# Security of the Fiat-Shamir Transformation in the Quantum Random-Oracle   Model

**Authors:** Jelle Don, Serge Fehr, Christian Majenz, Christian Schaffner

arXiv: 1902.07556 · 2020-07-28

## TL;DR

This paper proves that the Fiat-Shamir transformation maintains security against quantum adversaries in the quantum random-oracle model, ensuring the security of many post-quantum signature schemes.

## Contribution

It provides a generic reduction showing security preservation of the Fiat-Shamir transformation under quantum attacks, correcting previous misconceptions.

## Key findings

- Security of Fiat-Shamir is preserved against quantum attacks.
- Standard proof-of-knowledge and soundness properties hold in the quantum setting.
- The security of certain post-quantum signatures, like Picnic, is confirmed in the quantum random-oracle model.

## Abstract

The famous Fiat-Shamir transformation turns any public-coin three-round interactive proof, i.e., any so-called sigma-protocol, into a non-interactive proof in the random-oracle model. We study this transformation in the setting of a quantum adversary that in particular may query the random oracle in quantum superposition.   Our main result is a generic reduction that transforms any quantum dishonest prover attacking the Fiat-Shamir transformation in the quantum random-oracle model into a similarly successful quantum dishonest prover attacking the underlying sigma-protocol (in the standard model). Applied to the standard soundness and proof-of-knowledge definitions, our reduction implies that both these security properties, in both the computational and the statistical variant, are preserved under the Fiat-Shamir transformation even when allowing quantum attacks. Our result improves and completes the partial results that have been known so far, but it also proves wrong certain claims made in the literature.   In the context of post-quantum secure signature schemes, our results imply that for any sigma-protocol that is a proof-of-knowledge against quantum dishonest provers (and that satisfies some additional natural properties), the corresponding Fiat-Shamir signature scheme is secure in the quantum random-oracle model. For example, we can conclude that the non-optimized version of Fish, which is the bare Fiat-Shamir variant of the NIST candidate Picnic, is secure in the quantum random-oracle model.

## Full text

_Full body text omitted from this summary view._ Fetch the complete paper as Markdown: https://tomesphere.com/paper/1902.07556/full.md

## References

32 references — full list in the complete paper: https://tomesphere.com/paper/1902.07556/full.md

---
Source: https://tomesphere.com/paper/1902.07556