## On the (In)security of the Fiat-Shamir Paradigm (2003)

Venue: In Proceedings of the 44th Annual IEEE Symposium on Foundations of Computer Science (FOCS 2003)

Citations: 44 (2 self)

### BibTeX

```bibtex
@INPROCEEDINGS{Goldwasser03onthe,
  author    = {Shafi Goldwasser and Yael Tauman},
  title     = {On the (In)security of the Fiat-Shamir Paradigm},
  booktitle = {Proceedings of the 44th Annual IEEE Symposium on Foundations of Computer Science},
  year      = {2003},
  pages     = {102--115},
  publisher = {IEEE Computer Society Press}
}
```

### Abstract

In 1986, Fiat and Shamir suggested a general method for transforming secure 3-round public-coin identification schemes into digital signature schemes. The significant contribution of this method is a means for designing efficient digital signatures, while hopefully achieving security against chosen message attacks. All other known constructions which achieve such security are substantially more inefficient and complicated in design. In 1996...

### Citations

2754 | New Directions in Cryptography - Diffie, Hellman - 1976 |
Citation context: ...f of Lemma 6.4 42 C Proof of Claim 6.5.1 46 D Proof of Claim 6.7.1 47 E Proof of Claim 6.7.2 48 1 Introduction In their famous paper laying the foundations for modern cryptography, Diffie and Hellman [DH76] introduced the notion of digital signatures and proposed a general method for designing them. Their method uses trapdoor functions as its basic primitive and is known as the trapdoor-function signatu...

1351 | Random oracles are practical: A paradigm for designing efficient protocols - Bellare, Rogaway - 1993 |
Citation context: ...succinct description of this function. This gives an implementation of the idealized scheme in the real world. This methodology, introduced implicitly by [FS86], was formalized by Bellare and Rogaway [BR93]. 1 The conditions are that the identification scheme is secure against impersonation under passive attacks, and that the first message sent by the prover is drawn at random from a large space. [AABN0...

1149 | Identity-Based Encryption from the Weil Pairing - Boneh, Franklin - 2001 |

841 | How to prove yourself: practical solutions to identification and signature problems - Fiat, Shamir - 1987 |
Citation context: ...tions. These schemes, however, are rarely used in applications as they are often considered too inefficient. A general paradigm for designing digital signature schemes was proposed by Fiat and Shamir [FS86]. Their starting observation was that designing secure interactive identification protocols (in which a sender merely identifies himself to a receiver) can be done with greater ease and efficiency tha...

835 | A Digital Signature Scheme Secure Against Adaptive Chosen-Message Attacks - Goldwasser, Micali, et al. - 1988 |

828 | The MD5 Message-Digest Algorithm - Rivest - 1992 |

633 | How to construct random functions - Goldreich, Goldwasser, et al. - 1986 |

610 | How to Generate Cryptographically Strong Sequences of Pseudo-Random Bits - Blum, Micali - 1984 |

330 | A Certified Digital Signature - Merkle |

314 | Universal one-way hash functions and their cryptographic applications - Naor, Yung - 1989 |
Citation context: ...r digital signature schemes were proposed and proved existentially unforgeable against chosen message attacks under standard intractability assumptions [GMR88, BM84, NY89, GHR99, CS99]. Most notably, [NY89] and [Rom90] showed that the existence of secure digital signature schemes is equivalent to the existence of one-way functions. These schemes, however, are rarely used in applications as they are ofte...

313 | Zero knowledge proofs of identity - Feige, Fiat, et al. - 1987 |
Citation context: ...lying the Fiat-Shamir Paradigm, and are insecure regardless of which "hash" function is used. Several related questions arise. 1. Our proof does not imply that the ID schemes used in practice such as [FFS88] or [Sch91] combined with some particular hash function ensemble H necessarily yield insecure digital signature schemes. It does imply that a proof of security would have to involve the particulars of...

250 | New directions in cryptography - Diffie, Hellman - 1976 |

210 | Security proofs for signature schemes - Pointcheval, Stern |
Citation context: ... by the protocol and to the message to be signed. The main question regarding any of these proposals is what can be proven about the security of the resulting signature schemes. Pointcheval and Stern [PS96] made a first step towards answering this question. They proved that for every 3-round public-coin identification protocol, which is zero-knowledge with respect to an honest verifier, the signature sc...

