-of-the-art forward-secure signatures rely on conventional intractability assumptions and therefore are not secure against quantum computers. Hash-based signatures (HBS) (e.g., XMSS) can offer forward-secure post-quantum security. However, they are efficient only for a pre-defined number of messages to be signed and incur high key generation overhead, highly expensive signing, and large signature sizes for an increasing number of messages. It is an open problem to develop quantum-safe forward-secure signatures that are efficient and practical with a signing capability scalable to their security parameters. In this work, we propose a new series of post-quantum signatures that we call FROG (Forward-secuRe pOst-quantum siGnature). Unlike HBS alternatives, FROG can achieve highly computational efficient signatures with sub-linear key/signature sizes and (practically) unbounded signing capability. This is achieved by transforming suitable post-quantum signatures into forward-secure settings via MMM constructions. We investigated the transformation of prominent post-quantum secure signatures such as Dilithium, WOTS, and BLISS with MMM. Our experiments indicate that FROG outperforms XMSS for the vast majority (if not all for a large number of messages) of performance metrics. We also discuss one-time variants of these base signature schemes that can push the performance of FROG to the edge. Overall, FROG shows a better performance than the existing alternatives with forward-security and therefore is an ideal alternative for the standardization efforts for forward-secure post-quantum signatures.

Cryptography and Security

Kunal Dey,Somnath Kumar,Vikas Srivastava,Sumit Kumar Debnath,Ashok Kumar Das

2024-10-09

Abstract:E-governance is a two-way protocol through which one can use government services, share data and request information. It refers to the use of communication and information technologies to provide government services to public in an efficient and fast manner. In addition, any document submitted to the e-Government system must be authenticated by a government officer using a digital signature scheme. In the context of digital signatures, the proxy signature is an important cryptographic primitive that allows the original signer to delegate signing authority to another signer (proxy signer). The proxy signature has a number of important applications in the e-government system. There are now a large amount of proxy signature schemes. The security of most of them relies on the following hard problems: the discrete logarithm problem and the factorization of integers problem. However, a large-scale quantum computer can solve them in polynomial time due to Shor's algorithm. As a consequence, there is a need for a quantum computer-resistant proxy signature to secure e-governance system from quantum adversaries. In this work, we propose the first post-quantum isogeny based proxy signature scheme CSI-PS (commutative supersingular isogeny proxy signature). Our construction is proven to be uf-cma secure under the hardness of the group action inverse problem (GAIP) based on isogeny.

Cryptography and Security

Tianyuan Zhang,Xiangjun Xin,Lei Sun,Chaoyang Li,Fagen Li

DOI: https://doi.org/10.1007/s11128-024-04257-5

IF: 1.965

2024-02-06

Quantum Information Processing

Abstract:The security of most quantum signatures cannot be proved with security model under chosen-message attack. No formal proof can prove that their security is fully dependent on the basic quantum theory. Based on the orthogonal quantum state and key-controlled quantum hash function, an arbitrated quantum signature is proposed. In this scheme, the signatory produces the quantum signature by quantum-encrypting the output of key-controlled quantum hash function. The signature verification is performed by decrypting the signed message and comparing the decrypted message with the output of the key-controlled quantum hash function. The security of the proposed scheme depends on the indistinguishability of the unknown quantum sequence. Its unforgeability can be formally proved with security model under chosen-message attack. Therefore, its security can be supported by the formal proof. On the other hand, in the proposed scheme, no entangled state is used. It also has better qubit efficiency as well.

