 Okay, so the last talk of the session has a type term which is post-computer security of Fiat Shamir. I guess it is about the post-computer security of the Fiat Shamir scheme. Yep, not the security of the two people. Okay, I don't need them. Hello everyone. So before I start talking about the security of Fiat Shamir, let me quickly recap what Fiat Shamir is for those who are not familiar with it. So Fiat Shamir is a non-interactive proof system. So we are in the setting where we have a prover who gets his input, some statements or something that is supposed to be proven, and a witness, so a proof of that statement. And then a certain message is sent over that work, just one message, and the verifier who also knows that it's a statement but doesn't know the proof, will have to verify that this statement is actually correct. And we want informally two properties of such proof system. One is that it's zero-knowledge, so the verifier should not do anything besides the fact that the statement is true, and it should usually be a proof of knowledge, which means the verifier should be convinced that the prover actually knows the witness for the statement, so that the prover knows the proof for that statement. Non-interactive zero-knowledge proof systems are quite common in all kinds of cryptographic schemes. But one important application of Fiat Shamir, which is probably what most people have been thinking about when they were thinking about Fiat Shamir recently in the context of post-bundant cryptography, is that you can get an efficient signature scheme out of Fiat Shamir. Why can you do that? Well, what you do is the prover doesn't sign just an arbitrary statement, not just an arbitrary statement, but the prover proves that it knows the secret key. And since only the prover can do that, it is a signature. So, of course, to see that this is really a signature and that you cannot, for example, give you a signature for one message, make a signature for another message, etc., you need a more careful analysis, but for the moment being just trust me that this can be done. So, once you have shown a suitable variant of these properties, you get a highly efficient signature scheme. The question that I want to talk about today is Fiat Shamir quantum secure. Can the quantum computer break it or not? So, let me talk in slightly more detail about how Fiat Shamir works. So, what kind of construction is it? In Fiat Shamir, we start by using some interactive proof system. So, Fiat Shamir is not just one cryptosystem, it is actually a transformation. We start with an interactive proof system. So, again, something where the prover knows the prover of a statement and wants to come into the verifier. And we consider proof systems of very specific form, namely so-called sigma protocols. These are proof systems which have exactly three messages called the commitment, the challenge, and the response. With the added property that the challenge, so the method by the verifier, is a uniformly random message. And we require two properties of such a proof system. The first is that it is honest verifier zero knowledge, meaning whatever happens here between an honest proof and verifier could be efficiently simulated by a simulator that has no access to the witness whatsoever. And that intuitively means that by seeing such interaction, you don't learn anything. And secondly, one usually requires special soundness, which means that given a valid response for two different challenges for the same commitment, you can efficiently compute the witness. And these two properties together allow us now... So, a sigma protocol with these two properties allows us to construct a non-interactive proof system using Fiat Shamir. Let me sketch how this is done. So, the Fiat Shamir Prover internally simulates an interaction between the prover and the verifier for the sigma protocol. So, the prover runs the sigma protocol prover, which gives a commitment, the verifier answers with a random challenge, and the prover answers with a response. And then the prover takes these three messages and sends them to the verifier over the network. Well, as it is written like this, this would not be a secure non-interactive proof system. Why not? Because the verifier who checks whether this is a valid interaction cannot be sure whether this internal verifier has actually just sent a uniformly random challenge. So, it's actually when you do it like this, very easy for the Fiat Shamir Prover to make an invalid interaction or a valid interaction for an invalid statement by just picking a challenge for which it can finish this proof. So, what do we do to enforce that the challenge sent here is actually kind of like random? Well, what we can do is we can take a hash function and instead of taking this challenge randomly, we take the commitment, hash it, and this will be the challenge. And for a sufficiently ideal hash function or in the formal analysis, a random oracle, this is still like indistinguishable from a normal interaction of the sigma protocol, so it should still in particular lead to a valid triple of commitment challenge in response. But the Prover cannot anymore pick this challenge in a way so that he can cheat in the protocol. And without giving you any formal analysis of this, we would now get the property that since this sigma protocol is a simulation of an original sigma protocol, with the additional property that this challenge is kind of random, the soundness of the original sigma protocol carries over and we have that this