Security of the Fiat-Shamir Transformation in the Quantum Random-Oracle Model

Abstract

The famous Fiat-Shamir transformation turns any public-coin three-round interactive proof, i.e., any so-called \(\Sigma {\text {-protocol}}\), into a non-interactive proof in the random-oracle model. We study this transformation in the setting of a quantum adversary that in particular may query the random oracle in quantum superposition.

Our main result is a generic reduction that transforms any quantum dishonest prover attacking the Fiat-Shamir transformation in the quantum random-oracle model into a similarly successful quantum dishonest prover attacking the underlying \(\Sigma {\text {-protocol}}\) (in the standard model). Applied to the standard soundness and proof-of-knowledge definitions, our reduction implies that both these security properties, in both the computational and the statistical variant, are preserved under the Fiat-Shamir transformation even when allowing quantum attacks. Our result improves and completes the partial results that have been known so far, but it also proves wrong certain claims made in the literature.

In the context of post-quantum secure signature schemes, our results imply that for any \(\Sigma {\text {-protocol}}\) that is a proof-of-knowledge against quantum dishonest provers (and that satisfies some additional natural properties), the corresponding Fiat-Shamir signature scheme is secure in the quantum random-oracle model. For example, we can conclude that the non-optimized version of Fish, which is the bare Fiat-Shamir variant of the NIST candidate Picnic, is secure in the quantum random-oracle model.

Appendices

A Proof of Lemmas 12 and 15

Proof

(of Lemma 12). Let \(\mathcal{A}\) be an adaptive \(\Sigma {\text {-protocol}}\) adversary, producing x and a in the first stage, and z in the second stage. We then consider the following algorithms. \(\mathcal{A}_{init}\) runs the first stage of \(\mathcal{A}\) (using the same initial state), outputting x and a. Let \(|\psi _{x,a}\rangle \) be the corresponding internal state at this point. Furthermore, for any possible x and a, \(\mathcal{A}_{x,a}\) is the following static \(\Sigma {\text {-protocol}}\) adversary. Its initial state is \(|\psi _{x,a}\rangle |a\rangle \) and in the first stage it simply outputs a, and in the second stage, after having received the verifier’s challenge, it runs the second stage of \(\mathcal{A}\). We then see that

$$\begin{aligned} \Pr \bigl [x \not \in \mathcal{L}&\,\wedge \, v = accept :(x,v) \leftarrow \langle \mathcal{A}, \mathcal{V}\rangle \bigr ] \\[1.2ex]&= \sum _{x_\circ \not \in \mathcal{L}} \Pr \bigl [x = x_\circ \,\wedge \, v = accept :(x,v) \leftarrow \langle \mathcal{A}, \mathcal{V}\rangle \bigr ]\\&= \sum _{x_\circ \not \in \mathcal{L}} \sum _a \Pr \bigl [\mathcal{A}_{init} = (x_\circ ,a)\bigr ] \Pr \bigl [\langle \mathcal{A}_{x_\circ ,a} , \mathcal{V}(x_\circ ) \rangle = accept \bigr ]. \end{aligned}$$

Since \( \Pr \bigl [\langle \mathcal{A}_{x_\circ ,a} , \mathcal{V}(x_\circ ) \rangle = accept \bigr ]\) is bounded by a negligible function, given that \(\mathcal{A}_{x,a}\) is a (quantum polynomial-time/unbounded) static adversary, the claim follows.    \(\square \)

Proof

(of Lemma 15). Let \(\mathcal{A}\) be an adaptive \(\Sigma {\text {-protocol}}\) adversary, producing x and a in the first stage, and z in the second stage. We construct a black-box knowledge extractor \(\mathcal{K}_{ad}\) that works for any such \(\mathcal{A}\). In a first step, \(\mathcal{K}_{ad}^\mathcal{A}\) runs the first stage of \(\mathcal{A}\) using the black-box access to \(\mathcal{A}\) (and having access to the initial state of \(\mathcal{A}\)). Below, we call this first stage of \(\mathcal{A}\) as \(\mathcal{A}_{init}\). This produces x and a, and we write \(|\psi _{x,a}\rangle \) for the corresponding internal state. Then, it runs \(\mathcal{K}_{na}^{\mathcal{A}^{x,a}}\), where \(\mathcal{K}_{na}\) is the knowledge extractor guaranteed to exist for static adversaries, and \(\mathcal{A}^{x,a}\) is the static adversary that works as follows. It’s initial state is \(|\psi _{x,a}\rangle |a\rangle \) and in the first stage it simply outputs a, and in the second stage it runs the second stage of \(\mathcal{A}\) on the state \(|\psi _{x,a}\rangle \). Note that having obtained x and a and the state \(|\psi _{x,a}\rangle \) as first step of \(\mathcal{K}_{ad}^\mathcal{A}\), \(\mathcal{K}_{na}^{\mathcal{A}^{x,a}}\) can then be executed with black box access to (the second stage of) \(\mathcal{A}\). For any subset \(X \subseteq \mathcal{X}\), we now see that