physics, multidisciplinary,quantum science & technology, mathematical

Zhen Liu,Khoa Nguyen,Guomin Yang,Huaxiong Wang,Duncan S. Wong

DOI: https://doi.org/10.1007/978-3-030-29959-0_35

2019-01-01

Abstract:First proposed in CryptoNote, a collection of popular privacy-centric cryptocurrencies have employed Linkable Ring Signature and a corresponding Key Derivation Mechanism (KeyDerM) for keeping the payer and payee of a transaction anonymous and unlinkable. The KeyDerM is used for generating a fresh signing key and the corresponding public key, referred to as a stealth address, for the transaction payee. The stealth address will then be used in the linkable ring signature next time when the payee spends the coin. However, in all existing works, including Monero, the privacy model only considers the two cryptographic primitives separately. In addition, to be applied to cryptocurrencies, the security and privacy models for Linkable Ring Signature should capture the situation that the public key ring of a signature may contain keys created by an adversary (referred to as adversarially-chosen-key attack), since in cryptocurrencies, it is normal for a user (adversary) to create self-paying transactions so that some maliciously created public keys can get into the system without being detected .In this paper, we propose a new cryptographic primitive, referred to as Linkable Ring Signature Scheme with Stealth Addresses (SALRS), which comprehensively and strictly captures the security and privacy requirements of hiding the payer and payee of a transaction in cryptocurrencies, especially the adversarially-chosen-key attacks. We also propose a lattice-based SALRS construction and prove its security and privacy in the random oracle model. In other words, our construction provides strong confidence on security and privacy in twofolds, i.e., being proved under strong models which capture the practical scenarios of cryptocurrencies, and being potentially quantum-resistant. The efficiency analysis also shows that our lattice-based SALRS scheme is practical for real implementations.

Dan Boneh,Özgür Dagdelen,Marc Fischlin,Anja Lehmann,Christian Schaffner,Mark Zhandry

DOI: https://doi.org/10.1007/978-3-642-25385-0_3

2012-01-20

Abstract:The interest in post-quantum cryptography - classical systems that remain secure in the presence of a quantum adversary - has generated elegant proposals for new cryptosystems. Some of these systems are set in the random oracle model and are proven secure relative to adversaries that have classical access to the random oracle. We argue that to prove post-quantum security one needs to prove security in the quantum-accessible random oracle model where the adversary can query the random oracle with quantum states. We begin by separating the classical and quantum-accessible random oracle models by presenting a scheme that is secure when the adversary is given classical access to the random oracle, but is insecure when the adversary can make quantum oracle queries. We then set out to develop generic conditions under which a classical random oracle proof implies security in the quantum-accessible random oracle model. We introduce the concept of a history-free reduction which is a category of classical random oracle reductions that basically determine oracle answers independently of the history of previous queries, and we prove that such reductions imply security in the quantum model. We then show that certain post-quantum proposals, including ones based on lattices, can be proven secure using history-free reductions and are therefore post-quantum secure. We conclude with a rich set of open problems in this area.

Quantum Physics,Cryptography and Security

Mingxing Hu,Weijiong Zhang,Zhen Liu

DOI: https://doi.org/10.48550/arXiv.2206.12093

2022-06-24

Abstract:Ring signatures enable a user to sign messages on behalf of an arbitrary set of users, called the ring, without revealing exactly which member of that ring actually generated the signature. The signer-anonymity property makes ring signatures have been an active research topic. Recently, Park and Sealfon (CRYPTO 19) presented an important anonymity notion named signer-unclaimability and constructed a lattice-based ring signature scheme with unclaimable anonymity in the standard model, however, it did not consider the unforgeable w.r.t. adversarially-chosen-key attack (the public key ring of a signature may contain keys created by an adversary) and the signature size grows quadratically in the size of ring and message. In this work, we propose a new lattice-based ring signature scheme with unclaimable anonymity in the standard model. In particular, our work improves the security and efficiency of Park and Sealfons work, which is unforgeable w.r.t. adversarially-chosen-key attack, and the ring signature size grows linearly in the ring size.

Cryptography and Security

Xinjian Chen,Qiong Huang,Hongbo Li,Zhijian Liao,Willy Susilo

DOI: https://doi.org/10.1016/j.tcs.2022.08.022

IF: 1.002

2022-01-01

Theoretical Computer Science

Abstract:Multi-signature is an important technology to compress multiple signatures on the common message into a compact one, thereby reducing the consumption of storage space and transmission bandwidth. Such a cryptographic primitive is widely used in financial applications such as blockchain which requires multiple keys to authorize a transaction. With the advent of quantum computers, traditional multi-signature schemes may no longer be secure as their underlying security assumptions (e.g. RSA or discrete logarithm problems) may not hold anymore. In this paper, we propose a novel identity-based multi-signature (IBMS) scheme over NTRU lattices, which is secure against the attacks of quantum computers. To the best of our knowledge, it is the first lattice-based IBMS scheme. We show that our scheme is provably secure in the random oracle model based on the ring version of the short integer solution assumption (Ring-SIS). Compared with the closely related works in the literature, our scheme enables the signer to select its system identity (such as email address, physical IP address, and etc.) as the public key, which effectively alleviates the certificate management problem in the PKI setting, and takes the advantage of discrete Gaussian distribution instead of uniform distribution to generate secret signing keys and multi-signatures. Besides, our scheme does not require all the system users to setup a trusted common string, which further simplifies the deployment of our scheme in practice.

