Security of the Fiat-Shamir Transformation in the Quantum Random-Oracle Model
Abstract
The famous Fiat-Shamir transformation turns any public-coin three-round interactive proof, i.e., any so-called sigma-protocol, into a non-interactive proof in the random-oracle model. We study this transformation in the setting of a quantum adversary that in particular may query the random oracle in quantum superposition. Our main result is a generic reduction that transforms any quantum dishonest prover attacking the Fiat-Shamir transformation in the quantum random-oracle model into a similarly successful quantum dishonest prover attacking the underlying sigma-protocol (in the standard model). Applied to the standard soundness and proof-of-knowledge definitions, our reduction implies that both these security properties, in both the computational and the statistical variant, are preserved under the Fiat-Shamir transformation even when allowing quantum attacks. Our result improves and completes the partial results that have been known so far, but it also proves wrong certain claims made in the literature. In the context of post-quantum secure signature schemes, our results imply that for any sigma-protocol that is a proof-of-knowledge against quantum dishonest provers (and that satisfies some additional natural properties), the corresponding Fiat-Shamir signature scheme is secure in the quantum random-oracle model. For example, we can conclude that the non-optimized version of Fish, which is the bare Fiat-Shamir variant of the NIST candidate Picnic, is secure in the quantum random-oracle model.
Publication: arXiv e-prints
Pub Date: February 2019
arXiv: arXiv:1902.07556
Bibcode: 2019arXiv190207556D
Keywords: Computer Science - Cryptography and Security; Quantum Physics
E-Print: 20 pages