Adaptive Proofs of Knowledge in the Random Oracle Model

  • David Bernhard
  • Marc Fischlin
  • Bogdan Warinschi
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 9020)


We formalise the notion of adaptive proofs of knowledge in the random oracle model, where the extractor has to recover witnesses for multiple, possibly adaptively chosen statements and proofs. We also discuss extensions to simulation soundness, as typically required for the “encrypt-then-prove” construction of strongly secure encryption from IND-CPA schemes. Utilizing our model we show three results:
  1. (1)

    Simulation-sound adaptive proofs exist.

  2. (2)

    The “encrypt-then-prove” construction with a simulation-sound adaptive proof yields CCA security. This appears to be a “folklore” result but which has never been proven in the random oracle model. As a corollary, we obtain a new class of CCA-secure encryption schemes.

  3. (3)

    We show that the Fiat-Shamir transformed Schnorr protocol is not adaptively secure and discuss the implications of this limitation.


Our result not only separates adaptive proofs from proofs of knowledge, but also gives a strong hint why Signed ElGamal as the most prominent encrypt-then-prove example has not been proven CCA-secure without making further assumptions.


Random Oracle Random String Random Oracle Model Proof Scheme Valid Proof 
These keywords were added by machine and not by the authors. This process is experimental and the keywords may be updated as the learning algorithm improves.


Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.


