Limits of provable security from standard assumptions (2011)

by Rafael Pass
Venue:In STOC

Documents citing this paper (results 1 - 10 of 11):

Separating succinct non-interactive arguments from all falsifiable assumptions

by Craig Gentry, Daniel Wichs - In Proceedings of the 43rd Annual ACM Symposium on Theory of Computing, STOC ’11, 2011
Abstract - Cited by 75 (4 self)
An argument system (computationally sound proof) for NP is succinct if its communication complexity is polylogarithmic in the instance and witness sizes. The seminal works of Kilian ’92 and Micali ’94 show that such arguments can be constructed under standard cryptographic hardness assumptions with four rounds of interaction, and that they can be made non-interactive in the random-oracle model. The latter construction also gives us some evidence that succinct non-interactive arguments (SNARGs) may exist in the standard model with a common reference string (CRS), by replacing the oracle with a sufficiently complicated hash function whose description goes in the CRS. However, we currently do not know of any construction of SNARGs with a proof of security under any simple cryptographic assumption. In this work, we give a broad black-box separation result, showing that black-box reductions cannot be used to prove the security of any SNARG construction based on any falsifiable cryptographic assumption. This includes essentially all common assumptions used in cryptography (one-way functions, trapdoor permutations, DDH, RSA, LWE etc.). More generally, we say that an assumption is falsifiable if it can be modeled as an interactive game between an adversary and an efficient challenger that can efficiently decide if the adversary won the game. This is similar, in spirit, to the notion of falsifiability of Naor ’03, and captures the fact that we can efficiently check if an adversarial strategy breaks the assumption. Our separation result also extends to designated verifier SNARGs, where the verifier needs a trapdoor associated with the CRS to verify arguments, and slightly succinct SNARGs, whose size is only required to be sublinear in the statement and witness size.

Instantiating Random Oracles via UCEs

by Mihir Bellare, Viet Tung Hoang, Sriram Keelveedhi, 2013
Abstract - Cited by 9 (3 self)
This paper provides a (standard-model) notion of security for (keyed) hash functions, called UCE, that we show enables instantiation of random oracles (ROs) in a fairly broad and systematic way. Goals and schemes we consider include deterministic PKE; message-locked encryption; hardcore functions; point-function obfuscation; OAEP; encryption secure for key-dependent messages; encryption secure under related-key attack; proofs of storage; and adaptively-secure garbled circuits with short tokens. We can take existing, natural and efficient ROM schemes and show that the instantiated scheme resulting from replacing the RO with a UCE function is secure in the standard model. In several cases this results in the first standard-model schemes for these goals. The definition of UCE-security itself is quite simple, asking that outputs of the function look random given some “leakage,” even if the adversary knows the key, as long as the leakage does not permit the adversary to compute the inputs.

Citation Context

...ree assumption, where the adversary is a single algorithm. Put another way, a first-degree assumption can be specified via an interaction (game) between an adversary and a challenger. (In some places [74, 87] this is called a “standard” assumption, but we think this is less clear than “first degree.”) UCE cannot. This distinction is crucial to its power and to why various negative results are circumvented...

On the security of one-witness blind signature schemes

by Foteini Baldimtsi, Anna Lysyanskaya, 2012
Abstract - Cited by 7 (3 self)
Blind signatures have proved an essential building block for applications that protect privacy while ensuring unforgeability, i.e., electronic cash and electronic voting. One of the oldest, and most efficient blind signature schemes is the one due to Schnorr that is based on his famous identification scheme. Although it was proposed over twenty years ago, its unforgeability remains an open problem, even in the random-oracle model. In this paper, we show that current techniques for proving security in the random oracle model do not work for the Schnorr blind signature by providing a meta-reduction which we call “personal nemesis adversary”. Our results generalize to other important blind signatures, such as the one due to Brands. Brands’ blind signature is at the heart of Microsoft’s newly implemented UProve system, which makes this work relevant to cryptographic practice as well.

