 Hi everyone. This talk is called, does Fiat Shamir require a cryptographic hash function? My name is Fermi Ma, and I'll be giving this talk. This is based on joint work with Yulai Chen, Alex Lombardi, and Willy Flush. All right, so I'll be talking today about public coin interactive protocols. So we have a prover on the left and a verifier on the right, and the prover wants to convince the verifier that some kind of statement is true. So for instance, x is in three set or that it knows a witness for x. And the way the prover is going to do this is they're going to have a back and forth interaction with the verifier. So it sends over messages, these AIs, and the verifier responds by sampling uniformly random coins and sending them back. At the end of this interaction, the verifier determines whether or not to accept just based on the transfer below. There's no private randomness here. So there's two properties that we always want to satisfy. One is completeness and the other is soundness. Completeness says that if the statement is true, then the verifier should accept with probability one. And soundness says that if statement is false, then the verifier should reject with high probability no matter what the prover does, even if it deviates from the protocol. So we know that interaction is really powerful. There's a lot you can do with interaction. You can prove anything in PSPACE. You can prove things in zero knowledge. You can prove things distinctly. But we know that interaction is also quite impractical. It's a very unwieldy assumption to have to make that your two parties are going to wait for each other's messages to be received. So whatever possible, we want to do things non-interactively. And that brings me to the fiat smear heuristic, which in a nutshell is a magical compiler that somehow removes interaction from public coin interactive protocols. So here's how it works. The prover and verifier are going to agree on some fiat smear hash function h. And now the prover, instead of having a back and forth conversation with the verifier, is essentially going to simulate this conversation. And every time the verifier is supposed to send a random message, the prover is instead going to compute that message by applying the hash function h to the transcript of the interaction so far. So let's watch it happen. The prover computes the first message a1, then when it needs the next challenge, it computes h applied to a1, responds to a2, then for the next challenge, it computes that is h of a1, a2, and so on and so forth. And the prover can send all these ai's to the verifier. The verifier can just recompute all these challenges arrived by applying the hash to the transcript so far. And at the end, the verifier just decides whether or not to accept or reject based on whether or not the interactive verifier would have accepted or rejected. This has been an extraordinarily fruitful approach to constructing crypto. So the idea is you build some interactive protocol for desired functionality, such as identify yourself over the internet with someone. And then you apply fiat smear, you create a non-interactive protocol for the same functionality. The important question, of course, is when exactly does this transformation preserve soundness? So here's the intuition we have. We have some interactive protocol that sound when the ai's are chosen randomly and out of the prover's hands. And now the fiat smear hash function should essentially play that role. We don't have any guarantee of the protocol sound when the prover can pick the ai's for itself. But the fiat smear hash function should essentially bound the prover to not be able to come up with arbitrary good ai's that will allow it to fool the verifier. There's basically two known approaches for giving positive results for fiat smear. One is to treat the hash function h, essentially a random oracle. And you can show that in most cases, if the hash function is a random oracle, the fiat smear transformation is in fact sound. And more recently, there's been an exciting line of work showing fiat smear compilation in the standard model, in particular showing that when the hash function satisfies a property known as correlation interactability, there's a lot of interesting fiat smear compilations that you can do. But in all these cases, this fiat smear hash function h is a cryptographic hash function, and there is some sort of computational hardness coming from the hash function itself. In this work, we ask the question, is this really necessary? Is this necessary for sound fiat smear compilation? So our first set of results, perhaps surprisingly, are actually positive results. We show that some protocols don't seem to need cryptographic fiat smear hash functions. So in particular, what I mean by a simple non-cryptographic fiat smear hash function are things like, say, compute the bit decomposition of a vector. You have some vector over zq, and the bit decompose vector is just expanding out every single one of these zq elements into a bit string representation of them. Or for instance, a hash function that computes a linear function of its inputs. So these hash functions are clearly not