Attacks on the Fiat-Shamir paradigm and program obfuscation
Author(s)Tauman Kalai, Yael
Massachusetts Institute of Technology. Dept. of Electrical Engineering and Computer Science.
MetadataShow full item record
The goal of cryptography is to construct *secure* and *efficient* protocols for various tasks. Unfortunately, it is often the case that protocols that are provably secure are not efficient enough for practical use. As a result, most protocols used in practice are *heuristics* that lack proofs of security. These heuristics are typically very efficient and are believed to be secure, though no proof of security has been provided. In this thesis we study the security of some of these popular heuristics. In particular, we focus on two types of heuristics: (1) the Fiat-Shamir heuristic for constructing digital signature schemes, and (2) heuristics for obfuscation. We show that, in some sense, both of these types of heuristics are insecure. Thus, this thesis consists of two parts: (1) The insecuirty of the Fiat-Shamir paradigm: The Fiat-Shamir heuristic provides a general method for transforming secure 3-round public-coin identification schemes into digital signature schemes. The idea of the transformation is to replace the random (second-round) message of the verifier in the identification scheme, with the value of some deterministic hash function evaluated on the first-round message (sent by the prover) and on the message to be signed.(cont.) The Fiat-Shamir methodology for producing digital signature schemes quickly gained popularity both in theory and in practice, as it yields efficient and easy to implement digital signature schemes. The most important question however remained open: are the digital signature schemes produced by the Fiat-Shamir methodology secure? In this thesis, we answer this question negatively. We show that there exist secure 3-round public-coin identification schemes for which the Fiat-Shamir transformation yields *insecure* digital signature schemes for *any* hash function used by the transformation. This is in contrast to the work of Pointcheval and Stern, who proved that the Fiat-Shamir methodology always produces digital signature schemes that are secure against chosen message attacks in the ``Random Oracle Model" -- when the hash function is modeled by a random oracle. (2) The impossibility of obfuscation: The goal of code obfuscation is to make a program completely "unintelligible" while preserving its functionality. Obfuscation has been used for many years in attempts to prevent reverse engineering, e.g ., in copy protection, licensing schemes, and games.(cont.) As a result, many heuristics for obfuscation have emerged, and the important question that remained is: are these heuristics for obfuscation secure? In this thesis, we show that there are many "natural" classes of functions for which obfuscation is not at all possible. This impossibility result holds in an augmentation of the formal obfuscation model of Barak, et al. (2001) that includes auxiliary input. In both of these parts, among other tools, we make new usage of Barak's technique for taking advantage of non black-box access to a program, this time in the context of digital signature schemes and in the context of obfuscation.
Thesis (Ph. D.)--Massachusetts Institute of Technology, Dept. of Electrical Engineering and Computer Science, 2006.This electronic version was submitted by the student author. The certified thesis is available in the Institute Archives and Special Collections.Includes bibliographical references (p. 115-119).
DepartmentMassachusetts Institute of Technology. Dept. of Electrical Engineering and Computer Science.
Massachusetts Institute of Technology
Electrical Engineering and Computer Science.