Tight Adaptive Reprogramming in the QROM

Alex B. Grilo; Kathrin Hövelmanns; Andreas Hülsing; Christian Majenz

doi:10.1007/978-3-030-92062-3_22

Tight Adaptive Reprogramming in the QROM

Alex B. Grilo, Kathrin Hövelmanns, Andreas Hülsing, Christian Majenz

Department of Applied Mathematics and Computer Science

Research output: Chapter in Book/Report/Conference proceeding › Book chapter › Research › peer-review

60 Downloads (Orbit)

Abstract

The random oracle model (ROM) enjoys widespread popularity, mostly because it tends to allow for tight and conceptually simple proofs where provable security in the standard model is elusive or costly. While being the adequate replacement of the ROM in the post-quantum security setting, the quantum-accessible random oracle model (QROM) has thus far failed to provide these advantages in many settings. In this work, we focus on adaptive reprogrammability, a feature of the ROM enabling tight and simple proofs in many settings. We show that the straightforward quantum-accessible generalization of adaptive reprogramming is feasible by proving a bound on the adversarial advantage in distinguishing whether a random oracle has been reprogrammed or not. We show that our bound is tight by providing a matching attack. We go on to demonstrate that our technique recovers the mentioned advantages of the ROM in three QROM applications: 1) We give a tighter proof of security of the message compression routine as used by XMSS. 2) We show that the standard ROM proof of chosen-message security for Fiat-Shamir signatures can be lifted to the QROM, straightforwardly, achieving a tighter reduction than previously known. 3) We give the first QROM proof of security against fault injection and nonce attacks for the hedged Fiat-Shamir transform.

Original language	English
Title of host publication	International Conference on the Theory and Application of Cryptology and Information Security
Publisher	Springer
Publication date	2021
Pages	637-667
ISBN (Print)	978-3-030-92061-6
DOIs	https://doi.org/10.1007/978-3-030-92062-3_22
Publication status	Published - 2021
Event	27^th International Conference on the Theory and Application of Cryptology and Information Security - Singapore, Singapore Duration: 6 Dec 2021 → 10 Dec 2021 Conference number: 27 https://asiacrypt.iacr.org/2021/

Conference

Conference	27^th International Conference on the Theory and Application of Cryptology and Information Security
Number	27
Country/Territory	Singapore
City	Singapore
Period	06/12/2021 → 10/12/2021
Internet address	https://asiacrypt.iacr.org/2021/

Series	Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)
Volume	13090
ISSN	0302-9743

Keywords

Post-quantum security
QROM
Adaptive reprogramming
Digital signature
Fiat-Shamir transform
Hedged Fiat-Shamir
XMSS

Access to Document

10.1007/978-3-030-92062-3_22

SubmittedSubmitted manuscript, 737 KB

OpenUrl availability

Full text

Cite this

Grilo, Alex B. ; Hövelmanns, Kathrin ; Hülsing, Andreas et al. / Tight Adaptive Reprogramming in the QROM. International Conference on the Theory and Application of Cryptology and Information Security. Springer, 2021. pp. 637-667 (Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics), Vol. 13090).

@inbook{1f8cf0f0ea044bf7b9faf4e8720f5d83,

title = "Tight Adaptive Reprogramming in the QROM",

abstract = "The random oracle model (ROM) enjoys widespread popularity, mostly because it tends to allow for tight and conceptually simple proofs where provable security in the standard model is elusive or costly. While being the adequate replacement of the ROM in the post-quantum security setting, the quantum-accessible random oracle model (QROM) has thus far failed to provide these advantages in many settings. In this work, we focus on adaptive reprogrammability, a feature of the ROM enabling tight and simple proofs in many settings. We show that the straightforward quantum-accessible generalization of adaptive reprogramming is feasible by proving a bound on the adversarial advantage in distinguishing whether a random oracle has been reprogrammed or not. We show that our bound is tight by providing a matching attack. We go on to demonstrate that our technique recovers the mentioned advantages of the ROM in three QROM applications: 1) We give a tighter proof of security of the message compression routine as used by XMSS. 2) We show that the standard ROM proof of chosen-message security for Fiat-Shamir signatures can be lifted to the QROM, straightforwardly, achieving a tighter reduction than previously known. 3) We give the first QROM proof of security against fault injection and nonce attacks for the hedged Fiat-Shamir transform.",

keywords = "Post-quantum security, QROM, Adaptive reprogramming, Digital signature, Fiat-Shamir transform, Hedged Fiat-Shamir, XMSS",

author = "Grilo, \{Alex B.\} and Kathrin H{\"o}velmanns and Andreas H{\"u}lsing and Christian Majenz",

