Abstract
The FiatShamir transform is a technique for combining a hash function and an identification scheme to produce a digital signature scheme. The resulting scheme is known to be secure in the random oracle model (ROM), which does not, however, imply security in the scenario where the adversary also has quantum access to the oracle. The goal of this current paper is to create a generic framework for constructing tight reductions in the QROM from underlying hard problems to FiatShamir signatures.
Our generic reduction is composed of two results whose proofs, we believe, are simple and natural. We first consider a security notion (UFNMA) in which the adversary obtains the public key and attempts to create a valid signature without accessing a signing oracle. We give a tight reduction showing that deterministic signatures (i.e., ones in which the randomness is derived from the message and the secret key) that are UFNMA secure are also secure under the standard chosen message attack (UFCMA) security definition. Our second result is showing that if the identification scheme is “lossy”, as defined in (Abdalla et al. Eurocrypt 2012), then the security of the UFNMA scheme is tightly based on the hardness of distinguishing regular and lossy public keys of the identification scheme. This latter distinguishing problem is normally exactly the definition of some presumablyhard mathematical problem. The combination of these components gives our main result.
As a concrete instantiation of our framework, we modify the recent latticebased Dilithium digital signature scheme (Ducas et al., TCHES 2018) so that its underlying identification scheme admits lossy public keys. The original Dilithium scheme, which is proven secure in the classical ROM based on standard lattice assumptions, has 1.5 KB public keys and 2.7 KB signatures. The new scheme, which is tightly based on the hardness of the ModuleLWE problem in the QROM using our generic reductions, has 7.7 KB public keys and 5.7 KB signatures for the same security level. Furthermore, due to our proof of equivalence between the UFNMA and UFCMA security notions of deterministic signature schemes, we can formulate a new noninteractive assumption under which the original Dilithium signature scheme is also tightly secure in the QROM.
You have full access to this open access chapter, Download conference paper PDF
Similar content being viewed by others
Keywords
These keywords were added by machine and not by the authors. This process is experimental and the keywords may be updated as the learning algorithm improves.
1 Introduction
FiatShamir Signatures from Identification Protocols. A canonical identification scheme [2] is a threemove authentication protocol \(\mathsf {ID}\) of a specific form. The prover (holding the secretkey) sends a commitment \(W\) to the verifier. The verifier (holding the publickey) returns a random challenge \(c\). The prover sends a response \(Z\). Finally, using the verification algorithm, the verifier accepts if the transcript \((W,c,Z)\) is correct. The FiatShamir transformation [2, 20] combines a canonical identification scheme \(\mathsf {ID}\) and a hash function \(\mathsf {H}\) to obtain a digital signature scheme \({\mathsf {FS}}={\mathsf {FS}}[\mathsf {ID},\mathsf {H}]\). The signing algorithm first iteratively generates a transcript \((W,c,Z)\), where the challenge \(c\) is derived via \(c:=\mathsf {H}(W\parallel {M})\). Signature \(\sigma =(W, Z\)) is valid if the transcript \((W, c:=\mathsf {H}(W\parallel {M}), Z)\) makes the verification algorithm accept. Lyubashevsky [26] further generalized this to the “FiatShamir with aborts” transformation to account for aborting provers.
Security of FiatShamir Signatures in the ROM. Security of \({\mathsf {FS}}[\mathsf {ID},\mathsf {H}]\) in the ROM can be proved in two steps. Firstly, if the underlying identification scheme has statistical HonestVerifier ZeroKnowledge (\(\mathsf {HVZK}\)), then UnForgeability against Chosen Message Attack (\({\mathsf {UF\text {}CMA}}\)) and UnForgeability against No Message Attack (\({\mathsf {UF\text {}NMA}}\)) are tightly equivalent (\({\mathsf {UF\text {}NMA}}\) security means that the adversary is not allowed to make any signing queries). Secondly, the Forking Lemma [9, 34] (based on a technique called “rewinding”) is used to prove \({\mathsf {UF\text {}NMA}}\) security in the randomoracle model (ROM) [11] from computational Special Soundness (\(\mathsf {SS}\)). The latter part of the security reduction is nontight and the loss in tightness is known to be inherent (e.g., [24, 32]).
Lossy Identification schemes. With the goal of constructing signature schemes with a tight security reduction and generalizing a signature scheme by Katz and Wang [22], AFLT [3] introduced the new concept of lossy identification schemes and proved that FiatShamir transformed signatures have a tight security reduction in the ROM. A lossy identification scheme comes with an additional lossy key generator that produces a lossy public key, computationally indistinguishable from a honestly generated public key. Further, relative to a lossy public key the identification scheme has statistical soundness, i.e., not even an unbounded adversary can successfully impersonate a prover. Figure 1 summarizes the known security results of FiatShamir signatures in the ROM.
Quantum RandomOracle Model. Recently, NIST announced a competition with the goal to standardize new asymmetric encryption and signature schemes [1] with security against quantum adversaries, i.e., adversaries equipped with a quantum computer. There exists a number of (sometimes only implicitly defined) canonical identification schemes (e.g., [3, 5, 7, 16, 23, 26]) whose security relies on the hardness of certain problems over lattices and codes, which are generally believed to resist quantum adversaries. Quantum computers may execute all “offline primitives” such as the hash function on arbitrary superpositions, which motivated the introduction of the quantum (accessible) randomoracle model (QROM) [13]. That is, in the \({\mathsf {UF\text {}CMA}}\) security experiment for signatures in the QROM, an adversary has quantum access to a perfect hash function \(\mathsf {H}\) and classical access to the signing oracle. Aiding in the construction of \({\mathsf {UF\text {}CMA}}\) secure signatures with provable (postquantum) security in the QROM is the main motivation of this paper.
Security of FiatShamir signatures in the QROM. A number of recent works considered the security of FiatShamir transformed signatures in the QROM. [13] proved a general result showing that if a reduction in the classical ROM is historyfree, then it can also be carried out in the QROM. Historyfree reductions basically determine random oracle answers independently of the history of previous queries. For reductions that are not historyfree, adaptive reprogramming of the quantum random oracle is required which is problematic in the QROM: with one single quantum query to all inputs in superposition, an adversary might learn a superposition of all possible random oracle values which essentially means the reduction has to provide plausible values for the whole random oracle at this point. Hence, adaptive reprogramming in the QROM is difficult (but not impossible e.g., [12, 18, 36]).
Unfortunately, the known randomoracle proofs of FiatShamir signatures [3, 24, 34] are not historyfree. Beyond the general problem of adaptive reprogramming, the classical proof [34] uses rewinding and the Forking Lemma, a technique that we currently do not know how to extend to the quantum setting. Even worse, Ambanis et al. [6] proved that FiatShamir signatures cannot be proven secure in a blackbox way by just assuming computational special soundness and \(\mathsf {HVZK}\) (these two conditions are, on the other hand, sufficient for a proof in the classical ROM).
To circumvent the above negative result, Unruh [36] proposed an alternative FiatShamir transformation with provable QROM security but the resulting signatures are considerably less efficient as they require multiple executions of the underlying identification scheme.
Alkim et al. [5] gave a concrete tight security reduction for a signature scheme, TESLA, in the QROM. TESLA is a concrete latticebased digital signature scheme implicitly derived via the FiatShamir transformation. Their QROM proof from the learning with errors (\(\mathsf{LWE}\)) assumption adaptively reprograms the quantum random oracle using a technique from [12] and seems tailored to their particular identification protocol. As described in [5], the intuition behind the QROM security proof for TESLA comes from the fact that the underlying identification scheme is lossy. They leave it as an open problem to prove FiatShamir signatures generically secure from lossy identification schemes.
Unruh [37] could prove (among other things) that identification schemes with \(\mathsf {HVZK}\) and statistical soundness yield \({\mathsf {UF\text {}CMA}}\) secure FiatShamir signatures in the QROM when additionally assuming a “dualmode hard instance generator” for generating key pairs of the identification scheme. The latter dual mode hard instance generator is very similar to lossy identification schemes. Whereas the original publication [37] only contains asymptotic proofs, a recently updated version of the full version [38] also provides concrete security bounds. Below, in Sect. 1.2, we will compare them with our bounds.
1.1 Our Results
This work contains a simple and modular security analysis in the QROM of signatures \({\mathsf {FS}}[\mathsf {ID},\mathsf {H}]\) obtained via the FiatShamir transform with aborts [26] from any lossy identification scheme \(\mathsf {ID}\). We also consider the security of a deterministic variant \({\mathsf {DFS}}[\mathsf {ID},\mathsf {H},{\mathsf {PRF}}]\) with better tightness. \({\mathsf {DFS}}\) derives the randomness for signing deterministically using a pseudorandom function \({\mathsf {PRF}}\). Our main security statements are summarized in Fig. 2. Most importantly, if \(\mathsf {ID}\) is a lossy identification scheme and has \(\mathsf {HVZK}\), then \({\mathsf {DFS}}[\mathsf {ID},\mathsf {H},{\mathsf {PRF}}]\) is tightly \({\mathsf {UF\text {}CMA}}\) secure and \({\mathsf {FS}}[\mathsf {ID},\mathsf {H}]\) is (nontightly) \({\mathsf {UF\text {}CMA}}\) secure in the QROM. Our results suggest to prefer \({\mathsf {DFS}}[\mathsf {ID},\mathsf {H},{\mathsf {PRF}}]\) over \({\mathsf {FS}}[\mathsf {ID},\mathsf {H}]\).
The main component of our proof is a tweak to the AFLT FiatShamir proof [3] that makes it historyfree. Together with the general result of [13], one can immediately obtain asymptotic (i.e., nonconcrete) versions of our QROM proof as a simple corollary. In this work, we instead give direct proofs with concrete, tight security bounds.
To demonstrate the efficacy of our generic framework, we construct a latticebased signature scheme. The most compact latticebased schemes, in terms of public key and signature sizes, crucially require sampling from a discrete Gaussian distribution [15, 17]. Such schemes, however, have been shown to be particularly vulnerable to sidechannel attacks (c.f. [14, 19]), and it therefore seems prudent to consider schemes that only require simple uniform sampling over the integers. Of those, the most currently efficient one is the \(\mathsf {Dilithium}\) signature scheme [16]. This signature scheme is proved secure based on the \(\mathsf {MSIS}\) (ModuleSIS) and the \(\mathsf {MLWE}\) (ModuleLWE) assumptions in the ROM implicitly using the framework from Fig. 1.
In this paper, we provide a practical instantiation of a lossy identification scheme to obtain a new digital signature scheme, \(\mathsf {Dilithium\text {}QROM}\), with a tight security reduction in the QROM from the \(\mathsf {MLWE}\) problem, derived using our new framework from Fig. 2. \(\mathsf {Dilithium\text {}QROM}\) is essentially a less compact variant (\({\approx } 3\)X larger) of \(\mathsf {Dilithium}\) with modified parameters to allow the underlying identification scheme to admit a lossy mode. We additionally prove the security of the original \(\mathsf {Dilithium}\) scheme in the QROM based on \(\mathsf {MLWE}\) and another noninteractive assumption.
Security of FiatShamir Signatures. Security of deterministic FiatShamir signatures \({\mathsf {DFS}}[\mathsf {ID},\mathsf {H},{\mathsf {PRF}}]\) in the QROM is proved in two independent steps, see Fig. 2.
Step 1: \(\mathsf {LOSSY} \Longrightarrow {\mathsf {UF\text {}NMA}}\). We sketch an adaptation of the standard historyfree proof implicitly contained in [3]. By the security properties of the lossy identification scheme, the public key can be set in lossy mode which remains unnoticed by a computationally bounded quantum adversary. Further, breaking the signature scheme in lossy mode with at most \(Q_\mathsf {H}\) queries to the quantum random oracle essentially requires to solve the generic quantum search problem, whose complexity is \(\varTheta (Q_\mathsf {H}^2 \cdot \varepsilon _{\mathsf {ls}})\) [21, 39], where \(\varepsilon _{\mathsf {ls}}\) is the statistical soundness parameter of \(\mathsf {ID}\) in lossy mode. A similar argument is implicitly contained in [5, 37].
Step 2: \({\mathsf {UF\text {}NMA}}\Longrightarrow {\mathsf {UF\text {}CMA}}\). We will now sketch a historyfree proof of \({\mathsf {UF\text {}NMA}}\Rightarrow {{\mathsf {UF\text {}CMA}}_1}\), where (compared to \({\mathsf {UF\text {}CMA}}\) security) \({{\mathsf {UF\text {}CMA}}_1}\) security limits the number of queried signatures per message \({M}\) to one. We then apply a standard (historyfree, tight) reduction to show that \({{\mathsf {UF\text {}CMA}}_1}\) secure signatures derandomized with a \({\mathsf {PRF}}\) yield \({\mathsf {UF\text {}CMA}}\) secure signatures with deterministic signing [10].
