Fiat-Shamir: from Practice to Theory
Ron Rothblum, Technion
Based on joint works with: Ran Canetti, Yilei Chen, Justin Holmgren, Yael Kalai, Alex Lombardi, Leo Reyzin and Guy Rothblum
The Fiat-Shamir Transform
Public-coin interactive protocol (each $\beta_i$ uniformly random): the prover sends $\alpha_1$, the verifier replies with $\beta_1$, ..., the prover sends $\alpha_{\ell-1}$, the verifier replies with $\beta_{\ell-1}$, and the prover sends $\alpha_\ell$.
A hash function $H$ turns this, generically, into a non-interactive argument: $P_{FS}$ sends $\alpha_1, \ldots, \alpha_\ell$ to $V_{FS}$, and every verifier message is replaced by a hash of the statement and the prover messages so far:
$\beta_1 = H(x, \alpha_1)$, $\beta_2 = H(x, \alpha_1, \alpha_2)$, ..., $\beta_i = H(x, \alpha_1, \ldots, \alpha_i)$.
Fiat Shamir – Security?
[PS96]: the Fiat-Shamir transform is secure in the random oracle model.
Can we instantiate the heuristic securely using an explicit hash family?
Fiat Shamir – Impossible?
Def: a hash family $\mathcal{H}$ is FS-compatible for a protocol $\Pi$ if $FS_{\mathcal{H}}(\Pi)$ is a sound argument-system.
Thm [B01, GK03]: $\exists$ protocols which are not FS-compatible for any $\mathcal{H}$.
Hope? Those counterexamples are arguments! Maybe sound if we start with a proof?
[BDGJKLW13]: no black-box reduction to a falsifiable assumption, even for proofs.
This Talk: New Positive Results
First positive indications: hash functions that are FS-compatible for proofs.
Bypass impossibility results by:
• Strong (but meaningful) assumptions.
• Considering restricted classes of proofs.
Very recent follow-ups make progress on longstanding open problems:
1. $NIZK$ from $LWE$ [CLW19, PS19]
2. PPAD hardness [CHKPRR19]
STRONG ASSUMPTIONS AHEAD
A Detour: Optimal Hardness
• For this talk: optimal hardness means that a PPT algorithm can only break with probability $poly(n)/2^n$.
• Holds in ROM, whereas optimal-size hardness does not.
• When the challenge is re-randomizable:
  – Weaker than optimal-size hardness.
  – Implies a polynomial-space attack.
FS for Proofs: Recent Positive Results
[KRR16]: subexponential IO+OWF, optimal input-hiding Obf.
[CCRR17]: optimal KDM secure encryption* scheme, for unbounded KDM functions.
[CCHLRR18]: optimal KDM secure encryption* for bounded KDM functions, but only for "nice" IPs.
IPs that we care about are nice.
Applications
Thm [CCHLRR18]: publicly verifiable non-interactive arguments for $NC$, assuming a suitable $FHE$ is optimally hard (for key recovery).
Thm [CCHLRR18]: NIZKs for all of $NP$, assuming search-LWE is optimally hard. The NIZK has:
1. Statistical ZK.
2. Uniform CRS.
3. Adaptive soundness.
Corollary (via [DNRS03]): assuming search-LWE is optimally hard, parallel rep. of the QR protocol is not zero-knowledge.
[PS19]: same conclusion but only assuming LWE!
Proof Idea
Recent Positive Results
[KRR17]: subexponential IO+OWF, optimal input-hiding Obf.
[CCRR18]: optimal KDM secure encryption* scheme, for unbounded KDM functions.
[CCHLRR18]: optimal KDM secure encryption* for bounded KDM functions, but only for โniceโ IPs.
[CCRR17] Assumption
Symmetric-key encryption scheme $(E, D)$ s.t.:
1. (Optimal KDM sec.): $\forall f\ \forall$PPT $A$: $\Pr_k[A(E_k(f(k))) = k] \leq poly(n)/2^n$.
2. (Universal ciphertexts): for any fixed key $k^*$: $E_{k^*}(m) \equiv E_K(m')$ (as distributions, with $K$ a random key).
Correlation Intractability [CGH04]
A hash family $\mathcal{H}$ is correlation intractable for a sparse relation $R$ if: given $h \leftarrow \mathcal{H}$, it is infeasible to find $x$ s.t. $(x, h(x)) \in R$.
$\forall$PPT $A$: $\Pr_{h \leftarrow \mathcal{H},\ x \leftarrow A(h)}[(x, h(x)) \in R] = negl$.
CI ⇒ FS
Public-coin interactive protocol $\Pi$ between $P$ and $V$: $P$ sends $\alpha$, $V$ sends $\beta$, $P$ sends $\gamma$.
Non-interactive argument $\Pi_{FS}$ between $P_{FS}$ and $V_{FS}$: $P_{FS}$ sends $(\alpha, \gamma)$, and $\beta = h(x, \alpha)$ is computed from the hash function $h$.
Consider $R_\Pi = \{(\alpha, \beta) : \exists \gamma \text{ s.t. Verifier accepts } (x, \alpha, \beta, \gamma)\}$.
Cheating $P^*_{FS}$ finds $\alpha^*$ s.t. $(\alpha^*, h(x, \alpha^*)) \in R_\Pi$ ⇒ breaks CI.
Our Hash Function
• Hash function described by a ciphertext $c$.
• Messages are enc/dec keys: $h_c(k) = D_k(c)$.
Want to show: CI for all sparse relations.
Today: for simplicity consider relations $R$ that are functions ($\forall x\ \exists!\, y$ s.t. $(x, y) \in R$).
Our Hash Function
$h_c(k) = D_k(c)$
Intuition: breaking CI for $f$ means finding, from $c$, a key $k$ s.t. $D_k(c) = f(k)$.
In words, from $c$ we can find $k$ s.t. $c = E_k(f(k))$.
Smells like the KDM game, but the order is wrong.
Analysis
A sequence of experiments; for each, the event and a lower bound on its probability:
1. $K$ random, $C = E_K(m)$. Event: $A(C) \to k^*$ with $(k^*, Dec_{k^*}(C)) \in R$, i.e. $A$ breaks CI of $h_C$. Probability $\geq \varepsilon$.
2. $K, K^*$ random, $C = E_K(m)$. Event: $A(C) = K^*$ and $(K^*, Dec_{K^*}(C)) \in R$. Probability $\geq \varepsilon/2^n$ (the independent $K^*$ equals $A$'s output with probability $2^{-n}$).
3. $K^*$ random, $C = E_{K^*}(m)$. Event: $A(C) = K^*$ and $(K^*, Dec_{K^*}(C)) \in R$. Probability $\geq \varepsilon/2^n$ (universal ciphertexts: the distribution of $C$ does not change).
4. $K^*$ random, $m = f(K^*)$, $C = E_{K^*}(m)$. Event: $A(C) = K^*$. Probability $\geq \varepsilon/(2^n \cdot \rho)$, where $\rho$ is the sparsity of $R$ (conditioning on $Dec_{K^*}(C) = f(K^*)$).
Experiment 4 is the optimal-KDM game, so $\varepsilon/(2^n \cdot \rho) \leq poly(n)/2^n$, i.e. $\varepsilon \leq poly(n) \cdot \rho$, which is negligible for sparse $R$.
[CCHLRR18] Improvement
Optimal $KDM$ security for $f$ ⇒ CI for $f$.
Q1: Are there interesting interactive proofs for which $f$ is an efficient function?
Q2: Can we get (optimal) KDM security for bounded KDM functions from better assumptions?
A1: Yes! Delegation schemes [GKR08] & ZKPs [GMW89].
A2: Yes! Garbled circuits or FHE [BHHI10, A11].
Publicly-Verifiable Non-Interactive Delegation
Weak client wants to check whether $x \in L$.
Publicly verifiable: the CRS can be re-used and anyone can verify.
(Diagram: prover and verifier share a CRS; the prover sends a single proof.)
PV Delegation: Prior Work
Known under strong assumptions:
- Knowledge assumptions [Groth10, …] (even for $NP$).
- iO [SW13].
- Zero-testable homomorphic enc. [PR17].
Independent work [KPY18]: from new (falsifiable) assumptions on bilinear maps. CRS is long (and non-uniform).
PV Delegation: Our Result
Thm: assume optimal hardness of key-recovery attacks for the [BV11/GSW13/BV14, …] $FHE$ scheme.
Then every $L \in NC$ has a publicly verifiable non-interactive argument-system where the verifier runs in $\tilde{O}(n)$ time and the prover in $poly(n)$ time.
Fiat-Shamir for GKR
[GKR08]: very efficient, but highly interactive, public-coin interactive proof for $NC$.
Want to apply FS but face two challenges:
1. Need to show that $f$ is efficient.
2. Not constant-round!
FS for $\omega(1)$ Rounds
FS is not secure (even in ROM) for $\omega(1)$-round interactive proofs.
[BCS16]: FS is secure for resettably sound interactive proofs in ROM.
Open: show that $CI$ suffices for FS of resettably sound proofs.
Round-by-Round Soundness
Def: $\Pi$ has RBR soundness if $\exists$ a predicate "doomed", defined on any partial transcript, s.t. $\forall x \notin L$:
1. The empty transcript is doomed.
2. Given a doomed transcript $\tau$, whp (over the verifier's random $\beta$) $(\tau, \beta)$ is doomed.
3. If the full transcript is doomed then the verifier rejects.
Lemma: parallel rep. of any IP has RBR soundness.
RBR + CI ⇒ FS
Suppose $\Pi$ has RBR soundness.
Define $R_\Pi = \{(\tau, \beta) : \tau \text{ is doomed but } (\tau, \beta) \text{ is not}\}$.
RBR soundness ⇒ $R_\Pi$ is sparse.
Breaking RBR soundness ⇒ breaking CI of $R_\Pi$.
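A worked example, added here and not code from the talk or from the [CCRR17]/[CCHLRR18] papers: the generic rule $\beta_i = H(x, \alpha_1, \ldots, \alpha_i)$ from the Fiat-Shamir transform slide, applied to the sumcheck protocol (the public-coin interactive proof at the core of [GKR08]-style delegation), together with the "doomed" predicate and the bad-challenge relation $R_\Pi$ of the two slides above. SHA-256 stands in for $H$; the function names, the field size and the toy polynomial `g_toy` are assumptions of the example.

```python
"""Fiat-Shamir for sumcheck and its round-by-round 'doomed' predicate (added example)."""
import hashlib
from itertools import product
from typing import Callable, List, Sequence

P = 2**61 - 1                       # prime field (constructed choice)
Poly = Callable[[List[int]], int]   # g: F^v -> F, degree <= d in each variable

def partial_sum(g: Poly, v: int, prefix: List[int]) -> int:
    """Sum of g over every boolean completion of the fixed prefix (mod P)."""
    return sum(g(prefix + list(s)) for s in product((0, 1), repeat=v - len(prefix))) % P

def round_message(g: Poly, v: int, d: int, prefix: List[int]) -> List[int]:
    """Honest alpha_i: s_i(X) = sum_{suffix} g(prefix, X, suffix), sent as values at X = 0..d."""
    return [partial_sum(g, v, prefix + [t]) for t in range(d + 1)]

def interpolate(evals: Sequence[int], r: int) -> int:
    """Lagrange-evaluate at r the degree-d polynomial given by its values at 0..d."""
    d, acc = len(evals) - 1, 0
    for j, yj in enumerate(evals):
        num = den = 1
        for k in range(d + 1):
            if k != j:
                num, den = num * (r - k) % P, den * (j - k) % P
        acc = (acc + yj * num * pow(den, P - 2, P)) % P
    return acc

def fs_challenge(x: bytes, alphas: Sequence[Sequence[int]]) -> int:
    """beta_i = H(x, alpha_1, ..., alpha_i) with H = SHA-256, reduced into the field.
    The statement and all earlier messages are length-prefixed, so the coin is
    fixed only after alpha_i is committed to."""
    h = hashlib.sha256()
    for part in [x] + [",".join(map(str, a)).encode() for a in alphas]:
        h.update(len(part).to_bytes(4, "big") + part)
    return int.from_bytes(h.digest(), "big") % P

def fs_prove(g: Poly, v: int, d: int, x: bytes) -> List[List[int]]:
    """P_FS: run the public-coin prover, replacing each verifier coin by the hash."""
    prefix, alphas = [], []
    for _ in range(v):
        alphas.append(round_message(g, v, d, prefix))
        prefix.append(fs_challenge(x, alphas))
    return alphas

def fs_verify(g: Poly, v: int, d: int, claim: int, x: bytes, alphas: List[List[int]]) -> bool:
    """V_FS: recompute every beta_i and run the sumcheck verifier's checks."""
    if len(alphas) != v or any(len(a) != d + 1 for a in alphas):
        return False
    running, rs = claim % P, []
    for i, a in enumerate(alphas):
        if (a[0] + a[1]) % P != running:      # s_i(0) + s_i(1) must equal the running claim
            return False
        rs.append(fs_challenge(x, alphas[:i + 1]))
        running = interpolate(a, rs[-1])      # new running claim: s_i(beta_i)
    return g(rs) % P == running               # single evaluation of g at the end

def doomed(g: Poly, v: int, claim: int, alphas: List[List[int]], rs: List[int]) -> bool:
    """RBR predicate: (alpha_1, beta_1, ..., alpha_i, beta_i) is doomed when the running
    claim s_i(beta_i) differs from the true partial sum of g at (beta_1, ..., beta_i)."""
    if rs:
        prev = claim % P if len(rs) == 1 else interpolate(alphas[-2], rs[-2])
        if (alphas[-1][0] + alphas[-1][1]) % P != prev:
            return True                       # consistency check already fails: V rejects
    running = claim % P if not rs else interpolate(alphas[-1], rs[-1])
    return running != partial_sum(g, v, list(rs))

def is_bad_challenge(g: Poly, v: int, claim: int, alphas: List[List[int]], rs: List[int],
                     beta: int) -> bool:
    """(tau, beta) in R_Pi: tau doomed but (tau, beta) not. A cheating s_i that passes the
    consistency check differs from the true univariate, so the two agree on at most d of
    the P field points: R_Pi has density <= d / P."""
    return doomed(g, v, claim, alphas[:-1], rs) and not doomed(g, v, claim, alphas, rs + [beta])

def g_toy(z: List[int]) -> int:
    """Constructed polynomial, degree 1 per variable; its sum over {0,1}^3 is 11."""
    x1, x2, x3 = z
    return (x1 * x2 + 2 * x3 + x1 * x2 * x3) % P

V, D, TRUE_SUM = 3, 1, 11

def demo() -> dict:
    x = b"sumcheck:g_toy:claim=11"            # statement: which polynomial and which claim
    proof = fs_prove(g_toy, V, D, x)
    tampered = [list(a) for a in proof]
    tampered[1][0] = (tampered[1][0] + 1) % P  # round-2 consistency check now fails
    cheat = [5, 7]  # s_1 for the false claim 12: 5 + 7 = 12, but the true s_1 is 4 + 3X
    return {
        "honest_accepted": fs_verify(g_toy, V, D, TRUE_SUM, x, proof),
        "false_claim_rejected": not fs_verify(g_toy, V, D, 12, b"sumcheck:g_toy:claim=12", proof),
        "tampering_rejected": not fs_verify(g_toy, V, D, TRUE_SUM, x, tampered),
        "empty_transcript_doomed": doomed(g_toy, V, 12, [], []),
        # cheat - true s_1 = 1 - X has the single root X = 1: the only un-dooming coin
        "only_root_is_bad": is_bad_challenge(g_toy, V, 12, [cheat], [], 1)
        and not any(is_bad_challenge(g_toy, V, 12, [cheat], [], r) for r in (0, 2, 12345)),
    }

if __name__ == "__main__":
    print(demo())
```

Two things the code makes concrete: the FS verifier rejects a modified message even though it never saw the verifier's coins, because every later $\beta_i$ is recomputed from the full prefix; and for a doomed transcript a cheating prover's degree-$d$ message admits at most $d$ un-dooming challenges out of $P$ (here exactly one), which is the sparsity of $R_\Pi$ that correlation intractability has to cover.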
NIZK from Strong LWE
Thm: assume that search-LWE (with suitable parameters) is optimally hard.
Then every $L \in NP$ has a non-interactive statistical zero-knowledge argument in the uniform CRS model.
Note: NIZK from LWE is (still) wide open.
[GMW89] Reminder
Prover $P(G, c)$ holds the graph $G$ and a 3-colouring $c$; verifier $V(G)$ holds $G$.
1. $P$: $\pi \leftarrow_R S_3$, sends $Commit(\pi(G))$ (commitments to the permuted colours).
2. $V$: $e \leftarrow_R E$ (a random edge).
3. $P$: $Decommit(\pi(e))$ (opens the colours of the endpoints of $e$).
NIZK: FS for GMW
Would like to apply FS to (parallel rep. of) GMW.
Difficulty: for the relation $R = \{(commitment, e)\}$ it is not clear, given the commitment, how to sample $e$.
Solution (using [HL18]): use a trapdoor commitment scheme; the trapdoor is hard-wired in the relation.
NIZK: FS for GMW
Perfectly correct $PKE$ ⇒ trapdoor commitment scheme.
Further:
1. If public keys are random ⇒ uniform CRS.
2. Lossy PKE ⇒ statistical ZK.
Can obtain both from $LWE$.
Optimal Bounded KDM Security
Need enc. with KDM security for bounded functions.
Known [BHHI10, BGK11, A11] but face two challenges:
1. Universal ciphertexts.
2. Preserving optimal hardness.
Garbled circuits à la [A11] ⇒ non-compact (good enough for NIZKs).
FHE à la [BHHI10] ⇒ compact, good for delegation.
Summary
Fiat Shamir for proofs can be realized!
Striking improvement in assumptions in just 2 years.
Open: what other random oracle properties can we get? Using these techniques?