Aktivieren Sie unsere intelligente Suche, um passende Fachinhalte oder Patente zu finden.
Wählen Sie Textabschnitte aus um mit Künstlicher Intelligenz passenden Patente zu finden.
powered by
Markieren Sie Textabschnitte, um KI-gestützt weitere passende Inhalte zu finden.
powered by
Abstract
The Fiat-Shamir paradigm [CRYPTO’86] is a heuristic for converting three-round identification schemes into signature schemes, and more generally, for collapsing rounds in constant-round public-coin interactive protocols. This heuristic is very popular both in theory and in practice, and its security has been the focus of extensive study.
In particular, this paradigm was shown to be secure in the Random Oracle Model. However, in the plain model, the results shown were mostly negative. In particular, the heuristic was shown to be insecure when applied to computationally sound proofs (also known as arguments). Moreover, recently it was shown that even in the restricted setting where the heuristic is applied to interactive proofs (as opposed to arguments), its soundness cannot be proven via a black-box reduction to any so-called falsifiable assumption.
In this work, we give a positive result for the security of this paradigm in the plain model. Specifically, we construct a hash function for which the Fiat Shamir paradigm is secure when applied to proofs (as opposed to arguments), assuming the existence of a sub-exponentially secure indistinguishability obfuscator, the existence of an exponentially secure input-hiding obfuscator for the class of multi-bit point functions, and the existence of a sub-exponentially secure one-way function.
More generally, we construct a hash family that is correlation intractable (under the computational assumptions above), solving an open problem originally posed by Canetti, Goldreich and Halevi (JACM, 2004), under the above assumptions.
In addition, we show that our result resolves a long-lasting open problem in about zero-knowledge proofs: It implies that there does not exist a public-coin constant-round zero-knowledge proof with negligible soundness (under the assumptions stated above).
Anzeige
Bitte loggen Sie sich ein, um Zugang zu Ihrer Lizenz zu erhalten.
Loosely speaking, a hash family \(\{h_s\}\) is said to have this security property if for every probabilistic polynomial time adversary \(\mathcal{A}\), that is given a random seed s and outputs an element in the domain of \(h_s\), the random variable \(h_s(\mathcal{A}(s))\) conditioned on \(\mathcal{A}(s)\) has almost full min entropy.
The formalization of a falsifiable assumption, given in [BDG+13], is similar to the formalization given in [GW11], and differs slightly from the formalization given in [Nao03].
Our assumptions (see Sect. 1.1), which deal with exponential-time (rather than polynomial-time) adversaries, are inherently not falsifiable. Note that [BDG+13] allow an unbounded challenger, but restrict to polynomial-time attackers. In the context of obfuscation, the attacker is the algorithm trying to break the security of the obfuscation. We assume hardness against super polynomial-time attackers, and thus our assumptions do not fall into the category ruled out by Bitansky et al.
This assumption has been made in many previous works on \(\mathsf{iO}\) and is referred to as sub-exponential \(\mathsf{iO}\), since the security parameter can be polynomially larger than n (which makes \(2^n\) sub-exponential in the security parameter).
While DDH (and even discrete log) can be broken in time less than \(2^n\) (even in the generic group model - e.g., by the baby-step giant-step algorithm), this does not imply a non-trivial polynomial-time attack (i.e., one with success probability greater than \(\text {poly}(n)/2^n\)).
Indeed, for the class of protocols that [MV16] support, reducing to 2 rounds while preserving soundness (but not necessarily zero-knowledge) is straightforward: Since the prover’s first message is not a function of the input, the verifier can compute the prover’s first message \(\alpha \) for it, and sends \(\alpha \) (together with the coins used to generate it) to the prover.
The Fiat Shamir paradigm refers to constant round protocols. Indeed, there are interactive proofs with a super-constant number of rounds (and negligible soundness error) for which the Fiat Shamir paradigm is insecure.
More specifically, the insecurity is in the sense that there exist contrived interactive arguments such that for any hash family \(\mathcal{H}\), applying the Fiat-Shamir paradigm with the hash family \(\mathcal{H}\), results in an insecure 2-round protocol [Bar01, GK03].
We use \((s\{\alpha \},\alpha ,f_s(\alpha ))\) to denote the circuit that on input \(\alpha \) outputs the hardwired value \(f_s(\alpha )\), and on any other input \(x\ne \alpha \) computes \(f_s(x)\) using the punctured seed \(s\{\alpha \}\).
The fact that subexponential OWF yield PRFs for which distinguishing the entire truth table from a random truth table the truth table of a random function has been previously noted in the literature, most notably by Razborov and Rudich [RR97] in their work on natural proofs.
We remark that the reason we bound the input length is solely because we use a simplified definition of argument system that does not have a security parameter, and we are aiming for argument systems with soundness that is negligible in the input length.
Since parallel repetition decreases the soundness error of interactive proofs at an exponential rate, we may assume without loss of generality that the soundness error is negligible in n.
For 4-message proofs, the same paradigm as in Fig. 1 is used, except that the verifier also sends its first message from the base proof-system (i.e., a random string) in the first round.
In the original protocol \(\varPi \), it may be the case that different messages \(\alpha \) sent by the prover can lead the verifier to accept with different probabilities. E.g., some specific \(\alpha \)’s may lead the verifier to accept with probability \(\mu \) and others with probability 0. This presents a technical difficulty later in the proof and so we construct the relaxed verifier \(V'\) so that every string \(\alpha \) leads it to accept with roughly the same probability (up to a small multiplicative constant) without increasing the soundness error by too much.
It may at first seem odd that we only use the soundness of the underlying proof-system with respect to a cheating prover that just sends a random message \(\alpha ^*\). Recall however that here we consider the relaxed verifier who, by design, has a (roughly) similar acceptance probability given any string \(\alpha \).