Fiat-Shamir and correlation intractability from strong kdm secure - PowerPoint PPT Presentation

Fiat-Shamir and correlation intractability from strong kdm secure encryption Ran Canetti, Yilei Chen, Leonid Reyzin, Ron Rothblum Eurocrypt 2018, Tel Aviv 1

2

How are you? 3

How are you? Great! How are you? 4

How are you? Great! How are you? Great! 5

How are you? Great! How are you? Great! Have a great day! A typical 4-message greeting protocol in America 6

Israeli 7

What’s up? Israeli 8

What’s up? Not bad. Israeli 9

What’s up? Not bad. Israeli Round reducing, fast and clean! 10

Fiat, Shamir 86: 3 round interactive protocol => 1 round argument 11

a P V b (public coins) c Fiat, Shamir 86: 3 round interactive protocol => 1 round argument 12

a P V P V b (public coins) => a, b=H(a), c c Fiat, Shamir 86: 3 round interactive protocol => 1 round argument 13

a P V P V b (public coins) => a, b=H(a), c c Fiat, Shamir 86: 3 round interactive protocol => 1 round argument Pointcheval, Stern 96: secure in the random oracle model. 14

a P V P V b (public coins) => a, b=H(a), c c Fiat, Shamir 86: 3 round interactive protocol => 1 round argument Pointcheval, Stern 96: secure in the random oracle model. Goldwasser, Kalai 03: insecure for arguments with any real hash functions. 15

a P V P V b (public coins) => a, b=H(a), c c Fiat, Shamir 86: 3 round interactive protocol => 1 round argument Pointcheval, Stern 96: secure in the random oracle model. Goldwasser, Kalai 03: insecure for arguments with any real hash functions. A very popular paradigm, hard to argue security with a concrete property. 16

a P V P V b (public coins) => a, b=H(a), c c Fiat, Shamir 86: 3 round interactive protocol => 1 round argument Pointcheval, Stern 96: secure in the random oracle model. Goldwasser, Kalai 03: insecure for arguments with any real hash functions. A very popular paradigm, hard to argue security with a concrete property. Kalai, Rothblum, Rothblum 17: iO + more => Fiat-Shamir for proofs 17

This talk: 1. Correlation intractability => Fiat Shamir for proofs 2. Show that for T = Enc k (m) H T (x) = Dec x (T) is correlation intractable if (Enc, Dec) is exp. KDM secure. 3. More about correlation intractability 18

Part I: What is correlation intractability? 19

Correlation Intractability “infeasibility of finding ‘sparse’ input-output relations” --- Canetti, Goldreich, Halevi 1998 20

Sparse Relations “For every input (x), the fraction of outputs (y) in the relation is negligible” 21

Sparse Relations “For every input (x), the fraction of outputs (y) in the relation is negligible” Correlation intractability [Canetti, Goldreich, Halevi ‘98] 22

Sparse Relations “For every input (x), the fraction of outputs (y) in the relation is negligible” Correlation intractability [Canetti, Goldreich, Halevi ‘98] For all sparse relations R: 23

Sparse Relations “For every input (x), the fraction of outputs (y) in the relation is negligible” Correlation intractability [Canetti, Goldreich, Halevi ‘98] For all sparse relations R: Adversary Challenger h 24

Sparse Relations “For every input (x), the fraction of outputs (y) in the relation is negligible” Correlation intractability [Canetti, Goldreich, Halevi ‘98] For all sparse relations R: Adversary Challenger h x, (as a result, y=h(x)) Adversary wins if R(x, y)=1 25

Correlation intractability => Fiat-Shamir for proofs [ Hada, Tanaka 99; Dwork et al. 99 ] 26

An interactive proof system a A B b (public coins) A B => a, b=H(a), c c Fiat, Shamir 86: 3 round proof system => 1 round argument 27

An interactive proof system a A B b (public coins) A B => a, b=H(a), c c Fiat, Shamir 86: 3 round proof system => 1 round argument Fiat, Shamir relation: (the instance x is part of a or c) R(a, b)=1 if ∃ c s.t. x ∉ L and Verifier(x, a, b, c) accepts 28

An interactive proof system a A B b (public coins) A B => a, b=H(a), c c Fiat, Shamir 86: 3 round proof system => 1 round argument [ Bitansky et al. ‘13 ] for proof systems, impossible from black-box reductions to falsifiable assumptions. 29

More quick facts of correlation intractability Impossible when key/seed is short [ Canetti, Goldreich, Halevi 98 ]. 30

More quick facts of correlation intractability Impossible when key/seed is short [ Canetti, Goldreich, Halevi 98 ]. Our goal: capture as many sparse relations as possible, including the relations that cover Fiat-Shamir for proofs. 31

Part 2: How to construct correlation intractable functions? 32

Existing constructions: 33

Existing constructions: 34

Existing constructions: 35

36

37

38

39

40

41

42

43

Construction 44

45

46

g ax+b 47

[xA+b] 48

Analysis 49

50

51

52

53

54

55

∊ 56

∊ ∊ ⋅ 57

∊ ∊ ⋅ ∊ ⋅ 58

∊ ∊ ⋅ ∊ ⋅ ∊ ⋅ ∊ 59

∊ ∊ ⋅ ∊ ⋅ ∊ ⋅ ∊ 60

Part 3: More … Correlation intractability & Bitcoin 61

H(???...?)=000000….XYZ3d83h 62

H(???...?)=000000….XYZ3d83h Quantitative correlation intractability: For all relations of density d, all adversaries running in time T succeed with probability f(d, T). 63

Quantitative correlation intractability. Multiple-input-output relations. Future directions 64

Thanks for your time! 65