A Detailed Analysis of Fiat-Shamir with Aborts

  • Conference paper
Advances in Cryptology – CRYPTO 2023 (CRYPTO 2023)

Part of the book series: Lecture Notes in Computer Science (LNCS, volume 14085)

Abstract

Lyubashevsky’s signatures are based on the Fiat-Shamir with Aborts paradigm. It transforms an interactive identification protocol that has a non-negligible probability of aborting into a signature scheme by repeating executions until a loop iteration does not trigger an abort. Interaction is removed by replacing the verifier’s challenge with the evaluation of a hash function, modeled as a random oracle in the analysis. Access to the random oracle is classical (ROM) when one is interested in security against classical adversaries, and quantum (QROM) when one is interested in security against quantum adversaries. Most analyses in the literature consider a setting with a bounded number of aborts (i.e., signing fails if no signature is output within a prescribed number of loop iterations), while practical instantiations (e.g., Dilithium) run until a signature is output (i.e., loop iterations are unbounded).

In this work, we emphasize that combining random oracles with loop iterations induces numerous technicalities for analyzing the correctness, run-time, and security of the resulting schemes, in both the bounded and the unbounded case. As a first contribution, we shed light on errors in all existing analyses. We then provide two detailed analyses in the QROM for the bounded case, adapted from Kiltz et al. [EUROCRYPT’18] and Grilo et al. [ASIACRYPT’21]. In the process, we prove that the underlying \(\varSigma\)-protocol achieves a stronger zero-knowledge property than usually considered for \(\varSigma\)-protocols with aborts, which enables a corrected analysis. A further contribution is a detailed analysis of the case of unbounded aborts, which induces several additional subtleties.
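The following is an added toy implementation of the Fiat-Shamir with Aborts loop described in the abstract; it is not code from the paper or from Dilithium. It instantiates a Lyubashevsky-style identification protocol over small integer vectors (public matrix A, short secret matrix S, public T = A S mod Q), derives the challenge as a hash of the commitment and the message, and rejects any response z that falls outside a fixed box, so that the accepted z is distributed independently of the secret. The same `sign` function runs either the unbounded loop (Dilithium-style) or the bounded variant that returns `None` after a prescribed number of iterations, and `expected_iterations` gives the idealized run-time of the loop for these parameters. All parameter values, names and the constructed message are assumptions made for illustration; the dimensions and challenge mapping are far too small and too crude to be secure.

```python
import hashlib
import random

# Toy parameters, constructed for illustration only: the dimensions and the
# challenge space are far too small for any real security.
N = 8        # length of the masking vector y and of the response z
M = 8        # number of rows of the public matrix A
K = 32       # number of challenge coefficients (each in {-1, 0, 1})
Q = 8380417  # prime modulus; the value is only a convenient choice here
ETA = 1      # secret coefficients are sampled from [-ETA, ETA]
B = 512      # y is sampled uniformly from [-B, B]^N
BETA = K * ETA     # largest possible |(S c)_i|
BOUND = B - BETA   # accepted responses satisfy ||z||_inf <= BOUND


def matvec(A, v, mod=None):
    """Integer matrix-vector product, optionally reduced mod `mod`."""
    out = [sum(a * x for a, x in zip(row, v)) for row in A]
    return [o % mod for o in out] if mod else out


def keygen(rng):
    """Uniform A (M x N), small secret S (N x K), public T = A S mod Q."""
    A = [[rng.randrange(Q) for _ in range(N)] for _ in range(M)]
    S = [[rng.randint(-ETA, ETA) for _ in range(K)] for _ in range(N)]
    T = [[sum(A[i][j] * S[j][k] for j in range(N)) % Q for k in range(K)]
         for i in range(M)]
    return (A, T), (A, S)


def challenge(w, msg):
    """Fiat-Shamir: the verifier's challenge becomes H(commitment, message).

    Hash bytes are mapped to {-1, 0, 1} with a slight bias (constructed
    shortcut); a real scheme expands the hash without bias. The bias does
    not affect correctness of the loop or of verification.
    """
    h = hashlib.sha256()
    h.update(b"".join(x.to_bytes(4, "big") for x in w))  # entries are < 2^32
    h.update(msg)
    return [byte % 3 - 1 for byte in h.digest()[:K]]


def sign(sk, msg, rng, max_iter=None):
    """Fiat-Shamir with aborts: repeat the identification protocol until the
    response z falls inside the target box.

    max_iter=None gives the unbounded loop (run until a signature is output);
    an integer max_iter gives the bounded variant, which returns None when no
    iteration succeeded. The iteration count is returned alongside.
    """
    A, S = sk
    iteration = 0
    while max_iter is None or iteration < max_iter:
        iteration += 1
        y = [rng.randint(-B, B) for _ in range(N)]   # fresh masking vector
        w = matvec(A, y, Q)                          # commitment
        c = challenge(w, msg)
        z = [yi + si for yi, si in zip(y, matvec(S, c))]   # response y + S c
        # Abort unless z lies in [-BOUND, BOUND]^N. Conditioned on acceptance,
        # z is uniform in that box whatever S is, which is what hides the key.
        if max(abs(zi) for zi in z) <= BOUND:
            return (c, z), iteration
    return None, iteration


def verify(pk, msg, sig):
    """Recompute the commitment from public data and re-derive the challenge."""
    A, T = pk
    c, z = sig
    if len(z) != N or max(abs(zi) for zi in z) > BOUND:
        return False
    # A z - T c = A (y + S c) - A S c = A y (mod Q), the signer's commitment.
    w = [(az - tc) % Q for az, tc in zip(matvec(A, z, Q), matvec(T, c, Q))]
    return challenge(w, msg) == c


def expected_iterations():
    """Expected loop length when y is uniform in [-B, B]^N and the abort
    test is the box check above: 1 / Pr[every coordinate survives]."""
    p_coord = (2 * BOUND + 1) / (2 * B + 1)
    return 1.0 / p_coord ** N


def run_example(seed=2023, msg=b"constructed test message"):
    """Deterministic end-to-end run returning the facts worth checking."""
    rng = random.Random(seed)
    pk, sk = keygen(rng)
    sig, iters = sign(sk, msg, rng)                   # unbounded loop
    one_try, _ = sign(sk, msg, rng, max_iter=1)       # bounded: may abort
    return {
        "valid": verify(pk, msg, sig),
        "other_message_valid": verify(pk, msg + b"!", sig),
        "iterations": iters,
        "one_try_valid": one_try is None or verify(pk, msg, one_try),
    }


if __name__ == "__main__":
    print(run_example(), "expected iterations:", round(expected_iterations(), 2))
```

With these constructed parameters each coordinate of z survives the box check with probability (2·BOUND+1)/(2·B+1) ≈ 0.94, so the whole response survives with probability ≈ 0.60 and the unbounded loop runs about 1.7 times on average; the bounded call with `max_iter=1` therefore fails roughly 40% of the time, which is exactly the correctness-versus-run-time trade-off the abstract says the analyses must account for. Note that the rejection condition depends only on z, never on the secret, and verification depends only on public data, so the test also exercises the verification equation A z - T c = A y that both loop variants rely on.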

References

  • Alkim, E., et al.: Revisiting TESLA in the quantum random oracle model. In: PQCrypto (2017)

  • Abdalla, M., Fouque, P.-A., Lyubashevsky, V., Tibouchi, M.: Tightly secure signatures from lossy identification schemes. J. Cryptol. (2016)

  • Ambainis, A., Hamburg, M., Unruh, D.: Quantum security proofs using semi-classical oracles. In: CRYPTO (2019)

  • Agrawal, S., Stehlé, D., Yadav, A.: Round-optimal lattice-based threshold signatures, revisited. In: ICALP (2022)

  • Barbosa, M., et al.: Fixing and mechanizing the security proof of Fiat-Shamir with aborts and Dilithium. In: CRYPTO (2023)

  • Barthe, G., et al.: Masking the GLP lattice-based signature scheme at any order. In: EUROCRYPT (2018)

  • Barthe, G., Belaïd, S., Espitau, T., Fouque, P.-A., Rossi, M., Tibouchi, M.: GALACTICS: Gaussian sampling for lattice-based constant-time implementation of cryptographic signatures, revisited. In: CCS (2019)

  • Boneh, D., Dagdelen, Ö., Fischlin, M., Lehmann, A., Schaffner, C., Zhandry, M.: Random oracles in a quantum world. In: ASIACRYPT (2011)

  • Bai, S., Lepoint, T., Roux-Langlois, A., Sakzad, A., Stehlé, D., Steinfeld, R.: Improved security proofs in lattice-based cryptography: Using the Rényi divergence rather than the statistical distance. J. Cryptol. (2018)

  • Chen, Y., Lombardi, A., Ma, F., Quach, W.: Does Fiat-Shamir require a cryptographic hash function? In: CRYPTO (2021)

  • Don, J., Fehr, S., Majenz, C., Schaffner, C.: Security of the Fiat-Shamir transformation in the quantum random-oracle model. In: CRYPTO (2019)

  • Devevey, J., Fawzi, O., Passelègue, A., Stehlé, D.: On rejection sampling in Lyubashevsky’s signature scheme. In: ASIACRYPT (2022)

  • Devevey, J., Fallahpour, P., Passelègue, A., Stehlé, D.: A detailed analysis of Fiat-Shamir with aborts. Cryptology ePrint Archive, Paper 2023/245 (2023). https://eprint.iacr.org/2023/245

  • Ducas, L., et al.: CRYSTALS-Dilithium: a lattice-based digital signature scheme. In: TCHES (2018)

  • Damgård, I., Pastro, V., Smart, N.P., Zakarias, S.: Multiparty computation from somewhat homomorphic encryption. In: CRYPTO (2012)

  • Fiat, A., Shamir, A.: How to prove yourself: Practical solutions to identification and signature problems. In: CRYPTO (1986)

  • Grilo, A.B., Hövelmanns, K., Hülsing, A., Majenz, C.: Tight adaptive reprogramming in the QROM. In: ASIACRYPT (2021)

  • Katsumata, S.: A new simple technique to bootstrap various lattice zero-knowledge proofs to QROM secure NIZKs. In: CRYPTO (2021)

  • Kiltz, E., Lyubashevsky, V., Schaffner, C.: A concrete treatment of Fiat-Shamir signatures in the quantum random-oracle model. In: EUROCRYPT (2018)

  • Lyubashevsky, V.: Fiat-Shamir with aborts: Applications to lattice and factoring-based signatures. In: ASIACRYPT (2009)

  • Lyubashevsky, V.: Lattice signatures without trapdoors. In: EUROCRYPT (2012)

  • Lyubashevsky, V.: Digital signatures based on the hardness of ideal lattice problems in all rings. In: ASIACRYPT (2016)

  • Liu, Q., Zhandry, M.: Revisiting post-quantum Fiat-Shamir. In: CRYPTO (2019)

  • Migliore, V., Gérard, B., Tibouchi, M., Fouque, P.-A.: Masking Dilithium: efficient implementation and side-channel evaluation. In: ACNS (2019)

  • Micciancio, D., Mol, P.: Pseudorandom knapsacks and the sample complexity of LWE search-to-decision reductions. In: CRYPTO (2011)

  • Regev, O.: On lattices, learning with errors, random linear codes, and cryptography. J. ACM (2009)

  • Schnorr, C.-P.: Efficient identification and signatures for smart cards (abstract). In: EUROCRYPT (1989)

  • Zhandry, M.: How to construct quantum random functions. In: FOCS (2012)

Acknowledgments

We thank Andreas Hülsing, Christian Majenz, and Thomas Prest for helpful discussions. This work was supported by the ANR Project ANR-21-ASTR-0016 AMIRAL, the France 2030 ANR Project ANR-22-PECY-003 SecureCompute, and the France 2030 ANR Project ANR-22-PETQ-0008 PQ-TLS.

Corresponding author: Julien Devevey

Copyright information

© 2023 International Association for Cryptologic Research

Cite this paper

Devevey, J., Fallahpour, P., Passelègue, A., Stehlé, D. (2023). A Detailed Analysis of Fiat-Shamir with Aborts. In: Handschuh, H., Lysyanskaya, A. (eds) Advances in Cryptology – CRYPTO 2023. CRYPTO 2023. Lecture Notes in Computer Science, vol 14085. Springer, Cham. https://doi.org/10.1007/978-3-031-38554-4_11

  • DOI: https://doi.org/10.1007/978-3-031-38554-4_11

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-031-38553-7

  • Online ISBN: 978-3-031-38554-4