  1. 1.
    Abe, M.: Combining Encryption and Proof of Knowledge in the Random Oracle Model. The Computer Journal 47(1), 58–70 (2004)CrossRefzbMATHGoogle Scholar
  2. 2.
    Abdalla, M., Bellare, M., Rogaway, P.: The oracle diffie-Hellman assumptions and an analysis of DHIES. In: Naccache, D. (ed.) CT-RSA 2001. LNCS, vol. 2020, p. 143. Springer, Heidelberg (2001) CrossRefGoogle Scholar
  3. 3.
    Adida, B.: Helios: web-based open-audit voting. In: 17th USENIX security symposium, pp. 335–348. Helios website (2008). paper:
  4. 4.
    Bagherzandi, A., Cheaon, J.H., Jarecki, S.: Multisignatures secure under the discrete logarithm assumption and a generalized forking lemma. In: CCS 2008, pp. 449–458. ACM press (2008)Google Scholar
  5. 5.
    Bellare, M., Goldreich, O.: On defining proofs of knowledge. In: Brickell, E.F. (ed.) CRYPTO 1992. LNCS, vol. 740, pp. 390–420. Springer, Heidelberg (1993) CrossRefGoogle Scholar
  6. 6.
    Bellare, M., Goldreich, O.: On probabilistic versus deterministic provers in the definition of proofs of knowledge. In: Goldreich, O. (ed.) Studies in Complexity and Cryptography. LNCS, vol. 6650, pp. 114–123. Springer, Heidelberg (2011) Google Scholar
  7. 7.
    Bellare, M., Namprempre, C., Pointcheval, D., Semanko, M.: The One-More-RSA-Inversion Problems and the Security of Chaum’s Blind Signature Scheme. J. Cryptology 16(3), 185–215 (2003). SpringerCrossRefzbMATHMathSciNetGoogle Scholar
  8. 8.
    Bellare, M., Neven, G.: Multi-signatures in the plain public-key model and a general forking lemma. In: Proceedings of ACM Conference on Computer and Communications Security, pp. 390–399 (2006)Google Scholar
  9. 9.
    Bellare, M., Rogaway, P.: Random oracles are practical: a paradigm for designing efficient protocols. In: ACM Conference on Computer and Communications Security, pp. 62–73. ACM (1993)Google Scholar
  10. 10.
    Bellare, M., Rogaway, P.: The security of triple encryption and a framework for code-based game-playing proofs. In: Vaudenay, S. (ed.) EUROCRYPT 2006. LNCS, vol. 4004, pp. 409–426. Springer, Heidelberg (2006). Full version of 27 November 2008 (Draft 3.0) at CrossRefGoogle Scholar
  11. 11.
    Bellare, M., Sahai, A.: Non-malleable encryption: equivalence between two notions, and an indistinguishability-based characterization. In: Wiener, M. (ed.) CRYPTO 1999. LNCS, vol. 1666, pp. 519–536. Springer, Heidelberg (1999) Google Scholar
  12. 12.
    Bernhard, D., Pereira, O., Warinschi, B.: How not to prove yourself: pitfalls of the Fiat-Shamir Heuristic and applications to Helios. In: Wang, X., Sako, K. (eds.) ASIACRYPT 2012. LNCS, vol. 7658, pp. 626–643. Springer, Heidelberg (2012) CrossRefGoogle Scholar
  13. 13.
    Blum, M., Feldman, P., Micali, S.: Non-interactive zero-knowledge and its applications. In: Proceedings of the twentieth annual ACM symposium on theory of computing (STOC 1990), pp. 103–112 (1988)Google Scholar
  14. 14.
    Canetti, R., Goldreich, O., Goldwasser, S., Micali, S.: Resettable zero-knowledge. In: STOC, pp. 235–244. ACM Press (2000)Google Scholar
  15. 15.
    Chase, M., Lysyanskaya, A.: On signatures of knowledge. In: Dwork, C. (ed.) CRYPTO 2006. LNCS, vol. 4117, pp. 78–96. Springer, Heidelberg (2006) CrossRefGoogle Scholar
  16. 16.
    Cramer, R., Shoup, V.: A practical public key cryptosystem provably secure against adaptive chosen ciphertext attack. In: Krawczyk, H. (ed.) CRYPTO 1998. LNCS, vol. 1462, p. 13. Springer, Heidelberg (1998) CrossRefGoogle Scholar
  17. 17.
    Damgård, I.B.: Towards practical public key systems secure against chosen ciphertext attacks. In: Feigenbaum, J. (ed.) CRYPTO 1991. LNCS, vol. 576, pp. 445–456. Springer, Heidelberg (1992) Google Scholar
