TY - JOUR
T1 - Fiat–Shamir Transformation of Multi-Round Interactive Proofs (Extended Version)
AU - Attema, Thomas
AU - Fehr, Serge
AU - Klooß, Michael
N1 - Funding Information:
The first author was supported by EU H2020 Project No. 780701 (PROMETHEUS) and the Vraaggestuurd Programma Cyber Security & Resilience, part of the Dutch Top Sector High Tech Systems and Materials program. The third author was supported by the topic Engineering Secure Systems (46.23.01) of the Helmholtz Association (HGF) and by KASTEL Security Research Labs.
Publisher Copyright:
© 2023, The Author(s).
PY - 2023/10
Y1 - 2023/10
N2 - The celebrated Fiat–Shamir transformation turns any public-coin interactive proof into a non-interactive one, which inherits the main security properties (in the random oracle model) of the interactive version. While originally considered in the context of 3-move public-coin interactive proofs, i.e., so-called Σ -protocols, it is now applied to multi-round protocols as well. Unfortunately, the security loss for a (2 μ+ 1) -move protocol is, in general, approximately Qμ , where Q is the number of oracle queries performed by the attacker. In general, this is the best one can hope for, as it is easy to see that this loss applies to the μ -fold sequential repetition of Σ -protocols, but it raises the question whether certain (natural) classes of interactive proofs feature a milder security loss. In this work, we give positive and negative results on this question. On the positive side, we show that for (k1, … , kμ) -special-sound protocols (which cover a broad class of use cases), the knowledge error degrades linearly in Q, instead of Qμ . On the negative side, we show that for t-fold parallel repetitions of typical (k1, … , kμ) -special-sound protocols with t≥ μ (and assuming for simplicity that t and Q are integer multiples of μ), there is an attack that results in a security loss of approximately 12Qμ/μμ+t .
AB - The celebrated Fiat–Shamir transformation turns any public-coin interactive proof into a non-interactive one, which inherits the main security properties (in the random oracle model) of the interactive version. While originally considered in the context of 3-move public-coin interactive proofs, i.e., so-called Σ -protocols, it is now applied to multi-round protocols as well. Unfortunately, the security loss for a (2 μ+ 1) -move protocol is, in general, approximately Qμ , where Q is the number of oracle queries performed by the attacker. In general, this is the best one can hope for, as it is easy to see that this loss applies to the μ -fold sequential repetition of Σ -protocols, but it raises the question whether certain (natural) classes of interactive proofs feature a milder security loss. In this work, we give positive and negative results on this question. On the positive side, we show that for (k1, … , kμ) -special-sound protocols (which cover a broad class of use cases), the knowledge error degrades linearly in Q, instead of Qμ . On the negative side, we show that for t-fold parallel repetitions of typical (k1, … , kμ) -special-sound protocols with t≥ μ (and assuming for simplicity that t and Q are integer multiples of μ), there is an attack that results in a security loss of approximately 12Qμ/μμ+t .
UR - http://www.scopus.com/inward/record.url?scp=85168241151&partnerID=8YFLogxK
U2 - 10.1007/s00145-023-09478-y
DO - 10.1007/s00145-023-09478-y
M3 - Article
AN - SCOPUS:85168241151
SN - 0933-2790
VL - 36
JO - Journal of Cryptology
JF - Journal of Cryptology
IS - 4
M1 - 36
ER -