Hello everyone, my name is Thomas Debris-Alazard, I am a postdoc at Royal Holloway, University of London, and I am going to present joint work with André Chailloux from Inria Paris. We propose tight security reductions for signatures based on average trapdoor preimage sampleable functions. As I will explain, this concept is a relaxation of trapdoor preimage sampleable functions, which were introduced by Gentry, Peikert and Vaikuntanathan to build signatures with a tight security reduction. Let's start with the concept of security reduction. Our goal is to prove that a cryptographic scheme is secure. For this, we first need a problem P that we believe to be hard. The security reduction consists in giving a proof that breaking the scheme in time t implies breaking the problem P in time t times c(t) for some function c. In this case, we say that we made a security reduction of the scheme to the problem P with a loss of c(t). As a consequence, if there is no algorithm solving the problem P in time less than t, then there is no algorithm breaking the scheme in time less than t divided by c(t). In order to relate the security as closely as possible to P, what we wish for is a tight security reduction. Roughly speaking, it means that breaking the scheme in time t implies breaking the problem P in time approximately t. This kind of proof assesses the exact security, and hence the efficiency, of a cryptographic scheme. To have a security reduction, we often need an idealized model called the random oracle model, which I will call ROM in what follows. It is the first step and it is used mostly for signatures. The ROM is used when the cryptographic scheme needs a public function that behaves like a random one, for instance when a hash function is used, as in the full domain hash signature scheme, the FDH scheme.
In the ROM, when proving the security, we model the hash function as a perfectly random function to which every party has access via a black box. This model is idealized, but thanks to it we have tighter and simpler proofs. There is an extension of this model which is called the quantum random oracle model. Suppose that an adversary has access to a quantum computer. It gives him additional power: from any function that is a classical circuit C, he can efficiently run the quantum unitary O_C associated to the circuit C. In other words, the adversary can compute in superposition. The running time of O_C is mostly equal to the computing time of C. In the quantum random oracle model, we take this additional power into account. Any adversary has access to the hash function H and thus to the quantum unitary O_H associated to it. This is natural in a world where a quantum computer exists. It gives adversaries the possibility to run Grover's algorithm or to find collisions faster than in the classical case. In our work, we were interested in security reductions in models like the ROM and the QROM for full domain hash signature schemes. Let me recall how these schemes work. There are two ingredients. First, a hash function H that will be modeled as a random function. Secondly, a trapdoor one-way function F. The signer knows the secret key; here the secret key allows him to invert the function. Then, to sign a message, the signer computes the inverse under the function of H of the message. For signatures, the classical adversarial model is existential unforgeability under chosen message attack, the so-called EUF-CMA model, or QEUF-CMA model if the attacker has a quantum computer. We have the signer, who owns the secret key which enables him to invert the trapdoor one-way function, and the attacker, who owns the public key, namely the one-way function. Furthermore, there is a hash function which is modeled as a random function.
This would be in the ROM or the QROM. Now, in this model, the attacker can make signature queries of his choice: he can ask the signer to sign any message. It is important in this model that these requests are classical, even if the attacker has quantum access. A quantum attacker cannot ask for signatures in superposition. Otherwise, the attacker has access to the hash function and, if he is quantum, can compute this function in superposition. Then the attacker's goal is to produce a valid signature of a message that was not signed by the signer. The function that is used to sign is a trapdoor one-way function. Therefore, with only the knowledge of the public key, the attacker cannot invert the function and thus forge signatures. However, in the EUF-CMA or QEUF-CMA model, the attacker has access to signatures of his choice, so signatures could leak information on the secret key that is used to invert the function. In this context, Gentry, Peikert and Vaikuntanathan proposed to add a property to the one-way function to ensure the security. They introduced the concept of trapdoor preimage sampleable functions, which I will call TPSF in what follows. Roughly speaking, the definition is as follows. Let D be a distribution over the inputs of the one-way function F. We need two properties. The first one asks that for all inputs Y, the distribution of the algorithm which inverts the function on Y is close to that of X picked according to the distribution D, conditioned on the event F(X) = Y. It means that the output of the algorithm which inverts the function with the trapdoor is distributed independently of the secret key, and thus leaks nothing about it. The second property asks for the image of the function to be uniformly distributed when inputs are distributed according to D. Roughly speaking, it means that points of the function's range have the same number of inputs.
With this definition, Gentry, Peikert and Vaikuntanathan proposed a one-way function based on the lattice problem inhomogeneous short integer solution, ISIS. They showed how to reach the properties of TPSF. Thanks to that, they gave a tight security reduction to the collision problem. In other words, they showed that the collision problem is easier than forging signatures, which is itself easier than solving ISIS. From the above diagram, we can see that the GPV construction gives for lattices a tight and optimal reduction to the hardness of inversion, the one-way hypothesis here. This problem is essentially as hard as finding a collision: SIS for these parameters, for the proposed parameters, is approximately as hard as ISIS. But this result raises two questions. First, is the tight security reduction necessarily to the collision problem? Secondly, the properties of preimage sampleable functions are hard to meet. Can we relax them and still have a tight security reduction? In this work, we did four things to answer these questions. First, we propose a relaxation of the properties which are required to have a TPSF: we propose the definition of average TPSF. Secondly, we show how to build signatures with this function and we give a tight security reduction for them to the claw with random function problem, which is harder than the collision problem. We extend this result to the QROM. Finally, we apply these results to the recent Wave code-based signature scheme. In this case, our results are crucial. Indeed, the collision problem for Wave parameters is easy. Let us start with the definition of average trapdoor preimage sampleable function. But let us start by giving a more precise definition of what a TPSF is. Let F be a function that we suppose to be trapdoor one-way. Let D be a distribution over the range of the function. Here, the notation delta means the statistical distance.
We need this notion of distance here because if two distributions are close for this distance, then they are computationally indistinguishable. For F to be a TPSF, we need two properties, with here epsilon_1 and epsilon_2 which are small, negligible functions. First, the output of the algorithm which inverts F is statistically close to the distribution D. This is given more precisely in point 1 of the slide: we see that for all inputs, the algorithm which inverts F is epsilon_1-close to the random variable E, here in red. In point 2, we see that the outputs of F are statistically close to the uniform distribution when the input E is picked according to D. The important point here is the fact that the first property, point 1, is required for all fixed inputs. In our case, we relax these two properties into only one. We define the epsilon-average trapdoor function as follows; I will call them average TPSF. It corresponds to functions which are trapdoor one-way, such that the algorithm which inverts the function is statistically close to the random variable E, where E is picked according to D, but for inputs which are now random variables, here the random variables in red, which are uniform. Inputs to F are not fixed anymore; they are uniformly distributed. Roughly speaking, we ask the function F to verify point 1 of TPSF, but on average over inputs, not for all fixed inputs. Therefore, any TPSF is an average TPSF. The converse is, roughly speaking, true, but with a loss, a square loss. Indeed, any epsilon-average TPSF, as we showed, is an (epsilon_1, epsilon_2)-TPSF with epsilon_2 equal to epsilon but epsilon_1 equal to the square of epsilon. This last property follows from the leftover hash lemma. There is a loss of a square with the definition of average TPSF. Therefore, going through the definition of TPSF, there is a square loss in the security reduction of Gentry, Peikert and Vaikuntanathan.
Today, we know an instantiation of TPSF with the lattice-based signature scheme Falcon, but we also know an average TPSF: Wave. It is important here to note that Wave has a tight security reduction to the claw with random function problem. So, what is it? The problem is as follows. You are given a function f and a random function h. My objective is to find a claw between these functions, namely x and y such that f(x) equals h(y). Suppose that the function f in this problem is an average TPSF. Then, if we can solve the problem in time t with q queries to the random function h, we can invert f in time q times t. This gives a non-tight reduction for the problem of inverting f. I would like to stress here that the claw with random function problem can be seen as trying to invert f with multiple targets, which are given by the outputs of the function h. I can now present to you a sketch of the security reduction. For the security reduction to work, it is important to modify the signature scheme a little. When the signer wants to sign a message, he first picks a random salt r, here in red on the slide. Then he inverts the one-way function on the hash of the message concatenated with the salt. Intuitively, it gives as input to the algorithm which inverts f a uniformly distributed input. It essentially explains why we relaxed the properties of TPSF into average TPSF. Now, to make our security reduction, we modify the hash function as follows. We first create a random list L1, at the bottom of the slide, of salts r, which we suppose has a size large enough. When there is a call to the hash function, we distinguish two cases. If the salt is in the list L1, we return f(ẽ), where ẽ is in blue here and is a random variable which is picked according to the distribution D. Otherwise, we return a random value.
But we keep the value ẽ in memory. Here we are in the ROM, where H, the hash function, is modeled as a random function. So there is no difference with previously, as the outputs of the function f are uniformly distributed. Furthermore, we can remark here that the outputs e of the algorithm which inverts f, on the left of the slide, are distributed according to D by definition of average TPSF. So the idea now is to replace the outputs of this algorithm, which uses the secret key, by the random variable ẽ. There will be no difference with previously. And what we do: we pick a salt in the list L1, we get the ẽ that is associated to the salt r that we picked in L1, and we output ẽ and r. This creates a valid signature. Furthermore, we can run the attacker with only the knowledge of f, which is an ATPSF. At the end, the attacker forges a signature. As the attacker has no information on the list L1, he will create a signature for a salt that is not in L1 with high probability. So the attacker will find a claw between h, h of the message, here concatenated with a salt which is not in the list L1. So he finds a claw between the random values that are output by the hash function and the function f. So I gave here a quick sketch of the security reduction when the attacker makes classical queries to the hash function. For the quantum case, we used in a crucial way the following proposition of Zhandry. This proposition states the following. Let A be a quantum query algorithm running in time t and making q queries to a random oracle. Let T be a distribution which is epsilon-close to the uniform distribution over fixed-length bit vectors. Then, if we replace the quantum queries of A to the random oracle by quantum queries to a function g picked according to the distribution Fun_T, here it means that the outputs of g are distributed like the distribution T, then the outputs of the algorithm A will be the same up to a factor which is roughly equal to the square root of epsilon.
I am now going to conclude. In this work, we proposed a relaxation of the Gentry-Peikert-Vaikuntanathan conditions to make hash-and-sign signature schemes with a tight security reduction. Now we reduce to the claw with random function problem, not the collision problem. We applied this security reduction to the code-based signature scheme Wave. In this case, the claw with random function problem is known as the decoding one out of many problem, DOOM. It is a decoding problem where we have access to many noisy codewords and we only want to decode one of them. In the case of Wave parameters, the best algorithms to solve the DOOM problem have the same complexity as those solving the decoding problem, which is the problem upon which the one-way function relies. Therefore, we show in this case that forging a signature is the same as inverting the one-way function. Thank you.
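The following toy Python program is an added illustration of the reduction sketched in the talk; it is not code from the paper, from Wave or from Falcon. It assumes a constructed "average TPSF": a balanced lookup table f from a small input set to a small output set, whose trapdoor is simply the preimage table and whose input distribution D is uniform (so every output has the same number of preimages and the trapdoor inverter returns a uniform preimage, exactly the TPSF points 1 and 2). The parameters N_IN, N_OUT and SALT_BITS are toy values with no relation to any real scheme. It shows the salted hash-and-sign scheme, the simulator that programs the random oracle on the salt list L1 and signs without the trapdoor, and the extraction of a claw between f and the random function g from a forgery whose salt lies outside L1. The toy forger only exists to exercise the extraction path: with such a tiny domain it can invert f by scanning the public table, which says nothing about the real adversary.

```python
import random

# Constructed toy parameters (not Wave or Falcon sizes).
N_IN, N_OUT = 4096, 256
SALT_BITS = 20  # toy salt length; the real scheme uses a security-parameter-sized salt

def keygen(seed=1):
    """Public key: the table of f. Secret trapdoor: the preimage lists of f."""
    rng = random.Random(seed)
    table = list(range(N_OUT)) * (N_IN // N_OUT)  # every y has exactly N_IN/N_OUT preimages
    rng.shuffle(table)
    preimages = {y: [] for y in range(N_OUT)}
    for x, y in enumerate(table):
        preimages[y].append(x)
    return table, preimages

def sample_D(rng):
    return rng.randrange(N_IN)  # D = uniform over the domain of f

def invert_with_trapdoor(preimages, y, rng):
    # TPSF point 1: output distributed as D conditioned on f(x) = y,
    # which for a balanced f is a uniformly random preimage of y.
    return rng.choice(preimages[y])

class RandomOracle:
    """Lazily sampled random function H : (message, salt) -> [0, N_OUT)."""
    def __init__(self, rng):
        self.rng, self.memo = rng, {}
    def __call__(self, msg, salt):
        key = (msg, salt)
        if key not in self.memo:
            self.memo[key] = self.rng.randrange(N_OUT)
        return self.memo[key]

def sign(preimages, H, msg, rng):
    salt = rng.getrandbits(SALT_BITS)  # the random salt r from the talk
    e = invert_with_trapdoor(preimages, H(msg, salt), rng)
    return salt, e

def verify(f, H, msg, sig):
    salt, e = sig
    return 0 <= e < N_IN and f[e] == H(msg, salt)

class Simulator:
    """The reduction: answers hash and signing queries knowing only f.
    Salts in L1 get H(m, r) = f(e~) with e~ drawn from D and remembered for
    signing; every other salt is answered by an independent random function g."""
    def __init__(self, f, rng, n_salts):
        self.f, self.rng = f, rng
        self.L1 = {rng.getrandbits(SALT_BITS) for _ in range(n_salts)}
        self.g = RandomOracle(rng)  # the "random value" branch
        self.e_memo = {}            # (msg, salt) -> e~
    def H(self, msg, salt):
        if salt in self.L1:
            key = (msg, salt)
            if key not in self.e_memo:
                self.e_memo[key] = sample_D(self.rng)
            return self.f[self.e_memo[key]]
        return self.g(msg, salt)
    def sign(self, msg):
        salt = self.rng.choice(sorted(self.L1))
        self.H(msg, salt)  # ensures e~ for (msg, salt) exists
        return salt, self.e_memo[(msg, salt)]
    def extract_claw(self, msg, sig):
        """A valid forgery whose salt is outside L1 gives a claw between f and g:
        returns (e, (msg, salt)) with f(e) == g(msg, salt), else None."""
        salt, e = sig
        if salt in self.L1 or not verify(self.f, self.H, msg, sig):
            return None
        return e, (msg, salt)

def toy_forger(f, H, msg, rng):
    # Stand-in for the EUF-CMA adversary. With this toy domain it can invert f
    # by scanning the public table; it exists only to exercise claw extraction.
    salt = rng.getrandbits(SALT_BITS)
    y = H(msg, salt)
    e = next(x for x in range(N_IN) if f[x] == y)
    return salt, e

def demo(seed=7):
    """Returns (real signature verifies, simulated signature verifies, claw found)."""
    rng = random.Random(seed)
    f, trapdoor = keygen(seed)
    H = RandomOracle(rng)
    real_ok = verify(f, H, "pay 1 coin", sign(trapdoor, H, "pay 1 coin", rng))
    sim = Simulator(f, rng, n_salts=16)
    sim_ok = verify(f, sim.H, "pay 2 coins", sim.sign("pay 2 coins"))
    forgery = toy_forger(f, sim.H, "pay 99 coins", rng)
    claw = sim.extract_claw("pay 99 coins", forgery)
    claw_ok = claw is not None and f[claw[0]] == sim.g(*claw[1])
    return real_ok, sim_ok, claw_ok

if __name__ == "__main__":
    print(demo())  # (True, True, True)
```

The point to notice is that `Simulator.sign` never touches the trapdoor: because the salt was programmed into H as f(ẽ) with ẽ drawn from D, the pair (r, ẽ) is distributed exactly like an honest signature, which is what the average TPSF property buys. A forgery on a salt outside L1 verifies against the unprogrammed branch g, so it is directly a claw between f and g.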