  18. 18.
    De Santis, A., Di Crescenzo, G., Ostrovsky, R., Persiano, G., Sahai, A.: Robust non-interactive zero knowledge. In: Kilian, J. (ed.) CRYPTO 2001. LNCS, vol. 2139, p. 566. Springer, Heidelberg (2001) CrossRefGoogle Scholar
  19. 19.
    De Santis, A., Persiano, G.: Zero-knowledge proofs of knowledge without interaction (extended abstract). In: FOCS, pp. 427–436 (1992)Google Scholar
  20. 20.
    Dodis, Y., Haralambiev, K., López-Alt, A., Wichs, D.: Efficient public-key cryptography in the presence of key leakage. In: Abe, M. (ed.) ASIACRYPT 2010. LNCS, vol. 6477, pp. 613–631. Springer, Heidelberg (2010) CrossRefGoogle Scholar
  21. 21.
    Faust, S., Kohlweiss, M., Marson, G.A., Venturi, D.: On the non-malleability of the Fiat-Shamir transform. In: Galbraith, S., Nandi, M. (eds.) INDOCRYPT 2012. LNCS, vol. 7668. Springer, Heidelberg (2012) CrossRefGoogle Scholar
  22. 22.
    Feige, U., Fiat, A., Shamir, A.: Zero-knowledge proofs of identity. Journal of Cryptology 1(2), 77–94 (1988)CrossRefzbMATHMathSciNetGoogle Scholar
  23. 23.
    Feige, U., Lapidot, D., Shamir, A.: Multiple non-interactive zero knowledge proofs based on a single random string (extended abstract). In: FOCS, pp. 308–317 (1990)Google Scholar
  24. 24.
    Feige, U., Shamir, A.: Zero knowledge proofs of knowledge in two rounds. In: Brassard, G. (ed.) CRYPTO 1989. LNCS, vol. 435, pp. 526–544. Springer, Heidelberg (1990) Google Scholar
  25. 25.
    Fiat, A., Shamir, A.: How to prove yourself: practical solutions to identification and signature problems. In: Odlyzko, A.M. (ed.) CRYPTO 1986. LNCS, vol. 263, pp. 186–194. Springer, Heidelberg (1987) CrossRefGoogle Scholar
  26. 26.
    Fischlin, M.: Communication-efficient non-interactive proofs of knowledge with online extractors. In: Shoup, V. (ed.) CRYPTO 2005. LNCS, vol. 3621, pp. 152–168. Springer, Heidelberg (2005) CrossRefGoogle Scholar
  27. 27.
    Fouque, P.-A., Pointcheval, D.: Threshold cryptosystems secure against chosen-ciphertext attacks. In: Boyd, C. (ed.) ASIACRYPT 2001. LNCS, vol. 2248, p. 351. Springer, Heidelberg (2001) CrossRefGoogle Scholar
  28. 28.
    Fujisaki, E., Okamoto, T.: Secure Integration of Asymmetric and Symmetric Encryption Schemes. J. Cryptology 26(1), 80–101 (2013)CrossRefzbMATHMathSciNetGoogle Scholar
  29. 29.
    Garay, J.A., MacKenzie, P.D., Yang, K.: Strengthening Zero-Knowledge Protocols Using Signatures. J. Cryptology 19(2), 169–209 (2006). SpringerCrossRefzbMATHMathSciNetGoogle Scholar
  30. 30.
    Garg, S., Bhaskar, R., Lokam, S.V.: Improved bounds on security reductions for discrete log based signatures. In: Wagner, D. (ed.) CRYPTO 2008. LNCS, vol. 5157, pp. 93–107. Springer, Heidelberg (2008) CrossRefGoogle Scholar
  31. 31.
    Goldwasser, S., Micali, S., Rackoff, C.: The Knowledge Complexity of Interactive Proof Systems. SIAM J. Comput. 18(1), 186–208 (1989)CrossRefzbMATHMathSciNetGoogle Scholar
  32. 32.
    Goldreich, O., Ostrovsky, R.: Software Protection and Simulation on Oblivious RAMs. J. ACM 43(3), 431–473 (1996)CrossRefzbMATHMathSciNetGoogle Scholar
  33. 33.
    Groth, J.: Simulation-sound NIZK proofs for a practical language and constant size group signatures. In: Lai, X., Chen, K. (eds.) ASIACRYPT 2006. LNCS, vol. 4284, pp. 444–459. Springer, Heidelberg (2006) CrossRefGoogle Scholar
  34. 34.
    Kiltz, E., Malone-Lee, J.: A General Construction of IND-CCA2 Secure Public Key Encryption. IMA Int. Conf. 152–166 (2003)Google Scholar
  35. 35.
    Lindell, Y.: A Simpler Construction of CCA2-Secure Public-KeyEncryption under General Assumptions. J. Cryptology 19(3), 359–377 (2006). SpringerCrossRefzbMATHMathSciNetGoogle Scholar
  36. 36.
