Untangling the Security of Kilian’s Protocol: Upper and Lower Bounds

Alessandro Chiesa; Marcel Dall’Agnol; Ziyi Guan; Nicholas Spooner; Eylon Yogev

doi:10.1007/978-3-031-78011-0_6

Untangling the Security of Kilian’s Protocol: Upper and Lower Bounds

Alessandro Chiesa, Marcel Dall’Agnol, Ziyi Guan, Nicholas Spooner, Eylon Yogev

Department of Computer Science

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution › peer-review

Abstract

Sigma protocols are elegant cryptographic proofs that have become a cornerstone of modern cryptography. A notable example is Schnorr’s protocol, a zero-knowledge proof-of-knowledge of a discrete logarithm. Despite extensive research, the security of Schnorr’s protocol in the standard model is not fully understood. In this paper we study Kilian’s protocol, an influential public-coin interactive protocol that, while not a sigma protocol, shares striking similarities with sigma protocols. The first example of a succinct argument, Kilian’s protocol is proved secure via rewinding, the same idea used to prove sigma protocols secure. In this paper we show how, similar to Schnorr’s protocol, a precise understanding of the security of Kilian’s protocol remains elusive. We contribute new insights via upper bounds and lower bounds. Upper bounds. We establish the tightest known bounds on the security of Kilian’s protocol in the standard model, via strict-time reductions and via expected-time reductions. Prior analyses are strict-time reductions that incur large overheads or assume restrictive properties of the PCP underlying Kilian’s protocol.Lower bounds. We prove that significantly improving on the bounds that we establish for Kilian’s protocol would imply improving the security analysis of Schnorr’s protocol beyond the current state-of-the-art (an open problem). This partly explains the difficulties in obtaining tight bounds for Kilian’s protocol. Upper bounds. We establish the tightest known bounds on the security of Kilian’s protocol in the standard model, via strict-time reductions and via expected-time reductions. Prior analyses are strict-time reductions that incur large overheads or assume restrictive properties of the PCP underlying Kilian’s protocol. Lower bounds. We prove that significantly improving on the bounds that we establish for Kilian’s protocol would imply improving the security analysis of Schnorr’s protocol beyond the current state-of-the-art (an open problem). This partly explains the difficulties in obtaining tight bounds for Kilian’s protocol.

Original language	English
Title of host publication	Theory of Cryptography - 22nd International Conference, TCC 2024, Proceedings
Editors	Elette Boyle, Elette Boyle, Mohammad Mahmoody
Publisher	Springer Science and Business Media Deutschland GmbH
Pages	158-188
Number of pages	31
ISBN (Print)	9783031780103
DOIs	https://doi.org/10.1007/978-3-031-78011-0_6
State	Published - 2025
Event	22nd Theory of Cryptography Conference, TCC 2024 - Milan, Italy Duration: 2 Dec 2024 → 6 Dec 2024

Publication series

Name	Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)
Volume	15364 LNCS
ISSN (Print)	0302-9743
ISSN (Electronic)	1611-3349

Conference

Conference	22nd Theory of Cryptography Conference, TCC 2024
Country/Territory	Italy
City	Milan
Period	2/12/24 → 6/12/24

Bibliographical note

Publisher Copyright:
© International Association for Cryptologic Research 2025.

Keywords

succinct interactive arguments
vector commitment schemes

Access to Document

10.1007/978-3-031-78011-0_6

Cite this

Chiesa, A., Dall’Agnol, M., Guan, Z., Spooner, N., & Yogev, E. (2025). Untangling the Security of Kilian’s Protocol: Upper and Lower Bounds. In E. Boyle, E. Boyle, & M. Mahmoody (Eds.), Theory of Cryptography - 22nd International Conference, TCC 2024, Proceedings (pp. 158-188). (Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics); Vol. 15364 LNCS). Springer Science and Business Media Deutschland GmbH. https://doi.org/10.1007/978-3-031-78011-0_6

Chiesa, Alessandro ; Dall’Agnol, Marcel ; Guan, Ziyi et al. / Untangling the Security of Kilian’s Protocol : Upper and Lower Bounds. Theory of Cryptography - 22nd International Conference, TCC 2024, Proceedings. editor / Elette Boyle ; Elette Boyle ; Mohammad Mahmoody. Springer Science and Business Media Deutschland GmbH, 2025. pp. 158-188 (Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)).