year = "2021",

doi = "10.1007/978-3-030-92062-3\_22",

language = "English",

isbn = "978-3-030-92061-6",

series = "Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)",

publisher = "Springer",

pages = "637--667",

booktitle = "International Conference on the Theory and Application of Cryptology and Information Security",

note = "27<sup>th</sup> International Conference on the Theory and Application of Cryptology and Information Security, ASIACRYPT 2021 ; Conference date: 06-12-2021 Through 10-12-2021",

url = "https://asiacrypt.iacr.org/2021/",

}

Grilo, AB, Hövelmanns, K, Hülsing, A & Majenz, C 2021, Tight Adaptive Reprogramming in the QROM. in International Conference on the Theory and Application of Cryptology and Information Security. Springer, Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics), vol. 13090, pp. 637-667, 27^th International Conference on the Theory and Application of Cryptology and Information Security, Singapore, Singapore, 06/12/2021. https://doi.org/10.1007/978-3-030-92062-3_22

Tight Adaptive Reprogramming in the QROM. / Grilo, Alex B.; Hövelmanns, Kathrin; Hülsing, Andreas et al.
International Conference on the Theory and Application of Cryptology and Information Security. Springer, 2021. p. 637-667 (Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics), Vol. 13090).

Research output: Chapter in Book/Report/Conference proceeding › Book chapter › Research › peer-review

TY - CHAP

T1 - Tight Adaptive Reprogramming in the QROM

AU - Grilo, Alex B.

AU - Hövelmanns, Kathrin

AU - Hülsing, Andreas

AU - Majenz, Christian

N1 - Conference code: 27

PY - 2021

Y1 - 2021

N2 - The random oracle model (ROM) enjoys widespread popularity, mostly because it tends to allow for tight and conceptually simple proofs where provable security in the standard model is elusive or costly. While being the adequate replacement of the ROM in the post-quantum security setting, the quantum-accessible random oracle model (QROM) has thus far failed to provide these advantages in many settings. In this work, we focus on adaptive reprogrammability, a feature of the ROM enabling tight and simple proofs in many settings. We show that the straightforward quantum-accessible generalization of adaptive reprogramming is feasible by proving a bound on the adversarial advantage in distinguishing whether a random oracle has been reprogrammed or not. We show that our bound is tight by providing a matching attack. We go on to demonstrate that our technique recovers the mentioned advantages of the ROM in three QROM applications: 1) We give a tighter proof of security of the message compression routine as used by XMSS. 2) We show that the standard ROM proof of chosen-message security for Fiat-Shamir signatures can be lifted to the QROM, straightforwardly, achieving a tighter reduction than previously known. 3) We give the first QROM proof of security against fault injection and nonce attacks for the hedged Fiat-Shamir transform.

AB - The random oracle model (ROM) enjoys widespread popularity, mostly because it tends to allow for tight and conceptually simple proofs where provable security in the standard model is elusive or costly. While being the adequate replacement of the ROM in the post-quantum security setting, the quantum-accessible random oracle model (QROM) has thus far failed to provide these advantages in many settings. In this work, we focus on adaptive reprogrammability, a feature of the ROM enabling tight and simple proofs in many settings. We show that the straightforward quantum-accessible generalization of adaptive reprogramming is feasible by proving a bound on the adversarial advantage in distinguishing whether a random oracle has been reprogrammed or not. We show that our bound is tight by providing a matching attack. We go on to demonstrate that our technique recovers the mentioned advantages of the ROM in three QROM applications: 1) We give a tighter proof of security of the message compression routine as used by XMSS. 2) We show that the standard ROM proof of chosen-message security for Fiat-Shamir signatures can be lifted to the QROM, straightforwardly, achieving a tighter reduction than previously known. 3) We give the first QROM proof of security against fault injection and nonce attacks for the hedged Fiat-Shamir transform.

KW - Post-quantum security

KW - QROM

KW - Adaptive reprogramming

KW - Digital signature

KW - Fiat-Shamir transform

KW - Hedged Fiat-Shamir

KW - XMSS

U2 - 10.1007/978-3-030-92062-3_22

DO - 10.1007/978-3-030-92062-3_22

M3 - Book chapter

SN - 978-3-030-92061-6

T3 - Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)

SP - 637

EP - 667

BT - International Conference on the Theory and Application of Cryptology and Information Security

PB - Springer

T2 - 27<sup>th</sup> International Conference on the Theory and Application of Cryptology and Information Security

Y2 - 6 December 2021 through 10 December 2021

ER -

Grilo AB, Hövelmanns K, Hülsing A, Majenz C. Tight Adaptive Reprogramming in the QROM. In International Conference on the Theory and Application of Cryptology and Information Security. Springer. 2021. p. 637-667. (Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics), Vol. 13090). doi: 10.1007/978-3-030-92062-3_22