    Naor, M., Yung, M.: Public-key cryptosystems provably secure against chosen ciphertext attacks. In: Proceedings of the twenty-second annual ACM symposium on theory of computing (STOC 1990), pp. 42–437 (1990)Google Scholar
  37. 37.
    Pointcheval, D., Stern, J.: Security Arguments for Digital Signatures and Blind Signatures. J. Cryptolog 13(3), 361–396 (2000). SpringerCrossRefzbMATHGoogle Scholar
  38. 38.
    Rackoff, C., Simon, D.R.: Non-interactive zero-knowledge proof of knowledge and chosen ciphertext attack. In: Feigenbaum, J. (ed.) CRYPTO 1991. LNCS, vol. 576, pp. 433–444. Springer, Heidelberg (1992) Google Scholar
  39. 39.
    Sahai, A.: Non-malleable non-interactive zero knowledge and adaptive chosen-ciphertext security. In: Proceedings of the 40th annual symposium on foundations of computer science (FOCS 1999), pp. 543–553 (1999)Google Scholar
  40. 40.
    Schnorr, C.P.: Efficient signature generation for smart cards. Journal of cryptology 4, 161–174 (1991). SpringerCrossRefzbMATHGoogle Scholar
  41. 41.
    Schnorr, C.-P., Jakobsson, M.: Security of signed elgamal encryption. In: Okamoto, T. (ed.) ASIACRYPT 2000. LNCS, vol. 1976, p. 73. Springer, Heidelberg (2000) CrossRefGoogle Scholar
  42. 42.
    Seurin, Y.: On the exact security of schnorr-type signatures in the random oracle model. In: Pointcheval, D., Johansson, T. (eds.) EUROCRYPT 2012. LNCS, vol. 7237, pp. 554–571. Springer, Heidelberg (2012) CrossRefGoogle Scholar
  43. 43.
    Seurin, Y., Treger, J.: A robust and plaintext-aware variant of signed elgamal encryption. In: Dawson, E. (ed.) CT-RSA 2013. LNCS, vol. 7779, pp. 68–83. Springer, Heidelberg (2013) CrossRefGoogle Scholar
  44. 44.
    Shoup, V.: A Proposal for an ISO Standard for Public Key Encryption. Version 2.1 (2001).
  45. 45.
    Shoup, V., Gennaro, R.: Securing threshold cryptosystems against chosen ciphertext attack. In: Nyberg, K. (ed.) EUROCRYPT 1998. LNCS, vol. 1403, pp. 1–16. Springer, Heidelberg (1998) CrossRefGoogle Scholar
  46. 46.
    Shoup, V., Gennaro, R.: Securing Threshold Cryptosystems against Chosen Ciphertext Attack. J. Cryptology 15(2), 75–96 (2002). SpringerzbMATHMathSciNetGoogle Scholar
  47. 47.
    Tompa, M., Woll, H.: Random self-reducibility and zero knowledge interactive proofs of possession of information. In: FOCS, pp. 472–482 (1987)Google Scholar
  48. 48.
    Tsiounis, Y., Yung, M.: On the security of elgamal based encryption. In: Imai, H., Zheng, Y. (eds.) PKC 1998. LNCS, vol. 1431, p. 117. Springer, Heidelberg (1998) CrossRefGoogle Scholar
  49. 49.
    Wee, H.: Zero knowledge in the random oracle model, revisited. In: Matsui, M. (ed.) ASIACRYPT 2009. LNCS, vol. 5912, pp. 417–434. Springer, Heidelberg (2009) CrossRefGoogle Scholar
  50. 50.
    Groth, J., Sahai, A.: Efficient non-interactive proof systems for bilinear groups. In: Smart, N.P. (ed.) EUROCRYPT 2008. LNCS, vol. 4965, pp. 415–432. Springer, Heidelberg (2008) CrossRefGoogle Scholar
  51. 51.
    Wikström, D.: Simplified submission of inputs to protocols. In: Ostrovsky, R., De Prisco, R., Visconti, I. (eds.) SCN 2008. LNCS, vol. 5229, pp. 293–308. Springer, Heidelberg (2008) CrossRefGoogle Scholar
  52. 52.
    Zheng, Y., Seberry, J.: Practical approaches to attaining security against adaptively chosen ciphertext attacks. In: Brickell, E.F. (ed.) CRYPTO 1992. LNCS, vol. 740. Springer, Heidelberg (1992) Google Scholar

Copyright information

© International Association for Cryptologic Research 2015

Authors and Affiliations

  • David Bernhard
    • 1
  • Marc Fischlin
    • 2
  • Bogdan Warinschi
    • 1
  1. 1.University of BristolBristolUK
  2. 2.Technische Universität DarmstadtDarmstadtGermany

Personalised recommendations