Paper 2014/188

A Second Look at Fischlin's Transformation

Özgür Dagdelen and Daniele Venturi


Fischlin’s transformation is an alternative to the standard Fiat-Shamir transform to turn a certain class of public key identification schemes into digital signatures (in the random oracle model). We show that signatures obtained via Fischlin’s transformation are existentially unforgeable even in case the adversary is allowed to get arbitrary (yet bounded) information on the entire state of the signer (including the signing key and the random coins used to generate signatures). A similar fact was already known for the Fiat-Shamir transform, however, Fischlin’s transformation allows for a significantly higher leakage parameter than Fiat-Shamir. Moreover, in contrast to signatures obtained via Fiat-Shamir, signatures obtained via Fischlin enjoy a tight reduction to the underlying hard problem. We use this observation to show (via simulations) that Fischlin’s transformation, usually considered less efficient, outperforms the Fiat-Shamir transform in verification time for a reasonable choice of parameters. In terms of signing Fiat-Shamir is faster for equal signature sizes. Nonetheless, our experiments show that the signing time of Fischlin’s transformation becomes, e.g., 22% of the one via Fiat-Shamir if one allows the signature size to be doubled.

Available format(s)
Public-key cryptography
Publication info
Published elsewhere. Africacrypt 2014
Fischlin’s transformationleakagetightnessrandom oracle
Contact author(s)
oezguer dagdelen @ cased de
2014-03-12: received
Short URL
Creative Commons Attribution


      author = {Özgür Dagdelen and Daniele Venturi},
      title = {A Second Look at Fischlin's Transformation},
      howpublished = {Cryptology ePrint Archive, Paper 2014/188},
      year = {2014},
      note = {\url{}},
      url = {}
Note: In order to protect the privacy of readers, does not use cookies or embedded third party content.