1 Introduction

The Fiat-Shamir heuristic [FS86] is an extremely influential approach for eliminating or reducing interaction in a wide variety of cryptographic protocols. First proposed as a practical method for constructing digital signature schemes from identification protocols, it was later generalized to reduce interaction of arbitrary (public-coin) protocols. In a nutshell, the idea is to replace the messages from the public-coin verifier (which are uniformly random strings) with a suitable hash of all preceding prover messages.

Identifying whether and when the Fiat-Shamir heuristic is sound has been a focus of cryptographic research for decades. It has been known for over 25 years that security holds in an idealized model where the hash function is modeled as a random oracle [PS96]. While the random oracle is often a useful methodology for designing heuristically secure protocols [BR94], it does not provide any guarantees when the random oracle is replaced with any explicit hash function family. As a matter of fact, results of Barak [Bar01] and Goldwasser and Kalai [GK03] give a strong negative indication. Specifically, these works exhibit sound protocols which become totally insecure after the application of the Fiat-Shamir transform using any hash function.

Still, the protocols designed by [Bar01, GK03] were, in a sense, specifically tailored to make the Fiat-Shamir fail. Thus, it is important to understand whether this methodology can be soundly applied to protocols with additional natural structure that we care about. A prominent example for such a protocol is Kilian’s [Kil92] beautiful 4-message argument-system for any \(\mathsf {NP}\) language. Remarkably, this protocol (which relies on a relatively mild cryptographic assumption) can be used to prove the correctness of any \(\mathsf {NP}\) language with an extremely short proof and with a super efficient verification procedure. A main drawback of Kilian’s protocol is that it requires back and forth interaction between the prover and verifier (which is undesirable for some applications) and so this protocol is (arguably) the prime example of a protocol for which we would like to apply Fiat-Shamir.

Indeed, this very idea was advocated by Micali [Mic00] in his construction of CS proofs, which are now more commonly referred to as \(\mathsf {SNARG}\)s (an abbreviation for Succinct Non-interactive ARGuments). \(\mathsf {SNARG}\)s are an incredibly powerful and versatile tool that are currently being implemented and adopted in practice (especially in the domain of blockchain technology and cryptocurrencies [BGG17, BGM17, BBB+18]). Some leading \(\mathsf {SNARG}\) implementation efforts are closely following the basic approach of applying Fiat-Shamir to (suitable extensions of) Kilian’s protocol [BCS16, BBC+17, BBHR18a, BBHR18b, BCR+19]. For convenience, throughout this work we refer to the candidate \(\mathsf {SNARG}\) obtained by applying Fiat-Shamir to Kilian’s protocol as the \(\mathsf {FSKM}\) protocol.

Thus, a basic question that we would like to understand (and was posed explicitly by [GK03]) is the following:

Do there exist hash functions with which the \(\mathsf {FSKM}\) protocol is sound?

Jumping ahead, we show that the \(\mathsf {FSKM}\) protocol can potentially be insecure when instantiated with any Fiat-Shamir hash function family. However, to explain our results more precisely, we first recall some details of Kilian’s original protocol and the resulting \(\mathsf {FSKM}\) protocol.

1.1 Kilian’s Protocol and \(\mathsf {FSKM}\)

First and foremost, Kilian’s protocol relies on probabilistically checkable proofs (\(\mathsf {PCP}\)s). Recall that \(\mathsf {PCP}\)s can be thought of as a way to encode a witness w so that the encoded witness \(\pi \) can be verified by only reading a few of its bits. The celebrated \(\mathsf {PCP}\) Theorem [ALM+98] shows that such \(\mathsf {PCP}\)s exist for all \(\mathsf {NP}\) languages.

Consider some language \(\mathcal {L} \in \mathsf {NP}\) and let \({\varPi }_\mathsf {PCP} = (\mathcal {P}_{\mathsf {PCP}}, \mathcal {V}_{\mathsf {PCP}})\) be a \(\mathsf {PCP}\) proof-system for \(\mathcal {L}\). To establish that \(x \in \mathcal {L}\), and given a witness w, the prover \(\mathcal {P}_{\mathsf {Kilian}}\) engages in the following protocol with the verifier \(\mathcal {V}_{\mathsf {Kilian}}\):

  1. 1.

    \(\mathcal {V}_{\mathsf {Kilian}}\) samples a collision-resistant hash function \(h_\mathsf {CRHF} \leftarrow \mathcal {H}_\mathsf {CRHF}\), and sends \(h_\mathsf {CRHF}\) to \(\mathcal {P}_{\mathsf {Kilian}}\).

  2. 2.

    \(\mathcal {P}_{\mathsf {Kilian}}\) constructs a \(\mathsf {PCP}\) \(\pi \) for x’s membership in \(\mathcal {L}\), and sends a Merkle hash (using \(h_\mathsf {CRHF}\)) of \(\pi \) to \(\mathcal {V}_{\mathsf {Kilian}}\).

  3. 3.

    \(\mathcal {V}_{\mathsf {Kilian}}\) chooses random coins r for the \(\mathsf {PCP}\) verifier \(\mathcal {V}_{\mathsf {PCP}}\) and sends them to \(\mathcal {P}_{\mathsf {Kilian}}\).

  4. 4.

    \(\mathcal {P}_{\mathsf {Kilian}}\) computes the locations \(i_1, \ldots , i_q\) that \(\mathcal {V}_{\mathsf {PCP}}\) would query on randomness r and input x, and “decommits” to the values of \((\pi _{i_1}, \ldots , \pi _{i_q})\).Footnote 1

  5. 5.

    \(\mathcal {V}_{\mathsf {Kilian}}\) checks that the decommitments are valid and that the values that were opened make the \(\mathsf {PCP}\) verifier accept using the random string r.

We denote by \(\mathsf {FSKM}[{\varPi }_\mathsf {PCP},\mathcal {H}_{\mathsf {CRHF}},\mathcal {H}_{\mathsf {FS}}]\) the protocol that results from applying Fiat-Shamir with hash family \(\mathcal {H}_\mathsf {FS}\) to the above 4 message argument. Observe that \(\mathsf {FSKM}[{\varPi }_\mathsf {PCP},\mathcal {H}_{\mathsf {CRHF}},\mathcal {H}_{\mathsf {FS}}]\) can be implemented using only 2 messages: in the first message the verifier specifies the collision resistant hash function and the Fiat-Shamir hash function \(h_\mathsf {FS} \leftarrow \mathcal {H}_\mathsf {FS}\), and in the second message the prover reveals the root \(\mathsf {rt}\) of the Merkle tree together with the relevant decommitments with respect to \(r=h_\mathsf {FS}(\mathsf {rt})\).

We will also consider a variant of the \(\mathsf {FSKM}\) protocol that uses a generalization of \(\mathsf {PCP}\)s called probabilistically checkable interactive proofs or \(\mathsf {PCIP}\)s [BCS16, RRR16a].Footnote 2 A \(\mathsf {PCIP}\) is a type of proof system that combines the locally checkable aspect of \(\mathsf {PCP}\)s with the multi-round aspect of interactive proofs, thereby generalizing both. More precisely, in a \(\mathsf {PCIP}\) the prover first sends a \(\mathsf {PCP}\) proof to the verifier, which can make some queries to this proof string (as in standard \(\mathsf {PCP}\)s). The difference however is that now the verifier is allowed to respond with a random challenge and the prover sends an additional \(\mathsf {PCP}\) proof string - this process can continue for several rounds.

One of the key benefits of \(\mathsf {PCIP}\)s (advocated by [BCS16]) is that they can allow for practical efficiency benefits over standard \(\mathsf {PCP}\)s. As observed by [BCS16], Kilian’s protocol can be readily extended to handle \(\mathsf {PCIP}\)s, by having the prover send a Merkle hash of its entire message in every round, and eventually decommiting to the desired bits as in Kilian’s original protocol. It is natural therefore to apply Fiat-Shamir to the resulting protocol and this was shown to be sound by [BCS16] in the random oracle model. We extend our notation of \(\mathsf {FSKM}\) to the more general setting of \(\mathsf {PCIP}\)s in the natural way (see Line 3 for details).

As mentioned above, the \(\mathsf {FSKM}\) protocol, when combined with highly efficient \(\mathsf {PCIP}\)s, is at the heart of current successful implementations of \(\mathsf {SNARG}\)s [BCS16, BBC+17, BBHR18a, BBHR18b, BCR+19].

1.2 Our Results

Loosely speaking, we show that the \(\mathsf {FSKM}\) protocol can be insecure when instantiated with any Fiat-Shamir hash function unless security relies on specific properties of both (1) the collision resistant hash function, and (2) the underlying \(\mathsf {PCP}\) (or more precisely \(\mathsf {PCIP}\)). This is established by our two main results which are described next.

Our first main result shows that there exists a collision-resistant hash family \(\widetilde{\mathcal {H}}_{\mathsf {CRHF}}\) such that for any “reasonable” \(\mathsf {PCP}\) \({\varPi }_\mathsf {PCP}\) and all candidate Fiat-Shamir hash families \(\mathcal {H}_{\mathsf {FS}}\), the protocol \(\mathsf {FSKM}[{\varPi }_\mathsf {PCP}, \widetilde{\mathcal {H}}_{\mathsf {CRHF}}, \mathcal {H}_{\mathsf {FS}}]\) is not sound. We refer to such a \(\mathsf {CRHF}\) as being \(\mathsf {FSKM}\)-incompatible. The existence of such an \(\mathsf {FSKM}\)-incompatible \(\mathsf {CRHF}\) shows that soundness of the \(\mathsf {FSKM}\) protocol cannot be based on a generic \(\mathsf {CRHF}\). Loosely speaking, by “a reasonable \(\mathsf {PCP}\),” we mean one where it is possible given the verifier’s randomness to compute a proof string that the verifier would accept.

Unreasonable \(\mathsf {PCP}\)s may exist. For instance, if \(\mathsf {SNARG}\)s exist, then any \(\mathsf {PCP}\) for an \(\mathsf {NP}\) language \(\mathcal {L}\) can be modified (in a contrived way) to be an unreasonable \(\mathsf {PCP}\) for \(\mathcal {L}\): Honest proof strings for \(x \in \mathcal {L}\) are modified by appending a \(\mathsf {SNARG}\) \(\pi _{\mathsf {SNARG}}\) attesting that \(x \in \mathcal {L}\); the verifier is modified so that in addition to performing the original \(\mathsf {PCP}\) verifier’s checks, it also verifies that \(\pi _{\mathsf {SNARG}}\) is a valid \(\mathsf {SNARG}\). However there is a sense in which such \(\mathsf {PCP}\)s (already having an embedded \(\mathsf {SNARG}\)) are the only unreasonable \(\mathsf {PCP}\)s. We formalize this in Theorem 6.

The collision-resistance of our \(\mathsf {FSKM}\)-Incompatible \(\mathsf {CRHF}\) relies on a strong cryptographic assumption: the existence of Succinct Non-Interactive ARguments of Knowledge (\(\mathsf {SNARK}\)s) with “computationally unique” proofs. By computationally unique we mean that it should be infeasible to find two different proofs corresponding to the same \(\mathsf {NP}\) witness.

Our result implies that under this assumption, \(\mathsf {FSKM}[{\varPi }_\mathsf {PCP}, \mathcal {H}_{\mathsf {CRHF}}, \mathcal {H}_{\mathsf {FS}}]\) cannot be proven to be sound when \(\mathcal {H}_{\mathsf {CRHF}}\) is a generic collision-resistant hash family—even if the \(\mathsf {PCP}\) \({\varPi }_\mathsf {PCP}\) and Fiat-Shamir hash function \(\mathcal {H}_{\mathsf {FS}}\) are carefully engineered.

Theorem 1

(Informally Stated, see Theorem 6). Assume the existence of collision resistant hash functions and (publicly verifiable) \(\mathsf {SNARK}\)s with computationally unique proofs. Then, there exists a collision-resistant hash family \(\widetilde{\mathcal {H}}_{\mathsf {CRHF}}\) such that for every “reasonable” \(\mathsf {PCP}\) \({\varPi }_\mathsf {PCP}\) and every hash family \(\mathcal {H}_{\mathsf {FS}}\), the protocol \(\mathsf {FSKM}[{\varPi }_\mathsf {PCP}, \widetilde{\mathcal {H}}_{\mathsf {CRHF}}, \mathcal {H}_{\mathsf {FS}}]\) is not sound.

We instantiate this theorem with a \(\mathsf {SNARK}\) constructed in the works of [BCI+13, BCCT13], whose soundness follows from a knowledge of exponent assumption in bilinear groups (along with a more standard “power” discrete log assumption). Such knowledge assumptions are very strong (and are not known to be falsifiable), but are still plausible, and in particular can be proven to hold in the generic group model [Nec94, Sho97, Mau05].Footnote 3 In the full version [BBH+19], we show that under the same set of assumptions (we need collision resistant hashing as well, but this follows from either of the assumptions on groups), this \(\mathsf {SNARK}\) has computationally unique proofs. However, as discussed in [BCCT13], the soundness notion satisfied by this \(\mathsf {SNARK}\) is slightly weaker than standard soundness. We overcome this difficulty by additionally assuming the existence of injective one-way functions that are exponentially hard.

