Abstract
FRI is a cryptographic protocol widely deployed today as a building block of many efficient SNARKs that help secure transactions of hundreds of millions of dollars per day. The Fiat-Shamir security of FRI—vital for understanding the security of FRI-based SNARKs—has only recently been formalized and established by Block et al. (ASIACRYPT ’23).
In this work, we complement the result of Block et al. by providing a thorough concrete security analysis of non-interactive FRI under various parameter settings from protocols deploying (or soon to be deploying) FRI today. We find that these parameters nearly achieve their desired security targets (being at most 1 bit less secure than their targets) for non-interactive FRI with respect to a certain security conjecture about the FRI protocol. However, in all but one set of parameters, we find that the provable security of non-interactive FRI under these parameters is severely lacking, being anywhere between 21 and 63 bits less secure than the conjectured security. Because the conjectured security of FRI assumes that known attacks are optimal, the security of these systems would be severely compromised should a better attack be discovered. In light of this, we present parameter guidelines for achieving 100 bits of provable security for non-interactive FRI, along with a methodology for tuning these parameters to suit the needs of protocol designers.
Notes
1. An interactive protocol is public-coin if all messages sent by the verifier are sampled uniformly at random and are independent of all prior protocol messages.
2. See Remark 2 for a discussion on the difference between these notions.
3. A similar definition for bits of security is given in the ethSTARK documentation [26].
4. To the best of our knowledge, all projects using this conjecture set \(\delta = 1-\rho \).
References
Abdalla, M., An, J.H., Bellare, M., Namprempre, C.: From identification to signatures via the Fiat-Shamir transform: minimizing assumptions for security and forward-security. In: Knudsen, L.R. (ed.) EUROCRYPT 2002. LNCS, vol. 2332, pp. 418–433. Springer, Heidelberg (2002). https://doi.org/10.1007/3-540-46035-7_28
Attema, T., Fehr, S., Klooß, M.: Fiat-Shamir transformation of multi-round interactive proofs. In: Kiltz, E., Vaikuntanathan, V. (eds.) TCC 2022, Part I. LNCS, vol. 13747, pp. 113–142. Springer, Heidelberg (2022). https://doi.org/10.1007/978-3-031-22318-1_5
Barak, B.: How to go beyond the black-box simulation barrier. In: 42nd FOCS, pp. 106–115. IEEE Computer Society Press, October 2001. https://doi.org/10.1109/SFCS.2001.959885
Ben-Sasson, E., Bentov, I., Gabizon, A., Riabzev, M.: Improved concrete efficiency and security analysis of Reed-Solomon PCPPs. Electron. Colloquium Comput. Complex. TR16-073 (2016)
Ben-Sasson, E., Bentov, I., Gabizon, A., Riabzev, M.: A security analysis of probabilistically checkable proofs. Electron. Colloquium Comput. Complex. TR16-149 (2016)
Ben-Sasson, E., Bentov, I., Horesh, Y., Riabzev, M.: Fast Reed-Solomon interactive oracle proofs of proximity. In: Chatzigiannakis, I., Kaklamanis, C., Marx, D., Sannella, D. (eds.) ICALP 2018. LIPIcs, vol. 107, pp. 14:1–14:17. Schloss Dagstuhl, July 2018. https://doi.org/10.4230/LIPIcs.ICALP.2018.14
Ben-Sasson, E., Carmon, D., Ishai, Y., Kopparty, S., Saraf, S.: Proximity gaps for Reed-Solomon codes. In: 61st FOCS, pp. 900–909. IEEE Computer Society Press, November 2020. https://doi.org/10.1109/FOCS46700.2020.00088
Ben-Sasson, E., Chiesa, A., Spooner, N.: Interactive oracle proofs. In: Hirt, M., Smith, A. (eds.) TCC 2016. LNCS, vol. 9986, pp. 31–60. Springer, Heidelberg (2016). https://doi.org/10.1007/978-3-662-53644-5_2
Ben-Sasson, E., Goldberg, L., Kopparty, S., Saraf, S.: DEEP-FRI: sampling outside the box improves soundness. In: Vidick, T. (ed.) ITCS 2020, vol. 151, pp. 5:1–5:32. LIPIcs, January 2020. https://doi.org/10.4230/LIPIcs.ITCS.2020.5
Bernhard, D., Pereira, O., Warinschi, B.: How not to prove yourself: pitfalls of the Fiat-Shamir heuristic and applications to Helios. In: Wang, X., Sako, K. (eds.) ASIACRYPT 2012. LNCS, vol. 7658, pp. 626–643. Springer, Heidelberg (2012). https://doi.org/10.1007/978-3-642-34961-4_38
Bitansky, N., et al.: Why Fiat-Shamir for proofs lacks a proof. In: Sahai, A. (ed.) TCC 2013. LNCS, vol. 7785, pp. 182–201. Springer, Heidelberg (2013). https://doi.org/10.1007/978-3-642-36594-2_11
