What does the Fiat-Shamir heuristic convert, and why is it everywhere in modern crypto?
Fiat-Shamir converts an interactive zero-knowledge proof into a non-interactive one by replacing the verifier's random challenges with the output of a cryptographic hash. The result: one-shot signatures and offline-verifiable proofs.
In the classic ZK protocol (e.g. the two-coloured balls):
Prover ─── commitment ───▶ Verifier
Prover ◀── random challenge ── Verifier
Prover ─── response ───▶ Verifier
The verifier's challenge must be unpredictable — that's what stops the prover from cheating.
Fiat-Shamir's insight (1986): if you compute the challenge as H(commitment ‖ public input), the prover cannot influence it in advance (one-wayness of H), but it's deterministic — so the protocol becomes one-message.
Where it shows up:
- Schnorr signatures (modern ECDSA-like): a Fiat-Shamir-transformed Schnorr identification protocol.
- EdDSA / Ed25519: same.
- zk-SNARKs (used in Zcash, zkSync, …): the "non-interactive" in NIZK comes from Fiat-Shamir.
- STARKs: also Fiat-Shamir-transformed.
Caveat: Fiat-Shamir security relies on modelling H as a random oracle. In the standard model (without that assumption), Fiat-Shamir can be subtly broken — bugs in the transformation have caused real CVEs (e.g. "Frozen Heart" attacks against several ZK implementations in 2022).
Tip: Whenever you see a single-message non-interactive proof, there's almost certainly a Fiat-Shamir transformation lurking inside. It's one of the most-used "tricks" in modern cryptographic protocol design.