Limitations of the Meta-Reduction Technique: The Case of Schnorr Signatures

by Marc Fischlin, Nils Fleischhacker (Technische Universität Darmstadt)
Abstract - Cited by 6 (3 self)
We revisit the security of Fiat-Shamir signatures in the non-programmable random oracle model. The well-known proof by Pointcheval and Stern for such signature schemes (Journal of Cryptology, 2000) relies on the ability to re-program the random oracle, and it has been unknown if this property is inherent. Paillier and Vergnaud (Asiacrypt 2005) gave some first evidence of the hardness by showing via meta-reduction techniques that algebraic reductions cannot succeed in reducing key-only attacks against unforgeability to the discrete-log assumptions. We also use meta-reductions to show that the security of Schnorr signatures cannot be proven equivalent to the discrete logarithm problem without programming the random oracle. Our result also holds under the one-more discrete logarithm assumption but applies to a large class of reductions, which we call single-instance reductions, subsuming those used in previous proofs of security in the (programmable) random oracle model. In contrast to algebraic reductions, our class allows arbitrary operations, but can only invoke a single resettable adversary instance, making our class incomparable to algebraic reductions. Our main result, however, is about meta-reductions and the question if this technique can be used to further strengthen the separations above. Our answer is negative. We present, to the best of our knowledge for the first time, limitations of the meta-reduction technique in the sense that finding a meta-reduction for general reductions is most likely infeasible. In fact, we prove that finding a meta-reduction against a potential reduction is equivalent to finding a “meta-meta-reduction” against the strong existential unforgeability of the signature scheme. This means that the existence of a meta-reduction implies that the scheme must be insecure (against a slightly stronger attack) in the first place.

Round optimal blind signatures

by Sanjam Garg, Vanishree Rao, Amit Sahai, Dominique Schröder, Dominique Unruh - In CRYPTO 2011, volume 6841 of LNCS, 2011
Abstract - Cited by 4 (0 self)
Constructing round-optimal blind signatures in the standard model has been a long-standing open problem. In particular, Fischlin and Schröder recently ruled out a large class of three-move blind signatures in the standard model (Eurocrypt’10). In particular, their result shows that finding security proofs for the well-known blind signature schemes by Chaum, and by Pointcheval and Stern in the standard model via black-box reductions is hard. In this work we propose the first round-optimal, i.e., two-move, blind signature scheme in the standard model (i.e., without assuming random oracles or the existence of a common reference string). Our scheme relies on the Decisional Diffie-Hellman assumption and the existence of sub-exponentially hard 1-to-1 one-way functions. This scheme is also secure in the concurrent setting.

Citation Context

...hich known impossibility results for concurrently-secure 2-party computation [29,30] can be avoided to achieve meaningful game-based security definitions. Finally, we note that in a recent result Pass [34] rules out the existence of unique blind signatures using super-polynomial reductions, as long as the blindness property holds for appropriately strong adversaries. In our case blindness holds against...

Unprovable Security of Perfect NIZK and Non-interactive Non-malleable Commitments

by Rafael Pass, 2012
Abstract - Cited by 2 (0 self)
We present barriers to provable security of two fundamental (and well-studied) cryptographic primitives, perfect non-interactive zero knowledge (NIZK) and non-malleable commitments:
• Black-box reductions cannot be used to demonstrate adaptive soundness (i.e., that soundness holds even if the statement to be proven is chosen as a function of the common reference string) of any statistical (and thus also perfect) NIZK for NP based on any “standard” intractability assumptions.
• Black-box reductions cannot be used to demonstrate non-malleability of non-interactive, or even 2-message, commitment schemes based on any “standard” intractability assumptions.
We emphasize that the above separations apply even if the construction of the considered primitives makes a non-black-box use of the underlying assumption. As an independent contribution, we suggest a taxonomy of game-based intractability assumptions based on 1) the security threshold, 2) the number of communication rounds in the security game, 3) the computational complexity of the game challenger, 4) the communication complexity of the challenger, and 5) the computational complexity of the security reduction.

Unprovable Security of Two-Message Zero Knowledge

by Kai-min Chung, Edward Lui, Mohammad Mahmoody, Rafael Pass December
Abstract - Cited by 1 (1 self)
Goldreich and Oren (JoC’94) show that only trivial languages have 2-message zero-knowledge arguments. In this note we consider weaker, super-polynomial-time simulation (SPS), notions of zero-knowledge. We present barriers to using black-box reductions for demonstrating soundness of 2-message protocols with efficient prover strategies satisfying SPS zero-knowledge. More precisely, we show that assuming the existence of poly(T(n))-hard one-way functions, the following holds:
• For sub-exponential (or smaller) T(·), polynomial-time black-box reductions cannot be used to prove soundness of 2-message T(·)-simulatable arguments based on any polynomial-time intractability assumption. This matches known 2-message quasi-polynomial-time simulatable arguments using a quasi-polynomial-time reduction (Pass’03), and 2-message exponential-time simulatable proofs using a polynomial-time reduction (Dwork-Naor’00, Pass’03).
• poly(T(·))-time black-box reductions cannot be used to prove soundness of 2-message strong T(·)-simulatable (efficient prover) arguments based on any poly(T(·))-time intractability assumption; strong T(·)-simulatability means that the output of the simulator is indistinguishable also for poly(T(·))-size circuits. This matches known 3-message strong quasi-polynomial-time simulatable proofs (Blum’86, Canetti et al. ’00).

