Abstract
The celebrated Fiat-Shamir transformation turns any public-coin interactive proof into a non-interactive one, which inherits the main security properties (in the random oracle model) of the interactive version. While originally considered in the context of 3-move public-coin interactive proofs, i.e., so-called \(\varSigma \)-protocols, it is now applied to multi-round protocols as well. Unfortunately, the security loss for a \((2\mu + 1)\)-move protocol is, in general, approximately \(Q^\mu \), where Q is the number of oracle queries performed by the attacker. In general, this is the best one can hope for, as it is easy to see that this loss applies to the \(\mu \)-fold sequential repetition of \(\varSigma \)-protocols, but it raises the question whether certain (natural) classes of interactive proofs feature a milder security loss.
In this work, we give positive and negative results on this question. On the positive side, we show that for \((k_1, \ldots , k_\mu )\)-special-sound protocols (which cover a broad class of use cases), the knowledge error degrades linearly in Q, instead of \(Q^\mu \). On the negative side, we show that for t-fold parallel repetitions of typical \((k_1, \ldots , k_\mu )\)-special-sound protocols with \(t \ge \mu \) (and assuming for simplicity that t and Q are integer multiples of \(\mu \)), there is an attack that results in a security loss of approximately \(\frac{1}{2} Q^\mu /\mu ^{\mu +t}\).
Access this chapter
Tax calculation will be finalised at checkout
Purchases are for personal use only
Similar content being viewed by others
Notes
- 1.
As a matter of fact, [11] considers arbitrary interactive oracle proofs (IOPs), but these notions are well-defined for ordinary interactive proofs too.
- 2.
This is clearly a contrived example since the natural construction would be to apply the Fiat-Shamir transformation to the parallel repetition of the original \(\varSigma \)-protocol, where no such huge security loss would then occur.
- 3.
When finalizing our write-up, we were informed by Wikström that he derived similar results a few months earlier, subsequently made available online [31].
- 4.
We always assume that the prover sends the first and the last message.
- 5.
The probabilities \(\Pr (A_i >0 \mid J = j)\) are all 0 or 1; however, it’s still convenient to use probability notation here.
- 6.
Of course, it would be sufficient to rewind \(\mathcal {A}\) to the point where it makes the (first) query to a, but this would make the description more clumsy.
- 7.
Recall that we use \(a_i(j_1,\dots ,j_U)\) and \(a_i(j_1,\dots ,j_{i-1},j_{i+1},\dots ,j_U)\) interchangeably, exploiting that \(a_i(j_1,\dots ,j_U)\) does not depend on the i-th input \(j_i\).
- 8.
To be more precise, to allow for fresh randomness in the different runs of \(\mathcal {E}_{m+1}\) within \(\mathcal {E}_m\), we first replace the randomness of \(\mathcal {E}_{m+1}\) by \(F(j_1,\dots ,j_U)\) for a random function F, where \((j_1,\dots ,j_U)\) is the function table of the random oracle providing the answers to \(\mathcal {E}_{m+1}\)’s queries, and then we fix the choice of F and average over F after having applied Lemma 2 and Lemma 5.
- 9.
The soundness and knowledge error of a single invocation of \(\varPi \) are both equal to \({\text {Er}}(\textbf{k};N)\). Therefore, it immediately follows that the soundness error of the parallel repetition \(\varPi ^t\) is \({\text {Er}}(\textbf{k};N)^t\). The fact that the knowledge error of \(\varPi ^t\) also equals \({\text {Er}}(\textbf{k};N)^t\) follows from the recent work [7].
References
Full version of this paper. IACR ePrint 2021/1377
Albrecht, M.R., Lai, R.W.F.: Subtractive sets over cyclotomic rings - limits of schnorr-like arguments over lattices. In: CRYPTO, pp. 519–548 (2021)
Ames, S., Hazay, C., Ishai, Y., Venkitasubramaniam, M.: Ligero: lightweight sublinear arguments without a trusted setup. In: CCS, pp. 2087–2104. ACM (2017)
Attema, T., Cramer, R.: Compressed \(\Sigma \)-protocol theory and practical application to plug & play secure algorithmics. In: CRYPTO, pp. 513–543 (2020)
Attema, T., Cramer, R., Kohl, L.: A compressed \(\Sigma \)-protocol theory for lattices. In: CRYPTO, pp. 549–579 (2021)
Attema, T., Cramer, R., Rambaud, M.: Compressed \(\Sigma \)-protocols for bilinear group arithmetic circuits and application to logarithmic transparent threshold signatures. In: ASIACRYPT, pp. 526–556 (2021)
