SLIDE 1
Ran Canetti, Yilei Chen, Leonid Reyzin, Ron Rothblum
Fiat-Shamir and correlation intractability from strong kdm secure encryption
1
2
Fiat-Shamir and correlation intractability from strong kdm secure - - PowerPoint PPT Presentation
Fiat-Shamir and correlation intractability from strong kdm secure - - PowerPoint PPT Presentation
Fiat-Shamir and correlation intractability from strong kdm secure encryption Ran Canetti, Yilei Chen, Leonid Reyzin, Ron Rothblum Eurocrypt 2018, Tel Aviv 1 2 How are you? 3 How are you? Great! How are you? 4 How are you? Great! How
SLIDE 2
SLIDE 3
3
How are you?
SLIDE 4
4
Great! How are you? How are you?
SLIDE 5
5
Great! How are you? Great! How are you?
SLIDE 6
6
A typical 4-message greeting protocol in America Great! How are you? Great! How are you? Have a great day!
SLIDE 7
7
Israeli
SLIDE 8
8
What’s up? Israeli
SLIDE 9
9
What’s up? Not bad. Israeli
SLIDE 10
10
What’s up? Not bad. Israeli Round reducing, fast and clean!
SLIDE 11
11
Fiat, Shamir 86: 3 round interactive protocol => 1 round argument
SLIDE 12
12
P
a
V
b (public coins) c
Fiat, Shamir 86: 3 round interactive protocol => 1 round argument
SLIDE 13
13
P
a
V
b (public coins) c
=>
P V
a, b=H(a), c
Fiat, Shamir 86: 3 round interactive protocol => 1 round argument
SLIDE 14
14
P
a
V
b (public coins) c
=>
P V
a, b=H(a), c
Fiat, Shamir 86: 3 round interactive protocol => 1 round argument
Pointcheval, Stern 96: secure in the random oracle model.
SLIDE 15
15
P
a
V
b (public coins) c
=>
P V
a, b=H(a), c
Fiat, Shamir 86: 3 round interactive protocol => 1 round argument
Pointcheval, Stern 96: secure in the random oracle model. Goldwasser, Kalai 03: insecure for arguments with any real hash functions.
SLIDE 16
16
P
a
V
b (public coins) c
=>
P V
a, b=H(a), c
Fiat, Shamir 86: 3 round interactive protocol => 1 round argument
Pointcheval, Stern 96: secure in the random oracle model. Goldwasser, Kalai 03: insecure for arguments with any real hash functions. A very popular paradigm, hard to argue security with a concrete property.
SLIDE 17
17
P
a
V
b (public coins) c
=>
P V
a, b=H(a), c
Fiat, Shamir 86: 3 round interactive protocol => 1 round argument
Pointcheval, Stern 96: secure in the random oracle model. Goldwasser, Kalai 03: insecure for arguments with any real hash functions. A very popular paradigm, hard to argue security with a concrete property. Kalai, Rothblum, Rothblum 17: iO + more => Fiat-Shamir for proofs
SLIDE 18
18
This talk:
- 1. Correlation intractability => Fiat Shamir for proofs
- 2. Show that for T = Enck(m)
HT(x) = Decx(T)
is correlation intractable if (Enc, Dec) is exp. KDM secure.
- 3. More about correlation intractability
SLIDE 19
19
Part I: What is correlation intractability?
SLIDE 20
20
Correlation Intractability
“infeasibility of finding ‘sparse’ input-output relations”
- -- Canetti, Goldreich, Halevi 1998
SLIDE 21
21
Sparse Relations “For every input (x), the fraction of outputs (y) in the relation is negligible”
SLIDE 22
22
Correlation intractability [Canetti, Goldreich, Halevi ‘98] Sparse Relations “For every input (x), the fraction of outputs (y) in the relation is negligible”
SLIDE 23
23
Correlation intractability [Canetti, Goldreich, Halevi ‘98] For all sparse relations R: Sparse Relations “For every input (x), the fraction of outputs (y) in the relation is negligible”
SLIDE 24
24
Correlation intractability [Canetti, Goldreich, Halevi ‘98] Adversary Challenger h For all sparse relations R: Sparse Relations “For every input (x), the fraction of outputs (y) in the relation is negligible”
SLIDE 25
25
Correlation intractability [Canetti, Goldreich, Halevi ‘98] Adversary Challenger x, (as a result, y=h(x)) Adversary wins if R(x, y)=1 h For all sparse relations R: Sparse Relations “For every input (x), the fraction of outputs (y) in the relation is negligible”
SLIDE 26
26
Correlation intractability => Fiat-Shamir for proofs [ Hada, Tanaka 99; Dwork et al. 99 ]
SLIDE 27
27
Fiat, Shamir 86: 3 round proof system => 1 round argument
An interactive proof system
A
a
B
b (public coins) c
=>
A B
a, b=H(a), c
SLIDE 28
28
Fiat, Shamir relation: (the instance x is part of a or c)
R(a, b)=1 if ∃ c s.t. x ∉ L and Verifier(x, a, b, c) accepts
Fiat, Shamir 86: 3 round proof system => 1 round argument
An interactive proof system
A
a
B
b (public coins) c
=>
A B
a, b=H(a), c
SLIDE 29
29
Fiat, Shamir 86: 3 round proof system => 1 round argument
An interactive proof system [ Bitansky et al. ‘13 ] for proof systems, impossible from black-box reductions to falsifiable assumptions.
A
a
B
b (public coins) c
=>
A B
a, b=H(a), c
SLIDE 30
30
More quick facts of correlation intractability
Impossible when key/seed is short [ Canetti, Goldreich, Halevi 98 ].
SLIDE 31
31
More quick facts of correlation intractability
Impossible when key/seed is short [ Canetti, Goldreich, Halevi 98 ]. Our goal: capture as many sparse relations as possible, including the relations that cover Fiat-Shamir for proofs.
SLIDE 32
32
Part 2: How to construct correlation intractable functions?
SLIDE 33
33
Existing constructions:
SLIDE 34
34
Existing constructions:
SLIDE 35
35
Existing constructions:
SLIDE 36
36
SLIDE 37
37
SLIDE 38
38
SLIDE 39
39
SLIDE 40
40
SLIDE 41
41
SLIDE 42
42
SLIDE 43
43
SLIDE 44
44
Construction
SLIDE 45
45
SLIDE 46
46
SLIDE 47
47
gax+b
SLIDE 48
48
[xA+b]
SLIDE 49
49
Analysis
SLIDE 50
50
SLIDE 51
51
SLIDE 52
52
SLIDE 53
53
SLIDE 54
54
SLIDE 55
55
SLIDE 56
56
∊
SLIDE 57
57
∊ ∊ ⋅
SLIDE 58
58
∊ ∊ ⋅ ∊ ⋅
SLIDE 59
59
∊ ∊ ⋅ ∊
∊
⋅ ∊ ⋅
SLIDE 60
60
∊ ∊ ⋅ ∊
∊
⋅ ∊ ⋅
SLIDE 61
61
Part 3: More … Correlation intractability & Bitcoin
SLIDE 62
62
H(???...?)=000000….XYZ3d83h
SLIDE 63
63
H(???...?)=000000….XYZ3d83h Quantitative correlation intractability: For all relations of density d, all adversaries running in time T succeed with probability f(d, T).
SLIDE 64
64
Future directions
Quantitative correlation intractability. Multiple-input-output relations.
SLIDE 65
65