Adaptive proofs of knowledge in the random oracle model

We formalise the notion of adaptive proofs of knowledge in the random oracle model, where the extractor has to recover witnesses for multiple, possibly adaptively chosen statements and proofs. We also discuss extensions to simulation soundness, as typically required for the “encrypt-then-prove” construction of strongly secure encryption from IND-CPA schemes. Utilizing our model we show three results: (1) Simulation-sound adaptive proofs exist. (2) The “encrypt-then-prove” construction with a simulation-sound adaptive proof yields CCA security. This appears to be a “folklore” result but which has never been proven in the random oracle model. As a corollary, we obtain a new class of CCA-secure encryption schemes. (3) We show that the Fiat-Shamir transformed Schnorr protocol is not adaptively secure and discuss the implications of this limitation.

[1]  Moni Naor,et al.  Public-key cryptosystems provably secure against chosen ciphertext attacks , 1990, STOC '90.

[2]  Mihir Bellare,et al.  On Defining Proofs of Knowledge , 1992, CRYPTO.

[3]  Marc Fischlin,et al.  Notions of Black-Box Reductions, Revisited , 2013, IACR Cryptol. ePrint Arch..

[4]  Melissa Chase,et al.  On Signatures of Knowledge , 2006, CRYPTO.

[5]  Yannick Seurin,et al.  On the Exact Security of Schnorr-Type Signatures in the Random Oracle Model , 2012, IACR Cryptol. ePrint Arch..

[6]  Ben Adida,et al.  Helios: Web-based Open-Audit Voting , 2008, USENIX Security Symposium.

[7]  Marc Fischlin,et al.  Communication-Efficient Non-interactive Proofs of Knowledge with Online Extractors , 2005, CRYPTO.

[8]  Mihir Bellare,et al.  Code-Based Game-Playing Proofs and the Security of Triple Encryption , 2004, IACR Cryptol. ePrint Arch..

[9]  Juan A. Garay,et al.  Strengthening Zero-Knowledge Protocols Using Signatures , 2003, Journal of Cryptology.

[10]  Marc Fischlin,et al.  Limitations of the Meta-Reduction Technique: The Case of Schnorr Signatures , 2013, IACR Cryptol. ePrint Arch..

[11]  Jens Groth,et al.  Simulation-Sound NIZK Proofs for a Practical Language and Constant Size Group Signatures , 2006, ASIACRYPT.

[12]  Rosario Gennaro,et al.  Securing Threshold Cryptosystems against Chosen Ciphertext Attack , 1998, Journal of Cryptology.

[13]  Rafail Ostrovsky,et al.  Robust Non-interactive Zero Knowledge , 2001, CRYPTO.

[14]  Mihir Bellare,et al.  On Probabilistic versus Deterministic Provers in the Definition of Proofs Of Knowledge , 2006, IACR Cryptol. ePrint Arch..

[15]  Rafail Ostrovsky,et al.  Software protection and simulation on oblivious RAMs , 1996, JACM.

[16]  Amit Sahai,et al.  Efficient Non-interactive Proof Systems for Bilinear Groups , 2008, EUROCRYPT.

[17]  Yiannis Tsiounis,et al.  On the Security of ElGamal Based Encryption , 1998, Public Key Cryptography.

[18]  Mihir Bellare,et al.  The Security of Triple Encryption and a Framework for Code-Based Game-Playing Proofs , 2006, EUROCRYPT.

[19]  Adi Shamir,et al.  Zero Knowledge Proofs of Knowledge in Two Rounds , 1989, CRYPTO.

[20]  Jacques Stern,et al.  Security Arguments for Digital Signatures and Blind Signatures , 2015, Journal of Cryptology.

[21]  Ran Canetti,et al.  Resettable Zero-Knowledge , 1999, IACR Cryptol. ePrint Arch..

[22]  Rafael Pass,et al.  On Deniability in the Common Reference String and Random Oracle Model , 2003, CRYPTO.

[23]  Yannick Seurin,et al.  A Robust and Plaintext-Aware Variant of Signed ElGamal Encryption , 2013, CT-RSA.

[24]  Yevgeniy Dodis,et al.  Efficient Public-Key Cryptography in the Presence of Key Leakage , 2010, ASIACRYPT.

[25]  Daniel R. Simon,et al.  Non-Interactive Zero-Knowledge Proof of Knowledge and Chosen Ciphertext Attack , 1991, CRYPTO.

[26]  Pascal Paillier,et al.  Discrete-Log-Based Signatures May Not Be Equivalent to Discrete Log , 2005, ASIACRYPT.

[27]  Mihir Bellare,et al.  The Oracle Diffie-Hellman Assumptions and an Analysis of DHIES , 2001, CT-RSA.

[28]  Douglas Wikström,et al.  Simplified Submission of Inputs to Protocols , 2008, SCN.

[29]  Amos Fiat,et al.  Zero-knowledge proofs of identity , 1987, Journal of Cryptology.