Moving on, Theorem 1 still leaves open the possibility that a careful choice of \(\mathcal {H}_{\mathsf {CRHF}}\) and \(\mathcal {H}_{\mathsf {FS}}\) suffices to establish soundness of \(\mathsf {FSKM}[{\varPi }_\mathsf {PCP}, \mathcal {H}_{\mathsf {CRHF}}, \mathcal {H}_{\mathsf {FS}}]\). Our second main result shows a significant obstacle to this possibility. Specifically, we show that there exists a \(\mathsf {PCIP}\) such that for any collision-resistant hash function \(\mathsf {CRHF}\) and any Fiat-Shamir hash function, the resulting \(\mathsf {FSKM}\) protocol is not sound. We refer to such a \(\mathsf {PCIP}\) as being an \(\mathsf {FSKM}\)-incompatible \(\mathsf {PCIP}\). The existence of \(\mathsf {FSKM}\)-incompatible \(\mathsf {PCIP}\)s implies that the soundness of any \(\mathsf {FSKM}\) protocol must rely on specific properties of the underlying \(\mathsf {PCIP}\). In contrast to Theorem 1, this result is unconditional (i.e., does not rely on any cryptographic assumptions).

Theorem 2

(Informally Stated, see Theorem 7). There exists a \(\mathsf {PCIP}\) \(\widetilde{{\varPi }}_\mathsf {PCIP}\) such that for all hash families \(\mathcal {H}_{\mathsf {CRHF}}\) and \(\mathcal {H}_{\mathsf {FS}}\), the protocol \(\mathsf {FSKM} [\widetilde{{\varPi }}_\mathsf {PCIP}, \mathcal {H}_{\mathsf {CRHF}}, \mathcal {H}_{\mathsf {FS}}]\) is not sound.

In the proof of Theorem 2, we show soundness of \(\mathsf {FSKM}[\widetilde{{\varPi }}_\mathsf {PCIP}, \mathcal {H}_{\mathsf {CRHF}}, \mathcal {H}_{\mathsf {FS}}]\) is broken in an extremely strong sense. Namely, there exists a polynomial-time adversary that convinces the \(\mathsf {FSKM}\) verifier to accept any input \(x \not \in L\) with probability 1.

Interpretation of Our Results. We emphasize that our construction of \(\mathsf {CRHF}\) (in Theorem 1) and \(\mathsf {PCIP}\) (in Theorem 2) are highly contrived. Thus, it certainly remains a possibility that some special structure of known \(\mathsf {CRHF}\)s and \(\mathsf {PCP}\)s/\(\mathsf {PCIP}\)s might be identified that will allow for the \(\mathsf {FSKM}\) protocol to be securely instantiated. Indeed, we hope that our results will lead to the identification of special structure that can be leveraged to securely instantiate \(\mathsf {FSKM}\).

In fact, we give some initial progress towards this goal. In the full version [BBH+19], we give a sound instantiation (under standard assumptions) of the \(\mathsf {FSKM}\) protocol when the underlying \(\mathsf {PCP}\) is a specific \(\mathsf {PCP}\) for the empty language. In order to bypass our impossibility, we make use of a collision-resistant hash function with special structure: the somewhere statistically binding hash function of Hubáček and Wichs [HW15b]. For the Fiat-Shamir hash function, we use a correlation-intractable hash function for efficiently searchable relations, recently constructed under the Learning with Errors assumption by Peikert and Shiehian [PS19]. Needless to say, \(\mathsf {SNARK}\) constructions for the empty language are not particularly interesting. However, we hope that this blueprint will be useful in the future for proving instantiations of \(\mathsf {FSKM}\) sound when the underlying \(\mathsf {PCP}\) is defined for more expressive languages.

1.3 Additional Prior Work

Goldwasser and Kalai [GK03] showed that the original application of the Fiat-Shamir heuristic is not sound; there exists a contrived identification protocol such that no matter what hash function is used in the Fiat-Shamir transform, the resulting digital signature scheme is insecure. Since they use a very particular protocol, their result does not yield a negative result for applying Fiat-Shamir to the \(\mathsf {FSKM}\) protocol (indeed, as mentioned above, finding such a negative result was posed as an open problem in [GK03]).

Another very related work is that of Gentry and Wichs [GW11], who showed a substantial barrier to constructing \(\mathsf {SNARG}\)s. Our work is incomparable to that of [GW11]. On the one hand [GW11] rule out a very general class of \(\mathsf {SNARG}\) constructions whereas we focus on a very particular approach (i.e., applying Fiat-Shamir to \(\mathsf {FSKM}\) with a generic CRHF). On the other hand, when restricting to the foregoing approach, we overcome some significant limitations of [GW11]. First, in contrast to [GW11], our result is not limited to SNARGs whose security holds under a black-box reduction from a falsifiable assumption. Second, it applies also to constructions based on non-falsifiable assumptions. Third, it rules out protocol achieving standard (i.e., non-adaptive) soundness, whereas [GW11] only rules out adaptively sound protocols. And fourth, our work applies to any \(\mathsf {NP}\) language whereas [GW11] only rules out \(\mathsf {SNARG}\)s for particular (extremely) hard \(\mathsf {NP}\) languages.

A recent line of work [KRR17, CCRR18, HL18, CCH+19, PS19] constructs hash functions that are compatible with Fiat-Shamir, when applied to statistically sound interactive proofs. Still, the question of whether the Fiat-Shamir transform can be securely applied to preserve the computational soundness of Kilian’s argument scheme has remained open.

1.4 Technical Overview

We proceed to an overview of our two main results. First, in Sect. 1.4 we give an overview of our \(\mathsf {FSKM}\)-incompatible \(\mathsf {CRHF}\) and then, in Sect. 1.4, we give an overview of our \(\mathsf {FSKM}\)-incompatible \(\mathsf {PCIP}\).

An \(\mathsf {FSKM}\)-incompatible \(\mathsf {CRHF}\varvec{.}\) For simplicity, in this overview we describe a weaker result. Specifically, we construct an \(\mathsf {FSKM}\)-incompatible \(\mathsf {CRHF}\) for a particular choice of the language \(\mathcal {L}\) and for a \(\mathsf {PCP}\) for \(\mathcal {L}\) (rather than handling all languages \(\mathcal {L}\) and all “reasonable” \(\mathsf {PCP}\)s). Nevertheless, this weaker result demonstrates the main ideas that go into the proof of Theorem 1. Specifically, we focus on the empty language \(\mathcal {L}=\emptyset \). While this language has a trivial \(\mathsf {PCP}\) \({\varPi }_\mathsf {PCP}\) (of length 0) in which the verifier always rejects, we will consider a different \(\mathsf {PCP}\) \(\widetilde{{\varPi }}_\mathsf {PCP}\) for \(\mathcal {L}\) (parameterized by a security parameter \(\lambda \)): the \(\mathsf {PCP}\) proof string is expected to have length \(2 \lambda \) and the verifier uses a random string of length \(\lambda \), and accepts if the first \(\lambda \) bits of the \(\mathsf {PCP}\) are equal to its random string. Completeness holds in an empty sense whereas the soundness error is clearly \(2^{-\lambda }\). We construct a contrived collision-resistant hash function \(\widetilde{\mathcal {H}}_{\mathsf {CRHF}}\) such that \(\mathsf {FSKM}[\widetilde{{\varPi }}_\mathsf {PCP}, \widetilde{\mathcal {H}}_{\mathsf {CRHF}}, \mathcal {H}_{\mathsf {FS}}]\) is not sound for any hash family \(\mathcal {H}_{\mathsf {FS}}\).

We will construct \(\widetilde{\mathcal {H}}_{\mathsf {CRHF}} = \{\widetilde{H}^{(\lambda )}_\mathsf {CRHF} : \{0,1\}^{2 \lambda } \rightarrow \{0,1\}^\lambda \}\) so that it satisfies the following property: Given \(\widetilde{h}_\mathsf {CRHF} \leftarrow \widetilde{H}^{(\lambda )}_{\mathsf {CRHF}}\) and any efficiently computable function f, it is possible to efficiently find \((x_0\Vert x_1) \in \{0,1\}^{2 \lambda }\) such that \(x_0 = f(\widetilde{h}_\mathsf {CRHF}(x_0\Vert x_1))\). This property immediately allows us to break the soundness of \(\mathsf {FSKM}[\widetilde{{\varPi }}_\mathsf {PCP}, \widetilde{\mathcal {H}}_{\mathsf {CRHF}}, \mathcal {H}_{\mathsf {FS}}]\) as follows. We view \(h_{\mathsf {FS}} \leftarrow \mathcal {H}_{\mathsf {FS}}\) as the function f, and so a cheating prover can produce a valid commitment \(\mathsf {rt}\) to a string \((x_0\Vert x_1)\) such that the verifier’s randomness is \(h_{\mathsf {FS}}(\mathsf {rt}) = x_0\). The prover sends \(\mathsf {rt}\) as the Merkle root but can now decommit to \(x_0\), which makes the \(\mathsf {PCP}\) verifier accept. We refer to a \(\mathsf {CRHF}\) having the foregoing property as a circular tractable (\(\mathsf {CT}\)-) \(\mathsf {CRHF}\).

A \(\mathsf {CT}\)-\(\mathsf {CRHF}\) from Ideal Obfuscation. We first illustrate how it is possible to construct a \(\mathsf {CT}\)-\(\mathsf {CRHF}\) assuming ideal Turing-machine obfuscation. For readability, we will use collision-resistant hash functions (rather than ensembles) in this section.

We will start with any \(\mathsf {CRHF}\) \(h'_\mathsf {CRHF} : \{0,1\}^{2 \lambda } \rightarrow \{0,1\}^{\lambda - 1}\), and we construct a \(\mathsf {CT}\)-\(\mathsf {CRHF}\) hash function \(\widetilde{h}_\mathsf {CRHF} : \{0,1\}^{2 \lambda } \rightarrow \{0,1\}^\lambda \). The hash function \(\widetilde{h}_\mathsf {CRHF}\) will have two types of outputs: normal outputs, which end in a 1, and special outputs, which end in \(0^{\lambda /2}\). On almost all inputs \(x_0\Vert x_1\), we will have

$$\begin{aligned} \widetilde{h}_\mathsf {CRHF}(x_0\Vert x_1) = h'_\mathsf {CRHF}(x_0\Vert x_1)\Vert 1. \end{aligned}$$

However, we will guarantee that for every \(x_0\) and special output \(y\Vert 0^{\lambda /2}\), \(x_0\) can be extended into a (not efficiently computable) “special” \(x_0\Vert x_1\) such that \(\widetilde{h}_\mathsf {CRHF} (x_0\Vert x_1) = y\Vert 0^{\lambda /2}\). This is easy to achieve if we augment the description of \(\widetilde{h}_\mathsf {CRHF}\) to include a verification of a (public-key) digital signature scheme, and \(\widetilde{h}_\mathsf {CRHF}\) is defined as

In order to actually (efficiently) use the added structure of \(\widetilde{h}_\mathsf {CRHF}\), we will also augment the description of \(\widetilde{h}_\mathsf {CRHF}\) to include an obfuscation \(\widehat{P}\) of a program P that has the signature signing key hard-wired, and on input the description \(\langle f \rangle \) of a function f acts as follows:

  1. 1.

    Computes \(y = h''_\mathsf {CRHF}(\langle f \rangle )\), where \(h''_\mathsf {CRHF} : \{0,1\}^* \rightarrow \{0,1\}^{\lambda /2}\) is a generic \(\mathsf {CRHF}\).

  2. 2.

    Compute \(x_0 = f(y\Vert 0^{\lambda /2})\).

  3. 3.

    Compute a signature \(\sigma \) of \((x_0, y)\).

  4. 4.

    Output \((x_0, y, \sigma )\).

It is clear that the inclusion of \(\widehat{P}\) in the description of \(\widetilde{h}_\mathsf {CRHF}\) makes \(\widetilde{h}_\mathsf {CRHF}\) circular tractable, but why is \(\widetilde{h}_\mathsf {CRHF}\) collision-resistant?

Suppose that an efficient adversary \(\mathcal {A}\) were to output a colliding pair \((x_0\Vert x_1)\) and \((x'_0\Vert x'_1)\) of \(\widetilde{h}_\mathsf {CRHF}\). The only new collisions that \(\widetilde{h}_\mathsf {CRHF}\) has compared to \(h'_\mathsf {CRHF}\) (and thus that \(\mathcal {A}\) might possibly output) are collisions for special outputs (standard outputs can never collide with special outputs due to their last bit being different). That is, we may assume that \(x_1 = y\Vert \sigma \) and \(x'_1 = y\Vert \sigma '\). The security of the signature scheme and of the ideal obfuscator imply that if \(\mathcal {A}\) produced such a collision, it must have queried \(\widehat{P}\) on two distinct inputs \(\langle f\rangle \), \(\langle f'\rangle \) such that \(P(\langle f\rangle ) = (x_0, y, \sigma )\) and \(P(\langle f'\rangle ) = (x'_0, y, \sigma ')\). But this would in particular imply that \(h''_\mathsf {CRHF}(\langle f\rangle ) = h''_\mathsf {CRHF}(\langle f'\rangle ) = y\), meaning that \(\mathcal {A}\) found a collision in \(h''_\mathsf {CRHF}\), which is a contradiction.

