Why "Fiat-Shamir for proofs" lacks a proof

Nir Bitansky; Dana Dachman-Soled; Sanjam Garg; Abhishek Jain; Yael Tauman Kalai; Adriana López-Alt; Daniel Wichs

doi:10.1007/978-3-642-36594-2_11

Why "Fiat-Shamir for proofs" lacks a proof

Nir Bitansky, Dana Dachman-Soled, Sanjam Garg, Abhishek Jain, Yael Tauman Kalai, Adriana López-Alt, Daniel Wichs

School of Computer Science

Tel Aviv University

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution › peer-review

Abstract

The Fiat-Shamir heuristic [CRYPTO '86] is used to convert any 3-message public-coin proof or argument system into a non-interactive argument, by hashing the prover's first message to select the verifier's challenge. It is known that this heuristic is sound when the hash function is modeled as a random oracle. On the other hand, the surprising result of Goldwasser and Kalai [FOCS '03] shows that there exists a computationally sound argument on which the Fiat-Shamir heuristic is never sound, when instantiated with any actual efficient hash function. This leaves us with the following interesting possibility: perhaps we can securely instantiates the Fiat-Shamir heuristic for all 3-message public-coin statistically sound proofs, even if we must fail for some computationally sound arguments. Indeed, this has been conjectured to be the case by Barak, Lindell and Vadhan [FOCS '03], but we do not have any provably secure instantiation under any "standard assumption". In this work, we give a broad black-box separation result showing that the security of the Fiat-Shamir heuristic for statistically sound proofs cannot be proved under virtually any standard assumption via a black-box reduction. More precisely: -If we want to have a "universal" instantiation of the Fiat-Shamir heuristic that works for all 3-message public-coin proofs, then we cannot prove its security via a black-box reduction from any assumption that has the format of a "cryptographic game". -For many concrete proof systems, if we want to have a "specific" instantiation of the Fiat-Shamir heuristic for that proof system, then we cannot prove its security via a black box reduction from any "falsifiable assumption" that has the format of a cryptographic game with an efficient challenger.

Original language	English
Title of host publication	Theory of Cryptography - 10th Theory of Cryptography Conference, TCC 2013, Proceedings
Pages	182-201
Number of pages	20
DOIs	https://doi.org/10.1007/978-3-642-36594-2_11
State	Published - 2013
Event	10th Theory of Cryptography Conference, TCC 2013 - Tokyo, Japan Duration: 3 Mar 2013 → 6 Mar 2013

Publication series

Name	Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)
Volume	7785 LNCS

Conference

Conference	10th Theory of Cryptography Conference, TCC 2013
Country/Territory	Japan
City	Tokyo
Period	3/03/13 → 6/03/13

All Science Journal Classification (ASJC) codes

Theoretical Computer Science
General Computer Science

Access to Document

10.1007/978-3-642-36594-2_11

Cite this

Bitansky, N., Dachman-Soled, D., Garg, S., Jain, A., Kalai, Y. T., López-Alt, A., & Wichs, D. (2013). Why "Fiat-Shamir for proofs" lacks a proof. In Theory of Cryptography - 10th Theory of Cryptography Conference, TCC 2013, Proceedings (pp. 182-201). (Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics); Vol. 7785 LNCS). https://doi.org/10.1007/978-3-642-36594-2_11

@inproceedings{3f724882da3942ad8b59c2251ee4ad99,

title = "Why {"}Fiat-Shamir for proofs{"} lacks a proof",

abstract = "The Fiat-Shamir heuristic [CRYPTO '86] is used to convert any 3-message public-coin proof or argument system into a non-interactive argument, by hashing the prover's first message to select the verifier's challenge. It is known that this heuristic is sound when the hash function is modeled as a random oracle. On the other hand, the surprising result of Goldwasser and Kalai [FOCS '03] shows that there exists a computationally sound argument on which the Fiat-Shamir heuristic is never sound, when instantiated with any actual efficient hash function. This leaves us with the following interesting possibility: perhaps we can securely instantiates the Fiat-Shamir heuristic for all 3-message public-coin statistically sound proofs, even if we must fail for some computationally sound arguments. Indeed, this has been conjectured to be the case by Barak, Lindell and Vadhan [FOCS '03], but we do not have any provably secure instantiation under any {"}standard assumption{"}. In this work, we give a broad black-box separation result showing that the security of the Fiat-Shamir heuristic for statistically sound proofs cannot be proved under virtually any standard assumption via a black-box reduction. More precisely: -If we want to have a {"}universal{"} instantiation of the Fiat-Shamir heuristic that works for all 3-message public-coin proofs, then we cannot prove its security via a black-box reduction from any assumption that has the format of a {"}cryptographic game{"}. -For many concrete proof systems, if we want to have a {"}specific{"} instantiation of the Fiat-Shamir heuristic for that proof system, then we cannot prove its security via a black box reduction from any {"}falsifiable assumption{"} that has the format of a cryptographic game with an efficient challenger.",

author = "Nir Bitansky and Dana Dachman-Soled and Sanjam Garg and Abhishek Jain and Kalai, \{Yael Tauman\} and Adriana L{\'o}pez-Alt and Daniel Wichs",

year = "2013",

doi = "10.1007/978-3-642-36594-2\_11",

language = "الإنجليزيّة",

isbn = "9783642365935",

series = "Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)",

pages = "182--201",

booktitle = "Theory of Cryptography - 10th Theory of Cryptography Conference, TCC 2013, Proceedings",

note = "10th Theory of Cryptography Conference, TCC 2013 ; Conference date: 03-03-2013 Through 06-03-2013",

