Adaptive Proofs Have Straightline Extractors (in the Random Oracle Model)

  • David Bernhard
  • Ngoc Khanh Nguyen
  • Bogdan Warinschi
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 10355)


The concept of adaptive security for proofs of knowledge was recently studied by Bernhard et al. They formalised adaptive security in the ROM and showed that the non-interactive version of the Schnorr protocol obtained using the Fiat-Shamir transformation is not adaptively secure unless the one-more discrete logarithm problem is easy. Their only construction of adaptively secure protocols used the Fischlin transformation [11], which yields protocols with straight-line extractors. In this paper we provide two further key insights. Our main result shows that any adaptively secure protocol must have a straight-line extractor: even the most clever rewinding strategies cannot offer any benefit against adaptive provers. Then, we show that no Fiat-Shamir transformed \(\Sigma\)-protocol is adaptively secure unless a related problem, which we call the \(\Sigma\)-one-wayness problem, is easy. This assumption concerns not just Schnorr but applies to a whole class of \(\Sigma\)-protocols including, e.g., Chaum-Pedersen and representation proofs. We also prove that \(\Sigma\)-one-wayness is hard in an extension of the generic group model which, on its own, is a contribution of independent interest. Taken together, these results suggest that the highly efficient proofs based on the popular Fiat-Shamir transformed \(\Sigma\)-protocols should be used with care in settings where adaptive security of such proofs is important.
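To make concrete what a rewinding extractor for a Fiat-Shamir transformed \(\Sigma\)-protocol does (the kind of extraction the abstract says cannot help against adaptive provers), here is an added toy example that is not code from the paper or its authors: a Fiat-Shamir Schnorr prover and verifier over a constructed tiny group, and a forking extractor that reruns the prover on the same coins with a reprogrammed random-oracle answer. The group parameters, the `RandomOracle` class and all function names are assumptions made for this illustration.

```python
"""Toy Fiat-Shamir Schnorr proof plus a rewinding (forking) extractor; constructed, not production code."""
import hashlib
import secrets

# Constructed toy group: P = 2*Q + 1 is a safe prime, G = 4 generates the order-Q subgroup.
P, Q, G = 1019, 509, 4


class RandomOracle:
    """Lazily evaluated random oracle; the extractor can pre-program entries."""
    def __init__(self, programmed=None):
        self.table = dict(programmed or {})
        self.queries = []  # transcript of (y, t) queries, in order

    def __call__(self, y, t):
        self.queries.append((y, t))
        if (y, t) not in self.table:
            digest = hashlib.sha256(f"{y}|{t}".encode()).digest()
            self.table[(y, t)] = int.from_bytes(digest, "big") % Q
        return self.table[(y, t)]

def prove(x, y, coins, oracle):
    """Honest Fiat-Shamir Schnorr prover; coins fix the commitment randomness."""
    r = coins % Q
    t = pow(G, r, P)                # commitment
    c = oracle(y, t)                # challenge supplied by the random oracle
    return (t, c, (r + c * x) % Q)  # response s = r + c*x

def verify(y, proof, oracle):
    t, c, s = proof
    return c == oracle(y, t) and pow(G, s, P) == (t * pow(y, c, P)) % P

def rewinding_extractor(prover, y):
    """Run the prover, rewind it to its first oracle query with the same coins,
    reprogram the answer, and combine the two transcripts (special soundness)."""
    coins = secrets.randbelow(Q)
    first = RandomOracle()
    t, c, s = prover(y, coins, first)
    fork_point = first.queries[0]
    c2 = (c + 1 + secrets.randbelow(Q - 1)) % Q   # any challenge != c
    t2, c2, s2 = prover(y, coins, RandomOracle({fork_point: c2}))
    assert t == t2 and c != c2, "same coins must give the same commitment"
    return (s - s2) * pow((c - c2) % Q, -1, Q) % Q

def demo():
    x = secrets.randbelow(Q - 1) + 1
    y = pow(G, x, P)
    proof = prove(x, y, secrets.randbelow(Q), RandomOracle())
    honest = lambda y_, coins, oracle: prove(x, y_, coins, oracle)
    return verify(y, proof, RandomOracle()), rewinding_extractor(honest, y) == x
```

The extractor only works because it can rerun the prover from the same coins and answer the forked query differently, which is exactly the rewinding plus reprogramming the paper's main result rules out as useless against adaptive provers.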


  1. Bellare, M., Namprempre, C., Pointcheval, D., Semanko, M.: The one-more-RSA-inversion problems and the security of Chaum’s blind signature scheme. eprint 2001/002. Originally appeared as “The power of RSA inversion oracles and the security of Chaum’s RSA-based blind signature scheme”. In: Financial Cryptography. LNCS, vol. 2339, pp. 319–338. Springer, Heidelberg (2001)
  2. Bellare, M., Rogaway, P.: The security of triple encryption and a framework for code-based game-playing proofs. In: Vaudenay, S. (ed.) EUROCRYPT 2006. LNCS, vol. 4004, pp. 409–426. Springer, Heidelberg (2006). doi: 10.1007/11761679_25. The title cited is from the latest version on eprint.
  3. Bellare, M., Rogaway, P.: Random oracles are practical: a paradigm for designing efficient protocols. In: Proceedings of the 1st ACM Conference on Computer and Communications Security, CCS 1993, pp. 62–73 (1993)
  4. Bernhard, D.: Zero-knowledge proofs in theory and practice. Ph.D. thesis, University of Bristol (2014)
  5. Bernhard, D., Fischlin, M., Warinschi, B.: Adaptive proofs of knowledge in the random oracle model. In: Katz, J. (ed.) PKC 2015. LNCS, vol. 9020, pp. 629–649. Springer, Heidelberg (2015). doi: 10.1007/978-3-662-46447-2_28
  6. Bernhard, D., Fischlin, M., Warinschi, B.: On the hardness of proving CCA-security of signed ElGamal. In: Cheng, C.-M., Chung, K.-M., Persiano, G., Yang, B.-Y. (eds.) PKC 2016. LNCS, vol. 9614, pp. 47–69. Springer, Heidelberg (2016). doi: 10.1007/978-3-662-49384-7_3
  7. Bernhard, D., Nguyen, N.K., Warinschi, B.: Adaptive Proofs have Straightline Extractors (in the Random Oracle Model). Full version on eprint 2015/712
  8. Brown, D.: Irreducibility to the One-More Evaluation Problems: More May Be Less. eprint 2007/435
  9. Bresson, E., Monnerat, J., Vergnaud, D.: Separation results on the “one-more” computational problems. In: Malkin, T. (ed.) CT-RSA 2008. LNCS, vol. 4964, pp. 71–87. Springer, Heidelberg (2008). doi: 10.1007/978-3-540-79263-5_5
  10. Fiat, A., Shamir, A.: How to prove yourself: practical solutions to identification and signature problems. In: Odlyzko, A.M. (ed.) CRYPTO 1986. LNCS, vol. 263, pp. 186–194. Springer, Heidelberg (1987). doi: 10.1007/3-540-47721-7_12
  11. Fischlin, M.: Communication-efficient non-interactive proofs of knowledge with online extractors. In: Shoup, V. (ed.) CRYPTO 2005. LNCS, vol. 3621, pp. 152–168. Springer, Heidelberg (2005). doi: 10.1007/11535218_10
  12. Fischlin, M., Fleischhacker, N.: Limitations of the meta-reduction technique: the case of Schnorr signatures. In: Johansson, T., Nguyen, P.Q. (eds.) EUROCRYPT 2013. LNCS, vol. 7881, pp. 444–460. Springer, Heidelberg (2013). doi: 10.1007/978-3-642-38348-9_27. eprint 2013/140
  13. Koblitz, N., Menezes, A.: Another look at non-standard discrete log and Diffie-Hellman problems. J. Math. Cryptol. 2(4), 311–326 (2008). eprint 2007/442
  14. Maurer, U.: Abstract models of computation in cryptography. In: Smart, N.P. (ed.) Cryptography and Coding 2005. LNCS, vol. 3796, pp. 1–12. Springer, Heidelberg (2005). doi: 10.1007/11586821_1
  15. Nechaev, V.I.: Complexity of a determinate algorithm for the discrete logarithm. Math. Notes 55(2), 165–172 (1994)
  16. Paillier, P., Vergnaud, D.: Discrete-log-based signatures may not be equivalent to discrete log. In: Roy, B. (ed.) ASIACRYPT 2005. LNCS, vol. 3788, pp. 1–20. Springer, Heidelberg (2005). doi: 10.1007/11593447_1
  17. Schnorr, C.P.: Efficient signature generation for smart cards. J. Cryptol. 4, 161–174 (1991). Springer
  18. Seurin, Y., Treger, J.: A robust and plaintext-aware variant of signed ElGamal encryption. In: Dawson, E. (ed.) CT-RSA 2013. LNCS, vol. 7779, pp. 68–83. Springer, Heidelberg (2013). doi: 10.1007/978-3-642-36095-4_5
  19. Shoup, V.: Lower bounds for discrete logarithms and related problems. In: Fumy, W. (ed.) EUROCRYPT 1997. LNCS, vol. 1233, pp. 256–266. Springer, Heidelberg (1997). doi: 10.1007/3-540-69053-0_18
  20. Shoup, V., Gennaro, R.: Securing threshold cryptosystems against chosen ciphertext attack. In: Nyberg, K. (ed.) EUROCRYPT 1998. LNCS, vol. 1403, pp. 1–16. Springer, Heidelberg (1998). doi: 10.1007/BFb0054113

Copyright information

© Springer International Publishing AG 2017

Authors and Affiliations

  • David Bernhard (1)
  • Ngoc Khanh Nguyen (1)
  • Bogdan Warinschi (1)
  1. Computer Science Department, University of Bristol, Bristol, England
