Separating succinct non-interactive arguments from all falsifiable assumptions
In Proceedings of the 43rd Annual ACM Symposium on Theory of Computing, STOC ’11, 2011
Cited by 75 (4 self)
Abstract
An argument system (computationally sound proof) for NP is succinct if its communication complexity is polylogarithmic in the instance and witness sizes. The seminal works of Kilian ’92 and Micali ’94 show that such arguments can be constructed under standard cryptographic hardness assumptions with four rounds of interaction, and that they can be made non-interactive in the random-oracle model. The latter construction also gives us some evidence that succinct non-interactive arguments (SNARGs) may exist in the standard model with a common reference string (CRS), by replacing the oracle with a sufficiently complicated hash function whose description goes in the CRS. However, we currently do not know of any construction of SNARGs with a proof of security under any simple cryptographic assumption. In this work, we give a broad black-box separation result, showing that black-box reductions cannot be used to prove the security of any SNARG construction based on any falsifiable cryptographic assumption. This includes essentially all common assumptions used in cryptography (one-way functions, trapdoor permutations, DDH, RSA, LWE etc.). More generally, we say that an assumption is falsifiable if it can be modeled as an interactive game between an adversary and an efficient challenger that can efficiently decide if the adversary won the game. This is similar, in spirit, to the notion of falsifiability of Naor ’03, and captures the fact that we can efficiently check if an adversarial strategy breaks the assumption. Our separation result also extends to designated verifier SNARGs, where the verifier needs a trapdoor associated with the CRS to verify arguments, and slightly succinct SNARGs, whose size is only required to be sublinear in the statement and witness size.
Instantiating Random Oracles via UCEs
2013
Cited by 9 (3 self)
Abstract
This paper provides a (standard-model) notion of security for (keyed) hash functions, called UCE, that we show enables instantiation of random oracles (ROs) in a fairly broad and systematic way. Goals and schemes we consider include deterministic PKE; message-locked encryption; hard-core functions; point-function obfuscation; OAEP; encryption secure for key-dependent messages; encryption secure under related-key attack; proofs of storage; and adaptively-secure garbled circuits with short tokens. We can take existing, natural and efficient ROM schemes and show that the instantiated scheme resulting from replacing the RO with a UCE function is secure in the standard model. In several cases this results in the first standard-model schemes for these goals. The definition of UCE-security itself is quite simple, asking that outputs of the function look random given some “leakage,” even if the adversary knows the key, as long as the leakage does not permit the adversary to compute the inputs.
On the security of one-witness blind signature schemes
2012
Cited by 7 (3 self)
Abstract
Blind signatures have proved an essential building block for applications that protect privacy while ensuring unforgeability, i.e., electronic cash and electronic voting. One of the oldest, and most efficient, blind signature schemes is the one due to Schnorr that is based on his famous identification scheme. Although it was proposed over twenty years ago, its unforgeability remains an open problem, even in the random-oracle model. In this paper, we show that current techniques for proving security in the random oracle model do not work for the Schnorr blind signature by providing a meta-reduction which we call “personal nemesis adversary”. Our results generalize to other important blind signatures, such as the one due to Brands. Brands’ blind signature is at the heart of Microsoft’s newly implemented U-Prove system, which makes this work relevant to cryptographic practice as well.
Limitations of the Meta-Reduction Technique: The Case of Schnorr Signatures
Cited by 6 (3 self)
Abstract
We revisit the security of Fiat-Shamir signatures in the non-programmable random oracle model. The well-known proof by Pointcheval and Stern for such signature schemes (Journal of Cryptology, 2000) relies on the ability to reprogram the random oracle, and it has been unknown if this property is inherent. Paillier and Vergnaud (Asiacrypt 2005) gave some first evidence of the hardness by showing via meta-reduction techniques that algebraic reductions cannot succeed in reducing key-only attacks against unforgeability to the discrete-log assumptions. We also use meta-reductions to show that the security of Schnorr signatures cannot be proven equivalent to the discrete logarithm problem without programming the random oracle. Our result also holds under the one-more discrete logarithm assumption but applies to a large class of reductions, which we call single-instance reductions, subsuming those used in previous proofs of security in the (programmable) random oracle model. In contrast to algebraic reductions, our class allows arbitrary operations, but can only invoke a single resettable adversary instance, making our class incomparable to algebraic reductions. Our main result, however, is about meta-reductions and the question if this technique can be used to further strengthen the separations above. Our answer is negative. We present, to the best of our knowledge for the first time, limitations of the meta-reduction technique in the sense that finding a meta-reduction for general reductions is most likely infeasible. In fact, we prove that finding a meta-reduction against a potential reduction is equivalent to finding a “meta-meta-reduction” against the strong existential unforgeability of the signature scheme. This means that the existence of a meta-reduction implies that the scheme must be insecure (against a slightly stronger attack) in the first place.
Round optimal blind signatures
In CRYPTO 2011, volume 6841 of LNCS, 2011
Cited by 4 (0 self)
Abstract
Constructing round-optimal blind signatures in the standard model has been a long-standing open problem. In particular, Fischlin and Schröder recently ruled out a large class of three-move blind signatures in the standard model (Eurocrypt’10). In particular, their result shows that finding security proofs for the well-known blind signature schemes by Chaum, and by Pointcheval and Stern, in the standard model via black-box reductions is hard. In this work we propose the first round-optimal, i.e., two-move, blind signature scheme in the standard model (i.e., without assuming random oracles or the existence of a common reference string). Our scheme relies on the Decisional Diffie-Hellman assumption and the existence of sub-exponentially hard 1-to-1 one-way functions. This scheme is also secure in the concurrent setting.
