Why “Fiat-Shamir for Proofs” Lacks a Proof

  • Nir Bitansky
  • Dana Dachman-Soled
  • Sanjam Garg
  • Abhishek Jain
  • Yael Tauman Kalai
  • Adriana López-Alt
  • Daniel Wichs
Conference paper

DOI: 10.1007/978-3-642-36594-2_11

Part of the Lecture Notes in Computer Science book series (LNCS, volume 7785)
Cite this paper as:
Bitansky N. et al. (2013) Why “Fiat-Shamir for Proofs” Lacks a Proof. In: Sahai A. (eds) Theory of Cryptography. Lecture Notes in Computer Science, vol 7785. Springer, Berlin, Heidelberg

Abstract

The Fiat-Shamir heuristic [CRYPTO ’86] is used to convert any 3-message public-coin proof or argument system into a non-interactive argument, by hashing the prover’s first message to select the verifier’s challenge. It is known that this heuristic is sound when the hash function is modeled as a random oracle. On the other hand, the surprising result of Goldwasser and Kalai [FOCS ’03] shows that there exists a computationally sound argument on which the Fiat-Shamir heuristic is never sound, when instantiated with any actual efficient hash function. This leaves us with the following interesting possibility: perhaps we can securely instantiate the Fiat-Shamir heuristic for all 3-message public-coin statistically sound proofs, even if we must fail for some computationally sound arguments. Indeed, this has been conjectured to be the case by Barak, Lindell and Vadhan [FOCS ’03], but we do not have any provably secure instantiation under any “standard assumption”. In this work, we give a broad black-box separation result showing that the security of the Fiat-Shamir heuristic for statistically sound proofs cannot be proved under virtually any standard assumption via a black-box reduction. More precisely:

–If we want to have a “universal” instantiation of the Fiat-Shamir heuristic that works for all 3-message public-coin proofs, then we cannot prove its security via a black-box reduction from any assumption that has the format of a “cryptographic game”.

–For many concrete proof systems, if we want to have a “specific” instantiation of the Fiat-Shamir heuristic for that proof system, then we cannot prove its security via a black-box reduction from any “falsifiable assumption” that has the format of a cryptographic game with an efficient challenger.
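The abstract describes the transform abstractly: a 3-message public-coin protocol (commitment, random challenge, response) becomes non-interactive by hashing the prover's first message to obtain the challenge. The following is an added worked example, not code from the paper or its authors, that runs Schnorr's proof of knowledge of a discrete logarithm both interactively and after the Fiat-Shamir transform. The group parameters p = 23, q = 11, g = 4 are a toy choice made here (4 generates the order-11 subgroup of Z_23^*) and are far too small for any real use; the helper names and the decision to hash the statement alongside the commitment are likewise this example's own assumptions.

```python
"""Fiat-Shamir applied to a toy Schnorr proof of knowledge (added example).

Not code from the paper. Parameters are deliberately tiny (assumption:
demo-only, insecure sizes) so that the structure of the transform is visible.
"""
import hashlib
import secrets

# Toy group: p = 2q + 1 with q prime, g of prime order q (assumed demo values).
P, Q, G = 23, 11, 4


def keygen():
    """Witness x and public statement y = g^x mod p; the prover knows x."""
    x = secrets.randbelow(Q - 1) + 1
    return x, pow(G, x, P)


# --- The 3-message public-coin proof system (sigma protocol) ---

def prover_commit():
    """Message 1: commitment t = g^r for a fresh random r."""
    r = secrets.randbelow(Q)
    return r, pow(G, r, P)


def verifier_challenge():
    """Message 2: the verifier is public-coin, it simply flips coins."""
    return secrets.randbelow(Q)


def prover_respond(x, r, c):
    """Message 3: z = r + c*x mod q."""
    return (r + c * x) % Q


def verify_transcript(y, t, c, z):
    """Accept iff g^z == t * y^c (mod p)."""
    return pow(G, z, P) == (t * pow(y, c, P)) % P


def interactive_run(x, y):
    """Honest interactive execution: three messages, then the check."""
    r, t = prover_commit()
    c = verifier_challenge()
    z = prover_respond(x, r, c)
    return verify_transcript(y, t, c, z)


# --- Fiat-Shamir: replace message 2 by a hash of message 1 ---

def fs_challenge(y, t):
    """Challenge derived from the statement y and the first message t.

    Hashing y in as well binds the challenge to the statement being proved
    (this example's choice; hashing only t is the weaker variant).
    """
    h = hashlib.sha256(f"{P}|{Q}|{G}|{y}|{t}".encode()).digest()
    return int.from_bytes(h, "big") % Q


def fs_prove(x, y):
    """Non-interactive proof: the prover computes its own challenge."""
    r, t = prover_commit()
    c = fs_challenge(y, t)
    z = prover_respond(x, r, c)
    return t, z


def fs_verify(y, proof):
    """The verifier recomputes the challenge and runs the same check."""
    t, z = proof
    c = fs_challenge(y, t)
    return verify_transcript(y, t, c, z)


if __name__ == "__main__":
    x, y = keygen()
    print("interactive accepts:", interactive_run(x, y))
    proof = fs_prove(x, y)
    print("non-interactive accepts:", fs_verify(y, proof))
    t, z = proof
    print("tampered response accepts:", fs_verify(y, (t, (z + 1) % Q)))
```

For a fixed commitment t and challenge c there is exactly one response z in Z_q that satisfies the verification equation, so any tampering with z is rejected deterministically. Soundness of `fs_verify` rests entirely on the hash standing in for the verifier's coins, which is exactly the step the paper shows cannot be justified from standard assumptions via a black-box reduction.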


Copyright information

© International Association for Cryptologic Research 2013

Authors and Affiliations

  • Nir Bitansky, Tel Aviv University, Israel
  • Dana Dachman-Soled, Microsoft Research New England, USA
  • Sanjam Garg, UCLA, USA
  • Abhishek Jain, MIT and BU, USA
  • Yael Tauman Kalai, Microsoft Research New England, USA
  • Adriana López-Alt, NYU, USA
  • Daniel Wichs, IBM Research, T.J. Watson, USA