Fiat–Shamir Transformation of Multi-Round Interactive Proofs (Extended Version)

The celebrated Fiat-Shamir transformation turns any public-coin interactive proof into a non-interactive one, which inherits the main security properties (in the random oracle model) of the interactive version. While originally considered in the context of 3-move public-coin interactive proofs, i.e., so-called $\Sigma$-protocols, it is now applied to multi-round protocols as well. Unfortunately, the security loss for a $(2\mu+1)$-move protocol is, in general, $Q^\mu$, where $Q$ is the number of oracle queries performed by the attacker. In general, this is the best one can hope for, as it is easy to see that this loss applies to the $\mu$-fold sequential repetition of $\Sigma$-protocols, but it raises the question whether certain (natural) classes of interactive proofs feature a milder security loss. In this work, we give positive and negative results on this question. On the positive side, we show that for $(k_1,\dots,k_\mu)$-special-sound protocols (which cover a broad class of use cases), the knowledge error degrades linearly in $Q$, instead of $Q^\mu$. On the negative side, we show that for $t$-fold parallel repetitions of typical $(k_1,\dots,k_\mu)$-special-sound protocols with $t \geq \mu$ (and assuming for simplicity that $t$ and $Q$ are integer multiples of $\mu$), there is an attack that results in a security loss of approximately $\frac{1}{2}\, Q^\mu / \mu^{\mu+t}$.
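The $(2\mu+1)$-move Fiat-Shamir transformation described above, as an added example that is not from the paper: $\mu$ sequential repetitions of Schnorr's $\Sigma$-protocol in a toy prime-order group (constructed parameters, not secure), where each challenge is derived by hashing the statement together with the full transcript prefix, giving a non-interactive prover/verifier pair.

```python
import hashlib

# Toy parameters (constructed for illustration only): order-q subgroup of Z_p^*
# with p = 2q + 1; g = 4 = 2^2 generates the subgroup of order q.
P, Q_ORDER, G = 2039, 1019, 4
MU = 3  # number of Sigma-protocol rounds, i.e. a (2*MU + 1)-move protocol


def fs_challenge(statement, transcript):
    """Random-oracle challenge, bound to the statement and every earlier message."""
    digest = hashlib.sha256(repr((statement, transcript)).encode()).digest()
    return int.from_bytes(digest, "big") % Q_ORDER


def fs_prove(x, y, nonces):
    """Non-interactive proof of knowledge of x with y = g^x, as MU sequential
    Schnorr rounds. nonces[i] is the prover's randomness for round i (constructed;
    a real prover must draw it uniformly at random)."""
    transcript = []
    for i in range(MU):
        a = pow(G, nonces[i], P)               # prover's first message of round i
        transcript.append(a)
        c = fs_challenge(y, transcript)        # verifier's coin, replaced by the oracle
        z = (nonces[i] + c * x) % Q_ORDER      # prover's response
        transcript.append(z)
    return transcript


def fs_verify(y, transcript):
    """Recompute each challenge from the transcript prefix and check every round."""
    if len(transcript) != 2 * MU:
        return False
    for i in range(MU):
        a, z = transcript[2 * i], transcript[2 * i + 1]
        c = fs_challenge(y, transcript[: 2 * i + 1])  # same prefix the prover hashed
        if pow(G, z, P) != (a * pow(y, c, P)) % P:
            return False
    return True
```

Because every challenge depends on the statement and all earlier messages, a verifier recomputing the hashes rejects any transcript in which a message was altered after its challenge was derived; the abstract's observation is that a cheating prover can nonetheless retry each sequential round on its own, which is where the $Q^\mu$ loss for sequential repetition comes from.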