The standard ROM proof of \({\mathsf {UF\text {}NMA}}\Rightarrow {\mathsf {UF\text {}CMA}}\) (implicitly contained in [3]) works as follows: one uses the \(\mathsf {HVZK}\) property of \(\mathsf {ID}\) to show that the signing oracle can be efficiently simulated only knowing the publickey. Concretely, the \(\mathsf {HVZK}\) simulator generates a transcript \((W,c,Z)\) and later “patches” the random oracle by defining \(\mathsf {H}(W\parallel {M}):=c\) to make \((W,Z)\) a valid signature. The problem is that the random oracle patching (i.e., defining \(\mathsf {H}(W\parallel {M}):=c\)) can only be done after the signing query on \({M}\) because only then \(W\) and \(c\) are known. This renders the AFLT standard reduction non historyfree. In our historyfree \({\mathsf {UF\text {}NMA}}\Rightarrow {{\mathsf {UF\text {}CMA}}_1}\) proof, we resolve this problem as follows. We use the \(\mathsf {HVZK}\) property to generate the transcript \((W_{M},c_{M},Z_{M})\) deterministically using messagedependent randomness. Hence, for each message \({M}\), the transcript \((W_{M},c_{M},Z_{M})\) is unique and can be computed at any time. This uniqueness allows us to patch the random oracle \(\mathsf {H}(W\parallel {M})\) to \(c_{M}\) at any time of the proof (i.e., iff \(W= W_{M}\)), even before the adversary has established a signing query on message \({M}\). This trick makes the proof historyfree, see Theorem 3.2. Clearly, this only works if the adversary receives at most one signature for each messages \({M}\), which is guaranteed by the \({{\mathsf {UF\text {}CMA}}_1}\) experiment.
In order to deal with (full) \({\mathsf {UF\text {}CMA}}\) security of probabilistic FiatShamir signatures \({\mathsf {FS}}[\mathsf {ID},\mathsf {H}]\), the above trick can be adapted to also obtain a historyfree reduction, see Theorem 3.3. However, the proof is less tight as the reduction suffers from a quadratic blowup in its running time.
Our results furthermore prove strong unforgeability if the identification scheme satisfies an additional property called computational unique response \(({\mathsf {CUR}})\). \({\mathsf {CUR}}\) essentially says that it is hard to come up with two accepting transcripts with the same commitment and challenge but different responses.
\(\mathsf {Dilithium\text {}QROM}\): A signature scheme with provable security in the QROM. The digital signature scheme \(\mathsf {Dilithium}\) [16] is constructed from a canonical identification scheme using the FiatShamir with aborts approach [26]. In the ROM, its security is based (via nontight reductions) on the hardness of the \(\mathsf {MSIS}\) and \(\mathsf {MLWE}\) problems. We show that by increasing the size of the modulus and the dimension of the public key matrix, the resulting identification scheme admits a lossy mode such that distinguishing real from lossy keys is based on the hardness of \(\mathsf {MLWE}\). We can then apply our main reduction to conclude that the resulting digital signature scheme is based on the hardness of the \(\mathsf {MLWE}\) problem.
In order to construct an identification scheme with a lossy mode, in addition to increasing the size of the modulus and the overall dimension, we also choose our prime modulus q so that the underlying ring \(\mathbb {Z}_q[X]/(X^n+1)\) has the property that all elements with coefficients less than \(\sqrt{q/2}\) have an inverse [29] – having all small elements be invertible is crucial to having lossiness.^{Footnote 1} For the same security levels as \(\mathsf {Dilithium}\), the total size of the public key and signature is increased by a factor of a little over 3.
Revisiting the Security of Dilithium. Due to the way the parameters are set, the underlying identification scheme of the original \(\mathsf {Dilithium}\) scheme does not have a lossy mode, and so we cannot apply Theorem 3.4 in the reduction sequence in Fig. 2. Nevertheless, the reduction from Theorem 3.2 is still applicable. In the classical ROM, one then obtains a reduction from \(\mathsf {MSIS}\) to the \({\mathsf {UF\text {}NMA}}\) scheme via the forking lemma (see Fig. 1).
The main downside of this last step is that the reduction is inherently nontight. In practice, however, parameters are set based on the hardness of the underlying \(\mathsf {MSIS}\) problem and the nontightness of the reduction is ignored. This is not just the case in latticebased schemes, but is the prevalent practice for every signature scheme built via the FiatShamir transform. The implicit assumption is, therefore, that the \({\mathsf {UF\text {}NMA}}\) scheme is exactly as secure as \(\mathsf {MSIS}\) (assuming that \(\mathsf {H}\) is secure). We point out that the assumption that the \({\mathsf {UF\text {}NMA}}\) scheme is secure is a noninteractive assumption that is reasonably simple to state, and so the fact that several decades of cryptanalysis haven’t produced any improved attacks against schemes whose parameters ignore the nontightness of the reduction, gives us confidence that equating the hardness of the \({\mathsf {UF\text {}NMA}}\) scheme with the hardness of the underlying problem is very reasonable.
In Sect. 4.5, we formulate the security of the \({\mathsf {UF\text {}NMA}}\) scheme as a “convolution” of a lattice/hash function problem, which we call \(\mathsf {SelfTargetMSIS}\), and then show that based on the hardness of \(\mathsf {MLWE}\) and \(\mathsf {SelfTargetMSIS}\), the deterministic version of the \(\mathsf {Dilithium}\) scheme is (tightly) \({\mathsf {UF\text {}CMA}}\) secure in the QROM. In other words, we show that the security of the tight version of the signature scheme is based on exactly the same assumptions in the ROM and the QROM.
Other Instantiations. Our framework can be applied to obtain a security proof in the QROM for a number of existing FiatShamir signature schemes that are similar to \(\mathsf {Dilithium}\) (e.g., [3, 5, 7, 26]) and those that have a somewhat different structure and possibly based on different assumptions (e.g., [23]). Our rationale for setting the parameters in \(\mathsf {Dilithium\text {}QROM}\) was to minimize the total sum of the public key and the signature. If one, on the other hand, wished to only minimize the signature size, one could create a public key whose “height” is larger than its “width” (e.g., as in [5]). For optimal efficiency, this may possibly require working over polynomial rings \(\mathbb {Z}_q[X]/(f(x))\) which are finite fields.
1.2 Concrete Bounds and Comparison with Unruh [37, 38]
Ignoring all constants and the computational term accounting for the pseudorandom function, our concrete bound for the \({\mathsf {UF\text {}CMA}}\) security of deterministic FiatShamir signatures \({\mathsf {DFS}}\) in the QROM is
where \(\mathrm {Adv}^{\mathsf {LOSS}}_{{\mathsf {ID}}}(\mathsf {B})\) is the lossyness advantage of \(\mathsf {ID}\), \(\varepsilon _{\mathsf {ls}}\) is the statistical soundness parameter of \(\mathsf {ID}\) in lossy mode, \(\alpha \) is the minentropy of \(\mathsf {ID}\)’s commitments, and \(\varepsilon _{\mathsf {zk}}\) is the \(\mathsf {HVZK}\) parameter of \(\mathsf {ID}\).
From Unruh [38] one can derive the following concrete bound which even holds for (standard) probabilistic FiatShamir signatures \({\mathsf {FS}}\).
Compared to (1), bound (2) has two sources of nontightness.
The first source of nontightness in (2) is the term \(Q_S Q_H^{1/2} \cdot 2^{\alpha /4}\) which stems from a generic reprogramming technique from [36]. In most practical latticebased schemes the commitment’s minentropy \(\alpha \) is large enough not to make a big impact on the worse bounds. However, this term puts a lower bound on the minentropy of commitments which translates to an unnatural lower bound on the size of quantumresistant FiatShamir signatures. Furthermore, it is sometimes not that easy to exactly compute the minentropy \(\alpha \). Further, simple techniques to get a “goodenough” bound (as we did for regular Dilithium when we obtained \(\alpha =255\)) would no longer result in something meaningful when used with (2).
The second and more important sources of nontightness in (2) is the quadratic (in the number of queries) blowup in the running time \(\mathrm {Time}(\mathsf {B}) \approx \mathrm {Time}(\mathsf {A})+Q_\mathsf {H}Q_S\) which renders the reduction nontight in all practical aspects. Interestingly, our proof for the security of probabilistic FiatShamir signatures (Theorem 3.3) introduces the same source of nontightness. However, under the assumption that superposition queries to classical data can be performed in a single time step (denoted by QRAM in [38]), the running time in (2) drops to \(\mathrm {Time}(\mathsf {B}) \approx \mathrm {Time}(\mathsf {A})\) and hence the reduction is tight again. We leave it as an open problem to come up with a tight reduction for probabilistic FiatShamir signatures in the QROM without using QRAM.
2 Preliminaries
For \(n \in \mathbb {N}\), let \([n] := \lbrace 1, \dots , n \rbrace .\) For a set S, S denotes the cardinality of S. For a finite set S, we denote the sampling of a uniform random element x by \(x \leftarrow S\), while we denote the sampling according to some distribution \(\mathfrak {D}\) by \(x \leftarrow \mathfrak {D}\). By \(\llbracket B\rrbracket \) we denote the bit that is 1 if the Boolean Statement B is true, and 0 otherwise.
Algorithms. Let \(\mathsf {A}\) be an algorithm. Unless stated otherwise, we assume all our algorithms to be probabilistic. We denote by \(y\leftarrow \mathsf {A}(x)\) the probabilistic computation of algorithm \(\mathsf {A}\) on input x. If \(\mathsf {A}\) is deterministic, we write \(y := \mathsf {A}(x).\) The notation \(y \in \mathsf {A}(x)\) is used to indicate all possible outcomes y of the probabilistic algorithm \(\mathsf {A}\) on input x. We can make any probabilistic \(\mathsf {A}\) deterministic by running it with fixed randomness. We write \(y := \mathsf {A}(x; r)\) to indicate that \(\mathsf {A}\) is run on input x with randomness r. Finally, the notation \(\mathsf {A}(x) \Rightarrow y\) denotes the event that \(\mathsf {A}\) on input x returns y.
Games. We use codebased games. We implicitly assume boolean flags to be initialized to false, numerical types to 0, sets to \(\varnothing \), and strings to the empty string \(\epsilon \). We make the convention that a procedure terminates once it has returned an output.
2.1 Quantum Computation
Quantum States. The state of a qubit \({\phi } \rangle \) is described by a twodimensional complex vector \({\phi } \rangle =\alpha {0} \rangle + \beta {1} \rangle \) where \(\{{0} \rangle , {1} \rangle \}\) form an orthonormal basis of \(\mathbb {C}^2\) and \(\alpha , \beta \in \mathbb {C}\) with \(\alpha ^2 + \beta ^2 = 1\) are called the complex amplitudes of \({\phi } \rangle \). The qbit \({\phi } \rangle \) is said to be in superposition if \(0<\alpha <1\). A classical bit \(b \in \{0,1\}\) is naturally encoded as state \({b} \rangle \) of a qubit.
The state \({\psi } \rangle \) of n qubits can be expressed as \({\psi } \rangle = \sum _{x \in \{0,1\}^n} \alpha _x {x} \rangle \in \mathbb {C}^{2^n}\) where \(\{ \alpha _x \}_{x \in \{0,1\}^n}\) is a set of \(2^n\) complex amplitudes such that \(\sum _{x \in \{0,1\}^n} \alpha _x^2 = 1\). As for one qubit, the standard orthonormal or computational basis is given by \(\{ {x} \rangle \}_{x \in \{0,1\}^n}\). When the quantum state \({\psi } \rangle \) is measured in the computational basis, the outcome is the classical string \(x \in \{0,1\}^n\) with probability \(\alpha _x^2\) and the quantum state collapses to what is observed, namely \({x} \rangle \).
The evolution of a quantum system in state \({\psi } \rangle \) can be described by a linear lengthpreserving transformation \(U: \mathbb {C}^{2^n} \rightarrow \mathbb {C}^{2^n}\). Such transformations correspond to unitary matrices U of size \(2^n\) by \(2^n\), i.e. U has the property that \(U U^\dag = \mathbbm {1}\), where \(U^\dag \) is the complexconjugate transpose of U.
For further details about basic concepts and notation of quantum computing, we refer to the standard text book by Nielsen and Chuang [31].