@inproceedings{f1d42666bc2046b0b4e98f2d44c81e95,

title = "Untangling the Security of Kilian{\textquoteright}s Protocol: Upper and Lower Bounds",

abstract = "Sigma protocols are elegant cryptographic proofs that have become a cornerstone of modern cryptography. A notable example is Schnorr{\textquoteright}s protocol, a zero-knowledge proof-of-knowledge of a discrete logarithm. Despite extensive research, the security of Schnorr{\textquoteright}s protocol in the standard model is not fully understood. In this paper we study Kilian{\textquoteright}s protocol, an influential public-coin interactive protocol that, while not a sigma protocol, shares striking similarities with sigma protocols. The first example of a succinct argument, Kilian{\textquoteright}s protocol is proved secure via rewinding, the same idea used to prove sigma protocols secure. In this paper we show how, similar to Schnorr{\textquoteright}s protocol, a precise understanding of the security of Kilian{\textquoteright}s protocol remains elusive. We contribute new insights via upper bounds and lower bounds. Upper bounds. We establish the tightest known bounds on the security of Kilian{\textquoteright}s protocol in the standard model, via strict-time reductions and via expected-time reductions. Prior analyses are strict-time reductions that incur large overheads or assume restrictive properties of the PCP underlying Kilian{\textquoteright}s protocol.Lower bounds. We prove that significantly improving on the bounds that we establish for Kilian{\textquoteright}s protocol would imply improving the security analysis of Schnorr{\textquoteright}s protocol beyond the current state-of-the-art (an open problem). This partly explains the difficulties in obtaining tight bounds for Kilian{\textquoteright}s protocol. Upper bounds. We establish the tightest known bounds on the security of Kilian{\textquoteright}s protocol in the standard model, via strict-time reductions and via expected-time reductions. Prior analyses are strict-time reductions that incur large overheads or assume restrictive properties of the PCP underlying Kilian{\textquoteright}s protocol. Lower bounds. We prove that significantly improving on the bounds that we establish for Kilian{\textquoteright}s protocol would imply improving the security analysis of Schnorr{\textquoteright}s protocol beyond the current state-of-the-art (an open problem). This partly explains the difficulties in obtaining tight bounds for Kilian{\textquoteright}s protocol.",

keywords = "succinct interactive arguments, vector commitment schemes",

author = "Alessandro Chiesa and Marcel Dall{\textquoteright}Agnol and Ziyi Guan and Nicholas Spooner and Eylon Yogev",

note = "Publisher Copyright: {\textcopyright} International Association for Cryptologic Research 2025.; 22nd Theory of Cryptography Conference, TCC 2024 ; Conference date: 02-12-2024 Through 06-12-2024",

year = "2025",

doi = "10.1007/978-3-031-78011-0_6",

language = "אנגלית",

isbn = "9783031780103",

series = "Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)",

publisher = "Springer Science and Business Media Deutschland GmbH",

pages = "158--188",

editor = "Elette Boyle and Elette Boyle and Mohammad Mahmoody",

booktitle = "Theory of Cryptography - 22nd International Conference, TCC 2024, Proceedings",

address = "גרמניה",

}

Chiesa, A, Dall’Agnol, M, Guan, Z, Spooner, N & Yogev, E 2025, Untangling the Security of Kilian’s Protocol: Upper and Lower Bounds. in E Boyle, E Boyle & M Mahmoody (eds), Theory of Cryptography - 22nd International Conference, TCC 2024, Proceedings. Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics), vol. 15364 LNCS, Springer Science and Business Media Deutschland GmbH, pp. 158-188, 22nd Theory of Cryptography Conference, TCC 2024, Milan, Italy, 2/12/24. https://doi.org/10.1007/978-3-031-78011-0_6

Untangling the Security of Kilian’s Protocol: Upper and Lower Bounds. / Chiesa, Alessandro; Dall’Agnol, Marcel; Guan, Ziyi et al.
Theory of Cryptography - 22nd International Conference, TCC 2024, Proceedings. ed. / Elette Boyle; Elette Boyle; Mohammad Mahmoody. Springer Science and Business Media Deutschland GmbH, 2025. p. 158-188 (Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics); Vol. 15364 LNCS).

