Paper 2024/904

On round elimination for special-sound multi-round identification and the generality of the hypercube for MPCitH

Andreas Hülsing, Eindhoven University of Technology, SandboxAQ
David Joseph, SandboxAQ
Christian Majenz, Technical University of Denmark
Anand Kumar Narayanan, SandboxAQ
Abstract

A popular way to build post-quantum signature schemes is to first construct an identification scheme (IDS) and then apply the Fiat-Shamir transform to it. In this work we tackle two open questions related to the general applicability of techniques around this approach that together allow for efficient post-quantum signatures with optimal security bounds in the QROM. First, we consider a recent work by Aguilar-Melchor, Hülsing, Joseph, Majenz, Ronen, and Yue (Asiacrypt'23), which showed that an optimal bound for three-round commit & open IDS by Don, Fehr, Majenz, and Schaffner (Crypto'22) can be applied to the five-round Syndrome-Decoding in the Head (SDitH) IDS. For this, they first applied a transform that replaced the first three rounds by one. They left it as an open problem whether the same approach applies to other schemes beyond SDitH. We answer this question in the affirmative, generalizing their round-elimination technique and giving a generic security proof for it. Our result applies to any IDS with $2n+1$ rounds for $n>1$. However, a scheme has to be suitable for the resulting bound to be non-trivial. We find that IDS are suitable when they have a certain form of special-soundness, which many commit & open IDS have. Second, we consider the hypercube technique by Aguilar-Melchor, Gama, Howe, Hülsing, Joseph, and Yue (Eurocrypt'23), an optimization that was proposed in the context of SDitH and is now used by several of the contenders in the NIST signature on-ramp. It was conjectured that the technique applies generically to the MPC-in-the-Head (MPCitH) technique, which is used in the design of many post-quantum IDS, whenever an additive secret sharing scheme is used, but this was never proven. In this work we show that the technique generalizes to MPCitH IDS that use an additively homomorphic MPC protocol, and we prove that security is preserved.
We demonstrate the application of our results to the identification scheme of RYDE, a contender in the recent NIST signature on-ramp. While RYDE was already specified with the hypercube technique applied, this gives the first QROM proof for RYDE with an optimally tight bound.

Metadata
Available format(s)
PDF
Category
Public-key cryptography
Publication info
A major revision of an IACR publication in CRYPTO 2024
Keywords
Post-quantum cryptography, Digital Signature, MPCitH, Fiat-Shamir, QROM, Identification scheme, Round-Reduction, RYDE
Contact author(s)
andreas @ huelsing net
david joseph @ sandboxaq com
chmaj @ dtu dk
anand kumar @ sandboxaq com
History
2024-06-06: approved
2024-06-06: received
Short URL
https://ia.cr/2024/904
License
Creative Commons Attribution
CC BY

BibTeX

@misc{cryptoeprint:2024/904,
      author = {Andreas Hülsing and David Joseph and Christian Majenz and Anand Kumar Narayanan},
      title = {On round elimination for special-sound multi-round identification and the generality of the hypercube for {MPCitH}},
      howpublished = {Cryptology ePrint Archive, Paper 2024/904},
      year = {2024},
      note = {\url{https://eprint.iacr.org/2024/904}},
      url = {https://eprint.iacr.org/2024/904}
}