Quantum oracles and quantum adversaries. For a classical oracle function \(\textsc {O}: \{0,1\}^n \rightarrow \{0,1\}^{m}\), we follow the standard approach as in [8, 13] to make the execution of the classical function \(\textsc {O}\) a reversible unitary transformation. We model quantum access to \(\textsc {O}\) by
where \(x \in \{0,1\}^n\) and \(y \in \{0,1\}^{m}\). Note that due to the XOR function in the second register, \(U_{\textsc {O}}\) is its own inverse, i.e. executing \(U_{\textsc {O}}\) twice results in the identity for any function \(\textsc {O}\).^{Footnote 2} Quantum oracle adversaries \(\mathsf {A}^{{\textsc {O}} \rangle }\) can access \(\textsc {O}\) in superposition by applying \(U_{\textsc {O}}\). The quantum time it takes to apply \(U_{\textsc {O}}\) is linear in the time it takes to evaluate \(\textsc {O}\) classically. We write \(\mathsf {A}^{{\textsc {O}} \rangle }\) to indicate that an oracle is quantumaccessible, contrary to oracles which can only be accessed classically which are denoted by \(\mathsf {A}^{\textsc {O}}\). We also abuse notation and use \({O} \rangle \) to denote the oracle that is quantumly accessible.
Quantum randomoracle model. We consider security games in the quantum randomoracle model (QROM) [13] like their counterparts in the classical randomoracle model [11], with the difference that we consider quantum adversaries that are given quantum access to the random oracles involved, and classical access to all other oracles (e.g., the signing oracle). Zhandry [40] proved that no quantum algorithm \(\mathsf {A}^{{\mathsf {H}} \rangle }\), issuing at most Q quantum queries to \({\mathsf {H}} \rangle \), can distinguish between a random function \(\mathsf {H}:\{0,1\}^m \rightarrow \{0,1\}^n\) and a 2Qwise independent function \(f_{2Q}\). For concreteness, we view \(f_{2Q} :\{0,1\}^m \rightarrow \{0,1\}^n\) as a random polynomial of degree 2Q over the finite field \(\mathbb {F}_{2^n}\). The running time to evaluate \(f_{2Q}\) is linear in Q.
In this article, we will use this observation in the context of security reductions, where quantum adversary \(\mathsf {B}\) simulates quantum adversary \(\mathsf {A}^{{\mathsf {H}} \rangle }\) which makes at most Q queries to \({\mathsf {H}} \rangle \). Hence, the running time of \(\mathsf {B}\) is \(\mathrm {Time}(\mathsf {B}) = \mathrm {Time}(\mathsf {A}) + q \cdot \mathrm {Time}(\mathsf {H})\), where \(\mathrm {Time}(\mathsf {H})\) is the time it takes to simulate \({\mathsf {H}} \rangle \). Using the observation above, \(\mathsf {B}\) can use a 2Qwise independent function in order to (informationtheoretically) simulate \({\mathsf {H}} \rangle \) and we obtain that the running time of \(\mathsf {B}\) is \(\mathrm {Time}(\mathsf {B}) = \mathrm {Time}(\mathsf {A}) + Q \cdot \mathrm {Time}(f_{2Q})\), and the time \(\mathrm {Time}(f_{2Q})\) to evaluate \(f_{2Q}\) is linear in Q. The second term of this running time (quadratic in Q) can be further reduced to linear in Q in the quantum randomoracle model where \(\mathsf {B}\) can simply use another random oracle to simulate \({\mathsf {H}} \rangle \). Assuming evaluating the random oracle takes one time unit, we write \(\mathrm {Time}(\mathsf {B}) = \mathrm {Time}(\mathsf {A}) + Q\) which is approximately \(\mathrm {Time}(\mathsf {A})\).
Generic Quantum Search. For \(\lambda \in [0,1]\) let \(\mathcal {B}_\lambda \) be the Bernoulli distribution, i.e., \(\Pr [b=1] = \lambda \) for the bit \(b \leftarrow \mathcal {B}_\lambda \). Let X be some finite set. The generic quantum search problem \(\mathsf {GSP}\) [21, 39] is to find an \(x \in X\) satisfying \(g(x)=1\) given quantum access to an oracle \(g: X \rightarrow \{0,1\}\), such that for each \(x \in X\), g(x) is distributed according to \(\mathcal {B}_{\lambda }\). We will need the following slight variation of \(\mathsf {GSP}\). The Generic quantum Search Problem with Bounded probabilities \(\mathsf {GSPB}\) is like the quantum search problem with the difference that the Bernoulli parameter \(\lambda (x)\) may (adversarially) depend on x but it is upper bounded by a global \(\lambda \).
Lemma 2.1
(Generic Search Problem with Bounded Probabilities). Let \(\lambda \in [0,1]\). For any (unbounded, quantum) algorithm \(\mathsf {A}\) issuing at most Q quantum queries to \({g} \rangle \), \(\Pr [\mathsf {GSPB}_\lambda ^\mathsf {A}\Rightarrow 1 ] \le 8 \cdot \lambda \cdot (Q+1)^2\), where Game \(\mathsf {GSPB}_\lambda \) is defined in Fig. 3.
The bound on \(\mathsf {GSPB}\) can be reduced to the known bound on \(\mathsf {GSP}\) [21, 39] by artificially increasing the Bernoulli parameter to obtain the dependence on each \(x \in X\).
2.2 Pseudorandom Functions
A pseudorandom function \({\mathsf {PRF}}\) is a mapping \({\mathsf {PRF}}: \mathcal {K}\times \{0,1\}^n \rightarrow \{0,1\}^k\), where \(\mathcal {K}\) is a finite key space and n, k are integers. To a quantum adversary \(\mathsf {A}\) and \({\mathsf {PRF}}\) we associate the advantage function
where \(\mathsf {RF}:\{0,1\}^n \rightarrow \{0,1\}^k\) is a perfect random function. We note that while adversary \(\mathsf {A}\) is quantum, it only gets classical access to the oracles \({\mathsf {PRF}}(K, \cdot )\) and \(\mathsf {RF}(\cdot )\).
2.3 Canonical Identification Schemes
A canonical identification scheme \({\mathsf {ID}}\) is a threemove protocol of the form depicted in Fig. 4. The prover’s first message \(W\) is called commitment, the verifier selects a uniform challenge \(c\) from set \(\mathsf {ChSet}\), and, upon receiving a response \(Z\) from the prover, makes a deterministic decision.
Definition 2.2
(Canonical Identification Scheme). A canonical identification scheme \({\mathsf {ID}}\) is defined as a tuple of algorithms \({\mathsf {ID}}:=({\mathsf {IGen}},{\mathsf {P}},\mathsf {ChSet},{\mathsf {V}})\).

The key generation algorithm \({\mathsf {IGen}}\) takes system parameters \(\mathsf {par}\) as input and returns public and secret key \(( pk , sk )\). We assume that \( pk \) defines \(\mathsf {ChSet}\) (the set of challenges), \(\mathsf {WSet}\) (the set of commitments), and \(\mathsf {ZSet}\) (the set of responses).

The prover algorithm \({\mathsf {P}}=({\mathsf {P}}_1,{\mathsf {P}}_2)\) is split into two algorithms. \({\mathsf {P}}_1\) takes as input the secret key \( sk \) and returns a commitment \(W\in \mathsf {WSet}\) and a state \( St \); \({\mathsf {P}}_2\) takes as input the secret key \( sk \), a commitment \(W\), a challenge \(c\), and a state \( St \) and returns a response \(Z\in \mathsf {ZSet}\cup \{\bot \}\), where \(\bot \not \in \mathsf {ZSet}\) is a special symbol indicating failure.

The verifier algorithm \({\mathsf {V}}\) takes the public key \( pk \) and the conversation transcript as input and outputs a deterministic decision, 1 (acceptance) or 0 (rejection).
We make a couple of useful definitions. A transcript is a threetuple \((W,c,Z) \in \mathsf {WSet}\times \mathsf {ChSet}\times \mathsf {ZSet}\cup \{\bot ,\bot ,\bot \}\). It is called valid (with respect to publickey \( pk \)) if \({\mathsf {V}}( pk , W, c,Z)=1\). In Fig. 5 we also define a transcript oracle \(\mathsf {Trans}\) that returns a real interaction \((W,c,Z)\) between prover and verifier as depicted in Fig. 4, with the important convention that the transcript is defined as \((\bot ,\bot ,\bot )\) if \(Z= \bot \).
Definition 2.3
(Correctness Error). Identification scheme \(\mathsf {ID}\) has correctness error \(\delta \) if for all \(( pk , sk ) \in {\mathsf {IGen}}(\mathsf {par})\) the following holds:

All possible transcripts \((W, c, Z)\) satisfying \(Z\ne \bot \) are valid, i.e., for all \((W, St ) \in {\mathsf {P}}_1( sk )\), all \(c\in \mathsf {ChSet}\) and all \(Z\in {\mathsf {P}}_2( sk ,W,c, St )\) with \(Z\ne \bot \), we have \({\mathsf {V}}( pk , W, c,Z)=1\).

The probability that an honestly generated transcript \((W, c, Z)\) contains \(Z= \bot \) is bounded by \(\delta \), i.e., \(\Pr [Z= \bot \mid (W,c, Z) \leftarrow \mathsf {Trans}( sk )] \le \delta \).
Definition 2.4
We call \(\mathsf {ID}\) commitmentrecoverable, if for any \(( pk , sk )\in {\mathsf {IGen}}(\mathsf {par})\), \(c\in \mathsf {ChSet}\), and \(Z\in \mathsf {ZSet}\), there exists a unique \(W\in \mathsf {WSet}\) such that \({\mathsf {V}}( pk ,W,c,Z)=1\). This unique \(W\) can be publicly computed using a commitment recovery algorithm as \(W:={\mathsf {Rec}}( pk ,c,Z)\).
We define noabort honestverifier zeroknowledge, a weak variant of honestverifier zeroknowledge that requires the transcript (as generated by \(\mathsf {Trans}( sk )\)) to be publicly simulatable, conditioned on \(Z\ne \bot \).
Definition 2.5
(NoAbort Honestverifier Zeroknowledge). A canonical identification scheme \({\mathsf {ID}}\) is said to be \(\varepsilon _{\mathsf {zk}}\)perfect \(\mathsf {naHVZK}\) (noabort honestverifier zeroknowledge) if there exists an algorithm \(\mathsf {Sim}\) that, given only the public key \( pk \), outputs \((W,c,Z)\) such that the following conditions hold:

The distribution of \((W, c, Z) \leftarrow \mathsf {Sim}( pk )\) has statistical distance at most \(\varepsilon _{\mathsf {zk}}\) from \((W', c', Z') \leftarrow \mathsf {Trans}( sk )\), where \(\mathsf {Trans}\) is defined in Fig. 5.

The distribution of \(c\) from \((W, c, Z) \leftarrow \mathsf {Sim}( pk )\) conditioned on \(c\ne \bot \) is uniform random in \(\mathsf {ChSet}\).
Note that if \(\mathsf {ID}\) is commitmentrecoverable, then we can abandon the \(W\) in the output of \(\mathsf {Trans}\) and \(\mathsf {Sim}\) since \(W\) can be publicly computed from \((c,Z)\).
Definition 2.6
(MinEntropy). If the most likely value of a random variable W that is chosen from a discrete distribution D occurs with probability \(2^{\alpha }\), then we say that minentropy\((W \mid W\leftarrow D)=\alpha \). We will say that a canonical identification scheme \({\mathsf {ID}}\) has \(\alpha \) bits of minentropy, if
In other words, except with probability \(2^{\alpha }\) over the choice of \(( pk , sk )\), the minentropy of W will be at least \(\alpha \).
An identification scheme has unique responses if for all \(W\) and \(c\) there exists at most one \(Z\) to make the verifier accept, i.e., \({\mathsf {V}}( pk ,W,c,Z)=1\). We relax this property to computational unique response (\({\mathsf {CUR}}\)) for which we require it to be computationally difficult to come up with \((W, c,Z,Z')\) with \({\mathsf {V}}( pk ,W,c,Z)={\mathsf {V}}( pk ,W,c,Z')=1\) and \(Z' \ne Z\).
Definition 2.7
(Computational Unique Response). To an adversary \(\mathsf {A}\) we associate the advantage function
Lossy Identification schemes. We now recall lossy identification schemes [3].
Definition 2.8
An identification scheme \(\mathsf {ID}=({\mathsf {IGen}},{\mathsf {P}},\mathsf {ChSet},{\mathsf {V}})\) is lossy if there exists a lossy key generation algorithm \({\mathsf {LossyIGen}}\) that takes system parameters \(\mathsf {par}\) as input and returns public key \( pk _\mathsf {ls}\) (and no secret key \( sk \)).
We refer to \({\mathsf {LID}}= ({\mathsf {IGen}},{\mathsf {LossyIGen}},{\mathsf {P}},\mathsf {ChSet},{\mathsf {V}})\) as a lossy identification scheme.
