Presentation is loading. Please wait.

Presentation is loading. Please wait.

Fiat-Shamir for Highly Sound Protocols is Instantiable

Published byBlaze Skinner Modified over 5 years ago

Similar presentations

Presentation on theme: "Fiat-Shamir for Highly Sound Protocols is Instantiable"β€” Presentation transcript:

1 Fiat-Shamir for Highly Sound Protocols is Instantiable
Arno Mittelbach Daniele Venturi Say we could not attend the conference Security and Cryptography for Networks – SCN 2016 Amalfi, 01/09/2016

2 Fiat-Shamir for Highly Sound Protocols is Instantiable
Sigma Protocols 𝛼 (π‘₯,𝑀)βˆˆπ‘… π‘₯ 𝛽 NP Relation 𝛾 Prover Verifier Completeness: Honest prover (almost) always convinces verifier Soundness: Malicious prover can’t prove false statements π‘₯βˆ‰πΏ HVZK: There exists efficient simulator that given π‘₯ produces triplets 𝛼,𝛽,𝛾 with the same distribution as honest protocol transcripts with π‘₯,𝑀 βˆˆπ‘… Fiat-Shamir for Highly Sound Protocols is Instantiable

3 Fiat-Shamir Transform
(π‘₯,𝑀)βˆˆπ‘… π‘₯ πœ‹=(𝛼,𝛾) 𝛽=𝐻(𝛼) Prover Verifier The verifier accepts as long as (𝛼,𝛽,𝛾) is valid for 𝛽=𝐻(𝛼) Theorem [FS89,…]: If 𝛴 is a Sigma protocol and H is modelled as a RO, the FS transform yields a NIZK Fiat-Shamir for Highly Sound Protocols is Instantiable

4 Negative Results Fundamental Question: Prove restricted standard-model results for FS Fiat-Shamir for Highly Sound Protocols is Instantiable

5 Fiat-Shamir for Highly Sound Protocols is Instantiable
Our Work & Talk Outline Identify a class of so-called highly sound protocols admitting a simple information-theoretic instantiation of FS These are special Sigma protocols satisfying three requirements P1, P2, P3 General-purpose compilers in the CRS model First compiler: Takes any 𝛴 with P1, P3 and outputs 𝛴′ with P1, P2, P3 Second compiler: Takes any 𝛴 with P1 and outputs 𝛴′ with P1, P3 Ingredients: iO, puncturable PRFs, equivocable commitments Many natural protocols already meet P1, and protocols meeting P1 and P3 exist for all of 𝑁𝑃 assuming one-way permutations [LS91,OV12] Fiat-Shamir for Highly Sound Protocols is Instantiable

6 Standard Model Instantiation
𝐻 βˆ™ =β„Žπ‘˜ (π‘₯,𝑀)βˆˆπ‘… π‘₯ πœ‹=(𝛼,𝛾) 𝛽=𝐻 𝛼 =β„Žπ‘˜ Prover Verifier We show that under certain properties the above preserves soundness and suffices for one-time zero-knowledge Can be generalized to π‘ž-bounded zero-knowledge using π‘ž-wise independent hashing Fiat-Shamir for Highly Sound Protocols is Instantiable

7 The Selective FS Transform
𝛼 (π‘₯,𝑀)βˆˆπ‘… π‘₯ β„Žπ‘˜ 𝛽=𝐻 𝛼 =β„Žπ‘˜ 𝛾 Prover Verifier Theorem: If 𝛴 is complete and sound, so is its Selective FS transform with the constant hash function Explain that the constant hash function is programmable Fiat-Shamir for Highly Sound Protocols is Instantiable

8 Intuition for Soundness Proof
Hope 𝛼= 𝛼 βˆ— 𝐻 βˆ™ =β„Žπ‘˜ 𝛼 πœ‹=( 𝛼 βˆ— , 𝛾 βˆ— ) β„Žπ‘˜ 𝛾 βˆ— π‘₯ π‘₯ π‘₯ FS Collapse Adversary Selective FS Adversary Verifier P2: Ratio is bounded away from one Soundness = Selective FS Soundness max probability of guessing 𝛼 βˆ— Fiat-Shamir for Highly Sound Protocols is Instantiable