Fiat-Charmier proof is sound. By sound, I mean we cannot make a proof of the wrong statement. Now, if we come to the quantum setting, it turns out that we have a problem. Because as we showed some years ago, if the sigma protocol has the same properties as we assume in the classical setting, so to remind you, one is verified as a knowledge and this special soundness, so if you just assume this properties, then it is possible to construct some very artificial sigma protocol relative to certain artificial oracles, so there's a lot of artificiality involved, but it's just to give a counter example. So we can construct the sigma protocol so that the following happens. So we have the sigma protocol with commitment, a challenge, and a response. And it's possible that this sigma protocol allows us, with some malicious prover, to send some commitment and generate at the same time some secret quantum state psi. Then we get an arbitrary challenge and we give an always valid response, even if the statement we are proving is wrong. So if we have such a sigma protocol, obviously fiat-sharmil will be insecure because the fiat-sharmil prover can also just produce a commitment, hash it, gets a challenge, and gets a response from that. Now you might say, okay, but this is an insecure sigma protocol. Well, it turns out to be a sigma protocol that satisfies all the properties we usually expect. In particular, it has special solvers. How can that be? If we can answer to any challenge with correct response, then it should be that we can get correct response for two different challenges, which was what we were supposed not to be able to do with special solvers. Well, here comes in the quantum thing. This sigma protocol is carefully designed that we get together with the commitment a quantum state that allows us to give a correct response. But this quantum state allows us to do this only once. So computing this response destroys the quantum state, and since we cannot copy the quantum state, we can do this only once. So we now have a sigma protocol that allows us to, for any challenge, give a correct response, but only once. So we can do it for any challenge we choose, but we cannot do it for two challenges, not even two challenges that are random or nice or whatever. And this example shows that fear charming has a problem when we're in the quantum setting. So the big question is, what can we do about that? And there are three possibilities what we can do to resolve the problem I showed you just now. The first thing is that we could say, this counter example is very artificial. It uses certain hypothetical oracles that do not exist in the real world, et cetera. So it could be that such a counter example is only possible in a world with such oracles, and all we need to do to prove the security of fear charming is to make a proof that holds in the real world but that does not hold relative to any oracles. Then we would circumvent the counter example. So this is so-called non-relativising proof, and I cannot exclude that such a non-relativising proof is possible. However, if it is, well, it doesn't seem too likely that we find one because non-relativising proofs are usually very difficult to find, and in most cases we either have a relativeising proof or we don't have proof at all. So I think this is a doubtful attempt to solving the problem, but it will be a highly interesting one. The second way out is just to say, okay, let's forget about fear charming. Let's just try to do something different from fear charming with the same purpose or some other transformation to take a sigma protocol and make a non-interactive proof system out of it. And indeed, this works. There have been at least two approaches that have done it in the quantum setting. So one paper by me from 2015 that was already mentioned this morning also, as called the Unruh transform. And there's another construction even older from Dr. Lenfischlin in Galliadoni from 2013, which is also a variation of the idea of fear charming to get non-interactive proof systems. The problem with those solutions is that while this one is less efficient than fear charming, this one needs a lot of strong assumptions. So although we have alternatives, we may not be totally in contact with them. We might want to still keep using fear charming because it's very efficient and because it is already established. So this is the standard construction. And this leads to the third possibility what we might try to do. So we know that using the normal assumptions about sigma protocols, the ones that we usually use to prove fear charming in the classical settings, they are not sufficient. But we may try to put some extra conditions on the sigma protocols so that fear charming will be secure. And that is the purpose of this talk. So let me give you an overview of the main result. So what we show is that if we have a sigma protocol that has statistical soundness and honest verification of knowledge, and here I'll list a few extra conditions that are usually always satisfied so they're not really worth mentioning except they're technically necessary. So we have two important properties. The statistical soundness and honest verification of knowledge. And from these two properties we can then get if we apply the normal fear charming construction unmodified to that sigma protocol we get a proof system that has simulation soundness. So that's a particular variant of soundness I will say something more in a moment and zero knowledge. So it has nice properties. But