satisfying any any obvious cryptographic properties. They're totally invertible. And yet we show that these hash functions compile protocols such as Lubyshevsky's AD protocol, Schnorr's protocol, Chompeter's in protocol, so various protocols of interest that we actually want to implement non-interactively. So I should mention that the first result of Lubyshevsky is in the plain model, whereas all of our group-based results are shown in the generic group model. Our second set of results are negative results, basically showing that cryptographic fiat smear hash functions are necessary for a whole bunch of other protocols, so particular protocols that do not include the ones that we gave positive results for. So we show that for a large class of three message honest verifiers of your knowledge arguments, you actually do need some kind of cryptography in your hash function in order to get a sound fiat smear compilation. So in a little bit more detail, we show that any fiat smear hash function that compiles these protocols must be something called mix and match resistant, which I'll get into in the second half of this talk. So example protocols as it applies to are, say, Blom's Hamiltonicity protocol, the GMW3 coloring protocol, and in fact a one bit challenge version of the Schnorr protocol. And all these protocols crucially are sound via parallel repetition. And so this is actually the sort of the dividing line between the protocols that we have positive results for and the ones that we show negative results for. Essentially all of our positive results are for protocols that already sound, already have negligible soundness error without any parallel repetition. And our negative results apply to protocols that achieve their soundness, achieve negligible soundness by a parallel repetition of a protocol with a small challenge space. All right, so in this talk, I'm going to first give a simple, almost toy example, showing that simple fiat smear compiler works for turning Lubbish have these three message ID protocol into a one shot non interactive ID protocol. And then I'm going to show the a little more details on the negative results and explain why some protocols do require a cryptographic fiat smear hash function. And I encourage you all to look at the paper for more details on how our group based results work because I'm not going to cover those in this talk. So let me start by recapping Lubbish has to get a deep protocol. And for those of you familiar with the group based schnorr protocol, this is essentially a lattice analog of that of the schnorr protocol. So here we have three parameters a r and y. So a and y are going to be these two public matrices is going to be a random wide matrix over ZQ. Y is going to be statistically close to random. And why is going to be computed based on sampling a short square matrix are so short meaning the entries are small, right multiplying that to a computing y. So if I left over hash on my Y is going to be statistically random. So the prover is going to post these, these public and why these public parameters, and to identify itself to someone else is going to prove that it actually knows are right. So the prove it should be the only person who's able to convince somebody because they're the only person who generated Y and you are. So how does the prove reduce first it's going to sample a short vector T and left multiply this by a. And it's going to compute this vector alpha and send us over essentially alpha is going to function as type of commitment to T. Next, the verifier is going to sample a challenge vector. So we want the entries of the challenge vector to also be short for simplicity. I'm going to pick them to be random and zero one. And finally, the prover's task is to compute T plus R times C right so it knows are it can multiply R by C and they can add T to this and essentially mask it. And so it's going to send over the Z and the verifier can check the Z is computed correctly by left multiplying by a. So in particular checks that a times Z is equal to alpha plus Y times C and more over the Z is short. So you can verify that if the prover indeed follows a protocol correctly then this check will pass that Z will be short because T is short R is short and C is short and that AZ equals alpha plus YC holds as long as the prover does everything correctly. So in the Fiat Shamir version of the protocol, of course, the prover is just going to apply the hash function H to alpha and it's going to use that in place of C. So let me just put that up. So in the non-interactive Lubitschewski protocol, it's essentially the same thing but now H of alpha is playing the role of C. So it just sends over alpha and C because the verifier can compute the middle message H of alpha for itself. And so finally the verifier accepts same condition as in the interactive protocol if Z is short and this condition is satisfied. So let's think about what do you want out of H to ensure that this is actually hard, right? So that if somebody comes along and just sees A and Y has no knowledge of what R is, they shouldn't be able to produce this non-interactive proof that they know R. So here's what we