A \(\mathsf {CT}\)-\(\mathsf {CRHF}\) from Unique-Proof \(\mathsf {SNARK}\)s. The above construction is tantalizing, but unfortunately we do not know how to prove security (collision-resistance) from any general-purpose notion of obfuscation security (e.g., indistinguishability obfuscation) that is not known to be unachievable. Instead, we show how to use similar ideas to obtain a \(\mathsf {CT}\)-\(\mathsf {CRHF}\) using special \(\mathsf {SNARK}\)s that can be constructed based on a knowledge of exponent assumption.

Taking a closer look at the obfuscation-based construction, we observe that ideal obfuscation was used to ensure that if an adversary \(\mathcal {A}\) could come up with an input \(x_0\Vert x_1\) such that \(\widetilde{h}_\mathsf {CRHF}(x_0\Vert x_1)\) is the special output \(y\Vert 0^{\lambda /2}\), then \(\mathcal {A}\) must “know” an f such that \(h''_\mathsf {CRHF}(\langle f\rangle ) = y\) (and \(x_0\Vert x_1\) are a fixed function of f).

With this observation in mind, an alternative way of defining special inputs is as the set of \(x_0\Vert x_1\) that contain a \(\mathsf {SNARK}\) of this fact. That is, let special inputs be strings x of the form \(x_0\Vert y\Vert \pi \), where \(\pi \) is a valid proof of knowledge of f satisfying \(h''_\mathsf {CRHF}(\langle f\rangle ) = y \wedge x_0 = f(y)\), and on such inputs let \(\widetilde{h}_\mathsf {CRHF}(x) = y\Vert 0^{\lambda /2}\).

Is the resulting \(\widetilde{h}_\mathsf {CRHF}\) collision-resistant? There are two types of collisions that we need to consider. The first type is collisions of the form \(x_0\Vert y\Vert \pi \), \(x'_0\Vert y\Vert \pi '\) with \(x_0 \ne x'_0\). The second type is collisions in which \(x_0 = x'_0\) (but \(\pi \ne \pi '\)).

The first type of collision is ruled out by the standard \(\mathsf {SNARK}\) proof-of-knowledge property. If an adversary produces such a collision, then there is an extractor that produces \(\langle f\rangle \), \(\langle f'\rangle \) such that \(h''_\mathsf {CRHF}(\langle f\rangle ) = h''_\mathsf {CRHF}(\langle f'\rangle ) = y\) but \(f(y) = x_0 \ne x'_0 = f'(y)\). The latter inequality implies that \(\langle f\rangle \ne \langle f'\rangle \), which means that the extractor is finding a collision in \(h''_\mathsf {CRHF}\).

To rule out the second type of collision, we require a new “unique proofs” property for the \(\mathsf {SNARK}\) to ensure that the extracted \(\langle f\rangle \), \(\langle f'\rangle \) are distinct. Informally, this property says that for any adversary \(\mathcal {A}\) that comes up with two distinct valid \(\mathsf {SNARK}\)-proofs of the same \(\mathsf {NP}\) claim, there is an extractor \(\mathcal {E}\) that comes up with two distinct \(\mathsf {NP}\) witnesses for the same claim.

An \(\mathsf {FSKM}\)-incompatible \(\mathsf {PCIP}\varvec{.}\) For every language \(\mathcal {L} \in \mathsf {NP}\) and collision resistant hash function ensemble \(\mathcal {H}_\mathsf {CRHF}\), we present a contrived \(\mathsf {PCIP}\) \(\widetilde{{\varPi }}_{\mathsf {PCIP}}\), such that for any choice of Fiat-Shamir hash function ensemble \(\mathcal {H}_{\mathsf {FS}}\), the resulting protocol \(\mathsf {FSKM}[\widetilde{{\varPi }}_{\mathsf {PCIP}}, \mathcal {H}_\mathsf {CRHF}, \mathcal {H}_{\mathsf {FS}}]\) is not sound.

The \(\mathsf {PCIP}\) construction is inspired by and builds on Barak’s [Bar01] beautiful protocol, while taking steps to make the approach compatible with Kilian’s protocol. Roughly speaking, our approach is to take an arbitrary \(\mathsf {PCP}\) for \(\mathcal {L}\) (say the one established by the classical \(\mathsf {PCP}\) theorem) and “tweaking” it so as to maintain its soundness while enabling an attack on the resulting \(\mathsf {FSKM}\) protocol. Since the tweaking of the \(\mathsf {PCP}\) will add an additional round, we only obtain a \(\mathsf {FS}\)-incompatible \(\mathsf {PCIP}\) rather than a \(\mathsf {PCP}\).

In more detail, the first message sent by the honest \(\mathsf {PCIP}\) prover is \( \pi ' = b \Vert \pi \) where b is a single bit and \(\pi \) is a string. The honest \(\mathsf {PCIP}\) prover always sets the bit b to 0 but we add the option of having a malicious prover set b to 1 to facilitate the attack on \(\mathsf {FSKM}\).

The \(\mathsf {PCIP}\) verifier, given this string, first reads the value of b. In case \(b=0\), the verifier simply treats \(\pi \) as a \(\mathsf {PCP}\) proof string and runs the underlying \(\mathsf {PCP}\) verifier while redirecting its proof queries to \(\pi \). This concludes the entire interaction and the \(\mathsf {PCIP}\) verifier accepts if and only if the \(\mathsf {PCP}\) verifier accepts. Completeness of the entire protocol as well as soundness for the case that \(b=0\) follow immediately from the construction.

Note however that a malicious prover may indeed send the value \(b=1\). While the verifier could immediately reject in this case, we intentionally make our \(\mathsf {PCIP}\) verifier do something different. Ignoring \(\pi \) for a moment, the verifier now chooses a random string \(r \in \{0,1\}^\lambda \) and sends r to the \(\mathsf {PCIP}\) prover. The key observation is that when the protocol is compiled via \(\mathsf {FSKM}\) using a \(\mathsf {CRHF}\) \(h_{\mathsf {CRHF}}\) and \(\mathsf {FS}\) hash function \(h_{\mathsf {FS}}\), in the resulting non-interactive argument the value r is fully determined. More specifically, it will always be the case that \(r=h_{\mathsf {FS}}(\mathsf {MerkleCom}(h_\mathsf {CRHF},\pi '))\), where \(\mathsf {MerkleCom}\) simply computes a Merkle tree of the string \(\pi '\) using the hash function \(h_{\mathsf {CRHF}}\) and outputs its root. Thus, in order to facilitate the attack, we would like to design our \(\mathsf {PCIP}\) verifier to accept if it happens to be the case that \(r=h_{\mathsf {FS}}(\mathsf {MerkleCom}(h_\mathsf {CRHF},\pi '))\).

What may seem initially problematic is that it is unclear how the \(\mathsf {PCIP}\) verifier can know which \(\mathsf {CRHF}\) and \(\mathsf {FS}\) hash functions will be used in the \(\mathsf {FSKM}\) protocol. We handle this by simply letting the \(\mathsf {PCIP}\) prover specify these functions as part of \(\pi =(h_{\mathsf {CRHF}},h_{\mathsf {FS}})\). Thus, after sampling r, we would like for our \(\mathsf {PCIP}\) verifier to check that \(\pi = (h_\mathsf {CRHF},h_\mathsf {FS})\) such that \(r=h_{\mathsf {FS}}(\mathsf {MerkleCom}(h_\mathsf {CRHF},\pi '))\). Suppose for now that the \(\mathsf {PCIP}\) verifier does this explicitly (i.e., by reading all of \(\pi '\)). Observe that the \(\mathsf {PCIP}\) remains sound since r is chosen after the value \(h_{\mathsf {FS}}(\mathsf {MerkleCom}(h_\mathsf {CRHF},\pi '))\) is fully determined (and so the probability that r is equal to this value is exponentially vanishing).

On the other hand, we can now demonstrate an attack on the resulting \(\mathsf {FSKM}\) protocol. Consider a cheating \(\mathsf {FSKM}\) prover that works as follows. Recall that the \(\mathsf {FSKM}\) verifier gives the prover descriptions of a \(\mathsf {CRHF}\) \(h_\mathsf {CRHF}\) and an \(\mathsf {FS}\) hash function \(h_\mathsf {FS}\). The prover now sets \(\pi =(h_\mathsf {CRHF},h_\mathsf {FS})\) and continues as in the \(\mathsf {FSKM}\) protocol while using \(\pi '=(1,\pi )\) as the first \(\mathsf {PCIP}\) message. In more detail, it computes and sends a Merkle root \(\mathsf {MerkleCom}(h_\mathsf {CRHF},\pi ')\) to the verifier. By design, the prover and verifier now agree to use the “random” string \(r=h_{\mathsf {FS}}(\mathsf {MerkleCom}(h_\mathsf {CRHF},\pi '))\) which makes all of the verifier’s tests pass.

A final difficulty that we need to overcome is that the \(\mathsf {PCIP}\) verifier as described so far has linear query complexity since in case \(b=1\) it reads the entire message \(\pi \). We resolve this by replacing the explicit test done by the verifier with another round of interaction. In more detail, when \(b=1\), after receiving r, the prover is expected to send an additional \(\mathsf {PCP}\) proving that \(r=h_{FS}(\mathsf {MerkleCom}(h_\mathsf {CRHF},\pi '))\) holds. Actually, a standard \(\mathsf {PCP}\) will not suffice since a \(\mathsf {PCP}\) verifier reads its entire input (which in our case is the first \(\mathsf {PCIP}\) message \(\pi \)). Rather, we will use a \(\mathsf {PCP}\) of proximity (\(\mathsf {PCPP}\)) [BGH+06, DR06] which is a \(\mathsf {PCP}\) in which the verifier only reads a few bits of its input and is required to reject inputs that are far from the language. To make this approach work, the prover will actually send \(\pi \) encoded under an error-correcting code. We defer further details to the technical sections.

1.5 Organization

In Sect. 2 we give preliminaries. The proof of Theorem 1, via a construction of an \(\mathsf {FSKM}\)-Incompatible \(\mathsf {CRHF}\) is presented in Sect. 3. The proof of Theorem 2, via a construction of an \(\mathsf {FSKM}\)-Incompatible \(\mathsf {PCIP}\) is presented in Sect. 4. In the full version [BBH+19], we give a sound instantiation of the \(\mathsf {FSKM}\) protocol for a specific \(\mathsf {PCP}\) for the empty language, as well as a candidate construction of a \(\mathsf {SNARK}\) with computationally unique proofs.

2 Preliminaries

We let \(\lambda \) denote the security parameter. Let \([n] = \{1,\dots ,n\}\). Throughout, we will use \(\langle P \rangle \) to denote the description of a function/machine/program P. A function \(\epsilon (\lambda )\) is said to be negligible, if for every \(c \in \mathbb {N}\) it holds that \(\epsilon (\lambda ) = O(\lambda ^{-c})\).

We let \(\mathcal {H} = \{\mathcal {H}^{(\lambda )}\}_\lambda \), where \(\mathcal {H}^{(\lambda )} = \{h: \{0,1\}^{n(\lambda )} \rightarrow \{0,1\}^{m(\lambda )}\}_{h}\) denote a hash function ensemble, where hash functions \(h: \{0,1\}^{n(\lambda )} \rightarrow \{0,1\}^{m(\lambda )}\) are sampled as \(h \leftarrow \mathcal {H}^{(\lambda )}\).

The relative distance between strings \(x, y \in {\varSigma } ^\ell \) is \({\varDelta }(x,y) = |{\left\{ {i \mid x_i \ne y_i}\right\} }| / \ell \). The relative distance of a string \(x \in {\varSigma }^\ell \) from a (non-empty) set \(S \subseteq {\varSigma }^\ell \) is \({\varDelta }(x,S) = \underset{y \in S}{\min } \big ( {\varDelta } (x,y) \big )\).

2.1 Proof Systems

In this work we adhere to the convention in which all proof systems (as well as other cryptographic primitives) are relative to a security parameter \(\lambda \) (given in unary representation to all parties) and with soundness error that is negligible in \(\lambda \).

Argument Systems (aka Computationally Sound Proofs). The interaction between a prover \(\mathcal {P}\), on input x and security parameter \(1^\lambda \), and a verifier \(\mathcal {V}\), with input y and the same security parameter \(\lambda \), is denoted by \(\langle {\mathcal {P}(x, \lambda )}\leftrightarrow {\mathcal {V}(y, \lambda )}\rangle \) and includes a polynomial number of rounds in which each party sends the other a message. The interaction terminates when the verifier \(\mathcal {V}\) decides whether to accept or reject its input y. The result of the interaction is the bit \(b \in \{0,1\}\) returned by \(\mathcal {V}\) indicating whether it accepted, which is denoted by \(\langle {\mathcal {P}(x)}\leftrightarrow {\mathcal {V}(y)}\rangle \). If \(b = 1\), then we say that \(\mathcal {V}\) \(\textsf {accepts}\).

