Fiat–Shamir for Highly Sound Protocols Is Instantiable
The Fiat–Shamir (FS) transformation (Fiat and Shamir, Crypto ’86) is a popular paradigm for constructing very efficient non-interactive zero-knowledge (NIZK) arguments and signature schemes using a hash function, starting from any three-move interactive protocol satisfying certain properties. Despit...
Saved in:
| Published in | Security and Cryptography for Networks pp. 198 - 215 |
|---|---|
| Main Authors | , |
| Format | Book Chapter |
| Language | English |
| Published |
Cham
Springer International Publishing
2016
|
| Series | Lecture Notes in Computer Science |
| Subjects | |
| Online Access | Get full text |
| ISBN | 9783319446172 3319446177 |
| ISSN | 0302-9743 1611-3349 |
| DOI | 10.1007/978-3-319-44618-9_11 |
Cover
Loading…
| Abstract | The Fiat–Shamir (FS) transformation (Fiat and Shamir, Crypto ’86) is a popular paradigm for constructing very efficient non-interactive zero-knowledge (NIZK) arguments and signature schemes using a hash function, starting from any three-move interactive protocol satisfying certain properties. Despite its wide-spread applicability both in theory and in practice, the known positive results for proving security of the FS paradigm are in the random oracle model, i.e., they assume that the hash function is modelled as an external random function accessible to all parties. On the other hand, a sequence of negative results shows that for certain classes of interactive protocols, the FS transform cannot be instantiated in the standard model.
We initiate the study of complementary positive results, namely, studying classes of interactive protocols where the FS transform does have standard-model instantiations. In particular, we show that for a class of “highly sound” protocols that we define, instantiating the FS transform via a q-wise independent hash function yields NIZK arguments and secure signature schemes. For NIZK, we obtain a weaker “q-bounded” zero-knowledge flavor where the simulator works for all adversaries asking an a-priori bounded number of queries q; for signatures, we obtain the weaker notion of random-message unforgeability against q-bounded random message attacks.
Our main idea is that when the protocol is highly sound, then instead of using random-oracle programming, one can use complexity leveraging. The question is whether such highly sound protocols exist and if so, which protocols lie in this class. We answer this question in the affirmative in the common reference string (CRS) model and under strong assumptions. Namely, assuming indistinguishability obfuscation and puncturable pseudorandom functions we construct a compiler that transforms any 3-move interactive protocol with instance-independent commitments and simulators (a property satisfied by the Lapidot-Shamir protocol, Crypto ’90) into a compiled protocol in the CRS model that is highly sound. We also present a second compiler, in order to be able to start from a larger class of protocols, which only requires instance-independent commitments (a property for example satisfied by the classical protocol for quadratic residuosity due to Blum, Crypto ’81). For the second compiler we require dual-mode commitments.
We hope that our work inspires more research on classes of (efficient) 3-move protocols where Fiat–Shamir is (efficiently) instantiable. |
|---|---|
| AbstractList | The Fiat–Shamir (FS) transformation (Fiat and Shamir, Crypto ’86) is a popular paradigm for constructing very efficient non-interactive zero-knowledge (NIZK) arguments and signature schemes using a hash function, starting from any three-move interactive protocol satisfying certain properties. Despite its wide-spread applicability both in theory and in practice, the known positive results for proving security of the FS paradigm are in the random oracle model, i.e., they assume that the hash function is modelled as an external random function accessible to all parties. On the other hand, a sequence of negative results shows that for certain classes of interactive protocols, the FS transform cannot be instantiated in the standard model.
We initiate the study of complementary positive results, namely, studying classes of interactive protocols where the FS transform does have standard-model instantiations. In particular, we show that for a class of “highly sound” protocols that we define, instantiating the FS transform via a q-wise independent hash function yields NIZK arguments and secure signature schemes. For NIZK, we obtain a weaker “q-bounded” zero-knowledge flavor where the simulator works for all adversaries asking an a-priori bounded number of queries q; for signatures, we obtain the weaker notion of random-message unforgeability against q-bounded random message attacks.
Our main idea is that when the protocol is highly sound, then instead of using random-oracle programming, one can use complexity leveraging. The question is whether such highly sound protocols exist and if so, which protocols lie in this class. We answer this question in the affirmative in the common reference string (CRS) model and under strong assumptions. Namely, assuming indistinguishability obfuscation and puncturable pseudorandom functions we construct a compiler that transforms any 3-move interactive protocol with instance-independent commitments and simulators (a property satisfied by the Lapidot-Shamir protocol, Crypto ’90) into a compiled protocol in the CRS model that is highly sound. We also present a second compiler, in order to be able to start from a larger class of protocols, which only requires instance-independent commitments (a property for example satisfied by the classical protocol for quadratic residuosity due to Blum, Crypto ’81). For the second compiler we require dual-mode commitments.
