fiat-shamir: from practice to theory - biu
TRANSCRIPT
Fiat-Shamir: from Practice to Theory
Ron RothblumTechnion
Based on joint works with: Ran Canetti, Yilei Chen, Justin Holmgren, Yael Kalai, Alex Lombardi, Leo Reyzin and Guy Rothblum
The Fiat-Shamir Transform
Hash Function ๐ป๐ท ๐ฝ
โฆ
Public-CoinInteractive Protocol
(Each ๐ฝ๐ uniformly random)
Non-InteractiveArgument
generically
๐ผ1
๐ฝ1
๐ผ๐โ1
๐ฝ๐โ1
๐ผ๐
๐ผ1 , โฆ , ๐ผ๐
๐ฝ๐ = ๐ป(๐ฅ, ๐ผ1, โฆ , ๐ผ๐)
๐ท๐ญ๐บ ๐ฝ๐ญ๐บ
๐ฝ2 = ๐ป(๐ฅ, ๐ผ1 , ๐ผ2)
๐ฝ1 = ๐ป(๐ฅ, ๐ผ1)
โฆ
Fiat Shamir โ Security?
[PS96]: Fiat Shamir transform is secure in the random oracle model.
Can we instantiate the heuristic securely using an explicit hash family?
Fiat Shamir โ Impossible?
Def: a hash family ๐ป is FS-compatible for a protocol ฮ if ๐น๐๐ป(ฮ ) is a sound argument-system.
Thm [B01,GK03]: โ protocols which are not FS-compatible for any ๐ป.
Hope? Those counterexamples are arguments! Maybe sound if we start with a proof?
[BDGJKLW13]: no blackbox reduction to a falsifiable assumption, even for proofs.
This Talk: New Positive Results
First positive indications: Hash functions that are FS compatible for proofs.
Bypass impossibility results by:
โข Strong (but meaningful) assumptions.
โข Considering restricted classes of proofs.
Very recent followups make progress on longstanding open problems:
1. ๐๐ผ๐๐พ from ๐ฟ๐๐ธ [CLW19,PS19]2. PPAD hardness [CHKPRR19]
STRONG ASSUMPTIONS AHEAD
A Detour: Optimal Hardnessโข For this talk: optimal hardness means ๐๐๐ algorithm
can only break with poly ๐ /2๐ probability.
โข Holds in ROM, whereas optimal-size hardness does not.
โข When challenge is re-randomizable:
โ Weaker than optimal-size hardness.
โ Implies a polynomial-space attack.
FS for Proofs:Recent Positive Results
[KRR16]: subexponential IO+OWF, optimal input-hiding Obf.
[CCRR17]: optimal KDM secure encryption* scheme, for unbounded KDM functions.
[CCHLRR18]: optimal KDM secure encryption* for bounded KDM functions, but only for โniceโ IPs.
IPs that we care about are nice.
Applications
Thm [CCHLRR18]: publicly verifiable non-interactive arguments for ๐๐ถ, assuming suitable ๐น๐ป๐ธ is optimally hard (for key recovery).
Thm [CCHLRR18]: NIZKs for all of ๐๐, assuming search LWE is optimally hard.
Corollary (via [DNRS03]): assuming search-LWE is optimally hard, parallel rep. of QR protocol is not zero-knowledge.
1. Statistical ZK.2. Uniform CRS.3. Adaptive soundness
[PS19]: same conclusion but only assuming LWE!
Proof Idea
Recent Positive Results
[KRR17]: subexponential IO+OWF, optimal input-hiding Obf.
[CCRR18]: optimal KDM secure encryption* scheme, for unbounded KDM functions.
[CCHLRR18]: optimal KDM secure encryption* for bounded KDM functions, but only for โniceโ IPs.
[CCRR17] Assumption
Symmetric-key encryption scheme (๐ธ, ๐ท) s.t.:
1. (Optimal KDM sec.): โ๐ โPPT ๐ด,
2. (Universal Ciphertexts): for any fixed key ๐โ:
Pr ๐ด(๐ธ๐ ๐ ๐ = ๐ โค poly ๐ /2๐
๐ธ๐โ ๐ โก ๐ธ๐พ(๐โฒ)
Correlation Intractability[CHG04]
A hash family ๐ป is correlation intractable for a sparse relation ๐ if:
Given โ โ๐ ๐ป, infeasible to find ๐ฅ s.t. ๐ฅ, โ ๐ฅ โ ๐ .
