# On the (In)security of the Fiat-Shamir paradigm

@article{Goldwasser2003OnT, title={On the (In)security of the Fiat-Shamir paradigm}, author={Shafi Goldwasser and Yael Tauman Kalai}, journal={44th Annual IEEE Symposium on Foundations of Computer Science, 2003. Proceedings.}, year={2003}, pages={102-113} }

In 1986, Fiat and Shamir proposed a general method for transforming secure 3-round public-coin identification schemes into digital signature schemes. The idea of the transformation was to replace the random message of the verifier in the identification scheme with the value of some deterministic hash function evaluated on various quantities in the protocol and on the message to be signed. The Fiat-Shamir methodology for producing digital signature schemes quickly gained popularity as it yields…
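As an added illustration (not code from the paper), the transformation described in the abstract applied to Schnorr's identification scheme: the interactive protocol keeps the verifier's random challenge, and the signature scheme replaces it with a hash of the public key, the prover's commitment and the message. The group parameters are constructed toy values and SHA-256 stands in for the "deterministic hash function"; the point of the paper is precisely that a concrete function in this slot does not in general inherit the random-oracle security argument.

```python
import hashlib
import secrets

# Constructed toy group parameters, far too small for real use:
# p = 2q + 1 with p and q prime; g = 4 generates the subgroup of prime order q.
P = 2039
Q = 1019
G = 4


def keygen():
    """Schnorr key pair: secret x in [1, q-1], public key y = g^x mod p."""
    x = secrets.randbelow(Q - 1) + 1
    return x, pow(G, x, P)


# --- Interactive 3-round public-coin identification (Schnorr) ---
def prover_commit():
    """Round 1: prover picks ephemeral r and sends the commitment t = g^r mod p."""
    r = secrets.randbelow(Q - 1) + 1
    return r, pow(G, r, P)


def verifier_challenge():
    """Round 2: the verifier's random message (the public coin)."""
    return secrets.randbelow(Q)


def prover_respond(x, r, c):
    """Round 3: prover answers s = r + c*x mod q."""
    return (r + c * x) % Q


def verifier_check(y, t, c, s):
    """Accept iff g^s == t * y^c mod p, i.e. the prover knew x with y = g^x."""
    return pow(G, s, P) == (t * pow(y, c, P)) % P


# --- Fiat-Shamir: the verifier's random message becomes a hash of the
#     transcript so far (public key, commitment) and the message to sign ---
def fs_challenge(y, t, message):
    data = y.to_bytes(4, "big") + t.to_bytes(4, "big") + message
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % Q


def sign(x, y, message):
    """Non-interactive: the signer plays both prover and (hash-driven) verifier."""
    r, t = prover_commit()
    c = fs_challenge(y, t, message)
    return t, prover_respond(x, r, c)


def verify(y, message, signature):
    """Recompute the challenge from the same quantities and run the verifier's check."""
    t, s = signature
    return verifier_check(y, t, fs_challenge(y, t, message), s)


def demo():
    """One interactive run, one signature, and one corrupted response."""
    x, y = keygen()
    r, t = prover_commit()
    c = verifier_challenge()
    ok_interactive = verifier_check(y, t, c, prover_respond(x, r, c))
    msg = b"constructed sample message"
    t, s = sign(x, y, msg)
    return ok_interactive, verify(y, msg, (t, s)), verify(y, msg, (t, (s + 1) % Q))
```

Because the challenge is derived from the commitment and the message, changing either one after the fact changes the challenge the verifier recomputes, so a response computed for the old challenge no longer satisfies the check (up to the 1/q chance that two different inputs hash to the same challenge, which is why q must be large in practice).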

## 350 Citations

### On the (In)security of Fischlin's Paradigm

- Computer Science, Mathematics
- TCC
- 2013

A counterexample to Fischlin's transformation is shown, which can be applied to any so-called 3-round "Fiat-Shamir proof of knowledge" and can be used to derive non-interactive zero-knowledge proofs of knowledge as well as signature schemes.

### From Identification to Signatures Via the Fiat–Shamir Transform: Necessary and Sufficient Conditions for Security and Forward-Security

- Computer Science, Mathematics
- IEEE Transactions on Information Theory
- 2008

In this paper, minimal conditions on the identification scheme to ensure security of the signature scheme in the random oracle model are determined, both in the usual and in the forward-secure cases.

### From Identification to Signatures via the Fiat-Shamir Transform: Minimizing Assumptions for Security and Forward-Security

- Computer Science, Mathematics
- EUROCRYPT
- 2002

It is shown that the signature scheme is secure against chosen-message attacks in the random oracle model if and only if the underlying identification scheme is secure and has its commitments drawn at random from a large space.

### The Fiat-Shamir Transform for Group and Ring Signature Schemes

- Computer Science, Mathematics
- SCN
- 2010

This paper provides the missing foundations for the use of the Fiat-Shamir transform in more complex settings and defines a formal security model for identity escrow schemes (a concept proposed earlier but never rigorously formalized).

### How Risky Is the Random-Oracle Model?

- Computer Science, Mathematics
- CRYPTO
- 2009

Evidence is given that in the case of RSA and Rabin/Rabin-Williams, an appropriate PSS padding is more robust than all other known paddings, and that a slight modification can prevent these attacks while preserving the ROM security result.

### Black-Box Separations of Hash-and-Sign Signatures in the Non-Programmable Random Oracle Model

- Computer Science, Mathematics
- ProvSec
- 2015

This work follows the technique of Fischlin and Fleischhacker to show that the security of malleable hash-and-sign signature cannot be reduced to its related hard cryptographic problem without programming the RO.

### Two-Tier Signatures, Strongly Unforgeable Signatures, and Fiat-Shamir Without Random Oracles

- Computer Science, Mathematics
- Public Key Cryptography
- 2007

We provide a positive result about the Fiat-Shamir (FS) transform in the standard model, showing how to use it to convert three-move identification protocols into two-tier signature schemes with a…

### On the Insecurity of the Fiat-Shamir Signatures with Iterative Hash Functions

- Computer Science, Mathematics
- ProvSec
- 2009

A much simpler counterexample is given in the restricted (but realistic) case that the hash functions are designed by iterating an underlying hash function with an a-priori bounded input length, although the Fiat-Shamir paradigm is slightly extended.

### Fiat-Shamir: from practice to theory

- Mathematics, Computer Science
- STOC
- 2019

A framework for reducing the security of protocols based on the learning with errors (LWE) problem to qualitatively simpler and weaker computational hardness assumptions is presented.

### Provably Secure Identity-Based Identification Schemes and Transitive Signatures

- Computer Science, Mathematics
- 2004

A general framework of security-preserving transformations between related primitives is presented and used as a tool to prove the security of schemes from 13 different “families” that were proposed in the literature over the last two decades, but that lacked a security proof prior to this work.

## References


### From Identification to Signatures via the Fiat-Shamir Transform: Minimizing Assumptions for Security and Forward-Security

- Computer Science, Mathematics
- EUROCRYPT
- 2002

It is shown that the signature scheme is secure against chosen-message attacks in the random oracle model if and only if the underlying identification scheme is secure and has its commitments drawn at random from a large space.

### Optimal Security Proofs for PSS and Other Signature Schemes

- Computer Science, Mathematics
- EUROCRYPT
- 2001

A new security proof for PSS is derived in which a much shorter random salt is used to achieve the same security level; namely, it is shown that log2(q_sig) bits suffice, where q_sig is the number of signature queries made by the attacker.

### Secure Hash-and-Sign Signatures Without the Random Oracle

- Computer Science, Mathematics
- EUROCRYPT
- 1999

A new signature scheme is presented which is existentially unforgeable under chosen message attacks, assuming some variant of the RSA conjecture, and is unique in that the assumptions made on the cryptographic hash function in use are well defined and reasonable.

### Provably Secure and Practical Identification Schemes and Corresponding Signature Schemes

- Computer Science, Mathematics
- CRYPTO
- 1992

A variant is proposed which is proven to be as secure as the difficulty of solving both the discrete logarithm problem and the specific factoring problem simultaneously, and some other variants, such as an identity-based variant and an elliptic curve variant, are also proposed.

### A Digital Signature Scheme Secure Against Adaptive Chosen-Message Attacks

- Computer Science, Mathematics
- SIAM J. Comput.
- 1988

A digital signature scheme based on the computational difficulty of integer factorization possesses the novel property of being robust against an adaptive chosen-message attack: an adversary who receives signatures for messages of his choice cannot later forge the signature of even a single additional message.

### Improving the exact security of digital signature schemes

- Computer Science
- Journal of Cryptology
- 2001

We put forward a new method of constructing Fiat-Shamir-like signature schemes that yields better “exact security” than the original Fiat-Shamir method. (We also point out, however, that such tight…

### A "Paradoxical" Identity-Based Signature Scheme Resulting from Zero-Knowledge

- Computer Science, Mathematics
- CRYPTO
- 1988

Additional features are introduced in order to provide: firstly, a mutual interactive authentication of both communicating entities and previously exchanged messages, and, secondly, a digital signature of messages, with a non-interactive zero-knowledge protocol.

### Security Proofs for Signature Schemes

- Computer Science, Mathematics
- EUROCRYPT
- 1996

This paper establishes the generality of this technique against adaptively chosen message attacks and achieves such a security proof for a slight variant of the El Gamal signature scheme where committed values are hashed together with the message.

### Signature schemes based on the strong RSA assumption

- Computer Science, Mathematics
- CCS '99
- 1999

A new digital signature scheme is described and analyzed that can be proven secure against adaptive chosen message attack under a reasonable intractability assumption, and also secure in the random oracle model under the standard RSA assumption.

### Signature schemes based on the strong RSA assumption

- Computer Science, Mathematics
- TSEC
- 2000

A new digital signature scheme is described that is quite efficient, does not require the signer to maintain any state, and can be proven secure against adaptive chosen message attack under a reasonable intractability assumption, the so-called strong RSA assumption.