We hope that our work inspires more research on classes of (efficient) 3-move protocols where Fiat–Shamir is (efficiently) instantiable. |
| Author | Mittelbach, Arno Venturi, Daniele |
| Author_xml | – sequence: 1 givenname: Arno surname: Mittelbach fullname: Mittelbach, Arno organization: Cryptoplexity, Technische Universität Darmstadt, Darmstadt, Germany – sequence: 2 givenname: Daniele surname: Venturi fullname: Venturi, Daniele email: daniele.venturi@unitn.it organization: Department of Information Engineering and Computer Science, University of Trento, Trento, Italy |
| BookMark | eNo1kE1OwzAUhA0Uibb0BixyAcN7thPHS1TRH6kSSO3e8l_aQIhRHBbsuAM35CSkBaQnjTQzetJ8EzJqYxsIuUG4RQB5p2RJOeWoqBAFllRpxDMy4YNzMvJzMsYCkXIu1AWZDf3_TLIRGQMHRpUU_IpMUnoGACYVG5NyUZv--_NrezCvdZdVsctW9f7QfGTb-N767KmLfXSxSdl6uDb1pu1rY5twTS4r06Qw-9Mp2S0edvMV3Twu1_P7DU1MiJ4KB1AK4ywEW_nAnbHOl2ABPDfog3Te5yFHBiCclV5UlcFCSlRlBQL4lLDft-mtq9t96LSN8SVpBH3kooedmuthqT5h0Ecu_AfYAVRt |
| ContentType | Book Chapter |
| Copyright | Springer International Publishing Switzerland 2016 |
| Copyright_xml | – notice: Springer International Publishing Switzerland 2016 |
| DOI | 10.1007/978-3-319-44618-9_11 |
| DatabaseTitleList | |
| DeliveryMethod | fulltext_linktorsrc |
| Discipline | Computer Science |
| EISBN | 3319446185 9783319446189 |
| EISSN | 1611-3349 |
| Editor | De Prisco, Roberto Zikas, Vassilis |
| Editor_xml | – sequence: 1 givenname: Vassilis surname: Zikas fullname: Zikas, Vassilis email: vzikas@cs.rpi.edu – sequence: 2 givenname: Roberto surname: De Prisco fullname: De Prisco, Roberto email: robdep@unisa.it |
| EndPage | 215 |
| GroupedDBID | -DT -GH -~X 1SB 29L 2HA 2HV 5QI 875 AASHB ABMNI ACGFS ADCXD AEFIE ALMA_UNASSIGNED_HOLDINGS EJD F5P FEDTE HVGLF LAS LDH P2P RIG RNI RSU SVGTG VI1 ~02 |
| ID | FETCH-LOGICAL-s244t-4c0084acb0ebfde3cabcd80b00d3a1de7cdd5e512004cb7d4ffa1677198f0403 |
| ISBN | 9783319446172 3319446177 |
| ISSN | 0302-9743 |
| IngestDate | Tue Jul 29 20:13:37 EDT 2025 |
| IsDoiOpenAccess | false |
| IsOpenAccess | true |
| IsPeerReviewed | true |
| IsScholarly | true |
| Language | English |
| LinkModel | OpenURL |
| MergedId | FETCHMERGED-LOGICAL-s244t-4c0084acb0ebfde3cabcd80b00d3a1de7cdd5e512004cb7d4ffa1677198f0403 |
| OpenAccessLink | http://hdl.handle.net/11573/959982 |
| PageCount | 18 |
| ParticipantIDs | springer_books_10_1007_978_3_319_44618_9_11 |
| PublicationCentury | 2000 |
| PublicationDate | 2016 |
| PublicationDateYYYYMMDD | 2016-01-01 |
| PublicationDate_xml | – year: 2016 text: 2016 |
| PublicationDecade | 2010 |
| PublicationPlace | Cham |
| PublicationPlace_xml | – name: Cham |
| PublicationSeriesSubtitle | Security and Cryptology |
| PublicationSeriesTitle | Lecture Notes in Computer Science |
| PublicationSeriesTitleAlternate | Lect.Notes Computer |
| PublicationSubtitle | 10th International Conference, SCN 2016, Amalfi, Italy, August 31 – September 2, 2016, Proceedings |
| PublicationTitle | Security and Cryptography for Networks |
| PublicationYear | 2016 |
| Publisher | Springer International Publishing |
| Publisher_xml | – name: Springer International Publishing |
| RelatedPersons | Kleinberg, Jon M. Mattern, Friedemann Naor, Moni Mitchell, John C. Terzopoulos, Demetri Steffen, Bernhard Pandu Rangan, C. Kanade, Takeo Kittler, Josef Weikum, Gerhard Hutchison, David Tygar, Doug |
