17 research outputs found

    Fiat-Shamir for highly sound protocols is instantiable

    The Fiat–Shamir (FS) transformation (Fiat and Shamir, Crypto '86) is a popular paradigm for constructing very efficient non-interactive zero-knowledge (NIZK) arguments and signature schemes from a hash function and any three-move interactive protocol satisfying certain properties. Despite its widespread applicability both in theory and in practice, the known positive results for proving security of the FS paradigm are in the random oracle model only, i.e., they assume that the hash function is modeled as an external random function accessible to all parties. On the other hand, a sequence of negative results shows that for certain classes of interactive protocols, the FS transform cannot be instantiated in the standard model. We initiate the study of complementary positive results, namely, studying classes of interactive protocols where the FS transform does have standard-model instantiations. In particular, we show that for a class of “highly sound” protocols that we define, instantiating the FS transform via a q-wise independent hash function yields NIZK arguments and secure signature schemes. In the case of NIZK, we obtain a weaker “q-bounded” zero-knowledge flavor where the simulator works for all adversaries asking an a-priori bounded number of queries q; in the case of signatures, we obtain the weaker notion of random-message unforgeability against q-bounded random message attacks. Our main idea is that when the protocol is highly sound, then instead of using random-oracle programming, one can use complexity leveraging. The question is whether such highly sound protocols exist and, if so, which protocols lie in this class. We answer this question in the affirmative in the common reference string (CRS) model and under strong assumptions. Namely, assuming indistinguishability obfuscation and puncturable pseudorandom functions, we construct a compiler that transforms any 3-move interactive protocol with instance-independent commitments and simulators (a property satisfied by the Lapidot–Shamir protocol, Crypto '90) into a compiled protocol in the CRS model that is highly sound. We also present a second compiler, in order to be able to start from a larger class of protocols, which only requires instance-independent commitments (a property for example satisfied by the classical protocol for quadratic residuosity due to Blum, Crypto '81). For the second compiler we require dual-mode commitments. We hope that our work inspires more research on classes of (efficient) 3-move protocols where Fiat–Shamir is (efficiently) instantiable.

    Universal Computational Extractors and the Superfluous Padding Assumption for Indistinguishability Obfuscation

    Universal Computational Extractors (UCEs), introduced by Bellare, Hoang and Keelveedhi (CRYPTO 2013), are a framework of assumptions on hash functions that allow one to instantiate random oracles in a large variety of settings. Brzuska, Farshim and Mittelbach (CRYPTO 2014) showed that a large class of UCE assumptions with computationally unpredictable sources cannot be achieved if indistinguishability obfuscation exists. In the process of circumventing obfuscation-based attacks, new UCE notions emerged, most notably UCEs with respect to statistically unpredictable sources, which suffice for a large class of applications. However, the only standard model constructions of UCEs are for a small subclass considering only q-query sources which are strongly statistically unpredictable (Brzuska, Mittelbach; Asiacrypt 2014). The contributions of this paper are threefold: 1) We show a surprising equivalence for the notions of strong unpredictability and (plain) unpredictability, thereby lifting the construction from Brzuska and Mittelbach to achieve q-query UCEs for statistically unpredictable sources. This yields standard model instantiations for various (q-query) primitives including deterministic public-key encryption, message-locked encryption, multi-bit point obfuscation, CCA-secure encryption, and more. For some of these, our construction yields the first standard model candidate. 2) We study the blow-up that occurs in indistinguishability obfuscation proof techniques due to puncturing and state the Superfluous Padding Assumption for indistinguishability obfuscation, which allows us to lift the q-query restriction of our construction. We validate the assumption by showing that it holds for virtual black-box obfuscation. 3) Brzuska and Mittelbach require a strong form of point obfuscation secure in the presence of auxiliary input for their construction of UCEs. We show that this assumption is indeed necessary for the construction of injective UCEs.

    Hash Combiners for Second Pre-Image Resistance, Target Collision Resistance and Pre-Image Resistance have Long Output

    A (k, l) hash-function combiner for property P is a construction that, given access to l hash functions, yields a single cryptographic hash function which has property P as long as at least k out of the l hash functions have that property. Hash function combiners are used to hedge against the failure of one or more of the individual components. One example of the application of hash function combiners is the previous versions of the TLS and SSL protocols [10, 8]. The concatenation combiner, which simply concatenates the outputs of all hash functions, is an example of a robust combiner for collision resistance. However, its output length is, naturally, significantly longer than each individual hash-function output, while the security bounds are not necessarily stronger than that of the strongest input hash function. In 2006 Boneh and Boyen asked whether a robust black-box combiner for collision resistance can exist that has an output length which is significantly less than that of the concatenation combiner [4]. Regrettably, this question has since been answered in the negative for fully black-box constructions (where hash function and adversary access is treated as black-box), that is, combiners (in this setting) for collision resistance roughly need at least the length of the concatenation combiner to be robust [4, 5, 16, 17]. In this paper we examine weaker notions of collision resistance, namely: second pre-image resistanc

    Iowa DNR Wastewater News, April 12, 2021

    E-newsletter providing information about Iowa natural resources activities across the state. Produced by the Iowa Department of Natural Resources.

