Quantum Oracle Distribution Switching and its Applications to Fully Anonymous Ring Signatures

Marvin Beckmann, Christian Majenz

TL;DR

This work provides four security reductions in the quantum-accessible random oracle model (QROM) for two generic ring signature constructions: two for the AOS framework and two for a construction paradigm based on ring trapdoors, whose generic backbone the authors formalize.

Abstract

Ring signatures are a powerful primitive that allows a member to sign on behalf of a group, without revealing their identity. Recently, ring signatures have received additional attention as an ingredient for post-quantum deniable authenticated key exchange, e.g., for a post-quantum version of the Signal protocol, employed by virtually all end-to-end-encrypted messenger services. While several ring signature constructions from post-quantum assumptions offer suitable security and efficiency for use in deniable key exchange, they are currently proven secure in the random oracle model (ROM) only, which is insufficient for post-quantum security. In this work, we provide four security reductions in the quantum-accessible random oracle model (QROM) for two generic ring signature constructions: two for the AOS framework and two for a construction paradigm based on ring trapdoors, whose generic backbone we formalize. The two security proofs for AOS ring signatures differ in their requirements on the underlying sigma protocol and their tightness. The two reductions for the ring-trapdoor-based ring signatures exhibit various differences in requirements and the security they provide. We employ the measure-and-reprogram technique, QROM straightline extraction tools based on the compressed oracle, history-free reductions and QROM reprogramming tools. To make use of Rényi divergence properties in the QROM, we study the behavior of quantum algorithms that interact with an oracle whose distribution is based on one of two different distributions over the set of outputs. We provide tight bounds for the statistical distance, show that the Rényi divergence cannot be used to replace the entire oracle and provide a workaround.

Paper Structure (66 sections, 44 theorems, 152 equations, 8 figures, 1 table)

This paper contains 66 sections, 44 theorems, 152 equations, 8 figures, 1 table.

Key Result

lemma 1

Let $P$ and $Q$ be two discrete probability distributions and $E$ an event such that $E\subseteq\operatorname{supp}(P)\subseteq \operatorname{supp}(Q)$. Let $f: \operatorname{supp}(Q) \to \mathcal{X}$ be a function (or stochastic map). For any $\alpha \in (1, \infty]$, we have the probability preservation property and the data processing in

Figures (8)

  • Figure 1: Unforgeability game for ring signatures.
  • Figure 2: The anonymity game for RSSs under full key exposure.
  • Figure 3: Generic construction of a ring signature from an RPSF with $k$ bits of salt. The key generation and setup algorithms of the ring signature are identical to those of $\mathsf{RPSF}$.
  • Figure 4: Construction of a ring signature $\mathsf{AOS}(\Sigma)$ from a $\mathsf{\Sigma}$-protocol $\Sigma$ and its HVZK simulator $\mathsf{Sim}$ using AC:AbeOhkSuz02. The construction can be modified if $\Sigma$ has commitment recoverability. In the modified version, $\mathsf{ch}_1$ can be sent instead of all the commitments, and the commitments and challenges are computed on the fly. Finally, there would be a consistency check of whether $\mathsf{ch}_1$ is the challenge that can be recovered from the last commitment. $\mathsf{Stp}$ only fixes the maximal ring size and $\mathsf{KGen}$ is identical to $\Sigma.\mathsf{Gen}$.
  • Figure 5: Unforgeability and anonymity games $\mathsf{Game}_{0}$ to $\mathsf{Game}_{2}$ in the theorem labelled "thm: UFCRA to UFNRA". All indices are interpreted to be modulo $N, N'$, and modulo $N^*$, respectively. In $\mathsf{Game}_{0}$, we have the normal unforgeability/anonymity game. In $\mathsf{Game}_{1}$, the RO is reprogrammed to a RO value, and in $\mathsf{Game}_{2}$, the signature is generated entirely without the secret key $w$.
  • ...and 3 more figures

Theorems & Definitions (88)

  • lemma 1: EC:LanSteSte14 and van_Erven_2014
  • lemma 2: AC:BLLSS15
  • lemma 3: CHES:PopDucGun14
  • definition 1: Ring Signatures
  • definition 2: $\mathsf{UF\text{-}NRA}$ of Ring Signatures
  • definition 3: $\mathsf{SUF\text{-}CRA}$ of Ring Signatures
  • definition 4: $\mathsf{UF\text{-}CRA1}$ of Ring Signatures
  • definition 5: Anonymity of Ring Signatures
  • theorem 1: C:DonFehMaj20
  • lemma 4: AC:GHHM21
  • ...and 78 more