Citation Context

...an not be proven sound through a black-box reduction to any “standard” assumption. 2 Intractability Assumptions and Black-Box Reductions Our definition of an intractability assumption closely follows [Pas11]. Following Naor [Nao03] (see also [DOP05, HH09, RV10, GW11]), we model an intractability assumption as an interactive game between a probabilistic machine C—called the challenger—and an attacker A. B...

Constant-Round Concurrent Zero Knowledge in the Bounded Player Model

by Vipul Goyal, Abhishek Jain, Rafail Ostrovsky, Silas Richelson
Abstract - Cited by 1 (1 self)
In [18] Goyal et al. introduced the bounded player model for secure computation. In the bounded player model, there are an a priori bounded number of players in the system, however, each player may execute any unbounded (polynomial) number of sessions. They showed that even though the model consists of a relatively mild relaxation of the standard model, it allows for round-efficient concurrent zero knowledge. Their protocol requires a super-constant number of rounds. In this work we show, constructively, that there exists a constant-round concurrent zero-knowledge argument in the bounded player model. Our result relies on a new technique where the simulator obtains a trapdoor corresponding to a player identity by putting together information obtained in multiple sessions. Our protocol is only based on the existence of a collision-resistant hash-function family and comes with a “straight-line” simulator. We note that this constitutes the strongest result known on constant-round concurrent zero knowledge in the plain model (under well accepted relaxations) and subsumes Barak’s constant-round bounded concurrent zero-knowledge result. We view this as a positive step towards getting constant round fully concurrent zero-knowledge in the plain model, without relaxations.

Citation Context

...n the concurrent zero-knowledge literature have found applications in other areas in cryptography, including resettable security [5], non-malleability [14], and even in proving black-box lower bounds [27]. 1.1 Technical Overview In this section, first, we recall some observations by Goyal et al. [18] regarding why simple approaches to extend the construction of Barak [1] to the bounded player model are...

On the Power of Nonuniformity in Proofs of Security ABSTRACT

by Kai-min Chung, Huijia Lin, Mohammad Mahmoody, Rafael Pass
Abstract
Nonuniform proofs of security are common in cryptography, but traditional black-box separations consider only uniform security reductions. In this paper, we initiate a formal study of the power and limits of nonuniform black-box proofs of security. We first show that a known protocol (based on the existence of one-way permutations) that uses a nonuniform proof of security cannot be proven secure through a uniform security reduction. Therefore, nonuniform proofs of security are indeed provably more powerful than uniform ones. We complement this result by showing that many known black-box separations in the uniform regime actually do extend to the nonuniform regime. We prove our results by providing general techniques for extending certain types of black-box separations to handle nonuniformity.

Citation Context

...ablished (e.g., [1,10,23,23,24,35,50,52]); this paradigm has also been used to demonstrate lower bounds on the efficiency of black-box constructions (e.g., [5,6,13,20,29,36,38]). Very recently, several works [22,44,45] demonstrated barriers to proofs of security that apply even when the construction is non-black-box (that is, the implementation of Q may use the code of P instead of just treating it as an oracle) as l...

An Unconditionally Hiding and Long-Term Binding Post-Quantum Commitment Scheme

by Daniel Cabarcas, Denise Demirel, Jean Lancrenon, Thomas Wunderer (Technische Universität Darmstadt)
Abstract
Commitment schemes are among cryptography’s most important building blocks. Besides their basic properties, hidingness and bindingness, for many applications it is important that the schemes applied support proofs of knowledge. However, all existing solutions which have been proven to provide these protocols are only computationally hiding or are not resistant against quantum adversaries. This is not suitable for long-lived systems, such as long-term archives, where commitments have to provide security also in the long run. Thus, in this work we present a new post-quantum unconditionally hiding commitment scheme that supports (statistical) zero-knowledge protocols and allows to refresh the binding property over time. The bindingness of our construction relies on the approximate shortest vector problem, a lattice problem which is conjectured to be hard for polynomial approximation factors, even for a quantum adversary. Furthermore, we provide a protocol that allows the committer to prolong the bindingness property of a given commitment while showing in zero-knowledge fashion that the value committed to did not change. In addition, our construction yields two more interesting features: one is the ability to “convert” a Pedersen commitment into a lattice-based one, and the other one is the construction of a hybrid approach whose bindingness relies on the discrete logarithm and approximate shortest vector problems.

Citation Context

...uence LPCom can only be computationally binding, hence we have to relax the special soundness condition of Σ′-protocols to computationally special soundness (adapted from Ambainis et al. [1] and Pass [21]). This leads to the following modified definition. Definition 1 Let (P,V) be a two-party protocol, where P and V are PPT, and let L,L′ ⊆ {0, 1}∗ be languages with witness relations R ⊆ R′ ⊆ {0, 1}...
