Cryptology ePrint Archive: Report 2019/997

On the (In)security of Kilian-Based SNARGs

James Bartusek and Liron Bronfman and Justin Holmgren and Fermi Ma and Ron Rothblum

Abstract: The Fiat-Shamir transform is an incredibly powerful technique that uses a suitable hash function to reduce the interaction of general public-coin protocols. Unfortunately, there are known counterexamples showing that this methodology may not be sound (no matter what concrete hash function is used). Still, these counterexamples are somewhat unsatisfying, as the underlying protocols were specifically tailored to make Fiat-Shamir fail. This raises the question of whether this transform is sound when applied to natural protocols.

One of the most important protocol for which we would like to reduce interaction is Kilian’s four-message argument system for all of NP, based on collision resistant hash functions (CRHF) and probabilistically checkable proofs (PCPs). Indeed, an application of the Fiat-Shamir transform to Kilian's protocol is at the heart of both theoretical results (e.g., Micali's CS proofs) as well as leading practical approaches of highly efficient non-interactive proof-systems (e.g., SNARKs and STARKs).

In this work, we show significant obstacles to establishing soundness of (what we refer to as) the "Fiat-Shamir-Kilian-Micali" (FSKM) protocol. More specifically:

- We construct a (contrived) CRHF for which FSKM is unsound for a very large class of PCPs and for any Fiat-Shamir hash function. The collision-resistance of our CRHF relies on very strong but plausible cryptographic assumptions. The statement is "tight" in the following sense: any PCP outside the scope of our result trivially implies a SNARK, eliminating the need for FSKM in the first place.

- Second, we consider a known extension of Kilian’s protocol to an interactive variant of PCPs called probabilistically checkable interactive proofs (PCIP) (also known as interactive oracle proofs or IOPs). We construct a particular (contrived) PCIP for NP for which the FSKM protocol is unsound no matter what CRHF and Fiat-Shamir hash function is used. This result is unconditional (i.e., does not rely on any cryptographic assumptions).

Put together, our results show that the soundness of FSKM must rely on some special structure of both the CRHF and PCP that underlie Kilian's protocol. We believe these negative results may cast light on how to securely instantiate the FSKM protocol by a synergistic choice of the PCP, CRHF, and Fiat-Shamir hash function.

Category / Keywords: foundations / Fiat-Shamir, Kilian's protocol, interactive proofs, SNARGs, SNARKs

Original Publication (with minor differences): IACR-TCC-2019

Date: received 2 Sep 2019

Contact author: bartusek james at gmail com, br at cs technion ac il, holmgren at alum mit edu, fermima at alum mit edu, rothblum at cs technion ac il

Available format(s): PDF | BibTeX Citation

Version: 20190905:072535 (All versions of this report)

Short URL:

[ Cryptology ePrint archive ]