LOGBOOK

HELP

Quiz Entry - updated: 2026.05.31

What does the Fiat-Shamir heuristic convert, and why is it everywhere in modern crypto?

Fiat-Shamir converts an interactive zero-knowledge proof into a non-interactive one by replacing the verifier's random challenges with the output of a cryptographic hash. The result: one-shot signatures and offline-verifiable proofs.

In the classic ZK protocol (e.g. the two-coloured balls):

Prover ─── commitment ───▶ Verifier
Prover ◀── random challenge ── Verifier
Prover ─── response ───▶ Verifier

The verifier's challenge must be unpredictable — that's what stops the prover from cheating.

Fiat-Shamir's insight (1986): if you compute the challenge as H(commitment ‖ public input), the prover cannot influence it in advance (one-wayness of H), but it's deterministic — so the protocol becomes one-message.

Where it shows up:

  • Schnorr signatures (modern ECDSA-like): a Fiat-Shamir-transformed Schnorr identification protocol.
  • EdDSA / Ed25519: same.
  • zk-SNARKs (used in Zcash, zkSync, …): the "non-interactive" in NIZK comes from Fiat-Shamir.
  • STARKs: also Fiat-Shamir-transformed.

Caveat: Fiat-Shamir security relies on modelling H as a random oracle. In the standard model (without that assumption), Fiat-Shamir can be subtly broken — bugs in the transformation have caused real CVEs (e.g. "Frozen Heart" attacks against several ZK implementations in 2022).

Tip: Whenever you see a single-message non-interactive proof, there's almost certainly a Fiat-Shamir transformation lurking inside. It's one of the most-used "tricks" in modern cryptographic protocol design.

From Quiz: ISF / Cryptographic Protocols & Requirements | Updated: May 31, 2026