We now define two security properties of a lossy identification scheme \({\mathsf {LID}}\). The first property says that public keys generated with the real key generator \({\mathsf {IGen}}\) are indistinguishable from ones generated by the lossy key generator \({\mathsf {LossyIGen}}\). Concretely, we define the \(\mathsf {LOSS}\) advantage function of a quantum adversary \(\mathsf {A}\) against \({\mathsf {ID}}\) as
The second security property is statistical and says that relative to a lossy key \( pk _\mathsf {ls}\), not even an unbounded quantum adversary can impersonate the prover. We say that \({\mathsf {ID}}\) has \(\varepsilon _{\mathsf {ls}}\)lossy soundness if for every (possibly unbounded, quantum) adversary \(\mathsf {C}\), \(\Pr [\mathsf {LOSSY\text {}IMP}^\mathsf {C}\Rightarrow 1] \le \varepsilon _{\mathsf {ls}}\), where game \(\mathsf {LOSSY\text {}IMP}\) is defined in Fig. 6.
Since \(\mathsf {C}\) is unbounded, we can upper bound \(\Pr [\mathsf {LOSSY\text {}IMP}^\mathsf {C}\Rightarrow 1] \) as
where the expectation is taken over \( pk _\mathsf {ls}\leftarrow {\mathsf {LossyIGen}}(\mathsf {par})\). Note that equality in Eq. (3) is achieved for the “optimal” adversary \(\mathsf {C}\) which on the “easiest” commitment \(W\in \mathsf {WSet}\) and a random challenge \(c\leftarrow \mathsf {ChSet}\) finds a response \(Z\in \mathsf {ZSet}\) that the verifier accepts.
2.4 Digital Signatures
We now define syntax and security of a digital signature scheme. Let \(\mathsf {par}\) be common system parameters shared among all participants.
Definition 2.9
(Digital Signature). A digital signature scheme \({\mathsf {SIG}}\) is defined as a triple of algorithms \({\mathsf {SIG}}= ({\mathsf {Gen}}, {\mathsf {Sign}}, {\mathsf {Ver}})\).

The key generation algorithm \({\mathsf {Gen}}(\mathsf {par})\) returns the public and secret keys \(( pk , sk )\). We assume that \( pk \) defines the message space \(\mathsf {MSet}\).

The signing algorithm \({\mathsf {Sign}}( sk ,{M})\) returns a signature \(\sigma \).

The deterministic verification algorithm \({\mathsf {Ver}}( pk , {M},\sigma )\) returns 1 (accept) or 0 (reject).
Signature scheme \({\mathsf {SIG}}\) has correctness error \(\gamma \) if for all \(( pk , sk )\in {\mathsf {Gen}}(\mathsf {par})\), all messages \({M}\in \mathsf {MSet}\), we have \(\Pr [{\mathsf {Ver}}( pk ,{M},{\mathsf {Sign}}( sk ,{M}))=0] \le \gamma \).
Security. We define the \({\mathsf {UF\text {}CMA}}\) (unforgeability against chosenmessage attack), \({{\mathsf {UF\text {}CMA}}_1}\) (unforgeability against onepermessage chosenmessage attack), and \({\mathsf {UF\text {}NMA}}\) (unforgeability against nomessage attack) advantage functions of a quantum adversary \(\mathsf {A}\) against \({\mathsf {SIG}}\) as \(\mathrm {Adv}^{\mathsf {UF\text {}CMA}}_{{\mathsf {SIG}}}(\mathsf {A}):=\Pr [{\mathsf {UF\text {}CMA}}^\mathsf {A}\Rightarrow 1]\), \(\mathrm {Adv}^{{\mathsf {UF\text {}CMA}}_1}_{{\mathsf {SIG}}}(\mathsf {A}):= \Pr [{{\mathsf {UF\text {}CMA}}_1}^\mathsf {A}\Rightarrow 1]\), and \(\mathrm {Adv}^{\mathsf {UF\text {}NMA}}_{{\mathsf {SIG}}}(\mathsf {A}):= \Pr [{\mathsf {UF\text {}NMA}}^\mathsf {A}\Rightarrow 1]\), where the games \({\mathsf {UF\text {}CMA}}\), \({{\mathsf {UF\text {}CMA}}_1}\), and \({\mathsf {UF\text {}NMA}}\) are given in Fig. 7. We also consider strong unforgeability where the adversary may return a forgery on a message previously queried to the signing oracle, but with a different signature. In the corresponding experiments \({\mathsf {sUF\text {}CMA}}\) and \({{\mathsf {sUF\text {}CMA}}_1}\), the set \(\mathcal {M}\) contains tuples \(({M}, \sigma )\) and for the winning condition it is checked that \(({M}^*,\sigma ^*) \not \in \mathcal {M}\).
Any \({{\mathsf {UF\text {}CMA}}_1}\) (\({{\mathsf {sUF\text {}CMA}}_1}\)) secure signature scheme can be combined with a pseudorandom function \({\mathsf {PRF}}\) to obtain an \({\mathsf {UF\text {}CMA}}\) (\({\mathsf {sUF\text {}CMA}}\)) secure signature scheme by defining \({\mathsf {Sign}}'(( sk ,K),{M}):={\mathsf {Sign}}( sk ,{M}; {\mathsf {PRF}}_K({M}))\), where K is a secret \({\mathsf {PRF}}\) key which is part of the secret key. This construction is well known in the classical setting [10], and the same proof works in the quantum setting. Here \({\mathsf {PRF}}\) only has to provide security against quantum adversaries where the access to \({\mathsf {PRF}}\) is classical.
3 FiatShamir in the Quantum RandomOracle Model
3.1 Signatures from Identification Schemes
Let \({\mathsf {ID}}:=({\mathsf {IGen}},{\mathsf {P}},\mathsf {ChSet},{\mathsf {V}})\) be a canonical identification scheme, let \(\kappa _ m \) be a positive integer, and let \(\mathsf {H}:\{0,1\}^* \rightarrow \mathsf {ChSet}\) be a hash function. The following signature scheme \({\mathsf {SIG}}:=({\mathsf {Gen}}={\mathsf {IGen}},{\mathsf {Sign}}, {\mathsf {Ver}})\) is obtained by the FiatShamir transformation with aborts \({\mathsf {FS}}[\mathsf {ID},\mathsf {H},\kappa _ m ]\) [26].
We make the convention that if \(\sigma = (W,Z) \) is not in \(\mathsf {WSet}\times \mathsf {ZSet}\), then \({\mathsf {Ver}}( pk ,{M},\sigma )\) returns 0 (reject). Clearly, if \(\mathsf {ID}\) has correctness error \(\delta \), then \({\mathsf {SIG}}\) has correctness error \(\gamma =\delta ^{\kappa _m}\).
FiatShamir for CommitmentRecoverable Identification. For commitmentrecoverable \(\mathsf {ID}\) (see Definition 2.4), we can define an alternative FiatShamir transformation \({\mathsf {SIG}}'={\mathsf {FS}}'[{\mathsf {ID}},\mathsf {H},\kappa _ m ]:=({\mathsf {Gen}}={\mathsf {IGen}},{\mathsf {Sign}}',{\mathsf {Ver}}')\). Algorithm \({\mathsf {Sign}}'( sk ,{M})\) is defined as \({\mathsf {Sign}}( sk ,{M})\) with the modified output \(\sigma ' = (c,Z)\). Algorithm \({\mathsf {Ver}}'( pk ,{M},\sigma ')\) first parses \(\sigma '=(c,Z)\), then recomputes the commitment as \(W' := {\mathsf {Rec}}( pk ,c,Z)\), and finally returns 1 iff \(\mathsf {H}(W' \parallel {M})=c\).
Since \(\sigma =(W,Z)\) can be publicly transformed into \(\sigma '=(c,Z)\) and vice versa, \({\mathsf {SIG}}\) and \({\mathsf {SIG}}'\) are equivalent in terms of security. The alternative FiatShamir transform yields shorter signatures if \(c\in \mathsf {ChSet}\) has a smaller representation size than the commitment \(W \in \mathsf {WSet}\).
Main Security Statement. The following is our main security statement for \({\mathsf {SIG}}:={\mathsf {FS}}[{\mathsf {ID}},\mathsf {H},\kappa _ m ]\) in the QROM.
Theorem 3.1
Assume the identification scheme \({\mathsf {ID}}\) is lossy, \(\varepsilon _{\mathsf {zk}}\)perfect \(\mathsf {naHVZK}\), has \(\alpha \) bits of min entropy, and is \(\varepsilon _{\mathsf {ls}}\)lossy sound. For any quantum adversary \(\mathsf {A}\) against \({{\mathsf {UF\text {}CMA}}_1}\) (\({{\mathsf {sUF\text {}CMA}}_1}\)) security that issues at most \(Q_{\mathsf {H}}\) queries to the quantum random oracle \({\mathsf {H}} \rangle \) and \(Q_S\) classical queries to the signing oracle \(\textsc {Sign}_1\), there exists a quantum adversary \(\mathsf {B}\) (and a quantum adversary \(\mathsf {C}\) against \({\mathsf {CUR}}\))such that
and \(\mathrm {Time}(\mathsf {B}) = \mathrm {Time}(\mathsf {C}) = \mathrm {Time}(\mathsf {A}) + \kappa _ m Q_\mathsf {H}\approx \mathrm {Time}(\mathsf {A})\).
Note that with this observation the bound of Theorem 3.1 is tight, i.e., the computational advantages appear with a constant factor (one). In the classical ROM setting, the only difference is that the bound depends linearly on \(Q_\mathsf {H}\), instead of quadratic.
Deterministic FiatShamir. Let \({\mathsf {PRF}}\) be a pseudorandom function. Consider a deterministic variant \({\mathsf {DSIG}}:={\mathsf {DFS}}[{\mathsf {ID}},\mathsf {H},{\mathsf {PRF}},\kappa _ m ]=({\mathsf {Gen}}, {\mathsf {DSign}}, {\mathsf {Ver}})\) of \({\mathsf {FS}}\) where lines 04 and 06 of \({\mathsf {Sign}}\) is derandomized using the \({\mathsf {PRF}}\), where the random key K is part of the secret key.
As discussed at the end of Sect. 2.4, the \({\mathsf {UF\text {}CMA}}\) (\({\mathsf {sUF\text {}CMA}}\)) security of \({\mathsf {DSIG}}\) is implied by the \({{\mathsf {UF\text {}CMA}}_1}\) (\({{\mathsf {sUF\text {}CMA}}_1}\)) security of \({\mathsf {FS}}\). Concretely the advantages are upper bounded by the same terms as in Theorem 3.1 plus an additional term \(\mathrm {Adv}^{{\mathsf {PR}}}_{{\mathsf {PRF}}}(\mathsf {D})\) accounting for the quantum security of the \({\mathsf {PRF}}\).
3.2 Security Proof
The proof of Theorem 3.1 is modular. First, in Theorem 3.2 we prove that \({\mathsf {UF\text {}NMA}}\) security plus \(\mathsf {naHVZK}\) implies \({{\mathsf {UF\text {}CMA}}_1}\) security. Second, in Theorem 3.4 we prove that a lossy identification scheme is always \({\mathsf {UF\text {}NMA}}\) secure.
Theorem 3.2
Assume the identification scheme \({\mathsf {ID}}\) is \(\varepsilon _{\mathsf {zk}}\)perfect \(\mathsf {naHVZK}\) and has \(\alpha \) bits of min entropy. For any \({{\mathsf {UF\text {}CMA}}_1}\) (\({{\mathsf {sUF\text {}CMA}}_1}\)) quantum adversary \(\mathsf {A}\) that issues at most \(Q_{\mathsf {H}}\) queries to the quantum random oracle \({\mathsf {H}} \rangle \) and \(Q_S\) (classical) queries to the signing oracle \(\textsc {Sign}_1\), there exists a quantum adversary \(\mathsf {B}\) against \({\mathsf {UF\text {}NMA}}\) security making \(Q_{\mathsf {H}}\) queries to its own quantum random oracle (and a quantum adversary \(\mathsf {C}\) against \({\mathsf {CUR}}\)) such that
and \(\mathrm {Time}(\mathsf {B}) = \mathrm {Time}(\mathsf {C})=\mathrm {Time}(\mathsf {A}) + \kappa _ m (Q_\mathsf {H}+Q_S) \approx \mathrm {Time}(\mathsf {A})\).
Proof
(of Theorem 3.2). We first prove standard unforgeability (\({{\mathsf {UF\text {}CMA}}_1}\) security) and then show how the proof can be modified to obtain strong unforgeability (\({{\mathsf {sUF\text {}CMA}}_1}\) security). Let \(\mathsf {A}\) be a quantum adversary against the \({{\mathsf {UF\text {}CMA}}_1}\) security of \({\mathsf {SIG}}\), issuing at most \(Q_{\mathsf {H}}\) queries to \({\mathsf {H}} \rangle \) and at most \(Q_{S}\) queries to \(\textsc {Sign}_1\). Consider the games given in Fig. 8. Recall that \(\mathsf {A}\) has classical access to the signing oracle \(\textsc {Sign}_1\) and quantum access to the random oracle \(\mathsf {H}\). The quantum random oracle \(\mathsf {H}\) is called with \({W\parallel {M}} \rangle \) and returns \({\mathsf {H}({W\parallel {M}} \rangle )} \rangle \). The games in Fig. 8 describe the computation that is performed for any \(W\parallel {M}\) that has a nonzero amplitude in \({W\parallel {M}} \rangle \).
