
Fiat–Shamir for Highly Sound Protocols Is Instantiable

Part of the Lecture Notes in Computer Science book series (LNSC, volume 9841)

Abstract

The Fiat–Shamir (FS) transformation (Fiat and Shamir, Crypto ’86) is a popular paradigm for constructing very efficient non-interactive zero-knowledge (NIZK) arguments and signature schemes using a hash function, starting from any three-move interactive protocol satisfying certain properties. Despite its widespread applicability both in theory and in practice, the known positive results for proving security of the FS paradigm are in the random oracle model, i.e., they assume that the hash function is modelled as an external random function accessible to all parties. On the other hand, a sequence of negative results shows that for certain classes of interactive protocols, the FS transform cannot be instantiated in the standard model.

We initiate the study of complementary positive results, namely, studying classes of interactive protocols where the FS transform does have standard-model instantiations. In particular, we show that for a class of “highly sound” protocols that we define, instantiating the FS transform via a q-wise independent hash function yields NIZK arguments and secure signature schemes. For NIZK, we obtain a weaker “q-bounded” zero-knowledge flavor where the simulator works for all adversaries asking an a-priori bounded number of queries q; for signatures, we obtain the weaker notion of random-message unforgeability against q-bounded random message attacks.

Our main idea is that when the protocol is highly sound, then instead of using random-oracle programming, one can use complexity leveraging. The question is whether such highly sound protocols exist and if so, which protocols lie in this class. We answer this question in the affirmative in the common reference string (CRS) model and under strong assumptions. Namely, assuming indistinguishability obfuscation and puncturable pseudorandom functions we construct a compiler that transforms any 3-move interactive protocol with instance-independent commitments and simulators (a property satisfied by the Lapidot-Shamir protocol, Crypto ’90) into a compiled protocol in the CRS model that is highly sound. We also present a second compiler, in order to be able to start from a larger class of protocols, which only requires instance-independent commitments (a property for example satisfied by the classical protocol for quadratic residuosity due to Blum, Crypto ’81). For the second compiler we require dual-mode commitments.

We hope that our work inspires more research on classes of (efficient) 3-move protocols where Fiat–Shamir is (efficiently) instantiable.
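The following is an added illustration, not code from the paper: the FS transform of the abstract applied to Blum's three-move protocol for quadratic residuosity, with the verifier's challenge replaced by a q-wise independent hash (a random polynomial over a prime field) whose key hk is public, as a standard-model CRS would be. The modulus N, repetition count T, witness and q are toy values constructed here; the cheating prover at the end shows why the base protocol must be highly sound once the hash key is public, since a plain Sigma-protocol's soundness collapses at a cost of roughly 2**T evaluations of H.

```python
# Added example (not the paper's code). Toy parameters, constructed for
# illustration: N is a small RSA-style modulus, T the challenge length.
import secrets

P = 2**127 - 1   # prime field of the hash family; P > N**T keeps encode() injective
N = 7 * 11       # constructed toy modulus; the statement is x = w^2 mod N
T = 8            # parallel repetitions of Blum's protocol = challenge bits

def hash_keygen(q):
    """Public key of a q-wise independent hash: q random coefficients in F_P
    (a uniformly random polynomial of degree q-1 is q-wise independent)."""
    return [secrets.randbelow(P) for _ in range(q)]

def encode(alpha):
    """Injective map from a commitment vector (T residues mod N) into F_P."""
    return sum(a * N**i for i, a in enumerate(alpha)) % P

def H(hk, alpha):
    """beta = H(hk, alpha): evaluate the polynomial (Horner), keep T bits."""
    x, y = encode(alpha), 0
    for c in reversed(hk):
        y = (y * x + c) % P
    return [(y >> i) & 1 for i in range(T)]

def fs_prove(hk, x, w):
    """Honest prover: commit, derive the challenge from the commitment, answer."""
    r = [secrets.randbelow(N - 1) + 1 for _ in range(T)]
    alpha = [ri * ri % N for ri in r]
    beta = H(hk, alpha)                       # replaces the verifier's message
    gamma = [ri * pow(w, b, N) % N for ri, b in zip(r, beta)]
    return alpha, gamma                       # beta omitted: verifier recomputes it

def fs_verify(hk, x, proof):
    """Verifier recomputes beta and checks gamma_i^2 = alpha_i * x^beta_i mod N."""
    alpha, gamma = proof
    beta = H(hk, alpha)
    return all(g * g % N == a * pow(x, b, N) % N for a, b, g in zip(alpha, beta, gamma))

def cheat_prove(hk, x):
    """Prover with no witness. Because hk is public it can search for a
    commitment whose derived challenge it has already answered, in about
    2**T tries. A highly sound protocol must survive this; Blum's does not."""
    x_inv = pow(x, -1, N)
    while True:
        beta = [secrets.randbelow(2) for _ in range(T)]
        gamma = [secrets.randbelow(N - 1) + 1 for _ in range(T)]
        alpha = [g * g * pow(x_inv, b, N) % N for g, b in zip(gamma, beta)]
        if H(hk, alpha) == beta:
            return alpha, gamma
```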

Keywords

  • Hash Function
  • Signature Scheme
  • Random Oracle
  • Commitment Scheme
  • Interactive Protocol



Notes

  1. There are over 3,000 Google-Scholar-known citations to [26], as we type.

  2. The value \(\beta \) is typically omitted from the proof, as the verifier can compute it by itself.

  3. Entropy preservation roughly says that for all efficient adversaries that get a uniformly random hash key \(\mathsf {hk}\) and produce a correlated value \(\alpha \), the conditional Shannon entropy of \(\beta = \mathsf {H}(\mathsf {hk},\alpha )\) given \(\alpha \), but not \(\mathsf {hk}\), is sufficiently large.

  4. For standard-model 3PC arguments, the CRS contains the empty string \(\varepsilon \). The reason for considering a CRS is that, looking ahead, our compilers yield highly sound protocols in the CRS model.

  5. Note that the value k can be included in the language, and thus considered as public.

References

  1. Abdalla, M., An, J.H., Bellare, M., Namprempre, C.: From identification to signatures via the Fiat-Shamir transform: minimizing assumptions for security and forward-security. In: Knudsen, L.R. (ed.) EUROCRYPT 2002. LNCS, vol. 2332, pp. 418–433. Springer, Heidelberg (2002)
  2. Barak, B.: How to go beyond the black-box simulation barrier. In: 42nd Annual Symposium on Foundations of Computer Science, 14–17 October 2001, pp. 106–115. IEEE Computer Society Press, Las Vegas (2001)
  3. Barak, B., Lindell, Y., Vadhan, S.P.: Lower bounds for non-black-box zero knowledge. In: 44th Annual Symposium on Foundations of Computer Science, 11–14 October 2003, pp. 384–393. IEEE Computer Society Press, Cambridge (2003)
  4. Bellare, M., Rogaway, P.: Random oracles are practical: a paradigm for designing efficient protocols. In: Ashby, V. (ed.) ACM CCS 93: 1st Conference on Computer and Communications Security, 3–5 November 1993, pp. 62–73. ACM Press, Fairfax (1993)
  5. Bellare, M., Shoup, S.: Two-tier signatures, strongly unforgeable signatures, and Fiat-Shamir without random oracles. In: Okamoto, T., Wang, X. (eds.) PKC 2007. LNCS, vol. 4450, pp. 201–216. Springer, Heidelberg (2007)
  6. Bernhard, D., Pereira, O., Warinschi, B.: How not to prove yourself: pitfalls of the Fiat-Shamir heuristic and applications to Helios. In: Wang, X., Sako, K. (eds.) ASIACRYPT 2012. LNCS, vol. 7658, pp. 626–643. Springer, Heidelberg (2012)
  7. Bitansky, N., Dachman-Soled, D., Garg, S., Jain, A., Kalai, Y.T., López-Alt, A., Wichs, D.: Why “Fiat-Shamir for proofs” lacks a proof. In: Sahai, A. (ed.) TCC 2013. LNCS, vol. 7785, pp. 182–201. Springer, Heidelberg (2013)
  8. Bitansky, N., Garg, S., Wichs, D.: Why Fiat-Shamir for proofs lacks a proof. Cryptology ePrint Archive, Report 2012/705 (2012). http://eprint.iacr.org/2012/705
  9. Blum, M.: Coin flipping by telephone. In: Gersho, A. (ed.) Advances in Cryptology - CRYPTO 1981. ECE Report 82–04, pp. 11–15. U.C. Santa Barbara, Department of Electrical and Computer Engineering, Santa Barbara, CA, USA (1981)
  10. Blum, M., Feldman, P., Micali, S.: Non-interactive zero-knowledge and its applications (extended abstract). In: 20th Annual ACM Symposium on Theory of Computing, 2–4 May 1988, pp. 103–112. ACM Press, Chicago (1988)
  11. Camenisch, J.L., Hohenberger, S., Lysyanskaya, A.: Compact e-cash. In: Cramer, R. (ed.) EUROCRYPT 2005. LNCS, vol. 3494, pp. 302–321. Springer, Heidelberg (2005)
  12. Camenisch, J.L., Lysyanskaya, A.: Dynamic accumulators and application to efficient revocation of anonymous credentials. In: Yung, M. (ed.) CRYPTO 2002. LNCS, vol. 2442, pp. 61–76. Springer, Heidelberg (2002)
  13. Canetti, R., Chen, Y., Reyzin, L.: On the correlation intractability of obfuscated pseudorandom functions. Cryptology ePrint Archive, Report 2015/334 (2015). http://eprint.iacr.org/
  14. Canetti, R., Goldreich, O., Halevi, S.: The random oracle methodology, revisited (preliminary version). In: 30th Annual ACM Symposium on Theory of Computing, 23–26 May 1998, pp. 209–218. ACM Press, Dallas (1998)
  15. Ciampi, M., Persiano, G., Scafuro, A., Siniscalchi, L., Visconti, I.: Improved OR-composition of sigma-protocols. In: Kushilevitz, E., et al. (eds.) TCC 2016-A. LNCS, vol. 9563, pp. 112–141. Springer, Heidelberg (2016). doi:10.1007/978-3-662-49099-0_5
  16. Ciampi, M., Persiano, G., Scafuro, A., Siniscalchi, L., Visconti, I.: Online/offline OR composition of sigma protocols. Cryptology ePrint Archive, Report 2016/175 (2016). http://eprint.iacr.org/
  17. Ciampi, M., Persiano, G., Siniscalchi, L., Visconti, I.: A transform for NIZK almost as efficient and general as the Fiat-Shamir transform without programmable random oracles. In: Kushilevitz, E., et al. (eds.) TCC 2016-A. LNCS, vol. 9563, pp. 83–111. Springer, Heidelberg (2016). doi:10.1007/978-3-662-49099-0_4
  18. Dachman-Soled, D., Jain, A., Kalai, Y.T., López-Alt, A.: On the (in)security of the Fiat-Shamir paradigm, revisited. IACR Cryptology ePrint Archive 2012, 706 (2012). http://eprint.iacr.org/2012/706
  19. Dagdelen, Ö., Venturi, D.: A second look at Fischlin’s transformation. In: Pointcheval, D., Vergnaud, D. (eds.) AFRICACRYPT 2014. LNCS, vol. 8469, pp. 356–376. Springer, Heidelberg (2014)
  20. Damgård, I.B.: Efficient concurrent zero-knowledge in the auxiliary string model. In: Preneel, B. (ed.) EUROCRYPT 2000. LNCS, vol. 1807, pp. 418–430. Springer, Heidelberg (2000)
  21. Dodis, Y., Ristenpart, T., Vadhan, S.: Randomness condensers for efficiently samplable, seed-dependent sources. In: Cramer, R. (ed.) TCC 2012. LNCS, vol. 7194, pp. 618–635. Springer, Heidelberg (2012)
  22. Dolev, D., Dwork, C., Naor, M.: Non-malleable cryptography (extended abstract). In: 23rd Annual ACM Symposium on Theory of Computing, 6–8 May 1991, pp. 542–552. ACM Press, New Orleans (1991)
  23. Dwork, C., Naor, M., Reingold, O., Stockmeyer, L.J.: Magic functions. In: 40th Annual Symposium on Foundations of Computer Science, 17–19 October 1999, pp. 523–534. IEEE Computer Society Press, New York (1999)
  24. Elkind, E., Lipmaa, H.: Interleaving cryptography and mechanism design. In: Juels, A. (ed.) FC 2004. LNCS, vol. 3110, pp. 117–131. Springer, Heidelberg (2004)
  25. Faust, S., Kohlweiss, M., Marson, G.A., Venturi, D.: On the non-malleability of the Fiat-Shamir transform. In: Galbraith, S., Nandi, M. (eds.) INDOCRYPT 2012. LNCS, vol. 7668, pp. 60–79. Springer, Heidelberg (2012)
  26. Fiat, A., Shamir, A.: How to prove yourself: practical solutions to identification and signature problems. In: Odlyzko, A.M. (ed.) CRYPTO 1986. LNCS, vol. 263, pp. 186–194. Springer, Heidelberg (1987)
  27. Fischlin, M.: Communication-efficient non-interactive proofs of knowledge with online extractors. In: Shoup, V. (ed.) CRYPTO 2005. LNCS, vol. 3621, pp. 152–168. Springer, Heidelberg (2005)
  28. Goldreich, O., Micali, S., Wigderson, A.: How to play any mental game or a completeness theorem for protocols with honest majority. In: Aho, A. (ed.) 19th Annual ACM Symposium on Theory of Computing, 25–27 May 1987, pp. 218–229. ACM Press, New York City (1987)
  29. Goldwasser, S., Kalai, Y.T.: On the (in)security of the Fiat-Shamir paradigm. In: 44th Annual Symposium on Foundations of Computer Science, 11–14 October 2003, pp. 102–115. IEEE Computer Society Press, Cambridge (2003)
  30. Goyal, V., Ostrovsky, R., Scafuro, A., Visconti, I.: Black-box non-black-box zero knowledge. In: Shmoys, D.B. (ed.) 46th Annual ACM Symposium on Theory of Computing, May 31–June 3 2014, pp. 515–524. ACM Press, New York (2014)
  31. Groth, J., Sahai, A.: Efficient non-interactive proof systems for bilinear groups. In: Smart, N.P. (ed.) EUROCRYPT 2008. LNCS, vol. 4965, pp. 415–432. Springer, Heidelberg (2008)
  32. Haitner, I.: A parallel repetition theorem for any interactive argument. In: 50th Annual Symposium on Foundations of Computer Science, 25–27 October 2009, pp. 241–250. IEEE Computer Society Press, Atlanta (2009)
  33. Hazay, C., Venkitasubramaniam, M.: On the power of secure two-party computation. Cryptology ePrint Archive, Report 2016/074 (2016). http://eprint.iacr.org/
  34. Hohenberger, S., Sahai, A., Waters, B.: Replacing a random oracle: full domain hash from indistinguishability obfuscation. In: Nguyen, P.Q., Oswald, E. (eds.) EUROCRYPT 2014. LNCS, vol. 8441, pp. 201–220. Springer, Heidelberg (2014)
  35. Kalai, Y.T., Rothblum, G.N., Rothblum, R.D.: From obfuscation to the security of Fiat-Shamir for proofs. Cryptology ePrint Archive, Report 2016/303 (2016). http://eprint.iacr.org/
  36. Kiayias, A., Zacharias, T., Zhang, B.: End-to-end verifiable elections in the standard model. In: Oswald, E., Fischlin, M. (eds.) EUROCRYPT 2015. LNCS, vol. 9057, pp. 468–498. Springer, Heidelberg (2015)
  37. Lapidot, D., Shamir, A.: Publicly verifiable non-interactive zero-knowledge proofs. In: Menezes, A., Vanstone, S.A. (eds.) CRYPTO 1990. LNCS, vol. 537, pp. 353–365. Springer, Heidelberg (1991)
  38. Lindell, Y.: An efficient transform from sigma protocols to NIZK with a CRS and non-programmable random oracle. In: Dodis, Y., Nielsen, J.B. (eds.) TCC 2015, Part I. LNCS, vol. 9014, pp. 93–109. Springer, Heidelberg (2015)
  39. Mittelbach, A., Venturi, D.: Fiat-Shamir for highly sound protocols is instantiable. IACR Cryptology ePrint Archive 2016, 313 (2016). http://eprint.iacr.org/2016/313
  40. Okamoto, T.: Provably secure and practical identification schemes and corresponding signature schemes. In: Brickell, E.F. (ed.) CRYPTO 1992. LNCS, vol. 740, pp. 31–53. Springer, Heidelberg (1993)
  41. Ostrovsky, R., Visconti, I.: Simultaneous resettability from collision resistance. Electronic Colloquium on Computational Complexity (ECCC) 19, 164 (2012). http://eccc.hpi-web.de/report/2012/164
  42. Pointcheval, D., Stern, J.: Security arguments for digital signatures and blind signatures. J. Cryptol. 13(3), 361–396 (2000)
  43. Sahai, A., Waters, B.: How to use indistinguishability obfuscation: deniable encryption, and more. In: Shmoys, D.B. (ed.) 46th Annual ACM Symposium on Theory of Computing, May 31–June 3 2014, pp. 475–484. ACM Press, New York (2014)


Acknowledgments

We are grateful to Christina Brzuska for her active participation in this research. Her ideas, feedback and suggestions played an essential part in the development of this work.

We thank Nils Fleischhacker and Markulf Kohlweiss for helpful comments on the presentation. We are grateful to an anonymous reviewer of TCC 2016 for pointing out that the constant hash function already suffices for obtaining a 1-bounded NIZK assuming properties \(\mathbf P1 \)-\(\mathbf P3 \), thereby inspiring the use of a q-wise independent hash function as instantiation. Before, we used a more complicated construction based on indistinguishability obfuscation and puncturable PRFs. We also thank the reviewer for pointing out the Blum-Lapidot-Shamir protocol, and we thank Ivan Visconti for helpful discussions and clarifications on the Blum-Lapidot-Shamir protocol.

Author information

Corresponding author: Daniele Venturi.


Copyright information

© 2016 Springer International Publishing Switzerland

Cite this paper

Mittelbach, A., Venturi, D. (2016). Fiat–Shamir for Highly Sound Protocols Is Instantiable. In: Zikas, V., De Prisco, R. (eds.) Security and Cryptography for Networks. SCN 2016. Lecture Notes in Computer Science, vol. 9841. Springer, Cham. https://doi.org/10.1007/978-3-319-44618-9_11

  • DOI: https://doi.org/10.1007/978-3-319-44618-9_11
  • Publisher Name: Springer, Cham
  • Print ISBN: 978-3-319-44617-2
  • Online ISBN: 978-3-319-44618-9