Adaptive Proofs Have Straightline Extractors (in the Random Oracle Model)
The concept of adaptive security for proofs of knowledge was recently studied by Bernhard et al. They formalised adaptive security in the ROM and showed that the non-interactive version of the Schnorr protocol obtained using the Fiat-Shamir transformation is not adaptively secure unless the one-more discrete logarithm problem is easy. Their only construction for adaptively secure protocols used the Fischlin transformation, which yields protocols with straight-line extractors. In this paper we provide two further key insights. Our main result shows that any adaptively secure protocol must have a straight-line extractor: even the most clever rewinding strategies cannot offer any benefits against adaptive provers. Then, we show that any Fiat-Shamir transformed \(\varSigma\)-protocol is not adaptively secure unless a related problem, which we call the \(\varSigma\)-one-wayness problem, is easy. This assumption concerns not just Schnorr but applies to a whole class of \(\varSigma\)-protocols including, e.g., Chaum-Pedersen and representation proofs. We also prove that \(\varSigma\)-one-wayness is hard in an extension of the generic group model which, on its own, is a contribution of independent interest. Taken together, these results suggest that the highly efficient proofs based on the popular Fiat-Shamir transformed \(\varSigma\)-protocols should be used with care in settings where adaptive security of such proofs is important.
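The distinction the abstract draws between rewinding and straight-line extraction is easiest to see on the Fiat-Shamir transformed Schnorr protocol itself. The following is an added illustration, not code from the paper: it implements the Schnorr prover and verifier over a constructed toy group (parameters `P`, `Q`, `G` are assumed and far too small to be secure) and an extractor that obtains the witness by running the prover twice with the random oracle reprogrammed at the commitment, i.e. by rewinding; a straight-line extractor would have to succeed from the single run that the verifier sees.

```python
import hashlib
import secrets

# Constructed toy group (NOT secure, illustration only): P = 2Q+1 with Q prime,
# and G = 2^2 generates the order-Q subgroup of Z_P^*.
P, Q, G = 1019, 509, 4

def fs_challenge(y, r):
    """Fiat-Shamir challenge: the random oracle H(statement, commitment) mod Q."""
    digest = hashlib.sha256(f"{G}|{y}|{r}".encode()).digest()
    return int.from_bytes(digest, "big") % Q

def schnorr_prove(x, k, oracle=fs_challenge):
    """Schnorr prover for y = G^x, written as a deterministic function of its
    random coin k and of the oracle it queries, so that it can be rewound."""
    y = pow(G, x, P)
    r = pow(G, k, P)           # commitment
    e = oracle(y, r)           # challenge obtained from the (random) oracle
    s = (k + e * x) % Q        # response
    return y, (r, e, s)

def schnorr_verify(y, proof):
    """Accept iff the challenge is the oracle's answer and G^s = r * y^e."""
    r, e, s = proof
    return e == fs_challenge(y, r) and pow(G, s, P) == r * pow(y, e, P) % P

def special_soundness(r, e1, s1, e2, s2):
    """Two accepting transcripts with the same commitment and distinct
    challenges give the witness: x = (s1 - s2) / (e1 - e2) mod Q."""
    if e1 == e2:
        raise ValueError("transcripts must have distinct challenges")
    return (s1 - s2) * pow(e1 - e2, -1, Q) % Q

def rewinding_extract(prover_run):
    """Rewinding extractor: rerun the prover with the oracle reprogrammed at
    the commitment (the fork point) and combine the two transcripts. This is
    exactly the kind of extractor the paper shows cannot cope with adaptive
    provers; a straight-line extractor must work from one transcript only."""
    y, (r, e1, s1) = prover_run(fs_challenge)
    forked = lambda y_, r_: (fs_challenge(y_, r_) + 1) % Q  # differs at the fork
    _, (_, e2, s2) = prover_run(forked)
    return special_soundness(r, e1, s1, e2, s2)

if __name__ == "__main__":
    x, k = secrets.randbelow(Q - 1) + 1, secrets.randbelow(Q - 1) + 1
    y, proof = schnorr_prove(x, k)
    assert schnorr_verify(y, proof)
    assert rewinding_extract(lambda H: schnorr_prove(x, k, H)) == x
```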
- 1. Bellare, M., Namprempre, C., Pointcheval, D., Semanko, M.: The one-more-RSA-inversion problems and the security of Chaum’s blind signature scheme. eprint 2001/002. Originally appeared as “The power of RSA inversion oracles and the security of Chaum’s RSA-based blind signature scheme”. In: Financial Cryptography. LNCS, vol. 2339, pp. 319–338. Springer, Heidelberg (2001)
- 2. Bellare, M., Rogaway, P.: The security of triple encryption and a framework for code-based game-playing proofs. In: Vaudenay, S. (ed.) EUROCRYPT 2006. LNCS, vol. 4004, pp. 409–426. Springer, Heidelberg (2006). doi: 10.1007/11761679_25. The title cited is from the latest version on eprint at http://eprint.iacr.org/2004/331
- 3. Bellare, M., Rogaway, P.: Random oracles are practical: a paradigm for designing efficient protocols. In: Proceedings of the 1st ACM Conference on Computer and Communications Security, CCS 1993, pp. 62–73 (1993)
- 4. Bernhard, D.: Zero-knowledge proofs in theory and practice. Ph.D. thesis, University of Bristol (2014). www.cs.bris.ac.uk/bernhard/papers.html
- 7. Bernhard, D., Nguyen, N.K., Warinschi, B.: Adaptive Proofs have Straightline Extractors (in the Random Oracle Model). Full version on eprint 2015/712
- 8. Brown, D.: Irreducibility to the One-More Evaluation Problems: More May Be Less. eprint 2007/435