Attema, T., Fehr, S.: Parallel repetition of \((k_1,\dots , k_{\mu })\)-special-sound multi-round interactive proofs. In: CRYPTO (2022)
Barak, B., Lindell, Y.: Strict polynomial-time in simulation and extraction. In: STOC, pp. 484–493 (2002)
Bellare, M., Neven, G.: Multi-signatures in the plain public-key model and a general forking lemma. In: CCS, pp. 390–399 (2006)
Ben-Sasson, E., Chiesa, A., Riabzev, M., Spooner, N., Virza, M., Ward, N.P.: Aurora: transparent succinct arguments for R1CS. In: EUROCRYPT, pp. 103–128 (2019)
Ben-Sasson, E., Chiesa, A., Spooner, N.: Interactive oracle proofs. In: TCC, pp. 31–60 (2016)
Block, A.R., Holmgren, J., Rosen, A., Rothblum, R.D., Soni, P.: Time- and space-efficient arguments from groups of unknown order. In: CRYPTO, pp. 123–152 (2021)
Bootle, J., Cerulli, A., Chaidos, P., Groth, J., Petit, C.: Efficient zero-knowledge arguments for arithmetic circuits in the discrete log setting. In: EUROCRYPT, pp. 327–357 (2016)
Bootle, J., Lyubashevsky, V., Nguyen, N.K., Seiler, G.: A non-PCP approach to succinct quantum-safe zero-knowledge. In: CRYPTO, pp. 441–469 (2020)
Bünz, B., Bootle, J., Boneh, D., Poelstra, A., Wuille, P., Maxwell, G.: Bulletproofs: short proofs for confidential transactions and more. In: S &P, pp. 315–334 (2018)
Bünz, B., Fisch, B., Szepieniec, A.: Transparent SNARKs from DARK compilers. In: EUROCRYPT, pp. 677–706 (2020)
Canetti, R., Chen, Y., Holmgren, J., Lombardi, A., Rothblum, G.N., Rothblum, R.D., Wichs, D.: Fiat-Shamir: from practice to theory. In: STOC, pp. 1082–1090. ACM (2019)
Chiesa, A., Manohar, P., Spooner, N.: Succinct arguments in the quantum random oracle model. In: TCC, pp. 1–29 (2019)
Fiat, A., Shamir, A.: How to prove yourself: Practical solutions to identification and signature problems. In: CRYPTO, pp. 186–194 (1986)
Ganesh, C., Khoshakhlagh, H., Kohlweiss, M., Nitulescu, A., Zajac, M.: What makes Fiat-Shamir zkSNARKs (updatable SRS) simulation extractable? In: SCN, pp. 735–760 (2022)
Gentry, C., Halevi, S., Lyubashevsky, V.: Practical non-interactive publicly verifiable secret sharing with thousands of parties. In: EUROCRYPT, pp. 458–487 (2022)
Ghoshal, A., Tessaro, S.: Tight state-restoration soundness in the algebraic group model. In: CRYPTO, pp. 64–93 (2021)
Goldreich, O.: The Foundations of Cryptography. Basic Applications, Vol. 2. Cambridge University Press (2004)
Hoffmann, M., Klooß, M., Rupp, A.: Efficient zero-knowledge arguments in the discrete log setting, revisited. In: CCS, pp. 2093–2110 (2019)
Jaeger, J., Tessaro, S.: Expected-time cryptography: generic techniques and applications to concrete soundness. In: TCC, pp. 414–443 (2020)
Maller, M., Bowe, S., Kohlweiss, M., Meiklejohn, S.: Sonic: zero-knowledge SNARKs from linear-size universal and updatable structured reference strings. In: CCS, pp. 2111–2128 (2019)
del Pino, R., Lyubashevsky, V., Seiler, G.: Short discrete log proofs for FHE and ring-LWE ciphertexts. In: PKC, pp. 344–373 (2019)
Pointcheval, D., Stern, J.: Security proofs for signature schemes. In: EUROCRYPT, pp. 387–398 (1996)
Wahby, R.S., Tzialla, I., Shelat, A., Thaler, J., Walfish, M.: Doubly-efficient zkSNARKs without trusted setup. In: S &P, pp. 926–943 (2018)
Wikström, D.: Special soundness revisited. IACR ePrint 2018/1157 (2018)
Wikström, D.: Special soundness in the random oracle model. IACR ePrint 2021/1264 (2021)
Acknowledgments
The first author was supported by EU H2020 project No. 780701 (PROMETHEUS) and the Vraaggestuurd Programma Cyber Security & Resilience, part of the Dutch Top Sector High Tech Systems and Materials program. The third author was supported by the topic Engineering Secure Systems (46.23.01) of the Helmholtz Association (HGF) and by KASTEL Security Research Labs.
Author information
Authors and Affiliations
Corresponding author
Editor information
Editors and Affiliations
Rights and permissions
Copyright information
© 2022 The Author(s), under exclusive license to Springer Nature Switzerland AG
About this paper
Cite this paper
Attema, T., Fehr, S., Klooß, M. (2022). Fiat-Shamir Transformation of Multi-round Interactive Proofs. In: Kiltz, E., Vaikuntanathan, V. (eds) Theory of Cryptography. TCC 2022. Lecture Notes in Computer Science, vol 13747. Springer, Cham. https://doi.org/10.1007/978-3-031-22318-1_5
Download citation
DOI: https://doi.org/10.1007/978-3-031-22318-1_5
Published:
Publisher Name: Springer, Cham
Print ISBN: 978-3-031-22317-4
Online ISBN: 978-3-031-22318-1
eBook Packages: Computer ScienceComputer Science (R0)