Fiat-Shamir transform for Σ-protocols #
The classical (non-aborting) Fiat-Shamir transform: given a 3-round Σ-protocol
and a generable relation, produce a signature scheme in the random-oracle
model. The signing algorithm commits, queries the random oracle on
(message, commitment), and responds to the resulting challenge.
This file contains the scheme definition, the random-oracle runtime bundle,
the naturality theorem, cost accounting, and completeness. The forking-lemma
bridge lives in FiatShamir.Sigma.Fork and the EUF-CMA reduction in
FiatShamir.Sigma.Security.
Given a Σ-protocol and a generable relation, the Fiat-Shamir transform produces a signature scheme. The signing algorithm commits, queries the random oracle on (message, commitment), and then responds to the challenge.
Instances For
Runtime bundle for the Fiat-Shamir random-oracle world.
Instances For
Fiat-Shamir is natural in any oracle semantics morphism that preserves both random-oracle queries and public-randomness lifting.
This is the basic coherence theorem behind the generic/concrete split:
- define Fiat-Shamir once over
HasQuery - specialize it in one monad
- transport it along a query-preserving monad morphism into another analysis monad
If the morphism also commutes with the designated ProbComp lift, then transporting the generic
construction agrees with re-instantiating the construction directly in the target monad.
Fiat-Shamir signing has query cost determined by its output: the signature (c, s) records
the unique queried commitment c, so the total weighted query cost is exactly
costFn (msg, c).
Fiat-Shamir signing has expected weighted query cost equal to the expectation of the queried commitment cost over the output signature distribution.
Fiat-Shamir signing makes exactly one random-oracle query under unit-cost instrumentation.
Fiat-Shamir verification incurs exactly the weighted cost assigned to the single
random-oracle query on (msg, sig.1).
Fiat-Shamir verification has expected weighted query cost equal to the weight of its single random-oracle query.
Fiat-Shamir verification makes exactly one random-oracle query under unit-cost instrumentation.
Completeness of the Fiat-Shamir signature scheme follows from completeness of the underlying Σ-protocol.