Definition 1 (Argument system)

An argument system for a language \(\mathcal {L} \in \mathsf {NP}\), with soundness error \(s : \mathbb {N} \rightarrow [0,1]\) is a pair of probabilistic polynomial-time algorithms \(\mathcal {P}\) and \(\mathcal {V}\) such that:

  1. 1.

    \(\mathbf {Completeness\!:}\) If \(x\in \mathcal {L}\) and w is a corresponding witness, then for every security parameter \(\lambda \) it holds that

    $$\Pr \big [\langle {\mathcal {P}(x, w, 1^\lambda )}\leftrightarrow {\mathcal {V}(x, 1^\lambda )}\rangle =1 \big ] = 1.$$
  2. 2.

    \(\mathbf {Computational\,\,soundness\!:}\) If \(x \notin \mathcal {L}\), then for all probabilistic polynomial-time malicious prover \(\mathcal {P}^*\) and all sufficiently large security parameters \(\lambda \), it holds that

    $$\Pr \big [\langle {\mathcal {P}^*(x, 1^\lambda )}\leftrightarrow {\mathcal {V}(x, 1^\lambda )}\rangle =1 \big ] \le s(\lambda ).$$

An argument system \((\mathcal {P},\mathcal {V})\) is said to be public-coin if all messages sent by the verifier \(\mathcal {V}\) are random-coin tosses, and \(\mathcal {V}\) does not toss any additional random coins.

Probabilistically Checkable Proofs \(\mathbf{(}{\mathbf {\mathsf{{PCP}}}}\)s) . Roughly speaking, a probabilistically checkable proof (\(\mathsf {PCP}\)) is an encoding of an \(\mathsf {NP}\) witness that can be verified by reading only a few of its bits. More formally:

Definition 2 (Probabilistically checkable proof)

A probabilistically checkable proof (\(\mathsf {PCP}\)) for a language \(\mathcal {L} \in \mathsf {NP}\) consists of a polynomial-time algorithm \(\mathcal {P}\), which receives a main input x and witness w, and a probabilistic polynomial-time oracle machine \(\mathcal {V}\), which receives x and a security parameter \(1^\lambda \) as explicit inputs, and oracle access to a proof \(\pi \). The \(\mathsf {PCP}\) has soundness-error \(s : \mathbb {N} \rightarrow [0,1]\) if:

  1. 1.

    \(\mathbf {Completeness\!:}\) If \(x \in \mathcal {L}\) and w is a corresponding witness, then for \(\pi = \mathcal {P}(x,w)\) and every \(\lambda \) holds that

    $$\underset{}{\Pr } \big [\mathcal {V}^{\pi }(x, 1^\lambda ) = 1 \big ] = 1.$$
  2. 2.

    \(\mathbf {Soundness\!:}\) If \(x \notin \mathcal {L}\), for every proof \(\pi ^*\) and security parameter \(\lambda \) it holds that

    $$\underset{}{\Pr } \big [ \mathcal {V}^{\pi ^*} (x, 1^\lambda ) = 1 \big ] < s(\lambda ) .$$

In order to query \(\pi \), the verifier \(\mathcal {V}\) tosses \(r = r(|x|, \lambda )\) random coins and generates \(q = q(|x|, \lambda )\) queries. It will often be convenient to view \(\mathcal {V}\) as two separate algorithms \((\mathcal {V}_0,\mathcal {V}_1)\). The first, \(\mathcal {V}_0(x;r)\), runs on the instance x and randomness r and outputs the set of queries \(\{q_i\}_i\) that \(\mathcal {V}\) makes to \(\pi \). The second algorithm, \(\mathcal {V}_1(\{b_i\}_i,x;r)\), takes the corresponding responses \(\{b_i\}_i\) as input (as well as the instance x and the same randomness r as \(\mathcal {V}_0\)), and decides whether to accept or reject.

The following celebrated theorem by [ALM+98] establishes the expressive power of \(\mathsf {PCP}\)s.

Theorem 1

(\(\mathsf {PCP}\) theorem). Every language \(\mathcal {L} \in \mathsf {NP}\) has a \(\mathsf {PCP}\) with soundness error \(\frac{1}{2}\), constant query complexity, and logarithmic randomness complexity.

Note that a \(\mathsf {PCP}\) with negligible soundness error can be easily obtained from Theorem 1 by having the verifier generate \(\mathsf {polylog}(\lambda )\) independent query sets.

Probabilistically Checkable Proofs of Proximity (\({\mathbf {\mathsf{{PCPP}}}}\)). In a standard \(\mathsf {PCP}\), the verifier is explicitly given the entire input x along with access to an oracle that encodes a “probabilistically checkable” witness. In contrast, in a \(\mathsf {PCP}\) of proximity \((\mathsf {PCPP}\)) [BGH+06, DR06] the goal is for the verifier to decide without even reading the entire input. Thus, the verifier is given oracle access to the input and we count the total number of queries to both the input and the proof.

Since the verifier cannot even read the entire input, the notion of soundness in \(\mathsf {PCPP}\) is relaxed: the verifier must only reject inputs that “far” from the language (i.e. where distance is measured in Hamming distance).

Following [BGH+06], we define \(\mathsf {PCPP}\)s with respect to pair-languages, which are simply a subset of \(\{0,1\}^* \times \{0,1\}^*\). The projection of a pair-language \(\mathcal {L}\) on x is \(\mathcal {L}(x) = {\left\{ {y \mid (x,y) \in \mathcal {L}}\right\} }\).

In our context, we view the first component x of a pair \((x,y) \in \mathcal {L}\) as an explicit input for the verifier whereas the second component, y, is an implicit input (i.e., the verifier only has oracle access to y). We count the total number of queries to the oracle y, as well as the proof string \(\pi \). The soundness requirement is that the verifier has to reject words in which the implicit input is far from the projection of \(\mathcal {L}\) onto x.

Definition 3

(\(\mathsf {PCPP}\)). A probabilistically checkable proof of proximity (\(\mathsf {PCPP}\)) for a pair-language \(\mathcal {L} \in \mathsf {NP}\) consists of a polynomial-time prover \(\mathcal {P}\) that gets as input a pair (xy) as well as a witness w, and a probabilistic polynomial-time oracle machine \(\mathcal {V}\) that receives x as an explicit input, oracle access to y and oracle access to a proof string \(\pi \). The verifier also receives (explicitly) a proximity parameter \(\delta >0\) and security parameter \(1^\lambda \). The \(\mathsf {PCPP}\) has soundness error \(s : \mathbb {N} \rightarrow [0,1]\) if for every proximity parameter \(\delta \in [0,1]\), security parameter \(\lambda >0\) and input (xy):

  1. 1.

    \(\mathbf {Completeness\!:}\) If \((x,y) \in \mathcal {L}\) and w is the corresponding witness, for \(\pi = \mathcal {P}((x,y),w)\) it holds that

    $$\begin{aligned} \underset{}{\Pr }[\mathcal {V}^{y, \pi }(x, |y|, |\pi |, 1^\lambda ,\delta ) = 1] = 1. \end{aligned}$$
  2. 2.

    \(\mathbf {Soundness\!:}\) If \({\varDelta }(y,\mathcal {L}(x)) > \delta \) and oracle \(\pi ^*\), it holds that

    $$\underset{}{\Pr }[\mathcal {V}^{y, \pi ^*}(x, |y|, |\pi ^*|, 1^\lambda ,\delta ) = 1] < s(\lambda ).$$

The verifier \(\mathcal {V}\) generates \(r = r(|x|, \lambda )\) random coins and makes \(q = q(|x|, \lambda )\) queries for both oracles. We omit the lengths of the implicit input y and the proof \(\pi \) from the input of the verifier when these are clear from the context.

Ben-Sasson et al. [BGH+05] give a construction of \(\mathsf {PCPP}\) for all of \(\mathsf {NP}\) (with a suitably efficient verifier).

Theorem 2

([BGH+05]). For every language \(\mathcal {L} \in \textsf {NTIME}(T)\) and every constant \(\delta \in [0,1]\), there exists a \(\mathsf {PCPP}\) for \(\mathcal {L}\) with respect to proximity parameter \(\delta \), soundness-error of \(\frac{1}{2}\) and proof length \(\mathsf {poly}(T)\). The verifier runs in time \(\mathsf {polylog}(T)\) and the prover runs in time \(\mathsf {poly}(T)\) (i.e., the \(\mathsf {PCPP}\) proof can be generated in time \(\mathsf {poly}(T)\) given the \(\mathsf {NP}\) witness).

Probabilistically Checkable Interactive Proofs. Probabilistically checkable interactive proofs (\(\mathsf {PCIP}\)s) [BCS16, RRR16b] (also known as interactive oracle proofs) are generalizations of both interactive proofs and \(\mathsf {PCP}\)s. They allow for multi-round interactions, in which the prover provides the verifier with oracle access to long proof strings, but we only count the number of bits that were actually queried by the verifier. In this work, we will only consider public-coin \(\mathsf {PCIP}\)s.

Definition 4

(Probabilistically checkable interactive proof). A probabilistically Checkable Interactive Proof (\(\mathsf {PCIP}\)) for a language \(\mathcal {L} \in \mathsf {NP}\) consists of a pair of interactive probabilistic machines \((\mathcal {P},\mathcal {V})\). The prover \(\mathcal {P}\) is a deterministic polynomial-time algorithm, which gets as input x a witness w and a security parameter \(\lambda \), and the verifier \(\mathcal {V}\) is a PPT algorithm, which gets as input x and \(\lambda \). The interaction consists of the following 3 phases:

  1. 1.

    \(\mathbf {Communication\,\,phase\!:}\) The two parties interact for \(k=k(|x|, \lambda )\) rounds, in which \(\mathcal {V}\) only sends random strings of total length \(r=r(|x|, \lambda )\) and \(\mathcal {P}\) sends proofs strings \(\pi _1,...,\pi _{k(|x|, \lambda )}\), where \(\pi _i\) is sent in the i-th round.

  2. 2.

    \(\mathbf {Query\,\,phase\!:}\) In which \(\mathcal {V}\) sends makes a total of \(q=q(|x|, \lambda )\) queries to the messages sent by \(\mathcal {P}\) in the communication phase.

  3. 3.

    \(\mathbf {Decision\,\,phase\!:}\) Based on its random messages in the communication phase, and the answers to its queries in the query phase, the verifier \(\mathcal {V}\) decides whether to accept or reject.

The \(\mathsf {PCIP}\) \((\mathcal {P},\mathcal {V})\) has soundness \(s:\mathbb {N} \rightarrow [0,1]\) if:

  1. 1.

    \(\mathbf {Completeness\!:}\) If \(x \in \mathcal {L}\) and w is the corresponding witness, then for every security parameter \(\lambda \) it holds that

  2. 2.

    \(\mathbf {Soundness\!:}\) If \(x \notin \mathcal {L}\), then \(\forall \mathcal {P}^*\) and security parameters \(\lambda \), it holds that

2.2 Kilian’s Protocol

Before describing Kilian’s protocol, we first recall the definition of collision resistant hash functions and Merkle trees.

\({\mathbf {\mathsf{{CRHF}}}}\) and Merkle Trees. An efficiently computable hash function ensemble \(\mathcal {H} = \{\mathcal {H}^{(\lambda )}\}_\lambda \) where \(\mathcal {H}^{(\lambda )} = \{h : {\left\{ {0,1}\right\} }^{2\lambda } \rightarrow {\left\{ {0,1}\right\} }^{\lambda } \}\) is collision resistant (\(\mathsf {CRHF}\)), if there exists a key generation algorithm \(\mathsf {Gen}\) that on input \(1^\lambda \) samples h from \(\mathcal {H}^{(\lambda )}\) such that for every PPT adversary \(\mathcal {A}\) it holds that

$$ \underset{\begin{array}{c} h \leftarrow \mathsf {Gen}(1^\lambda )\\ (x, x') \leftarrow \mathcal {A}(h) \end{array}}{\Pr }\left[ {h(x) = h(x') \wedge x \ne x'} \right] \le \mathsf {negl}(|\lambda |). $$

Remark 1

The above definition of \(\mathsf {CRHF}\) is sometimes referred to as a private-coin \(\mathsf {CRHF}\) [HR04] since security is not guaranteed if the adversary sees the coins used by \(\mathsf {Gen}\). Nevertheless, for sake of conciseness we will sometimes avoid mentioning \(\mathsf {Gen}\) explicitly and simply write \(h \leftarrow \mathcal {H}^{(\lambda )}\).

We will use the following syntax to describe Merkle tree commitments, which can be built from any \(\mathsf {CRHF}\) family \(\mathcal {H} = {\left\{ {\mathcal {H}^{(\lambda )}}\right\} }_{\lambda }\). For each of the following algorithms, the input hash function h is drawn uniformly at random from \(\mathcal {H}^{(\lambda )}\). For any \(d \ge 1\), a Merkle tree commitment allows us to commit to a message \(s \in \{0,1\}^m\) where . That is, we view s as \(2^d\) blocks of \(\lambda \) bits.

