Why “Fiat-Shamir for Proofs” Lacks a Proof

  • Nir Bitansky
  • Dana Dachman-Soled
  • Sanjam Garg
  • Abhishek Jain
  • Yael Tauman Kalai
  • Adriana López-Alt
  • Daniel Wichs
Part of the Lecture Notes in Computer Science book series (LNCS, volume 7785)

Abstract

The Fiat-Shamir heuristic [CRYPTO ’86] is used to convert any 3-message public-coin proof or argument system into a non-interactive argument, by hashing the prover’s first message to select the verifier’s challenge. It is known that this heuristic is sound when the hash function is modeled as a random oracle. On the other hand, the surprising result of Goldwasser and Kalai [FOCS ’03] shows that there exists a computationally sound argument on which the Fiat-Shamir heuristic is never sound, when instantiated with any actual efficient hash function. This leaves us with the following interesting possibility: perhaps we can securely instantiates the Fiat-Shamir heuristic for all 3-message public-coin statistically sound proofs, even if we must fail for some computationally sound arguments. Indeed, this has been conjectured to be the case by Barak, Lindell and Vadhan [FOCS ’03], but we do not have any provably secure instantiation under any “standard assumption”. In this work, we give a broad black-box separation result showing that the security of the Fiat-Shamir heuristic for statistically sound proofs cannot be proved under virtually any standard assumption via a black-box reduction. More precisely:

–If we want to have a “universal” instantiation of the Fiat-Shamir heuristic that works for all 3-message public-coin proofs, then we cannot prove its security via a black-box reduction from any assumption that has the format of a “cryptographic game”.

–For many concrete proof systems, if we want to have a “specific” instantiation of the Fiat-Shamir heuristic for that proof system, then we cannot prove its security via a black box reduction from any “falsifiable assumption” that has the format of a cryptographic game with an efficient challenger.

