Abstract
Group actions are fundamental mathematical tools, with a long history of use in cryptography. Indeed, the action of finite groups at the basis of the discrete logarithm problem is behind a very large portion of modern cryptographic systems. With the advent of post-quantum cryptography, however, other group actions, such as isogeny-based ones, received interest from the cryptographic community, attracted by the possibility of translating old discrete logarithm-based functionalities.
Usually, research focuses on abelian group actions; however in this work we show that isomorphism problems which stem from non-abelian cryptographic group actions can be viable building blocks for threshold signature schemes. In particular, we construct a full N-out-of-N threshold signature scheme, and discuss the efficiency issues arising from extending it to the generic T-out-of-N case. To give a practical outlook on our constructions, we instantiate them with two different flavors of code-based cryptographic group actions, respectively at the basis of the LESS and MEDS signature schemes, two of NIST’s candidates in the recent call for post-quantum standardization.
Notes
- 1.
- 2. Unfortunately, while standard linear secret sharing would be more efficient, it is difficult to use in a non-abelian setting.
- 3. i.e. the probability of guessing the commitment is negligible.
References
Abdalla, M., An, J.H., Bellare, M., Namprempre, C.: From identification to signatures via the Fiat-Shamir transform: minimizing assumptions for security and forward-security. In: Knudsen, L.R. (ed.) EUROCRYPT 2002. LNCS, vol. 2332, pp. 418–433. Springer, Heidelberg (2002). https://doi.org/10.1007/3-540-46035-7_28
Aguilar Melchor, C., et al.: HQC. NIST PQC Submission (2020)
Alamati, N., De Feo, L., Montgomery, H., Patranabis, S.: Cryptographic group actions and applications. In: Moriai, S., Wang, H. (eds.) ASIACRYPT 2020. LNCS, vol. 12492, pp. 411–439. Springer, Cham (2020). https://doi.org/10.1007/978-3-030-64834-3_14
Albrecht, M.R., et al.: Classic McEliece. NIST PQC Submission (2020)
Aragon, N., et al.: BIKE. NIST PQC Submission (2020)
Baldi, M., et al.: Matrix equivalence digital signature (2023). https://www.less-project.com/LESS-2023-08-18.pdf. Accessed 15 Sept 2023
Barenghi, A., Biasse, J.-F., Ngo, T., Persichetti, E., Santini, P.: Advanced signature functionalities from the code equivalence problem. Cryptology ePrint Archive, Paper 2022/710 (2022). https://eprint.iacr.org/2022/710
Barenghi, A., Biasse, J.-F., Persichetti, E., Santini, P.: LESS-FM: fine-tuning signatures from the code equivalence problem. In: Cheon, J.H., Tillich, J.P. (eds.) PQCrypto 2021. LNCS, vol. 12841, pp. 23–43. Springer, Cham (2021). https://doi.org/10.1007/978-3-030-81293-5_2
Barenghi, A., Biasse, J.-F., Persichetti, E., Santini, P.: On the computational hardness of the code equivalence problem in cryptography. Adv. Math. Commun. 17(1), 23–55 (2023)
Basso, A., et al.: Supersingular curves you can trust. In: Hazay, C., Stam, M. (eds.) EUROCRYPT 2023. LNCS, vol. 14005, pp. 405–437. Springer, Cham (2023). https://doi.org/10.1007/978-3-031-30617-4_14
Battagliola, M., Galli, A., Longo, R., Meneghetti, A.: A provably-unforgeable threshold Schnorr signature with an offline recovery party. In: DLT2022 at Itasec 2022, CEUR Workshop Proceedings (2022)
Battagliola, M., Longo, R., Meneghetti, A.: Extensible decentralized secret sharing and application to Schnorr signatures (2022). https://eprint.iacr.org/2022/1551
Battagliola, M., Longo, R., Meneghetti, A., Sala, M.: A provably-unforgeable threshold EdDSA with an offline recovery party (2020). https://arxiv.org/abs/2009.01631
Battagliola, M., Longo, R., Meneghetti, A., Sala, M.: Threshold ECDSA with an offline recovery party. Mediterr. J. Math. 19(4) (2022)
Bellare, M., Neven, G.: Multi-signatures in the plain public-key model and a general forking lemma. In: Proceedings of the 13th ACM Conference on Computer and Communications Security, CCS 2006, pp. 390–399. Association for Computing Machinery, New York (2006)
Beullens, W., Disson, L., Pedersen, R., Vercauteren, F.: CSI-RAShi: distributed key generation for CSIDH. In: Cheon, J.H., Tillich, J.P. (eds.) PQCrypto 2021. LNCS, vol. 12841, pp. 257–276. Springer, Cham (2021). https://doi.org/10.1007/978-3-030-81293-5_14
Beullens, W., Katsumata, S., Pintore, F.: Calamari and Falafl: logarithmic (linkable) ring signatures from isogenies and lattices. Cryptology ePrint Archive, Paper 2020/646 (2020). https://eprint.iacr.org/2020/646
Beullens, W., Kleinjung, T., Vercauteren, F.: CSI-FiSh: efficient isogeny based signatures through class group computations. In: Galbraith, S., Moriai, S. (eds.) ASIACRYPT 2019. LNCS, vol. 11921, pp. 227–247. Springer, Cham (2019). https://doi.org/10.1007/978-3-030-34578-5_9
Biasse, J.-F., Micheli, G., Persichetti, E., Santini, P.: Less is more: code-based signatures without syndromes. In: Nitaj, A., Youssef, A. (eds.) AFRICACRYPT 2020. LNCS, vol. 12174, pp. 45–65. Springer, Cham (2020). https://doi.org/10.1007/978-3-030-51938-4_3
Bläser, M., et al.: On digital signatures based on isomorphism problems: QROM security, ring signatures, and applications. Cryptology ePrint Archive (2022)
Boneh, D., Gennaro, R., Goldfeder, S.: Using level-1 homomorphic encryption to improve threshold DSA signatures for bitcoin wallet security. In: Lange, T., Dunkelman, O. (eds.) LATINCRYPT 2017. LNCS, vol. 11368, pp. 352–377. Springer, Cham (2017). https://doi.org/10.1007/978-3-030-25283-0_19
Bonte, C., Smart, N.P., Tanguy, T.: Thresholdizing HashEdDSA: MPC to the rescue. Int. J. Inf. Secur. 20, 879–894 (2021)
Brandão, L.T.A.N., Davidson, M.: Notes on threshold EdDSA/Schnorr signatures. Accessed 01 May 2023
Brandão, L.T.A.N., Davidson, M., Vassilev, A.: NIST roadmap toward criteria for threshold schemes for cryptographic primitives. Accessed 27 Aug 2020
Campos, F., Muth, P.: On actively secure fine-grained access structures from isogeny assumptions. In: Cheon, J.H., Johansson, T. (eds.) PQCrypto 2022. LNCS, vol. 13512, pp. 375–398. Springer, Cham (2022). https://doi.org/10.1007/978-3-031-17234-2_18
Castryck, W., Lange, T., Martindale, C., Panny, L., Renes, J.: CSIDH: an efficient post-quantum commutative group action. In: Peyrin, T., Galbraith, S. (eds.) ASIACRYPT 2018. LNCS, vol. 11274, pp. 395–427. Springer, Cham (2018). https://doi.org/10.1007/978-3-030-03332-3_15
Chailloux, A.: On the (in)security of optimized Stern-like signature schemes. In: WCC (2022)
Chou, T., et al.: Matrix equivalence digital signature (2023). https://meds-pqc.org/spec/MEDS-2023-05-31.pdf. Accessed 12 Sept 2023
Chou, T., Niederhagen, R., Persichetti, E., Randrianarisoa, T.H., Reijnders, K., Samardjiska, S., Trimoska, M.: Take your MEDS: digital signatures from matrix code equivalence. In: El Mrabet, N., De Feo, L., Duquesne, S. (eds.) AFRICACRYPT 2023. LNCS, vol. 14064, pp. 28–52. Springer, Cham (2023). https://doi.org/10.1007/978-3-031-37679-5_2
Chou, T., Persichetti, E., Santini, P.: On linear equivalence, canonical forms, and digital signatures (2023). https://tungchou.github.io/papers/leq.pdf. Accessed 20 Sept 2023
Cozzo, D., Smart, N.P.: Sharing the LUOV: threshold post-quantum signatures. In: Albrecht, M. (ed.) IMACC 2019. LNCS, vol. 11929, pp. 128–153. Springer, Cham (2019). https://doi.org/10.1007/978-3-030-35199-1_7
Cozzo, D., Smart, N.P.: Sashimi: cutting up CSI-FiSh secret keys to produce an actively secure distributed signing protocol. In: Ding, J., Tillich, J.-P. (eds.) PQCrypto 2020. LNCS, vol. 12100, pp. 169–186. Springer, Cham (2020). https://doi.org/10.1007/978-3-030-44223-1_10
D’Alconzo, G., Scala, A.J.D.: Representations of group actions and their applications in cryptography. Cryptology ePrint Archive, Paper 2023/1247 (2023)
De Feo, L., Galbraith, S.D.: SeaSign: compact isogeny signatures from class group actions. In: Ishai, Y., Rijmen, V. (eds.) EUROCRYPT 2019. LNCS, vol. 11478, pp. 759–789. Springer, Cham (2019). https://doi.org/10.1007/978-3-030-17659-4_26
De Feo, L., Meyer, M.: Threshold schemes from isogeny assumptions. In: Kiayias, A., Kohlweiss, M., Wallden, P., Zikas, V. (eds.) PKC 2020. LNCS, vol. 12111, pp. 187–212. Springer, Cham (2020). https://doi.org/10.1007/978-3-030-45388-6_7
Doerner, J., Kondi, Y., Lee, E., Shelat, A.: Secure two-party threshold ECDSA from ECDSA assumptions. In: 2018 IEEE Symposium on Security and Privacy (SP), pp. 980–997. IEEE (2018)
Doerner, J., Kondi, Y., Lee, E., Shelat, A.: Threshold ECDSA from ECDSA assumptions: the multiparty case. In: 2019 IEEE Symposium on Security and Privacy (SP), pp. 1051–1066. IEEE (2019)
Don, J., Fehr, S., Majenz, C., Schaffner, C.: Security of the Fiat-Shamir transformation in the quantum random-oracle model. In: Boldyreva, A., Micciancio, D. (eds.) CRYPTO 2019. LNCS, vol. 11693. Springer, Cham (2019). https://doi.org/10.1007/978-3-030-26951-7_13
Feneuil, T., Joux, A., Rivain, M.: Syndrome decoding in the head: shorter signatures from zero-knowledge proofs. In: Dodis, Y., Shrimpton, T. (eds.) CRYPTO 2022. LNCS, vol. 13508, pp. 541–572. Springer, Cham (2022). https://doi.org/10.1007/978-3-031-15979-4_19
Feneuil, T., Joux, A., Rivain, M.: Shared permutation for syndrome decoding: new zero-knowledge protocol and code-based signature. Des. Codes Crypt. 91(2), 563–608 (2023)
Fiat, A., Shamir, A.: How to prove yourself: practical solutions to identification and signature problems. In: Odlyzko, A.M. (ed.) CRYPTO 1986. LNCS, vol. 263. Springer, Heidelberg (1987). https://doi.org/10.1007/3-540-47721-7_12
Gennaro, R., Goldfeder, S.: Fast multiparty threshold ECDSA with fast trustless setup. In: Proceedings of the 2018 ACM SIGSAC Conference on Computer and Communications Security, pp. 1179–1194 (2018)
Gennaro, R., Goldfeder, S., Narayanan, A.: Threshold-optimal DSA/ECDSA signatures and an application to bitcoin wallet security. In: Manulis, M., Sadeghi, A.R., Schneider, S. (eds.) ACNS 2016. LNCS, vol. 9696, pp. 156–174. Springer, Cham (2016). https://doi.org/10.1007/978-3-319-39555-5_9
Gennaro, R., Jarecki, S., Krawczyk, H., Rabin, T.: Robust threshold DSS signatures. In: Maurer, U. (ed.) EUROCRYPT 1996. LNCS, vol. 1070, pp. 354–371. Springer, Heidelberg (1996). https://doi.org/10.1007/3-540-68339-9_31
Gennaro, R., Jarecki, S., Krawczyk, H., Rabin, T.: Secure distributed key generation for discrete-log based cryptosystems. In: Stern, J. (ed.) EUROCRYPT 1999. LNCS, vol. 1592. Springer, Heidelberg (1999). https://doi.org/10.1007/3-540-48910-X_21
Gennaro, R., Jarecki, S., Krawczyk, H., Rabin, T.: Secure distributed key generation for discrete-log based cryptosystems. J. Cryptol. 20, 51–83 (2007)
Grilo, A.B., Hövelmanns, K., Hülsing, A., Majenz, C.: Tight adaptive reprogramming in the QROM. In: Tibouchi, M., Wang, H. (eds.) ASIACRYPT 2021. LNCS, vol. 13090. Springer, Cham (2021). https://doi.org/10.1007/978-3-030-92062-3_22
Gueron, S., Persichetti, E., Santini, P.: Designing a practical code-based signature scheme from zero-knowledge proofs with trusted setup. Cryptography 6(1), 5 (2022)
Ito, M., Saito, A., Nishizeki, T.: Secret sharing scheme realizing general access structure. Electron. Commun. Japan 72(9), 56–64 (1989)
Kuperberg, G.: Another subexponential-time quantum algorithm for the dihedral hidden subgroup problem. In: Severini, S., Brandão, F.G.S.L. (eds.) TQC 2013. LIPIcs, vol. 22. Schloss Dagstuhl (2013)
Lindell, Y.: Fast secure two-party ECDSA signing. In: Katz, J., Shacham, H. (eds.) CRYPTO 2017. LNCS, vol. 10402. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-63715-0_21
Liu, Q., Zhandry, M.: Revisiting post-quantum Fiat-Shamir. In: Boldyreva, A., Micciancio, D. (eds.) CRYPTO 2019. LNCS, vol. 11693, pp. 326–355. Springer, Cham (2019). https://doi.org/10.1007/978-3-030-26951-7_12
MacKenzie, P., Reiter, M.K.: Two-party generation of DSA signatures. In: Kilian, J. (ed.) CRYPTO 2001. LNCS, vol. 2139, pp. 137–154. Springer, Heidelberg (2001). https://doi.org/10.1007/3-540-44647-8_8
MacKenzie, P., Reiter, M.K.: Two-party generation of DSA signatures. Int. J. Inf. Secur. (2004)
NIST. Post-Quantum Cryptography Standardization (2017). https://csrc.nist.gov/Projects/Post-Quantum-Cryptography
NIST. Call for Additional Digital Signature Schemes for the Post-Quantum Cryptography Standardization Process (2023). https://csrc.nist.gov/projects/pqc-dig-sig/standardization/call-for-proposals
Persichetti, E., Santini, P.: A new formulation of the linear equivalence problem and shorter LESS signatures. Cryptology ePrint Archive (2023)
Schwabe, P., et al.: CRYSTALS-KYBER. NIST PQC Submission (2020)
Unruh, D.: Post-quantum security of Fiat-Shamir. In: Takagi, T., Peyrin, T. (eds.) ASIACRYPT 2017. LNCS, vol. 10624, pp. 65–95. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-70694-8_3
Acknowledgement
This publication was created with the co-financing of the European Union FSE-REACT-EU, PON Research and Innovation 2014-2020 DM1062/2021. The authors acknowledge support from Ripple’s University Blockchain Research Initiative. The first author acknowledges support from TIM S.p.A. through the Ph.D. scholarship. The second author acknowledges support from Telsy S.p.A. and De Componendis Cifris through the M.Sc. scholarship and Collegio Clesio. The third author is a member of the INdAM Research Group GNSAGA. The fourth author acknowledges support from NSF through grant 1906360 and NSA through grant H98230-22-1-0328.
All the authors would like to thank Giuseppe D’Alconzo and Leonardo Errati for their comments and suggestions.
The core of this work is contained also in the second author’s M.Sc. thesis.
Appendices
A Coding Theory Notions
A linear code \(\mathcal {C}\) is a vector subspace \(\mathcal {C}\subseteq \mathbb {F}_q^n\) of dimension k, and it is usually referred to as an [n, k] linear code. It follows that a basis for \(\mathcal {C}\) is given by a set of k linearly independent vectors in \(\mathbb {F}_q^n\). When these vectors are put as rows of a matrix \(\textbf{G}\), this is known as a generator matrix for the code, as it can generate each vector of \(\mathcal {C}\) (i.e. a codeword) as a linear combination of its rows. Note that such a generator is not unique, and any invertible \(k\times k\) matrix \(\textbf{S}\) yields another generator via a change of basis; however, it is always possible to obtain a “standard” form by simply performing a Gaussian elimination on the left-hand side. This is usually called systematic if the result is the identity matrix (i.e. if the leftmost \(k\times k\) block is invertible); we denote this by \(\textrm{SF}\).
Linear codes are traditionally measured with the Hamming metric, which associates a weight to each codeword by simply counting the number of its non-zero entries. It follows, then, that an isometry (i.e. a map preserving the weight) is given by any \(n\times n\) permutation matrix \(\textbf{P}\) acting on each word, or indeed, on the columns of \(\textbf{G}\) (since every codeword can be generated as a linear combination of the rows of \(\textbf{G}\)). Moreover, it is possible to generalize this notion by adding some non-zero scaling factors from \(\mathbb {F}_q\) to each column. Such a matrix is commonly known as a monomial matrix, and we denote it by \(\textbf{Q}\); it can be seen as a product \(\boldsymbol{D}\cdot \textbf{P}\) between a permutation matrix and a diagonal matrix with non-zero components.
The notion of linear codes can be generalized to the case where each codeword is a matrix, instead of a vector; more precisely, an \(m \times n\) matrix over \(\mathbb F_q\). We then speak of an \([m\times n,k]\) matrix code, which can be seen as a k-dimensional subspace \(\mathcal {C}\) of \(\mathbb F_q^{m\times n}\). These objects are usually measured with a different metric, known as the rank metric, where the weight of each codeword corresponds to its rank as a matrix. In this case, then, isometries are maps which preserve the rank of a matrix, and are thus identified by two non-singular matrices \(\textbf{A}\in \textrm{GL}_m\) and \(\textbf{B}\in \textrm{GL}_n\) acting respectively on the left and on the right of each codeword, by multiplication.
In both of the metrics defined above, we are able to formulate a notion of equivalence in the same way, by saying that two codes are equivalent if they are connected by an isometry. In other words, with a slight abuse of notation, we say that two linear codes \(\mathcal {C}\) and \(\mathcal {C}'\) are linearly equivalent if \(\mathcal {C}'=\mathcal {C}\textbf{Q}\), and two matrix codes \(\mathcal {C}\) and \(\mathcal {C}'\) are matrix equivalent if \(\mathcal {C}'=\textbf{A}\mathcal {C}\textbf{B}\). Note that the notion of permutation equivalence is just a special case of linear equivalence (with the diagonal matrix \(\boldsymbol{D}\) being the identity matrix), yet is often treated separately for a variety of reasons of both historical and practical nature (for instance, certain solvers behave quite differently).
B Signatures from Generic Group Actions
We summarize here briefly how to design a signature scheme from generic group actions. To begin, we formulate the Sigma protocol described in Fig. 3.
The protocol above intuitively provides a soundness error of 1/2; it is in fact trivial to prove that an adversary who could answer both challenges simultaneously would be able to recover a solution to GAIP. It is then necessary to amplify soundness, in order to reach the desired authentication level. This is accomplished, in the simplest way, by parallel repetition; in practice, several optimizations can be applied, as we will see in Sect. 5, without impacting security. At this point, a signature scheme can be obtained using the Fiat-Shamir transformation [41], which guarantees EUF-CMA security in the (Quantum) Random Oracle Model. The next result is intentionally a little vague, since it is well-known in the literature, and we do not want to overly expand this section. Proofs tailored to the specific instantiations can be found, for example, in [8, 34]. For further discussion of Fiat-Shamir, and its security in the ROM and QROM, we instead point the reader to [1, 38, 41, 52].
Proposition 2
Let \(\textsf{I}\) be the identification protocol described above, and \(\textbf{S}\) be the signature scheme obtained by iterating \(\textsf{I}\) and then applying Fiat-Shamir. Then \(\textbf{S}\) is existentially unforgeable against chosen-message attacks, based on the hardness of GAIP.
Note that the protocol does not require any specific property from the group action in use, except those connected to efficient sampling and computation. Indeed, even though the action could in principle be non-transitive, as is the case for code-based group actions, the construction makes it so that we operate on a single orbit (i.e. it is transitive by design in this specific use case). It is however advisable to utilize a free group action, since this could have an impact on the difficulty of GAIP.
C Code-Based Group Actions
We now present the group action associated to code equivalence, according to the definitions given in the previous sections. First, consider the set \(X\subseteq \mathbb {F}_q^{k\times n}\) of all full-rank \(k\times n\) matrices, i.e. the set of generator matrices of [n, k]-linear codes. We then set \(G=\textsf{M}_{n}\), by which we denote the group of monomial matrices. Note that this group is isomorphic to \((\mathbb {F}_q^*)^n\rtimes \textsf{S}_n\) if we decompose each monomial matrix \(\textbf{Q}\in \textsf{M}_{n}\) into a product \(\boldsymbol{D}\cdot \textbf{P}\). The group operation can be then seen simply as multiplication, and the group action is given by
It is easy to see that the action is well-formed, with the identity element being \(\textbf{I}_n\), and compatible with respect to (right) multiplication.
Remark 2
The definition above considers a standardized choice of representative by utilizing the systematic form \(\textrm{SF}\). This simplifies the definition and makes sure to avoid cases where multiple generators for the same code could be chosen. Indeed, since the systematic form uniquely identifies linear codes, this allows us to see our group action as effectively acting on linear codes, rather than on their representatives (generator matrices).
The case of matrix code equivalence can be framed analogously. In this case, the set X is formed by the k-dimensional matrix codes of size \(m \times n\) over some base field \(\mathbb {F}_q\); similarly to linear codes, matrix codes can be represented via generator matrices \(\textbf{G}\in \mathbb {F}_q^{k\times mn}\). Then, the action of the group \(G = \textrm{GL}_m \times \textrm{GL}_n\) on this set can be described compactly as follows:
Note that this is equivalent to applying the matrices \(\textbf{A}\) and \(\textbf{B}\) to each codeword \(\textbf{C}\) in the matrix code as \(\textbf{A}\textbf{C}\textbf{B}\); indeed this is often the most convenient notation.
Note that, in both cases, the action is not commutative and in general neither transitive nor free. It is however possible to restrict the set X to a single well-chosen orbit to make the group action both transitive and free. In fact, picking any orbit generated from some starting code ensures transitivity, and the group action is free if the chosen code has a trivial automorphism group, where trivial means up to scalars in \(\mathbb {F}_q\). The non-commutativity is both a positive and negative feature: although it limits the cryptographical design possibilities, e.g. key exchange becomes hard, it prevents quantum attacks to which commutative cryptographic group actions are vulnerable, such as Kuperberg’s algorithm for the dihedral Hidden Subgroup Problem [50].
The vectorization problems for the code-based group actions are well-known problems in coding theory. We report them below.
Problem 4
(Linear Equivalence (LEP)). Given two k-dimensional linear codes \(\mathcal {C}, \mathcal {C}'\subseteq \mathbb F_q^n\), find, if any, \(\textbf{Q}\in M_n\) such that \(\mathcal {C}'= \mathcal {C}\textbf{Q}\).
We have not defined explicitly here the Permutation Equivalence Problem (PEP), since we will not use it directly; this can be seen as just a special case of LEP, where the monomial matrix \(\textbf{Q}\) is a permutation.
Problem 5
(Matrix Code Equivalence (MCE)). Given two k-dimensional matrix codes \(\mathcal {C},\mathcal {C}'\), find, if any, \(\textbf{A} \in \textrm{GL}_m,\textbf{B} \in \textrm{GL}_n\) such that \(\mathcal {C}'=\textbf{A}\mathcal {C}\textbf{B}\).
Note that both of the above problems are traditionally formulated as decisional problems. Extensive discussion of their hardness is given, for instance, in [9, 29].
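As an added example (not code from the paper, LESS or MEDS), the monomial action of Appendix C on generator matrices, \(\textbf{G}\star \textbf{Q}=\textrm{SF}(\textbf{G}\cdot \textbf{Q})\), written over a small prime field, together with a constructed LEP instance (Problem 4) and a check of the facts stated above: the identity acts trivially, the action is compatible with right multiplication, and it depends only on the code and not on the chosen generator (Remark 2). The field size, code parameters and every function name are constructed for this example.

```python
import random

Q_FIELD = 7  # prime modulus of the toy field F_q (constructed parameter)

def sf(G, q=Q_FIELD):
    """Systematic form SF(G): row-reduce so that the leftmost k x k block is
    the identity.  Returns None when that block is singular, i.e. when no
    systematic form exists for this column order (Appendix A)."""
    k = len(G)
    M = [list(row) for row in G]
    for c in range(k):
        piv = next((r for r in range(c, k) if M[r][c] % q), None)
        if piv is None:
            return None
        M[c], M[piv] = M[piv], M[c]
        inv = pow(M[c][c], -1, q)
        M[c] = [(v * inv) % q for v in M[c]]
        for r in range(k):
            if r != c and M[r][c] % q:
                f = M[r][c]
                M[r] = [(a - f * b) % q for a, b in zip(M[r], M[c])]
    return tuple(tuple(row) for row in M)

def matmul(A, B, q=Q_FIELD):
    """Matrix product over F_q."""
    return tuple(tuple(sum(a * b for a, b in zip(row, col)) % q
                       for col in zip(*B)) for row in A)

def random_monomial(n, rng, q=Q_FIELD):
    """Q = D . P: a permutation matrix with one non-zero scalar of F_q per row."""
    perm = list(range(n))
    rng.shuffle(perm)
    Q = [[0] * n for _ in range(n)]
    for i, j in enumerate(perm):
        Q[i][j] = rng.randrange(1, q)
    return tuple(tuple(row) for row in Q)

def act(G, Q, q=Q_FIELD):
    """The right action of Appendix C on generator matrices: G * Q = SF(G . Q).
    None means G . Q has no systematic form (outside the usable orbit)."""
    return sf(matmul(G, Q, q), q)

def lep_instance(n, k, seed, q=Q_FIELD):
    """Constructed LEP instance (Problem 4): a random [n, k] code, a secret
    monomial Q and the equivalent code C' = C Q.  Returns (SF(G), SF(G'), Q)."""
    rng = random.Random(seed)
    while True:
        G = [[rng.randrange(q) for _ in range(n)] for _ in range(k)]
        Q = random_monomial(n, rng, q)
        G0, G1 = sf(G, q), act(G, Q, q)
        if G0 is not None and G1 is not None:
            return G0, G1, Q

def check_lep_solution(G0, G1, Q, q=Q_FIELD):
    """A candidate Q solves LEP iff it maps the code of G0 onto the code of G1."""
    return act(G0, Q, q) == G1

def check_action_axioms(n=6, k=3, seed=1, q=Q_FIELD):
    """Checks, on a random instance, that the identity acts trivially, that the
    action is compatible with right multiplication, and that it depends only
    on the code (Remark 2) and not on which generator matrix represents it."""
    rng = random.Random(seed)
    G0, _, _ = lep_instance(n, k, seed, q)
    ident = tuple(tuple(int(i == j) for j in range(n)) for i in range(n))
    ok_identity = act(G0, ident, q) == G0
    S = None  # another generator of the same code is S . G0, S invertible
    while S is None or sf(S, q) is None:
        S = [[rng.randrange(q) for _ in range(k)] for _ in range(k)]
    while True:  # draw Q1, Q2 until both sides of the compatibility law exist
        Q1, Q2 = random_monomial(n, rng, q), random_monomial(n, rng, q)
        step = act(G0, Q1, q)
        rhs = act(G0, matmul(Q1, Q2, q), q)
        if step is not None and rhs is not None:
            break
    ok_compat = act(step, Q2, q) == rhs
    ok_rep = act(matmul(S, G0, q), Q1, q) == step
    return ok_identity and ok_compat and ok_rep
```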
D Zero-Knowledge Proof for Action Equality
In the Distributed Key Generation given in Algorithm 1, we need a proof for the knowledge of a set element \(g_i\) such that the following relation holds:
The protocol presented below is a straightforward generalization of the one presented in Sect. 3.1 of [32], for a general group action.
For completeness we report here the proof of security for the non interactive version of the protocol, contained in [32] and [16].
Proposition 3
The protocol in Fig. 4 can be rendered as a non-interactive, computationally zero-knowledge quantum proof of knowledge for free 2-weakly pseudorandom group actions in the QROM.
Proof
First we prove that the underlying protocol is complete, sound and computationally zero-knowledge. The completeness is straightforward. We need to prove soundness and zero knowledge.
- Soundness: suppose that the Prover is able to answer both challenges, with \(u_0\) and \(u_1\). By the collision resistance of the hash function, at this point we would retrieve g as \(u_1^{-1} u_0\), against the one-wayness of the group action (and thus also against 2-weak pseudorandomness), and we would have that the public keys are generated by the same group element.
- Zero Knowledge: to simulate the protocol without knowing the secret g, for any pair of elements \((x_a,y_a)\), \((x_b,y_b)\) the Prover flips a coin c. If \(c=0\), the Prover follows the protocol normally and is able to answer the challenge if \(b=0\). If \(c=1\), it computes \(\bar{x}_a = \bar{g} y_a\) and \(\bar{x}_b = \bar{g}y_b\) and sends them in place of \(\tilde{x}_a\) and \(\tilde{x}_b\). In this way it is able to answer the challenge \(b=1\). Thus, if \(c=b\) the prover can convince the verifier; otherwise it rewinds the verifier and tries again. Since at every iteration the prover has probability \(\frac{1}{2}\) of guessing the correct c, the simulation ends in expected polynomial time. Note that this transcript is indistinguishable from an honestly-obtained one, because a distinguisher between honestly generated transcripts and simulated ones could be used to distinguish pairs \((\bar{x},g\star \bar{a})\) from random ones, against the 2-weak pseudorandomness.
For the quantum resistance, we observe that, since the automorphisms are all trivial, the sigma protocol has perfect unique responses (see [20, Lemma 1]); then, by [38, Theorem 25], the protocol is a quantum proof of knowledge. Since the protocol has completeness, high min-entropy (Note 3) and HVZK, it is zero-knowledge against quantum adversaries thanks to [59]. \(\square \)
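The following added example (not from the paper or the GRASS implementation) writes the identification protocol of Appendix B and the action-equality proof of Appendix D for a generic right group action and makes them non-interactive with Fiat-Shamir: one pair \((x,y)\) is the GAIP signature, several pairs sharing one secret g is the action-equality proof, and `extract` carries out the soundness argument of Proposition 3. Since Figs. 3 and 4 are not reproduced on this page, the round structure is assumed to be the standard GAIP sigma protocol, and the permutation action used to run it is a placeholder with no cryptographic hardness.

```python
import hashlib
import random

# Toy right action: S_n acting on an n-tuple by position.  It is free whenever
# the tuple has distinct entries; it stands in for a code-based action only to
# exercise the protocol and offers no hardness (constructed placeholder).
def act(x, p):
    """x * p, a right action: (x * p) * r == x * compose(p, r)."""
    return tuple(x[p[i]] for i in range(len(p)))

def compose(p, r):
    return tuple(p[r[i]] for i in range(len(r)))

def inverse(p):
    inv = [0] * len(p)
    for i, j in enumerate(p):
        inv[j] = i
    return tuple(inv)

def random_element(n, rng):
    p = list(range(n))
    rng.shuffle(p)
    return tuple(p)

def keygen(xs, rng):
    """Secret g and the statement: pairs (x_i, y_i = x_i * g) with one shared g.
    A single pair is the GAIP key pair of Appendix B; two or more pairs give
    the action-equality relation of Appendix D."""
    g = random_element(len(xs[0]), rng)
    return g, [(x, act(x, g)) for x in xs]

def _hash(*parts):
    return hashlib.sha256(repr(parts).encode()).digest()

def _bits(digest, t):
    return [(digest[i // 8] >> (i % 8)) & 1 for i in range(t)]

def sign(g, pairs, msg, t, rng):
    """t parallel rounds of the sigma protocol made non-interactive with
    Fiat-Shamir: commit to H(x_1 * g~, ..., x_m * g~), derive the challenge
    bits from H(msg, commitments), answer g~ for b=0 and g^-1 g~ for b=1.
    One round has soundness error 1/2, so t rounds give 2^-t."""
    tildes = [random_element(len(g), rng) for _ in range(t)]
    coms = [_hash(*[act(x, gt) for x, _ in pairs]) for gt in tildes]
    chal = _hash(msg, coms)
    resp = [gt if b == 0 else compose(inverse(g), gt)
            for gt, b in zip(tildes, _bits(chal, t))]
    return chal, resp

def verify(pairs, msg, sig, t):
    """Recompute every commitment from the response (x_i * u for b=0,
    y_i * u for b=1) and check that the challenge hash matches."""
    chal, resp = sig
    if len(resp) != t:
        return False
    coms = [_hash(*[act(y if b else x, u) for x, y in pairs])
            for u, b in zip(resp, _bits(chal, t))]
    return _hash(msg, coms) == chal

def extract(u0, u1):
    """Special soundness (proof of Proposition 3): two valid answers to the
    same commitment reveal g = u0 * u1^-1, i.e. u_1^-1 u_0 in the paper's
    left-action notation."""
    return compose(u0, inverse(u1))
```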
Copyright information
© 2024 The Author(s), under exclusive license to Springer Nature Switzerland AG
Cite this paper
Battagliola, M., Borin, G., Meneghetti, A., Persichetti, E. (2024). Cutting the GRASS: Threshold GRoup Action Signature Schemes. In: Oswald, E. (eds) Topics in Cryptology – CT-RSA 2024. CT-RSA 2024. Lecture Notes in Computer Science, vol 14643. Springer, Cham. https://doi.org/10.1007/978-3-031-58868-6_18
DOI: https://doi.org/10.1007/978-3-031-58868-6_18
Publisher Name: Springer, Cham
Print ISBN: 978-3-031-58867-9
Online ISBN: 978-3-031-58868-6