Game \(G_0\). Note that game \(G_0\) is the original \({{\mathsf {UF\text {}CMA}}_1}\) game. The signing oracle \(\textsc {Sign}_1\) produces a signature using internal deterministic algorithm \(\mathsf {GetTrans}\) which, in lines 10 and 12, derives the randomness of \({\mathsf {P}}_1\) and \({\mathsf {P}}_2\) using a perfect random function \(\mathsf {RF}\) that cannot be accessed by \(\mathsf {A}\). Since in the \({{\mathsf {UF\text {}CMA}}_1}\) game only one single signing query is allowed per message,
Game \(G_1\). This game computes the signatures on \({M}\) using the \(\mathsf {naHVZK}\) simulation algorithm \(\mathsf {Sim}\) and patches the quantum random oracle \(\mathsf {H}\) accordingly.
Concretely, consider a classical query \(\textsc {Sign}_1({M})\) and let \(\kappa _{M}\) be the smallest integer \(1 \le \kappa \le \kappa _ m \) satisfying \((W,c,Z) := \mathsf {Sim}( pk ; \mathsf {RF}({M}\parallel \kappa ))\) and \(Z\ne \bot \). If no such integer exists, then we define \(\kappa _{M}:= \bot \). It deterministically computes
The signature on \({M}\) is returned as
By the \(\mathsf {naHVZK}\) property and the union bound, the distribution of each \(\sigma _{M}\) has statistical distance at most \(\kappa _ m \varepsilon _{\mathsf {zk}}\) from one computed in game \(G_0\). To ensure that \(\sigma _{M}\) is a valid signature on \({M}\), in line 20 the random oracle is patched such that \(\mathsf {H}(W_{M}\parallel {M})=c_{M}\) holds. Concretely, a query \(W\parallel {M}\) to quantum random oracle \(\mathsf {H}\) with nonzero amplitude is patched with \(\mathsf {H}(W\parallel {M}):=c_{M}\) iff \(W=W_{M}\), where \(c_{M}\) and \(W_{M}\) are computed by \(\mathsf {GetTrans}({M})\), see Eq. (4). Note that the output distribution of the random oracle \(\mathsf {H}\) in this game remains unchanged since \(c_{M}\) generated by the \(\mathsf {naHVZK}\) simulator \(\mathsf {Sim}\) is required to be uniformly distributed.
Overall, by a union bound we obtain
Game \(G_2\). This game returns 0 in line 05 if \(c^* \ne \mathsf {H}'(W^* \parallel {M}^*)\). Games \(G_1\) and \(G_2\) can only differ if \(W_{{M}^*}= W^*\) and \({M}^* \not \in \mathcal {M}\). (In that case \(G_2\) returns 0 and \(G_1\) returns 1.) Since \({M}^* \not \in \mathcal {M}\), the random variable \(W_{{M}^*}\) was not yet revealed as part of an established signature and is completely hidden from the view of the adversary. It has \(\alpha \) bits of minentropy, meaning we have \(\Pr [W_{{M}^*} = W^*] \le 2^{\alpha }\). We obtain
Consider adversary \(\mathsf {B}\) against the \({\mathsf {UF\text {}NMA}}\) game from Fig. 9 having quantum access to random oracle \(\mathsf {H}'\). It perfectly simulates \(\mathsf {A}\)’s view in game \(G_2\), using its own random oracle \(\mathsf {H}'\) to simulate \(\mathsf {H}'\) and perfectly simulating the random function \(\mathsf {RF}\) with a \(2\kappa _ m Q_\mathsf {H}\)wise independent hash function. Assume \(\mathsf {A}\)’s forgery \(({M}^*,\sigma ^*)\) is valid in game \(G_2\), i.e., \({M}^* \not \in \mathcal {M}\) and \({\mathsf {V}}( pk , W^*,c^*,Z^*)=1 \), where \(c^* = \mathsf {H}(W^* \parallel {M}^*)\). If \(\mathsf {H}(W^* \parallel {M}^*) = \mathsf {H}'(W^* \parallel {M}^*)\), then \(({M}^*,\sigma ^*)\) is also a valid forgery in the \({\mathsf {UF\text {}NMA}}\) game, i.e., \({\mathsf {V}}( pk , W^*,c^*,Z^*)=1\), where \(c^* = \mathsf {H}'(W^* \parallel {M}^*)\). Hence,
The proof of \({{\mathsf {UF\text {}CMA}}_1}\) security follows by collecting the probabilities. The running time \(\mathrm {Time}(\mathsf {B})\) of adversary \(\mathsf {B}\) is given by the time \(\mathrm {Time}(\mathsf {A})\) to run \(\mathsf {A}\) as a blackbox in game \(G_2\) where in every of the \(Q_\mathsf {H}\) oracle and \(Q_S\) signaturequeries, at most \(O(\kappa _ m )\) computations need to be performed.
Strong unforgeability. For \({{\mathsf {sUF\text {}CMA}}_1}\) security we consider exactly the same games with the difference that in all games the winning condition in line 06 is changed to \(\llbracket ({M}^*,\sigma ^*) \not \in \mathcal {M}\rrbracket \wedge {\mathsf {V}}( pk , W^*,c^*,Z^*) \) to account for strong unforgerability, where \(\mathcal {M}\) now records all tuples \(({M}, \sigma _{M})\) of previously established messages/signature pairs.
The difference between games \(G_1\) and \(G_2\) is that game \(G_2\) returns 0 in line 05 if \(c^* \ne \mathsf {H}'(W^* \parallel {M}^*)\), i.e., if \(\mathsf {H}(W^* \parallel {M}^*)\) was previously patched in line 20 with \(\mathsf {H}(W^* \parallel {M}^*):=c_{{M}^*}\). Games \(G_1\) and \(G_2\) can only differ if \(W_{{M}^*}= W^*\), \(({M}^*,\sigma ^*) \not \in \mathcal {M}\), and \( {\mathsf {V}}( pk , W^*,c^*,Z^*)=1\). (In that case \(G_2\) returns 0 and \(G_1\) returns 1.)
We distinguish two cases. If \(({M}^*,\cdot ) \not \in \mathcal {M}\) then we are in the situation that the adversary did not query a signature on \({M}^*\) and we can use the same argument as in standard unforgeability to argue \(\Pr [G_2^{\mathsf {A}} \Rightarrow 1] \Pr [G_1^{\mathsf {A}} \Rightarrow 1]  \le 2^{\alpha +1}\). It leaves to handle the case \(({M}^*,\cdot ) \in \mathcal {M}\), i.e., the adversary obtained a signatures \(\sigma _{{M}^*} = (W_{{M}^*},Z_{{M}^*})\) on message \({M}^*\) and submits a correct forgery \(\sigma ^* = (W^*, Z^*)\) satisfying \(W^*=W_{{M}^*}\) and \(Z^* \ne Z_{{M}^*}\). The problem of finding values \((W^*, c^*, Z_{{M}^*},Z^*)\) with two accepting transcripts \((W^*, c^*, Z^*)\) and \((W^*, c^*, Z_{{M}^*})\) is exactly bounded by the advantage of an adversary \(\mathsf {C}\) against the \({\mathsf {CUR}}\) experiment, i.e., \(\Pr [G_2^{\mathsf {A}} \Rightarrow 1] \Pr [G_1^{\mathsf {A}} \Rightarrow 1]  \le \mathrm {Adv}^{\mathsf {CUR}}_\mathsf {ID}(\mathsf {C})\).
In combination this proves
Finally, a straightforward modification of adversary \(\mathsf {B}\) against \({\mathsf {UF\text {}NMA}}\) security to account for the strong unforgerability check proves
and completes proof of \({{\mathsf {sUF\text {}CMA}}_1}\) security.
The running times \(\mathrm {Time}(\mathsf {B})\) and \(\mathrm {Time}(\mathsf {C})\) can be derived as above. \(\square \)
The following theorem shows that we can also prove directly \({\mathsf {UF\text {}CMA}}\) security of \({\mathsf {SIG}}\), but (in terms of the running time) the reduction is less tight than the one of Theorem 3.2.
Theorem 3.3
Assume the identification scheme \({\mathsf {ID}}\) is \(\varepsilon _{\mathsf {zk}}\)perfect \(\mathsf {naHVZK}\) and has \(\alpha \) bits of min entropy. For any \({\mathsf {UF\text {}CMA}}\) (\({\mathsf {sUF\text {}CMA}}\)) quantum adversary \(\mathsf {A}\) that issues at most \(Q_{\mathsf {H}}\) queries to the quantum random oracle \({\mathsf {H}} \rangle \) and \(Q_S\) classical queries to the signing oracle \(\textsc {Sign}\), there exists a quantum adversary \(\mathsf {B}\) against \({\mathsf {UF\text {}NMA}}\) security making \(Q_{\mathsf {H}}\) queries to its own quantum random oracle (and a quantum adversary \(\mathsf {C}\) against \({\mathsf {CUR}}\)) such that
and \(\mathrm {Time}(\mathsf {B}) = \mathrm {Time}(\mathsf {C})=\mathrm {Time}(\mathsf {A}) + \kappa _ m Q_\mathsf {H}Q_S\).
The proof of Theorem 3.3 is similar to the one of Theorem 3.2 and appears in the full version.
Theorem 3.4
Assume the identification scheme is lossy and \(\varepsilon _{\mathsf {ls}}\)lossy sound. For any \({\mathsf {UF\text {}NMA}}\) quantum adversary \(\mathsf {A}\) that issues at most \(Q_{\mathsf {H}}\) queries to the quantum random oracle \({\mathsf {H}} \rangle \), there exists a quantum adversary \(\mathsf {B}\) against \(\mathsf {LOSS}\) such that
and \(\mathrm {Time}(\mathsf {B}) = \mathrm {Time}(\mathsf {A}) + Q_\mathsf {H}\approx \mathrm {Time}(\mathsf {A})\).
Proof
Let \(\mathsf {A}\) be an adversary against the \({\mathsf {UF\text {}NMA}}\) security of \({\mathsf {SIG}}\), issuing at most \(Q_{\mathsf {H}}\) quantum queries to \({\mathsf {H}} \rangle \). Consider the games given in Fig. 10.
Game \(G_0\). Since game \(G_0\) is the original \({\mathsf {UF\text {}NMA}}\) game,
Game \(G_1\). In this game, the public key \( pk \) is changed to lossy mode. Clearly, there exists an adversary \(\mathsf {B}\) simulating \(\mathsf {H}\) by a \(2Q_\mathsf {H}\)wise independent hash function such that
Finally, we will reduce a successful \(\mathsf {A}\) in game \(G_1\) to the generic search problem \(\mathsf {GSPB}\) to show
For a finite set S, let \(\mathsf {Uni}(S)\) be a probabilistic algorithm that returns uniform \(x \leftarrow S\) and recall that \(x := \mathsf {Uni}(S; r)\) denotes the deterministic execution of \(\mathsf {Uni}(S)\) using explicitly given random tape r. To prove Eq. (5), consider the unbounded adversary \(\mathsf {C}=(\mathsf {C}_1, \mathsf {C}_2)\) defined in Fig. 11 that is executed in the generic search game \(\mathsf {GSPB}\), making at most \(Q_\mathsf {H}\) quantum queries to the oracle \({g(\cdot )} \rangle \). First note that computing the probabilities \(\lambda _{ pk }(W\parallel {M})=\lambda _{ pk }(W)\) in line 05 for all \(W\in \mathsf {WSet}\) and \({M}\in \mathsf {MSet}\) may take exponential time but since \(\mathsf {C}\) is computationally unbounded it does not matter.
To analyze \(\mathsf {C}\)’s success probability in game \(\mathsf {GSPB}\), we first fix a publickey \( pk \). Now consider some \(W\parallel {M}\) with nonzero amplitude as part of a query to quantum random oracle \(\mathsf {H}\). Set \(\mathsf {ChGOOD}_{ pk }(W)\) of “good challenges” is defined as
That is, the set \(\mathsf {ChGOOD}_{ pk }(W)\) contains all challenges \(c\) for which there exists a possible response \(Z\) to make \((W, c, Z)\) a valid transcript (with respect to \( pk \)). By definition of \(\mathsf {GSPB}\), each query to oracle \(g(W\parallel {M})\) returns \(y=1\) with probability \(\lambda _{ pk }(W\parallel {M}) = \mathsf {ChGOOD}_{ pk }(W) / \mathsf {ChSet}\). Hence, the output distribution of \(\mathsf {H}(W\parallel {M})\) sampled in lines 14 and 15 is uniform over \(\mathsf {ChSet}\), as in game \(G_1\). Consistency of \(\mathsf {H}\) is assured by deriving the randomness to sample c in case \(y=0\) (lines 14 and 15) using fixed random coins \(f_{2Q_\mathsf {H}}(W\parallel {M})\), derived by a \(2Q_\mathsf {H}\)wise independent hash function \(f_{2Q_\mathsf {H}}\) (which looks like a perfectly random function to \(\mathsf {A}\)).
