
Remember: Always include all public information and all transcript values. When in doubt, consult ZKDocs!

### Preventing replay attacks

Just like digital signatures, zero-knowledge proofs can be susceptible to replay attacks. As with other replay attacks, their severity is highly application- and context-specific.

If you believe replay attacks could be severe for your application, you might be able to use the Fiat-Shamir transformation to protect yourself. Specifically, suppose your application has some notion of identity tied to each party (a unique party ID, for example). In that case, you should include the IDs of the prover and the verifier in the Fiat-Shamir hash computation. Then, when the verifier verifies the proof, they should also check that the IDs used in the hash function match their own ID and the prover's ID. This will prevent other malicious parties from replaying any proof that they did not produce themselves.
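The ID binding described above, as an added example that is not code from ZKDocs: a non-interactive Schnorr proof of knowledge of a discrete log over secp256k1, whose Fiat-Shamir challenge hashes the prover and verifier IDs along with every public value. The choice of Schnorr as the proof, the function names, the ID strings and the length-prefixed transcript encoding are assumptions made for illustration.

```python
import hashlib, secrets

# secp256k1 domain parameters (public constants). Plain affine arithmetic, not constant-time.
P = 2**256 - 2**32 - 977
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)

def add(a, b):
    """Add two curve points; None is the point at infinity."""
    if a is None or b is None:
        return a or b
    (x1, y1), (x2, y2) = a, b
    if x1 == x2 and (y1 + y2) % P == 0:
        return None
    if a == b:
        m = 3 * x1 * x1 * pow(2 * y1 % P, -1, P) % P
    else:
        m = (y2 - y1) * pow((x2 - x1) % P, -1, P) % P
    x3 = (m * m - x1 - x2) % P
    return x3, (m * (x1 - x3) - y1) % P

def mul(k, pt):
    """Double-and-add scalar multiplication."""
    acc = None
    while k:
        if k & 1:
            acc = add(acc, pt)
        pt, k = add(pt, pt), k >> 1
    return acc

def challenge(prover_id, verifier_id, h, u):
    # Hash both identities and all public values; length prefixes keep fields unambiguous.
    coords = (c.to_bytes(32, "big") for c in (*G, *h, *u))
    t = hashlib.sha256()
    for item in (prover_id, verifier_id, *coords):
        t.update(len(item).to_bytes(4, "big") + item)
    return int.from_bytes(t.digest(), "big") % N

def prove(x, prover_id, verifier_id):
    """Prove knowledge of x with h = x*G, bound to one prover/verifier pair."""
    r = secrets.randbelow(N - 1) + 1
    u, h = mul(r, G), mul(x, G)
    return u, (r + challenge(prover_id, verifier_id, h, u) * x) % N

def verify(h, proof, prover_id, my_id):
    u, z = proof
    # The verifier supplies its own ID and the expected prover ID, never values from the proof.
    c = challenge(prover_id, my_id, h, u)
    return mul(z, G) == add(u, mul(c, h))
```

A `(u, z)` pair produced for one prover and verifier is rejected when presented to a verifier with a different ID or under a different prover ID, because the recomputed challenge no longer matches.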