Fiat-Shamir and Correlation Intractability from Strong KDM-Secure Encryption

  • Ran Canetti
  • Yilei Chen
  • Leonid Reyzin
  • Ron D. Rothblum
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 10820)

Abstract

A hash function family is called correlation intractable if for all sparse relations, it is hard to find, given a random function from the family, an input-output pair that satisfies the relation (Canetti et al., STOC 1998). Correlation intractability (CI) captures a strong Random-Oracle-like property of hash functions. In particular, when security holds for all sparse relations, CI suffices for guaranteeing the soundness of the Fiat-Shamir transformation from any constant round, statistically sound interactive proof to a non-interactive argument. However, to date, the only CI hash function for all sparse relations (Kalai et al., Crypto 2017) is based on general program obfuscation with exponential hardness properties.

We construct a simple CI hash function for arbitrary sparse relations, from any symmetric encryption scheme that satisfies some natural structural properties, and in addition guarantees that key recovery attacks mounted by polynomial-time adversaries have only exponentially small success probability, even in the context of key-dependent messages (KDM). We then provide parameter settings where ElGamal encryption and Regev encryption plausibly satisfy the needed properties. Our techniques are based on those of Kalai et al., with the main contribution being substituting a statistical argument for the use of obfuscation, therefore greatly simplifying the construction and basing security on better-understood intractability assumptions.

In addition, we extend the definition of correlation intractability to handle moderately sparse relations so as to capture the properties required in proof-of-work applications (e.g. Bitcoin). We also discuss the applicability of our constructions and analyses in that regime.
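As an added illustration (not code from the paper), the following Python toy shows the Fiat-Shamir transform of the Schnorr protocol and why the hash must be correlation intractable for the sparse "bad challenge" relation: a first message prepared without the witness is answerable for exactly one of the q challenges, so soundness rests on the hash not being steerable into that 1/q-dense relation. SHA-256 stands in for a CI hash, and the group parameters p = 23, q = 11, g = 2 are constructed toy values.

```python
import hashlib

# Constructed toy group (NOT a secure parameter set): p = 23 is a safe prime,
# q = 11 = (p-1)/2, and g = 2 generates the order-q subgroup of Z_p^*.
# Real deployments use a ~256-bit q; the structure below is unchanged.
P, Q, G = 23, 11, 2


def fs_hash(h: int, a: int) -> int:
    """Fiat-Shamir challenge derived from (statement, first message).
    SHA-256 stands in for a correlation-intractable hash; the paper's point
    is that Fiat-Shamir soundness needs CI for sparse relations."""
    data = f"{P}|{G}|{h}|{a}".encode()
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % Q


def prove(x: int, r: int, challenge=fs_hash):
    """Honest Schnorr prover for 'I know x with h = g^x', made non-interactive:
    the verifier's random challenge is replaced by challenge(h, a)."""
    h = pow(G, x, P)
    a = pow(G, r, P)              # first message (commitment to randomness r)
    c = challenge(h, a)           # Fiat-Shamir: challenge = hash of transcript
    z = (r + c * x) % Q           # response
    return h, (a, z)


def verify(h: int, proof, challenge=fs_hash) -> bool:
    """Non-interactive verifier: recompute the challenge, check g^z = a * h^c."""
    a, z = proof
    c = challenge(h, a)
    return pow(G, z, P) == (a * pow(h, c, P)) % P


def answerable_challenges(h: int, a: int, z: int):
    """All c in Z_q for which (a, z) is accepted. For a first message prepared
    without knowing x this set has size 1: the 'bad challenge' relation
    {((h, a), c) : g^z = a * h^c} is sparse, with density 1/q per input."""
    return [c for c in range(Q) if pow(G, z, P) == (a * pow(h, c, P)) % P]


def forge_without_witness(h: int, c_guess: int, z: int):
    """Textbook cheating strategy against the interactive protocol: fix c and
    z first and solve for a = g^z * h^(-c). It is accepted only if the
    challenge actually used equals c_guess, which a CI hash makes hard."""
    a = (pow(G, z, P) * pow(pow(h, c_guess, P), -1, P)) % P
    return (a, z)


def fiat_shamir_soundness_demo():
    """Returns (honest proof accepted, forgery accepted under a degenerate hash)."""
    h, proof = prove(x=3, r=5)
    honest_ok = verify(h, proof)
    # A hash that ignores its input is the extreme non-CI case: every input
    # lands in the sparse relation, so the transformed argument is unsound.
    constant = lambda h, a: 0
    forged = forge_without_witness(h, c_guess=0, z=7)
    return honest_ok, verify(h, forged, challenge=constant)
```

With the SHA-256 stand-in the forgery is accepted only when `fs_hash(h, a)` happens to equal the guessed challenge, i.e. with probability about 1/q per attempt; in the toy group that is 1/11, which is why a real q must be large and the hash must be CI.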

Notes

Acknowledgments

We thank the anonymous reviewers for their helpful comments.

R.C. is a member of the Check Point Institute for Information Security, and is supported by ISF grant 1523/14. R.C. and Y.C. are supported by the NSF MACS project. L.R. is supported by NSF grant 1422965. R.D.R. is supported by DARPA and the U.S. Army Office under contract numbers W911NF-15-C-0226 and W911NF-15-C-0236, a Simons Investigator Award Agreement Dated 6-5-12, and the Cybersecurity and Privacy Institute at Northeastern University.

References

  1. Abdalla, M., An, J.H., Bellare, M., Namprempre, C.: From identification to signatures via the Fiat-Shamir transform: minimizing assumptions for security and forward-security. In: Knudsen, L.R. (ed.) EUROCRYPT 2002. LNCS, vol. 2332, pp. 418–433. Springer, Heidelberg (2002). https://doi.org/10.1007/3-540-46035-7_28
  2. Adleman, L.: A subexponential algorithm for the discrete logarithm problem with applications to cryptography. In: 1979 20th Annual Symposium on Foundations of Computer Science, pp. 55–60. IEEE (1979)
  3. Ajtai, M.: Generating hard instances of lattice problems (extended abstract). In: STOC, pp. 99–108 (1996)
  4. Albrecht, M.R., Player, R., Scott, S.: On the concrete hardness of learning with errors. J. Math. Cryptol. 9(3), 169–203 (2015)
  5. Applebaum, B.: Key-dependent message security: generic amplification and completeness. J. Cryptol. 27(3), 429–451 (2014)
  6. Applebaum, B., Cash, D., Peikert, C., Sahai, A.: Fast cryptographic primitives and circular-secure encryption based on hard learning problems. In: Halevi, S. (ed.) CRYPTO 2009. LNCS, vol. 5677, pp. 595–618. Springer, Heidelberg (2009). https://doi.org/10.1007/978-3-642-03356-8_35
  7. Arora, S., Ge, R.: New algorithms for learning in presence of errors. In: Aceto, L., Henzinger, M., Sgall, J. (eds.) ICALP 2011. LNCS, vol. 6755, pp. 403–415. Springer, Heidelberg (2011). https://doi.org/10.1007/978-3-642-22006-7_34
  8. Babai, L.: On Lovász’ lattice reduction and the nearest lattice point problem. Combinatorica 6(1), 1–13 (1986)
  9. Barak, B., Haitner, I., Hofheinz, D., Ishai, Y.: Bounded key-dependent message security. In: Gilbert, H. (ed.) EUROCRYPT 2010. LNCS, vol. 6110, pp. 423–444. Springer, Heidelberg (2010). https://doi.org/10.1007/978-3-642-13190-5_22
  10. Barak, B., Lindell, Y., Vadhan, S.P.: Lower bounds for non-black-box zero knowledge. J. Comput. Syst. Sci. 72(2), 321–391 (2006)
  11. Bellare, M., Hoang, V.T., Keelveedhi, S.: Instantiating random oracles via UCEs. In: Canetti, R., Garay, J.A. (eds.) CRYPTO 2013. LNCS, vol. 8043, pp. 398–415. Springer, Heidelberg (2013). https://doi.org/10.1007/978-3-642-40084-1_23
  12. Bellare, M., Rogaway, P.: Random oracles are practical: a paradigm for designing efficient protocols. In: ACM Conference on Computer and Communications Security, pp. 62–73 (1993)
  13. Ben-Sasson, E., Chiesa, A., Spooner, N.: Interactive oracle proofs. In: Hirt, M., Smith, A. (eds.) TCC 2016. LNCS, vol. 9986, pp. 31–60. Springer, Heidelberg (2016). https://doi.org/10.1007/978-3-662-53644-5_2
  14. Bitansky, N., Dachman-Soled, D., Garg, S., Jain, A., Tauman Kalai, Y., López-Alt, A., Wichs, D.: Why “Fiat-Shamir for proofs” lacks a proof. In: TCC, pp. 182–201 (2013)
  15. Black, J., Rogaway, P., Shrimpton, T.: Encryption-scheme security in the presence of key-dependent messages. In: Selected Areas in Cryptography, pp. 62–75 (2002)
  16. Blum, A., Kalai, A., Wasserman, H.: Noise-tolerant learning, the parity problem, and the statistical query model. J. ACM 50(4), 506–519 (2003)
  17. Blum, M., Feldman, P., Micali, S.: Non-interactive zero-knowledge and its applications (extended abstract). In: Proceedings of the 20th Annual ACM Symposium on Theory of Computing, 2–4 May 1988, Chicago, Illinois, USA, pp. 103–112 (1988)
  18. Boldyreva, A., Cash, D., Fischlin, M., Warinschi, B.: Foundations of non-malleable hash and one-way functions. In: Matsui, M. (ed.) ASIACRYPT 2009. LNCS, vol. 5912, pp. 524–541. Springer, Heidelberg (2009). https://doi.org/10.1007/978-3-642-10366-7_31
  19. Boneh, D., Halevi, S., Hamburg, M., Ostrovsky, R.: Circular-secure encryption from decision Diffie-Hellman. In: Wagner, D. (ed.) CRYPTO 2008. LNCS, vol. 5157, pp. 108–125. Springer, Heidelberg (2008). https://doi.org/10.1007/978-3-540-85174-5_7
  20. Brakerski, Z., Goldwasser, S.: Circular and leakage resilient public-key encryption under subgroup indistinguishability. In: Rabin, T. (ed.) CRYPTO 2010. LNCS, vol. 6223, pp. 1–20. Springer, Heidelberg (2010). https://doi.org/10.1007/978-3-642-14623-7_1
  21. Brakerski, Z., Goldwasser, S., Kalai, Y.T.: Black-box circular-secure encryption beyond affine functions. In: Ishai, Y. (ed.) TCC 2011. LNCS, vol. 6597, pp. 201–218. Springer, Heidelberg (2011). https://doi.org/10.1007/978-3-642-19571-6_13
  22. Camenisch, J., Lysyanskaya, A.: An efficient system for non-transferable anonymous credentials with optional anonymity revocation. In: EUROCRYPT: Advances in Cryptology: Proceedings of EUROCRYPT (2001)
  23. Canetti, R.: Towards realizing random oracles: hash functions that hide all partial information. In: Kaliski, B.S. (ed.) CRYPTO 1997. LNCS, vol. 1294, pp. 455–469. Springer, Heidelberg (1997). https://doi.org/10.1007/BFb0052255
  24. Canetti, R., Chen, Y., Reyzin, L.: On the correlation intractability of obfuscated pseudorandom functions. In: Kushilevitz, E., Malkin, T. (eds.) TCC 2016. LNCS, vol. 9562, pp. 389–415. Springer, Heidelberg (2016). https://doi.org/10.1007/978-3-662-49096-9_17
  25. Canetti, R., Chen, Y., Reyzin, L., Rothblum, R.D.: Fiat-Shamir and correlation intractability from strong KDM-secure encryption. Cryptology ePrint Archive, Report 2018/131 (2018)
  26. Canetti, R., Goldreich, O., Halevi, S.: The random oracle methodology, revisited (preliminary version). In: [78], pp. 209–218. ACM (1998)
  27. Canetti, R., Goldreich, O., Halevi, S.: The random oracle methodology, revisited. J. ACM 51(4), 557–594 (2004)
  28. Canetti, R., Tauman Kalai, Y., Varia, M., Wichs, D.: On symmetric encryption and point obfuscation. In: Micciancio, D. (ed.) TCC 2010. LNCS, vol. 5978, pp. 52–71. Springer, Heidelberg (2010). https://doi.org/10.1007/978-3-642-11799-2_4
  29. Canetti, R., Micciancio, D., Reingold, O.: Perfectly one-way probabilistic hash functions (preliminary version). In: [78], pp. 131–140. ACM (1998)
  30. Coppersmith, D., Odlyzko, A.M., Schroeppel, R.: Discrete logarithms in GF(p). Algorithmica 1(1), 1–15 (1986)
  31. Diem, C.: On the discrete logarithm problem in elliptic curves. Compositio Mathematica 147(1), 75–104 (2011)
  32. Dodis, Y., Oliveira, R., Pietrzak, K.: On the generic insecurity of the full domain hash. In: Shoup, V. (ed.) CRYPTO 2005. LNCS, vol. 3621, pp. 449–466. Springer, Heidelberg (2005). https://doi.org/10.1007/11535218_27
  33. Dodis, Y., Ristenpart, T., Vadhan, S.P.: Randomness condensers for efficiently samplable, seed-dependent sources. In: TCC, pp. 618–635 (2012)
  34. Döttling, N., Müller-Quade, J.: Lossy codes and a new variant of the learning-with-errors problem. In: Johansson, T., Nguyen, P.Q. (eds.) EUROCRYPT 2013. LNCS, vol. 7881, pp. 18–34. Springer, Heidelberg (2013). https://doi.org/10.1007/978-3-642-38348-9_2
  35. Dwork, C., Naor, M.: Pricing via processing or combatting junk mail. In: Brickell, E.F. (ed.) CRYPTO 1992. LNCS, vol. 740, pp. 139–147. Springer, Heidelberg (1993). https://doi.org/10.1007/3-540-48071-4_10
  36. Dwork, C., Naor, M., Reingold, O., Stockmeyer, L.J.: Magic functions. J. ACM 50(6), 852–921 (2003)
  37. ElGamal, T.: A public key cryptosystem and a signature scheme based on discrete logarithms. IEEE Trans. Inf. Theor. 31(4), 469–472 (1985)
  38. Feige, U., Lapidot, D., Shamir, A.: Multiple noninteractive zero knowledge proofs under general assumptions. SIAM J. Comput. 29, 1–28 (1999)
  39. Fiat, A., Shamir, A.: How to prove yourself: practical solutions to identification and signature problems. In: Odlyzko, A.M. (ed.) CRYPTO 1986. LNCS, vol. 263, pp. 186–194. Springer, Heidelberg (1987). https://doi.org/10.1007/3-540-47721-7_12
  40. Galbraith, S.D., Gaudry, P.: Recent progress on the elliptic curve discrete logarithm problem. Des. Codes Crypt. 78(1), 51–72 (2016)
  41. Gaudry, P.: Index calculus for abelian varieties of small dimension and the elliptic curve discrete logarithm problem. J. Symb. Comput. 44(12), 1690–1702 (2009)
  42. Gaudry, P., Hess, F., Smart, N.P.: Constructive and destructive facets of Weil descent on elliptic curves. J. Cryptology 15(1), 19–46 (2002)
  43. Gentry, C.: Fully homomorphic encryption using ideal lattices. In: Mitzenmacher, M. (ed.) STOC, pp. 169–178. ACM (2009)
  44. Goldwasser, S., Kalai, Y.T.: On the (in)security of the Fiat-Shamir paradigm. In: FOCS, pp. 102–113 (2003)
  45. Goldwasser, S., Micali, S.: Probabilistic encryption. J. Comput. Syst. Sci. 28(2), 270–299 (1984)
  46. Goldwasser, S., Micali, S., Rackoff, C.: The knowledge complexity of interactive proof-systems (extended abstract). In: STOC, pp. 291–304 (1985)
  47. Goyal, V., O’Neill, A., Rao, V.: Correlated-input secure hash functions. In: Ishai, Y. (ed.) TCC 2011. LNCS, vol. 6597, pp. 182–200. Springer, Heidelberg (2011). https://doi.org/10.1007/978-3-642-19571-6_12
  48. Granville, A.: Smooth numbers: computational number theory and beyond, pp. 267–323 (2008)
  49. Hada, S., Tanaka, T.: Zero-knowledge and correlation intractability. IEICE Trans. 89–A(10), 2894–2905 (2006)
  50. Haitner, I., Holenstein, T.: On the (im)possibility of key dependent encryption. In: Reingold, O. (ed.) TCC 2009. LNCS, vol. 5444, pp. 202–219. Springer, Heidelberg (2009). https://doi.org/10.1007/978-3-642-00457-5_13
  51. Halevi, S., Krawczyk, H.: Security under key-dependent inputs. In: Ning, P., De Capitani di Vimercati, S., Syverson, P.F. (eds.) Proceedings of the 2007 ACM Conference on Computer and Communications Security, CCS 2007, Alexandria, Virginia, USA, 28–31 October 2007, pp. 466–475. ACM (2007)
  52. Halevi, S., Myers, S., Rackoff, C.: On seed-incompressible functions. In: Canetti, R. (ed.) TCC 2008. LNCS, vol. 4948, pp. 19–36. Springer, Heidelberg (2008). https://doi.org/10.1007/978-3-540-78524-8_2
  53. Hanke, T.: AsicBoost - a speedup for Bitcoin mining. CoRR abs/1604.00575 (2016)
  54. Håstad, J., Impagliazzo, R., Levin, L.A., Luby, M.: A pseudorandom generator from any one-way function. SIAM J. Comput. 28(4), 1364–1396 (1999)
  55. Herold, G., Kirshanova, E., May, A.: On the asymptotic complexity of solving LWE. Des. Codes Crypt., 1–29 (2015)
  56. Hofheinz, D., Unruh, D.: Towards key-dependent message security in the standard model. In: Smart, N. (ed.) EUROCRYPT 2008. LNCS, vol. 4965, pp. 108–126. Springer, Heidelberg (2008). https://doi.org/10.1007/978-3-540-78967-3_7
  57. Ishai, Y., Kilian, J., Nissim, K., Petrank, E.: Extending oblivious transfers efficiently. In: Boneh, D. (ed.) CRYPTO 2003. LNCS, vol. 2729, pp. 145–161. Springer, Heidelberg (2003). https://doi.org/10.1007/978-3-540-45146-4_9
  58. Kalai, Y.T., Raz, R.: Probabilistically checkable arguments. In: Halevi, S. (ed.) CRYPTO 2009. LNCS, vol. 5677, pp. 143–159. Springer, Heidelberg (2009). https://doi.org/10.1007/978-3-642-03356-8_9
  59. Kalai, Y.T., Rothblum, G.N., Rothblum, R.D.: From obfuscation to the security of Fiat-Shamir for proofs. In: Katz, J., Shacham, H. (eds.) CRYPTO 2017. LNCS, vol. 10402, pp. 224–251. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-63715-0_8
  60. Kirchner, P., Fouque, P.-A.: An improved BKW algorithm for LWE with applications to cryptography and lattices. In: Gennaro, R., Robshaw, M. (eds.) CRYPTO 2015. LNCS, vol. 9215, pp. 43–62. Springer, Heidelberg (2015). https://doi.org/10.1007/978-3-662-47989-6_3
  61. Lenstra, A.K., Lenstra, H.W., Lovász, L.: Factoring polynomials with rational coefficients. Math. Ann. 261(4), 515–534 (1982)
  62. Lindner, R., Peikert, C.: Better key sizes (and attacks) for LWE-based encryption. In: Kiayias, A. (ed.) CT-RSA 2011. LNCS, vol. 6558, pp. 319–339. Springer, Heidelberg (2011). https://doi.org/10.1007/978-3-642-19074-2_21
  63. Menezes, A., Okamoto, T., Vanstone, S.A.: Reducing elliptic curve logarithms to logarithms in a finite field. IEEE Trans. Inf. Theor. 39(5), 1639–1646 (1993)
  64. Micciancio, D., Peikert, C.: Hardness of SIS and LWE with small parameters. In: Canetti, R., Garay, J.A. (eds.) CRYPTO 2013. LNCS, vol. 8042, pp. 21–39. Springer, Heidelberg (2013). https://doi.org/10.1007/978-3-642-40041-4_2
  65. Micciancio, D., Regev, O.: Lattice-based cryptography. In: Bernstein, D.J., Buchmann, J., Dahmen, E. (eds.) Post-Quantum Cryptography, pp. 147–191. Springer, Heidelberg (2009). https://doi.org/10.1007/978-3-540-88702-7_5
  66. Nakamoto, S.: Bitcoin: a peer-to-peer electronic cash system (2008). Accessed 28 Jan 2018
  67. Nguyen, P.Q., Stehlé, D.: LLL on the average. In: Hess, F., Pauli, S., Pohst, M. (eds.) ANTS 2006. LNCS, vol. 4076, pp. 238–256. Springer, Heidelberg (2006). https://doi.org/10.1007/11792086_18
  68. Nielsen, J.B.: Separating random oracle proofs from complexity theoretic proofs: the non-committing encryption case. In: Yung, M. (ed.) CRYPTO 2002. LNCS, vol. 2442, pp. 111–126. Springer, Heidelberg (2002). https://doi.org/10.1007/3-540-45708-9_8
  69. Petit, C., Kosters, M., Messeng, A.: Algebraic approaches for the elliptic curve discrete logarithm problem over prime fields. In: Cheng, C.-M., Chung, K.-M., Persiano, G., Yang, B.-Y. (eds.) PKC 2016. LNCS, vol. 9615, pp. 3–18. Springer, Heidelberg (2016). https://doi.org/10.1007/978-3-662-49387-8_1
  70. Pollard, J.M.: A Monte Carlo method for factorization. BIT Numer. Math. 15(3), 331–334 (1975)
  71. Rankin, R.A.: The difference between consecutive prime numbers. J. London Math. Soc. 1(4), 242–247 (1938)
  72. Regev, O.: On lattices, learning with errors, random linear codes, and cryptography. In: Gabow, H.N., Fagin, R. (eds.) Proceedings of the 37th Annual ACM Symposium on Theory of Computing, Baltimore, MD, USA, 22–24 May 2005, pp. 84–93. ACM (2005)
  73. Regev, O.: On lattices, learning with errors, random linear codes, and cryptography. J. ACM 56(6), 84–93 (2009)
  74. Reingold, O., Rothblum, G.N., Rothblum, R.D.: Constant-round interactive proofs for delegating computation. In: STOC, pp. 49–62. ACM (2016)
  75. Schnorr, C.-P.: A hierarchy of polynomial time lattice basis reduction algorithms. Theor. Comput. Sci. 53, 201–224 (1987)
  76. Semaev, I.A.: Summation polynomials and the discrete logarithm problem on elliptic curves (2004)
  77. Shoup, V.: Lower bounds for discrete logarithms and related problems. In: Fumy, W. (ed.) EUROCRYPT 1997. LNCS, vol. 1233, pp. 256–266. Springer, Heidelberg (1997). https://doi.org/10.1007/3-540-69053-0_18
  78. Vitter, J.S. (ed.): Proceedings of the Thirtieth Annual ACM Symposium on the Theory of Computing, Dallas, Texas, USA, 23–26 May 1998. ACM (1998)
  79. Zhandry, M.: The magic of ELFs. In: Robshaw, M., Katz, J. (eds.) CRYPTO 2016. LNCS, vol. 9814, pp. 479–508. Springer, Heidelberg (2016). https://doi.org/10.1007/978-3-662-53018-4_18

Copyright information

© International Association for Cryptologic Research 2018

Authors and Affiliations

  • Ran Canetti: Boston University, Boston, USA; Tel Aviv University, Tel Aviv, Israel
  • Yilei Chen: Boston University, Boston, USA
  • Leonid Reyzin: Boston University, Boston, USA
  • Ron D. Rothblum: MIT, Cambridge, USA; Northeastern University, Boston, USA