## Abstract

We revisit recent works by Don, Fehr, Majenz and Schaffner and by Liu and Zhandry on the security of the Fiat-Shamir (FS) transformation of \(\varSigma \)-protocols in the quantum random oracle model (QROM). Two natural questions that arise in this context are: (1) whether the results extend to the FS transformation of *multi-round* interactive proofs, and (2) whether Don et al.’s \(O(q^2)\) loss in security is optimal.

Firstly, we answer question (1) in the affirmative. As a byproduct of solving a technical difficulty in proving this result, we slightly improve the result of Don et al., equipping it with a cleaner bound and an even simpler proof. We apply our result to digital signature schemes showing that it can be used to prove strong security for schemes like MQDSS in the QROM. As another application we prove QROM-security of a non-interactive OR proof by Liu, Wei and Wong.

As for question (2), we show via a Grover-search based attack that Don et al.’s quadratic security loss for the FS transformation of \(\varSigma \)-protocols is optimal up to a small constant factor. This extends to our new multi-round result, proving it tight up to a factor depending on the number of rounds only, i.e. is constant for constant-round interactive proofs.


## Notes

1. The security of the original Bulletproofs protocol relies on the hardness of discrete-log; however, work in progress considers post-quantum secure versions [2].
2. Alternatively, we may regard \(|\phi _0\rangle \) as an additional input given to \(\mathcal A\).
3. Allowing controlled queries to the random oracle is also the more natural model compared to restricting to plain access to the unitary. After all, the motivation for the QROM is that in the real world, an attacker can implement hash functions on a quantum computer, allowing them to implement the controlled version as well.
4. Here it is crucial that we allow *controlled* queries to *H*.
5. We thank Dominique Unruh for the idea that it might be possible to avoid the additive error term, and for proposing an argument for achieving that, which inspired us to find the simpler argument we eventually used.
6. If it is the final output that is measured then there is nothing left to reprogram, so no choice has to be made.
7. Looking ahead, in Sect. 4.2 we will force \(\mathcal{A}^H\) to query, and thus \(\mathcal S\) to extract, \(x_1,\ldots ,x_n\) in the *right* order by requiring \(x_2\) to contain \(H(x_1)\) as a substring, \(x_3\) to contain \(H(x_2)\) as a substring, etc. This will be important for the multi-round FS application.
8. One might try to exploit this actual improvement in the bound; however, for typical choices of parameters, with *n* a small constant and *q* large, this is insignificant.
9. It is easy to see that the result of [19] also holds for controlled-query algorithms. Alternatively, the *q* controlled queries can be simulated using \(q+1\) plain queries, and a \(2(q+1)\)-wise independent function can be used.
10. These additional assumptions on the simulator could be avoided, but they simplify the proof. Furthermore, for typical \(\Sigma \)-protocols they are satisfied. In particular, the simulated transcripts for hard instances are accepted by the verifier with high probability. Otherwise, the two polynomial-time algorithms could be used to solve the hard instances, a contradiction.
11. While (1) follows by inspecting the proof, (2) holds more generically: the dishonest prover attacking \(\mathsf {FS[\Sigma ']}\) simply runs the prover attacking \(\mathsf {FS[\Sigma ]}\) but enlarges the output register of the hash queries, with the corresponding state being set to be the fully mixed state in each query, and then dismisses these additional qubits again.
12. We take unpredictable commitments for PCIP's to be exactly the same as for \(\Sigma \)-protocols, with the first message playing the role of the commitment.
13. This property is required to have sufficient entropy on the inputs to the oracle that are reprogrammed by the zero-knowledge simulator \(\mathcal{S}_{ZK}\). While \(\mathcal{S}_{ZK}\) may reprogram the oracle on inputs \((i-1,c_{i-1},a_i)\) for \(i>1\), it is enough to require the first message \(a_1\) to have sufficient entropy, since with \(c_{i-1}\), these later inputs all include a uniformly random element from the superpolynomially large challenge space.
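The challenge chaining that Footnotes 7 and 13 rely on, as an added Python example (not code from the paper): each challenge of the multi-round FS transformation is derived from the previous challenge and the next prover message, so a prover cannot fix \(a_i\) after \(c_i\) is known, and the verifier recomputes the whole chain. The exact form \(c_1 = H(0, a_1)\), \(c_i = H(i-1, c_{i-1}, a_i)\) is an assumption (Definition 20 is not reproduced on this page), SHA-256 stands in for the random oracle, and `toy_V` is a constructed placeholder for the verification predicate \(V_{\mathsf \Pi }\).

```python
import hashlib
from typing import Callable, Sequence

Transcript = tuple  # (a_1, c_1, ..., a_n, c_n, z), all bytes


def H(*parts: bytes) -> bytes:
    """Stand-in for the random oracle: SHA-256 over length-prefixed parts,
    so (i-1, c_{i-1}, a_i) cannot collide with a differently split input."""
    h = hashlib.sha256()
    for p in parts:
        h.update(len(p).to_bytes(4, "big"))
        h.update(p)
    return h.digest()


def fs_challenges(msgs: Sequence[bytes]) -> list[bytes]:
    """Derive c_1..c_n from prover messages a_1..a_n.
    Assumed chain: c_1 = H(0, a_1), c_i = H(i-1, c_{i-1}, a_i) for i > 1.
    Because c_{i-1} feeds into c_i, every later challenge depends on all
    earlier messages; changing a_j changes c_j, ..., c_n but not c_1..c_{j-1}."""
    chal: list[bytes] = []
    for i, a in enumerate(msgs, start=1):
        idx = (i - 1).to_bytes(1, "big")  # round index as domain separator
        chal.append(H(idx, a) if i == 1 else H(idx, chal[-1], a))
    return chal


def fs_verify(V: Callable[[Transcript], bool],
              msgs: Sequence[bytes], z: bytes) -> bool:
    """Non-interactive verifier: recompute the chain, then run V_Pi on the
    reconstructed transcript (a_1, c_1, ..., a_n, c_n, z)."""
    chal = fs_challenges(msgs)
    transcript = tuple(t for pair in zip(msgs, chal) for t in pair) + (z,)
    return V(transcript)


def toy_V(t: Transcript) -> bool:
    """Constructed placeholder for V_Pi: accept iff the final response binds
    to the last challenge. It carries no witness and proves nothing."""
    c_n, z = t[-2], t[-1]
    return z == H(b"resp", c_n)


def toy_prove(msgs: Sequence[bytes]) -> bytes:
    """Honest prover for toy_V: derive the chain, answer the last challenge."""
    return H(b"resp", fs_challenges(msgs)[-1])
```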

## References

1. NIST post-quantum cryptography standardization. https://csrc.nist.gov/projects/post-quantum-cryptography/round-1-submissions
2. Bootle, J.: Recursive techniques for lattice-based zero-knowledge. https://www.youtube.com/watch?v=NEayIq_k4ks. Accessed 06 Feb 2020
3. Boyer, M., Brassard, G., Høyer, P., Tapp, A.: Tight bounds on quantum searching. Fortschritte der Physik **46**(4–5), 493–505 (1998)
4. Bünz, B., Bootle, J., Boneh, D., Poelstra, A., Wuille, P., Maxwell, G.: Bulletproofs: short proofs for confidential transactions and more. In: 2018 IEEE Symposium on Security and Privacy (SP), pp. 315–334, May 2018
5. Chen, M.-S., Hülsing, A., Rijneveld, J., Samardjiska, S., Schwabe, P.: From 5-pass \(\cal{MQ}\)-based identification to \(\cal{MQ}\)-based signatures. In: Cheon, J.H., Takagi, T. (eds.) ASIACRYPT 2016. LNCS, vol. 10032, pp. 135–165. Springer, Heidelberg (2016). https://doi.org/10.1007/978-3-662-53890-6_5
6. Chen, M.-S., Hülsing, A., Rijneveld, J., Samardjiska, S., Schwabe, P.: SOFIA: \(\cal{MQ}\)-based signatures in the QROM. In: Abdalla, M., Dahab, R. (eds.) PKC 2018. LNCS, vol. 10770, pp. 3–33. Springer, Cham (2018). https://doi.org/10.1007/978-3-319-76581-5_1
7. Cramer, R., Damgård, I., Schoenmakers, B.: Proofs of partial knowledge and simplified design of witness hiding protocols. In: Desmedt, Y.G. (ed.) CRYPTO 1994. LNCS, vol. 839, pp. 174–187. Springer, Heidelberg (1994). https://doi.org/10.1007/3-540-48658-5_19
8. Dagdelen, Ö., Fischlin, M., Gagliardoni, T.: The Fiat–Shamir transformation in a quantum world. In: Sako, K., Sarkar, P. (eds.) ASIACRYPT 2013. LNCS, vol. 8270, pp. 62–81. Springer, Heidelberg (2013). https://doi.org/10.1007/978-3-642-42045-0_4
9. Don, J., Fehr, S., Majenz, C., Schaffner, C.: Security of the Fiat-Shamir transformation in the quantum random-oracle model. In: Boldyreva, A., Micciancio, D. (eds.) CRYPTO 2019. LNCS, vol. 11693, pp. 356–383. Springer, Cham (2019). https://doi.org/10.1007/978-3-030-26951-7_13
10. Fischlin, M., Harasser, P., Janson, C.: Signatures from sequential-OR proofs. In: Canteaut, A., Ishai, Y. (eds.) EUROCRYPT 2020. LNCS, vol. 12107, pp. 212–244. Springer, Cham (2020). https://doi.org/10.1007/978-3-030-45727-3_8
11. Kiltz, E., Lyubashevsky, V., Schaffner, C.: A concrete treatment of Fiat-Shamir signatures in the quantum random-oracle model. In: Nielsen, J.B., Rijmen, V. (eds.) EUROCRYPT 2018. LNCS, vol. 10822, pp. 552–586. Springer, Cham (2018). https://doi.org/10.1007/978-3-319-78372-7_18
12. Liu, J.K., Wei, V.K., Wong, D.S.: Linkable spontaneous anonymous group signature for Ad Hoc groups. In: Wang, H., Pieprzyk, J., Varadharajan, V. (eds.) ACISP 2004. LNCS, vol. 3108, pp. 325–335. Springer, Heidelberg (2004). https://doi.org/10.1007/978-3-540-27800-9_28
13. Liu, Q., Zhandry, M.: Revisiting post-quantum Fiat-Shamir. In: Boldyreva, A., Micciancio, D. (eds.) CRYPTO 2019. LNCS, vol. 11693, pp. 326–355. Springer, Cham (2019). https://doi.org/10.1007/978-3-030-26951-7_12
14. Sakumoto, K., Shirai, T., Hiwatari, H.: Public-key identification schemes based on multivariate quadratic polynomials. In: Rogaway, P. (ed.) CRYPTO 2011. LNCS, vol. 6841, pp. 706–723. Springer, Heidelberg (2011). https://doi.org/10.1007/978-3-642-22792-9_40
15. Unruh, D.: Quantum proofs of knowledge. In: Pointcheval, D., Johansson, T. (eds.) EUROCRYPT 2012. LNCS, vol. 7237, pp. 135–152. Springer, Heidelberg (2012). https://doi.org/10.1007/978-3-642-29011-4_10
16. Unruh, D.: Non-interactive zero-knowledge proofs in the quantum random oracle model. In: Oswald, E., Fischlin, M. (eds.) EUROCRYPT 2015. LNCS, vol. 9057, pp. 755–784. Springer, Heidelberg (2015). https://doi.org/10.1007/978-3-662-46803-6_25
17. Unruh, D.: Computationally binding quantum commitments. In: Fischlin, M., Coron, J.-S. (eds.) EUROCRYPT 2016. LNCS, vol. 9666, pp. 497–527. Springer, Heidelberg (2016). https://doi.org/10.1007/978-3-662-49896-5_18
18. Unruh, D.: Post-quantum security of Fiat-Shamir. In: Takagi, T., Peyrin, T. (eds.) ASIACRYPT 2017. LNCS, vol. 10624, pp. 65–95. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-70694-8_3
19. Zhandry, M.: How to construct quantum random functions. In: 2012 IEEE 53rd Annual Symposium on Foundations of Computer Science, pp. 679–687. IEEE, October 2012

## Acknowledgement

We thank Dominique Unruh for hinting towards the possibility of the improved Theorem 2 (compared to [DFMS19]), see also Footnote 8, and Andreas Hülsing for helpful discussions. CM was funded by a NWO VENI grant (Project No. VI.Veni.192.159). SF was partly supported by the EU Horizon 2020 Research and Innovation Program Grant 780701 (PROMETHEUS). JD was funded by ERC-ADG project 740972 (ALGSTRONGCRYPTO).


## A Quantum extractability of q2 identification schemes

A class of identification schemes that is of particular interest are so-called q2-identification schemes. The NIST candidate signature scheme MQDSS, for example, is obtained from such an identification scheme via the multi-round FS transformation from Definition 20 (with some additional strings included in the hash arguments). In this section, we will prove that a PCIP with a so-called “q2 extractor” [5, Definition 4.6] is a quantum proof of knowledge if it has an additional collapsingness property. This is necessary for its FS transformation to fulfill (s)UF-CMA in the QROM (for (s)UF-CMA in the ROM, the q2-extractor alone is sufficient [5]).

We begin by defining q2 identification schemes and their extractors.

### Definition 26

A 5-round identification scheme is a q2 identification scheme, if the second challenge is a single bit. A q2 identification scheme is called q2-extractable if there exists a polynomial-time algorithm that, on input four transcripts \(t^{(i)}=(a^{(i)}_1,c^{(i)}_1,a^{(i)}_2, c^{(i)}_2,z^{(i)})\), \(i=1,2,3,4\), such that

outputs the secret key with non-negligible probability.

For ease of exposition we have assumed that the different challenges of a single PCIP come all from the same challenge space. A q2 identification scheme can be brought into this form by having the prover compute the second challenge by selecting the first bit of an augmented second challenge that is as large as the first one. For classical provers, four transcripts as required by the above definition can be obtained by straightforward rewinding. In the following, we show that, if the q2 identification scheme has an additional property similar to the quantum-computationally unique responses property introduced in [9, 13], then the existence of a q2 extractor implies that there exists a quantum extractor. This makes the scheme a quantum proof of knowledge. The argument follows the same lines as the one given in [9] to prove that *t*-soundness and quantum-computationally unique responses imply the quantum proof-of-knowledge property, which in turn is an extension of the result by Unruh for \(\Sigma \)-protocols with perfect unique responses [15].

Recall the definition of a collapsing relation, [9, Definition 23], a generalization of the notion of a collapsing hash function [17]. We define the notion of collapsingness for interactive proof systems as follows:

### Definition 27

A \((2n\!+\!1)\)-round interactive proof system \(\mathsf \Pi \) is called collapsing, if the relation \(R_{\mathsf \Pi }:\mathcal{X}\times \mathcal{Y}\rightarrow \{0,1\}\) with \(\mathcal{X}=\mathcal {C}^n\times \mathcal{A}_1\) and \(\mathcal{Y}=\mathcal{A}_2\times ...\times \mathcal{A}_n\times \mathcal{Z}\) given by the verification predicate \(V_{\mathsf \Pi }\) of \(\mathsf \Pi \) is collapsing from \(\mathcal{X}\) to \(\mathcal{Y}\).

Note that for \(n=1\), this notion of collapsingness coincides with the notion of quantum-computationally unique responses from [9].

Given a q2-identification scheme \(\mathsf \Pi \), consider the following straightforward (first stage of a) quantum extractor \(\mathcal E_{\mathsf \Pi }^\mathcal {A}\). The extractor runs the prover \(\mathcal {A}\) using honestly sampled challenges to obtain a first transcript \(t^{(1)}\). Now it rewinds three times and reruns \(\mathcal {A}\), each time with a fresh pair of challenges, chosen such as to obtain \(t^{(i)}\), \(i=2,3,4\) such that the four transcripts fulfill the conditions (11). For this extractor, we obtain the following

### Theorem 28

Let \(\mathsf \Pi \) be a q2-extractable q2-identification scheme that is also collapsing. Then the success probability of the extractor \(\mathcal{E}_{\mathsf \Pi }^\mathcal {A}\) is lower-bounded in terms of the success probability of the prover \(\mathcal A\) as

The proof of this theorem is essentially the same as for Theorem 25 in [9], which is a slight modification of an argument from [15].

As a corollary, we obtain the fact that for q2 identification schemes, q2-extractability and collapsingness imply the quantum proof of knowledge property as defined in [15].

### Corollary 29

Let \(\mathsf \Pi \) be a q2-extractable q2-identification scheme that is also collapsing. Then it is a quantum proof of knowledge.

In particular, the 5-round identification scheme \(\mathsf \Pi _{\mathrm {SSH}}\) from [14] which is used to construct the post-quantum digital signature scheme MQDSS has these properties under plausible assumptions, namely that it is instantiated with the standard hash-based commitment scheme using a collapsing hash function [17] (see discussion towards the end of Sect. 7.1). For MQDSS, this is no additional assumption, as the FS transformation uses the QROM anyway, and a quantum accessible random oracle is collapsing by [17].

### Corollary 30

If the 5-round identification scheme from [14] is instantiated with the standard hash-based commitment scheme using a collapsing hash function, it is a quantum proof of knowledge.

### Proof

*(sketch).* According to [5], \(\mathsf \Pi _{\mathrm {SSH}}\) is a q2-extractable q2 identification scheme. In \(\mathsf \Pi _{\mathrm {SSH}}\), the honest prover's first message consists of two commitments, and the second and final messages contain functions of the strings committed to in the first message, and some opening information, respectively. Measuring a function of a register is equivalent to a partial computational basis measurement of that register. According to the collapsing property of the hash function, no efficient algorithm can distinguish whether the committed string and the opening information are measured or not. This clearly implies the same indistinguishability for partial measurements of the string register, which implies that \(\mathsf \Pi _{\mathrm {SSH}}\) is collapsing. \(\square \)

Note that the above proof works for any multi-round PCIP that has a similar commit-and-open structure.

## Copyright information

© 2020 International Association for Cryptologic Research

## About this paper

### Cite this paper

Don, J., Fehr, S., Majenz, C. (2020). The Measure-and-Reprogram Technique 2.0: Multi-round Fiat-Shamir and More. In: Micciancio, D., Ristenpart, T. (eds) Advances in Cryptology – CRYPTO 2020. CRYPTO 2020. Lecture Notes in Computer Science, vol. 12172. Springer, Cham. https://doi.org/10.1007/978-3-030-56877-1_21

Publisher Name: Springer, Cham

Print ISBN: 978-3-030-56876-4

Online ISBN: 978-3-030-56877-1