TY - GEN
T1 - Why "Fiat-Shamir for proofs" lacks a proof
AU - Bitansky, Nir
AU - Dachman-Soled, Dana
AU - Garg, Sanjam
AU - Jain, Abhishek
AU - Kalai, Yael Tauman
AU - López-Alt, Adriana
AU - Wichs, Daniel
PY - 2013
Y1 - 2013
N2 - The Fiat-Shamir heuristic [CRYPTO '86] is used to convert any 3-message public-coin proof or argument system into a non-interactive argument, by hashing the prover's first message to select the verifier's challenge. It is known that this heuristic is sound when the hash function is modeled as a random oracle. On the other hand, the surprising result of Goldwasser and Kalai [FOCS '03] shows that there exists a computationally sound argument on which the Fiat-Shamir heuristic is never sound, when instantiated with any actual efficient hash function. This leaves us with the following interesting possibility: perhaps we can securely instantiates the Fiat-Shamir heuristic for all 3-message public-coin statistically sound proofs, even if we must fail for some computationally sound arguments. Indeed, this has been conjectured to be the case by Barak, Lindell and Vadhan [FOCS '03], but we do not have any provably secure instantiation under any "standard assumption". In this work, we give a broad black-box separation result showing that the security of the Fiat-Shamir heuristic for statistically sound proofs cannot be proved under virtually any standard assumption via a black-box reduction. More precisely: -If we want to have a "universal" instantiation of the Fiat-Shamir heuristic that works for all 3-message public-coin proofs, then we cannot prove its security via a black-box reduction from any assumption that has the format of a "cryptographic game". -For many concrete proof systems, if we want to have a "specific" instantiation of the Fiat-Shamir heuristic for that proof system, then we cannot prove its security via a black box reduction from any "falsifiable assumption" that has the format of a cryptographic game with an efficient challenger.
AB - The Fiat-Shamir heuristic [CRYPTO '86] is used to convert any 3-message public-coin proof or argument system into a non-interactive argument, by hashing the prover's first message to select the verifier's challenge. It is known that this heuristic is sound when the hash function is modeled as a random oracle. On the other hand, the surprising result of Goldwasser and Kalai [FOCS '03] shows that there exists a computationally sound argument on which the Fiat-Shamir heuristic is never sound, when instantiated with any actual efficient hash function. This leaves us with the following interesting possibility: perhaps we can securely instantiates the Fiat-Shamir heuristic for all 3-message public-coin statistically sound proofs, even if we must fail for some computationally sound arguments. Indeed, this has been conjectured to be the case by Barak, Lindell and Vadhan [FOCS '03], but we do not have any provably secure instantiation under any "standard assumption". In this work, we give a broad black-box separation result showing that the security of the Fiat-Shamir heuristic for statistically sound proofs cannot be proved under virtually any standard assumption via a black-box reduction. More precisely: -If we want to have a "universal" instantiation of the Fiat-Shamir heuristic that works for all 3-message public-coin proofs, then we cannot prove its security via a black-box reduction from any assumption that has the format of a "cryptographic game". -For many concrete proof systems, if we want to have a "specific" instantiation of the Fiat-Shamir heuristic for that proof system, then we cannot prove its security via a black box reduction from any "falsifiable assumption" that has the format of a cryptographic game with an efficient challenger.
UR - http://www.scopus.com/inward/record.url?scp=84873963131&partnerID=8YFLogxK
UR - http://www.scopus.com/inward/citedby.url?scp=84873963131&partnerID=8YFLogxK
U2 - 10.1007/978-3-642-36594-2_11
DO - 10.1007/978-3-642-36594-2_11
M3 - Conference contribution
AN - SCOPUS:84873963131
SN - 9783642365935
T3 - Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)
SP - 182
EP - 201
BT - Theory of Cryptography - 10th Theory of Cryptography Conference, TCC 2013, Proceedings
T2 - 10th Theory of Cryptography Conference, TCC 2013
Y2 - 3 March 2013 through 6 March 2013
ER -