The Fiat–Shamir heuristic takes an interactive proof of knowledge and uses it as the basis for a digital signature.
Questions tagged [fiat-shamir]
79 questions
9 votes, 2 answers
What is the sign bit for in Feige-Fiat-Shamir?
The Feige-Fiat-Shamir identity scheme is based on a ZKP assuming that square roots are "hard" modulo an integer of unknown factorization. The "parallel version" of this protocol includes a "sign bit" and the Wikipedia article claims that the older…
Fixee
7 votes, 1 answer
What does it mean to be "sound"?
I've been reading this in many places and I still don't properly understand what it means to be "sound". As an example of what I am asking for:
The Fiat-Shamir transform is sound in the Random Oracle Model (ROM), where hash functions are assumed to…
Bean Guy
7 votes, 2 answers
Fiat Shamir transformation of zero knowledge proof
Consider the following three stage interactive zero knowledge proof
The prover sends some information $a$ to the verifier.
The verifier picks a challenge $c\in \{0 ,1\}$
Depending on the challenge, the prover responds with $r(c)$ that convinces the…
user1936752
6 votes, 1 answer
Fiat-Shamir vs Common Reference String to make NIZK
I was introduced to NIZK from the notion of CRS: since we have a trusted CRS, then a prover can simulate a challenge by querying the CRS.
Similarly, the prover can simulate the challenge of a verifier by using the Fiat-Shamir heuristic.
Can someone…
graphtheory92
5 votes, 1 answer
Fiat-Shamir for $(2n + 1)$
Consider the following $(2n+1)$ protocol:
$\mathcal{P}$ and $\mathcal{V}$ engage in an interaction where $\mathcal{P}$ consecutively sends a message $a_i$ answered by $\mathcal{V}$ with a random challenge $b_i$ for $i = 1,\dots,n$. Finally…
Lecter
5 votes, 1 answer
Zero-Knowledgeness of Fiat-Shamir heuristic
I have read about the Fiat-Shamir heuristic for making an interactive proof of knowledge into a non-interactive proof of knowledge. If I apply this to zero-knowledge proof of knowledge, it seems to me that I would destroy the simulator and therefore…
joakimb
4 votes, 1 answer
Can voters be authorities at the same time?
There is an encryption scheme where the votes are encrypted with ElGamal and the decryption key is the secret that is shared among the authorities. After everybody voted they publish their part of the secret according to the Shamir thresholding…
New2Math
4 votes, 1 answer
Grinding in the Fiat-Shamir heuristic
The Fiat-Shamir heuristic is assumed to substitute public-coin messages from the verifier by hashes of the prover's messages until this point, i.e.: $$H(\alpha_1) = \beta_1, \\ H(\alpha_1, \alpha_2) = \beta_2,\\H(\alpha_1, \alpha_2, \alpha_3) =…
Bean Guy
4 votes, 1 answer
How does the simulator generate a correct transcript under HVZK with the Fiat-Shamir heuristic?
Background
I understand the interactive version of Schnorr's protocol and I understand how the simulator can generate an output that is i.i.d to the output of the prover-verifier:
Question
What I don't understand is how does the simulator generate…
Lieu Zheng Hong
4 votes, 1 answer
How to construct a strong Fiat-Shamir in zero-knowledge proof?
I'm new to zero-knowledge proof. Recently, I'm implementing a non-interactive zero-knowledge proof using the Schnorr scheme. I understand the non-interactive zero-knowledge proof needs random oracle for a prover to generate a proof along with a…
Chao Liu
4 votes, 3 answers
What is the benefit of zero knowledge identification (Fiat Shamir) over a standard digital signature?
Let's say there is a public key $v$.
Peggy has to prove to Victor that she has the corresponding private key $a$. Of course she doesn't want to disclose $a$ to Victor, but just to prove that she has the key.
Question: What is the benefit of…
Basj
4 votes, 2 answers
Fiat-Shamir With Aborts Signature Scheme: Why cannot we not sample uniformly at random from $R = \mathbb{Z}_p[x] / \langle X^n+1\rangle$
My understanding of the Fiat-Shamir With Aborts Signature Scheme is as follows. We calculate the signature $z = cs +y$, with $s$ being the secret key, and $c$ being the challenge. We need $y$ to hide $cs$, so that $z$'s distribution is…
BlockchainThomas
4 votes, 1 answer
Random Oracle in Fiat-Shamir Transform (from Katz-Lindell Textbook)
I am currently learning about the Fiat-Shamir transform from Katz and Lindell's textbook "Introduction to Modern Cryptography".
I use the 3rd edition textbook. In the Fiat-Shamir transform explained in Construction 13.9 (p. 478), the authors define…
Iqazra
4 votes, 1 answer
Security impact of weakened collision resistance for 128-bit Fiat-Shamir challenges
As I understand, to achieve a security level of $\lambda$, a hash function's output should be at least $2\lambda$ in length, since the search space is halved for collision resistance.
However, I am also under the impression that for many…
Taka
4 votes, 1 answer
Alternatives of how the Fiat-Shamir transform random oracle is applied to a protocol
The Fiat-Shamir transform typically works by substituting (public) coin tosses from the verifier by hashes of the prover's messages until this point, i.e.: $$H(x,\alpha_1) = \beta_1, \\ H(x,\alpha_1, \alpha_2) = \beta_2,\\H(x,\alpha_1, \alpha_2,…
Bean Guy