Adaptive Proofs have Straightline Extractors

The concept of adaptive security for proofs of knowledge was recently studied by Bernhard et al. They formalised adaptive security in the ROM and showed that the non-interactive version of the Schnorr protocol obtained using the Fiat-Shamir transformation is not adaptively secure unless the one-more discrete logarithm problem is easy. Their only construction for adaptively secure protocols used the Fischlin transformation [3] which yields protocols with straight-line extractors. In this paper we provide two further key insights. Our main result shows that any adaptively secure protocol must have a straight-line extractor: even the most clever rewinding strategies cannot o er any bene ts against adaptive provers. Then, we show that any Fiat-Shamir transformedΣ-protocol is not adaptively secure unless a related problem which we call the Σ-one-wayness problem is easy. This assumption concerns not just Schnorr but applies to a whole class of Σ-protocols including e.g. Chaum-Pedersen and representation proofs. We also prove that Σ-one-wayness is hard in the generic group model. Taken together, these results suggest that FiatShamir transformed Σ-protocols should not be used in settings where adaptive security is important.