โPPT ๐ด,
Prโโ๐ป
๐ฅโ๐ด(โ)
๐ฅ, โ ๐ฅ โ ๐ = ๐๐๐๐
CIโFS
๐ ๐
Public-CoinInteractive Protocol ฮ
Non-InteractiveArgument ฮ ๐น๐
๐ผ
๐ฝ
๐พ
๐ผ, ๐พ
๐ฝ = โ(๐ฅ, ๐ผ)
โ
Consider ๐ ฮ = ๐ผ,๐ฝ โถ โ๐พ ๐ . ๐ก. Verifier accepts ๐ฅ, ๐ผ, ๐ฝ, ๐พ ) .
Cheating ๐๐น๐โ finds ๐ผโ s.t. ๐ผโ, โ ๐ฅ, ๐ผโ โ ๐ ฮ โ breaks ๐ถ๐ผ.
๐๐น๐ ๐๐น๐
Our Hash Function
โข Hash function described by a ciphertext ๐.
โข Messages are enc/dec keys.
Want to show: CI for all sparse relations.
Today: for simplicity consider relations ๐ that are functions (โ๐ฅโ! ๐ฆ s.t. ๐ฅ, ๐ฆ โ ๐ ).
โ๐ ๐ = ๐ท๐(๐)
Our Hash Function
Intuition: breaking ๐ถ๐ผ for ๐ means
๐ โ ๐ s.t. ๐ทc ๐ = ๐ ๐
In words, from ๐ we can find ๐ s.t. ๐ = ๐ธ๐(๐ ๐ ).
Smells like KDM game, but order is wrong.
โ๐ ๐ = ๐ท๐(๐)
Analysis
๐พ,๐ถ = ๐ธ๐พ(๐) Pr
๐ด ๐ถ โ ๐โ
๐โ, ๐ท๐๐๐โ ๐ถ โ ๐ โฅ ๐
๐พ, ๐พโ
๐ถ = ๐ธ๐พ(๐) Pr๐ด ๐ถ = ๐พโ
๐พโ, ๐ท๐๐๐พโ ๐ถ โ ๐ โฅ ๐/2๐
๐พโ,๐ถ = ๐ธ๐พโ(๐) Pr
๐ด ๐ถ = ๐พโ
๐พโ, ๐ท๐๐๐พโ ๐ถ โ ๐ โฅ ๐/2๐
๐พโ, ๐ = ๐ (๐พโ)๐ถ = ๐ธ๐พโ(๐)
Pr ๐ด ๐ถ = ๐พโ โฅ ๐/(2๐ โ ๐)
Experiment Event
Sparsity of ๐
Recent Positive Results
[KRR17]: subexponential IO+OWF, optimal input-hiding Obf.
[CCRR18]: optimal KDM secure encryption* scheme, for unbounded KDM functions.
[CCHLRR18]: optimal KDM secure encryption* for bounded KDM functions, but only for โniceโ IPs.
Recent Positive Results
[KRR17]: subexponential IO+OWF, optimal input-hiding Obf.
[CCRR18]: optimal KDM secure encryption* scheme, for unbounded KDM functions.
[CCHLRR18]: optimal KDM secure encryption* for bounded KDM functions, but only for โniceโ IPs.
[CCHLRR18] ImprovementOptimal ๐พ๐ท๐ security for ๐ โ CI for ๐ .
Q1: Are there interesting interactive proofs for which ๐ is an efficient function?
Q2: Can we get (optimal) KDM security for bounded KDM functions from better assumptions?
A1: Yes! Delegation schemes [GKR08] & ZKPs [GMW89].
A2: Yes! Garbled Circuits or FHE [BHHI10,A11].
[CCHLRR18] ImprovementOptimal ๐พ๐ท๐ security for ๐ โ CI for ๐ .
Q1: Are there interesting interactive proofs for which ๐ is an efficient function?
Q2: Can we get (optimal) KDM security for bounded KDM functions from better assumptions?
A1: Yes! Delegation schemes [GKR08] & ZKPs [GMW89].
A2: Yes! Garbled Circuits or FHE [BHHI10,A11].
Publicly-Verifiable Non-Interactive Delegation
Weak client wants to check whether ๐ฅ โ ๐ฟ.
Publically verifiable โ can re-use CRS and anyone can verify.
๐๐๐๐๐
CRS
PV Delegation: Prior Work
Known under strong assumptions:
- Knowledge assumptions [Groth10,โฆ] (even ๐๐).
- iO [SW13].
- Zero testable homomorphic enc [PR17].
Independent work [KPY18]: from new (falsifiable) assumptions on bilinear maps. CRS is long (and non-uniform).
PV Delegation: Our Result
Thm: assume optimal hardness of key-recovery attacks for [BV11/GSW13/BV14โฆ]๐น๐ป๐ธ scheme.