Wen Gao,Liqun Chen,Yupu Hu,Christopher J. P. Newton,Baocang Wang,Jiangshan Chen

DOI: https://doi.org/10.1007/s10207-018-0417-1

2018-08-20

International Journal of Information Security

Abstract:In cryptography, a ring signature is anonymous as it hides the signer’s identity among other users. When generating the signature, the users are arranged as a ring. Compared with group signatures, a ring signature scheme needs no group manager or special setup and supports flexibility of group choice. However, the anonymity provided by ring signatures can be used to conceal a malicious signer and put other ring members under suspicion. At the other extreme, it does not allow the actual signer to prove their identity and gain recognition for their actions. A deniable ring signature is designed to overcome these disadvantages. It can initially protect the signer, but if necessary, it enables other ring members to deny their involvement, and allows the real signer to prove who made the signed action. Many real-world applications can benefit from such signatures. Inspired by the requirement for them to remain viable in the post-quantum age, this work proposes a new non-interactive deniable ring signature scheme based on lattice assumptions. Our scheme is proved to be anonymous, traceable and non-frameable under quantum attacks.

computer science, information systems, theory & methods, software engineering

Alessandro Chiesa,Marcel Dall Agnol,Zijing Di,Ziyi Guan,Nicholas Spooner

2024-11-08

Abstract:We analyze the post-quantum security of succinct interactive arguments constructed from interactive oracle proofs (IOPs) and vector commitment schemes. We prove that an interactive variant of the BCS transformation is secure in the standard model against quantum adversaries when the vector commitment scheme is collapsing. Our proof builds on and extends prior work on the post-quantum security of Kilians succinct interactive argument, which is instead based on probabilistically checkable proofs (PCPs). We introduce a new quantum rewinding strategy that works across any number of rounds. As a consequence of our results, we obtain standard-model post-quantum secure succinct arguments with the best asymptotic complexity known.

Cryptography and Security,Quantum Physics

Xiao Zhang,Faguo Wu,Wang Yao,Wenhua Wang,Zhiming Zheng

DOI: https://doi.org/10.32604/cmc.2020.08008

2020-01-01

Abstract:Blockchain is an emerging decentralized architecture and distributed computing paradigm underlying Bitcoin and other cryptocurrencies, and has recently attracted intensive attention from governments, financial institutions, high-tech enterprises, and the capital markets. Its cryptographic security relies on asymmetric cryptography, such as ECC, RSA. However, with the surprising development of quantum technology, asymmetric cryptography schemes mentioned above would become vulnerable. Recently, lattice-based cryptography scheme was proposed to be secure against attacks in the quantum era. In 2018, with the aid of Bonsai Trees technology, Yin et al. [Yin, Wen, Li et al. (2018)] proposed a lattice-based authentication method which can extend a lattice space to multiple lattice spaces accompanied by the corresponding key. Although their scheme has theoretical significance, it is unpractical in actual situation due to extremely large key size and signature size. In this paper, aiming at tackling the critical issue of transaction size, we propose a post quantum blockchain over lattice. By using SampleMat and signature without trapdoor, we can reduce the key size and signature size of our transaction authentication approach by a significant amount. Instead of using a whole set of vectors as a basis, we can use only one vector and rotate it enough times to form a basis. Based on the hardness assumption of Short Integer Solution (SIS), we demonstrate that the proposed anti-quantum transaction authentication scheme over lattice provides existential unforgeability against adaptive chosen-message attacks in the random oracle. As compared to the Yin et al. [Yin, Wen, Li et al. (2018)] scheme, our scheme has better performance in terms of energy consumption, signature size and signing key size. As the underlying lattice problem is intractable even for quantum computers, our scheme would work well in the quantum age.