Now consider \(\mathsf {A}\)’s forgery \(\sigma ^* = (W^*, Z^*)\) on message \({M}^*\) and define \(c^* := \mathsf {H}(W^* \parallel {M}^*)\). If the signature is valid (i.e., \({\mathsf {V}}( pk , W^*,c^*,Z^*)=1\)), then clearly \(c^*\) is a good challenge from set \(\mathsf {ChGOOD}_{ pk }( W^*)\) which implies \(g(W^* \parallel {M}^*)=1\). This proves
where
Averaging Eq. (7) over \( pk \leftarrow {\mathsf {LossyIGen}}\) we finally obtain
where the last inequality uses Eq. (3) for the optimal adversary. \(\square \)
4 DilithiumQROM
In this section, we present a modification of the \(\mathsf {Dilithium}\) digital signature scheme [16] whose security is based on MLWE in the QROM. We also present a new security proof of the original \(\mathsf {Dilithium}\) that shows it to be tightlysecure in the QROM based on a different noninteractive assumption. Since \(\mathsf {Dilithium}\) is a highlyoptimized version of a scheme constructed via the “FiatShamir with Aborts” framework [26], its details may be somewhat overwhelming to readers who are not already comfortable with such constructions. For this reason, we present a much simpler version of the signature scheme without any optimizations in the full version of this paper.
4.1 Preliminaries
Rings and Distributions. We let R and \(R_q\) respectively denote the rings \(\mathbb {Z}[X]/(X^{n}+1)\) and \(\mathbb {Z}_q[X]/(X^{n}+1)\), for an integer q. We will assume that \(q\equiv 5(\bmod \,8)\), as such a choice of q ensures that all polynomials in \(R_q\) with coefficients less than \(\sqrt{q/2}\) have an inverse in the ring [29, Lemma 2.2]. This property is crucial to our security proof. Regular font letters denote elements in R or \(R_q\) (which includes elements in \(\mathbb {Z}\) and \(\mathbb {Z}_q\)) and bold lowercase letters represent column vectors with coefficients in R or \(R_q\). By default, all vectors will be column vectors. Bold uppercase letters are matrices.
Modular reductions. For an even (resp. odd) positive integer \(\alpha \), we define \(r'=r\text { mod}^\pm \, \alpha \) to be the unique element \(r'\) in the range \(\frac{\alpha }{2}<r'\le \frac{\alpha }{2}\) (resp. \(\frac{\alpha 1}{2}\le r'\le \frac{\alpha 1}{2}\)) such that \(r'=r\bmod \alpha \). We will sometimes refer to this as a centered reduction modulo q. For any positive integer \(\alpha \), we define \(r'=r\text { mod}^+ \alpha \) to be the unique element \(r'\) in the range \(0\le r'<\alpha \) such that \(r'=r\bmod \alpha \). When the exact representation is not important, we simply write \(r\bmod \alpha \).
Sizes of elements. For an element \(w\in \mathbb {Z}_q\), we write \(\Vert w\Vert _\infty \) to mean \(w\text { mod}^\pm \, q\). We now define the \(\ell _\infty \) and \(\ell _2\) norms for \(w=w_0+w_1X+\ldots +w_{n1}X^{n1}\in R\):
Similarly, for \(\mathbf{w}=(w_1,\ldots ,w_k)\in R^k\), we define
We will write \(S_\eta \) to denote all elements \(w \in R\) such that \(\Vert w\Vert _\infty \le \eta \).
Extendable output function. Suppose that \(\mathsf {Sam}\) is an extendable output function, that is a function on bit strings in which the output can be extended to any desired length. If we would like \(\mathsf {Sam}\) to take as input x and then produce a value y that is distributed according to distribution S (or uniformly over a set S), we write \(y \sim S:=\mathsf {Sam}(x)\). It is important to note that this procedure is completely deterministic: a given x will always produce the same y. For simplicity we assume that the output distribution of \(\mathsf {Sam}\) is perfect, whereas in practice \(\mathsf {Sam}\) will be implemented using random oracles and produce an output that is statistically close to the perfect distribution. If K is a secret key, then \(\mathsf {Sam}(K \Vert x)\) is a pseudorandom function from \(\{0,1\}^* \rightarrow \{0,1\}^*\).
The Challenge Space. The challenge space in our identification and signature schemes needs to be a subset of the ring R, have size a little larger than \(2^{256}\), and consist of polynomials with small norms. In this paper, the dimension n of the ring R will be taken to be 512,^{Footnote 3} and so we will define the challenge space accordingly as
In other words, \(\mathsf {ChSet}\) consists of elements in R with \(1/0/1\) coefficients that have exactly 46 nonzero coefficients. The size of this set is \({n \atopwithdelims ()46}\cdot 2^{46}\), which for \(n=512\) is greater than \(2^{265}\).
The \(\mathsf {MLWE}\) Assumption. For integers m, k, and a probability distribution \(D: R_q\rightarrow [0,1]\), we say that the advantage of algorithm \(\mathsf {A}\) in solving the decisional \(\mathsf {MLWE}_{m,k,D}\) problem over the ring \(R_q\) is
The MLWE assumption states that the above advantage is negligible for all polynomialtime algorithms \(\mathsf {A}\). This assumption was introduced in [25], and is generalization of the \(\mathsf{LWE}\) assumption from [35]. The \(\mathsf {Ring\text {}LWE}\) assumption [30] is a special case of \(\mathsf {MLWE}\) where \(k=1\). Analogously to \(\mathsf{LWE}\) and \(\mathsf {Ring\text {}LWE}\), it was shown in [25] that solving the \(\mathsf {MLWE}\) problem for certain parameters is as hard as solving certain worstcase problems in certain algebraic lattices.
Summary of Supporting Algorithms. To reduce the size of the public key, we will need some simple algorithms that extract “higherorder” and “lowerorder” bits of elements in \(\mathbb {Z}_q\). The goal is that when given an arbitrary element \(r\in \mathbb {Z}_q\) and another small element \(z\in \mathbb {Z}_q\), we would like to be able to recover the higher order bits of \(r+z\) without needing to store z. We therefore define algorithms that take r, z and produce a 1bit hint h that allows one to compute the higher order bits of \(r+z\) just using r and h. This hint is essentially the “carry” caused by z in the addition. The algorithms are exactly as in [16], and we repeat them for convenience in Fig. 12. The algorithms are described as working on integers modulo q, but are extended to polynomials in \(R_q\) by simply being applied individually to each coefficient.
The below Lemmas recall the crucial properties of these supporting algorithms that are necessary for the correctness and security of our scheme.
Lemma 4.1
Suppose that q and \(\alpha \) are positive integers satisfying \(q>2\alpha \), \(q\equiv 1 \pmod {\alpha }\) and \(\alpha \) even. Let \(\mathbf{r}\) and \(\mathbf{z}\) be vectors of elements in \(R_q\) where \(\Vert \mathbf{z}\Vert _\infty \le \alpha /2\), and let \(\mathbf{h}, \mathbf{h}'\) be vectors of bits. Then the \(\mathsf {HighBits}_q\), \(\mathsf {MakeHint}_q\), and \(\mathsf {UseHint}_q\) algorithms satisfy the following properties:

1.
\(\mathsf {UseHint}_q(\mathsf {MakeHint}_q(\mathbf{z},\mathbf{r},\alpha ),\mathbf{r},\alpha )=\mathsf {HighBits}_q(\mathbf{r}+\mathbf{z},\alpha )\).

2.
Let \(\mathbf{v}_1=\mathsf {UseHint}_q(\mathbf{h},\mathbf{r},\alpha )\). Then \(\Vert \mathbf{r}\mathbf{v}_1\cdot \alpha \Vert _\infty \le \alpha +1\).

3.
For any \(\mathbf{h},\mathbf{h}'\), if \(\mathsf {UseHint}_q(\mathbf{h},\mathbf{r},\alpha )=\mathsf {UseHint}_q(\mathbf{h}',\mathbf{r},\alpha )\), then \(\mathbf{h}=\mathbf{h}'\).
Lemma 4.2
If \(\Vert \mathbf{s}\Vert _\infty \le \beta \) and \(\Vert \mathsf {LowBits}_q(\mathbf{r},\alpha )\Vert _\infty <\alpha /2\beta \), then
4.2 The Identification Protocol
The constituting algorithms of our identification protocol \(\mathsf {ID}=({\mathsf {IGen}},{\mathsf {P}}_1,{\mathsf {P}}_2, {\mathsf {V}})\) are described in Fig. 13 with the concrete parameters \(\mathsf {par}= (q,n,k,\ell ,d,\gamma ,\)\(\gamma ',\eta ,\beta )\) given later in Table 1.
Key Generation. The key generation proceeds by choosing a random 256bit seed \(\rho \) and expanding into a matrix \(\mathbf{A}\in R_q^{k\times \ell }\) by an extendable output function \(\mathsf {Sam}\) modeled as a random oracle. The secret keys \((\mathbf{s}_1,\mathbf{s}_2)\in S_\eta ^\ell \times S_\eta ^k\) have uniformly random coefficients between \(\eta \) and \(\eta \) (inclusively). The value \(\mathbf{t}=\mathbf{A}\mathbf{s}_1+\mathbf{s}_2\) is then computed. The public key that is needed for verification is \((\rho ,\mathbf{t}_1)\) with \(\mathbf{t}_1\) output by the \(\mathsf {Power2Round}_q(\mathbf{t},d)\) algorithm in Fig. 12 (we have \(\mathbf{t}=\mathbf{t}_1\cdot 2^d +\mathbf{t}_0\) for some small \(\mathbf{t}_0\)), while the secret key is \((\rho , \mathbf{s}_1,\mathbf{s}_2,\mathbf{t}_0)\).
While the verifier never needs the value \(\mathbf{t}_0\) (and thus it does not need to be included in the public key of the actual scheme), we do need this value in order to simulate transcripts (see Sect. 4.3). Thus the security of our scheme is based on the fact that the adversary gets \(\mathbf{t}_1\) and \(\mathbf{t}_0\), whereas in reality he only gets \(\mathbf{t}_1\).
The set \(\mathsf {ChSet}\) is defined as in Eq. (8), and \(\mathsf {ZSet}= S^\ell _{\gamma '\beta 1}\times \{0,1\}^k\). The set of commitments \(\mathsf {WSet}\) is defined as \(\mathsf {WSet}=\{\mathbf{w}_1~:~\exists \mathbf{y}\in S_{\gamma '1}^\ell \text { s.t. }\mathbf{w}_1=\mathsf {HighBits}_q(\mathbf{A}\mathbf{y},2\gamma )\}.\)
Protocol Execution. The prover starts the identification protocol by reconstructing \(\mathbf{A}\) from the random seed \(\rho \). The next step has the prover sample \(\mathbf{y}\leftarrow S_{\gamma '1}^\ell \) and then compute \(\mathbf{w}=\mathbf{A}\mathbf{y}\). He then writes \(\mathbf{w}=2\gamma \cdot \mathbf{w}_1+\mathbf{w}_0\), with \(\mathbf{w}_0\) between \(\gamma \) and \(\gamma \) (inclusively), and then sends \(\mathbf{w}_1\) to the verifier. The verifier generates a random challenge \(c\leftarrow \mathsf {ChSet}\) and sends it to the prover. The prover computes \(\mathbf{z}=\mathbf{y}+c\mathbf{s}\). If \(\mathbf{z}\notin S_{\gamma '\beta 1}^\ell \), then the prover sets his response to \(\bot \). He also replies with \(\bot \) if \(\mathsf {LowBits}_q(\mathbf{w}c\mathbf{s}_2,2\gamma )\notin S_{\gamma \beta 1}^k\). This part of the protocol is necessary for security – it makes sure that \(\mathbf{z}\) does not leak anything about the secret key \(\mathbf{s}_1,\mathbf{s}_2\).