  • \(\mathsf {MerkleCom}(h, s \in \{0,1\}^m)\). Write s as \((\ell _1 \Vert \ell _2 \Vert \dots \Vert \ell _{2^d})\) where each \(\ell _j \in \{0,1\}^\lambda \). Build a binary tree of hash evaluations, starting from the \(2^d\) leaves \((\ell _1 \Vert \ell _2 \Vert \dots \Vert \ell _{2^d})\). Output the root \(\mathsf {com} \in \{0,1\}^\lambda \) of the resulting tree.

A commitment to s can be locally opened to the reveal the bits in the ith block by revealing the siblings along the root-to-ith-leaf path:

  • \(\mathsf {MerkleOpen}(h, s \in \{0,1\}^m, i \in [2^d])\). Write s as \((\ell _1 \Vert \ell _2 \Vert \dots \Vert \ell _{2^d})\) where each \(\ell _j \in \{0,1\}^\lambda \). Determine the path from \(\ell _i\) to the root in the tree of hash evaluations under h, denoted \(\{\widehat{c}_j\}_{j \in [d]}\) where \(\widehat{c}_d = \ell _i\). For each \(i \in [d]\), determine the sibling \(\mathsf {sib}_i\) of \(\widehat{c}_i\). Output \(\mathsf {open} = \{(\widehat{c}_i,\mathsf {sib}_i,p_i)\}_{i \in [d]}\) where \(p_i \in \{\mathsf {left},\mathsf {right}\}\) denotes whether \(\mathsf {sib}_i\) is a left or right sibling of \(\widehat{c}_i\). For \(I \subseteq [2^d]\) we define \(\mathsf {MerkleOpen}(h, s \in \{0,1\}^m, I)\) as \((\mathsf {MerkleOpen}(h, s \in \{0,1\}^m, i))_{i \in I}\).

These openings can easily be verified by verifying the hash computations with h:

  • \(\mathsf {MerkleVer}(h,\mathsf {com},\mathsf {open})\) first writes \(\mathsf {open}\) as \(\{(\widehat{c}_i,\mathsf {sib}_i,p_i)\}_{i \in [d]}\). Let \(\widehat{c}_0 = \mathsf {com}\). For each \(i \in [d]\), check that \(h(\mathsf {sib}_i \Vert \widehat{c}_i) = \widehat{c}_{i-1}\) if \(p_i = \mathsf {left}\) or that \(h(\widehat{c}_i \Vert \mathsf {sib}_i) = \widehat{c}_{i-1}\) if \(p_i = \mathsf {right}\). Output 1 (accept) if all checks pass, otherwise output 0.

Kilian’s Protocol.

While Kilian’s original protocol relied on \(\mathsf {PCP}\)s, a natural generalization to \(\mathsf {PCIP}\)s was suggested by Ben-Sasson et al. [BCS16]. This extension proceeds by having the prover repeatedly commit to each of its oracles (rather than sending the entire oracle). At the end of the interaction, the verifier can specify which locations to open and the prover can use the Merkle tree structure to succinctly decommit to these specific locations.

Fig. 1.
figure 1

Kilian’s protocol

Full size image

Construction 3

Let \((\mathcal {P},\mathcal {V})\) be a public-coin k-round \(\mathsf {PCIP}\) for \(\mathcal {L} \in \mathsf {NP}\). Consider the following argument system for \(\mathcal {L}\), denoted by \((\mathcal {P}',\mathcal {V}') = \mathsf {Kilian}[(\mathcal {P},\mathcal {V}),\mathcal {H}]\), as described in Fig. 1, w.r.t. a \(\mathsf {CRHF}\) \(\mathcal {H}\).

Theorem 4 (Kilian’s protocol)

If (PV) is a \(\mathsf {PCIP}\) and \(\mathcal {H}\) is a \(\mathsf {CRHF}\) family, then Construction 3 is a computationally sound argument system with negligible soundness error, communication complexity \(\mathsf {poly}(\lambda , \mathsf {log}|x|)\). The verifier runs in time \(O(|x| \cdot \mathsf {poly}(\lambda , \mathsf {log} |x|))\) and the prover runs in time \(\mathsf {poly}(|x|,|w|,\lambda )\).

Completeness follows from the correctness of the Merkle tree commitment scheme and the completeness of the \(\mathsf {PCIP}\) for \(\mathcal {L}\).

Soundness follows from the binding property of the commitment scheme and the soundness of the \(\mathsf {PCP}\). Note that the soundness of the \(\mathsf {PCIP}\) was not enough on its own, as without committing to the \(\mathsf {PCIP}\) proof strings, the prover could have engineered proof strings to make the verifier accept according to its queries.

2.3 Fiat-Shamir

The Fiat-Shamir Heuristic.

The Fiat-Shamir heuristic [FS86] is a method for reducing the number of rounds in public-coin interactive proofs. Loosely speaking, the idea is that instead of having the verifier send their random coins, the prover uses a hash function in order to generate the verifier’s randomness.

Definition 5 (Fiat-Shamir transform)

Let \(\mathcal {H}_\mathsf {FS} \!=\! {\left\{ {\mathcal {H}_{\mathsf {FS}}^{(\lambda )}: {\left\{ {0,1}\right\} }^*}{\!\!\rightarrow \!\! {\left\{ {0,1}\right\} }^*}\right\} }_{\lambda \in \mathbb {N}}\) be a hash-function ensemble, \({\varPi } = (\mathcal {P},\mathcal {V})\) be a public-coin protocol, and

$$(\alpha _1, \beta _1, ..., \alpha _m, \beta _m)$$

be the set of exchanged messages between \((\mathcal {P},\mathcal {V})\), where \({\left\{ {\alpha _i}\right\} }_{i=1}^m\) are messages sent by the prover and \({\left\{ {\beta _i}\right\} }_{i=1}^m\) the messages sent by the verifier. The Fiat-Shamir transform of \({\varPi }\), denoted by \((\mathcal {P}_{\mathsf {FS}}, \mathcal {V}_{\mathsf {FS}}) = \mathsf {FS}[{\varPi },\mathcal {H}_\mathsf {FS}]\) is defined in Fig. 2.

Fig. 2.
figure 2

The Fiat-Shamir transform.

Full size image

The \({\mathbf {\mathsf{{FSKM}}}}\) Protocol. The \(\mathsf {FSKM}\) protocol is obtained by applying the Fiat-Shamir transform to Kilian’s protocol (or rather to its extension to \(\mathsf {PCIP}\)s), to create succinct non-interactive argument systems for \(\mathsf {NP}\).

Recall that the \(\mathsf {FSKM}\) protocol emulates \(\mathsf {Kilian}\)’s protocol, and replaces the verifier’s randomness with the application of a \(\mathsf {FS}\) hash function on the transcript thus far. Regardless of whether it is applied on a \(\mathsf {PCP}\) or \(\mathsf {PCIP}\), the \(\mathsf {FSKM}\) protocol is a two-round argument system.

Definition 6

(\(\mathsf {FSKM}\) Protocol). Given a \(\mathsf {PCIP}\) \({\varPi }\), a \(\mathsf {CRHF}\) ensemble \(\mathcal {H}_{\mathsf {CRHF}}\), and \(\mathsf {FS}\) hash function ensemble \(\mathcal {H}_{\mathsf {FS}}\), we define

$$ \mathsf {FSKM}[{\varPi }, \mathcal {H}_{\mathsf {CRHF}}, \mathcal {H}_{\mathsf {FS}}] \triangleq \mathsf {FS}\left[ \mathsf {Kilian}\big [{\varPi }, \mathcal {H}_{\mathsf {CRHF}} \big ], \mathcal {H}_{\mathsf {FS}} \right] .$$

3 An \(\mathsf {FSKM}\)-Incompatible \(\mathsf {CRHF}\)

In this section, we obtain our first main result by constructing a specific \(\mathsf {CRHF}\) family \(\widetilde{\mathcal {H}}_\mathsf {CRHF}\), for which, loosely speaking, \(\mathsf {FSKM}\) is not sound. Our \(\mathsf {CRHF}\) will make use of a publicly-verifiable succinct non-interactive argument of knowledge (\(\mathsf {pv\text {-}SNARK}\)) with an additional “unique proofs” property that we formalize in Sect. 3.1. For completeness, we start by providing some background on \(\mathsf {SNARK}\)s.

3.1 Background on \(\mathsf {SNARK}\)s

We first define the universal relation [BG08] relative to random-access machines.

Definition 7 (Universal Relation)

The universal relation is the set \(\mathcal {R}_{\mathcal {U}}\) of instance-witness pairs \((y,w) = \Big ( \big ( \langle M\rangle ,x,t \big ),w\Big )\), where \(|y|,|w| \le t\) and \(\langle M \rangle \) is the description of a random-access machine M, such that M accepts (xw) after at most t steps. We denote by \(\mathcal {L}_{\mathcal {U}}\) the universal language corresponding to \(\mathcal {R}_{\mathcal {U}}\).

We next define publicly-verifiable succinct non-interactive arguments of knowledge (\(\mathsf {pv\text {-}SNARK}\)s), following [BCCT13]. The following definition is taken verbatim from Bitansky et al. [BCCT13], and for more in-depth discussion on SNARKs we refer the reader to [BCCT13].

Definition 8

(\(\mathsf {pv\text {-}SNARK}\)s). A triple of algorithms \((\mathcal {G},\mathcal {P},\mathcal {V})\), where \(\mathcal {G}\) is probabilistic and \(\mathcal {V}\) is deterministic, is a fully-succinct \(\mathsf {pv\text {-}SNARK}\) if the following conditions are satisfied:

  • \(\mathbf {Completeness\!:}\) For every large enough security parameter \(\lambda \in \mathbb {N}\), every time bound \(B \in \mathbb {N}\), and every instance-witness pair \((y,w) = \left( ({\langle M\rangle },x,t),w\right) \in \mathcal {R}_{\mathcal {U}}\) with \(t \le B\),

    $$\begin{aligned} \Pr \left[ \mathcal {V}(\mathsf {crs},y,\pi )=1 : \begin{array}{r}\mathsf {crs}\leftarrow \mathcal {G}(1^\lambda ,B) \\ \pi \leftarrow \mathcal {P}(\mathsf {crs},y,w)\end{array}\right] =1. \end{aligned}$$

  • \(\mathbf {Adaptive\,\,Proof\,\,of\,\,Knowledge\!:}\) For every polynomial-sized prover \(\mathcal {P}^*\) there exists a polynomial-sized extractor \(\mathcal {E}_{\mathcal {P}^*}\) such that for every auxiliary input \(z \in \{0,1\}^{\mathsf {poly}(\lambda )}\), every time bound \(B \in \mathbb {N}\),

    $$\begin{aligned} \Pr \left[ \begin{array}{c}\mathcal {V}(\mathsf {crs},y,\pi )=1 \\ (y,w) \notin \mathcal {R}_{\mathcal {U}} \end{array} : \begin{array}{r}\mathsf {crs} \leftarrow \mathcal {G}(1^\lambda ,B) \\ (y,\pi ) \leftarrow \mathcal {P}^*(z,\mathsf {crs}) \\ w \leftarrow \mathcal {E}_{\mathcal {P}^*}(z,\mathsf {crs})\end{array}\right] \le \mathsf {negl}(\lambda ), \end{aligned}$$

  • \(\mathbf {Efficiency\!:}\) There exists a universal polynomial p such that for every large enough security parameter \(\lambda \in \mathbb {N}\), and \(t \le \lambda ^{\log (\lambda )}\),

    • the generator \(\mathcal {G}(1^\lambda )\) runs in time \(p(\lambda )\),

    • the prover \(\mathcal {P}(\mathsf {crs},y,w)\) runs in time \(p(\lambda + |M| + |x| + t)\),

    • the verifier \(\mathcal {V}(\mathsf {crs},y,\pi )\) runs in time \(p(\lambda +|M|+|x|)\),

    • and an honestly generated proof has size \(p(\lambda )\).

Computationally Unique \({\mathbf {\mathsf{{SNARK}}}}\varvec{.}\) In this work we introduce a new security property of \(\mathsf {SNARK}\)s which we refer to as computationally unique proofs (which can be thought of as a particular computational variant of unambiguous proofs [RRR16a]). The requirement here is that if a computationally bounded prover \(\mathcal {P}\) can generate two valid proofs \(\pi _1 \ne \pi _2\) for the same instance y, it must be possible to extract from \(\mathcal {P}\) two distinct witnesses \(w_1 \ne w_2\) for y.