Block, A.R., Garreta, A., Katz, J., Thaler, J., Tiwari, P.R., Zajac, M.: Fiat-Shamir security of FRI and related SNARKs. In: Guo, J., Steinfeld, R. (eds.) ASIACRYPT 2023, Part II. LNCS, vol. 14439, pp. 3–40. Springer, Heidelberg (2023). https://doi.org/10.1007/978-981-99-8724-5_1
Canetti, R., et al.: Fiat-Shamir: from practice to theory. In: Charikar, M., Cohen, E. (eds.) 51st ACM STOC, pp. 1082–1090. ACM Press, June 2019. https://doi.org/10.1145/3313276.3316380
Chiesa, A., Ojha, D., Spooner, N.: Fractal: post-quantum and transparent recursive proofs from holography. In: Canteaut, A., Ishai, Y. (eds.) EUROCRYPT 2020. LNCS, vol. 12105, pp. 769–793. Springer, Cham (2020). https://doi.org/10.1007/978-3-030-45721-1_27
Dao, Q., Miller, J., Wright, O., Grubbs, P.: Weak Fiat-Shamir attacks on modern proof systems. In: 2023 IEEE Symposium on Security and Privacy, pp. 199–216. IEEE Computer Society Press, May 2023. https://doi.org/10.1109/SP46215.2023.10179408
Davis, H., Diemert, D., Günther, F., Jager, T.: On the concrete security of TLS 1.3 PSK mode. In: Dunkelman, O., Dziembowski, S. (eds.) EUROCRYPT 2022. LNCS, vol. 13276, pp. 876–906. Springer, Cham (2022). https://doi.org/10.1007/978-3-031-07085-3_30
Fiat, A., Shamir, A.: How to prove yourself: practical solutions to identification and signature problems. In: Odlyzko, A.M. (ed.) CRYPTO 1986. LNCS, vol. 263, pp. 186–194. Springer, Heidelberg (1987). https://doi.org/10.1007/3-540-47721-7_12
Goldwasser, S., Kalai, Y.T.: On the (in)security of the Fiat-Shamir paradigm. In: 44th FOCS, pp. 102–115. IEEE Computer Society Press, October 2003. https://doi.org/10.1109/SFCS.2003.1238185
Haböck, U.: A summary on the FRI low degree test. Cryptology ePrint Archive, Report 2022/1216 (2022). https://eprint.iacr.org/2022/1216
Hopwood, D., Bowe, S., Hornby, T., Wilcox, N.: Zcash protocol specification. https://zips.z.cash/protocol/protocol.pdf, version 2022.3.8 [NU5]
Jaeger, J., Tessaro, S.: Expected-time cryptography: generic techniques and applications to concrete soundness. In: Pass, R., Pietrzak, K. (eds.) TCC 2020. LNCS, vol. 12552, pp. 414–443. Springer, Cham (2020). https://doi.org/10.1007/978-3-030-64381-2_15
L2BEAT: L2BEAT total value locked. https://l2beat.com/scaling/tvl
Pointcheval, D., Stern, J.: Security proofs for signature schemes. In: Maurer, U. (ed.) EUROCRYPT 1996. LNCS, vol. 1070, pp. 387–398. Springer, Heidelberg (1996). https://doi.org/10.1007/3-540-68339-9_33
Polygon Labs: FRI verification procedures. https://wiki.polygon.technology/docs/miden/user_docs/stdlib/crypto/fri/
Reed, I.S., Solomon, G.: Polynomial codes over certain finite fields. J. Soc. Ind. Appl. Math. 8(2), 300–304 (1960). https://doi.org/10.1137/0108018
StarkWare: ethSTARK documentation. Cryptology ePrint Archive, Report 2021/582 (2021). https://eprint.iacr.org/2021/582
StarkWare Industries: StarkEx documentation: customers and their deployment contract addresses. https://docs.starkware.co/starkex/deployments-addresses.html
RISC Zero Team: RISC Zero's proof system for a zkVM (2023). https://github.com/risc0/risc0
Thaler, J.: SNARK security and performance (2019). https://a16zcrypto.com/snark-security-and-performance/
Wikström, D.: Special soundness in the random oracle model. Cryptology ePrint Archive, Report 2021/1265 (2021). https://eprint.iacr.org/2021/1265
Acknowledgements
The authors would like to thank Matthew Green for all the helpful suggestions on the presentation of this work. Alexander R. Block was supported by DARPA under Contract Nos. HR00112020022 and HR00112020025. Pratyush Ranjan Tiwari was supported by the Ethereum Foundation's grant FY23-1087, and partly supported by a Security & Privacy research gift from Google and a research gift from Cisco. The views, opinions, findings, conclusions, and/or recommendations expressed in this material are those of the authors and should not be interpreted as reflecting the position or policy of DARPA or the United States Government, and no official endorsement should be inferred.
Copyright information
© 2024 The Author(s), under exclusive license to Springer Nature Switzerland AG
About this paper
Cite this paper
Block, A.R., Tiwari, P.R. (2024). On the Concrete Security of Non-interactive FRI. In: Galdi, C., Phan, D.H. (eds) Security and Cryptography for Networks. SCN 2024. Lecture Notes in Computer Science, vol 14973. Springer, Cham. https://doi.org/10.1007/978-3-031-71070-4_13
DOI: https://doi.org/10.1007/978-3-031-71070-4_13
Publisher Name: Springer, Cham
Print ISBN: 978-3-031-71069-8
Online ISBN: 978-3-031-71070-4
eBook Packages: Computer Science (R0)