Unprovable Security of Perfect NIZK and Non-interactive Non-malleable Commitments
2012
Cited by 2 (0 self)
Abstract
We present barriers to provable security of two fundamental (and well-studied) cryptographic primitives, perfect non-interactive zero knowledge (NIZK) and non-malleable commitments:
• Black-box reductions cannot be used to demonstrate adaptive soundness (i.e., that soundness holds even if the statement to be proven is chosen as a function of the common reference string) of any statistical (and thus also perfect) NIZK for NP based on any “standard” intractability assumptions.
• Black-box reductions cannot be used to demonstrate non-malleability of non-interactive, or even 2-message, commitment schemes based on any “standard” intractability assumptions.
We emphasize that the above separations apply even if the construction of the considered primitives makes a non-black-box use of the underlying assumption. As an independent contribution, we suggest a taxonomy of game-based intractability assumptions based on 1) the security threshold, 2) the number of communication rounds in the security game, 3) the computational complexity of the game challenger, 4) the communication complexity of the challenger, and 5) the computational complexity of the security reduction.
Unprovable Security of Two-Message Zero Knowledge
Cited by 1 (1 self)
Abstract
Goldreich and Oren (JoC’94) show that only trivial languages have 2-message zero-knowledge arguments. In this note we consider weaker, super-polynomial-time simulation (SPS), notions of zero-knowledge. We present barriers to using black-box reductions for demonstrating soundness of 2-message protocols with efficient prover strategies satisfying SPS zero-knowledge. More precisely, we show that assuming the existence of poly(T(n))-hard one-way functions, the following holds:
• For sub-exponential (or smaller) T(·), polynomial-time black-box reductions cannot be used to prove soundness of 2-message T(·)-simulatable arguments based on any polynomial-time intractability assumption. This matches known 2-message quasi-polynomial-time simulatable arguments using a quasi-polynomial-time reduction (Pass’03), and 2-message exponential-time simulatable proofs using a polynomial-time reduction (Dwork-Naor’00, Pass’03).
• poly(T(·))-time black-box reductions cannot be used to prove soundness of 2-message strong T(·)-simulatable (efficient prover) arguments based on any poly(T(·))-time intractability assumption; strong T(·)-simulatability means that the output of the simulator is indistinguishable also for poly(T(·))-size circuits. This matches known 3-message strong quasi-polynomial-time simulatable proofs (Blum’86, Canetti et al.’00).
Constant-Round Concurrent Zero Knowledge in the Bounded Player Model
Cited by 1 (1 self)
Abstract
In [18] Goyal et al. introduced the bounded player model for secure computation. In the bounded player model, there is an a priori bounded number of players in the system; however, each player may execute any unbounded (polynomial) number of sessions. They showed that even though the model consists of a relatively mild relaxation of the standard model, it allows for round-efficient concurrent zero knowledge. Their protocol requires a super-constant number of rounds. In this work we show, constructively, that there exists a constant-round concurrent zero-knowledge argument in the bounded player model. Our result relies on a new technique where the simulator obtains a trapdoor corresponding to a player identity by putting together information obtained in multiple sessions. Our protocol is only based on the existence of a collision-resistant hash-function family and comes with a “straight-line” simulator. We note that this constitutes the strongest result known on constant-round concurrent zero knowledge in the plain model (under well-accepted relaxations) and subsumes Barak’s constant-round bounded concurrent zero-knowledge result. We view this as a positive step towards getting constant-round fully concurrent zero-knowledge in the plain model, without relaxations.
On the Power of Non-uniformity in Proofs of Security
Abstract
Non-uniform proofs of security are common in cryptography, but traditional black-box separations consider only uniform security reductions. In this paper, we initiate a formal study of the power and limits of non-uniform black-box proofs of security. We first show that a known protocol (based on the existence of one-way permutations) that uses a non-uniform proof of security cannot be proven secure through a uniform security reduction. Therefore, non-uniform proofs of security are indeed provably more powerful than uniform ones. We complement this result by showing that many known black-box separations in the uniform regime actually do extend to the non-uniform regime. We prove our results by providing general techniques for extending certain types of black-box separations to handle non-uniformity.
An Unconditionally Hiding and Long-Term Binding Post-Quantum Commitment Scheme
Abstract
Commitment schemes are among cryptography’s most important building blocks. Besides their basic properties, hidingness and bindingness, for many applications it is important that the schemes applied support proofs of knowledge. However, all existing solutions which have been proven to provide these protocols are only computationally hiding or are not resistant against quantum adversaries. This is not suitable for long-lived systems, such as long-term archives, where commitments have to provide security also in the long run. Thus, in this work we present a new post-quantum unconditionally hiding commitment scheme that supports (statistical) zero-knowledge protocols and allows refreshing the binding property over time. The bindingness of our construction relies on the approximate shortest vector problem, a lattice problem which is conjectured to be hard for polynomial approximation factors, even for a quantum adversary. Furthermore, we provide a protocol that allows the committer to prolong the bindingness property of a given commitment while showing in zero-knowledge fashion that the value committed to did not change. In addition, our construction yields two more interesting features: one is the ability to “convert” a Pedersen commitment into a lattice-based one, and the other one is the construction of a hybrid approach whose bindingness relies on the discrete logarithm and approximate shortest vector problems.