9 Intuition for (One-Time) Zero Knowledge
(𝛼,𝛽) π‘π‘Ÿπ‘ =β„Žπ‘˜ HVZK Simulator P3: Can be computed indep. of π‘₯ (π‘₯,𝑀)βˆˆπ‘… π‘‘π‘˜=π‘Ÿ πœ‹=(𝛼,𝛾) π‘₯ πœ‹=(𝛼,𝛾) P1: Can be computed indep. of π‘₯,𝑀 π‘₯ Prover Verifier NIZK Simulator Instead in the ROM proof the programming is done adaptively by programming the random oracle (𝛼,𝛾) HVZK Simulator Essentially we do the programming up-front relying on P1 and P3 Fiat-Shamir for Highly Sound Protocols is Instantiable

10 Highly Sound Protocols and Main Theorem
3-move protocols with completeness, soundness, HVZK and P1: Commitment 𝛼 can be computed independently of π‘₯,𝑀 P2: Soundness-error-to-guessing ratio (SEGR) bounded away from one P3: HVZK Simulator computes (𝛼,𝛽) independently of π‘₯ Main question: Do highly sound protocols exist at all??? Theorem: If 𝛴 is highly sound, then its FS collapse using a π‘ž-wise independent hash is a π‘ž-bounded NIZK Fiat-Shamir for Highly Sound Protocols is Instantiable

11 Example: Blum’s QR Protocol
Blum Integer 𝑁 𝛼= π‘Ÿ 2 (π‘₯,𝑀)∈ 𝑅 𝑄𝑅 𝛽←{0,1} π‘₯= 𝑀 2 mod 𝑁 π‘₯ 𝛾 2 β‰Ÿ π‘₯ 𝛽 βˆ™π›Ό 𝛾= 𝑀 𝛽 βˆ™π‘Ÿ π‘Ÿβ† β„€ 𝑁 βˆ— Prover Verifier P1 clearly met, but P2 and P3 are not Soundness is only Β½ HVZK Simulator computes 𝛼 depending on π‘₯ The Lapidot-Shamir protocol for graph hamiltonicity directly meets P1 and P3 [LS91,OV12] Fiat-Shamir for Highly Sound Protocols is Instantiable

12 First Compiler 𝑖𝑂( 𝐹 1 ( π‘˜ 1 ,βˆ™)) 𝑖𝑂( 𝐹 2 ( π‘˜ 2 ,βˆ™+𝑖)) π‘˜ 2 π‘˜ 1
P1+P3 𝑖𝑂( 𝐹 1 ( π‘˜ 1 ,βˆ™)) 𝑖𝑂( 𝐹 2 ( π‘˜ 2 ,βˆ™+𝑖)) π‘˜ 2 π‘˜ 1 𝛼 1 ,…, 𝛼 𝑛 (π‘₯,𝑀)βˆˆπ‘… 𝛼 βˆ— Check:( 𝛼 𝑖 , 𝛽 𝑖 , 𝛾 𝑖 ) valid βˆ€π‘–βˆˆ[𝑛] π‘Ÿ βˆ— 𝛼 βˆ— 𝛽 1 ,…, 𝛽 𝑛 π‘˜ 2 𝛼 βˆ— 𝛼 1 ,…, 𝛼 𝑛 𝛾 1 ,…, 𝛾 𝑛 π‘₯ Prover Verifier P1 and P3 easily seen to be preserved P2 holds since 𝑛 is independent of the size of the pre-commitment 𝛼 βˆ— Fiat-Shamir for Highly Sound Protocols is Instantiable