    Random Oracles in the Standard Model

    Provable security is a fundamental concept of modern cryptography (see, e.g., Katz and Lindell; Introduction to Modern Cryptography, Chapter 1, 2007). In order to argue about security, we first require a precise and rigorous definition of what security means (e.g., a definition of secure encryption). Such a security definition, in particular, contains a description of the capabilities of an adversary, i.e., a model of the adversary which tries to come as close to reality as possible. Given a security model, the provable security approach is to provide a mathematical proof that a given construction achieves the desired level of security. In other words, we prove that no (efficient) adversary can break the security with good probability given that it behaves as defined within the security model. Typically, proofs reduce the security of a construction to an unproven cryptographic hardness assumption---we show that the existence of an adversary violates an assumption---which, preferably, is as simple as possible. Furthermore, any assumption needs to be stated precisely. Examples of cryptographic hardness assumptions can be complexity-theoretic assumptions, such as P vs. NP, the assumed existence of objects, such as one-way functions, or long-standing open problems from number theory, such as factoring large integers or computing the discrete log in certain groups. A widely used technique for the construction of cryptographic schemes is the so-called random oracle methodology, introduced in 1993 by Bellare and Rogaway (CCS, 1993). As before, we start with a precise model of security, which is extended to include a uniformly random function that may be evaluated by any party (including the construction and the adversary). As a random function has a huge, if not infinite, description, parties cannot be given its code but, instead, are provided with black-box access to an oracle which evaluates the function for them. This oracle is called the random oracle.
    Then, as before, a mathematical proof is given that a construction is secure as per definition relative to the random oracle. Finally, to implement the scheme in practice, the random oracle is replaced by a cryptographic hash function (such as SHA-3). No mathematical model can fully capture reality and, thus, cast in the framework of provable security, we may consider a random oracle security model as being somewhat further away from reality than a standard security model: in addition to the abstractions of the standard security model, it is assumed that adversaries do not make any use of the code of a hash function; it is assumed that they do not even evaluate the hash function on their own but use an external device for the evaluation (i.e., black-box access). Now, if we trust schemes that are designed according to the provable security approach, should we then also trust schemes devised via the random oracle methodology? This question has led to a huge debate within the cryptographic community and has been discussed for more than two decades. The discussion is fueled by results showing that the extension of security models to include a random oracle may produce provably secure schemes that cannot be securely implemented. In 1998, Canetti, Goldreich, and Halevi (STOC, 1998) showed that schemes exist that are inherently insecure but which should be secure according to the random oracle methodology. In more detail, they present a public-key encryption scheme which an adversary can trivially attack when given the code of the hash function that was used to replace the random oracle. Note that this differs from, e.g., side-channel attacks: while there, too, the attack is successful because it is outside the model, implementations can, potentially, protect against these attacks and, thus, secure implementations may exist.
    With the scheme presented by Canetti et al., on the other hand, there is, provably, no secure implementation although the scheme is secure in the random oracle model. Despite these negative results, many of the schemes that we trust on a daily basis---examples include the standardized public-key encryption scheme RSA-OAEP as well as the standardized signature schemes RSA-PSS and DSA---only have proofs in the random oracle model. Similarly, for many advanced cryptographic concepts, including IND-secure deterministic public-key encryption, correlated-input secure hash functions, universal hardcore functions, and many others, we (so far) only have constructions in the random oracle model. One reason for the success of random oracles is that they allow one to design very efficient and natural schemes. Furthermore, the power of random oracles enables us to realize concepts which we would not know how to implement without random oracles. A third, and very compelling, argument in favor of the random oracle methodology is that the random oracle heuristic seems to be a good one: no random oracle scheme which was not designed to portray inconsistencies of the random oracle model has been attacked due to the use of random oracles. However, if a scheme is, indeed, secure, should we then not be able to understand and pinpoint the underlying source of hardness? In this thesis we study random oracles with the help of program obfuscation (in particular indistinguishability obfuscation and point-function obfuscation). The study of obfuscation has a long tradition in computer science, and specifically in cryptography, but only recent advancements gave rise to the first candidate constructions of provably secure general-purpose indistinguishability obfuscators (Garg et al.; FOCS, 2013). Intuitively, a program obfuscator takes as input a program and produces a functionally equivalent but unintelligible program, i.e., the obfuscated program hides how it operates.
    Conceptually, this is very close to one of the fundamental abstractions made within the random oracle model, where hash functions do not have an explicit and efficient description but can be evaluated only via black-box access to the random oracle. While an obfuscated hash function still has an explicit and efficient description, the description should hide the way the function works and, thus, intuitively, should be of no help to any adversary. Using obfuscation-based techniques we show how to instantiate the random oracle in various cryptographic constructions. Amongst others, we obtain the first standard model (i.e., without random oracles) candidate construction for a universal hardcore function with long output, a q-query correlated-input secure hash function, and q-query IND-secure deterministic public-key encryption. We obtain our positive results by instantiating various forms of universal computational extractors. The universal computational extractor (UCE) framework was introduced by Bellare, Hoang, and Keelveedhi (CRYPTO, 2013) to provide (very strong) standard-model notions of hash functions that allow instantiating random oracles in a wide range of applications. Intriguingly, even though obfuscation allows us to show how to replace random oracles in certain situations, it also allows us to show limitations of the random oracle methodology as well as of UCEs. Using obfuscation-based techniques, we prove that several concrete UCE assumptions (including all originally proposed assumptions) cannot hold in case indistinguishability obfuscation exists. (We note that these negative results inspired the weaker UCE notions that lie at the core of our positive constructions.) Assuming the existence of indistinguishability obfuscation also allows us to extend the uninstantiability techniques of Canetti et al. (STOC, 1998) and show that a large class of random-oracle transformations are not sound.
    This affects the Encrypt-with-Hash transformation (Bellare et al.; CRYPTO, 2007) to construct deterministic public-key encryption, as well as the widely used Fujisaki–Okamoto transformation (Fujisaki, Okamoto; CRYPTO, 1999), which transforms weak public-key encryption schemes into strong public-key encryption schemes. An often repeated criticism of random-oracle uninstantiability results is that the schemes only fail to be secure because they are designed to do so and, furthermore, their artificial design conflicts with good cryptographic practice (see, for example, Koblitz and Menezes; Journal of Cryptology, 2007). Similar criticism can be voiced also for our counterexamples to the general applicability of the above-mentioned random-oracle transformations. While this does not refute the mathematical validity of such uninstantiability results, we do, however, also present a very different counterexample to the soundness of the random oracle methodology: we show that if indistinguishability obfuscation exists, then a strong variant of point-function obfuscation (which can be similarly interpreted as a strong form of symmetric encryption) cannot be achieved without the help of random oracles, while at the same time there are simple and elegant constructions in the random oracle model. We note that the same holds also for our negative results for UCEs. In summary, we develop techniques to work with obfuscation which allow us to show that the existence of indistinguishability obfuscation implies that various random oracle techniques may lead to insecure schemes. Our results suggest, once again, that we should be careful with random oracle proofs, and we hope that they spark further research to overcome the necessity to use random oracles in the first place. Concerning the latter, we make first steps by proposing new and widely applicable UCE notions together with standard-model candidate constructions, showing that UCEs may, indeed, be a viable alternative to the use of random oracles.

