1. Fiat-Shamir definition

Through the Fiat-Shamir transform, the interactive Bulletproof argument, in which the Verifier issues a challenge at each of several rounds, can be turned into a non-interactive proof: each challenge is replaced by a hash of the transcript up to that point.

The Fiat-Shamir heuristic. The Fiat-Shamir transformation takes an interactive public coin argument and replaces the challenges with the output of a cryptographic hash function. The idea is that the hash function will produce random looking output and therefore be a suitable replacement for the verifier.
The Fiat-Shamir heuristic yields a non-interactive zero-knowledge argument in the random oracle model [BR93].
The transformation can be applied to our arguments to make them noninteractive at the cost of using the random oracle model in the security proofs. From an efficiency point of view this is especially useful for the arguments in Sections 4 and 5.2, reducing a logarithmic number of moves to a single one.

2. Random oracle definition

In cryptography, a random oracle is an oracle (a theoretical black box) that responds to every unique query with a (truly) random response chosen uniformly from its output domain. If a query is repeated it responds the same way every time that query is submitted.

Stated differently, a random oracle is a mathematical function chosen uniformly at random, that is, a function mapping each possible query to a (fixed) random response from its output domain.

Random oracles as a mathematical abstraction were first used in rigorous cryptographic proofs in the 1993 publication by Mihir Bellare and Phillip Rogaway. They are typically used when the proof cannot be carried out using weaker assumptions on the cryptographic hash function. A system that is proven secure when every hash function is replaced by a random oracle is described as being secure in the random oracle model, as opposed to secure in the standard model of cryptography.

Random oracles are typically used as an ideal replacement for cryptographic hash functions in schemes where strong randomness assumptions are needed of the hash function's output. Such a proof generally shows that a system or protocol is secure by showing that any attacker who breaks it must either obtain impossible behavior from the oracle (for example, predict an output before querying it) or solve some mathematical problem believed to be hard.

Not all uses of cryptographic hash functions require random oracles: schemes that require only one or more properties having a definition in the standard model (such as collision resistance, preimage resistance, second preimage resistance, etc.) can often be proven secure in the standard model (e.g., the Cramer–Shoup cryptosystem).

3. Fiat-Shamir implementation

According to https://merlin.cool/problem.html:
The Fiat-Shamir heuristic provides a way to transform a (public-coin) interactive argument into a non-interactive argument. Intuitively, the idea is to replace a verifier’s random challenges with a hash of the prover’s prior messages, but the exact details are usually unspecified.
In other words, the details are left to the implementer, and different implementation choices can introduce security flaws. The paper "How not to Prove Yourself: Pitfalls of the Fiat-Shamir Heuristic and Applications to Helios" showed that the Helios protocol used in IACR elections was vulnerable: its challenge hash did not bind the statement being proved (the so-called weak Fiat-Shamir variant), so a prover could produce proofs for statements chosen after the challenge was fixed. The paper "How not to prove your election outcome" showed that in the SwissPost/Scytl e-voting system forged proofs could pass verification. The practical rule that follows from both: the challenge must be computed over a domain separator, the public parameters, the full statement and every prior prover message, not over the prover's commitment alone.

https://github.com/dalek-cryptography/merlin claims that its Fiat-Shamir implementation (a transcript object that absorbs labelled messages and derives challenges from the whole transcript) avoids the problems described in the two papers above.
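The following is an added example, written for this page and not taken from the papers above, from Bulletproofs or from merlin. It illustrates both section 1 (turning a public-coin interactive argument into a non-interactive one) and section 3 (why the hash must bind the statement) on the simplest case, Schnorr's proof of knowledge of a discrete log. The group is a small safe-prime group generated in the code for illustration only (assumption: a ~32-bit prime, nowhere near a secure size), the hash is SHA-256 and the domain label is made up; a real deployment would use a 256-bit prime-order group such as ristretto255 and a transcript abstraction like merlin's.

```python
"""Fiat-Shamir for Schnorr's proof of knowledge of a discrete log:
interactive protocol, strong Fiat-Shamir, and the weak-Fiat-Shamir forgery.
Added example; the ~32-bit safe-prime group below is for illustration only."""
import hashlib
import secrets


def is_prime(n):
    """Deterministic Miller-Rabin; these bases are exact for n < 3.4e14."""
    if n < 2:
        return False
    for sp in (2, 3, 5, 7, 11, 13, 17):
        if n % sp == 0:
            return n == sp
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for a in (2, 3, 5, 7, 11, 13, 17):
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True


def safe_prime_group(start=2 ** 31 + 1):
    """Smallest q >= start with q and p = 2q + 1 prime. g = 4 generates the
    order-q subgroup of Z_p^* because 4 is a square and 4 != 1 (toy size)."""
    q = start | 1
    while not (is_prime(q) and is_prime(2 * q + 1)):
        q += 2
    return 2 * q + 1, q, 4


P, Q, G = safe_prime_group()


def keygen():
    """Witness x and public statement h = g^x."""
    x = secrets.randbelow(Q - 1) + 1
    return x, pow(G, x, P)


def verify(h, A, c, z):
    """Schnorr check g^z == A * h^c, after checking h and A lie in the
    order-q subgroup (skipping this is a separate classic pitfall)."""
    if pow(h, Q, P) != 1 or pow(A, Q, P) != 1:
        return False
    return pow(G, z, P) == A * pow(h, c, P) % P


def interactive_schnorr(x, h):
    """Three-move public-coin protocol: the verifier samples c itself."""
    a = secrets.randbelow(Q - 1) + 1
    A = pow(G, a, P)                  # prover  -> verifier: commitment
    c = secrets.randbelow(Q)          # verifier -> prover: random coin
    z = (a + c * x) % Q               # prover  -> verifier: response
    return verify(h, A, c, z)


def strong_fs_challenge(h, A):
    """c = H(domain label || public params || statement || commitment) mod q."""
    data = b"schnorr-dlog-v1|%d|%d|%d|%d" % (P, G, h, A)
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % Q


def weak_fs_challenge(h, A):
    """The Helios-style pitfall: only the commitment A is hashed, h is not."""
    return int.from_bytes(hashlib.sha256(b"%d" % A).digest(), "big") % Q


def ni_prove(x, h, challenge):
    """Non-interactive proof: the prover computes the challenge itself."""
    a = secrets.randbelow(Q - 1) + 1
    A = pow(G, a, P)
    return A, (a + challenge(h, A) * x) % Q


def ni_verify(h, proof, challenge):
    A, z = proof
    return verify(h, A, challenge(h, A), z)


def forge_weak_fs():
    """Forge a weak-FS proof for an h whose discrete log nobody knows.
    Because c does not depend on h, fix A and c first, pick any z, then solve
    g^z = A * h^c for h: h = (g^z * A^-1)^(c^-1 mod q). Against strong FS
    the same proof fails, since changing h changes c."""
    while True:
        A = pow(G, secrets.randbelow(Q - 1) + 1, P)
        c = weak_fs_challenge(None, A)
        if c != 0:                    # need c invertible mod q
            break
    z = secrets.randbelow(Q)
    base = pow(G, z, P) * pow(A, -1, P) % P
    h = pow(base, pow(c, -1, Q), P)
    return h, (A, z)
```

Note that `weak_fs_challenge` and `strong_fs_challenge` differ only in whether `h` (and the parameters and a domain label) enter the hash; that single omission is what turns an honest-looking verifier into one that accepts the output of `forge_weak_fs`. In Bulletproofs the same rule applies to every challenge: each one must be derived from the statement plus all previous prover messages, which is exactly what a transcript object enforces.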

References:
[1] Paper: "Efficient Zero-Knowledge Arguments for Arithmetic Circuits in the Discrete Log Setting"
[2] https://en.wikipedia.org/wiki/Random_oracle
[3] Paper: "How not to Prove Yourself: Pitfalls of the Fiat-Shamir Heuristic and Applications to Helios"
[4] Paper: "How not to prove your election outcome"
