Aarhus University Seal

Fiat-Shamir Bulletproofs are Non-Malleable (in the Algebraic Group Model)

Research output: Contribution to book/anthology/report/proceedingArticle in proceedingsResearchpeer-review

Bulletproofs (Bünz et al. IEEE S&P 2018) are a celebrated ZK proof system that allows for short and efficient proofs, and have been implemented and deployed in several real-world systems. In practice, they are most often implemented in their non-interactive version obtained using the Fiat-Shamir transform, despite the lack of a formal proof of security for this setting. Prior to this work, there was no evidence that malleability attacks were not possible against Fiat-Shamir Bulletproofs. Malleability attacks can lead to very severe vulnerabilities, as they allow an adversary to forge proofs re-using or modifying parts of the proofs provided by the honest parties. In this paper, we show for the first time that Bulletproofs (or any other similar multi-round proof system satisfying some form of weak unique response property) achieve simulation-extractability in the algebraic group model. This implies that Fiat-Shamir Bulletproofs are non-malleable.

Original languageEnglish
Title of host publicationAdvances in Cryptology – EUROCRYPT 2022
EditorsOrr Dunkelman, Stefan Dziembowski
Number of pages30
Place of publicationCham
Publication year2022
ISBN (print)9783031070846
Publication statusPublished - 2022
SeriesLecture Notes in Computer Science (LNCS)

    Research areas

  • Fiat-Shamir, Non-interactive zero-knowledge, Simulation-extractability

See relations at Aarhus University Citationformats

ID: 264366925