Transcript

Dec 16, 2015

Page 1

Adaptive Proofs of Knowledge in the Random Oracle Model

PKC 2015

Marc Fischlin

joint work with David Bernhard, Bogdan Warinschi

13. Oktober 2010 | Dr.Marc Fischlin | Kryptosicherheit | 1

Page 2

April 1st, 2015 | Marc Fischlin | PKC 2015 | 2

(Interactive) Proofs of Knowledge

[Diagram: (malicious) prover and extractor, running the interactive proof for a theorem; witness]

extraction usually through rewinding

Page 3

Non-interactive Proofs of Knowledge in the Random Oracle (RO) Model…

[Diagram: (malicious) prover and extractor, non-interactive proof, RO, RO*]

…still require rewinding for extraction

[Fiat-Shamir]

Page 4

Extraction is easy in the RO model… [Pointcheval-Stern]

Example: Fiat-Shamir-Schnorr signatures

[Diagram: RO, RO*]

Page 5

Extraction is easy in the RO model…

…or is it?

Page 6

adaptive zero-knowledge proofs of knowledge in random oracle model (ROM)

[Diagram: [Shoup-Gennaro] adversary, RO, RO, RO…]

Page 7

simulation-sound adaptive zero-knowledge proofs of knowledge in the ROM

[Diagram: RO; ZK simulator needs to program RO; extractor needs to program RO; ?]

Page 8

This work here:

Model for simulation-sound adaptive ZK PoKs in ROM

Show that one can work with it

Show that one can achieve it

Discuss that some approaches fail

Page 9

[Diagram of the extraction game: RO, RO, same coins, list of queries, main execution (non-rewinding), local branches]

adversary wins if extractor at some point fails to compute witness

PPT adversaries, extractor: Pr[adversary wins] is negligible

Page 10

Result #1 (applicability):

CPA-secure encryption + simulation-sound adaptive zero-knowledge proof of knowledge in ROM ⇒ CCA-secure encryption in ROM

"I know message and randomness encrypted under CPA scheme"

so far: common reference string model [Groth, Chase-Lysyanskaya, Dodis et al.]

Page 11

Result #2 (feasibility):

Fischlin's transformation with straightline extractor for Σ-protocols with special soundness is a simulation-sound adaptive zero-knowledge proof of knowledge in the ROM

so far: only shown for adaptive scenario in [Fischlin]

Page 12

Idea: the straightline extractor in Fischlin's scheme only needs the hash queries of the adversary

[Diagram: RO, RO]
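The two extraction styles contrasted on pages 3 to 4 and 11 to 12 (rewinding after Fiat-Shamir versus straightline extraction from the list of hash queries in Fischlin's transformation) are worked through in the Python example below. It is an added example, not code from the talk or from the paper by Bernhard, Fischlin and Warinschi. It assumes a constructed toy group (p = 1019, q = 509, g = 4, far too small for any security) and a simplified variant of Fischlin's transformation in which every round needs a transcript whose hash ends in B zero bits (the original scheme's acceptance rule differs in details); the parameters R, T, B and all class and function names are the example's own.

```python
# Constructed toy example (not the paper's code): Schnorr proofs of knowledge under
# Fiat-Shamir (extractor rewinds) and a simplified Fischlin transform (log-only extractor).
import hashlib

P, Q, G = 1019, 509, 4  # toy group: order-Q subgroup of Z_P^*, P = 2Q+1; no security
R, T, B = 5, 8, 4       # Fischlin: rounds, challenge bits, hash bits that must be zero

class RandomOracle:
    """Answers are a fixed function of the query (instances agree unless programmed); logs every query; programmable (RO*)."""
    def __init__(self):
        self.table, self.log = {}, []

    def query(self, x):
        self.log.append(x)
        if x not in self.table:
            digest = hashlib.sha256(repr(x).encode()).digest()
            self.table[x] = int.from_bytes(digest, "big")
        return self.table[x]

    def program(self, x, value):
        self.table[x] = value

def coin_toss(seed, label):
    """Prover randomness in Z_Q derived from its coins; same seed = same coins on rewind."""
    return int.from_bytes(hashlib.sha256(f"{seed}|{label}".encode()).digest(), "big") % Q

# Schnorr sigma protocol for y = G^w: commitment a = G^r, challenge c, response s = r + c*w.
def schnorr_check(y, a, c, s):
    return pow(G, s, P) == a * pow(y, c, P) % P

def schnorr_extract(a, c1, s1, c2, s2):
    """Special soundness: same commitment, two different challenges -> witness."""
    return (s1 - s2) * pow((c1 - c2) % Q, -1, Q) % Q

# --- Fiat-Shamir: c = H(y, a). Extraction needs a second run of the prover (rewinding). ---
def fs_prove(y, w, ro, seed):
    r = coin_toss(seed, "fs")
    a = pow(G, r, P)
    c = ro.query(("fs", y, a)) % Q
    return a, c, (r + c * w) % Q

def fs_verify(y, proof, ro):
    a, c, s = proof
    return c == ro.query(("fs", y, a)) % Q and schnorr_check(y, a, c, s)

def fs_rewind_extract(y, prover, seed):
    """Forking: rerun the prover on the same coins with the oracle reprogrammed at its query, so both runs share a."""
    a, c1, s1 = prover(y, RandomOracle(), seed)
    ro2 = RandomOracle()
    ro2.program(("fs", y, a), (c1 + 1) % Q)  # RO*: a different challenge for the same commitment
    a2, c2, s2 = prover(y, ro2, seed)
    assert a2 == a and c2 != c1
    return schnorr_extract(a, c1, s1, c2, s2)

# --- Simplified Fischlin: per round, find a challenge whose transcript hashes to B zero bits. ---
def fischlin_prove(y, w, ro, seed):
    rs = [coin_toss(seed, f"fischlin{i}") for i in range(R)]
    avec = tuple(pow(G, r, P) for r in rs)  # all commitments are bound into every hash
    proof = []
    for i in range(R):
        for c in range(2 ** T):
            s = (rs[i] + c * w) % Q
            if ro.query(("fischlin", y, avec, i, c, s)) % 2 ** B == 0:
                proof.append((avec[i], c, s))
                break
        else:  # no zero hash among 2^T tries: probability (1 - 2^-B)^(2^T) per round
            raise RuntimeError("no accepting challenge found in this round")
    return proof

def fischlin_verify(y, proof, ro):
    if len(proof) != R:
        return False
    avec = tuple(a for a, _, _ in proof)
    return all(schnorr_check(y, a, c, s)
               and ro.query(("fischlin", y, avec, i, c, s)) % 2 ** B == 0
               for i, (a, c, s) in enumerate(proof))

def fischlin_straightline_extract(y, ro):
    """Straightline: no rerun; scan the query log for two valid transcripts of one round with different challenges."""
    seen = {}
    for q in ro.log:
        if q[0] != "fischlin" or q[1] != y:
            continue
        _, _, avec, i, c, s = q
        if not schnorr_check(y, avec[i], c, s):
            continue
        if (avec, i) in seen and seen[avec, i][0] != c:
            return schnorr_extract(avec[i], c, s, *seen[avec, i])
        seen.setdefault((avec, i), (c, s))
    return None

def demo(seed=2015):
    """Prove y = G^w both ways, verify, and recover w with each extractor."""
    w = coin_toss(seed, "witness")
    y = pow(G, w, P)
    ro = RandomOracle()
    fs, fi = fs_prove(y, w, ro, seed), fischlin_prove(y, w, ro, seed)
    return {"witness": w, "fs_ok": fs_verify(y, fs, ro),
            "fs_extracted": fs_rewind_extract(y, lambda y_, o, s_: fs_prove(y_, w, o, s_), seed),
            "fischlin_ok": fischlin_verify(y, fi, ro),
            "fischlin_extracted": fischlin_straightline_extract(y, ro)}
```

Calling demo() returns the witness next to the value each extractor recovered. The contrast is the one the slides draw: fs_rewind_extract has to run the prover a second time with the same coins against a reprogrammed oracle, so an adaptive adversary that interleaves many proofs and hash queries multiplies the extractor's work, whereas fischlin_straightline_extract never reruns anything and only reads ro.log. For the honest prover the straightline extractor can miss a proof only when every round hit a zero hash on its very first query, which happens with probability 2^-(B·R); with real-size parameters that is the knowledge error.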

Page 13

Result #3 (limitations):

The Fiat-Shamir-Schnorr transformation is not an adaptive proof of knowledge under the one-more DL assumption (for black-box extractors).

so far: certain extractor strategy fails [Shoup-Gennaro]

here: any efficient extractor strategy fails

Page 14

One-More-DL Problem [Bellare et al.]

[Diagram: adversary A, challenger Ch, DL oracle; A must output more solutions to challenges than DL queries]

Page 15

Metareduction

[Diagram: RO, RO, challenger Ch, DL oracle; output more solutions to challenges than DL queries]

Page 16

Metareduction: use [Shoup-Gennaro] adversary here

[Diagram: RO, RO, Ch, DL; output more solutions to challenges than DL queries]

Page 17

Metareduction: use [Shoup-Gennaro] adversary here

[Diagram: RO, Ch, DL; output more solutions to challenges than DL queries]

if extractor requires less than 2 executions to extract for some , then metareduction solves OMDL problem

make at most 2 calls to DL for each

Page 18

Final step in the proof (not here):

If extractor requires 2 executions to extract for each

then Shoup-Gennaro adversary forces exponential number of executions

combinatorial, via execution tree

Page 19

Take-home Message

Page 20

[Diagram: RO, RO]

1. CPA + ss-adaptive PoK ⇒ CCA in ROM

2. Fischlin's transformation is an example for ss-adaptive PoK

3. Fiat-Shamir transformation in general is (presumably) not