Fiat–Shamir Bulletproofs are Non-malleable (in the Random Oracle Model)

Bulletproofs (Bünz et al., in: 2018 IEEE symposium on security and privacy, IEEE Computer Society Press, pp 315–334, 2018) are a celebrated ZK proof system that allows for short and efficient proofs, and have been implemented and deployed in several real-world systems. In practice, they are most often implemented in their non-interactive version obtained using the Fiat–Shamir transform. A security proof for this setting is necessary for ruling out malleability attacks. These attacks can lead to very severe vulnerabilities, as they allow an adversary to forge proofs re-using or modifying parts of the proofs provided by the honest parties. An earlier version of this work (Ganesh et al., in: EUROCRYPT 2022, Part II. LNCS, vol 13276, Springer, Cham, pp 397–426, 2022) provided evidence for non-malleability of Fiat–Shamir Bulletproofs. This was done by proving simulation-extractability, which implies non-malleability, in the algebraic group model. In this work, we generalize the former result and prove simulation-extractability in the programmable random oracle model, removing the need for the algebraic group model. Along the way, we establish a generic chain of reductions for Fiat–Shamir-transformed multi-round public-coin proofs to be simulation-extractable in the (programmable) random oracle model, which may be of independent interest.