If the checks pass and a \(\bot \) is not sent, then it can be shown (see Sect. 4.3) that \(\mathsf {HighBits}_q(\mathbf{A}\mathbf{z}c\mathbf{t},2\gamma )=\mathbf{w}_1\). At this point, if the verifier knew the entire element \(\mathbf{t}\) and \((\mathbf{z}, c)\), he could have recovered \(\mathbf{w}_1\) and checked that \(\Vert \mathbf{z}\Vert _\infty <\gamma '\beta \) and that the highorder bits of \(\mathbf{A}\mathbf{z}c\mathbf{t}\) are indeed \(\mathbf{w}_1\). However, since we want to compress the size of the public key, the verifier only knows \(\mathbf{t}_1\). Hence, the signer needs to provide a “hint” \(\mathbf{h}\) which will allow the verifier to compute \(\mathsf {HighBits}_q(\mathbf{A}\mathbf{z}c\mathbf{t},2\gamma )\).
The verifier checks whether \(\Vert \mathbf{z}\Vert _\infty < \gamma '\beta \) and that \(\mathbf{A}\mathbf{z}c\mathbf{t}_1\cdot 2^d\) together with the hint \(\mathbf{h}\) allow him to reconstruct \(\mathbf{w}_1\). We should point out that in the identification scheme it is actually not necessary for the verifier to be able to recover exactly \(\mathbf{w}_1\). He could have simply checked that \(\mathbf{A}\mathbf{z}c\mathbf{t}_1\cdot 2^d \approx \mathbf{w}_1\) and this would be good enough for security. The reason that we want the verifier to be able to exactly recover \(\mathbf{w}_1\) is to make the ID scheme commitmentrecoverable and be able to reduce the communication size in the FiatShamir transform (see Sect. 3.1).
4.3 Security Properties
In this section we analyze the security of \(\mathsf {ID}\). Most of the proofs are postponed to the full version.
Non Abort Honest Verifier ZeroKnowledge. In this section, we will show that \(\mathsf {ID}\) is perfectly \(\mathsf {naHVZK}\), i.e., the distribution of the output of the \(\mathsf {Trans}\) algorithm (Fig. 14, left) that uses the secret key as input is exactly that of the \(\mathsf {Sim}\) algorithm (Fig. 14, right) that uses only the public key as input.
Lemma 4.3
If \(\beta \ge \max _{s\in S_{\eta },c\in \mathsf {ChSet}}\Vert cs\Vert _\infty \), then \(\mathsf {ID}\) is perfectly \(\mathsf {naHVZK}\).
Correctness. In this section, we compute the probability that the Prover does not send \(\bot \) and then show that the verification procedure will always accept a transcript when the Prover does not send \(\bot \).
Lemma 4.4
If \(\beta \ge \max _{s\in S_{\eta },c\in \mathsf {ChSet}}\Vert cs\Vert _\infty \) then \(\mathsf {ID}\) has correctness error \(\delta \approx 1\exp {(\beta n\cdot (k/\gamma +\ell /\gamma '))}\).
Lossyness. In this section, we analyze the scheme in which the public key is generated uniformly at random, as in algorithm \({\mathsf {LossyIGen}}\) of Fig. 15, rather than as in \({\mathsf {IGen}}\) of Fig. 13. Our goal is to show that even if the prover is computationally unbounded, he only has approximately a \(1/\mathsf {ChSet}\) probability of making the verifier accept during each run of the identification scheme. This will show that the probability in Eq. (3) is upperbounded by approximately \(1/\mathsf {ChSet}\).
By observing that the output of \({\mathsf {LossyIGen}}\) is uniformly random over \(R_q^{k\times \ell }\times R_q^k\) and the output of \({\mathsf {IGen}}\) in Fig. 13 is \((\mathbf{A},\mathbf{A}\mathbf{s}_1+\mathbf{s}_2)\) where \(\mathbf{A}\leftarrow R_q^{k\times \ell }\) and \((\mathbf{s}_1,\mathbf{s}_2)\leftarrow S_\eta ^\ell \times S_\eta ^k\), we have that
where D is the uniform distribution over \(S_\eta \).
Lemma 4.5
If \(4\gamma +2,\, 2\gamma '<\sqrt{q/2}\) and \(\gamma '<\gamma \beta \), and \(\ell \le k\), then \(\mathsf {ID}\) has \(\varepsilon _{\mathsf {ls}}\)lossy soundness for
Our proof follows the framework from [3, 22]. Then to prove Lemma 4.5, we show that if \(\mathsf {C}\), who outputs the first message \((\mathbf{w}_1, St )\) in the \(\mathsf {LOSSY\text {}IMP}\) game (see Fig. 16) is able to correctly respond to more than one random challenge c, then the previously mentioned linear equation will have a solution, which with high probability is not possible. Therefore we conclude that for virtually all \(\mathbf{A},\mathbf{t}\) output by \({\mathsf {LossyIGen}}\), there exists (at most) only one challenge for which the prover can respond to, and therefore his success probability is at most \(1/\mathsf {ChSet}\).
Min Entropy. In Lemma 4.6 we will prove that the \(\mathbf{w}_1\) sent by the honest prover in the first step is extremely likely to be distinct for every run of the protocol.
Lemma 4.6
If \(2\gamma ,\,2\gamma '<\sqrt{q/2}\) and \(\ell \le k\), then the identification scheme \(\mathsf {ID}\) in Fig. 13 has
bits of minentropy (as in Definition 2.6).
Computational Unique Response. In this section we state that our scheme satisfies the Computational Unique Response (\({\mathsf {CUR}}\)) property required for strongunforgeability of the signature scheme.
Lemma 4.7
If \(4\gamma +2,\, 2\gamma '<\sqrt{q/2}\) and \(\gamma '<\gamma \beta \), and \(\ell \le k\) (i.e. the same conditions as in Lemma 4.5), then \(\mathrm {Adv}^{\mathsf {CUR}}_\mathsf {ID}(\mathsf {A}) < \left( \frac{32\gamma \gamma '}{q}\right) ^{nk}\) for every (even unbounded) adversary \(\mathsf {A}\).
4.4 The \(\mathsf {Dilithium\text {}QROM}\) Signature Scheme and Concrete Parameters
In this section, we describe the signature scheme \(\mathsf {Dilithium\text {}QROM}\) (Fig. 17) which is obtained via the FiatShamir transform from the scheme \(\mathsf {ID}\) of Fig. 13 and using \(\mathsf {Sam}(K \parallel \cdot )\) as a pseudorandom function. We then instantiate it with concrete parameters (Table 1) and compare them for the same security level with those in [16].
The parameters for our scheme are dictated by the requirements for the scheme to be stronglyunforgeable in Theorem 3.1 which gives an upper bound on \(\mathrm {Adv}^{{\mathsf {sUF\text {}CMA}}}_{\mathsf {Dilithium\text {}QROM}}(\mathsf {A})\). Following [24], for “\(\kappa \) bits of quantum security” for \(\mathsf {Dilithium\text {}QROM}\) we require that for all quantum adversaries \(\mathsf {A}\) running in time at most \(2^\kappa \),
To this end, we need to put bounds on the parameters \(\varepsilon _{\mathsf {ls}},\varepsilon _{\mathsf {zk}},\) and \(\alpha \). Lemma 4.3 tells us that
To lowerbound \(\alpha \), note that in the parameters, we always have \(2\gamma =2\gamma '<\sqrt{q/2}\), and using a lemma in the full version of the paper, we can conclude that \(\alpha \) is greater than 2900. Thus the \(2^{\alpha }\) term has absolutely no practical effect in Theorem 3.1 for the parameters in Sect. 4.4.
Lemma 4.7 states that as long as \(4\gamma + 2\) and \(2\gamma ' < \sqrt{q/2}\), we will have \(\mathrm {Adv}^{\mathsf {CUR}}_\mathsf {ID}(\mathsf {C})<\left( \frac{32\gamma \gamma '}{q}\right) ^{nk}\). The parameters in Table 1 indeed satisfy the preconditions, and so \(\mathrm {Adv}^{\mathsf {CUR}}_\mathsf {ID}(\mathsf {C})<\left( \frac{32\gamma \gamma '}{q}\right) ^{nk}< 2^{865}.\)
We finally turn to bounding \(\varepsilon _{\mathsf {ls}}\). Notice that Lemma 4.5 directly implies that
The size of the challenge set \(\mathsf {ChSet}\) defined in Eq. (8) is larger than \(2^{265}\), and so the above is at most
Plugging everything into the equation at the end of Sect. 3.1, we obtain
Table 1 also shows that the parameters of the \(\mathsf {MLWE}\) problem are chosen such that it provides 128 bits of quantum security (using the same metric as was used in the original Dilithium scheme [16].) Assuming \(\mathsf {Sam}\) provides 128 bits security when used as a pseudorandom function, we conclude that for all quantum adversaries running in time at most \(2^{128}\) and making \(1\le Q_\mathsf {H}\le 2^{128}\) (quantum) queries to \(\mathsf {H}\), and we have
The signature size in \(\mathsf {Dilithium\text {}QROM}\) is \((n\cdot \ell \cdot ( \lceil \log (2\gamma )\rceil ) + nk + 46\cdot (\log (n)+1))/8\) bytes, while the public key is \((n\cdot k\cdot (\lceil \log (q)\rceil  d)+256)/8\) bytes.
In Table 1, we compare the parameters from the current scheme, which can be proved secure based on the hardness of \(\mathsf {MLWE}\) in the QROM, to those of the original \(\mathsf {Dilithium}\) scheme from [16], which only has a classical security reduction from the combination of \(\mathsf {MLWE}\) and \(\mathsf {MSIS}\) (we introduce this latter problem in the next section). One can see that the sum of the public key and signature sizes are approximately 3.2 times larger in \(\mathsf {Dilithium\text {}QROM}\) than in \(\mathsf {Dilithium}\).
4.5 Security Assumptions for Nonlossy Schemes
The reduction from the \(\mathsf {MLWE}\) problem to the hardness of the \(\mathsf {Dilithium\text {}QROM}\) scheme was a direct consequence of Theorem 3.1, which is itself a combination of Theorems 3.2 and 3.4. In this section, we consider the security of schemes for which Theorem 3.4 is inapplicable. In particular, in these schemes it is no longer true that a computationallyunbounded adversary cannot win the \(\mathsf {LOSSY\text {}IMP}\) game. The reason that one would like to use schemes constructed in such a manner is because they turn out to be more efficient. In particular, the original \(\mathsf {Dilithium}\) scheme^{Footnote 4} [16], which is virtually identical to the \(\mathsf {Dilithium\text {}QROM}\) presented in this paper except for the parameter sizes, has outputs (of the public key plus signature) that are smaller by a factor of a little over 3 (see Table 1).
But while the \(\mathsf {Dilithium}\) scheme has a security reduction from standard lattice problems in the classical randomoracle model, there is no such reduction in the quantum randomoracle model. Nevertheless, it is unclear whether this lack of reduction implies any weakness against quantum attacks. It would therefore be useful to understand exactly what assumptions the more efficient scheme is relying on in the quantum randomoracle model.
Let us suppose that the parameters for the \(\mathsf {Dilithium}\) scheme are set such that Theorem 3.2 is still applicable. That is, suppose that \(\varepsilon _{\mathsf {zk}}=0\), \(\alpha \) is very large, and the scheme is commitmentrecoverable. In this case, ignoring the \(2^{\alpha +1}\) term, Theorem 3.2 states that the security of the full signature scheme is exactly the security of the \({\mathsf {UF\text {}NMA}}\) signature scheme in the quantum randomoracle model. Since the adversary does not obtain any valid signatures in the \({\mathsf {UF\text {}NMA}}\) security game, the security assumption of such signatures is noninteractive.
Below, we recall the standard \(\mathsf {MSIS}\) assumption and then define a new assumption, \(\mathsf {SelfTargetMSIS}\), upon which the security of \(\mathsf {Dilithium}\) is based. We also point out that in the classical randomoracle model, there is a (nontight) reduction from the \(\mathsf {MSIS}\) to the \(\mathsf {SelfTargetMSIS}\) problem. Then we show that the \(\mathsf {Dilithium}\) scheme for which Theorem 3.4 is not necessarily applicable, still has a security reduction from the combination of \(\mathsf {MLWE}\) and \(\mathsf {SelfTargetMSIS}\) problems.
The \(\mathsf {MSIS}\) and \(\mathsf {SelfTargetMSIS}\) Problems. The \(\mathsf {MSIS}\) problem [25] is a generalization of the \(\mathsf{SIS}\) [4] and \(\mathsf {Ring\text {}SIS}\) [28, 33] problems in the same way that \(\mathsf {MLWE}\) is a generalization of \(\mathsf{LWE}\) and \(\mathsf {Ring\text {}LWE}\). To an algorithm \(\mathsf {A}\) we associate the advantage function \(\mathrm {Adv}^\mathsf {MSIS}_{m,k,\gamma }(\mathsf {A})\) to solve the (Hermite Normal Form) \(\mathsf {MSIS}_{m,k,\gamma }\) problem over the ring \(R_q\) as
As for \(\mathsf{SIS}\) and \(\mathsf {Ring\text {}SIS}\), it was shown that solving \(\mathsf {MSIS}\) for certain parameters is as hard as worstcase instances of lattice problems over algebraic lattices of a certain form [25].