References

  1. [AABN02]
    Abdalla, M., An, J.H., Bellare, M., Namprempre, C.: From Identification to Signatures via the Fiat-Shamir Transform: Minimizing Assumptions for Security and Forward-Security. In: Knudsen, L.R. (ed.) EUROCRYPT 2002. LNCS, vol. 2332, pp. 418–433. Springer, Heidelberg (2002)CrossRefGoogle Scholar
  2. [BGW12]
    Bitansky, N., Garg, S., Wichs, D.: Why ”fiat-shamir for proofs” lacks a proof. Cryptology ePrint Archive, Report 2012/705 (2012), http://eprint.iacr.org/
  3. [Blu81]
    Blum, M.: Coin flipping by telephone. In: Proceedings of the 18th Annual International Cryptology Conference, CRYPTO 1981, pp. 11–15 (1981)Google Scholar
  4. [Blu87]
    Blum, M.: How to prove a theorem so no one else can claim it. In: Proceedings of the International Congress of Mathematicians, pp. 1444–1451 (1987)Google Scholar
  5. [BLV03]
    Barak, B., Lindell, Y., Vadhan, S.P.: Lower bounds for non-black-box zero knowledge. In: 44th Annual Symposium on Foundations of Computer Science, pp. 384–393. IEEE Computer Society Press (October 2003)Google Scholar
  6. [BR93]
    Bellare, M., Rogaway, P.: Random oracles are practical: A paradigm for designing efficient protocols. In: Ashby, V. (ed.) ACM CCS 1993: 1st Conference on Computer and Communications Security, pp. 62–73. ACM Press (November 1993)Google Scholar
  7. [Bro05]
    Brown, D.R.L.: Breaking rsa may be as difficult as factoring. Cryptology ePrint Archive, Report 2005/380 (2005), http://eprint.iacr.org/
  8. [BV98]
    Boneh, D., Venkatesan, R.: Breaking RSA May Not Be Equivalent to Factoring. In: Nyberg, K. (ed.) EUROCRYPT 1998. LNCS, vol. 1403, pp. 59–71. Springer, Heidelberg (1998)CrossRefGoogle Scholar
  9. [Cor02]
    Coron, J.-S.: Security Proof for Partial-Domain Hash Signature Schemes. In: Yung, M. (ed.) CRYPTO 2002. LNCS, vol. 2442, pp. 613–626. Springer, Heidelberg (2002)CrossRefGoogle Scholar
  10. [Cra12]
    Cramer, R. (ed.): TCC 2012. LNCS, vol. 7194. Springer, Heidelberg (2012)MATHGoogle Scholar
  11. [DHT12]
    Dodis, Y., Haitner, I., Tentes, A.: On the instantiability of hash-and-sign rsa signatures. In: Cramer [Cra12], pp. 112–132Google Scholar
  12. [DJKL12]
    Dachman-Soled, D., Jain, A., Kalai, Y.T., Lopez-Alt, A.: On the (in)security of the fiat-shamir paradigm, revisited. Cryptology ePrint Archive, Report 2012/706 (2012), http://eprint.iacr.org/
  13. [DNRS99]
    Dwork, C., Naor, M., Reingold, O., Stockmeyer, L.J.: Magic functions. In: FOCS, pp. 523–534 (1999)Google Scholar
  14. [DOP05]
    Dodis, Y., Oliveira, R., Pietrzak, K.: On the Generic Insecurity of the Full Domain Hash. In: Shoup, V. (ed.) CRYPTO 2005. LNCS, vol. 3621, pp. 449–466. Springer, Heidelberg (2005)CrossRefGoogle Scholar
  15. [DRV12]
    Dodis, Y., Ristenpart, T., Vadhan, S.P.: Randomness condensers for efficiently samplable, seed-dependent sources. In: Cramer [Cra12], pp. 618–635Google Scholar
  16. [FS86]
    Fiat, A., Shamir, A.: How to Prove Yourself: Practical Solutions to Identification and Signature Problems. In: Odlyzko, A.M. (ed.) CRYPTO 1986. LNCS, vol. 263, pp. 186–194. Springer, Heidelberg (1987)CrossRefGoogle Scholar
  17. [GBL08]
    Garg, S., Bhaskar, R., Lokam, S.V.: Improved Bounds on Security Reductions for Discrete Log Based Signatures. In: Wagner, D. (ed.) CRYPTO 2008. LNCS, vol. 5157, pp. 93–107. Springer, Heidelberg (2008)CrossRefGoogle Scholar
  18. [GK03]
    Goldwasser, S., Kalai, Y.T.: On the (in)security of the Fiat-Shamir paradigm. In: 44th Annual Symposium on Foundations of Computer Science, pp. 102–115. IEEE Computer Society Press (October 2003)Google Scholar
  19. [GMR89]
    Goldwasser, S., Micali, S., Rackoff, C.: The knowledge complexity of interactive proof systems. SIAM Journal on Computing 18(1), 186–208 (1989); Preliminary version appeared in STOC 1985. Google Scholar