Then, โ๐ฟ โ ๐๐ถ has a publicly verifiable non-interactive argument-system where verifier is เทจ๐ ๐ time and prover is poly ๐ time.
Fiat-Shamir for GKR
[GKR08]: very efficient, but highly interactive, public-coin interactive proof for ๐๐ถ.
Want to apply FS but face two challenges:
1. Need to show that ๐ is efficient.
2. Not constant-round!
Fiat-Shamir for GKR
[GKR08]: very efficient, but highly interactive, public-coin interactive proof for ๐๐ถ.
Want to apply FS but face two challenges:
1. Need to show that ๐ is efficient.
2. Not constant-round!
FS for ๐ 1 Rounds
FS is not secure (even in ROM) for ๐ 1 -round interactive proofs.
[BCS16]: FS is secure for resetably sound interactive proofs in ROM.
Open: show that ๐ถ๐ผ suffices for FS of resetablysound proofs.
Round-by-Round Soundness
Def:ฮ has RBR soundness if โpredicate doomeddefined on any partial transcript s.t. โ๐ฅ โ ๐ฟ:
1. Empty transcript is doomed.
2. Given a doomed transcript ๐, whp ๐, ๐ฝ is doomed.
3. If full transcript is doomed then verifier rejects.
Lemma: parallel rep. of any IP has RBR soundness.
RBR + CI โ FS
Suppose ฮ has RBR soundness.
Define
RBR soundness โ ๐ ฮ is sparse.
Breaking RBR soundness โ breaking CI of ๐ ฮ .
๐ ฮ = ๐, ๐ฝ โถ๐ is doomed
but ๐, ๐ฝ is not
[CCHLRR18] Improvement
Optimal ๐พ๐ท๐ security for ๐ โ CI for ๐ .
Q1: Are there interesting interactive proofs for which ๐ is an efficient function?
Q2: Can we get (optimal) KDM security for bounded KDM functions from better assumptions.
A1: Yes! Delegation schemes [GKR08] & ZKPs [GMW89].
A2: Yes! Garbled Circuits or FHE [BHHI10,A11]
NIZK from Strong LWE
Thm: assume that search-LWE (with suitable parameters) is optimally hard.
Then โ๐ฟ โ ๐๐ has a non-interactive statistical zero-knowledge argument in uniform CRS model.
Note: NIZK from LWE is (still) wide open.
[GMW89] Reminder
๐ถ๐๐๐๐๐ก(๐ ๐บ )
๐
๐ท๐๐๐๐๐๐๐ก(๐ ๐ )
๐ โ๐ ๐๐
๐(๐บ,๐) ๐(๐บ)
๐ โ๐ ๐ธ
NIZK: FS for GMW
Would like to apply FS to (parallel rep) of GMW.
Difficulty: relation ๐ = {๐๐๐๐๐๐ก๐๐๐๐ก, ๐} not clear given commitment how to sample ๐.
Solution (using [HL18]): use a trapdoor commitment scheme, trapdoor is hard-wired in the relation.
๐ถ๐๐๐๐๐ก(๐ ๐บ )
๐
๐ท๐๐๐๐๐๐๐ก(๐ ๐ )
๐ โ๐ ๐๐
๐(๐บ,๐) ๐(๐บ)
๐ โ๐ ๐ธ
NIZK: FS for GMW
Perfectly correct ๐๐พ๐ธ โ trapdoor commitment scheme.
Further:
1. If public-keys are random โ uniform CRS.
2. Lossy PKE โ statistically ZK.
Can obtain both from ๐ฟ๐๐ธ.
[CCHLRR18] ImprovementOptimal ๐พ๐ท๐ security for ๐ โ CI for ๐ .
Q1: Are there interesting interactive proofs for which ๐ is an efficient function?
Q2: Can we get (optimal) KDM security for bounded KDM functions from better assumptions.
A1: Yes! Delegation schemes [GKR08] & ZKPs [GMW89].
A2: Yes! Garbled Circuits or FHE [BHHI10,A11].
Optimal Bounded KDM Security
Need enc. with KDM security for bounded functions.
Known [BHHI10,BGK11,A11] but face two challenges:
1. Universal ciphertexts.
2. Preserving optimal hardness.
Garbled circuits a la [A11] โ non-compact (good enough for NIZKs).
FHE a la [BHHI10] โ compact, good for delegation.
Summary
Fiat Shamir for proofs can be realized!
Striking improvement in assumptions in just 2 years.
Open: what other random oracle properties can we get? Using these techniques?