Definition 9

(\(\mathsf {SNARK}\)s with computationally unique proofs). A \(\mathsf {SNARK}\) with computationally unique proofs is defined as in Definition 8, but with one additional requirement:

  • \(\mathbf {Computationally\,\,Unique\,\,Proofs\!:}\) For every polynomial-sized adversary \(\mathcal {A}^*\), there exists a polynomial-sized “extractor” \(\mathcal {E}_{\mathcal {A}^{*}}\) such that for every auxiliary input \(z \in \{0,1\}^{\mathsf {poly}(k)}\), every time bound \(B \in \mathbb {N}\),

    $$\begin{aligned} \Pr \left[ \begin{array}{c}\mathcal {V}(\mathsf {crs},y,\pi _1)=1 \\ \mathcal {V}(\mathsf {crs},y,\pi _2)=1\\ \pi _1 \ne \pi _2 \\ (y,w_1) \notin \mathcal {R}_{\mathcal {U}} \vee (y,w_2) \notin \mathcal {R}_{\mathcal {U}} \\ \vee w_1=w_2\end{array} : \begin{array}{r}\mathsf {crs} \leftarrow \mathcal {G}(1^\lambda ,B) \\ (y,\pi _1,\pi _2) \leftarrow \mathcal {A}^*(z,\mathsf {crs}) \\ (w_1,w_2) \leftarrow \mathcal {E}_{\mathcal {A}^*}(z,\mathsf {crs})\end{array}\right] \le \mathsf {negl}(\lambda ). \end{aligned}$$

In the full version [BBH+19], we prove that a preprocessing \(\mathsf {pv\text {-}SNARK}\) constructed in Bitansky et al. [BCI+13] from a knowledge of exponent assumption satisfies our notion of computationally unique proofs. We then show that the generic transformation of [BCCT13] from a preprocessing \(\mathsf {pv\text {-}SNARK}\) to fully-succinct \(\mathsf {pv\text {-}SNARK}\) maintains the computationally unique proofs property. Thus, we obtain a fully-succinct \(\mathsf {pv\text {-}SNARK}\) with computationally unique proofs from a knowledge of exponent assumption (and additionally the existence of exponentially-secure one-way functions to address a subtlety in the definition of adaptive proof of knowledge).

3.2 An \(\mathsf {FSKM}\)-Incompatible \(\mathsf {CRHF}\)

To formally state our result, we first define a trivial \(\mathsf {PCP}\)-based 2-message protocol—a protocol that, intuitively, should not be sound. Jumping ahead, at a high level, our main result shows that there exists a collision-resistant hash family \(\widetilde{\mathcal {H}}_\mathsf {CRHF}\) such that for any \({\varPi }_\mathsf {PCP}\) and any \(\mathcal {H}_\mathsf {FS}\), the corresponding \(\mathsf {FSKM}\) protocol is no more secure than the corresponding trivial protocol.

The first message of the trivial protocol will be a random string r drawn from some distribution \(\mathcal {S}\), which will serve as \(\mathcal {V}_\mathsf {PCP}\)’s randomness. The prover takes r as input and outputs a \(\mathsf {PCP}\) proof \(\pi \) that will be then verified by \(\mathcal {V}_\mathsf {PCP}\) using randomness r. Intuitively, since a cheating prover is aware of the verifier’s randomness, it can answer queries adaptively, so we do not expect the trivial protocol to be sound.

Suppose we have some \(\mathsf {PCP}\) \({\varPi }_\mathsf {PCP} = (\mathcal {P}_\mathsf {PCP},\mathcal {V}_\mathsf {PCP})\). It will be convenient for us to split the verifier \(\mathcal {V}_\mathsf {PCP}\) into two algorithms: \(\mathcal {V}^{(0)}_\mathsf {PCP}\) (which outputs the set of query locations) and \(\mathcal {V}^{(1)}_\mathsf {PCP}\) (which decides whether or not to accept after seeing the prover responses).

Construction 5

(Trivial Protocol). Let \(\mathsf {Trivial}[{\varPi }_\mathsf {PCP},\mathcal {S}] = (\mathcal {P}_{\mathsf {Trivial}}, \mathcal {V}_{\mathsf {Trivial}})\) be the following 2-message protocol, for some \(\mathsf {PCP}\) \({\varPi }_\mathsf {PCP} = (\mathcal {P}_{\mathsf {PCP}}, \mathcal {V}^{(0)}_{\mathsf {PCP}}, \mathcal {V}^{(1)}_\mathsf {PCP})\) for a language \(\mathcal {L}\), and some sampling algorithm \(\mathcal {S}\). The verifier \(\mathcal {V}_{\mathsf {Trivial}}\) generates a random string r from \(\mathcal {S}\) and sends r to the prover. The prover \(\mathcal {P}_{\mathsf {Trivial}}\), on input (xwr) for \(x \in \mathcal {L}\) runs \(\mathcal {V}^{(0)}_\mathsf {PCP}(x;r)\) to obtain a set of query locations \(\{q_i\}_i\). \(\mathcal {P}_{\mathsf {Trivial}}\) then computes \(b_i \leftarrow \mathcal {P}_{\mathsf {PCP}}(x, w, q_i)\) for each i and sends \(\{b_i\}\) to the verifier \(\mathcal {V}_{\mathsf {Trivial}}\). The verifier \(\mathcal {V}_{\mathsf {Trivial}}\) computes \(\mathcal {V}^{(0)}_\mathsf {PCP}(x;r) = \{q_i\}_i\) and accepts if and only if \(\mathcal {V}^{(1)}_\mathsf {PCP} \big (x,\{(q_i,b_i)\}_i; r \big )\) accepts.

In what follows, we will sometimes view \(\mathcal {S}\) as an algorithm that explicitly takes its randomness u as input, and outputs \(r = \mathcal {S}(u)\).

For non-contrived choices of a \(\mathsf {PCP}\) and sampling algorithm we do not expect Construction 5 to be sound. For example, consider Håstad’s \(\mathsf {PCP}\) [Hås01] in which the verifier queries 3 bits of the proof and checks whether their parity is some known fixed value b. Soundness of the trivial protocol can now be violated by having the prover send the answers (0, 0, b).Footnote 4

Recall (see Line 3) that \(\mathsf {FSKM}[{\varPi }_\mathsf {PCP},\mathcal {H}_\mathsf {CRHF},\mathcal {H}_\mathsf {FS}]\) denotes the 2-message argument that results from applying the Fiat-Shamir transform with hash function ensemble \(\mathcal {H}_\mathsf {FS}\) to \(\mathsf {Kilian}[{\varPi }_\mathsf {PCP},\mathcal {H}_\mathsf {CRHF}]\).

The main theorem of this section is the following.

Theorem 6

Assume the existence of a fully-succinct \(\mathsf {pv\text {-}SNARK}\) with computationally unique proofs, where honestly generated proofs have size at most \(p(\lambda )\), and collision resistant hash functions. Define . Then, there exists a collision resistant hash family \(\widetilde{\mathcal {H}}_\mathsf {CRHF} = \left\{ \widetilde{\mathcal {H}}_\mathsf {CRHF}^{(\lambda )}: \{0,1\}^{2m} \rightarrow \{0,1\}^{m}\right\} _{\lambda \in \mathbb {N}}\) such that for any \(\mathsf {PCP}\) \({\varPi }_\mathsf {PCP} = (\mathcal {P}_\mathsf {PCP}, \mathcal {V}_\mathsf {PCP})\) with proof length at most \(2^{\lambda }\), and any hash function ensemble \(\mathcal {H}_\mathsf {FS}\), if \(\mathsf {FSKM}[{\varPi }_\mathsf {PCP},\widetilde{\mathcal {H}}_\mathsf {CRHF},\mathcal {H}_\mathsf {FS}]\) is computationally sound, then \(\mathsf {Trivial}[{\varPi }_\mathsf {PCP},\mathcal {H}_\mathsf {FS}]\) is computationally sound.

We believe that for natural choices of \(\mathsf {PCP}\)s, the trivial protocol will not be sound which, by Theorem 6, means that the corresponding \(\mathsf {FSKM}\) protocol is not sound. However, actually proving that the trivial protocol is not sound seems to be difficult in case the sampling algorithm generates a peculiar distribution of random strings.Footnote 5

Nevertheless, we can exhibit a specific (trivial) \(\mathsf {PCP}\) for which the trivial protocol is provably not sound. The immediate implication is that for every \(\mathsf {FS}\) hash function, there exists a \(\mathsf {PCP}\) and a bounded size \(\mathsf {CRHF}\) for which soundness of the corresponding \(\mathsf {FSKM}\) is violated. This is formalized in the following corollary.

Corollary 1

Assume the existence of a fully-succinct \(\mathsf {pv\text {-}SNARK}\) with computationally unique proofs. There exists a language \(\mathcal {L} \in \mathsf {NP}\), a \(\mathsf {PCP}\) for \(\mathcal {L}\) (with \(\mathsf {polylog}(\lambda )\) query complexity) and a fixed polynomial \(p(\cdot )\) such that for all efficiently computable hash function ensembles \(\mathcal {H}_\mathsf {FS}\), there exists a \(\mathsf {CRHF}\) ensemble \(\mathcal {H}_\mathsf {CRHF}= \left\{ \mathcal {H}^{(\lambda )}_\mathsf {CRHF}: \{0,1\}^{2s(\lambda )} \rightarrow \{0,1\}^{s(\lambda )}\right\} _{\lambda \in \mathbb {N}}\) with \(s(\lambda ) \le p(\lambda )\), such that \(\mathsf {FSKM}[{\varPi }_\mathsf {PCP},\mathcal {H}_\mathsf {CRHF},\mathcal {H}_\mathsf {FS}]\) is not sound.

We first prove Corollary 1 and then go back to the main part—proving Theorem 6.

Proof of Corollary

1. We exhibit a contrived \(\mathsf {PCP}\) \({\varPi }_\emptyset \) for the empty language for which the statement holds. Specifically, consider a \(\mathsf {PCP}\) verifier that samples at random \(r \in \{0,1\}^{\log ^2(\lambda )}\) and checks whether the \(\log ^2(\lambda )\)-long prefix of the proof is exactly equal to r (by making \(\log ^2(\lambda )\) queries).

Completeness holds vacuously, and this \(\mathsf {PCP}\) is sound since the proof must be specified before r was sampled. However, the protocol \(\mathsf {Trivial}[{\varPi }_\emptyset ,\mathcal {H}_\mathsf {FS}]\) for any sampler \(\mathcal {H}_\mathsf {FS}\) is clearly not sound, since the cheating prover receives the verifier randomness r as input and simply returns r as its proof.    \(\square \)

In the full version [BBH+19], we actually give a secure instantiation of \(\mathsf {FSKM}\) for a variant of the \(\mathsf {PCP}\) \({\varPi }_{\emptyset }\) that was used to prove Corollary 2. This does not contradict our impossibility, which only rules out security of \(\mathsf {FSKM}\) with a generic \(\mathsf {CRHF}\). In particular, our instantiation requires the collision-resistant hash function to also be somewhere statistically binding [HW15a]. Unfortunately, we do not know how to instantiate the \(\mathsf {FSKM}\) protocol to construct an argument scheme for a non-trivial language.

The remainder of this section will be devoted to a proof of Theorem 6. As described in Sect. 1.4, our strategy centers on a carefully-designed hash function family \(\widetilde{\mathcal {H}}_\mathsf {CRHF}\), built using two \(\mathsf {CRHF}\)s and a fully-succinct \(\mathsf {pv\text {-}SNARK}\) with computationally unique proofs (Definition 9). The result then follows immediately from combining Lemma 1, which states that \(\widetilde{\mathcal {H}}_\mathsf {CRHF}\) is a \(\mathsf {CRHF}\) family, and Lemma 2, which establishes the soundness implication.

3.3 \(\mathsf {CRHF}\) Construction

Throughout this construction we will use the notation from the statement of Theorem 6; recall that \(p(\lambda )\) is a bound on the proof size of our \(\mathsf {pv\text {-}SNARK}\), , and \(c>0\) is an arbitrary constant independent of \(p(\lambda )\).

We prove Theorem 6 by carefully constructing a \(\mathsf {CRHF}\) family \(\widetilde{\mathcal {H}}_\mathsf {CRHF} = \{ \widetilde{\mathcal {H}}_\mathsf {CRHF}^{(\lambda )} : \{0,1\}^{2m} \rightarrow \{0,1\}^m \}_{\lambda \in \mathbb {N}}\). Our construction requires the following:

  • A fully-succinct \(\mathsf {pv\text {-}SNARK}\) \(\mathcal {S} = (\mathcal {G},\mathcal {P},\mathcal {V})\) with computationally unique proofs (Definition 9), where honestly generated proofs have size exactly \(p(\lambda )\) (assume that shorter proofs are appropriately padded with zeros).

  • A \(\mathsf {CRHF}\) family \(\mathcal {H}_\mathsf {rt} = \{\mathcal {H}_ \mathsf {rt}^{(\lambda )}:\{0,1\}^{*} \rightarrow \{0,1\}^{m/2-\lambda -\log (\lambda )-2}\}_{\lambda \in \mathbb {N}}\).

  • A \(\mathsf {CRHF}\) family \(\mathcal {H}_\mathsf {tree} = \{\mathcal {H}_\mathsf {tree}^{(\lambda )}:\{0,1\}^{2m} \rightarrow \{0,1\}^{m-2}\}_{\lambda \in \mathbb {N}}\).

3.4 \(\mathsf {CRHF}\) Key Generation

We sample a hash function \(\widetilde{h}_\mathsf {CRHF} \leftarrow \widetilde{\mathcal {H}}_\mathsf {CRHF}^{(\lambda )}\) as follows.

  1. 1.

    Sample uniformly random \(\$_{\mathsf {rt}} \leftarrow \{0,1\}^m\).

