Paper 2023/1945

The Fiat--Shamir Transformation of $(\Gamma_1,\dots,\Gamma_\mu)$-Special-Sound Interactive Proofs

Thomas Attema, Centrum Wiskunde & Informatica, Netherlands Organisation for Applied Scientific Research
Serge Fehr, Centrum Wiskunde & Informatica, Leiden University
Michael Klooß, Aalto University
Nicolas Resch, University of Amsterdam
Abstract

The Fiat-Shamir transformation is a general principle to turn any public-coin interactive proof into non-interactive one (with security then typically analyzed in the random oracle model). While initially used for 3-round protocols, many recent constructions use it for multi-round protocols. However, in general the soundness error of the Fiat-Shamir transformed protocol degrades exponentially in the number of rounds. On the positive side, it was shown that for the special class of $(k_1,\dots,k_\mu)$-special-sound protocols the loss is actually only linear in the number of random oracle queries, and independent of the number of rounds, which is optimal. A natural next question is whether this positive result extends to the Fiat-Shamir transformation of so-called $(\Gamma_1,\dots,\Gamma_\mu)$-special-sound protocols, a notion recently defined and analyzed in the interactive case, with the aim to capture the most general notion of special-soundness. We show in this work that this is indeed the case. Concretely, we show that the Fiat--Shamir transformation of any $(\Gamma_1,\dots,\Gamma_\mu)$-special-sound interactive proof is knowledge sound under the same condition under which the original interactive proof is knowledge sound. Furthermore, also here the loss is linear in the number of random-oracle queries and independent of the number of rounds. In light of the above, one might suspect that our argument follows as a straightforward combination of the above mentioned prior works. However, this is not the case. The approach used for $(k_1,\dots,k_\mu)$-special-sound protocols, which is based on an extractor that samples without replacement, does not (seem to) generalize; on the other hand, the other approach, which uses an extractor based on sampling with replacement, comes with an additional loss that would blow up in the recursive multi-round analysis.

Metadata
Available format(s)
PDF
Category
Cryptographic protocols
Publication info
Preprint.
Keywords
Interactive ProofInteractive ArgumentKnowledge SoundnessSpecial-SoundnessProof of Knowledge
Contact author(s)
thomas attema @ tno nl
serge fehr @ cwi nl
michael klooss @ aalto fi
n a resch @ uva nl
History
2023-12-22: approved
2023-12-22: received
See all versions
Short URL
https://ia.cr/2023/1945
License
Creative Commons Attribution
CC BY

BibTeX

@misc{cryptoeprint:2023/1945,
      author = {Thomas Attema and Serge Fehr and Michael Klooß and Nicolas Resch},
      title = {The Fiat--Shamir Transformation of $(\Gamma_1,\dots,\Gamma_\mu)$-Special-Sound Interactive Proofs},
      howpublished = {Cryptology {ePrint} Archive, Paper 2023/1945},
      year = {2023},
      url = {https://eprint.iacr.org/2023/1945}
}
Note: In order to protect the privacy of readers, eprint.iacr.org does not use cookies or embedded third party content.