Random Oracle in Fiat-Shamir Transform (from Katz-Lindell Textbook)

Question

I am currently learning about the Fiat-Shamir transform from Katz and Lindell's textbook "Introduction to Modern Cryptography".

I use the 3rd edition textbook. In the Fiat-Shamir transform explained in Construction 13.9 (p. 478), the authors define the function $H: \{0,1\}^* \to \Omega_{pk}$ where $\Omega_{pk}$ is a set defined by the public key $pk$ from the identification scheme. However, they later explain that the challenge value $r$ is defined as $r:=H(I,m)$, which implies that $H$ takes two inputs, $I$ and $m$. The value $I$ itself is generated using the algorithm $\mathcal{P}_1$ from the identification scheme, that is, $I \gets \mathcal{P}_1(sk)$ where $sk$ is the private key of the identification scheme.

Can someone enlighten me on this notation? I have read Chapter 6 about Hash Functions and Applications (including the random-oracle model, ROM), but I have never encountered this kind of notation (i.e., hash function with two inputs).

How do we interpret $H$ exactly? Moreover, in Katz-Lindell book, $m \in \{0,1\}^*$ but $I$ is not necessarily an element of $\{0,1\}^*$ (for example, in Schnorr identification scheme in Construction 13.12, the authors define $I$ as an element of a cyclic group $\mathbb{G}$).

Thank you.

Answer 1

Anything can be encoded as a bitstring, we just need to be a bit careful as to preserve the security of the random oracle.

Let $I\in S$. Then what is meant here by $H(I,m)$ is actually $H(\psi(I,m))$, where $\psi : S \times \{0,1\}^* \to \{0,1\}^*$ is some arbitrary but fixed injective encoding function. It's just that this particular detail is not very relevant at the level covered in the book. It becomes very relevant, once you look at actual implementations, where we need to know how the encoding works and that it is indeed injective.