Fiat–Shamir for highly sound protocols is instantiable
2018
Theoretical Computer Science
simulators (a property satisfied by the Lapidot-Shamir protocol, Crypto '90) into a compiled protocol in the CRS model that is highly sound. ...
For the second compiler we require dual-mode commitments. We hope that our work inspires more research on classes of (efficient) 3-move protocols where Fiat-Shamir is (efficiently) instantiable. ...
We also thank the reviewer for pointing out the Blum-Lapidot-Shamir protocol, and we thank Ivan Visconti for helpful discussions and clarifications on the protocol itself. ...
doi:10.1016/j.tcs.2018.05.001
fatcat:katwsed2zjc5bksg6v7h4nmliy
Fiat–Shamir for Highly Sound Protocols Is Instantiable
[chapter]
2016
Lecture Notes in Computer Science
simulators (a property satisfied by the Lapidot-Shamir protocol, Crypto '90) into a compiled protocol in the CRS model that is highly sound. ...
For the second compiler we require dual-mode commitments. We hope that our work inspires more research on classes of (efficient) 3-move protocols where Fiat-Shamir is (efficiently) instantiable. ...
We also thank the reviewer for pointing out the Blum-Lapidot-Shamir protocol, and we thank Ivan Visconti for helpful discussions and clarifications on the protocol itself. ...
doi:10.1007/978-3-319-44618-9_11
fatcat:b3on5wx4hfehricmt7j5d3zabe
Fiat-Shamir via List-Recoverable Codes (or: Parallel Repetition of GMW is not Zero-Knowledge)
[article]
2021
IACR Cryptology ePrint Archive
instantiating the Fiat-Shamir heuristic for eliminating interaction in public-coin interactive protocols. ...
Our main result shows how to instantiate Fiat-Shamir for parallel repetitions of much more general interactive proofs. ...
Acknowledgements We thank Vinod Vaikuntanathan for helpful discussions and feedback. ...
dblp:journals/iacr/HolmgrenLR21
fatcat:zfv7baek5vbuljtxd5wfndrake
Why "Fiat-Shamir for Proofs" Lacks a Proof
[chapter]
2013
Lecture Notes in Computer Science
On the other hand, the surprising result of Goldwasser and Kalai [FOCS '03] shows that there exists a computationally sound argument on which the Fiat-Shamir heuristic is never sound, when instantiated ...
This leaves us with the following interesting possibility: perhaps we can securely instantiate the Fiat-Shamir heuristic for all 3-message public-coin statistically sound proofs, even if we must fail ...
for the soundness of the resulting protocols obtained by applying the Fiat-Shamir paradigm. ...
doi:10.1007/978-3-642-36594-2_11
fatcat:wa6argayqramfnwwbo2zutmcqu
Non-Interactive Zero Knowledge and Correlation Intractability from Circular-Secure FHE
[article]
2018
IACR Cryptology ePrint Archive
This continues a recent line of works aiming to instantiate the Fiat-Shamir methodology via correlation intractability under progressively weaker and better-understood assumptions. ...
We obtain our result by constructing a new correlation-intractable hash family [Canetti, Goldreich, and Halevi, JACM '04] for a large class of relations, which suffices to apply the Fiat-Shamir heuristic ...
Acknowledgements We thank Adam Sealfon for comments on an earlier version of this work, and in particular for pointing out that our NIZK argument system has a statistically sound mode. ...
dblp:journals/iacr/CanettiLW18
fatcat:swzssijiynaabcoh6juimxmz7a
Fiat-Shamir for Proofs Lacks a Proof Even in the Presence of Shared Entanglement
[article]
2022
arXiv
pre-print
First, we show the black-box impossibility of a quantum Fiat-Shamir transform, extending the impossibility result of Bitansky et al. (TCC '13) to the CRQS model. ...
The most general such resource is access to a fresh entangled quantum state at the outset of each protocol execution. ...
In particular, Goldwasser and Kalai have shown that the Fiat-Shamir transform applied to some (contrived) Σ-protocols is not sound for any instantiation of the hash function (i.e. instantiated using a ...
arXiv:2204.02265v1
fatcat:4vuehb52avbftco4a64xe5sfli
Somewhere Statistical Soundness, Post-Quantum Security, and SNARGs for P
[article]
2021
IACR Cryptology ePrint Archive
We argue that SSS arguments evade the current Fiat-Shamir counterexamples, including the one for Kilian's protocol (Bartusek, Bronfman, Holmgren, Ma and Rothblum, TCC 2019) by requiring additional properties ...
Observing that the first two messages of Kilian's protocol, instantiated with these primitives, is a sound instantiation of the BMW heuristic (Kalai, Raz, and Rothblum, STOC 2013), we show how to efficiently ...
[BBH+19] give an instantiation of Kilian's protocol for the trivial (empty) language for which applying the Fiat-Shamir paradigm provably results in a sound protocol. ...
dblp:journals/iacr/KalaiVZ21
fatcat:q4ux6amfnreszbxopav6ss74nm
An Efficient Transform from Sigma Protocols to NIZK with a CRS and Non-programmable Random Oracle
[chapter]
2015
Lecture Notes in Computer Science
In this short paper, we present a Fiat-Shamir type transform that takes any Sigma protocol for a relation R and outputs a non-interactive zero-knowledge proof (not of knowledge) for the associated language ...
