Post-quantum EU-CMA security from OWF-only

user4242

8/27/24, 10:55 AM

In the paper: "Universal One-Way Hash Functions and their Cryptographic Applications". The following is proven: "If 1-1 one-way functions exist, then the one-way based signature scheme described above is secure." For a signature scheme defined in the paper, where by secure they mean "existentially unforgeable under an adaptive chosen plaintext attack", if I understand correctly this is EU-CMA.

Now SPHINCS constructs a post-quantum EU-CMA, PQ-EU-CMA (SPHINCS definition) scheme from the stronger assumptions of among others collision-resistant hashes. If I understand correctly CRHFs are black-box separated from OWFs, in "Finding collisions on a one-way street: Can secure hash functions be based on general assumptions?". Is there any work proving PQ-EU-CMA from OWFs only?

Based on the suggestions by lamontap and some more thought, is there a study of PQ-EU-CMA from some post-quantum generalization of OWFs? Such as those defined in One-Way Functions Imply Secure Computation in a Quantum World

1 + 0

post-quantum-cryptography

reference-request

one-way-function

hash-signature

Score:0

Crypto

lamontap

8/28/24, 7:06 PM

Yes, there are post-quantum signature schemes that rely only on OWFs. A notable example is Picnic. If $f(\cdot)$ is a one-way function, Picnic's private key is an element $x$ in the domain of $f$ and its corresponding public key is $y=f(x)$. To sign a message, you compute a non-interactive message-dependent zero-knowledge proof of knowledge. The non-interactive proof itself relies on the existence of OWF (with security proved in the random oracle model).

In slightly more details:

The signature scheme relies on the MPC-in-the-Head paradigm to build a public-coin proof of knowledge of $x$ such that $y=f(x)$. The proof of knowledge requires bit commitment schemes, which are known to exist from OWFs. The prover performs an MPC protocol for checking $y=f(x)$ "in its head" where the parties hold secret shares of $x$. The prover commits to views of MPC parties and sends the commitments to the verifier. The verifier challenges the prover to open all but one of the views and checks for consistency with the MPC protocol. Since the verifier doesn't get all the shares of $x$, this is zero-knowledge and soundness comes from the security of the MPC protocol.
The Fiat-Shamir transform is then applied to the proof: the verifier's challenge is computed by the prover by hashing the commitments.
By adding the message $m$ to the hash input, this becomes a signature for $m$.

As far as I know, none of this requires collision resistance. Of course, provable security is only attainable in the random oracle model since the Fiat-Shamir transform has some pretty strong impossibility results. I hope this still answers your question. Note that there are more recent iterations of MPC-in-the-head signature schemes, some of them in NIST's recent call for additional signature schemes.

+ 1

user4242

8/28/24, 7:17 PM

Yes, I think having to use correlation-intractable hashes (CIHs) to use Fiat-Shamir in standard model (to provably instantiate the random oracle) is bit of a long shot from just turning OWFs into PQ-EU-CMA, the way we can turn OWFs into EU-CMA. Concretely CIHs and OWFs are also black-box separated, so I see no difference in settling for Fiat-Shamir and settling for collision-resistance instead of an OWF. That black-box separation is https://eprint.iacr.org/2021/057.pdf Indeed SPHINCS needs more than CRHF, but CRHF is one of the requirements.

Elon Musk

I sit in a Tesla and translated this thread with Ai:

EN: Post-quantum EU-CMA security from OWF-only

Post an answer

Most people don’t grasp that asking a lot of questions unlocks learning and improves interpersonal bonding. In Alison’s studies, for example, though people could accurately recall how many questions had been asked in their conversations, they didn’t intuit the link between questions and liking. Across four studies, in which participants were engaged in conversations themselves or read transcripts of others’ conversations, people tended not to realize that question asking would influence—or had influenced—the level of amity between the conversationalists.