want, right? We want H such that if you see a random A and Y, it's going to be hard to find alpha and a short Z satisfying this equation, this condition that if satisfied the verifier will accept. So here is the key idea. Everything is in this box. So what you want to do is pick an H such that alpha is equal to G times H of alpha for some matrix G. So in particular, you want that the input alpha is some linear function of the output H of alpha. So alpha is equal to some matrix G times the output H of alpha. So one example of a choice of H that works is think about H being the big decomposition of vector alpha, right? Taking the vector alpha and taking every component and expanding out the big decomposition. Now you can pick G to be the so called gadget matrix. It was powers of two matrix, right? And now multiplying G by H of alpha recovers the original input alpha. So this is the G matrix to keep in mind here. So imagine we've set our Fiat smear hash function this way. H satisfies this property. It is the big decomposition function and satisfies this property. Then we can plug in alpha and replace that alpha vector with the G times H of alpha. And now all we have to do is rearrange. So now we're going to get minus A can catenate with G plus Y. And this times the vector Z can catenate with H of alpha is actually equal to the zero vector. But I claim now that we're actually done. This is all we wanted to show. That producing this alpha and short Z is now hard. And the reason is that A and Y are random, right? So for some fixed G, we're going to have that A can catenate with G plus Y is a random wide matrix. And if the adversary is able to convince the verifier to accept, then it also finds a short Z can catenate with H of alpha vector such that this vector times A can catenate G plus Y is a zero vector. And if you look at it, this is actually just a sys problem. I gave you a random wide matrix and you found me a short solution, a short pre-image of zero. So that's it. We're done. This shows that the non-interactive version of Lubyshevsky is sound as long as you use the bit decomposition function as your fiat smear hash function. So a brief aside on lattices, note here that the honest prover is actually able to compute this short solution, the sys solution. So in particular, it knows a short R is something AR equals Y and it computes a short solution. And if this sounds familiar, it's because it really is. So one fun fact, we've just re-derived lattice trapdoors. So the lattice trapdoors of MP12 and LW15 actually arise from applying fiat smear with the bit decomposition function to Lubyshevsky. So this is not at all how lattice trapdoors were derived in literature, but you actually could have arrived at them. You could have rediscovered them by trying to do fiat smear with a simple information theoretic hash function. And going a little bit further, if we want to talk all the way, talk about signatures, there's essentially two seemingly unrelated approaches to lattice signatures. And one is this GPV-based approach where this pre-image sampleable functions approach to computing signatures. And the other is the fiat smear-based approach by applying fiat smear to Lubyshevsky. And we show that essentially these two previously unrelated protocols or unrelated ways to getting lattice-based signatures are actually equivalent. If you instantiate the fiat smear with a particular bit decomposition-based hash function and then apply hash and sign with the random oracle. So thinking about fiat smear as simple hash functions allowed us to find this simple connection between the two way we know for constructing lattice signatures, which I think is a fun fact. All right, so that was a taste of the positive results. I encourage you to look at the paper for a lot more positive results, particularly all of our group-based results are deferred to the paper. I want to move on to the negative results in a particular, so I want to talk about why some protocols are going to require a cryptographic fiat smear hash function, exactly what that means. So I'm going to put up a generic sigma protocol, pi. So in a generic protocol, generic sigma protocol, the prover first sends a commitment alpha, gets a response beta, gets a challenge beta, and sends a response gamma. And in all of our positive results that I mentioned before, this challenge beta is sampled from some challenge space R that's really large, right? In the Lubishevsky example, for instance, beta is a random bit vector, so there's exponentially many choices for the challenge. But many important protocols, for instance, GMR, BLOM, GMW, the challenge space size is actually small. It could be two, it could be poly, and soundness actually requires parallel repetition, right? You send many commitments alpha one, alpha t, you get a lot of challenges, you send a lot of responses over. And so that's actually the protocol that you want to apply fiat smear to, right? You want negligible soundness, so you first parallel repeat the interactive protocol, and then you apply fiat smear to that. So the bad news here is that our positive fiat smear results do not apply to these protocols. So in particular, you