Fiat-Shamir: from practice to theory

We give new instantiations of the Fiat-Shamir transform using explicit, efficiently computable hash functions. We improve over prior work by reducing the security of these protocols to qualitatively simpler and weaker computational hardness assumptions. As a consequence of our framework, we obtain the following concrete results.

1) There exists a succinct publicly verifiable non-interactive argument system for log-space uniform computations, under the assumption that any one of a broad class of fully homomorphic encryption (FHE) schemes has almost optimal security against polynomial-time adversaries. The class includes all FHE schemes in the literature that are based on the learning with errors (LWE) problem.

2) There exists a non-interactive zero-knowledge argument system for in the common reference string model, under either of the following two assumptions: (i) almost optimal hardness of search-LWE against polynomial-time adversaries, or (ii) the existence of a circular-secure FHE scheme with a standard (polynomial time, negligible advantage) level of security.

3) The classic quadratic residuosity protocol of [Goldwasser, Micali, and Rackoff, SICOMP ’89] is not zero knowledge when repeated in parallel, under any of the hardness assumptions above.
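To make the object of study concrete, here is an added worked example (not code from the paper) of the Fiat-Shamir transform applied to the GMR quadratic residuosity protocol with parallel repetition: each round commits to a = r^2 mod N, the challenge bits are derived by hashing the statement and all commitments, and the verifier recomputes them. SHA-256 stands in for the paper's explicit hash families, and the modulus is a constructed toy size, so this illustrates the mechanics only, not a secure parameter choice.

```python
import hashlib
import math
import secrets

P, Q = 1000003, 1000033  # constructed toy primes (demo size only, not secure)
N = P * Q
T = 128  # parallel repetitions; a cheating prover passes with probability 2^-T

def rand_unit():
    while True:  # rejection-sample an element of Z_N^* (gcd(v, N) = 1)
        v = secrets.randbelow(N - 2) + 2
        if math.gcd(v, N) == 1:
            return v

def keygen():
    y = rand_unit()
    return y, pow(y, 2, N)  # public x = y^2 mod N; the square root y is the witness

def fs_challenges(x, commitments, t):
    """Fiat-Shamir: challenge bits are hashed from the statement and every commitment."""
    h = hashlib.sha256()  # stand-in for the correlation-intractable hashes of the paper
    h.update(N.to_bytes(16, "big") + x.to_bytes(16, "big"))
    for a in commitments:
        h.update(a.to_bytes(16, "big"))
    d = int.from_bytes(h.digest(), "big")
    return [(d >> i) & 1 for i in range(t)]

def prove(y, x, t=T):
    """Non-interactive proof: t parallel QR rounds with hash-derived challenges."""
    rs = [rand_unit() for _ in range(t)]
    commitments = [pow(r, 2, N) for r in rs]
    bits = fs_challenges(x, commitments, t)
    responses = [(r * pow(y, b, N)) % N for r, b in zip(rs, bits)]
    return commitments, responses

def verify(x, proof, t=T):
    """Recompute the challenges and check z^2 = a * x^b mod N in every round."""
    commitments, responses = proof
    if len(commitments) != t or len(responses) != t:
        return False
    bits = fs_challenges(x, commitments, t)
    for a, z, b in zip(commitments, responses, bits):
        if math.gcd(z, N) != 1 or pow(z, 2, N) != (a * pow(x, b, N)) % N:
            return False
    return True

def cheat(x, t=T):
    """Prover without y that bets every challenge bit is 0; succeeds only if the hash agrees."""
    zs = [rand_unit() for _ in range(t)]
    return [pow(z, 2, N) for z in zs], zs
```

Because the challenges are a function of the commitments, the cheating prover cannot choose its commitments after seeing the bits, which is exactly the property the hash must supply for the transform to be sound.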