    • Let \(\mathsf {pre}_\mathsf {rt}\) denote the first two bits of \(\$_\mathsf {rt}\).

    • Define and .

  2. 2.

    Sample uniformly random \(\$_\mathsf {path} \leftarrow \{0,1\}^\lambda \).

  3. 3.

    Sample \(h_{\mathsf {rt}} \leftarrow \mathcal {H}_\mathsf {rt}^{(\lambda )}\) and \(h_\mathsf {tree} \leftarrow \mathcal {H}_\mathsf {tree}^{(\lambda )}\).

  4. 4.

    Define \(h'_\mathsf {tree}: \{0,1\}^{2m} \rightarrow \{0,1\}^m\) such that \(h'_\mathsf {tree}(x) = (\mathsf {pre}_\mathsf {tree} \Vert h_\mathsf {tree}(x))\).

  5. 5.

    Sample \(\mathsf {crs} \leftarrow \mathcal {G}(1^{\lambda })\).

  6. 6.

    For each \(j \in [\lambda ]\), compute \(\mathsf {com}^{(\mathsf {zero})}_j = \mathsf {MerkleCom}(h'_\mathsf {tree},0^{m\cdot 2^j})\).

  7. 7.

    Output

    $$\begin{aligned} (\$_\mathsf {rt},\$_\mathsf {path},\mathsf {pre}_\mathsf {tree},\mathsf {pre}_\mathsf {path},h_\mathsf {rt},h'_\mathsf {tree},\mathsf {crs},\{\mathsf {com}_{j}^{(\mathsf {zero})}\}_{j \in [\lambda ]}), \end{aligned}$$

    as the description (hash key) of \(\widetilde{h}_\mathsf {CRHF}\).

\(\mathsf {CRHF}\) Evaluation. Before we describe how to compute \(\widetilde{h}_\mathsf {CRHF}(x)\), we need to introduce some specialized notation and definitions.

Notation. We will assume without loss of generality that \(m=2^{m'}\) is a power of 2, and that the PCP \({\varPi }_\mathsf {PCP}\) in fact has proof length bounded by \(2^{\lambda }-m\). Throughout, \(\{(q_i,b_i)\}_i\) will denote a set of (index, bit) pairs (representing PCP query/response pairs) where for each i, \(q_i \in [2^{\lambda }-m]\) and \(b_i \in \{0,1\}\). We assume without loss of generality that no index appears more than once.

For any set \(\{(q_i,b_i)\}_i\) satisfying these conditions, we let \(\pi ^{\{(q_i,b_i)\}_i}\) denote the length \(2^{\lambda } - m\) bitstring defined bit-wise for each \(j \in [2^{\lambda }-m]\) as:

In other words, \(\pi ^{\{(q_i,b_i)\}_i}\) is a PCP proof string that consists of the responses in \(\{(q_i,b_i)\}_i\) and 0s everywhere else.

We divide \(\pi ^{\{(q_i,b_i)\}_i}\) into \(2^{\lambda -m'}-1\) words \(\ell _k\) of \(m=2^{m'}\) bits each, i.e. \(\pi ^{\{(q_i,b_i)\}_i} = (\ell _1 \Vert \ell _2 \Vert \dots \Vert \ell _{2^{\lambda -m'} - 1})\), where each word \(\ell _k\) is in \(\{0,1\}^m\). Next, group the words as follows. The first \(2^{\lambda -m'-1}\) words will form the first block \(L_1\), the next \(2^{\lambda -m'-2}\) words will form the second block \(L_2\), and so on until the last block only consists of only 1 word. We can now write \(\pi ^{\{(q_i,b_i)\}_i}\) as

where the jth block \(L_j\) is exactly twice the length of the \((j+1)\)th block \(L_{j+1}\).

We define the helper functions t(q) and s(q) for any \(q \in [2^{\lambda }-m]\) so that the qth bit in \(\pi ^{\{(q_i,b_i)\}_i}\) is the t(q)th bit in block \(L_{s(q)}\).

Now define

  • , and

  • .

Note that given \(\{\mathsf {com}_{j}^{(\mathsf {zero})}\}_{j \in [\lambda ]}\), if \(|\{(q_i,b_i)\}_i| = \mathsf {poly}(\lambda )\), it is easy to compute \(\mathsf {block}\text {-}\mathsf {com}(h'_\mathsf {tree}, \{(q_i,b_i)\}_i,j)\) and \(\mathsf {block}\text {-}\mathsf {open}(h'_\mathsf {tree}, \{(q_i,b_i)\}_i,i)\) in time \(\mathsf {poly}(\lambda )\).

Language.

We also define a language \(\mathcal {L}_{\$_\mathsf {rt},h_\mathsf {rt},h'_\mathsf {tree}}\) based on \(\$_\mathsf {rt}, h_\mathsf {rt}\), and \(h'_\mathsf {tree}\) (all given in the \(\mathsf {CRHF}\) description \(\widetilde{h}_\mathsf {CRHF}\)). Throughout, we use \(\mathsf {bit}_\lambda (j)\) to denote the \(\log (\lambda )\)-bit binary representation of an integer j.

\(\mathcal {L}_{\$_\mathsf {rt},h_\mathsf {rt},h'_\mathsf {tree}}\) will be defined by relation \(\mathcal {R}_{\$_\mathsf {rt},h_\mathsf {rt},h'_\mathsf {tree}}\), which consists of all (instance, witness) pairs of the form

$$\begin{aligned} \Big ( (\alpha \Vert \mathsf {bit}_\lambda (j) \Vert \mathsf {sib}), (\langle h_\mathsf {FS}\rangle \Vert \langle \mathcal {A}_{\mathsf {Trivial}} \rangle \Vert \langle \mathcal {V}_\mathsf {PCP}\rangle )\Big ), \end{aligned}$$

which satisfy all of the following conditions:

  1. 1.

    \(\langle h_\mathsf {FS}\rangle \) and \(\langle \mathcal {A}_{\mathsf {Trivial}}\rangle \) can be parsed as descriptions of the (deterministic) circuits \(h_\mathsf {FS}\) and \(\mathcal {A}_{\mathsf {Trivial}}\). When used in the proof of Lemma 1, \(h_\mathsf {FS}\) will correspond to the Fiat-Shamir hash function \(h_\mathsf {FS} \leftarrow \mathcal {H}_\mathsf {FS}\), and \(\mathcal {A}_{\mathsf {Trivial}}\) will correspond to the adversary breaking the soundness of \(\mathsf {Trivial}[{\varPi }_\mathsf {PCP},\mathcal {H}_\mathsf {FS}]\).

  2. 2.

    \(\langle \mathcal {V}_\mathsf {PCP}\rangle \) can be parsed as the description of a two-part \(\mathsf {PCP}\) verifier \( \mathcal {V}^{(0)}_\mathsf {PCP},\mathcal {V}^{(1)}_\mathsf {PCP}\), where \(\mathcal {V}^{(0)}_\mathsf {PCP}\) outputs a set of query locations, and \(\mathcal {V}^{(1)}_\mathsf {PCP}\) takes the query responses and outputs a bit indicating accept/reject (see the discussion in Sect. 2.1).

  3. 3.

    \(\alpha = h_\mathsf {rt}\big (\langle h_\mathsf {FS}\rangle \Vert \langle \mathcal {A}_{\mathsf {Trivial}} \rangle \Vert \langle \mathcal {V}_\mathsf {PCP}\rangle \big )\).

  4. 4.

    \(\mathsf {sib} = \mathsf {block}\text {-}\mathsf {com}(h'_\mathsf {tree},\{(q_i,b_i)\}_i, j)\) where j is the integer represented by \(\mathsf {bit}_{\lambda }(j)\), and for

    \(\{(q_i,b_i)\}_i\) satisfies the requirements

    • \(\mathcal {A}_{\mathsf {Trivial}}\big (r) = x,\{b_i\}_i\),

    • \(\mathcal {V}^{(0)}_\mathsf {PCP}(x;r)=\{q_i\}_i\),

    • \(\mathcal {V}^{(1)}_\mathsf {PCP}(x,\{b_i\}_i;r)=1\).

Since \(\alpha \) is the result of applying the \(\mathsf {CRHF}\) \(h_{\mathsf {rt}}\) to the witness, which is \(\langle h_{FS} \rangle \Vert \langle \mathcal {A}_\mathsf {Trivial}\rangle \Vert \langle \mathcal {V}_\mathsf {PCP} \rangle \), an efficient adversary will only be able to find a single witness corresponding to any given \(\alpha \). The string \(\alpha \) fully determines \(\mathsf {rt}\) and r, which also determines \(\{(q_i,b_i)\}_i\) (where \(\{q_i\}\) is the set of \(\mathsf {PCP}\) indices that \(\mathcal {V}_\mathsf {PCP}\) would check when running on randomness r, and \(\{b_i\}_i\) are the \(\mathsf {PCP}\) responses output by \(\mathcal {A}_\mathsf {Trivial}\) which cause \(\mathcal {V}_\mathsf {PCP}\) to accept). This specifies a unique “cheating” \(\mathsf {PCP}\) proof string consisting of 0’s in almost every position, except with \(b_i\)’s in indices corresponding to the \(q_i\)’s. \(\mathsf {sib}\) then corresponds to the label of the off-path node at level j for the rightmost root-to-leaf path in the Merkle tree, and is obtained by applying \(h'_\mathsf {tree}\) to this cheating \(\mathsf {PCP}\) proof string.

In the proof of Lemma 2, we will rely on the fact that for any j and any witness \(\langle h_{FS} \rangle \Vert \langle \mathcal {A}_\mathsf {Trivial}\rangle \Vert \langle \mathcal {V}_\mathsf {PCP} \rangle \), a cheating prover can efficiently compute \(\alpha , \mathsf {sib}\) such that \(( (\alpha \Vert \mathsf {bit}_\lambda (j) \Vert \mathsf {sib}), (\langle h_\mathsf {FS}\rangle \Vert \langle \mathcal {A}_{\mathsf {Trivial}} \rangle \Vert \langle \mathcal {V}_\mathsf {PCP}\rangle ))\) is in the relation (by simply applying \(h_\mathsf {FS},\mathcal {A}_\mathsf {Trivial},\mathcal {V}^{(0)}_\mathsf {PCP},h'_\mathsf {tree}\) in the specified way). In the proof of Lemma 1, we use the fact that for each \((\alpha , j)\) pair, an efficient adversary can only find one \((\mathsf {sib},w)\) pair such that \(\left( (\alpha \Vert \mathsf {bit}_\lambda (j) \Vert \mathsf {sib}),w\right) \) is in the relation (due to the collision-resistance of \(h_\mathsf {rt}\)).

Hash Computation. Parse input \(x \in \{0,1\}^{2m}\) as

$$\Big (\mathsf {sib} \ \Big \vert \Big \vert \ (\mathsf {pre} \Vert \$ \Vert \mathsf {bit}_\lambda (j) \Vert \alpha ) \ \Big \vert \Big \vert \ (\pi _1 \Vert \dots \Vert \pi _j \Vert z)\Big ),$$

where

  • \(\mathsf {sib} \in \{0,1\}^{m}\),

  • \((\mathsf {pre} \Vert \$ \Vert \mathsf {bit}_\lambda (j) \Vert \alpha ) \in \{0,1\}^{m/2}\) (\(\mathsf {pre} \in \{0,1\}^2\), \(\$ \in \{0,1\}^{\lambda }\), \(\mathsf {bit}_\lambda (j) \in \{0,1\}^{\log (\lambda )}\), and \(\alpha \in \{0,1\}^{m/2 - \lambda - \log (\lambda ) - 2}\)),

  • and \((\pi _1 \Vert \dots \Vert \pi _j \Vert z) \in \{0,1\}^{m/2}\) (\(\pi _i \in \{0,1\}^{p(\lambda )}\) and \(z \in \{0,1\}^{m/2 - jp(\lambda )}\)).

If \(\mathsf {pre}=\mathsf {pre}_\mathsf {path},\$=\$_\mathsf {path}\), and \(z=0^{m/2-jp(\lambda )}\), run the \(\mathsf {SNARK}\) verifier for language \(\mathcal {L}_{\$_\mathsf {rt},h_\mathsf {rt},h'_\mathsf {tree}}\) on \((\tau ,(\alpha \Vert \mathsf {bit}_\lambda (j) \Vert \mathsf {sib}),\pi _j)\). If \(j \ge 1\) and the verifier accepts, then

  • if \(j \ge 2\), output

    $$\begin{aligned} \Big ((\mathsf {pre}_\mathsf {path} \Vert \$_\mathsf {path} \Vert \mathsf {bit}_\lambda (j-1) \Vert \alpha ) \ \Big \vert \Big \vert \ (\pi _1 \Vert \dots \Vert \pi _{j-1} \Vert 0^{m/2-(j-1)p(\lambda )})\Big ) \in \{0,1\}^{m}, \end{aligned}$$

  • and if \(j=1\), output

    $$\Big ( \$_\mathsf {rt} \oplus (0^{\lambda +\log (\lambda )+2} \Vert \alpha \Vert 0^{m/2})\Big ) \in \{0,1\}^m.$$

Otherwise, if the input does not parse as above, or the verifier does not accept, output \(h'_\mathsf {tree}(x)\).