}

Bitansky, N, Dachman-Soled, D, Garg, S, Jain, A, Kalai, YT, López-Alt, A & Wichs, D 2013, Why "Fiat-Shamir for proofs" lacks a proof. in Theory of Cryptography - 10th Theory of Cryptography Conference, TCC 2013, Proceedings. Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics), vol. 7785 LNCS, pp. 182-201, 10th Theory of Cryptography Conference, TCC 2013, Tokyo, Japan, 3/03/13. https://doi.org/10.1007/978-3-642-36594-2_11

Why "Fiat-Shamir for proofs" lacks a proof. / Bitansky, Nir; Dachman-Soled, Dana; Garg, Sanjam et al.
Theory of Cryptography - 10th Theory of Cryptography Conference, TCC 2013, Proceedings. 2013. p. 182-201 (Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics); Vol. 7785 LNCS).

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution › peer-review

TY - GEN

T1 - Why "Fiat-Shamir for proofs" lacks a proof

AU - Bitansky, Nir

AU - Dachman-Soled, Dana

AU - Garg, Sanjam

AU - Jain, Abhishek

AU - Kalai, Yael Tauman

AU - López-Alt, Adriana

AU - Wichs, Daniel

PY - 2013

Y1 - 2013

N2 - The Fiat-Shamir heuristic [CRYPTO '86] is used to convert any 3-message public-coin proof or argument system into a non-interactive argument, by hashing the prover's first message to select the verifier's challenge. It is known that this heuristic is sound when the hash function is modeled as a random oracle. On the other hand, the surprising result of Goldwasser and Kalai [FOCS '03] shows that there exists a computationally sound argument on which the Fiat-Shamir heuristic is never sound, when instantiated with any actual efficient hash function. This leaves us with the following interesting possibility: perhaps we can securely instantiates the Fiat-Shamir heuristic for all 3-message public-coin statistically sound proofs, even if we must fail for some computationally sound arguments. Indeed, this has been conjectured to be the case by Barak, Lindell and Vadhan [FOCS '03], but we do not have any provably secure instantiation under any "standard assumption". In this work, we give a broad black-box separation result showing that the security of the Fiat-Shamir heuristic for statistically sound proofs cannot be proved under virtually any standard assumption via a black-box reduction. More precisely: -If we want to have a "universal" instantiation of the Fiat-Shamir heuristic that works for all 3-message public-coin proofs, then we cannot prove its security via a black-box reduction from any assumption that has the format of a "cryptographic game". -For many concrete proof systems, if we want to have a "specific" instantiation of the Fiat-Shamir heuristic for that proof system, then we cannot prove its security via a black box reduction from any "falsifiable assumption" that has the format of a cryptographic game with an efficient challenger.

AB - The Fiat-Shamir heuristic [CRYPTO '86] is used to convert any 3-message public-coin proof or argument system into a non-interactive argument, by hashing the prover's first message to select the verifier's challenge. It is known that this heuristic is sound when the hash function is modeled as a random oracle. On the other hand, the surprising result of Goldwasser and Kalai [FOCS '03] shows that there exists a computationally sound argument on which the Fiat-Shamir heuristic is never sound, when instantiated with any actual efficient hash function. This leaves us with the following interesting possibility: perhaps we can securely instantiates the Fiat-Shamir heuristic for all 3-message public-coin statistically sound proofs, even if we must fail for some computationally sound arguments. Indeed, this has been conjectured to be the case by Barak, Lindell and Vadhan [FOCS '03], but we do not have any provably secure instantiation under any "standard assumption". In this work, we give a broad black-box separation result showing that the security of the Fiat-Shamir heuristic for statistically sound proofs cannot be proved under virtually any standard assumption via a black-box reduction. More precisely: -If we want to have a "universal" instantiation of the Fiat-Shamir heuristic that works for all 3-message public-coin proofs, then we cannot prove its security via a black-box reduction from any assumption that has the format of a "cryptographic game". -For many concrete proof systems, if we want to have a "specific" instantiation of the Fiat-Shamir heuristic for that proof system, then we cannot prove its security via a black box reduction from any "falsifiable assumption" that has the format of a cryptographic game with an efficient challenger.

UR - http://www.scopus.com/inward/record.url?scp=84873963131&partnerID=8YFLogxK

U2 - 10.1007/978-3-642-36594-2_11

DO - 10.1007/978-3-642-36594-2_11

M3 - منشور من مؤتمر

SN - 9783642365935

T3 - Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)

SP - 182

EP - 201

BT - Theory of Cryptography - 10th Theory of Cryptography Conference, TCC 2013, Proceedings

T2 - 10th Theory of Cryptography Conference, TCC 2013

Y2 - 3 March 2013 through 6 March 2013

ER -

Bitansky N, Dachman-Soled D, Garg S, Jain A, Kalai YT, López-Alt A et al. Why "Fiat-Shamir for proofs" lacks a proof. In Theory of Cryptography - 10th Theory of Cryptography Conference, TCC 2013, Proceedings. 2013. p. 182-201. (Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)). doi: 10.1007/978-3-642-36594-2_11

Why "Fiat-Shamir for proofs" lacks a proof

Abstract

Publication series

Conference

All Science Journal Classification (ASJC) codes

Access to Document

Other files and links

Fingerprint

Cite this