Okay, so yeah, so this talk is on the security of the Fiat-Shamir paradigm when applied to statistically sound proofs. This is joint work with Ron Rothblum and Guy Rothblum. So Ron was supposed to give this talk. He's an amazing speaker, but unfortunately for you guys, and for me, he couldn't make it, so I'm going to be his proxy. So okay, so let's start. So the Fiat-Shamir heuristic is a really, really beautiful and elegant way to convert any three-round ID scheme into a signature scheme. So what is the difference between an ID scheme and a signature scheme? The main difference is that an ID scheme is interactive. It contains three rounds, whereas a signature scheme is non-interactive. You just sign a message. So what is the idea? How do you kind of reduce this interaction? So the idea is extremely simple and beautiful. So the idea is the following. You know what? The signer is going to produce the entire three messages, denoted throughout the talk by alpha, beta, and gamma. He will produce these on his own, subject to the constraint that beta needs to be a hash of the first message alpha and the message to be signed, M. Okay, so when you want to sign a message M, you generate alpha, like the prover. Beta will simply be a hash of alpha and the message you want to sign, and then you generate gamma. So alpha, beta, gamma is a proof, and it's accepted if it's an accepting transcript for the verifier of the ID scheme, and if beta is indeed the hash of alpha and the message. Okay, and this hash is going to be part of the public key. So that's the transformation. It's extremely simple, it's elegant, it's nice, and the great power of it is that typically signature schemes were extremely complex to construct, and identification schemes are extremely simple to construct. So it kind of shows you a very easy way to go from one to the other.
And indeed it was extremely popular, both with theoreticians and more applied people. I'm sure most of you, by the way, show of hands, who has heard of this paradigm, the Fiat-Shamir paradigm? Okay, so yeah. So as you see, I mean, we've all heard about it, and it's really beautiful. And the main question is, is it secure? So if you start with a secure ID scheme, do you get a secure signature scheme? And let me give you the intuition why it is secure. Okay, so what can an impersonator who tries to forge a signature, what can he do? He gets this hash. Now suppose this hash is really great, it's like a pseudorandom function. So it's like random, and moreover suppose that all the impersonator can do is kind of use this hash as a black box. Okay, it's kind of obfuscated or something. All you can do is kind of use it as a black box. And in this case, generating this transcript alpha, beta, gamma by interacting with a box, with a random function or with this box, is really the same as interacting with a verifier in the ID scheme. So if the ID scheme is secure, the signature scheme should also be secure. Okay, so that's the reason why security should hold. And indeed, this was formalized in the random oracle model. So it was proved that this paradigm is secure in the random oracle model, if the hash is modeled as a random oracle, by a series of beautiful works, starting with the work of Pointcheval and Stern, who gave a really, really beautiful idea with the Forking Lemma for showing this security. Okay, so the main question though, that remains, is it secure in the plain model? So can we come up with an actual hash function, not a random oracle, but an actual description of a hash function for which this paradigm is secure? So in 2003, together with Shafi, we gave a negative result. We showed that no, and let me explain to you what exactly we showed.
What we actually did is we gave a contrived example of an ID scheme, of a secure ID scheme, for which the corresponding signature scheme will be insecure no matter which hash function you use. Okay, so this ID scheme is contrived. So we didn't really say, oh, don't do the hash function, it's insecure. The take-home message from this work is: don't try to kind of prove a general possibility result for the Fiat-Shamir paradigm, because we do have counterexamples, okay? So in general, it's not always secure. Okay, actually this Fiat-Shamir paradigm, even though it was originally defined to convert ID schemes into signature schemes, it's much more general than that and has a lot of applications beyond ID schemes and signatures, and in particular it's been used, it can be used to kind of convert, to reduce interaction in any interactive protocol. So you can start with any constant-round public-coin interactive protocol and convert it to just two rounds using the Fiat-Shamir paradigm. Okay, how? In the first round, the verifier will just send a hash as before. And in the second round, the prover will generate the entire transcript on his own, where the random messages of the verifier he will compute by hashing the transcript so far, okay? Using the hash that he got from the verifier. So you can think of it in this extended setting, and again, this is very useful, it's been used a lot. One of the staple examples is Micali's very influential work on CS proofs, which uses this paradigm, and there have been many, many works in the literature that use this paradigm. And the main question, as before, is it secure? When we look at it in this extended setting, do we get security? So one can very easily, one can show that the same kind of idea of Pointcheval and Stern can be used to argue that this paradigm, this extended paradigm, is secure in the random oracle model, okay? So again, if we model H as a random oracle, it is secure. But then still we ask, is it secure in the plain model?
And in 2001, in a seminal work, Barak gave a negative result. He showed that it's insecure. And again, let me explain what we mean by insecure. What he actually showed, he gave an example of, he showed the existence of a constant-round public-coin zero-knowledge protocol, okay? This seems completely unrelated to the Fiat-Shamir paradigm. However, it was known that the existence of such a zero-knowledge protocol immediately implies the insecurity of this extended Fiat-Shamir paradigm. Why? So here's the intuition, the intuition is the following. What does it mean? So let's say this protocol here, the interactive proof, is zero knowledge. What does it mean? By definition of zero knowledge, it means for any cheating verifier V star, there exists an efficient simulator who can simulate the interaction, right? So this simulator actually can be a cheating prover in the two-round protocol. Why? Think of the V star, the cheating verifier, as, instead of doing what he's supposed to, he uses a hash. Okay, so he actually generates the messages in this interactive protocol using a hash. That's the type of cheating verifier. For this cheating verifier, there exists a simulator by the zero-knowledge property. And this simulator, given the hash, just generates a transcript that is indistinguishable. So this was noticed by the work of Hada and Tanaka and by Dwork et al.: that if we did have a zero-knowledge protocol, a public-coin constant-round zero-knowledge protocol, that would immediately imply the insecurity of the Fiat-Shamir paradigm. And since Barak had constructed such a zero-knowledge protocol, we got the insecurity. Okay, so, so far, I just gave you examples of why Fiat-Shamir is insecure. The extended Fiat-Shamir is insecure, as was shown by Barak. The original Fiat-Shamir is insecure, as later shown by Shafi and myself as a follow-up work to Barak, and we actually used many of his ideas.
But still, I promised you that I'm gonna have a positive result. So where's that positive result hiding? So let's take a closer look at the negative results. If we take a closer look at these examples of where the negative result comes from, we can see that the initial protocol, both the ID scheme and the zero-knowledge protocol, only have computational soundness. They're not statistically sound. Okay, so in the interactive protocol, if you're all-powerful, you can cheat, you can break the protocol. One can ask, well, what if we start with an interactive protocol that has statistical soundness? Can we, is Fiat-Shamir secure in that case? So if you start with an interactive proof that's statistically sound and convert it to a two-round argument using the Fiat-Shamir paradigm, is there any hope, can we prove that it's sound? And in a nutshell, our result is yes, under strong assumptions. So what do we show? We show that Fiat-Shamir, the extended Fiat-Shamir, the focus, it'd be easier to think of the extended Fiat-Shamir throughout the talk, is secure when applied to statistically sound proofs, as opposed to arguments, under strong assumptions such as iO, indistinguishability obfuscation. And I'll get back to the assumptions in a minute. But before I explain the assumptions in more detail, let me first talk about prior work on the security of Fiat-Shamir for proofs. So we noticed a long time ago that our negative results were only for computationally sound proofs, and there's a lot of work trying to prove or disprove the Fiat-Shamir paradigm when applied to statistically sound proofs. And let me kind of give you the main results in the literature that I'm aware of. So on the positive side, Barak, Lindell and Vadhan showed that there exists some property of hash functions, some kind of entropy-preserving property that I don't want to define, such that if your hash function has this property, then when you apply Fiat-Shamir with this kind of hash function, you will get security.
But whether there exists such a hash function, we don't know, okay? There's no construction or instantiation. Later, Dodis et al. showed that there actually does exist such a hash function that has this special property, but under some assumption, assuming that there are some robust randomness condensers with certain properties, and whether such things exist, we don't know. So we kind of know what we're looking for, but we haven't found it yet. And very recently, there's a result by Mittelbach and Venturi who actually gave a positive result for a special class of protocols, a special class of ID schemes, so that when you convert them into signature schemes, you'll get soundness. But this special class doesn't contain, I don't know really what's in there, but none of the ID schemes that were around, that were suggested in the literature, are contained in this class. They also showed how to kind of convert some ID schemes with some properties, under iO, to kind of fall into this special class in the CRS model. So they do have some kind of a general result as well. Okay. And the negative result? We also know, this is joint work with Bitansky et al., that you cannot prove soundness of the Fiat-Shamir paradigm, even for proofs, just focusing on proofs, you cannot prove soundness using what's called a black-box reduction to a falsifiable assumption, giving an indication that using the techniques that we have, we won't be able to prove soundness based on standard assumptions. So falsifiable assumption is a notion I introduced, but in any case, for those who are not familiar with this notion, just think of it as standard assumptions. Okay, it's a notion that's supposed to capture all standard assumptions. Okay. So this is where we stand. And now let me explain our results in more detail.
So what we show in this work, we actually show an explicit hash function, right there, the iO of a PRF family, such that if you start with any interactive proof that is statistically sound, then your two-round argument will be sound under some assumptions. So let me tell you our assumptions. First assumption, we need to assume that this iO over there that we use is really secure. It has to be actually sub-exponentially secure, or in other words, it needs to be 2^n secure where n is the input length. But just think of it as sub-exponential iO. This is kind of an assumption that often we need to rely on when we use iO in applications. Okay, another assumption is that the function f sub s that we iO is what's called a puncturable PRF, again with sub-exponential security, and this is known how to construct based on sub-exponential one-way functions. And the third assumption, and this is kind of weird, the third assumption actually has nothing to do with the construction. Okay, so the hash that I'm using is just iO of a puncturable PRF family. So a very secure iO and a very secure puncturable pseudorandom function. But I have another assumption, and the other assumption is I'm assuming exponential security of multi-bit point function obfuscation. I need a weak definition of obfuscation, we only need input-hiding obfuscation, which is kind of weaker than VBB, but we need exponential security for this multi-bit point function obfuscation. Now, when you look at this, it's really not clear where does point function obfuscation come into play. So first let me say that this notion has been studied in previous work before, and it's been constructed under a strong variant of the DDH assumption. We do not need auxiliary input in this assumption, for those who, because with auxiliary input there are a lot of caveats, we do not need auxiliary inputs, for those who are familiar. But the interesting thing, this assumption is only used actually in the analysis.
Okay, so in the analysis, if I have time to show you, you'll see we use this assumption. Okay, so this is our result. Now let's pause a minute and try to understand this result. So what's the take-home message? The take-home message here, so maybe some of you in the audience will say, oh, is this efficient? So the take-home message is, no, it's not efficient. Should you go and use Fiat-Shamir from now on with this kind of hash function because we prove soundness? No, so do not try this at home. It'll be very inefficient, it's not a good idea. So what is the take-home message? So there are two ways to think of this result. One is to say, look, this is a proof of concept that there exists a hash function for which you can prove security, and you can take this as an invitation to try to prove this for an efficient hash family. One can also think of it as, I don't know, some of us have been trying to prove a negative result for this, so it kind of shows you, well, in order to prove a negative result, you'll need to disprove these assumptions, or you'll need to overcome serious hurdles in order to prove a negative result. But in addition, I think this theorem has actually really interesting applications beyond the Fiat-Shamir paradigm. And let me give you one corollary. So one corollary that we get out of this theorem is we prove that there does not exist a constant-round public-coin zero-knowledge proof, statistically sound proof. So Barak showed this for an argument, for computationally sound. So Barak showed, sorry, that there exists a constant-round public-coin argument, computationally sound. Does there exist a statistically sound zero-knowledge public-coin one? We show no. So this problem was kind of open for the last few decades. There was a very famous work by Goldreich and Krawczyk that shows that there does not exist a constant-round public-coin black-box zero-knowledge proof.
So if you restrict the simulator to use the cheating verifier as a black box, then there does not exist one. But the question whether there exists any zero-knowledge proof, not black-box zero-knowledge proof, with constant rounds and public coins was an open question. And a corollary of our main theorem is that under our assumptions, there does not exist one. And why, why is that a corollary? So let's recall the transformation that we saw earlier: that if you had a constant-round public-coin zero-knowledge proof, this in itself is a counterexample, it demonstrates the insecurity of the Fiat-Shamir paradigm. So, hmm, okay, sorry. So if you had such a thing, you'd get that the Fiat-Shamir paradigm when applied to proofs would be insecure. But what I showed you is that under my assumptions, this is secure. And so with this secure, it must imply that there does not exist a constant-round public-coin zero-knowledge proof. And in particular, what this implies is that parallel repetition does not preserve zero knowledge. So in particular, take your favorite three-round, you know, zero-knowledge with constant soundness, Blum's protocol or three-coloring zero-knowledge, zero-knowledge for three-coloring, all these protocols, if any of these, if you wanna try to run them in parallel, zero knowledge will not be preserved. Okay, so that's a corollary of our main result. Another way to view our result, using different terminology, is we can cast our result in the terminology of correlation intractable hash functions. So this notion was, is a very beautiful notion introduced by Canetti, Goldreich, and Halevi. And this property should be thought of as a proxy to a random oracle. So we use the random oracle model a lot. And the question is what property do we really use from these, you know, what property of a hash does the random oracle model use? And the property that was put forth is correlation intractability. So what does correlation intractability mean?
So a hash function is said to be correlation intractable if, given a hash in the family, it's hard to find x and h of x that satisfy some rare relation. Okay, what does it mean? So for any relation that's rare or evasive, so what is an evasive relation? An evasive relation is one where for any input x, there are only negligibly many y's, a negligible fraction of y's, that satisfy the relation. And h is said to be correlation intractable if for any such rare or evasive relation, given a random hash from the family, it is hard to find x such that x, h of x is in the relation. And in the original work of Canetti et al., they showed that there does not exist a correlation intractable h where the description of the hash is short, shorter than the input size. Recently, there's a very nice work of Canetti, Chen and Reyzin that showed that there does exist a correlation intractable h, but for some relations, not for all evasive relations, but rather for all evasive relations that are computable in some a priori fixed polynomial time, assuming iO and related assumptions. And essentially, our result, what we show is that this specific hash function, iO applied to this puncturable PRF, is correlation intractable under our assumptions. Okay, so let's just see kind of a quick summary. So what we showed is, under the assumptions stated above, that the Fiat-Shamir paradigm is secure when applied to proofs, which implies that there does not, it resolves the open problem, that there does not exist a constant-round public-coin zero-knowledge proof, which in turn implies that parallel repetition does not preserve zero knowledge, and also, more generally, cast in the language of correlation intractability, we show that there does exist a correlation intractable hash function, which kind of can be used maybe in other settings to try to remove a random oracle. So in the few minutes I have left, maybe I'll try to give a very, very one-minute brief overview of the proof.
So let's just show the proof idea for the Fiat-Shamir paradigm. So why would it be secure to go from a three-round ID scheme to a signature? So intuitively, so what is our hash? It's iO of a pseudorandom function. If instead of iO we used VBB security, like virtual black box, we had an oracle, then as we said, it is secure. That's kind of security in the random oracle model. So we do know it's secure. But we don't have VBB security, so iO is kind of close. So let's use iO. The question is, is iO strong enough? Is that type of obfuscation, which only promises us indistinguishability, strong enough? And what we show is it is strong enough if we start with statistically sound proofs as opposed to computationally sound. If we start with computationally sound, this is not strong enough, because we have examples. But if we start with statistically sound, it is strong enough. So why? So what about statistically sound proofs? What properties do they have? The property they have is that for any first message, for an X not in the language, for every first message alpha, there are very few betas for which there exists a gamma that will correspond to an accepting transcript. Now, if we use a PRF, a really strong PRF here, then by the strength of this PRF, the fact that f of s, this has nothing to do with iO, just the fact that the PRF is strong enough, it means, let's call alpha bad if for beta, which is H of alpha, there exists a gamma. So you kind of can cheat with that alpha. So because it looks like a random function, this property that there exist few good betas should remain. So still one can easily show that there exist few bad alphas. So there are few alphas for which, for H of alpha, there exists a gamma. Okay, so there exist few bad alphas. And now the main part is to show, to argue that iO implies that it's hard to find these bad alphas. So the iO hides alpha. Okay, and to prove this is where we use the multi-bit point functions.
So I don't have time, but I'll just say that the main idea is to just plant, like, alpha star and beta star that have an accepting gamma star. We kind of plant that in the PRF, and we prove that it's hard to, that the cheating prover will find this planted alpha star, which follows from our assumptions. And then we get a contradiction by saying, oh, this alpha star that we planted, actually there's no way to find it because we're obfuscating this using a really, really strong PRF. Okay, so that's kind of the high-level idea. But again, just to summarize, Fiat-Shamir is secure for proofs. This is very great news for me. I've been working on this problem since I was a grad student, so I'm very happy to see a positive result, albeit under a very strong assumption and inefficient; it would be great to reduce assumptions, to gain efficiency and so on. And then we get really interesting corollaries that have nothing to do with the Fiat-Shamir paradigm and kind of resolve classical open problems related to zero knowledge, correlation intractability and so on. Okay, thank you.
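The transformation described at the start of the talk (alpha, beta = H(alpha, M), gamma), and the "few good betas per alpha" property of statistically sound proofs used in the proof sketch, as an added worked example that is not part of the talk. It applies Fiat-Shamir to the classic parallel-repeated quadratic-residuosity proof on a constructed toy modulus N = 77 (small enough to brute-force), with SHA-256 standing in for the hash; parameters and function names are the example's own.

```python
"""Fiat-Shamir on the parallel-repeated quadratic-residuosity proof (toy)."""
import hashlib
import secrets
from math import gcd

N = 7 * 11   # constructed toy modulus; real schemes use a ~2048-bit RSA-type N
K = 8        # parallel repetitions: the verifier's coins beta are K bits

def random_unit():
    """Uniform unit mod N (the honest prover's randomness r)."""
    while True:
        r = secrets.randbelow(N)
        if r > 0 and gcd(r, N) == 1:
            return r

def hash_challenge(alphas, msg):
    """beta = H(alpha, M): the signer replaces the verifier's random coins
    by hashing the first message together with the message being signed."""
    h = hashlib.sha256(N.to_bytes(4, "big"))
    for a in alphas:
        h.update(a.to_bytes(4, "big"))
    h.update(msg)
    digest = int.from_bytes(h.digest(), "big")
    return [(digest >> i) & 1 for i in range(K)]

def keygen(w):
    """Public statement y = w^2 mod N; the square root w is the signing key."""
    assert gcd(w, N) == 1
    return w * w % N

def sign(w, y, msg):
    rs = [random_unit() for _ in range(K)]
    alphas = [r * r % N for r in rs]                  # round 1: alpha_i = r_i^2
    betas = hash_challenge(alphas, msg)               # round 2: beta = H(alpha, M)
    gammas = [r * pow(w, b, N) % N for r, b in zip(rs, betas)]  # round 3
    return alphas, gammas

def verify(y, msg, sig):
    """Accept iff (alpha, H(alpha, M), gamma) is an accepting transcript of
    the interactive proof: gamma_i^2 == alpha_i * y^beta_i (mod N)."""
    alphas, gammas = sig
    if len(alphas) != K or len(gammas) != K:
        return False
    betas = hash_challenge(alphas, msg)
    for a, b, g in zip(alphas, betas, gammas):
        if gcd(a, N) != 1:            # alpha = 0 would make the check vacuous
            return False
        if g * g % N != a * pow(y, b, N) % N:
            return False
    return True

def accepting_challenges(y, alphas):
    """How many of the 2^K challenges beta admit SOME accepting gamma for this
    first message.  For a true statement every beta does; for a false one
    (y a non-residue) at most one bit per copy does, so at most one overall.
    This is the statistical-soundness property from the proof sketch."""
    squares = {g * g % N for g in range(1, N) if gcd(g, N) == 1}
    total = 1
    for a in alphas:
        total *= sum(1 for b in (0, 1) if a * pow(y, b, N) % N in squares)
    return total

if __name__ == "__main__":
    w = 4                                 # constructed secret square root
    y = keygen(w)
    sig = sign(w, y, b"example message")
    print("verifies:", verify(y, b"example message", sig))
    print("answerable challenges, true statement:", accepting_challenges(y, sig[0]))
    print("answerable challenges, y=3 (non-residue mod 77):", accepting_challenges(3, sig[0]))
```

With a random-looking H, an honest-style first message for a false statement is only "bad" in the talk's sense when H(alpha, M) happens to hit the single answerable challenge, which is the 2^-K event the proof sketch argues iO makes hard to find.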