The concrete computational complexity of the transform is only slightly higher than the original Fiat-Shamir transform. ...
Acknowledgements We thank Ben Riva, Nigel Smart and Daniel Wichs for helpful discussions. ...
doi:10.1007/978-3-662-46494-6_5
fatcat:m5mjutpn7nda7efl3tb3yporua
Security of the Fiat-Shamir Transformation in the Quantum Random-Oracle Model
[article]
2020
arXiv
pre-print
For example, we can conclude that the non-optimized version of Fish, which is the bare Fiat-Shamir variant of the NIST candidate Picnic, is secure in the quantum random-oracle model. ...
natural properties), the corresponding Fiat-Shamir signature scheme is secure in the quantum random-oracle model. ...
Acknowledgement We thank Tommaso Gagliardoni and Dominique Unruh for comments on early basic ideas of our approach, and Andreas Hülsing, Eike Kiltz and Greg Zaverucha for helpful discussions. ...
arXiv:1902.07556v3
fatcat:ddlyhvdmubavdp52sc6unugdfy
Efficient NIZKs from LWE via Polynomial Reconstruction and "MPC in the Head"
[article]
2022
IACR Cryptology ePrint Archive
All existing methods of building non-interactive zero-knowledge (NIZK) arguments for NP from the Learning With Errors (LWE) assumption have relied on instantiating the Fiat-Shamir paradigm on a parallel ...
Instead, we show how to make use of the more efficient "MPC in the Head" technique for building an underlying honest-verifier protocol upon which to apply the Fiat-Shamir paradigm. ...
Finally, by a union bound the soundness error is then e −c 2 q−c + 1/ q β = negl(q). 6 Instantiating Fiat-Shamir via Correlation Intractable Hash Functions. ...
dblp:journals/iacr/GhosalLS22
fatcat:53x7bc3objgrjgstu2w6zfcway
Adaptive Proofs Have Straightline Extractors (in the Random Oracle Model)
[chapter]
2017
Lecture Notes in Computer Science
Then, we show that any Fiat-Shamir transformed Σ-protocol is not adaptively secure unless a related problem which we call the Σ-one-wayness problem is easy. ...
Taken together, these results suggest that the highly efficient proofs based on the popular Fiat-Shamir transformed Σ-protocols should be used with care in settings where adaptive security of such proofs ...
Then the Fiat-Shamir transformed Σ-protocol F φ is the following proof scheme for sets (X , W) and relation ρ(x, w) = 1 ⇐⇒ φ(w) = x. ...
doi:10.1007/978-3-319-61204-1_17
fatcat:dw3li2ba55dinfce6ayodpgmga
Non-Interactive Zero-Knowledge Proofs to Multiple Verifiers
[article]
2022
IACR Cryptology ePrint Archive
Due to the usage of public-key operations for every non-linear gate, their protocol is not concretely efficient. Although Boneh et al. ...
[BGIN20] proposed an approach based on Fiat-Shamir to make the ZK proof on inner-product tuples non-interactive, where the difference between the secret and randomness needs to be sent. ...
Our strong NIMVZK protocol is highly efficient for proving the satisfiability of a single generic circuit. ...
dblp:journals/iacr/YangW22
fatcat:7tb6c32yrjclfcij6oam3nvkba
Rational Zero: Economic Security for Zerocoin with Everlasting Anonymity
[chapter]
2014
Lecture Notes in Computer Science
Provided a zerocoin is worth less than the reward for a Bitcoin block, forging a coin is not an economically rational action. ...
Given this freedom, we explore several techniques for drastically reducing proof size while ensuring that forging a single zerocoin is more difficult than the block mining process used to maintain Bitcoin's ...
Figure 2: The Fiat-Shamir heuristic as applied to the Schnorr protocol.
Figure 3: Dishonest verifier Schnorr Protocol with Fiat-Shamir. ...
doi:10.1007/978-3-662-44774-1_10
fatcat:cjkrw3uo5fgwzo4omvstzwkh6a
Efficient Set Membership Proofs using MPC-in-the-Head
2022
Proceedings on Privacy Enhancing Technologies
In this work, we develop a new technique for efficiently adding logarithmic-sized set membership proofs to any MPC-in-the-head based zero-knowledge protocol (Ishai et al. [STOC'07]). ...
ℛ(w, x) = 1 and x is a member of a public set {x_1, ..., x_ℓ}. This allows the identity of the prover to remain hidden, e.g. ring signatures and confidential transactions in cryptocurrencies. ...
Complexity of the resulting Σ-protocol in this case is dependent on ×|R(•, •)|, which is highly inefficient. ...
doi:10.2478/popets-2022-0047
fatcat:kjnmuvna7nh2jc2pxlgihgvekm
Attribute-Based Signatures for Unbounded Circuits in the ROM and Efficient Instantiations from Lattices
[chapter]
2018
Lecture Notes in Computer Science
Finally, we provide a concrete instantiation of our generic ABS construction from lattices by introducing a new Σ-protocol, that highly departs from the previously known techniques, for proving possession ...
Therefore, this formalization is believed to be of independent interest. ...
We would like to thank the anonymous reviewers of PKC 2018 for insightful comments. ...
doi:10.1007/978-3-319-76581-5_4
fatcat:ybab6uxqvfgy7l5xx43vj5fwb4