can't really hope to have such a simple fiat smear compiler like we did in the previous part of this talk for protocols such as GMR and BLOM. So here's our theorem. We show that for many common secret protocols pi, in particular, ones that satisfy these three properties. First off, that beta is sampled from some polynomial size challenge space. The first message alpha is going to be pseudo random. And moreover, we have honest verifier zero knowledge, which is a standard property of single protocols. So if you have your protocol satisfying all these three properties, which are satisfied by most of the classic protocols in literature, then the fiat smear hash function h that compiles the ty's parallel repetition of the protocol must be cryptographic. So this deserves a little bit more explanation. But what does it mean for h to be cryptographic? Well, informally, what I mean is that you can use the hash function h to define a challenger adversary game with a computational statistical gap. All right. So here's the proof idea. For any hash function h, we're going to define something called the mix and match game. And to ensure that there's actually a computational statistical gap, we're going to show that any, that an inefficient adversary can almost always win this game. Then we show that if an efficient adversary can win the mix and match game, then it can break the fiat smear compiled version of this protocol. So what exactly is this mix and match game for the hash function h? So what we're going to do is have a challenger. It's going to sample a whole bunch of alpha ij, beta ij's, basically in a grid. So we're going to have, you know, t columns where t, this t here corresponds to the t, the number of parallel repetitions we have. And k is going to be some number of rows that we'll set in a bit. So we sample an alpha ij, beta ij pair and put it in each cell. And now the adversary is given this table of these randomly chosen alpha ij, beta ij's. And the adversary is challenged to find one cell in each column, such that if you apply the fiat smear hash function h to all the alpha ij's in those cells, then it spits out all the beta ij's in those cells. All right. So in particular, like if the adversary could win, if it finds, say, these green cells here, if h applied to all these alphas can catenate together, gives all those betas can catenate it together. And so we show that as long as the number of rows is asymptotically larger than the number of columns, then there exists a solution to this game with overwhelming probability. And this could be, this is true for any hash function h. That's what's interesting about this lemma. All right. So what remains to show is that if you have an efficient attacker for this mix and match game for a hash function h, then you can break soundness of the fiat smear protocol. So here's how the attack works. It's very simple. So first, what we're going to do is run the honest verifier zero knowledge simulator for the signature protocol. We're going to do this every single, for every single cell of the mix and match game. So we're going to build up this whole grid. And we're only going to place the alpha ij beta ij part of the accepting transcript in each cell. We're going to hide the gamma ij's. We're not going to give that to our mix and match attacker. So we come up with this whole grid, and we're going to run the mix and match attacker on this grid of inputs, the all these alpha ij beta ij's, and that attacker is going to tell us which cell in each column to use. And just by the design of the mix and match game, if the mix and match attacker is correct, then we're actually fine. We're happy and we can break the fiat smear protocol. In particular, by the guarantee of the mix and match attacker, if it wins, then h applied to all these alphas will give us all the corresponding betas. And therefore, for those betas, we actually have the correct final message gamma ij that would make the verifier accept. And so why does this work? Why does this attack actually succeed? Well, the mix and match attacker is actually expecting to see a randomly generated grid of alpha ij and beta ij's. That's not quite what we have here, but we are relying on the fact that the first message of the smear protocol looks pseudo random. And moreover, that we have an honest verifier as your knowledge simulator so that the distribution of the simulated transcripts looks just like the real distribution. So from the perspective of the mix and match attacker, it sees essentially, or computationally, a random grid. And so if it succeeds in the mix and match game, it will succeed on this pseudo random grid. And then if the attacker succeeds, as I just explained, then we're able to break fiat smear. We're able to break the fiat smear protocol. All right, so in summary, the answer to our title question is basically sometimes. Does fiat smear require a cryptographic hash function? Well, for some protocols, it doesn't. And for some protocols, it does. So I encourage you to look at the paper for a larger collection of results. There's only a small taste of what we do in the full paper. Thanks so much for your attention. Take care.