    Modeling Random Oracles Under Unpredictable Queries

    In recent work, Bellare, Hoang, and Keelveedhi (CRYPTO 2013) introduced a new abstraction called Universal Computational Extractors (UCEs), and showed how they can replace random oracles (ROs) across a wide range of cryptosystems. We formulate a new framework, called Interactive Computational Extractors (ICEs), that extends UCEs by viewing them as models of ROs under unpredictable (a.k.a. high-entropy) queries. We overcome a number of limitations of UCEs in the new framework, and in particular prove the adaptive RKA and semi-adaptive KDM security of a highly efficient symmetric encryption scheme using ICEs under key offsets. We show both negative and positive feasibility results for ICEs. On the negative side, we demonstrate ICE attacks on the HMAC and NMAC constructions. On the positive side we show that: 1) ROs are indeed ICE secure, thereby confirming the structural soundness of our definition and enabling a finer layered approach to protocol design in the RO model; and 2) a modified version of Liskov's Zipper Hash is ICE secure with respect to an underlying fixed-input-length RO, for appropriately restricted classes of adversaries. This brings the first result closer to practice by moving away from variable-input-length ROs. Our security proofs employ techniques from indifferentiability in multi-stage settings.

    The Theory of Hash Functions and Random Oracles - An Approach to Modern Cryptography

    This self-contained textbook explains the foundations of modern cryptography. It is supported with exercises, notes, references, and pointers to further reading. The authors introduce the theoretical foundations of the Random Oracle methodology. Suitable for undergraduate and graduate students of cryptology, information security, and computational complexity.

    The Holinshed Project: comparing and linking two editions of Holinshed's Chronicles

    This poster (digital or physical) discusses the digital humanities aspects of The Holinshed Project at the University of Oxford. To assist the project editors in comparing the two editions (1577 and 1587) of this important work, the Research Technologies Service built a comparison engine known as the 'TEI-Comparator'. This open source program incorporated a bespoke fuzzy text comparison algorithm based on n-grams with a front-end based on Google Web Toolkit for making and confirming automatic matches, correcting mistaken ones, or providing annotations of the matches between the two documents. By the time of the DRHA 2009 conference, the TEI-Comparator will have launched on Sourceforge with documentation and examples to make it easy for others to re-purpose this software for other similar uses, and to submit bugs and requests for future development. Although it has been known as the 'TEI-Comparator', in fact the program should work well with XML files of any vocabulary as long as the elements being compared have sufficient unique text in them.
    Citation: Cummings, J. & Mittelbach, A. (2009). The Holinshed Project: comparing and linking two editions of Holinshed's Chronicles. Poster presented at: Digital Resources for the Humanities & Arts: Dynamic Networks of Knowledge and Practice: Contexts, Crises, Futures (DRHA 2009); 2009 Sep 7-9; Belfast, Ireland.