eprint.iacr.org will be offline for approximately an hour for routine maintenance at 11pm UTC on Tuesday, April 16. We lost some data between April 12 and April 14, and some authors have been notified that they need to resubmit their papers.

Paper 2016/771

How not to Prove Yourself: Pitfalls of the Fiat-Shamir Heuristic and Applications to Helios

David Bernhard, Olivier Pereira, and Bogdan Warinschi


The Fiat-Shamir transformation is the most efficient construction of non-interactive zero-knowledge proofs. This paper is concerned with two variants of the transformation that appear but have not been clearly delineated in existing literature. Both variants start with the prover making a commitment. The strong variant then hashes both the commitment and the statement to be proved, whereas the weak variant hashes only the commitment. This minor change yields dramatically different security guarantees: in situations where malicious provers can select their statements adaptively, the weak Fiat-Shamir transformation yields unsound/unextractable proofs. Yet such settings naturally occur in systems when zero-knowledge proofs are used to enforce honest behavior. We illustrate this point by showing that the use of the weak Fiat-Shamir transformation in the Helios cryptographic voting system leads to several possible security breaches: for some standard types of elections, under plausible circumstances, malicious parties can cause the tallying procedure to run indefinitely and even tamper with the result of the election. On the positive side, we define a form of adaptive security for zero-knowledge proofs in the random oracle model (essentially simulation-sound extractability), and show that a variant which we call strong Fiat-Shamir yields secure non-interactive proofs. This level of security was assumed in previous works on Helios and our results are then necessary for these analyses to be valid. Additionally, we show that strong proofs in Helios achieve non-malleable encryption and satisfy ballot privacy, improving on previous results that required CCA security.

Available format(s)
Publication info
A major revision of an IACR publication in ASIACRYPT 2012
fiat-shamirzero-knowledgerandom oracle model
Contact author(s)
csxdb @ bristol ac uk
2016-08-12: received
Short URL
Creative Commons Attribution


      author = {David Bernhard and Olivier Pereira and Bogdan Warinschi},
      title = {How not to Prove Yourself: Pitfalls of the Fiat-Shamir Heuristic and Applications to Helios},
      howpublished = {Cryptology ePrint Archive, Paper 2016/771},
      year = {2016},
      note = {\url{https://eprint.iacr.org/2016/771}},
      url = {https://eprint.iacr.org/2016/771}
Note: In order to protect the privacy of readers, eprint.iacr.org does not use cookies or embedded third party content.