Fiat-Shamir transform
The Fiat-Shamir transform converts an interactive, public-coin identification protocol (a sigma protocol) into a non-interactive digital signature. In the interactive version a verifier sends a random challenge; the transform instead computes that challenge as a hash of the prover's first message together with the message being signed. Modeling the hash as a random oracle stops the prover from choosing the challenge, so the resulting proof stays as sound as the interactive protocol yet needs no verifier. Fiat and Shamir introduced the idea in 1986 (How to Prove Yourself).
Role in post-quantum signatures
ML-DSA (FIPS 204) is a Fiat-Shamir signature: it applies the transform to a lattice identification scheme, using the Fiat-Shamir with aborts variant that rejects and resamples commitments whose distribution would otherwise leak the secret key. The construction targets EUF-CMA security in the random oracle model. The transform is central to many public-key signature designs because it reduces signing to hashing plus the underlying protocol. Its guarantees depend on the random oracle assumption and on binding the message correctly into the hash; omitting inputs from that hash has caused real forgery vulnerabilities.
Sources
- How to Prove Yourself: Practical Solutions to Identification and Signature Problems (Springer (CRYPTO 1986), 1987)
- FIPS 204, Module-Lattice-Based Digital Signature Standard (NIST, 2024)
Cite this entry
"Fiat-Shamir transform." postquantum.wiki. Updated July 11, 2026. https://postquantum.wiki/fiat-shamir@misc{pqwiki-fiat-shamir,
title = {Fiat-Shamir transform},
howpublished = {\url{https://postquantum.wiki/fiat-shamir}},
year = {2026},
note = {postquantum.wiki, updated 2026-07-11}
}