1982
Chaum introduces blind signatures (CRYPTO '82), the building block of his untraceable digital cash, and later (1985) anonymous credentials. These are the foundational works of the cypherpunk movement and its culture, alongside essays such as "Numbers Can Be a Better Form of Cash than Paper".
1988
Babai introduces Arthur–Merlin games (the paper itself dates to 1985). Chaum, with Gilles Brassard and Claude Crépeau, introduces arguments of knowledge: protocols where soundness holds only against computationally bounded provers, as opposed to proofs, where it holds unconditionally.
1990
Schnorr has a brilliant idea, the Schnorr identification scheme, and decides to patent it, ensuring that no large-scale deployment of Schnorr signatures will happen until the patent expires in 2008.
1996
Jim Bell has the original idea of using signatures to create a killer app. From 1995 through early 1996, Bell writes an essay entitled "Assassination Politics", in which he describes using digital signatures over email to run an assassination market, "predicting" the deaths of "violators of rights, usually either government employees, officeholders, or appointees".
1996
Pointcheval and Stern give a formal proof of security for these signature schemes (Schnorr and its relatives) in the random oracle model, using the forking lemma.
This lemma is still a cornerstone of the knowledge-soundness proofs behind Fiat–Shamir-based proof systems, including many of the fancy blockchain SNARKs in use today.
In 2000 they publish a deeper analysis that also covers blind signatures, to which Schnorr replies claiming an attack (one that does not invalidate the theorem, since it needs more parallel sessions than the theorem allows).
1997
Cramer completes his PhD thesis, introducing the notion of sigma protocols.
1997
Camenisch and Stadler drop a "report" that is incredible. They show how these sorts of protocols can be composed nicely to prove very complex statements about discrete logarithms. Their notation is used today in most engineering papers, and their proofs are still widely used: they are what is used in CoinJoin for Bitcoin, in Signal for anonymous credentials, in Solana, in BBS for identity, and they are the core scope of our work.
Related lines of work: Stefan Brands (Rethinking Public Key Infrastructures and Digital Certificates) and Idemix, IBM's anonymous credential system built on Camenisch–Lysyanskaya (CL) signatures.
1998
The standardization effort arrives. With FIPS 186 (DSA, first published in 1994 and revised as FIPS 186-1 in 1998) NIST standardizes a variation of the ElGamal signature designed to circumvent Schnorr's patent. Its elliptic-curve version, ECDSA, is the signature that gets into Bitcoin. (Bitcoin has since added Schnorr signatures, with BIP 340 / Taproot in 2021.)
This decision causes major headaches: hundreds of papers try to give (EC)DSA a proof of security or to build primitives over it, such as multisignatures or threshold signatures, all of which are much harder than for Schnorr because of the modular inversion of the nonce in signing.
1999
Stefan Brands publishes his PhD thesis (Rethinking Public Key Infrastructures and Digital Certificates: Building in Privacy) and announces the book version on xs4all, the Dutch ISP that grew out of the hacker collective and magazine Hack-Tic.
2002
Jan Camenisch and Anna Lysyanskaya: A Signature Scheme with Efficient Protocols (CL signatures).
2009
Maurer: Unifying Zero-Knowledge Proofs of Knowledge, a single sigma protocol for proving knowledge of a preimage under a group homomorphism, which covers Schnorr, Pedersen openings, and their relatives.
2013
Adam Back (and later, in 2015, Greg Maxwell with Confidential Transactions) shows how to do private payments in Bitcoin using homomorphic (Pedersen) commitments to the amounts plus range proofs.
2014
CMZ (Chase, Meiklejohn, Zaverucha) do anonymous credentials efficiently, realizing that CL-style credentials can be done in the keyed-verification setting without pairings, using algebraic MACs. Signal later builds its private group system on these sigma protocols.
2017
A major bug is found in Monero: key images are not checked to lie in the prime-order subgroup, so keys with a small-subgroup component are accepted and the same output can be spent more than once.
The same bug is later found in Semaphore.
2018
A VOPRF is used on the web: Privacy Pass issues anonymous tokens that let a client get past CAPTCHA blocking without being tracked.
Related references: C. Hazay and Y. Lindell, M. Ciampi, Unruh, Bellare (hash functions from sigma protocols), Damgård (definition of zero-knowledge).
Today, I’m still going strong!
In hackernoon: https://hackernoon.com/sigma-protocols-for-the-working-programmer
2010
2012
The Helios voting system gets the Fiat–Shamir transform wrong (weak Fiat–Shamir: the statement being proved is left out of the hash), so a voter can submit a ballot whose proof verifies but does not prove what it should. A paper is published: Bernhard, Pereira and Warinschi, "How Not to Prove Yourself: Pitfalls of the Fiat-Shamir Heuristic and Applications to Helios" (ASIACRYPT 2012).
2017
The Monero key-image bug is disclosed: https://www.getmonero.org/2017/05/17/disclosure-of-a-major-bug-in-cryptonote-based-currencies.html
2018
Zcash, NCC Group audit: a problem with the Fiat–Shamir transform is reported.
2019
https://github.com/semaphore-protocol/semaphore/issues/16
2020
Weak Fiat–Shamir found in the Coda review of O(1) Labs.
2021
Forgotten blinding scalars in Dusk Network's PLONK implementation (without them the proof is not zero-knowledge): https://github.com/dusk-network/plonk/pull/651
2022
Bulletproofs paper: "Frozen Heart", identified by the Trail of Bits team.
The Bulletproofs paper, which describes the Bulletproofs zero-knowledge range proof protocol, explains how to use the Fiat–Shamir transformation to make the proof non-interactive. However, its recommended instantiation of the Fiat–Shamir transformation left a crucial component out of the hash. This missing component in the non-interactive version of the protocol allows a malicious prover to forge proofs.
Background
Bulletproofs use Pedersen commitments, which are of the form
  commitment = g^v * h^gamma
Here g and h are elliptic curve points (independent generators), v is the secret value and gamma is the blinding factor. The Bulletproof is meant to prove that v falls within a certain range. Since this commitment is the public statement the verifier sees, it must be included in the Fiat–Shamir hash used in the protocol; leaving it out lets the prover choose the commitment after the challenges are already fixed.
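The omission described above, the public statement left out of the Fiat–Shamir hash, which is the same mistake as in the Helios entry, on the simplest possible sigma protocol: a Schnorr proof of knowledge of a discrete log instead of Bulletproofs. This is an added example, not code from the Bulletproofs paper, from Trail of Bits, or from any of the projects listed on this page. It assumes a toy group (the order-q subgroup of Z_p* for a 64-bit safe prime p = 2q + 1 found deterministically at import time, generator G = 4) and SHA-256 as the random oracle; all function names are its own.

```python
"""Weak vs strong Fiat-Shamir on a Schnorr proof of knowledge of a discrete log.

Added example, not the page's or any project's code. Toy parameters: the order-q
subgroup of Z_p^* for a safe prime p = 2q + 1 (assumed, found below), generator G = 4.
Weak Fiat-Shamir hashes only the prover's first message R; strong Fiat-Shamir also
hashes the public statement (G, X).
"""
import hashlib
import secrets

_MR_BASES = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)  # deterministic for n < 3.3e24


def _is_prime(n: int) -> bool:
    """Miller-Rabin with fixed bases; exact for the ~64-bit numbers used here."""
    if n < 2:
        return False
    for b in _MR_BASES:
        if n % b == 0:
            return n == b
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for a in _MR_BASES:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def find_safe_prime(start: int) -> tuple[int, int]:
    """Return (p, q) with p = 2q + 1 and both prime, q >= start (deterministic search)."""
    q = start | 1
    while not (_is_prime(q) and _is_prime(2 * q + 1)):
        q += 2
    return 2 * q + 1, q


P, Q = find_safe_prime(1 << 63)  # toy parameters (assumption), fixed by the search
G = 4                            # 4 = 2^2 is a quadratic residue, so it generates the order-q subgroup


def H(*items: int) -> int:
    """Fiat-Shamir hash: fixed-width encoding of each element, reduced mod q."""
    h = hashlib.sha256()
    for v in items:
        h.update(v.to_bytes(32, "big"))
    return int.from_bytes(h.digest(), "big") % Q


def challenge(X: int, R: int, strong: bool) -> int:
    # Strong: the statement (G, X) is bound before the challenge is derived.
    # Weak:   only the commitment R is hashed (the Helios / Frozen Heart mistake).
    return H(G, X, R) if strong else H(R)


def prove(x: int, X: int, strong: bool = True) -> tuple[int, int]:
    """Honest Schnorr proof of knowledge of x, where X = G^x mod P."""
    r = secrets.randbelow(Q - 1) + 1
    R = pow(G, r, P)
    c = challenge(X, R, strong)
    s = (r + c * x) % Q
    return R, s


def verify(X: int, proof: tuple[int, int], strong: bool = True) -> bool:
    R, s = proof
    if not (1 < X < P and 1 < R < P):
        return False
    c = challenge(X, R, strong)
    return pow(G, s, P) == (R * pow(X, c, P)) % P


def forge_weak() -> tuple[int, tuple[int, int]]:
    """Forge a weak-FS proof for a statement X whose discrete log nobody knows.

    R is a nothing-up-my-sleeve element (a hashed constant, squared into the subgroup),
    so the attacker does not know log_G(R). Because c = H(R) is fixed BEFORE X exists,
    the attacker picks s freely and solves the verification equation for X.
    """
    counter = 0
    while True:
        seed = int.from_bytes(hashlib.sha256(b"frozen heart %d" % counter).digest(), "big")
        R = pow(seed % P, 2, P)            # squaring lands in the order-q subgroup
        c = challenge(0, R, strong=False)  # X is ignored by the weak hash
        if R > 1 and c != 0:
            break
        counter += 1
    s = secrets.randbelow(Q)
    # Verification wants G^s == R * X^c, so X = (G^s * R^-1)^(c^-1 mod q).
    X = pow(pow(G, s, P) * pow(R, -1, P) % P, pow(c, -1, Q), P)
    return X, (R, s)


def demo() -> dict:
    x = secrets.randbelow(Q - 1) + 1
    X = pow(G, x, P)
    forged_X, forged_proof = forge_weak()
    return {
        "honest_strong": verify(X, prove(x, X, True), True),
        "honest_weak": verify(X, prove(x, X, False), False),
        "forgery_passes_weak": verify(forged_X, forged_proof, False),
        "forgery_fails_strong": not verify(forged_X, forged_proof, True),
    }


if __name__ == "__main__":
    print(demo())
```

forge_weak never learns a discrete log: it fixes R, hence c = H(R), picks s, and solves the verification equation for X. With the statement in the hash, X has to exist before c does, so the same algebra no longer closes. Note what weak Fiat–Shamir does and does not give an attacker: it does not let them forge a proof for a statement someone else fixed in advance; the damage comes from applications where the prover chooses the statement, such as a Helios ballot or the commitment V in a range proof.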
Missing bound checks on signature values (O(1) Labs).
2023
Weak Fiat–Shamir attacks on many modern proving systems (Dao, Miller, Wright, Grubbs): https://eprint.iacr.org/2023/691
2024
DarkFi review.