# Random oracle model proofs and programmability

**Fiat-Shamir heuristic**; it's a nice trick to make non-interactive zero-knowledge proofs.

Before getting to Fiat-Shamir, consider how your favourite basic zero-knowledge proof works. Since this is Crypto SE, not CSTheory SE, hopefully you are thinking about proving knowledge of discrete logarithms and quadratic residues, not graph isomorphisms or 3-colorings of graphs. ;)

[Aside: technically these are not true zero-knowledge proofs, they are honest-verifier zero-knowledge proofs (sometimes called $\Sigma$-protocols), but we don't care about that distinction here]

### Schnorr’s proof of knowledge of a discrete logarithm

$P$ (for prover) comes along with two values $g$ and $y$ in some group $\mathbb{G}_q$ where the discrete logarithm is hard. She claims: I know the value $x$ such that $y=g^x$. As $x$ is the discrete logarithm of $y$ base $g$, computing $x$ directly is infeasible, so $V$ (verifier) cannot initially be sure whether she truly knows $x$ or not.

The Schnorr protocol lets $P$ prove knowledge of $x$ to $V$ in a way that does not reveal anything about $x$. It goes as follows:

- $P$ generates a random value $a$, computes $b=g^a$, and sends $b$ to $V$
- $V$ generates a random value $c$ and sends $c$ back to $P$
- $P$ computes $d=a+cx$ and sends $d$ to $V$
- $V$ accepts $\langle b, c, d\rangle$ as proof for $\langle g, y \rangle$ iff $g^d=by^c$

### Security Analysis

We can ask ourselves what we want in terms of security from such a protocol. $V$ is concerned that sending a bunch of numbers back and forth might not actually constitute a proof that $P$ knows such an $x$. If he can actually conclude that $P$ must know $x$ whenever $P$ can produce many accepting $\langle b, c, d\rangle$ transcripts, the proof is said to be **sound**.

$P$ may be concerned that $V$ might learn some information about $x$ from seeing one or more accepting transcripts. This is supposed to be a proof that leaks zero information about $x$ (glossing over the honest-verifier technicality). If it leaks zero information, it is said to be **zero-knowledge**.

### Soundness (via Extraction)

To show the Schnorr protocol is sound, we are actually going to do it indirectly. We are first going to show it is something called "extractable" and then show that extractability implies soundness. I'm not going to give actual definitions or proofs, just a sketch of what is going on.

Schnorr protocols have a special soundness property (called, you guessed it, special soundness): if there are two accepting transcripts $t_1=\langle b, c, d \rangle$ and $t_2=\langle b, c', d' \rangle$ where $t_1$ shares the same value of $b$ with $t_2$ but $c$ (and thus $d$) are different, then it is possible to calculate the value of $x$: $x=(d-d')/(c-c')$. If $P$ can reliably generate accepting transcripts, then there is no reason to suppose she couldn't generate $t_1$. Likewise $t_2$. And if she can produce both, then she "knows" $x$ in the sense that the knowledge required to produce $t_1$ and $t_2$ is sufficient to produce $x$ itself.

When we finally get to Fiat-Shamir, it will be important to have formalized this notion of "extractability" a little bit. Consider the situation where $P$ is a compiled binary program instead of a person. You can run $P$, which will perform the protocol, and you can rewind $P$ to a previous internal state, but you can't decompile it or look at the internal state (this is called rewindable blackbox access; why these special powers are allowed in proving extractability is a subject for another time).

We say that a protocol is extractable if you can get $x$ from interacting with such a black box. And we say a protocol is sound if it is extractable in this way (a blackbox that you can rewind). Both of these propositions have proofs in the literature with lots of fine print I am omitting. Note that you can prove soundness in other ways than extractability, or with other flavours than blackbox-rewindable extractability (extractability is sufficient but not necessary).

For Schnorr, it should be obvious how, but here is the trace:

- Let $P$ output $b$
- Give $P$ a random $c$ as input
- Let $P$ output $d$
- Rewind $P$ to after step 1 and before step 2
- Give $P$ a different random $c'$ as input
- Let $P$ output $d'$
- Compute $x$ from $\langle b, c, d \rangle$ and $\langle b, c', d' \rangle$
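The protocol and the rewinding extractor above, as an added worked example (this code is not from the original answer). It uses a constructed toy group ($p=23$, $g=2$ of prime order $q=11$), far too small for real use; the class and function names (`SchnorrProver`, `extractor`, `extract`) are this example's own. The prover object stands in for the compiled binary: the extractor can run it, save and restore its state, but never reads `_x` directly.

```python
import secrets

# Constructed toy group (not secure): g = 2 has prime order q = 11 in Z_23^*.
P, Q, G = 23, 11, 2


def verify(y, b, c, d):
    """V accepts <b, c, d> as a proof for <g, y> iff g^d == b * y^c (mod p)."""
    return pow(G, d, P) == (b * pow(y, c, P)) % P


class SchnorrProver:
    """P holds x with y = g^x. The extractor gets rewindable black-box access:
    it may call these methods and restore an earlier state, nothing more."""

    def __init__(self, x):
        self._x = x
        self._a = None

    def commit(self):
        self._a = secrets.randbelow(Q)      # fresh random a
        return pow(G, self._a, P)           # b = g^a

    def save_state(self):
        return self._a                      # opaque state handle for rewinding

    def rewind(self, state):
        self._a = state

    def respond(self, c):
        return (self._a + c * self._x) % Q  # d = a + c x


def run_protocol(prover, y):
    """One honest interactive run; returns the transcript and V's decision."""
    b = prover.commit()
    c = secrets.randbelow(Q)
    d = prover.respond(c)
    return (b, c, d), verify(y, b, c, d)


def extract(c1, d1, c2, d2):
    """Special soundness: two accepting transcripts with the same b and
    c != c' give x = (d - d') / (c - c') mod q."""
    if (c1 - c2) % Q == 0:
        raise ValueError("need distinct challenges")
    return ((d1 - d2) * pow((c1 - c2) % Q, -1, Q)) % Q


def extractor(prover, y, c1, c2):
    """The seven-step trace: commit, challenge, rewind, challenge again, solve."""
    b = prover.commit()                 # step 1: P outputs b
    state = prover.save_state()
    d1 = prover.respond(c1)             # steps 2-3: challenge c, response d
    prover.rewind(state)                # step 4: back to after step 1
    d2 = prover.respond(c2)             # steps 5-6: challenge c', response d'
    assert verify(y, b, c1, d1) and verify(y, b, c2, d2)
    return extract(c1, d1, c2, d2)      # step 7


if __name__ == "__main__":
    x = 7
    y = pow(G, x, P)
    print("honest run accepted:", run_protocol(SchnorrProver(x), y)[1])
    print("extracted x:", extractor(SchnorrProver(x), y, 3, 5))
```

Whatever random `a` the prover picks, the two responses differ by exactly $(c-c')x$, so the extracted value is always the prover's $x$; the extractor never saw `a` or `_x`, only the two transcripts.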

### Zero-knowledge (via Simulation)

Similarly, we can indirectly prove the protocol is zero-knowledge by showing it has a different property: simulatability. In this case, we get a compiled binary of $V$ and have to reliably supply it with acceptable $b$ and $d$ values for the $c$'s it gives us. However, the protocol is for knowledge of an $x$ we do not actually know! If we can simulate acceptable protocol runs without knowing $x$, then the values in the protocol must not actually be leaking any information about $x$. So if the protocol is simulatable in this regard, then it is zero-knowledge.

I mentioned before that Schnorr is not actually a zero-knowledge protocol. This creates some problems with simulating Schnorr transcripts that will get resolved when we use a random oracle with Fiat-Shamir. To simulate Schnorr protocols, we do the following:

- Generate random value $d$
- Guess the value of $c$
- Supply $b=g^dy^{-c}$ as input to $V$
- Let $V$ output $c'$
- If $c' \neq c$ (you guessed wrong), rewind to step 2. Else continue
- Supply $d$ to $V$, which will accept

If the values of $c$ are very short (say a bit), then the simulator is efficient. For longer values, you can't prove the zero-knowledgeness of Schnorr with this method. There are a handful of tricks to convert Schnorr into something that is true zero-knowledge.
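The guess-and-rewind simulator above, as an added example (not code from the original answer). It reuses the same constructed toy group ($p=23$, $g=2$, $q=11$) and needs only $y$, never $x$. `BlackBoxVerifier` is this example's stand-in for the compiled verifier: it derives its challenge from a private random tape and from $b$, so it may be dishonest (its $c$ can depend on $b$), and the simulator can only call it and start it over. The `challenge_bits` parameter is the example's own knob for the length of $c$; the attempt counter makes the efficiency point concrete.

```python
import hashlib
import secrets

# Constructed toy group (not secure): g = 2 has prime order q = 11 in Z_23^*.
P, Q, G = 23, 11, 2


def verify(y, b, c, d):
    return pow(G, d, P) == (b * pow(y, c, P)) % P


class BlackBoxVerifier:
    """Compiled-verifier stand-in. The challenge is a deterministic function of a
    private random tape and the commitment b, so rewinding (starting it over) and
    sending the same b yields the same c, while a different b may yield another."""

    def __init__(self, challenge_bits, tape=None):
        self.k = challenge_bits
        self._tape = secrets.token_bytes(16) if tape is None else tape

    def challenge(self, b):
        h = hashlib.sha256(self._tape + b.to_bytes(2, "big")).digest()
        return int.from_bytes(h[:4], "big") % (1 << self.k)

    def finish(self, y, b, c, d):
        return verify(y, b, c, d)


def simulate(y, verifier, max_attempts=100000):
    """Produce an accepting transcript for y without knowing x.
    Returns (b, c, d, attempts); attempts grows like 2^k on average."""
    for attempts in range(1, max_attempts + 1):
        d = secrets.randbelow(Q)                      # step 1: pick d first
        c_guess = secrets.randbelow(1 << verifier.k)  # step 2: guess c
        # step 3: b = g^d * y^{-c}, so g^d == b * y^c holds by construction
        b = (pow(G, d, P) * pow(pow(y, c_guess, P), -1, P)) % P
        c = verifier.challenge(b)                     # step 4: V outputs c'
        if c == c_guess:                              # step 5: guessed right
            return b, c, d, attempts                  # step 6: V will accept d
        # guessed wrong: the loop restarts the verifier with a fresh (b, d)
    raise RuntimeError("simulation did not succeed within max_attempts")


if __name__ == "__main__":
    y = 13                       # some y = g^x; the simulator never learns x
    for k in (1, 2, 3):
        b, c, d, n = simulate(y, BlackBoxVerifier(k))
        print(f"{k}-bit challenge: accepted={verify(y, b, c, d)} after {n} attempts")
```

With a 1-bit challenge the loop succeeds after about two tries; each extra challenge bit halves the chance that a guess matches, which is exactly why this argument stops working for full-length challenges.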

### Fiat-Shamir Heuristic

Reading the above, you might do a double-take: on one hand, you can show that $x$ must be known if transcripts accept, and on the other, you can generate transcripts that accept without $x$: what gives? If you look closely, you'll see that the simulated transcripts are generated out of order while the extractable ones are generated in order. In fact, by generating out of order, we cannot produce $\langle b, c, d \rangle$ and $\langle b, c', d'\rangle$ transcripts, since the value of $b$ is no longer being chosen: it is determined by $d$ and $c$.

The idea of Fiat-Shamir is to make Schnorr (and related) protocols non-interactive. This means $P$ can produce all three values $\langle b, c, d \rangle$ instead of relying on $V$ to provide $c$. Furthermore, since we know transcripts are simulatable, $P$ has to produce a value of $c$ that must have been generated after the value $b$, thus ruling out any simulation. How? It is really easy actually: set $c=\mathcal{H}(b)$. The verifier additionally checks that $c=\mathcal{H}(b)$. [Aside: there is actually a neat optimization here where you don't have to send the value $b$ at all, but leave that aside].

Last, we can introduce random oracles. It turns out that if you use regular hash functions, you can't wrestle extractability or simulation out of the protocol. We'll try, but ultimately we will require a random oracle that can be programmed.

### Extraction with Fiat-Shamir heuristic

Recall that extraction relies on pairs of transcripts like $\langle b, c, d \rangle$ and $\langle b, c', d' \rangle$. With Fiat-Shamir, $c=\mathcal{H}(b)$, so if the values of $b$ between two transcripts are identical, then $c$ and thus $d$ will be as well. Consequently, we cannot get two such transcripts with a regular deterministic hash function. But if $\mathcal{H}$ is a programmable random oracle, we can get it to produce different values for the same input. Once again, we play the game of having rewindable blackbox access to $P$, but this time we also get the random oracle $O$:

- Let $P$ generate $b$
- See $P$ query $O$ with $b$ for $\mathcal{H}(b)$
- Generate random $c$ and program $c=\mathcal{H}(b)$ in $O$
- Let $O$ answer the query
- Let $P$ compute $d$
- Let $P$ output $\langle b, c, d \rangle$
- Rewind to the end of step 2
- Generate random $c'$ and program $c'=\mathcal{H}(b)$ in $O$
- Proceed as before and eventually let $P$ output $\langle b, c', d' \rangle$

A few notes: (1) because this is non-interactive, $P$ does not output $b$ after step 1, so we rely on the ability to see queries to the random oracle; (2) if the oracle generates answers "on the fly" (instead of entering the protocol with a codebook of all queries/responses), we don't actually have to program it with different values of $c$. We just rewind to before the point where it is about to generate an answer and let it generate a random value (which will overwhelmingly be different than in the first execution). This sheds some light on the original poster's third question.

### Simulation with Fiat-Shamir

Similarly to extraction, the use of a random oracle makes simulation a cinch. Assuming you've read this far, you can probably see how, so I will just say it in a sentence: set a random value for $c$, calculate $\langle b, c, d \rangle$ by choosing $d$ first, and when the verifier checks with the oracle that $c=\mathcal{H}(b)$, program $c$ as the response.
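Both the Fiat-Shamir extraction trace and the one-sentence simulation above, as a single added example (not code from the original answer), again over the constructed toy group ($p=23$, $g=2$, $q=11$). `RandomOracle` is this example's lazily sampled random function with a `program` method and a query log; `FSProver` models the compiled prover as a deterministic program on a fixed random tape, so "rewinding to the end of step 2" is simply re-running it against a freshly programmed oracle. The `sampler` hook is how the reduction sees a query and fixes its answer before the oracle replies. All names are the example's own.

```python
import secrets

# Constructed toy group (not secure): g = 2 has prime order q = 11 in Z_23^*.
P, Q, G = 23, 11, 2


class RandomOracle:
    """H(b) is drawn at random on first query and remembered afterwards.
    A reduction may watch queries (log), fix an answer as it is being
    generated (sampler), or program an input before anyone queries it."""

    def __init__(self, sampler=None):
        self.table = {}
        self.log = []
        self._sampler = sampler

    def query(self, b):
        self.log.append(b)
        if b not in self.table:
            self.table[b] = self._sampler(b) if self._sampler else secrets.randbelow(Q)
        return self.table[b]

    def program(self, b, c):
        if b in self.table:
            raise ValueError("H(b) already answered; reprogramming would be inconsistent")
        self.table[b] = c


class FSProver:
    """Non-interactive prover with a fixed random tape (a). Running it twice
    against differently programmed oracles is the rewind in the trace above."""

    def __init__(self, x, tape=None):
        self._x = x
        self._a = secrets.randbelow(Q) if tape is None else tape

    def run(self, oracle):
        b = pow(G, self._a, P)
        c = oracle.query(b)                 # the only contact with the outside world
        d = (self._a + c * self._x) % Q
        return b, c, d


def fs_verify(y, b, c, d, oracle):
    """V recomputes c = H(b) through the same oracle and checks g^d == b y^c."""
    return c == oracle.query(b) and pow(G, d, P) == (b * pow(y, c, P)) % P


def transcripts_collide_without_programming(prover):
    """With a fixed, unprogrammed H, two runs give the same c: no pair to extract from."""
    oracle = RandomOracle()
    return prover.run(oracle) == prover.run(oracle)


def extract_fs(prover, c1, c2):
    """Steps 1-9: see the query for b, answer c1; rewind, answer c2; solve for x."""
    first = RandomOracle(sampler=lambda b: c1)    # steps 2-3: observe query, program c
    b1, _, d1 = prover.run(first)                 # steps 4-6: P finishes with d
    second = RandomOracle(sampler=lambda b: c2)   # steps 7-8: rewind, program c'
    b2, _, d2 = prover.run(second)                # step 9: P outputs <b, c', d'>
    assert b1 == b2 == first.log[0], "same tape, same commitment, same query"
    if (c1 - c2) % Q == 0:
        raise ValueError("challenges collided; rewind again with a fresh c'")
    return ((d1 - d2) * pow((c1 - c2) % Q, -1, Q)) % Q


def simulate_fs(y, oracle, c=None, d=None):
    """Pick c and d first, derive b, then program H(b) = c before V asks."""
    c = secrets.randbelow(Q) if c is None else c
    d = secrets.randbelow(Q) if d is None else d
    b = (pow(G, d, P) * pow(pow(y, c, P), -1, P)) % P   # b = g^d y^{-c}
    oracle.program(b, c)
    return b, c, d


if __name__ == "__main__":
    x, y = 7, pow(G, 7, P)
    honest = RandomOracle()
    print("honest proof accepted:", fs_verify(y, *FSProver(x).run(honest), honest))
    print("plain hash, same transcript twice:", transcripts_collide_without_programming(FSProver(x)))
    print("extracted x:", extract_fs(FSProver(x), 3, 5))
    sim = RandomOracle()
    print("simulated proof accepted:", fs_verify(y, *simulate_fs(y, sim), sim))
```

Two details match the notes in the answer: the extractor never receives $b$ from the prover's output before choosing $c$, it reads it off the oracle's query log; and `program` refuses to overwrite an input that has already been answered, which is why the simulator must fix $\mathcal{H}(b)$ before the verifier's query rather than after.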