| RelatedPersons_xml | – sequence: 1 givenname: David surname: Hutchison fullname: Hutchison, David organization: Lancaster University, Lancaster, United Kingdom – sequence: 2 givenname: Takeo surname: Kanade fullname: Kanade, Takeo organization: Carnegie Mellon University, Pittsburgh, USA – sequence: 3 givenname: Josef surname: Kittler fullname: Kittler, Josef organization: University of Surrey, Guildford, United Kingdom – sequence: 4 givenname: Jon M. surname: Kleinberg fullname: Kleinberg, Jon M. organization: Cornell University, Ithaca, USA – sequence: 5 givenname: Friedemann surname: Mattern fullname: Mattern, Friedemann organization: CNB H 104.2, ETH Zurich, Zürich, Switzerland – sequence: 6 givenname: John C. surname: Mitchell fullname: Mitchell, John C. organization: Stanford, USA – sequence: 7 givenname: Moni surname: Naor fullname: Naor, Moni organization: Weizmann Institute of Science, Rehovot, Israel – sequence: 8 givenname: C. surname: Pandu Rangan fullname: Pandu Rangan, C. organization: Madras, Indian Institute of Technology, Chennai, India – sequence: 9 givenname: Bernhard surname: Steffen fullname: Steffen, Bernhard organization: Fakultät Informatik, TU Dortmund, Dortmund, Germany – sequence: 10 givenname: Demetri surname: Terzopoulos fullname: Terzopoulos, Demetri organization: University of California, Los Angeles, USA – sequence: 11 givenname: Doug surname: Tygar fullname: Tygar, Doug organization: University of California, Berkeley, USA – sequence: 12 givenname: Gerhard surname: Weikum fullname: Weikum, Gerhard organization: Max Planck Institute for Informatics, Saarbrücken, Germany |
| SSID | ssj0002792 ssj0001720393 |
| Score | 1.833021 |
| Snippet | The Fiat–Shamir (FS) transformation (Fiat and Shamir, Crypto ’86) is a popular paradigm for constructing very efficient non-interactive zero-knowledge (NIZK)... |
| SourceID | springer |
| SourceType | Publisher |
| StartPage | 198 |
| SubjectTerms | Commitment Scheme Hash Function Interactive Protocol Random Oracle Signature Scheme |
| Title | Fiat–Shamir for Highly Sound Protocols Is Instantiable |
| URI | http://link.springer.com/10.1007/978-3-319-44618-9_11 |
| hasFullText | 1 |
| inHoldings | 1 |
| isFullTextHit | |
| isPrint | |
| link | http://utb.summon.serialssolutions.com/2.0.0/link/0/eLvHCXMwnV07T8MwELagLIiBt3grA1sV1NRNkw4MFaIqCLpQULfIr4hKpUWNGWDiP_AP-SXc2XETSpciRVGURHncZ5_P5_vuCDnndR6zZsp8rpCSw3joxzCw-q00UmmLCzCR0N9x32t2Hxu3g3BQhI0ZdonmF-JjIa_kP6jCOcAVWbJLIDt7KJyAY8AX9oAw7OeM399uVsvhyCvPGff_1fT9VefZp03kYM-Gd88s5vuh1mrEma381J6OJ-7Kkxl2ynzzcjPqAHQuIII-PLOX4dQ8H-NDRqB3sCoTsg30BFpUVr3JTPgBwDVETpbVWZhLObu8y1crehNtgsCqrqCE0y9lB0Qw74BwDsg5F2bhRfs1Y6XQ5WEGGkRlpyYFrQzzGqvolFXETUyvSG0601y5BrZedT5O1y0N9M8QUI76QIYWvg10eoIE8NUoDitkrX19e_dUeOJwJbrEpsWUinbtyX4VMoLcV0c2Z1PxFyU25qJX_llfN2ZLf4tsIJXFQ44JCG2brKjxDtl0cvdyue-SGFH-_vyy-HqAr2fx9Qy-3gxf7wa2Er57pN-57l91_bykhp-BHaf9hsACCkzwmuKpVFQwLmRcA90rKQukioSUoQIjEHqZ4JFspCkLmlEEok9B3dN9UhlPxuqAeC0Uk5Ssnqp6g9diLuEGXNUNBWUtJQ9J1f15gn0kS1yCbJBTQhOQU2LklKCcjpa6-5isFw3xhFT09E2dgm2o-VkO7g_DL1z0 |
| linkProvider | Library Specific Holdings |
| openUrl | ctx_ver=Z39.88-2004&ctx_enc=info%3Aofi%2Fenc%3AUTF-8&rfr_id=info%3Asid%2Fsummon.serialssolutions.com&rft_val_fmt=info%3Aofi%2Ffmt%3Akev%3Amtx%3Abook&rft.genre=bookitem&rft.title=Security+and+Cryptography+for+Networks&rft.au=Mittelbach%2C+Arno&rft.au=Venturi%2C+Daniele&rft.atitle=Fiat%E2%80%93Shamir+for+Highly+Sound+Protocols+Is+Instantiable&rft.series=Lecture+Notes+in+Computer+Science&rft.date=2016-01-01&rft.pub=Springer+International+Publishing&rft.isbn=9783319446172&rft.issn=0302-9743&rft.eissn=1611-3349&rft.spage=198&rft.epage=215&rft_id=info:doi/10.1007%2F978-3-319-44618-9_11 |
| thumbnail_l | http://covers-cdn.summon.serialssolutions.com/index.aspx?isbn=/lc.gif&issn=0302-9743&client=summon |
| thumbnail_m | http://covers-cdn.summon.serialssolutions.com/index.aspx?isbn=/mc.gif&issn=0302-9743&client=summon |
| thumbnail_s | http://covers-cdn.summon.serialssolutions.com/index.aspx?isbn=/sc.gif&issn=0302-9743&client=summon |