  20. [GO94]
    Goldreich, O., Oren, Y.: Definitions and properties of zero-knowledge proof systems. Journal of Cryptology 7(1), 1–32 (1994)MathSciNetCrossRefMATHGoogle Scholar
  21. [GQ90]
    Guillou, L.C., Quisquater, J.-J.: A “Paradoxical” Identity-Based Signature Scheme Resulting from Zero-Knowledge. In: Goldwasser, S. (ed.) CRYPTO 1988. LNCS, vol. 403, pp. 216–231. Springer, Heidelberg (1990)CrossRefGoogle Scholar
  22. [GW11]
    Gentry, C., Wichs, D.: Separating succinct non-interactive arguments from all falsifiable assumptions. In: Fortnow, L., Vadhan, S.P. (eds.) 43rd Annual ACM Symposium on Theory of Computing, pp. 99–108. ACM Press (June 2011)Google Scholar
  23. [HH09]
    Haitner, I., Holenstein, T.: On the (Im)Possibility of Key Dependent Encryption. In: Reingold, O. (ed.) TCC 2009. LNCS, vol. 5444, pp. 202–219. Springer, Heidelberg (2009)CrossRefGoogle Scholar
  24. [Kil92]
    Kilian, J.: A note on efficient zero-knowledge proofs and arguments. In: Proceedings of the 24th Annual ACM Symposium on Theory of Computing, STOC 1992, pp. 723–732 (1992)Google Scholar
  25. [Mic94]
    Micali, S.: A secure and efficient digital signature algorithm. Technical Memo MIT/LCS/TM-501b, Massachusetts Institute of Technology, Laboratory for Computer Science (April 1994)Google Scholar
  26. [Mic00]
    Micali, S.: Computationally sound proofs. SIAM Journal on Computing 30(4), 1253–1298 (2000); Preliminary version appeared in FOCS 1994MathSciNetCrossRefMATHGoogle Scholar
  27. [Nao03]
    Naor, M.: On Cryptographic Assumptions and Challenges. In: Boneh, D. (ed.) CRYPTO 2003. LNCS, vol. 2729, pp. 96–109. Springer, Heidelberg (2003)CrossRefGoogle Scholar
  28. [Oka93]
    Okamoto, T.: Provably Secure and Practical Identification Schemes and Corresponding Signature Schemes. In: Brickell, E.F. (ed.) CRYPTO 1992. LNCS, vol. 740, pp. 31–53. Springer, Heidelberg (1993)CrossRefGoogle Scholar
  29. [Pas03]
    Pass, R.: Simulation in Quasi-Polynomial Time, and Its Application to Protocol Composition. In: Biham, E. (ed.) EUROCRYPT 2003. LNCS, vol. 2656, pp. 160–176. Springer, Heidelberg (2003)CrossRefGoogle Scholar
  30. [Pas11]
    Pass, R.: Limits of provable security from standard assumptions. In: Fortnow, L., Vadhan, S.P. (eds.) 43rd Annual ACM Symposium on Theory of Computing, pp. 109–118. ACM Press (June 2011)Google Scholar
  31. [PS00]
    Pointcheval, D., Stern, J.: Security arguments for digital signatures and blind signatures. Journal of Cryptology 13(3), 361–396 (2000)CrossRefMATHGoogle Scholar
  32. [PV05]
    Paillier, P., Vergnaud, D.: Discrete-Log-Based Signatures May Not Be Equivalent to Discrete Log. In: Roy, B. (ed.) ASIACRYPT 2005. LNCS, vol. 3788, pp. 1–20. Springer, Heidelberg (2005)CrossRefGoogle Scholar
  33. [Sch91]
    Schnorr, C.-P.: Efficient signature generation by smart cards. Journal of Cryptology 4(3), 161–174 (1991)MathSciNetCrossRefMATHGoogle Scholar
  34. [Seu12]
    Seurin, Y.: On the Exact Security of Schnorr-Type Signatures in the Random Oracle Model. In: Pointcheval, D., Johansson, T. (eds.) EUROCRYPT 2012. LNCS, vol. 7237, pp. 554–571. Springer, Heidelberg (2012)CrossRefGoogle Scholar
  35. [Wic12]
    Wichs, D.: Barriers in cryptography with weak, correlated and leaky sources. Cryptology ePrint Archive, Report 2012/459 (2012), http://eprint.iacr.org/

Copyright information

© International Association for Cryptologic Research 2013

Authors and Affiliations

  • Nir Bitansky
    • 1
  • Dana Dachman-Soled
    • 2
  • Sanjam Garg
    • 3
  • Abhishek Jain
    • 4
  • Yael Tauman Kalai
    • 2
  • Adriana López-Alt
    • 5
  • Daniel Wichs
    • 6
  1. 1.Tel Aviv UniversityIsrael
  2. 2.Microsoft Research New EnglandUK
  3. 3.UCLAUSA
  4. 4.MIT and BUUSA
  5. 5.NYUUSA
  6. 6.IBM Research, T.J. WatsonUSA

Personalised recommendations