Fiat-Shamir for Highly Sound Protocols Is Instantiable

Abstract

The Fiat–Shamir (FS) transformation (Fiat and Shamir, Crypto '86) is a popular paradigm for constructing very efficient non-interactive zero-knowledge (NIZK) arguments and signature schemes from a hash function and any three-move interactive protocol satisfying certain properties. Despite its widespread applicability both in theory and in practice, the known positive results for proving security of the FS paradigm are in the random oracle model only, i.e., they assume that the hash function is modeled as an external random function accessible to all parties. On the other hand, a sequence of negative results shows that for certain classes of interactive protocols, the FS transform cannot be instantiated in the standard model. We initiate the study of complementary positive results, namely, studying classes of interactive protocols where the FS transform does have standard-model instantiations. In particular, we show that for a class of "highly sound" protocols that we define, instantiating the FS transform via a q-wise independent hash function yields NIZK arguments and secure signature schemes. In the case of NIZK, we obtain a weaker "q-bounded" zero-knowledge flavor where the simulator works for all adversaries asking an a priori bounded number of queries q; in the case of signatures, we obtain the weaker notion of random-message unforgeability against q-bounded random message attacks. Our main idea is that when the protocol is highly sound, then instead of using random-oracle programming, one can use complexity leveraging. The question is whether such highly sound protocols exist and if so, which protocols lie in this class. We answer this question in the affirmative in the common reference string (CRS) model and under strong assumptions.

Namely, assuming indistinguishability obfuscation and puncturable pseudorandom functions, we construct a compiler that transforms any 3-move interactive protocol with instance-independent commitments and simulators (a property satisfied by the Lapidot–Shamir protocol, Crypto '90) into a compiled protocol in the CRS model that is highly sound. We also present a second compiler, in order to be able to start from a larger class of protocols, which only requires instance-independent commitments (a property satisfied, for example, by the classical protocol for quadratic residuosity due to Blum, Crypto '81). For the second compiler we require dual-mode commitments. We hope that our work inspires more research on classes of (efficient) 3-move protocols where Fiat–Shamir is (efficiently) instantiable.
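The following is an added illustration, not code from the paper: the Fiat–Shamir transform applied to the Schnorr three-move protocol, with the challenge computed by a q-wise independent hash (a random polynomial of degree below q over a prime field) instead of a random oracle. The group parameters, the SHA-256 compression of the hash input, and all function names are this example's own assumptions; the group is a toy and not secure.

```python
import hashlib
import secrets

# Constructed toy group (not secure): safe prime P = 2*ORDER + 1; G = 4 is a
# quadratic residue, so it generates the subgroup of prime order ORDER.
P, ORDER, G = 1019, 509, 4


def keygen_hash(t: int) -> list:
    """Key of a t-wise independent hash: t random coefficients over F_ORDER.
    A uniformly random polynomial of degree < t is t-wise independent."""
    return [secrets.randbelow(ORDER) for _ in range(t)]


def encode(commitment: int, message: bytes) -> int:
    """Compress (commitment, message) to one field element; the SHA-256 step
    is this example's own choice for handling variable-length input."""
    data = commitment.to_bytes(2, "big") + message
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % ORDER


def hash_eval(key: list, x: int) -> int:
    """Evaluate the keyed polynomial at x (Horner's rule) modulo ORDER."""
    acc = 0
    for coeff in reversed(key):
        acc = (acc * x + coeff) % ORDER
    return acc


def keygen_sig() -> tuple:
    sk = secrets.randbelow(ORDER - 1) + 1
    return sk, pow(G, sk, P)


def sign(hkey: list, sk: int, message: bytes) -> tuple:
    """Fiat-Shamir applied to Schnorr: the prover's first move is committed,
    and the challenge comes from the hash instead of an interactive verifier."""
    r = secrets.randbelow(ORDER - 1) + 1
    commitment = pow(G, r, P)                         # first move
    c = hash_eval(hkey, encode(commitment, message))  # challenge
    z = (r + c * sk) % ORDER                          # third move
    return commitment, z


def verify(hkey: list, pk: int, message: bytes, sig: tuple) -> bool:
    commitment, z = sig
    c = hash_eval(hkey, encode(commitment, message))
    # Schnorr verification equation: G^z == commitment * pk^c
    return pow(G, z, P) == (commitment * pow(pk, c, P)) % P
```

Because the hash key is a polynomial of degree below t, any t evaluations determine it completely, which is why the guarantees the abstract describes are q-bounded rather than unconditional.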