3.5 Proof of Theorem 6

The proof follows easily from these two lemmas, both of which are proven in the full version [BBH+19].

Lemma 1

Assuming \(\mathcal {H}_\mathsf {rt}\) and \(\mathcal {H}_\mathsf {tree}\) are \(\mathsf {CRHF}\) families and that \(\mathcal {S} = (\mathcal {G},\mathcal {P},\mathcal {V})\) is a fully-succinct \(\mathsf {SNARK}\) with computationally unique proofs, then the above construction of \(\widetilde{\mathcal {H}}_\mathsf {CRHF}\) is a \(\mathsf {CRHF}\) family.

Lemma 2

For any \(\mathsf {PCP}\) \({\varPi }_\mathsf {PCP} =(\mathcal {P}_{\mathsf {PCP}},\mathcal {V}_{\mathsf {PCP}})\) and \(\mathcal {H}_\mathsf {FS}\), if \(\mathsf {Trivial}[{\varPi }_\mathsf {PCP},\mathcal {H}_\mathsf {FS}]\) is not sound, then \(\mathsf {FSKM}[{\varPi }_\mathsf {PCP},\widetilde{\mathcal {H}}_\mathsf {CRHF},\mathcal {H}_\mathsf {FS}]\) is not sound.

4 An \(\mathsf {FSKM}\)-Incompatible \(\mathsf {PCIP}\)

In this section we show that for every language in \(\mathsf {NP}\) there exists a probabilistically checkable interactive proof such that for every Fiat-Shamir hash function and every collision-resistant hash function, the resulting \(\mathsf {FSKM}\) protocol is not sound.

Theorem 7

Let \(\mathcal {L} \in \mathsf {NP}\). There exists a \(\mathsf {PCIP}\) \({\varPi }\) for \(\mathcal {L}\) with negligible soundness error such that for every collision resistant hash function family \(\mathcal {H}_{\mathsf {CRHF}}\) and every Fiat-Shamir hash function family \(\mathcal {H}_{\mathsf {FS}}\), the protocol \(\mathsf {FSKM}[{\varPi },\mathcal {H}_{\mathsf {CRHF}},\mathcal {H}_{\mathsf {FS}}]\) is not sound.

As a matter of fact, our attack breaks soundness of \(\mathsf {FSKM}[{\varPi },\mathcal {H}_{\mathsf {CRHF}},\mathcal {H}_{\mathsf {FS}}]\) in an extremely strong sense—it is a \(\mathsf {poly}(n,\lambda )\)-time attack that causes the verifier to accept any input \(x \notin \mathcal {L}\), with probability 1.

4.1 Proof of Theorem 7

Let \(\mathcal {L} \in \mathsf {NP}\) and let \(\mathcal {H}_{\mathsf {CRHF}} = {\left\{ {\mathcal {H}^{(\lambda )}_\mathsf {CRHF} }\right\} }_\lambda \), \(\mathcal {H}_{\mathsf {CRHF}}^{(\lambda )} = {\left\{ {h_{\mathsf {CRHF}}: {\left\{ {0,1}\right\} }^{2\lambda } \rightarrow {\left\{ {0,1}\right\} }^\lambda }\right\} }\) be a collision resistant hash family. The proof will take the following steps.

  1. 1.

    First, we construct a sound \(\mathsf {PCIP}\) \((\mathcal {P},\mathcal {V})\) for \(\mathcal {L} \). The \(\mathsf {PCIP}\) will be constructed in a contrived manner (to facilitate the attack in Step 3). This step is done in Sect. 4.1.

  2. 2.

    We briefly describe the argument system \((\mathcal {P}_{\mathsf {Kilian}},\mathcal {V}_{\mathsf {Kilian}}) = \mathsf {Kilian}[\mathsf {PCIP},\mathcal {H}_{\mathsf {CRHF}}]\). Its soundness follows from [Kil88, BCS16] (since we are instantiating Kilian’s protocol with a sound \(\mathsf {PCIP}\) and a \(\mathsf {CRHF}\)). This step is done in Line 7.

  3. 3.

    For every hash family \(\mathcal {H}_{\mathsf {FS}}\), we present the protocol \(\mathsf {FSKM}[\mathsf {PCIP},\mathcal {H}_{\mathsf {CRHF}},\mathcal {H}_{\mathsf {FS}}]\) and show an attack that causes the verifier to accept every possible input \(x \not \in \mathcal {L}\) with probability 1. This last step is done in Line 7.

A Contrived \(\mathsf {PCIP}\) for \(\mathcal {L}\varvec{.}\) We next construct our \(\mathsf {PCIP}\) \((\mathcal {P},\mathcal {V})\) for the language \(\mathcal {L}\). Before doing so, we first set up some tools that we be used in the construction.

Some Useful Ingredients. Since \(\mathcal {L} \in \mathsf {NP}\), by the \(\mathsf {PCP}\) Theorem (Theorem 1), there exists a \(\mathsf {PCP}\) \((\mathcal {P}_\mathcal {L}, \mathcal {V}_\mathcal {L})\) for \(\mathcal {L}\) with soundness error \(\epsilon _\mathcal {L}(\lambda ) = \mathsf {neg}(\lambda )\), query complexity \(q_\mathcal {L} = \mathsf {polylog} (\lambda )\) and randomness complexity \(r_\mathcal {L} = \mathsf {poly}(\log (n),\log (\lambda ))\).

Recall that \(\mathsf {MerkleCom}(h, s)\) is the Merkle tree root generated from s using the hash function h (see Sect. 2.2). Let C be an efficiently computable and decodable error correcting code ensemble with constant rate and constant \(\delta _0>0\) relative distance (for more background on codes and the fact that such codes exist, see the full version [BBH+19]. We define an auxiliary pair language \(\mathcal {L}'\) as follows:

$$ \mathcal {L}' = \left\{ \Big ( r, \pi = C \big (\langle h_{\mathsf {CRHF}} \rangle \Vert \langle h_{\mathsf {FS}} \rangle \big ) \Big ) : \begin{array}{l} r \in {\left\{ {0,1}\right\} }^\lambda ,\\ \langle h_{\mathsf {CRHF}} \rangle , \langle h_{\mathsf {FS}} \rangle \text { are Boolean circuits, and } \\ h_{\mathsf {FS}} \big (\mathsf {MerkleCom}(h_{\mathsf {CRHF}}, (1 \Vert \pi )) \big ) = r \end{array}\right\} $$

In other words, \(\mathcal {L}' \subseteq {\left\{ {0,1}\right\} }^* \times {\left\{ {0,1}\right\} }^*\) is a pair language, in which the first part of the input r is a binary string of length \(\lambda \) (which will be the security parameter in the upcoming \(\mathsf {PCIP}\)), and the second part of the input \(\pi \) is an encoding under C of two Boolean circuits. Jumping ahead, the first circuit \( h_{\mathsf {CRHF}} \) will play the part of the \(\mathsf {CRHF}\) used in Kilian’s protocol, while the circuit \( h_{\mathsf {FS}} \) will be the \(\mathsf {FS}\) hash function. For such \((r, \pi )\), it holds that \((r, \pi ) \in \mathcal {L}'\) if and only if \(h_{\mathsf {FS}} \big (\mathsf {MerkleCom}(h_{\mathsf {CRHF}}, (1 \Vert \pi )) \big ) = r\).

Observe that \(\mathcal {L}'\) can be decided by a polynomial time Turing machine (i.e., polynomial in the input length \(|r|+|\pi |\)). Therefore, by Theorem 2 there exists a \(\mathsf {PCPP}\) proof-system for \(\mathcal {L}'\), denoted by \((\mathcal {P}_{\mathcal {L}'}, \mathcal {V}_{\mathcal {L}'})\) such that for input \((r,\pi )\) and every proximity parameter \(\delta >0\), the soundness error is \(\epsilon _{\mathcal {L}'}(\lambda ) = \mathsf {neg}(\lambda )\), query complexity \(q_{\mathcal {L}'} = \mathsf {poly}(\log (\lambda ), \frac{1}{\delta })\) and randomness complexity \(r_{\mathcal {L}'} = \mathsf {poly}(\log (\lambda ), \log (t) / \delta )\), where \(t=|r|+|\pi |\). Furthermore, the prover \(\mathcal {P}_{\mathcal {L}'}\) runs in time \(\mathsf {poly}(t, \log (\lambda ))\), and \(\mathcal {V}_{\mathcal {L}'}\) runs in time \(\mathsf {poly}(\log (t), \log (\lambda ), \frac{1}{\delta })\).

\(\mathsf {PCIP}\) for \(\mathcal {L}.\) With these tools in hand, we are ready to present the \(\mathsf {PCIP}\). Intuitively (and as hinted on in Sect. 1.4), the verifier \(\mathcal {V}\) will accept input x in one of two possible scenarios: The first scenario (denoted by having the prover initially send a bit \(b=0\)), is that the prover provides \(\mathcal {V}\) with an honest \(\mathsf {PCP}\) proof for \(x \in \mathcal {L}\), thus allowing the honest prover \(\mathcal {P}\) to convince the verifier with probability 1. The second scenario (denoted by having the prover send \(b=1\)), is that the prover manages to pass the following test (which will act as a backdoor once we compile the \(\mathsf {PCIP}\) with \(\mathsf {FSKM}\)):

The prover \(\mathcal {P}\) is required to send a description of a Fiat-Shamir hash function \(h_{\mathsf {FS}}\) which manages to accurately predict \(r_1\), the random coins of \(\mathcal {V}\), which have yet to be sampled. A cheating \(\mathsf {PCIP}\) prover has \(2^{-|r_1|} = \mathsf {negl}(\lambda )\) probability of passing the challenge.

In contrast, once the \(\mathsf {FSKM}\) transform is applied, the challenge becomes easy to beat. A malicious prover will simply commit to the \(\mathsf {FS}\) hash function provided by the verifier, as described in the \(\mathsf {FSKM}\) transform. Therefore, the malicious prover will be able to predict the randomness of the verifier, thus passing the test.

In order to make the number of queries by \(\mathcal {V}\) polylogarithmic in \(\lambda \), we shall have the prover send its messages via an error-correcting code and run a \(\mathsf {PCPP}\) checking that the verifier would have accepted had it explicitly read all of \(\pi _1\).

The \(\mathsf {PCIP}\) \((\mathcal {P},\mathcal {V})\) is formally described in Fig. 3. In the protocol we use the convention that messages received by the verifier from the prover, which might be maliciously crafted, are denoted with a tilde.

Fig. 3.
figure 3

\((\mathcal {P},\mathcal {V})\) a \(\mathsf {PCIP}\) for \(\mathcal {L}\).

Full size image

We emphasize that while the honest prover always sends \(b=0\) and \(\pi _2\) as the empty string, a cheating prover might not. Indeed, we added the possibility of sending different values here as a kind of backdoor. As we shall show, this backdoor does not violate the soundness of \((\mathcal {P},\mathcal {V})\) as a \(\mathsf {PCIP}\) (see Lemma 3) but completely breaks the soundness of the construction after applying Kilian and Fiat-Shamir (see Corollary 2).

Lemma 3

The protocol \((\mathcal {P},\mathcal {V})\) is a \(\mathsf {PCIP}\) for \(\mathcal {L}\) with negligible soundness error.

A proof of this can be found in the full version [BBH+19].

Applying Kilian’s Protocol to \((\mathcal {P},\mathcal {V})\varvec{.}\) As our next step (the second step in the outline), we consider the protocol \((\mathcal {P}_{\mathsf {Kilian}},\mathcal {V}_{\mathsf {Kilian}}\)) resulting from applying Kilian’s protocol to the \(\mathsf {PCIP}\) \((\mathcal {P},\mathcal {V}\)).

Ben-Sasson et al. [BCS16] showed that applying Kilian’s protocol to any sound \(\mathsf {PCIP}\) results in a sound interactive argument. Thus, we obtain the following result as an immediate corollary of Lemma 3:

Corollary 2

The argument system \((\mathcal {P}_{\mathsf {Kilian}},\mathcal {V}_{\mathsf {Kilian}})\) has negligible soundness error.

Attack on Fiat-Shamir of \((\mathcal {P}_{\mathsf {Kilian}}, \mathcal {V}_{\mathsf {Kilian}})\varvec{.}\) Lastly, consider \((\mathcal {P}_{\mathsf {FS}}, \mathcal {V}_{\mathsf {FS}})\), the result of applying Fiat-Shamir to the previous protocol for hash function ensemble \(\mathcal {H}_{\mathsf {FS}} = {\left\{ {\mathcal {H}^{(\lambda )}_{\mathsf {FS}}}\right\} }_\lambda \).

Lemma 4

There exists a malicious prover \(\mathcal {P}^*\) such that for every input \(x \in {\left\{ {0,1}\right\} }^n\) and security parameter \(\lambda \), it holds that \(\mathcal {P}^*\) runs in time \(\mathsf {poly}(n,\lambda )\) and

A proof of this can be found in the full version [BBH+19].