[30]  Mihir Bellare,et al.  Random oracles are practical: a paradigm for designing efficient protocols , 1993, CCS '93.

[31]  A. D. Santis,et al.  Zero-Knowledge Proofs of Knowledge Without Interaction (Extended Abstract) , 1992, FOCS 1992.

[32]  Ran Canetti,et al.  Resettable zero-knowledge (extended abstract) , 2000, STOC '00.

[33]  Martin Tompa,et al.  Random self-reducibility and zero knowledge interactive proofs of possession of information , 1987, 28th Annual Symposium on Foundations of Computer Science (sfcs 1987).

[34]  Jennifer Seberry,et al.  Practical Approaches to Attaining Security Against Adaptively Chosen Ciphertext Attacks (Extended Abstract) , 1992, CRYPTO.

[35]  Bogdan Warinschi,et al.  How Not to Prove Yourself: Pitfalls of the Fiat-Shamir Heuristic and Applications to Helios , 2012, ASIACRYPT.

[36]  Masayuki Abe,et al.  Combining Encryption and Proof of Knowledge in the Random Oracle Model , 2004, Comput. J..

[37]  Amos Fiat,et al.  How to Prove Yourself: Practical Solutions to Identification and Signature Problems , 1986, CRYPTO.

[38]  David Pointcheval,et al.  Threshold Cryptosystems Secure against Chosen-Ciphertext Attacks , 2001, ASIACRYPT.

[39]  Markus Jakobsson,et al.  Security of Signed ElGamal Encryption , 2000, ASIACRYPT.

[40]  Yevgeniy Dodis,et al.  Non-malleable Encryption: Simpler, Shorter, Stronger , 2016, Journal of Cryptology.

[41]  Marc Fischlin,et al.  On the Hardness of Proving CCA-Security of Signed ElGamal , 2016, Public Key Cryptography.

[42]  Raghav Bhaskar,et al.  Improved Bounds on Security Reductions for Discrete Log Based Signatures , 2008, CRYPTO.

[43]  Victor Shoup,et al.  A Proposal for an ISO Standard for Public Key Encryption , 2001, IACR Cryptol. ePrint Arch..

[44]  Mihir Bellare,et al.  Multi-signatures in the plain public-Key model and a general forking lemma , 2006, CCS '06.

[45]  Amit Sahai,et al.  Non-malleable Encryption: Equivalence between Two Notions, and an Indistinguishability-Based Characterization , 1999, CRYPTO.

[46]  Silvio Micali,et al.  The knowledge complexity of interactive proof-systems , 1985, STOC '85.

[47]  Amit Sahai,et al.  Non-malleable non-interactive zero knowledge and adaptive chosen-ciphertext security , 1999, 40th Annual Symposium on Foundations of Computer Science (Cat. No.99CB37039).

[48]  Manuel Blum,et al.  Non-interactive zero-knowledge and its applications , 1988, STOC '88.

[49]  Eike Kiltz,et al.  A General Construction of IND-CCA2 Secure Public Key Encryption , 2003, IMACC.

[50]  Markulf Kohlweiss,et al.  On the Non-malleability of the Fiat-Shamir Transform , 2012, INDOCRYPT.

[51]  Jung Hee Cheon,et al.  Multisignatures secure under the discrete logarithm assumption and a generalized forking lemma , 2008, CCS.

[52]  Tatsuaki Okamoto,et al.  Secure Integration of Asymmetric and Symmetric Encryption Schemes , 1999, Journal of Cryptology.

[53]  Ivan Damgård,et al.  Towards Practical Public Key Systems Secure Against Chosen Ciphertext Attacks , 1991, CRYPTO.

[54]  Yehuda Lindell,et al.  A Simpler Construction of CCA2-Secure Public-Key Encryption under General Assumptions , 2003, EUROCRYPT.

[55]  Claus-Peter Schnorr,et al.  Efficient signature generation by smart cards , 2004, Journal of Cryptology.

[56]  Adi Shamir,et al.  Multiple non-interactive zero knowledge proofs based on a single random string , 1990, Proceedings [1990] 31st Annual Symposium on Foundations of Computer Science.

[57]  Ronald Cramer,et al.  A Practical Public Key Cryptosystem Provably Secure Against Adaptive Chosen Ciphertext Attack , 1998, CRYPTO.

[58]  Chanathip Namprempre,et al.  The One-More-RSA-Inversion Problems and the Security of Chaum's Blind Signature Scheme , 2003, Journal of Cryptology.

[59]  Hoeteck Wee Zero Knowledge in the Random Oracle Model, Revisited , 2009, ASIACRYPT.

[60]  Alfredo De Santis,et al.  Zero-knowledge proofs of knowledge without interaction , 1992, Proceedings., 33rd Annual Symposium on Foundations of Computer Science.

[61]  Marc Fischlin,et al.  Adaptive Proofs of Knowledge in the Random Oracle Model , 2015, Public Key Cryptography.