Paper 2018/775

The Fiat-Shamir Zoo: Relating the Security of Different Signature Variants

Matilda Backendal, Mihir Bellare, Jessica Sorrell, and Jiahao Sun


The Fiat-Shamir paradigm encompasses many different ways of turning a given identification scheme into a signature scheme. Security proofs pertain sometimes to one variant, sometimes to another. We systematically study three variants that we call the challenge (signature is challenge and response), commit (signature is commitment and response) and transcript (signature is challenge, commitment and response) variants. Our framework captures the variants via transforms that determine the signature scheme as a function of not only the identification scheme and hash function (to cover both standard and random oracle model hashing), but also what we call a signing algorithm, to cover both classical and with-abort signing. We relate the security of the signature schemes produced by these transforms, giving minimal conditions under which uf-security of one transfers to the other. To apply this comprehensively, we formalize linear identification schemes, show that many schemes in the literature are linear, and show that any linear scheme meets our conditions for the signature schemes given by the three transforms to have equivalent uf-security. Our results give a comprehensive picture of the Fiat-Shamir zoo and allow proofs of security in the literature to be transferred automatically from one variant to another.

Available format(s)
Public-key cryptography
Publication info
Published elsewhere. MAJOR revision.NordSec 2018
Contact author(s)
mihir @ eng ucsd edu
2018-09-18: last of 3 revisions
2018-08-27: received
See all versions
Short URL
Creative Commons Attribution


      author = {Matilda Backendal and Mihir Bellare and Jessica Sorrell and Jiahao Sun},
      title = {The Fiat-Shamir Zoo: Relating the Security of Different Signature Variants},
      howpublished = {Cryptology ePrint Archive, Paper 2018/775},
      year = {2018},
      note = {\url{}},
      url = {}
Note: In order to protect the privacy of readers, does not use cookies or embedded third party content.