On Round Elimination for Special-Sound Multi-round Identification and the Generality of the Hypercube for MPCitH

Andreas Hülsing, David Joseph, Christian Majenz, Anand kumar Narayanan

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution › Academic › peer review

Abstract

A popular way to build post-quantum signature schemes is to first construct an identification scheme (IDS) and then apply the Fiat-Shamir transform to it. In this work we tackle two open questions about the general applicability of techniques around this approach that together allow for efficient post-quantum signatures with optimal security bounds in the QROM. First, we consider a recent work by Aguilar-Melchor, Hülsing, Joseph, Majenz, Ronen, and Yue (Asiacrypt'23), which showed that an optimal bound for three-round commit & open IDS by Don, Fehr, Majenz, and Schaffner (Crypto'22) can be applied to the five-round Syndrome-Decoding in the Head (SDitH) IDS. To do so, they first applied a transform that replaces the first three rounds by one. They left open whether the same approach applies to schemes beyond SDitH. We answer this question in the affirmative, generalizing their round-elimination technique and giving a generic security proof for it. Our result applies to any IDS with 2n+1 rounds for n>1. However, a scheme has to be suitable for the resulting bound to be non-trivial. We find that an IDS is suitable when it has a certain form of special-soundness, which many commit & open IDS have. Second, we consider the hypercube technique by Aguilar-Melchor, Gama, Howe, Hülsing, Joseph, and Yue (Eurocrypt'23), an optimization that was proposed in the context of SDitH and is now used by several of the contenders in the NIST signature on-ramp. It was conjectured that the technique applies generically to the MPC-in-the-Head (MPCitH) technique, which is used in the design of many post-quantum IDS, whenever an additive secret sharing scheme is used, but this was never proven. In this work we show that the technique generalizes to MPCitH IDS that use an additively homomorphic MPC protocol, and we prove that security is preserved.
We demonstrate the application of our results to the identification scheme of RYDE, a contender in the recent NIST signature on-ramp. While RYDE was already specified with the hypercube technique applied, this gives the first QROM proof for RYDE with an optimally tight bound.

Original language: English
Title: Advances in Cryptology – CRYPTO 2024
Editors: Leonid Reyzin, Douglas Stebila
Chapter: 12
Pages: 373-408
Number of pages: 36
DOIs
Status: Published - 16 Aug 2024

Publication series

Name: Lecture Notes in Computer Science
Volume: 14920
ISSN (Print): 0302-9743
ISSN (Electronic): 1611-3349