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution › peer-review

TY - GEN

T1 - Untangling the Security of Kilian’s Protocol

T2 - 22nd Theory of Cryptography Conference, TCC 2024

AU - Chiesa, Alessandro

AU - Dall’Agnol, Marcel

AU - Guan, Ziyi

AU - Spooner, Nicholas

AU - Yogev, Eylon

PY - 2025

Y1 - 2025

N2 - Sigma protocols are elegant cryptographic proofs that have become a cornerstone of modern cryptography. A notable example is Schnorr’s protocol, a zero-knowledge proof-of-knowledge of a discrete logarithm. Despite extensive research, the security of Schnorr’s protocol in the standard model is not fully understood. In this paper we study Kilian’s protocol, an influential public-coin interactive protocol that, while not a sigma protocol, shares striking similarities with sigma protocols. The first example of a succinct argument, Kilian’s protocol is proved secure via rewinding, the same idea used to prove sigma protocols secure. In this paper we show how, similar to Schnorr’s protocol, a precise understanding of the security of Kilian’s protocol remains elusive. We contribute new insights via upper bounds and lower bounds. Upper bounds. We establish the tightest known bounds on the security of Kilian’s protocol in the standard model, via strict-time reductions and via expected-time reductions. Prior analyses are strict-time reductions that incur large overheads or assume restrictive properties of the PCP underlying Kilian’s protocol.Lower bounds. We prove that significantly improving on the bounds that we establish for Kilian’s protocol would imply improving the security analysis of Schnorr’s protocol beyond the current state-of-the-art (an open problem). This partly explains the difficulties in obtaining tight bounds for Kilian’s protocol. Upper bounds. We establish the tightest known bounds on the security of Kilian’s protocol in the standard model, via strict-time reductions and via expected-time reductions. Prior analyses are strict-time reductions that incur large overheads or assume restrictive properties of the PCP underlying Kilian’s protocol. Lower bounds. We prove that significantly improving on the bounds that we establish for Kilian’s protocol would imply improving the security analysis of Schnorr’s protocol beyond the current state-of-the-art (an open problem). This partly explains the difficulties in obtaining tight bounds for Kilian’s protocol.

AB - Sigma protocols are elegant cryptographic proofs that have become a cornerstone of modern cryptography. A notable example is Schnorr’s protocol, a zero-knowledge proof-of-knowledge of a discrete logarithm. Despite extensive research, the security of Schnorr’s protocol in the standard model is not fully understood. In this paper we study Kilian’s protocol, an influential public-coin interactive protocol that, while not a sigma protocol, shares striking similarities with sigma protocols. The first example of a succinct argument, Kilian’s protocol is proved secure via rewinding, the same idea used to prove sigma protocols secure. In this paper we show how, similar to Schnorr’s protocol, a precise understanding of the security of Kilian’s protocol remains elusive. We contribute new insights via upper bounds and lower bounds. Upper bounds. We establish the tightest known bounds on the security of Kilian’s protocol in the standard model, via strict-time reductions and via expected-time reductions. Prior analyses are strict-time reductions that incur large overheads or assume restrictive properties of the PCP underlying Kilian’s protocol.Lower bounds. We prove that significantly improving on the bounds that we establish for Kilian’s protocol would imply improving the security analysis of Schnorr’s protocol beyond the current state-of-the-art (an open problem). This partly explains the difficulties in obtaining tight bounds for Kilian’s protocol. Upper bounds. We establish the tightest known bounds on the security of Kilian’s protocol in the standard model, via strict-time reductions and via expected-time reductions. Prior analyses are strict-time reductions that incur large overheads or assume restrictive properties of the PCP underlying Kilian’s protocol. Lower bounds. We prove that significantly improving on the bounds that we establish for Kilian’s protocol would imply improving the security analysis of Schnorr’s protocol beyond the current state-of-the-art (an open problem). This partly explains the difficulties in obtaining tight bounds for Kilian’s protocol.

KW - succinct interactive arguments

KW - vector commitment schemes

UR - http://www.scopus.com/inward/record.url?scp=85211931236&partnerID=8YFLogxK

U2 - 10.1007/978-3-031-78011-0_6

DO - 10.1007/978-3-031-78011-0_6

M3 - ???researchoutput.researchoutputtypes.contributiontobookanthology.conference???

AN - SCOPUS:85211931236

SN - 9783031780103

T3 - Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)

SP - 158

EP - 188

BT - Theory of Cryptography - 22nd International Conference, TCC 2024, Proceedings

A2 - Boyle, Elette

A2 - Mahmoody, Mohammad

PB - Springer Science and Business Media Deutschland GmbH

Y2 - 2 December 2024 through 6 December 2024

ER -

Chiesa A, Dall’Agnol M, Guan Z, Spooner N, Yogev E. Untangling the Security of Kilian’s Protocol: Upper and Lower Bounds. In Boyle E, Boyle E, Mahmoody M, editors, Theory of Cryptography - 22nd International Conference, TCC 2024, Proceedings. Springer Science and Business Media Deutschland GmbH. 2025. p. 158-188. (Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)). doi: 10.1007/978-3-031-78011-0_6