|
|
|
|
|
|
by less_less
336 days ago
|
|
|
As I understand the paper, the point is that Fiat-Shamir does *not* give a correct proof of the program's output. They gave a (maliciously constructed) program whose outputs are pairs (a,b) where certainly a != b (instead the program is constructed such that a = b+1 always). But you can get the corresponding Fiat-Shamir protocol to accept the statement "I know a secret x such that Program(x) = (0,0)", which is clearly a false statement. |
|
|