13 Second Compiler 𝛼 βˆ— ( 𝛼 βˆ— ,𝛿)←Com(𝛼) 𝛽 (𝛾,𝛿) π‘₯ (π‘₯,𝑀)βˆˆπ‘…
Can be perfectly binding or equivocal depending on setup 𝛼 βˆ— ( 𝛼 βˆ— ,𝛿)←Com(𝛼) 𝛽 (𝛾,𝛿) (π‘₯,𝑀)βˆˆπ‘… π‘₯ Prover Verifier P1 clearly preserved, completeness and soundness also are preserved (when the commitment is binding) The HVZK Simulator can commit to arbitrary 𝛼 βˆ— and later open this to any 𝛼 (which allows to show P3) Fiat-Shamir for Highly Sound Protocols is Instantiable

14 Concluding Remarks We have shown a restricted positive result on FS without ROs Highly sound protocols admit simple instantiation of the RO Highly sound protocols exist for all of 𝑁𝑃 (under strong assumptions) in the CRS model Not clear what a positive result for FS in the CRS model means! Common Reference String π‘π‘Ÿπ‘  πœ€ NIZK proof of π‘₯∈𝐿 πœ€ 𝛾 βˆ— π‘₯ (π‘₯,𝑀)βˆˆπ‘… Prover Verifier Fiat-Shamir for Highly Sound Protocols is Instantiable

15 Fiat-Shamir for Highly Sound Protocols is Instantiable
Concluding Remarks Big open question! Still our result has some nice features: It works in the standard model if one can construct a highly sound protocol without relying on a CRS Our CRS-based compilers make a non-trivial use of the starting Sigma protocol Extensions and directions for future research: Similar result works for FS signatures (via highly sound ID schemes) What about Β«Strong FSΒ»? Apply our ideas to other RO-based transforms (e.g., Fischlin’s [Fis05]) Concurrent work by Kalai, Rothblum and Rothblum [KRR16] Positive result starting with any 3-move public-coin proof (uses similar tools) Only applies to soundness of the interactive FS collapse (2 rounds) Fiat-Shamir for Highly Sound Protocols is Instantiable

16 Thank You! Full version available as ePrint Report 2016/133
Fiat-Shamir for Highly Sound Protocols is Instantiable

Download ppt "Fiat-Shamir for Highly Sound Protocols is Instantiable"

Similar presentations

Short Pairing-based Non-interactive Zero-Knowledge Arguments Jens Groth University College London TexPoint fonts used in EMF. Read the TexPoint manual.

Short Pairing-based Non-interactive Zero-Knowledge Arguments Jens Groth University College London TexPoint fonts used in EMF. Read the TexPoint manual.
Non-interactive Zero- Knowledge Arguments for Voting Jens Groth UCLA.

Non-interactive Zero- Knowledge Arguments for Voting Jens Groth UCLA.
On the (Im)Possibility of Arthur-Merlin Witness Hiding Protocols Iftach Haitner, Alon Rosen and Ronen Shaltiel 1.

On the (Im)Possibility of Arthur-Merlin Witness Hiding Protocols Iftach Haitner, Alon Rosen and Ronen Shaltiel 1.
Lower Bounds for Non-Black-Box Zero Knowledge Boaz Barak (IAS*) Yehuda Lindell (IBM) Salil Vadhan (Harvard) *Work done while in Weizmann Institute. Short.

Lower Bounds for Non-Black-Box Zero Knowledge Boaz Barak (IAS*) Yehuda Lindell (IBM) Salil Vadhan (Harvard) *Work done while in Weizmann Institute. Short.
Coin Tossing With A Man In The Middle Boaz Barak.

Coin Tossing With A Man In The Middle Boaz Barak.
Statistical Zero-Knowledge Arguments for NP from Any One-Way Function Salil Vadhan Minh Nguyen Shien Jin Ong Harvard University.

Statistical Zero-Knowledge Arguments for NP from Any One-Way Function Salil Vadhan Minh Nguyen Shien Jin Ong Harvard University.
Complexity Theory Lecture 9 Lecturer: Moni Naor. Recap Last week: –Toda’s Theorem: PH οƒŒ P #P. –Program checking and hardness on the average of the permanent.

