Fiat–Shamir Transformation of Multi-Round Interactive Proofs (Extended Version)

Abstract The celebrated Fiat–Shamir transformation turns any public-coin interactive proof into a non-interactive one, which inherits the main security properties (in random oracle model) of version. While originally considered in context 3-move proofs, i.e., so-called $$\varSigma $$ Σ -protocols, it is now applied to multi-round protocols as well. Unfortunately, loss for $$(2\mu + 1)$$ ( 2 μ + 1 ) -move protocol is, general, approximately $$Q^\mu Q , where Q number queries performed by attacker. In this best one can hope for, easy see that applies $$\mu -fold sequential repetition but raises question whether certain (natural) classes proofs feature milder loss. work, we give positive and negative results on question. On side, show $$(k_1, \ldots k_\mu )$$ k , … -special-sound (which cover broad class use cases), knowledge error degrades linearly instead . t parallel repetitions typical with $$t \ge \mu t ≥ (and assuming simplicity are integer multiples ), there an attack $$\frac{1}{2} Q^\mu /\mu ^{\mu +t}$$ /