let's get into detail what has actually changed with respect to the classical situation. Well, in the preconditions of the theorem so the assumption of the sigma protocol I have changed what we expect in terms of soundness. Before we had this special soundness. So special soundness said that it's hard to find two answers to the same challenge. This we replace by statistical soundness. Statistical soundness says it is hard to make a proof for a wrong statement even if the adversary is computationally unlimited. So this is an interesting thing. We do not know how to prove the security of fear charming based on a sigma protocol which is hard to break for computationally limited adversaries. So even though the final goal the security of fear charming we only try to prove for computationally limited adversaries we need to put in a information theoretical assumption into the protocol. And the second thing honest verify the emerge that's just the same as we do classically. So we have here strengthened our assumption relative to what we need classically. And on the other side we get actually something a bit weaker than classically. So we get the emerge properties fine and everything works. Well we get the simulation soundness. So first what is soundness? Soundness means we cannot prove an incorrect statement. Simulation soundness is a somewhat technical and that the first moment is not so easy to understand notion which says we cannot prove the wrong statement even if we get access to the emerge simulator for proving for creating fake statements. So we cannot make more fake statements than the simulator does. This simulation soundness is very important because it means we cannot make out of one proof another proof and if we want to construct a signature scheme we will need this non-malability product. But the thing is usually what we prove here is simulation sound extractability. So extractability means if we can make a proof for something then we can find the witness efficiently. While this we draw, we just say we cannot make proof for wrong statements but we don't say that we cannot make proof for wrong statements at all. What we don't say what we don't imply is that we cannot make proof without knowing the witness. So it could be that there is a correct statement for which we do not know the witness and we can make the proof. So this property is weaker than what is guaranteed in the classical setting and that will turn out to be a bit of a problem for the signatures because to make a signature scheme we usually use simulation sound extractability. And I will not sketch how this proof is done. It is interesting because we cannot go exactly like in the classical setting because we need to do re-programming of the random oracle which is tricky in the quantum setting but fortunately the methods developed in my 2015 paper the one that it did in alternative construction, those methods carry over relatively easily to this setting so there is no normal technique needed. So let me sketch how we can show simulation soundness or I will just sketch soundness from statistical soundness of the sigma protocol. So take the sigma protocol and we use the following definition. Say we call a challenge so the message from the verifier we call it promising if there exists a response to that challenge. We do not say that it is easy to find that response or anything, we just classify challenges into promising or not I mean relative to a certain commitment we say what the verifier sense is promising if it is at least hypothetically possible to give a response to it and it is not promising if it is impossible even for an unlimited adversary to give a valid response. And now we have we are assuming that the sigma protocol has statistical soundness and that applies at least if you are trying to prove a wrong statement that for any commitment there are only few promising responses why is that the case but if there would be a lot of promising responses then sorry few promising challenges would be so for any commitment there are only few challenges that are promising because if there would be a lot of challenges that would be promising the verifier would be likely to send one and then the prover could send a valid response and the prover is unlimited so statistical soundness implies there are only few promising challenges and that implies that if we have a hash function modeled as a random oracle that hashes the commitment and access the statement but we can ignore that we are now if we try to find a commitment so that the hash of that commitment is a promising challenge well we know that there are only very few promising challenges but analyzing this more carefully we can see that whether a given output of the hash function is promising or not is more than uniformly random and therefore we can use existing result about quantum search to show that finding the commitment so that the hash of the commitment is promising this is a hard problem and this means that breaking the soundness of the Achaomian's heart because to break the soundness we would need to find a commitment and a response so that this is valid and in order for this to be valid the challenge needs to be promising otherwise there would be a valid response but we just said finding a commitment so that the hash of it is valid for a wrong statement always implied that this is hard so we have shown we cannot break the soundness of the Achaomian now what about signatures I mentioned that there is a little problem so let me quickly say something about