# Security of the Fiat-Shamir Transformation in the Quantum Random-Oracle Model

@article{Don2019SecurityOT, title={Security of the Fiat-Shamir Transformation in the Quantum Random-Oracle Model}, author={Jelle Don and Serge Fehr and Christian Majenz and Christian Schaffner}, journal={IACR Cryptol. ePrint Arch.}, year={2019}, volume={2019}, pages={190} }

The famous Fiat-Shamir transformation turns any public-coin three-round interactive proof, i.e., any so-called \(\Sigma\)-protocol, into a non-interactive proof in the random-oracle model. We study this transformation in the setting of a quantum adversary that in particular may query the random oracle in quantum superposition.

## 105 Citations

### Revisiting Post-Quantum Fiat-Shamir

- Computer Science, Mathematics
- IACR Cryptol. ePrint Arch.
- 2019

This work gives mild conditions under which Fiat-Shamir is secure in the quantum setting, and shows that existing lattice signatures based on Fiat-Shamir are secure without any modifications.

### A Simple Post-Quantum Non-Interactive Zero-Knowledge Proof from Garbled Circuits

- Computer Science, Mathematics
- IACR Cryptol. ePrint Arch.
- 2021

A simple public-coin zero-knowledge proof system solely based on symmetric primitives, from which the Fiat-Shamir heuristic can be applied to make it non-interactive.

### Succinct Arguments in the Quantum Random Oracle Model

- Computer Science, Mathematics
- IACR Cryptol. ePrint Arch.
- 2019

SNARGs are highly efficient certificates of membership in non-deterministic languages and are widely believed to be post-quantum secure, provided the oracle is instantiated with a suitable post-quantum hash function.

### Fiat-Shamir Transformation of Multi-Round Interactive Proofs

- Computer Science, Mathematics
- IACR Cryptol. ePrint Arch.
- 2021

This work shows that for \(t\)-fold parallel repetitions of typical \((k_1, \ldots, k_\mu)\)-special-sound protocols with \(t \geq \mu\), there is an attack that results in a security loss of approximately \(\frac{1}{2} Q^{\mu} / \mu^{\mu+t}\).

### A Note on Separating Classical and Quantum Random Oracles

- Computer Science, Mathematics
- IACR Cryptol. ePrint Arch.
- 2020

The first examples of natural cryptographic schemes that separate the classical and quantum random oracle models are given: digital signature and public key encryption schemes are constructed that are secure in the classical random oracle model but insecure in the quantum random oracle model, assuming the quantum hardness of the learning with errors problem.

### SO-CCA Secure PKE in the Quantum Random Oracle Model or the Quantum Ideal Cipher Model

- Computer Science, Mathematics
- IMACC
- 2019

It is shown that there exist PKE schemes which meet standard security notions such as indistinguishability against chosen ciphertext attacks (IND-CCA security) but do not meet SO security against chosen ciphertext attacks, so it is important to consider SO security in the multi-user setting.

### Post-Quantum Succinct Arguments

- Computer Science, Mathematics
- Empir. Softw. Eng.
- 2021

We prove that Kilian’s four-message succinct argument system is post-quantum secure in the standard model when instantiated with any probabilistically checkable proof and any collapsing hash function…

### Quantum security of the Fiat-Shamir transform of commit and open protocols

- Computer Science, Mathematics
- IACR Cryptol. ePrint Arch.
- 2019

This paper shows that if the authors start from a commit-and-open identification scheme, where the prover first commits to several strings and then as a second message opens a subset of them depending on the verifier's message, then the Fiat-Shamir transform is quantum secure, for a suitable choice of commitment scheme.

### Quantum Random Oracle Model with Auxiliary Input

- Computer Science, Mathematics
- IACR Cryptol. ePrint Arch.
- 2019

The random oracle model (ROM) is an idealized model where hash functions are modeled as random functions that are only accessible as oracles and no work has dealt with the above two problems simultaneously.

### A non-PCP Approach to Succinct Quantum-Safe Zero-Knowledge

- Mathematics, Computer Science
- IACR Cryptol. ePrint Arch.
- 2020

Today’s most compact zero-knowledge arguments are based on the hardness of the discrete logarithm problem and related classical assumptions, which, by exploiting extra algebraic structure, are a few orders of magnitude more compact in practice than the generic constructions.

## References

### Post-quantum Security of Fiat-Shamir

- Computer Science, Mathematics
- ASIACRYPT
- 2017

The Fiat-Shamir construction is an efficient transformation in the random oracle model for creating non-interactive proof systems and signatures from sigma-protocols, but Ambainis, Rosmanis, and Unruh ruled out non-relativizing proofs under those conditions in the quantum setting.

### A Concrete Treatment of Fiat-Shamir Signatures in the Quantum Random-Oracle Model

- Computer Science, Mathematics
- IACR Cryptol. ePrint Arch.
- 2017

The goal of this current paper is to create a generic framework for constructing tight reductions in the QROM from underlying hard problems to Fiat-Shamir signatures.

### Non-Interactive Zero-Knowledge Proofs in the Quantum Random Oracle Model

- Computer Science, Mathematics
- EUROCRYPT
- 2014

We present a construction for non-interactive zero-knowledge proofs of knowledge in the random oracle model from general sigma-protocols. Our construction is secure against quantum adversaries. Prior…

### Revisiting Post-Quantum Fiat-Shamir

- Computer Science, Mathematics
- IACR Cryptol. ePrint Arch.
- 2019

This work gives mild conditions under which Fiat-Shamir is secure in the quantum setting, and shows that existing lattice signatures based on Fiat-Shamir are secure without any modifications.

### How to Record Quantum Queries, and Applications to Quantum Indifferentiability

- Computer Science, Mathematics
- IACR Cryptol. ePrint Arch.
- 2018

The quantum random oracle model (QROM) has become the standard model in which to prove the post-quantum security of random-oracle-based constructions. Unfortunately, none of the known proof…

### The Fiat-Shamir Transformation in a Quantum World

- Computer Science, Mathematics
- IACR Cryptol. ePrint Arch.
- 2013

It has been unclear if the Fiat-Shamir technique is still secure in this quantum oracle model (QROM) and whether such adversaries should be allowed to query the random oracle in superposition.

### Revisiting TESLA in the Quantum Random Oracle Model

- Computer Science, Mathematics
- PQCrypto
- 2017

We study a scheme of Bai and Galbraith (CT-RSA’14), also known as TESLA. TESLA was thought to have a tight security reduction from the learning with errors problem (LWE) in the random oracle model…

### Quantum Position Verification in the Random Oracle Model

- Computer Science, Mathematics
- CRYPTO
- 2014

This work presents a quantum position verification scheme in the random oracle model that gives an efficient position-based authentication protocol that enables secret and authenticated communication with an entity that is only identified by its position in space.

### Secure Identity-Based Encryption in the Quantum Random Oracle Model

- Computer Science, Mathematics
- CRYPTO
- 2012

This work gives the first proof of security for an identity-based encryption (IBE) scheme in the quantum random oracle model and argues that the aforementioned cryptosystems are secure against quantum adversaries.

### Random Oracles in a Quantum World

- Computer Science, Mathematics
- ASIACRYPT
- 2011

It is shown that certain post-quantum proposals, including ones based on lattices, can be proven secure using history-free reductions and are therefore post-quantum secure.