13 October 2010 | Dr. Marc Fischlin | Kryptosicherheit | 1
Adaptive Proofs of Knowledge in the Random Oracle Model
PKC 2015
Marc Fischlin
joint work with David Bernhard, Bogdan Warinschi
April 1st, 2015 | Marc Fischlin | PKC 2015 | 2
(Interactive) Proofs of Knowledge
[Figure: a (malicious) prover and an extractor run an interactive proof for a theorem; the extractor's goal is to output the witness.]
Extraction usually works through rewinding.
Non-interactive Proofs of Knowledge in the Random Oracle (RO) Model…
[Figure: (malicious) prover and extractor; the proof is made non-interactive via [Fiat-Shamir], with the extractor answering the prover's RO queries itself (RO*).]
…still require rewinding for extraction
Extraction is easy in the RO model… [Pointcheval-Stern]
[Figure: the extractor rewinds the prover to its RO query and answers it differently (RO*), obtaining a second transcript.]
Example: Fiat-Shamir-Schnorr signatures
Adaptive zero-knowledge proofs of knowledge in the random oracle model (ROM)
[Figure: the [Shoup-Gennaro] adversary produces proofs adaptively, each one to be extracted before the next is made, all while querying the RO…]
Simulation-sound adaptive zero-knowledge proofs of knowledge in the ROM
ZK simulator: needs to program the RO
Extractor: needs to program the RO
? (both want to program the same oracle at once)
This work here:
Model for simulation-sound adaptive ZK PoKs in ROM
Show that one can work with it
Show that one can achieve it
Discuss that some approaches fail
[Figure: adversary and extractor, both with access to the RO. The extractor runs the adversary in a main execution (non-rewinding) and may additionally run local branches of the adversary with the same coins; it also sees the adversary's list of RO queries.]
The adversary wins if the extractor at some point fails to compute a witness.
For all PPT adversaries there is an extractor such that Pr[adversary wins] is negligible.
Result #1 (applicability):
CPA-secure encryption + simulation-sound adaptive zero-knowledge proof of knowledge in the ROM gives CCA-secure encryption in the ROM
The proof statement: "I know message and randomness encrypted under the CPA scheme"
so far: common reference string model [Groth, Chase-Lysyanskaya, Dodis et al.]
Result #2 (feasibility):
Fischlin's transformation with straightline extractor for Σ-protocols with special soundness
is a
simulation-sound adaptive zero-knowledge proof of knowledge in the ROM
so far: only shown for the non-adaptive scenario in [Fischlin]
[Figure: adversary and extractor with access to the RO; the extractor reads the adversary's hash queries.]
Idea: the straightline extractor in Fischlin's scheme only needs the hash queries of the adversary
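As an added example (not code from the talk, the paper, or its authors), the Python toy below implements Fischlin's transformation over the Schnorr Σ-protocol for knowledge of a discrete logarithm, together with a logging random oracle in the spirit of the slide 9 model and the straightline extractor of this slide, which reads only the prover's hash queries and never rewinds. It serves Result #1 only indirectly: for the CCA construction the same transformation would be applied to the statement "I know message and randomness" instead of a discrete log, and that encryption layer is not implemented here. The group (p = 2039, q = 1019, g = 4), the parameters R, T, B, S and the "lazy" prover are all constructed for illustration and are not from the original.

```python
import hashlib
import secrets

# Toy safe-prime group p = 2q + 1 (constructed for illustration; a real
# deployment uses a large group). g = 4 is a square, so it has order q.
P, Q, G = 2039, 1019, 4
# Fischlin parameters, toy-sized: R repetitions, T-bit challenges (2^T < Q, so
# distinct challenges stay distinct mod Q), B hash bits, sum bound S.
R, T, B, S = 4, 9, 5, 2

class RandomOracle:
    """SHA-256 truncated to B bits; logs every query, which is all the
    straight-line extractor gets to see (the 'list of queries' of slide 9)."""
    def __init__(self):
        self.log = []  # (x, coms, i, ch, z) per query, in order

    def query(self, x, coms, i, ch, z):
        msg = f"{x}|{','.join(map(str, coms))}|{i}|{ch}|{z}".encode()
        self.log.append((x, tuple(coms), i, ch, z))
        return int.from_bytes(hashlib.sha256(msg).digest()[:4], "big") >> (32 - B)

def sigma_verify(x, a, ch, z):
    """Schnorr transcript check for x = g^w: g^z == a * x^ch."""
    return pow(G, z, P) == (a * pow(x, ch, P)) % P

def fischlin_prove(ro, x, w):
    """Honest prover: commit to all R repetitions first, then for each one try
    challenges 0, 1, 2, ... until the hash is 0 (keeping the smallest seen)."""
    ss = [secrets.randbelow(Q) for _ in range(R)]
    coms = [pow(G, s, P) for s in ss]
    proof = []
    for i in range(R):
        best = None
        for ch in range(2 ** T):
            z = (ss[i] + ch * w) % Q
            h = ro.query(x, coms, i, ch, z)
            if best is None or h < best[0]:
                best = (h, ch, z)
            if h == 0:
                break
        proof.append((coms[i], best[1], best[2]))
    return proof

def fischlin_verify(ro, x, proof):
    """Every transcript must verify and the R hash values must sum to <= S."""
    if len(proof) != R:
        return False
    coms = [a for a, _, _ in proof]
    total = 0
    for i, (a, ch, z) in enumerate(proof):
        if not (0 <= ch < 2 ** T and sigma_verify(x, a, ch, z)):
            return False
        total += ro.query(x, coms, i, ch, z)
    return total <= S

def straightline_extract(x, log):
    """Online extractor: no rewinding, just the prover's RO queries. Two valid
    transcripts, same (coms, i), different challenges => w = (z-z')/(ch-ch') mod q."""
    seen = {}
    for qx, coms, i, ch, z in log:
        if qx != x or i >= len(coms) or not sigma_verify(x, coms[i], ch, z):
            continue  # off-statement or junk queries from a malicious prover
        key = (coms, i)
        if key in seen and seen[key][0] != ch:
            ch2, z2 = seen[key]
            return ((z - z2) * pow(ch - ch2, -1, Q)) % Q
        seen.setdefault(key, (ch, z))
    return None

def lazy_prove(ro, x, w):
    """Constructed malicious prover that hashes one random challenge per
    repetition: valid Schnorr transcripts, but the sum check rejects w.h.p.
    and the log never contains two challenges for one commitment."""
    ss = [secrets.randbelow(Q) for _ in range(R)]
    coms = [pow(G, s, P) for s in ss]
    proof = []
    for i in range(R):
        ch = secrets.randbelow(2 ** T)
        z = (ss[i] + ch * w) % Q
        ro.query(x, coms, i, ch, z)
        proof.append((coms[i], ch, z))
    return proof

def demo():
    w = secrets.randbelow(Q)
    x = pow(G, w, P)
    ro = RandomOracle()
    proof = fischlin_prove(ro, x, w)
    prover_queries = list(ro.log)  # snapshot before the verifier adds its own
    return {"witness": w, "verified": fischlin_verify(ro, x, proof),
            "extracted": straightline_extract(x, prover_queries)}

if __name__ == "__main__":
    print(demo())
```

Running demo() yields a proof that verifies and the witness recovered purely from the query log. The lazy prover's proof is rejected by the sum check with overwhelming probability and yields no extraction, which is the whole point: a proof that verifies forces (w.h.p.) some repetition to have been hashed under two different challenges, and special soundness turns those two queries into the witness. Note that the extractor re-checks every logged transcript with sigma_verify before using it, since a malicious prover controls what lands in the log.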
Result #3 (limitations):
The Fiat-Shamir-Schnorr transformation is not an adaptive proof of knowledge
under the one-more DL assumption (for black-box extractors).
so far: a certain extractor strategy fails [Shoup-Gennaro]
here: any efficient extractor strategy fails
One-More-DL Problem
[Figure: adversary A receives challenges from the challenger Ch and may query a DL oracle.]
Goal: output more solutions to challenges than DL queries made
[Bellare et al.]
Metareduction
[Figure: the metareduction plays the OMDL adversary against Ch with its DL oracle; internally it runs the extractor, answering its RO queries and playing the [Shoup-Gennaro] adversary towards it.]
Goal: output more solutions to challenges than DL queries
Use the [Shoup-Gennaro] adversary here; the metareduction makes at most 2 calls to DL for each proof.
If the extractor requires fewer than 2 executions to extract for some proof, then the metareduction solves the OMDL problem.
Final step in the proof (not here):
If the extractor requires 2 executions to extract for each proof,
then the Shoup-Gennaro adversary forces an exponential number of executions.
Combinatorial argument, via an execution tree.