Fiat–Shamir Heuristic
   HOME

TheInfoList



OR:

In
cryptography Cryptography, or cryptology (from grc, , translit=kryptós "hidden, secret"; and ''graphein'', "to write", or ''-logia'', "study", respectively), is the practice and study of techniques for secure communication in the presence of adver ...
, the Fiat–Shamir heuristic is a technique for taking an interactive proof of knowledge and creating a
digital signature A digital signature is a mathematical scheme for verifying the authenticity of digital messages or documents. A valid digital signature, where the prerequisites are satisfied, gives a recipient very high confidence that the message was created b ...
based on it. This way, some fact (for example, knowledge of a certain secret number) can be publicly proven without revealing underlying information. The technique is due to
Amos Fiat Amos Fiat (born December 1, 1956) is an Israeli computer scientist, a professor of computer science at Tel Aviv University. He is known for his work in cryptography, online algorithms, and algorithmic game theory. Biography Fiat earned his Ph. ...
and
Adi Shamir Adi Shamir ( he, עדי שמיר; born July 6, 1952) is an Israeli cryptographer. He is a co-inventor of the Rivest–Shamir–Adleman (RSA) algorithm (along with Ron Rivest and Len Adleman), a co-inventor of the Feige–Fiat–Shamir identificat ...
(1986). For the method to work, the original interactive proof must have the property of being public-coin, i.e. verifier's random coins are made public throughout the proof protocol. The heuristic was originally presented without a proof of security; later, Pointcheval and
Stern The stern is the back or aft-most part of a ship or boat, technically defined as the area built up over the sternpost, extending upwards from the counter rail to the taffrail. The stern lies opposite the bow, the foremost part of a ship. Ori ...
proved its security against chosen message attacks in the ''random oracle model'', that is, assuming
random oracle In cryptography, a random oracle is an oracle (a theoretical black box) that responds to every ''unique query'' with a (truly) random response chosen uniformly from its output domain. If a query is repeated, it responds the same way every time th ...
s exist. This result was generalized to the quantum-accessible random oracle (QROM) by Don, Fehr, Majenz and Schaffner, and concurrently by Liu and Zhandry. In the case that random oracles do not exist, the Fiat–Shamir heuristic has been proven insecure by
Shafi Goldwasser en, Shafrira Goldwasser , name = Shafi Goldwasser , image = Shafi Goldwasser.JPG , caption = Shafi Goldwasser in 2010 , birth_place = New York City, New York, U.S. , birth_date = , death_date ...
and
Yael Tauman Kalai Yael Tauman Kalai is a cryptographer and theoretical computer scientist who works as a Senior Principal Researcher at Microsoft Research New England and as an adjunct professor at MIT in the Computer Science and Artificial Intelligence Lab. Edu ...
. The Fiat–Shamir heuristic thus demonstrates a major application of random oracles. More generally, the Fiat–Shamir heuristic may also be viewed as converting a public-coin interactive proof of knowledge into a non-interactive proof of knowledge. If the interactive proof is used as an identification tool, then the non-interactive version can be used directly as a digital signature by using the message as part of the input to the random oracle.


Example

For the algorithm specified below, readers should be familiar with the laws of
modular arithmetic In mathematics, modular arithmetic is a system of arithmetic for integers, where numbers "wrap around" when reaching a certain value, called the modulus. The modern approach to modular arithmetic was developed by Carl Friedrich Gauss in his book ...
, especially with multiplicative groups of integers modulo n with prime ''q''. Here is an interactive proof of knowledge of a discrete logarithm. # Peggy wants to prove to Victor the verifier that she knows x: the discrete logarithm of y = g^x to the base g (mod ''n''). # She picks a random v\in \Z^*_q, computes t = g^v and sends t to Victor. # Victor picks a random c\in \Z^*_q and sends it to Peggy. # Peggy computes r = v - cx \bmod \lambda(q) and returns r to Victor. # He checks whether t \equiv g^ry^c. This holds because g^ry^c = g^g^ = g^v = t. Fiat–Shamir heuristic allows to replace the interactive step 3 with a non-interactive
random oracle In cryptography, a random oracle is an oracle (a theoretical black box) that responds to every ''unique query'' with a (truly) random response chosen uniformly from its output domain. If a query is repeated, it responds the same way every time th ...
access. In practice, we can use a
cryptographic hash function A cryptographic hash function (CHF) is a hash algorithm (a map of an arbitrary binary string to a binary string with fixed size of n bits) that has special properties desirable for cryptography: * the probability of a particular n-bit output re ...
instead. # Peggy wants to prove that she knows x: the discrete logarithm of y = g^x to the base g. # She picks a random v\in\Z^*_q and computes t = g^v. # Peggy computes c = H(g,y,t), where H() is a cryptographic hash function. # She computes r = v - cx \bmod \lambda(q). The resulting proof is the pair (t,r). # Anyone can use this proof to calculate c and check whether t \equiv g^ry^c. As r is an exponent of g and we're using cyclic groups with order q, it can be calculated modulo \lambda(q), not modulo q. \lambda(q) is q - 1 in the case when q is prime order of group. If the hash value used below does not depend on the (public) value of ''y'', the security of the scheme is weakened, as a malicious prover can then select a certain value ''y'' so that the product ''cx'' is known.


Extension of this method

As long as a fixed random generator can be constructed with the data known to both parties, then any interactive protocol can be transformed into a non-interactive one.


See also

*
Random oracle model In cryptography, a random oracle is an oracle (a theoretical black box) that responds to every ''unique query'' with a (truly) random response chosen uniformly from its output domain. If a query is repeated, it responds the same way every time t ...
*
Non-interactive zero-knowledge proof Non-interactive zero-knowledge proofs are zero-knowledge proofs where information between a prover and a verifier can be authenticated by the prover, without revealing any of the specific information beyond the validity of the transaction itself. T ...
* an application in anonymous veto network *
Forking lemma The forking lemma is any of a number of related lemmas in cryptography research. The lemma states that if an adversary (typically a probabilistic Turing machine), on inputs drawn from some distribution, produces an output that has some property wi ...


References

{{DEFAULTSORT:Fiat-Shamir heuristic Theory of cryptography