$$\begin{aligned} \Pr&\left[ x\in X\wedge (x,w)\in R : (x,w)\leftarrow \mathcal {K}_{ad}^{\mathcal {A}}\right] \\[0.5em]&= \sum _{x\in X} \sum _a \Pr \bigr [\mathcal{A}_{init} = (x,a) \bigl ] \Pr \Bigl [(x,w)\in R : w\leftarrow \mathcal {K}_{na}^{\mathcal {A}^{x,a}} \Bigr ] \\&\ge \sum _{x\in X} \sum _a \Pr \bigr [\mathcal{A}_{init} = (x,a) \bigl ] \cdot \frac{1}{p(\eta )} \cdot \Pr \bigl [\langle \mathcal{A}^{x,a} , \mathcal{V}(x)\rangle = accept \bigr ]^d- \kappa (\eta )\\&\ge \frac{1}{p(\eta )}\bigg (\sum _{x\in X} \sum _a \Pr \bigr [\mathcal{A}_{init} = (x,a) \bigl ] \Pr \bigl [\langle \mathcal{A}^{x,a} , \mathcal{V}(x)\rangle = accept \bigr ]\bigg )^d -\kappa (\eta )\\&= \frac{1}{p(\eta )} \Pr \bigl [ x \in X \wedge v\!=\!1: (x,v)\leftarrow \langle \mathcal{A}^{x,a} , \mathcal{V}(x)\rangle \bigr ]^d -\kappa (\eta ), \end{aligned}$$

where the first inequality is because of the static proof-of-knowledge property, and the second is Jensen’s inequality, noting that we may assume without loss of generality that \(d \ge 1\).    \(\square \)

B Generalization of Lemma 7 from [Unr12]

Lemma 29

Let \(P_1,\ldots ,P_n\) be projections and \(|\psi \rangle \) a state vector, and set

$$ V := \frac{1}{n} \sum _i \langle \psi | P_i |\psi \rangle = \frac{1}{n} \sum _i \Vert P_i |\psi \rangle \Vert ^2 \quad \text {and}\quad F := \frac{1}{n^t}\sum _{i_1 \cdots i_t} \Vert P_{i_t} \cdots P_{i_1} |\psi \rangle \Vert ^2. $$

Then \(F \ge V^{2t-1}\).

The case \(t=2\) was proven in [Unr12, Lemma 7]. We show here how to extend the proof to \(t = 3\); the general case works along the same lines.

Proof

(of the case \(t = 3\)). For convenience, set \(A:= \frac{1}{n} \sum _i P_i\) and \(|\psi _{ijk}\rangle := P_k P_j P_i |\psi \rangle \). Then, using convexity of the function \(x \mapsto x^5\) to argue the first inequality, we get

$$\begin{aligned} V^5 =&(\langle \psi | A |\psi \rangle )^5 = \langle \psi | A^5 |\psi \rangle = \frac{1}{n^5} \sum _{i j k \ell m} \langle \psi | P_i P_j P_k P_\ell P_m |\psi \rangle \\&= \frac{1}{n^5} \sum _{i j k \ell m} \langle \psi _{ijk}|\psi _{m \ell k}\rangle = \frac{1}{n} \sum _k \bigg ( \frac{1}{n^2} \sum _{ij} \langle \psi _{ijk}|\bigg )\bigg (\frac{1}{n^2} \sum _{\ell m} |\psi _{m \ell k}\rangle \bigg )\\&\qquad = \frac{1}{n} \sum _k \Big \Vert \frac{1}{n^2} \sum _{ij} |\psi _{ijk}\rangle \Big \Vert ^2 \le \frac{1}{n^3} \sum _{ijk} \Vert |\psi _{ijk}\rangle \Vert ^2 = F, \end{aligned}$$

where the last inequality is Claim 2 in the proof of Lemma 7 in [Unr12].    \(\square \)