196 | On the (im)possibility of obfuscating programs - Barak, Goldreich, et al. |

152 | Signature schemes based on the strong RSA assumption - Cramer, Shoup |

150 | A note on efficient zero-knowledge proofs and arguments (extended abstract) - Kilian - 1992 |

148 | Provably Secure and Practical Identification Schemes and Corresponding Signature Schemes - Okamoto - 1992 |

122 | Secure Hash-and-Sign Signatures without the Random Oracle - Gennaro, Halevi, et al. - 1999 |

103 | A `Paradoxical' Identity-Based Signature Scheme Resulting from Zero-Knowledge - Guillou, Quisquater - 1990 |

100 | Foundations of Cryptography: Volume 1, Basic Tools - Goldreich - 2001 |

97 | Computationally sound proofs - Micali |

81 | The random oracle methodology, revisited - Canetti, Goldreich, Halevi |
Citation context: ...s", the obvious question was whether it is indeed always possible to replace the random oracle with a real world implementation. This question was answered negatively by Canetti, Goldreich and Halevi [CGH98]. They showed that there exists a signature scheme and an encryption scheme which are secure in the Random Oracle Model but are insecure with respect to any implementation of the random oracle by a fu...

61 | Universal arguments and their applications - Barak, Goldreich - 2002 |
Citation context: ...n NP relation. We restrict � the witness � to be of size at most � , so that the language corresponding to � will be in � � . We remark that the exact same relation was used by Barak and Goldreich in [BG02]. In order to carry out the above idea towards establishing the insecurity of the FS paradigm, we need a proof-of-knowledge system for �. Moreover, since canonical ID schemes are confined to 3-rounds, ...

40 | Bit Commitment using Pseudorandom Generators - Naor - 1991 |

32 | From identification to signatures via the Fiat-Shamir transform: minimizing assumptions for security and forward-security - Abdalla, An, et al. - 2002 |
Citation context: ... signature schemes, including [Sch91, GQ88, Ok92], were designed following this paradigm. The paradigm has also been applied in other domains so as to achieve forward secure digital signature schemes [AABN02] and to achieve better exact security [MR02]. Both of the above applications actually use a variation of the Fiat-Shamir paradigm. Still, they share the same basic structure: start with some secure 3-...

13 | Improving the exact security of digital signature schemes - Micali, Reyzin |

10 | Provably Secure and Practical Identification Schemes and Corresponding Signature Schemes. CRYPTO '92 - Okamoto |

8 | A note on efficient zero-knowledge proofs and arguments - Kilian - 1992 |

6 | One-Way Functions are Necessary and Sufficient for Secure Signatures (STOC) - Rompel - 1990 |
Citation context: ...ignature schemes were proposed and proved existentially unforgeable against chosen message attacks under standard intractability assumptions [GMR88, BM84, NY89, GHR99, CS99]. Most notably, [NY89] and [Rom90] showed that the existence of secure digital signature schemes is equivalent to the existence of one-way functions. These schemes, however, are rarely used in applications as they are often considered...

3 | How to go beyond the black-box simulation barrier - Barak - 2001 |
Citation context: ...e Fiat-Shamir paradigm. What it does imply is that any proof of security would have to involve the particulars of the ID scheme and the in question. Our first idea is to make use of Barak's technique [Bar01] of taking advantage of non black-box access to the program of the verifier. Intuitively, the idea is to take any secure - round public-coin identification scheme (which is not necessarily zero-knowle...

2 | Magic functions - Dwork, Naor, Reingold, Stockmeyer - 1998 |
Citation context: ...at least one of them demonstrates the failure of the Fiat-Shamir paradigm. 1.2 Related Work: Fiat-Shamir Paradigm and Zero Knowledge Following the work of [CGH98], Dwork, Naor, Reingold and Stockmeyer [DNRS99] investigated the security of the Fiat-Shamir paradigm, and showed that it is closely related to two previously studied problems: the selective decommitment problem2, and the existence of -round public...

2 | Efficient Signature Generation by Smart Cards (Journal of Cryptology 4/3) - Schnorr - 1991 |
Citation context: ...iat-Shamir Paradigm, and are insecure regardless of which "hash" function is used. Several related questions arise. 1. Our proof does not imply that the ID schemes used in practice such as [FFS88] or [Sch91] combined with some particular hash function ensemble H necessarily yield insecure digital signature schemes. It does imply that a proof of security would have to involve the particulars of the ID sch...

1 | Canetti, Oded Goldreich, and Shai Halevi. The random oracle methodology, revisited - Shoup - 1998 |