this problem so in the classical setting when we want to show that Fiachami is a signature scheme we use the following approach although if you have seen proofs of the fact that Fiachami is a signature scheme it may not look this way because often it is not done in a two step approach that we show that it's proof system and then we show it's a signature scheme instead it's done more than one but those proofs do the same steps but just implicitly so this is a way to look at those proofs but often it will not be made explicit so what we usually have is that we show simulation sound extractability, zero knowledge we assume that the the Sigma protocol we are using is such that given the public key which is the statement it is hard to guess the corresponding security so this is kind of the weakest assumption we could make to get a signature scheme obviously if you can guess a secret key the signature scheme will be broken and then we prove our proofs that it knows a secret key and the extractability basically says if it knows a secret key if it proves that it knows a secret key it means that it knows a secret key and an addresser cannot do that that's basically the idea of the proof but we need to use this extractability here we need to prove that if we forge a message then we know a secret key and now if we go to the quantum setting as I showed you we don't have extractability in rule we just have simulation soundness so now the question is can we still get signatures because what I told you just now doesn't work and it turns out we can save the idea by changing this assumption we need something stronger if we assume we have a sigma protocol for proving that there is a secret key for public key and this secret public key relation has a property which I call dual-multile instances then the whole thing works so what are dual-multile instances I give you only the very vague idea it just means that having a valid public key you also randomly normally chose public key is indistinguishable from having a fake public key for which there exists no secret key then we say we have dual-multile hard instances and this stronger property actually makes the whole thing work very roughly because we could when we make a security proof fake public keys that do not have a secret key and then when we have someone forge a signature we can show oh forging a signature means proving there is a secret key but this is a false statement and we have a contradiction to the softness so I will not go into detail because we don't have time for that but now it goes through and what are the interesting old problems here where one is to nice sigma protocols that lead for example to efficient signatures using this approach there is a recent paper by Kils Debershevsky and Chafna who uses quite similar ideas and gives explicit construction for specific sigma protocols but I have not yet fully worked out whether it is exactly matching the properties from here or not because they analyze here specifically with the direct proof for those sigma protocols then we may want to know can we strengthen this result can we actually get some variant of extractability by putting in strong assumptions so this is a very interesting old question or can we weaken the assumption so I said we use statistical softness can we do it with some variant of computational softness but not the one we usually use because that one we showed doesn't work but some and finally can we make the reduction really tight so that we get efficient key lengths and so on that's all thank you for your attention any question your notion of dual mode hard instance I think the other one is called lossy public keys or something can you discuss the relationship between this lossy public key and this dual mode thing it is more or less the same idea so there are some slight differences I think the lossy public keys had at least in the definition statistical indistinguishability while I assume computation indistinguishability there are various little differences but the the basic idea is the same your talk assumes the existence of quantum computers that you allow only the cheating property to use it what happens if the commitments are quantum states the hash function is transforming quantum states to quantum states what happens if everything is allowed to be quantum that's a good question so let's see what I can say at the top of my head so the hash function and therefore the challenge quantum I would have to think whether this is a well defined notion or not what would be a quantum hash function so I don't know you could consider the commitment to be a quantum state and then respond something that is measured and then I think the zero knowledge part might go through with ideas I don't know and the but for the soulless part I wouldn't know how to directly transfer the proof so it might be that it's still secure but I think one would need to think about fight some changes here ah well if the commitment is a quantum state then I don't know what it would be to hash it so actually there's been more open so drastically open I would say classical computer an unbounded analysis can already break the soundness of the Fiat-Chamion fast forward right? yes but what we assumed was um we did not assume or I said nothing about security here against unbounded adversaries so the interesting thing is we need security of the sigma protocol and then it's unbounded adversaries to get security of Fiat-Chamion against bounded adversaries so let's try the speaker again for lunch now