Paper 2024/1645

Fiat-Shamir Goes Rational

Matteo Campanelli, No affiliation
Agni Datta, VIT Bhopal University
Abstract

This paper investigates the open problem of how to construct non-interactive rational proofs. Rational proofs, introduced by Azar and Micali (STOC 2012), are a model of interactive proofs where a computationally powerful server can be rewarded by a weaker client for running an expensive computation $f(x)$. The honest strategy is enforced by design when the server is rational: any adversary claiming a false output $y \neq f(x)$ will lose money on expectation. Rational proof constructions have appealing properties: they are simple, feature an extremely efficient verifier—reading only a sublinear number of bits of the input $x$—and do not require any collateral from the prover. Currently, all non-trivial constructions of rational proofs are interactive. Developing non-interactive rational protocols would be a game-changer, making them practical for use in smart contracts, one of their most natural applications. Our investigation revolves around the Fiat-Shamir transform, a common approach to compiling interactive proofs into their non-interactive counterparts. We are the first to tackle the question: "Can Fiat-Shamir be successfully applied to rational protocols?" We find negative evidence by showing that, after applying Fiat-Shamir in the random oracle model to two representative protocols in literature (AM13 and CG15) these lose their security guarantees. Our findings point to more general impossibility theorems, which we leave as future work. To achieve our results we first need to address a fundamental technical challenge: the standard Fiat-Shamir transform does not apply to protocols where the verifier has only oracle access to its input $x$ (a core feature of the rational setting). We propose two versions of Fiat-Shamir for this setting, a "vanilla" variant and a "stronger" variant (where the verifier has access to an honestly computed digest of its input). We show that neither variant is sufficient to ensure that AM13 or CG15 are secure in the non-interactive setting. Finally, as an additional contribution, we provide a novel, and arguably simpler, definition for the soundness property of rational proofs (interactive or non-interactive) of independent interest.

Metadata
Available format(s)
PDF
Category
Foundations
Publication info
Preprint.
Keywords
rational proofsfiat-shamir
Contact author(s)
binarywhalesinternaryseas @ gmail com
agnidatta @ gmail com
History
2024-10-14: revised
2024-10-12: received
See all versions
Short URL
https://ia.cr/2024/1645
License
Creative Commons Attribution
CC BY

BibTeX

@misc{cryptoeprint:2024/1645,
      author = {Matteo Campanelli and Agni Datta},
      title = {Fiat-Shamir Goes Rational},
      howpublished = {Cryptology {ePrint} Archive, Paper 2024/1645},
      year = {2024},
      url = {https://eprint.iacr.org/2024/1645}
}
Note: In order to protect the privacy of readers, eprint.iacr.org does not use cookies or embedded third party content.