Complexity Theory Lecture 9 Lecturer: Moni Naor. Recap Last week: –Toda’s Theorem: PH οƒŒ P #P. –Program checking and hardness on the average of the permanent.
Vote privacy: models and cryptographic underpinnings Bogdan Warinschi University of Bristol 1.

Vote privacy: models and cryptographic underpinnings Bogdan Warinschi University of Bristol 1.
1 Identity-Based Zero-Knowledge Jonathan Katz Rafail Ostrovsky Michael Rabin U. Maryland U.C.L.A. Harvard U.

1 Identity-Based Zero-Knowledge Jonathan Katz Rafail Ostrovsky Michael Rabin U. Maryland U.C.L.A. Harvard U.
Rennes, 24/10/2014 Cristina Onete CIDRE/ INRIA Sigma Protocols and (Non-Interactive) Zero Knowledge.

Rennes, 24/10/2014 Cristina Onete CIDRE/ INRIA Sigma Protocols and (Non-Interactive) Zero Knowledge.
Dominique Unruh Non-interactive zero-knowledge with quantum random oracles Dominique Unruh University of Tartu With Andris Ambainis, Ansis Rosmanis Estonian.

Dominique Unruh Non-interactive zero-knowledge with quantum random oracles Dominique Unruh University of Tartu With Andris Ambainis, Ansis Rosmanis Estonian.
Computational Security. Overview Goal: Obtain computational security against an active adversary. Hope: under a reasonable cryptographic assumption, obtain.

Computational Security. Overview Goal: Obtain computational security against an active adversary. Hope: under a reasonable cryptographic assumption, obtain.
Isolated PoK and Isolated ZK Ivan DamgΓ₯rd, Jesper Buus Nielsen and Daniel Wichs.

Isolated PoK and Isolated ZK Ivan DamgΓ₯rd, Jesper Buus Nielsen and Daniel Wichs.
How to Delegate Computations: The Power of No-Signaling Proofs Ron Rothblum Weizmann Institute Joint work with Yael Kalai and Ran Raz.

How to Delegate Computations: The Power of No-Signaling Proofs Ron Rothblum Weizmann Institute Joint work with Yael Kalai and Ran Raz.
13. Oktober 2010 | Dr.Marc Fischlin | Kryptosicherheit | 1 Adaptive Proofs of Knowledge in the Random Oracle Model 21. PKC 2015 Marc Fischlin joint work.

13. Oktober 2010 | Dr.Marc Fischlin | Kryptosicherheit | 1 Adaptive Proofs of Knowledge in the Random Oracle Model 21. PKC 2015 Marc Fischlin joint work.
1 Vipul Goyal Abhishek Jain Rafail Ostrovsky Silas Richelson Ivan Visconti Microsoft Research India MIT and BU UCLA University of Salerno, Italy Constant.

1 Vipul Goyal Abhishek Jain Rafail Ostrovsky Silas Richelson Ivan Visconti Microsoft Research India MIT and BU UCLA University of Salerno, Italy Constant.
On the Composition of Public- Coin Zero-Knowledge Protocols Rafael Pass (Cornell) Wei-Lung Dustin Tseng (Cornell) Douglas WiktrΓΆm (KTH) 1.

On the Composition of Public- Coin Zero-Knowledge Protocols Rafael Pass (Cornell) Wei-Lung Dustin Tseng (Cornell) Douglas WiktrΓΆm (KTH) 1.
Zero-Knowledge Proofs J.W. Pope M.S. – Mathematics May 2004.

Zero-Knowledge Proofs J.W. Pope M.S. – Mathematics May 2004.
Complexity 26-1 Complexity Andrei Bulatov Interactive Proofs.

Complexity 26-1 Complexity Andrei Bulatov Interactive Proofs.
CS426Fall 2010/Lecture 351 Computer Security CS 426 Lecture 35 Commitment & Zero Knowledge Proofs.

CS426Fall 2010/Lecture 351 Computer Security CS 426 Lecture 35 Commitment & Zero Knowledge Proofs.

Similar presentations

Ads by Google