Adaptive Proofs of Knowledge in the Random Oracle Model
نویسندگان
چکیده
We formalise the notion of adaptive proofs of knowledge in the random oracle model, where the extractor has to recover witnesses for multiple, possibly adaptively chosen statements and proofs. We also discuss extensions to simulation soundness, as typically required for the “encrypt-then-prove” construction of strongly secure encryption from IND-CPA schemes. Utilizing our model we show three results: (1) Simulation-sound adaptive proofs exist. (2) The “encrypt-then-prove” construction with a simulation-sound adaptive proof yields CCA security. This appears to be a “folklore” result but which has never been proven in the random oracle model. As a corollary, we obtain a new class of CCA-secure encryption schemes. (3) We show that the Fiat-Shamir transformed Schnorr protocol is not adaptively secure and discuss the implications of this limitation. Our result not only separates adaptive proofs from proofs of knowledge, but also gives a strong hint why Signed ElGamal as the most prominent encrypt-then-prove example has not been proven CCA-secure without making further assumptions.
منابع مشابه
On Limitations of the Fiat - Shamir Transformation
It has long been known (Shoup and Gennaro 1998 [1]) that non-interactive proofs in the Random Oracle model that rely on rewinding extractors can be problematic. Recent results by Seurin and Treger [10] and Bernhard et al. [12] formally confirmed such limitations for proofs derived from the Schnorr protocol via the Fiat-Shamir transform. The limitations relate to the concept of adaptive proofs w...
متن کاملSwitching Lemma for Bilinear Tests and Constant-Size NIZK Proofs for Linear Subspaces
We state a switching lemma for tests on adversarial responses involving bilinear pairings in hard groups, where the tester can effectively switch the randomness used in the test from being given to the adversary at the outset to being chosen after the adversary commits its response. The switching lemma can be based on any k-linear hardness assumptions on one of the groups. In particular, this e...
متن کاملSeparating Random Oracle Proofs from Complexity Theoretic Proofs: The Non-committing Encryption Case
We show that there exists a natural protocol problem which has a simple solution in the random-oracle (RO) model and which has no solution in the complexity-theoretic (CT) model, namely the problem of constructing a non-interactive communication protocol secure against adaptive adversaries a.k.a. non-interactive non-committing encryption. This separation between the models is due to the so-call...
متن کاملNon-adaptive programmability of random oracle
Random Oracles serve as an important heuristic for proving security of many popular and important cryptographic primitives. But, at the same time they are criticized due to the impossibility of practical instantiation. Programmability is one of the most important feature behind the power of Random Oracles. Unfortunately, in the standard hash functions, the feature of programmability is limited....
متن کاملThreshold and Revocation Cryptosystems via Extractable Hash Proofs
We present a new unifying framework for constructing non-interactive threshold encryption and signature schemes, as well as broadcast encryption schemes, and in particular, derive several new cryptosystems based on hardness of factoring, including: – a threshold signature scheme (in the random oracle model) that supports ad-hoc groups (i.e., exponential number of identities and the set-up is in...
متن کاملذخیره در منابع من
با ذخیره ی این منبع در منابع من، دسترسی به آن را برای استفاده های بعدی آسان تر کنید
عنوان ژورنال:
- IACR Cryptology ePrint Archive
دوره 2015 شماره
صفحات -
تاریخ انتشار 2015