Paper 2025/329

Towards a White-Box Secure Fiat-Shamir Transformation

Gal Arnon, Weizmann Institute of Science, Bar-Ilan University
Eylon Yogev, Bar-Ilan University
Abstract

The Fiat–Shamir transformation is a fundamental cryptographic technique widely used to convert public-coin interactive protocols into non-interactive ones. This transformation is crucial in both theoretical and practical applications, particularly in the construction of succinct non-interactive arguments (SNARKs). While its security is well-established in the random oracle model, practical implementations replace the random oracle with a concrete hash function, where security is merely assumed to carry over. A growing body of work has given theoretical examples of protocols that remain secure under the Fiat–Shamir transformation in the random oracle model but become insecure when instantiated with any white-box implementation of the hash function. Recent research has shown how these attacks can be applied to natural cryptographic schemes, including real-world systems. These attacks rely on a general diagonalization technique, where the protocol exploits its access to the white-box implementation of the hash function. These attacks cast serious doubt on the security of cryptographic systems deployed in practice today, leaving their soundness uncertain. We propose a new Fiat–Shamir transformation (XFS) that aims to defend against a broad family of attacks. Our approach is designed to be practical, with minimal impact on the efficiency of the prover and verifier and on the proof length. At a high level, our transformation combines the standard Fiat–Shamir technique with a new type of proof-of-work that we construct. We provide strong evidence for the security of our transformation by proving its security in a relativized random oracle model. Specifically, we show that diagonalization attacks on the standard Fiat–Shamir transformation can be mapped to analogous attacks within this model, meaning they do not rely on a concrete instantiation of the random oracle. In contrast, we prove unconditionally that our XFS variant of the Fiat–Shamir transformation remains secure within this model. Consequently, any successful attack on XFS must deviate from known techniques and exploit aspects not captured by our model. We hope that our transformation will help preserve the security of systems relying on the Fiat–Shamir transformation.
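For readers who want to see concretely what the abstract means by "converting a public-coin interactive protocol into a non-interactive one", the following is an added example of the standard Fiat–Shamir transformation applied to Schnorr's sigma protocol for knowledge of a discrete logarithm. It is not code from the paper and does not implement XFS (the page gives no construction details for the proof-of-work component). The 128-bit safe-prime group generated at import time, the function names and the domain-separation labels are this example's own assumptions; a deployment would use a standard group of at least 2048 bits or a prime-order elliptic curve.

```python
"""Fiat-Shamir applied to Schnorr's sigma protocol (added illustration).

Shows the *standard* transformation the abstract refers to, not the paper's
XFS construction. Group size, names and labels are this example's choices.
"""
import hashlib
import secrets

SMALL_PRIMES = (3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37, 41, 43, 47)


def is_probable_prime(n, rounds=32):
    """Miller-Rabin with random bases; error probability <= 4**-rounds."""
    if n < 2:
        return False
    if n in (2, 3):
        return True
    if n % 2 == 0:
        return False
    for sp in SMALL_PRIMES:              # cheap trial division first
        if n % sp == 0:
            return n == sp
    d, s = n - 1, 0
    while d % 2 == 0:
        d //= 2
        s += 1
    for _ in range(rounds):
        a = secrets.randbelow(n - 3) + 2  # base in [2, n-2]
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False                  # definite witness of compositeness
    return True


def find_safe_prime(bits=128, label=b"fs-example-group"):
    """Deterministic search for p = 2q + 1 with p and q prime (toy size).

    Starting from a hash of `label` makes the group reproducible across runs;
    128 bits is an assumption chosen for speed, not a secure parameter.
    """
    q = int.from_bytes(hashlib.sha256(label).digest(), "big") >> (256 - bits)
    q |= (1 << (bits - 1)) | 1            # force the top bit and oddness
    while not (is_probable_prime(q) and is_probable_prime(2 * q + 1)):
        q += 2
    return 2 * q + 1, q


P, Q = find_safe_prime()
G = 4    # a square, so it generates the prime-order-q subgroup of Z_p^*


def keygen():
    """Witness x and statement y = g^x; the prover proves knowledge of x."""
    x = secrets.randbelow(Q - 1) + 1
    return x, pow(G, x, P)


# --- the interactive, public-coin sigma protocol ---------------------------

def prover_commit():
    r = secrets.randbelow(Q)
    return r, pow(G, r, P)                # (secret nonce, commitment t)


def verifier_challenge():
    return secrets.randbelow(Q)           # the verifier's public coin


def prover_respond(x, r, c):
    return (r + c * x) % Q


def verify(y, t, c, s):
    return pow(G, s, P) == (t * pow(y, c, P)) % P


def run_interactive(x, y):
    r, t = prover_commit()
    c = verifier_challenge()
    return verify(y, t, c, prover_respond(x, r, c))


# --- the Fiat-Shamir transformation ----------------------------------------

def fs_challenge(y, t, label=b"schnorr-fs-v1"):
    """Replace the verifier's coin by a hash of the public transcript so far.

    The hash covers the group, the statement y and the commitment t. Hashing
    only t (the 'weak' variant) is a known pitfall when the statement can be
    chosen adaptively; that issue is separate from the white-box attacks the
    abstract discusses, which this transformation does nothing to prevent.
    """
    h = hashlib.sha256()
    for part in (label, P, G, y, t):
        b = part if isinstance(part, bytes) else str(part).encode()
        h.update(len(b).to_bytes(4, "big") + b)   # length-prefixed encoding
    return int.from_bytes(h.digest(), "big") % Q


def fs_prove(x, y):
    r, t = prover_commit()
    c = fs_challenge(y, t)                # prover derives the challenge itself
    return t, prover_respond(x, r, c)     # the non-interactive proof (t, s)


def fs_verify(y, proof):
    t, s = proof
    return verify(y, t, fs_challenge(y, t), s)


if __name__ == "__main__":
    x, y = keygen()
    print("interactive accepts:", run_interactive(x, y))
    print("non-interactive accepts:", fs_verify(y, fs_prove(x, y)))
```

The non-interactive verifier recomputes the challenge from the transcript exactly as the prover did, so the only thing that changed relative to the interactive protocol is who chooses the coin. That is also the crux of the abstract's concern: once the hash function is a concrete, white-box program rather than a random oracle, a malicious prover may exploit its description, and nothing in the transformation above rules that out.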

Metadata
Available format(s)
PDF
Category
Cryptographic protocols
Publication info
Preprint.
Keywords
Fiat-Shamir transformation
proof-of-work
random oracle model
diagonalization
Contact author(s)
galarnon42 @ gmail com
eylon yogev @ biu ac il
History
2025-02-27: revised
2025-02-23: received
Short URL
https://ia.cr/2025/329
License
Creative Commons Attribution
CC BY

BibTeX

@misc{cryptoeprint:2025/329,
      author = {Gal Arnon and Eylon Yogev},
      title = {Towards a White-Box Secure Fiat-Shamir Transformation},
      howpublished = {Cryptology {ePrint} Archive, Paper 2025/329},
      year = {2025},
      url = {https://eprint.iacr.org/2025/329}
}