Fiat-Shamir on As it was https://galoishlee.github.io/tags/fiat-shamir/ Recent content in Fiat-Shamir on As it was Hugo zh-CN maocred@gmail.com (Halois) maocred@gmail.com (Halois) This work is licensed under a Creative Commons Attribution-NonCommercial 4.0 International License. Wed, 03 Dec 2025 08:00:00 +0800 Sigma 协议的统一视角:Schnorr、表示证明与 Fiat-Shamir https://galoishlee.github.io/sigma-schnorr-fiat-shamir/ Wed, 03 Dec 2025 08:00:00 +0800maocred@gmail.com (Halois) https://galoishlee.github.io/sigma-schnorr-fiat-shamir/ <blockquote> <p>Reading: sigma protocols as the first reusable proof skeleton of the series.</p> </blockquote> <p>上一篇把 Pedersen 承诺写成了一个 relation:</p> $$ C = g^m h^r. $$<p>这一篇开始研究,怎样围绕这种 relation 构造一个既能 extraction、又能 simulation 的三步证明骨架。真正需要记住的不是 “Schnorr” 这个名字,而是同一个模板:first message 先把 witness 压进一个承诺式对象,verifier 给出一个公币 challenge,prover 再用线性响应把 witness 带回来。</p> <p>Sigma 协议之所以重要,不是因为它是某个古典协议家族,而是因为它把三件后面一直会重复出现的东西压进了同一份 transcript:</p> <ul> <li>commitment / first message</li> <li>extractor 需要的两份 accepting transcripts</li> <li>simulator 需要重建的 transcript distribution</li> </ul> <p>这也是它成为后续现代证明系统桥梁的原因。Schnorr 证明离散对数是最小例子,表示证明是直接推广,而 Fiat-Shamir 则显示这套骨架一旦被 hash 取代 challenge,交互虽然消失,模型边界却一起换掉了。<sup id="fnref:1"><a href="#fn:1" class="footnote-ref" role="doc-noteref">1</a></sup> <sup id="fnref:2"><a href="#fn:2" class="footnote-ref" role="doc-noteref">2</a></sup> <sup id="fnref:3"><a href="#fn:3" class="footnote-ref" role="doc-noteref">3</a></sup></p>