
Fiat-Shamir Transformation of Multi-round Interactive Proofs

  • Conference paper
  • Theory of Cryptography (TCC 2022)

Part of the book series: Lecture Notes in Computer Science (LNCS, volume 13747)

Abstract

The celebrated Fiat-Shamir transformation turns any public-coin interactive proof into a non-interactive one, which inherits the main security properties (in the random oracle model) of the interactive version. While originally considered in the context of 3-move public-coin interactive proofs, i.e., so-called \(\varSigma \)-protocols, it is now applied to multi-round protocols as well. Unfortunately, the security loss for a \((2\mu + 1)\)-move protocol is, in general, approximately \(Q^\mu \), where Q is the number of oracle queries performed by the attacker. In general, this is the best one can hope for, as it is easy to see that this loss applies to the \(\mu \)-fold sequential repetition of \(\varSigma \)-protocols, but it raises the question whether certain (natural) classes of interactive proofs feature a milder security loss.

In this work, we give positive and negative results on this question. On the positive side, we show that for \((k_1, \ldots , k_\mu )\)-special-sound protocols (which cover a broad class of use cases), the knowledge error degrades linearly in Q, instead of \(Q^\mu \). On the negative side, we show that for t-fold parallel repetitions of typical \((k_1, \ldots , k_\mu )\)-special-sound protocols with \(t \ge \mu \) (and assuming for simplicity that t and Q are integer multiples of \(\mu \)), there is an attack that results in a security loss of approximately \(\frac{1}{2} Q^\mu /\mu ^{\mu +t}\).
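As an added illustration (not part of the paper's abstract), the standard grinding argument behind the \(Q^\mu\) loss for the \(\mu\)-fold sequential repetition of a \(\varSigma\)-protocol, assuming each repetition has a challenge set of size \(N\) and a cheating prover who can prepare a first message that answers exactly one challenge (so the interactive knowledge error per repetition is \(1/N\), and \((1/N)^\mu\) for the sequential repetition). In the Fiat-Shamir version, challenge \(c_i\) is the hash of the transcript prefix up to \(a_i\), so the attacker can spend \(q_i\) oracle queries re-sampling \(a_i\) in round \(i\) and only move to round \(i+1\) once the returned challenge is the one it prepared for:

\[
\Pr[\text{round } i \text{ succeeds}] \;=\; 1-\Bigl(1-\frac{1}{N}\Bigr)^{q_i} \;\le\; \frac{q_i}{N},
\qquad \sum_{i=1}^{\mu} q_i = Q,
\]

\[
\Pr[\text{forgery}] \;\le\; \prod_{i=1}^{\mu} \frac{q_i}{N}
\;\le\; \Bigl(\frac{Q}{\mu N}\Bigr)^{\mu}
\;=\; \Bigl(\frac{Q}{\mu}\Bigr)^{\mu} \cdot \Bigl(\frac{1}{N}\Bigr)^{\mu},
\]

where the second inequality is AM-GM with the budget split evenly, \(q_i = Q/\mu\). Since \(1-(1-1/N)^{q} \ge q/N - \binom{q}{2}/N^2\), the bound is essentially tight whenever \(Q/\mu \ll N\). Compared with the interactive error \((1/N)^\mu\), the non-interactive attacker gains a factor \((Q/\mu)^\mu\), i.e. \(Q^\mu\) up to the constant \(\mu^\mu\), which is the loss the abstract refers to as "approximately \(Q^\mu\)".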


Notes

  1. As a matter of fact, [11] considers arbitrary interactive oracle proofs (IOPs), but these notions are well-defined for ordinary interactive proofs too.

  2. This is clearly a contrived example since the natural construction would be to apply the Fiat-Shamir transformation to the parallel repetition of the original \(\varSigma \)-protocol, where no such huge security loss would then occur.

  3. When finalizing our write-up, we were informed by Wikström that he derived similar results a few months earlier, subsequently made available online [31].

  4. We always assume that the prover sends the first and the last message.

  5. The probabilities \(\Pr (A_i >0 \mid J = j)\) are all 0 or 1; however, it is still convenient to use probability notation here.

  6. Of course, it would be sufficient to rewind \(\mathcal {A}\) to the point where it makes the (first) query to a, but this would make the description more clumsy.

  7. Recall that we use \(a_i(j_1,\dots ,j_U)\) and \(a_i(j_1,\dots ,j_{i-1},j_{i+1},\dots ,j_U)\) interchangeably, exploiting that \(a_i(j_1,\dots ,j_U)\) does not depend on the i-th input \(j_i\).

  8. To be more precise, to allow for fresh randomness in the different runs of \(\mathcal {E}_{m+1}\) within \(\mathcal {E}_m\), we first replace the randomness of \(\mathcal {E}_{m+1}\) by \(F(j_1,\dots ,j_U)\) for a random function F, where \((j_1,\dots ,j_U)\) is the function table of the random oracle providing the answers to \(\mathcal {E}_{m+1}\)'s queries, and then we fix the choice of F and average over F after having applied Lemma 2 and Lemma 5.

  9. The soundness and knowledge error of a single invocation of \(\varPi \) are both equal to \({\text {Er}}(\textbf{k};N)\). Therefore, it immediately follows that the soundness error of the parallel repetition \(\varPi ^t\) is \({\text {Er}}(\textbf{k};N)^t\). The fact that the knowledge error of \(\varPi ^t\) also equals \({\text {Er}}(\textbf{k};N)^t\) follows from the recent work [7].

References

  1. Full version of this paper. IACR ePrint 2021/1377

  2. Albrecht, M.R., Lai, R.W.F.: Subtractive sets over cyclotomic rings - limits of Schnorr-like arguments over lattices. In: CRYPTO, pp. 519–548 (2021)

  3. Ames, S., Hazay, C., Ishai, Y., Venkitasubramaniam, M.: Ligero: lightweight sublinear arguments without a trusted setup. In: CCS, pp. 2087–2104. ACM (2017)

  4. Attema, T., Cramer, R.: Compressed \(\Sigma \)-protocol theory and practical application to plug & play secure algorithmics. In: CRYPTO, pp. 513–543 (2020)

  5. Attema, T., Cramer, R., Kohl, L.: A compressed \(\Sigma \)-protocol theory for lattices. In: CRYPTO, pp. 549–579 (2021)

  6. Attema, T., Cramer, R., Rambaud, M.: Compressed \(\Sigma \)-protocols for bilinear group arithmetic circuits and application to logarithmic transparent threshold signatures. In: ASIACRYPT, pp. 526–556 (2021)

  7. Attema, T., Fehr, S.: Parallel repetition of \((k_1,\dots , k_{\mu })\)-special-sound multi-round interactive proofs. In: CRYPTO (2022)

  8. Barak, B., Lindell, Y.: Strict polynomial-time in simulation and extraction. In: STOC, pp. 484–493 (2002)

  9. Bellare, M., Neven, G.: Multi-signatures in the plain public-key model and a general forking lemma. In: CCS, pp. 390–399 (2006)

  10. Ben-Sasson, E., Chiesa, A., Riabzev, M., Spooner, N., Virza, M., Ward, N.P.: Aurora: transparent succinct arguments for R1CS. In: EUROCRYPT, pp. 103–128 (2019)

  11. Ben-Sasson, E., Chiesa, A., Spooner, N.: Interactive oracle proofs. In: TCC, pp. 31–60 (2016)

  12. Block, A.R., Holmgren, J., Rosen, A., Rothblum, R.D., Soni, P.: Time- and space-efficient arguments from groups of unknown order. In: CRYPTO, pp. 123–152 (2021)

  13. Bootle, J., Cerulli, A., Chaidos, P., Groth, J., Petit, C.: Efficient zero-knowledge arguments for arithmetic circuits in the discrete log setting. In: EUROCRYPT, pp. 327–357 (2016)

  14. Bootle, J., Lyubashevsky, V., Nguyen, N.K., Seiler, G.: A non-PCP approach to succinct quantum-safe zero-knowledge. In: CRYPTO, pp. 441–469 (2020)

  15. Bünz, B., Bootle, J., Boneh, D., Poelstra, A., Wuille, P., Maxwell, G.: Bulletproofs: short proofs for confidential transactions and more. In: S&P, pp. 315–334 (2018)

  16. Bünz, B., Fisch, B., Szepieniec, A.: Transparent SNARKs from DARK compilers. In: EUROCRYPT, pp. 677–706 (2020)

  17. Canetti, R., Chen, Y., Holmgren, J., Lombardi, A., Rothblum, G.N., Rothblum, R.D., Wichs, D.: Fiat-Shamir: from practice to theory. In: STOC, pp. 1082–1090. ACM (2019)

  18. Chiesa, A., Manohar, P., Spooner, N.: Succinct arguments in the quantum random oracle model. In: TCC, pp. 1–29 (2019)

  19. Fiat, A., Shamir, A.: How to prove yourself: practical solutions to identification and signature problems. In: CRYPTO, pp. 186–194 (1986)

  20. Ganesh, C., Khoshakhlagh, H., Kohlweiss, M., Nitulescu, A., Zajac, M.: What makes Fiat-Shamir zkSNARKs (updatable SRS) simulation extractable? In: SCN, pp. 735–760 (2022)

  21. Gentry, C., Halevi, S., Lyubashevsky, V.: Practical non-interactive publicly verifiable secret sharing with thousands of parties. In: EUROCRYPT, pp. 458–487 (2022)

  22. Ghoshal, A., Tessaro, S.: Tight state-restoration soundness in the algebraic group model. In: CRYPTO, pp. 64–93 (2021)

  23. Goldreich, O.: The Foundations of Cryptography, Volume 2: Basic Applications. Cambridge University Press (2004)

  24. Hoffmann, M., Klooß, M., Rupp, A.: Efficient zero-knowledge arguments in the discrete log setting, revisited. In: CCS, pp. 2093–2110 (2019)

  25. Jaeger, J., Tessaro, S.: Expected-time cryptography: generic techniques and applications to concrete soundness. In: TCC, pp. 414–443 (2020)

  26. Maller, M., Bowe, S., Kohlweiss, M., Meiklejohn, S.: Sonic: zero-knowledge SNARKs from linear-size universal and updatable structured reference strings. In: CCS, pp. 2111–2128 (2019)

  27. del Pino, R., Lyubashevsky, V., Seiler, G.: Short discrete log proofs for FHE and ring-LWE ciphertexts. In: PKC, pp. 344–373 (2019)

  28. Pointcheval, D., Stern, J.: Security proofs for signature schemes. In: EUROCRYPT, pp. 387–398 (1996)

  29. Wahby, R.S., Tzialla, I., Shelat, A., Thaler, J., Walfish, M.: Doubly-efficient zkSNARKs without trusted setup. In: S&P, pp. 926–943 (2018)

  30. Wikström, D.: Special soundness revisited. IACR ePrint 2018/1157 (2018)

  31. Wikström, D.: Special soundness in the random oracle model. IACR ePrint 2021/1264 (2021)


Acknowledgments

The first author was supported by EU H2020 project No. 780701 (PROMETHEUS) and the Vraaggestuurd Programma Cyber Security & Resilience, part of the Dutch Top Sector High Tech Systems and Materials program. The third author was supported by the topic Engineering Secure Systems (46.23.01) of the Helmholtz Association (HGF) and by KASTEL Security Research Labs.


Corresponding author: Thomas Attema.


Copyright information

© 2022 The Author(s), under exclusive license to Springer Nature Switzerland AG


Cite this paper

Attema, T., Fehr, S., Klooß, M. (2022). Fiat-Shamir Transformation of Multi-round Interactive Proofs. In: Kiltz, E., Vaikuntanathan, V. (eds) Theory of Cryptography. TCC 2022. Lecture Notes in Computer Science, vol 13747. Springer, Cham. https://doi.org/10.1007/978-3-031-22318-1_5

Download citation

  • DOI: https://doi.org/10.1007/978-3-031-22318-1_5


  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-031-22317-4

  • Online ISBN: 978-3-031-22318-1

