Christian Majenz, University of Amsterdam
Hash functions are ubiquitous in cryptography. One example application are digital signature schemes. On the one hand, there are schemes whose security is solely based on hash functions, like e.g., SPHINCS+. On the other hand, there are several NIST post-quantum candidate digital signature schemes that make use of the Fiat-Shamir transformation, that uses a hash function to make a public-coin interactive proof system non-interactive. Another example is chosen-ciphertext security for key encapsulation mechanisms. Here, many schemes use the Fujisaki Okamoto transformation to lift weaker security to chosen-ciphertext security.
After introducing hash functions, giving an overview over the different points of attack they allow for, I will introduce the two mentioned generic transformations. I will discuss the problems of the (quantum) random oracle model, in which the transformations have security proofs. Subsequently, I will contrast the status of the two transformations with respect to attack opportunities. I will show how the Fiat Shamir transformation allows for an attack matching the bound given by a recently published security proof, but how the situation is unclear for the Fujisaki Okamoto transformation.