Suppose that \(\mathsf {H}: \{0,1\}^* \rightarrow \mathsf {ChSet}\) is a cryptographic hash function. To an algorithm \(\mathsf {A}\) we associate the advantage function \(\mathrm {Adv}^\mathsf {SelfTargetMSIS}_{\mathsf {H},m,k,\gamma }(\mathsf {A})\) to solve the \(\mathsf {SelfTargetMSIS}_{\mathsf {H},m,k,\gamma }\) problem over the ring \(R_q\) as
If \(\mathsf {A}\) only has classical access to \(\mathsf {H}\), then there is a reduction, using the forking lemma [9, 34], to prove that \( \mathrm {Adv}^\mathsf {SelfTargetMSIS}_{\mathsf {H},m,k,\gamma }(\mathsf {B}) \approx \sqrt{\mathrm {Adv}^\mathsf {MSIS}_{m,k,2\gamma }(\mathsf {A})/Q_\mathsf {H}}\), where \(Q_\mathsf {H}\) is the number of classical queries to \(\mathsf {H}\).^{Footnote 5} This reduction is standard and is implicit in the (classical) security proofs of digital signatures based on the hardness of the \(\mathsf{SIS}\) problem (cf. [16, 27]).
Security based on \(\mathsf {MLWE}\), \(\mathsf {MSIS}\), and \(\mathsf {SelfTargetMSIS}\) in the QROM. The QROM security of (deterministic) \(\mathsf {Dilithium}\) can be expressed as
for D a uniform distribution over \(S_\eta \),
where \(\rho \) is the number of \(\pm 1\)’s in the challenge set \(\mathsf {ChSet}\), and
The proof that the minentropy \(\alpha \) is greater than 255, and the proof for strong unforgeability appears in the full version of the paper. The bound in Eq. (10) is then obtained by combining Theorem 3.2 with results from Sect. 4.3.
Notes
 1.
There do not exist q for which \(\mathbb {Z}_q[X]/(X^n+1)\) is a field.
 2.
Together with the observation that taking the conjugatecomplex and transposing \(U_{\textsc {O}}\) do not change \(U_{\textsc {O}}\), we obtain \(U_{\textsc {O}}^\dag = U_{\textsc {O}}\), and hence, \(U_{\textsc {O}} U_{\textsc {O}}^\dag = U_{\textsc {O}}^2 = \mathbbm {1}\), showing that \(U_{\textsc {O}}\) is indeed a unitary transformation.
 3.
In Sect. 4.5, we will also discuss a scheme where \(n=256\). For that scheme the challenge space consists of 60 \(\pm 1\)’s.
 4.
We refer to the deterministic version of the scheme.
 5.
This can be improved to \(Q_\mathsf {H}\mathrm {Adv}^\mathsf {SelfTargetMSIS}_{\mathsf {H},m,k,\gamma }(\mathsf {B})/\mathrm {Time}(\mathsf {B}) \approx \mathrm {Adv}^\mathsf {MSIS}_{m,k,2\gamma }(\mathsf {A})/\mathrm {Time}(\mathsf {A})\).
References
NIST Special Publication 800–165 Computer Security Division 2012 Annual Report, p. 39, June 2013. https://csrc.nist.gov/Projects/PostQuantumCryptography. Accessed 30 Jan 2014. 554
Abdalla, M., An, J.H., Bellare, M., Namprempre, C.: From identification to signatures via the FiatShamir transform: minimizing assumptions for security and forwardsecurity. In: Knudsen, L.R. (ed.) EUROCRYPT 2002. LNCS, vol. 2332, pp. 418–433. Springer, Heidelberg (2002). https://doi.org/10.1007/3540460357_28. 553
Abdalla, M., Fouque, P.A., Lyubashevsky, V., Tibouchi, M.: Tightlysecure signatures from lossy identification schemes. In: Pointcheval, D., Johansson, T. (eds.) EUROCRYPT 2012. LNCS, vol. 7237, pp. 572–590. Springer, Heidelberg (2012). https://doi.org/10.1007/9783642290114_34. 553, 554, 555, 556, 558, 564, 578
Ajtai, M.: Generating hard instances of lattice problems (extended abstract). In: 28th ACM STOC, pp. 99–108. ACM Press, May 1996. 582
Alkim, E., Bindel, N., Buchmann, J., Dagdelen, Ö., Eaton, E., Gutoski, G., Krämer, J., Pawlega, F.: Revisiting TESLA in the quantum random oracle model. In: Lange, T., Takagi, T. (eds.) PQCrypto 2017. LNCS, vol. 10346, pp. 143–162. Springer, Cham (2017). https://doi.org/10.1007/9783319598796_9. 554, 555, 556, 558
Ambainis, A., Rosmanis, A., Unruh, D.: Quantum attacks on classical proof systems: the hardness of quantum rewinding. In: 55th FOCS, pp. 474–483. IEEE Computer Society Press, October 2014. 554
Bai, S., Galbraith, S.D.: An improved compression technique for signatures based on learning with errors. In: Benaloh, J. (ed.) CTRSA 2014. LNCS, vol. 8366, pp. 28–47. Springer, Cham (2014). https://doi.org/10.1007/9783319048529_2. 554, 558
Beals, R., Buhrman, H., Cleve, R., Mosca, M., Wolf, R.: Quantum lower bounds by polynomials. In: 39th FOCS, pp. 352–361. IEEE Computer Society Press, November 1998. 560
Bellare, M., Neven, G.: Multisignatures in the plain publickey model and a general forking lemma. In: Juels, A., Wright, R.N., Vimercati, S. (eds.) ACM CCS 2006, pp. 390–399. ACM Press, October/November 2006. 553, 583
Bellare, M., Poettering, B., Stebila, D.: From identification to signatures, tightly: a framework and generic transforms. In: Cheon, J.H., Takagi, T. (eds.) ASIACRYPT 2016, Part II. LNCS, vol. 10032, pp. 435–464. Springer, Heidelberg (2016). https://doi.org/10.1007/9783662538906_15. 556, 565
Bellare, M., Rogaway, P.: Random oracles are practical: a paradigm for designing efficient protocols. In: Ashby, V. (ed.) ACM CCS 1993, pp. 62–73. ACM Press, November 1993. 553, 560
Bennett, C.H., Bernstein, E., Brassard, G., Vazirani, U.V.: Strengths and weaknesses of quantum computing. SIAM J. Comput. 26(5), 1510–1523 (1997). 554, 555
Boneh, D., Dagdelen, Ö., Fischlin, M., Lehmann, A., Schaffner, C., Zhandry, M.: Random oracles in a quantum world. In: Lee, D.H., Wang, X. (eds.) ASIACRYPT 2011. LNCS, vol. 7073, pp. 41–69. Springer, Heidelberg (2011). https://doi.org/10.1007/9783642253850_3. 554, 555, 560
Groot Bruinderink, L., Hülsing, A., Lange, T., Yarom, Y.: Flush, gauss, and reload – a cache attack on the BLISS latticebased signature scheme. In: Gierlichs, B., Poschmann, A.Y. (eds.) CHES 2016. LNCS, vol. 9813, pp. 323–345. Springer, Heidelberg (2016). https://doi.org/10.1007/9783662531402_16. 555
Ducas, L., Durmus, A., Lepoint, T., Lyubashevsky, V.: Lattice signatures and bimodal Gaussians. In: Canetti, R., Garay, J.A. (eds.) CRYPTO 2013, Part I. LNCS, vol. 8042, pp. 40–56. Springer, Heidelberg (2013). https://doi.org/10.1007/9783642400414_3. 555
Ducas, L., Kiltz, E., Lepoint, T., Lyubashevsky, V., Schwabe, P., Seiler, G., Stehlé, D.: CRYSTALSDilithium: a latticebased digital signature scheme. IACR Trans. Cryptogr. Hardw. Embed. Syst. 2018(1), 238–268 (2018). 554, 555, 557, 573, 575, 579, 580, 581, 582, 583
Ducas, L., Lyubashevsky, V., Prest, T.: Efficient identitybased encryption over NTRU lattices. In: Sarkar, P., Iwata, T. (eds.) ASIACRYPT 2014, Part II. LNCS, vol. 8874, pp. 22–41. Springer, Heidelberg (2014). https://doi.org/10.1007/9783662456088_2. 555, 554
Eaton, E., Song, F.: Making existentialunforgeable signatures strongly unforgeable in the quantum randomoracle model. In: 10th Conference on the Theory of Quantum Computation, Communication and Cryptography, TQC 2015, Brussels, Belgium, pp. 147–162, 20–22 May 2015. 554
Espitau, T., Fouque, P., Gérard, B., Tibouchi, M.: Sidechannel attacks on BLISS latticebased signatures  exploiting branch tracing against strongSwan and electromagnetic emanations in microcontrollers. IACR Cryptology ePrint Archive 2017, 505 (2017). http://eprint.iacr.org/2017/505. 555
Fiat, A., Shamir, A.: How to prove yourself: practical solutions to identification and signature problems. In: Odlyzko, A.M. (ed.) CRYPTO 1986. LNCS, vol. 263, pp. 186–194. Springer, Heidelberg (1987). https://doi.org/10.1007/3540477217_12. 553
Hülsing, A., Rijneveld, J., Song, F.: Mitigating multitarget attacks in hashbased signatures. In: Cheng, C.M., Chung, K.M., Persiano, G., Yang, B.Y. (eds.) PKC 2016, Part I. LNCS, vol. 9614, pp. 387–416. Springer, Heidelberg (2016). https://doi.org/10.1007/9783662493847_15. 556, 561
Katz, J., Wang, N.: Efficiency improvements for signature schemes with tight security reductions. In: Jajodia, S., Atluri, V., Jaeger, T. (eds.) ACM CCS 2003, pp. 155–164. ACM Press, October 2003. 553, 578
Kawachi, A., Tanaka, K., Xagawa, K.: Concurrently secure identification schemes based on the worstcase hardness of lattice problems. In: Pieprzyk, J. (ed.) ASIACRYPT 2008. LNCS, vol. 5350, pp. 372–389. Springer, Heidelberg (2008). https://doi.org/10.1007/9783540892557_23. 554, 558
Kiltz, E., Masny, D., Pan, J.: Optimal security proofs for signatures from identification schemes. In: Robshaw, M., Katz, J. (eds.) CRYPTO 2016, Part II. LNCS, vol. 9815, pp. 33–61. Springer, Heidelberg (2016). https://doi.org/10.1007/9783662530085_2. 554, 579
Langlois, A., Stehlé, D.: Worstcase to averagecase reductions for module lattices. Des. Codes Cryptogr. 75(3), 565–599 (2015). 574, 582
Lyubashevsky, V.: FiatShamir with aborts: applications to lattice and factoringbased signatures. In: Matsui, M. (ed.) ASIACRYPT 2009. LNCS, vol. 5912, pp. 598–616. Springer, Heidelberg (2009). https://doi.org/10.1007/9783642103667_35. 553, 554, 555, 557, 558, 566, 573
Lyubashevsky, V.: Lattice signatures without trapdoors. In: Pointcheval, D., Johansson, T. (eds.) EUROCRYPT 2012. LNCS, vol. 7237, pp. 738–755. Springer, Heidelberg (2012). https://doi.org/10.1007/9783642290114_43. 583
Lyubashevsky, V., Micciancio, D.: Generalized compact knapsacks are collision resistant. In: Bugliesi, M., Preneel, B., Sassone, V., Wegener, I. (eds.) ICALP 2006, Part II. LNCS, vol. 4052, pp. 144–155. Springer, Heidelberg (2006). https://doi.org/10.1007/11787006_13. 582
Lyubashevsky, V., Neven, G.: Oneshot verifiable encryption from lattices. In: Coron, J.S., Nielsen, J.B. (eds.) EUROCRYPT 2017, Part I. LNCS, vol. 10210, pp. 293–323. Springer, Cham (2017). https://doi.org/10.1007/9783319566207_11. 557, 573
Lyubashevsky, V., Peikert, C., Regev, O.: On ideal lattices and learning with errors over rings. In: Gilbert, H. (ed.) EUROCRYPT 2010. LNCS, vol. 6110, pp. 1–23. Springer, Heidelberg (2010). https://doi.org/10.1007/9783642131905_1. 574
Nielsen, M.A., Chuang, I.L.: Quantum Computation and Quantum Information. Cambridge University Press, Cambridge (2000). 560
Paillier, P., Vergnaud, D.: Discretelogbased signatures may not be equivalent to discrete log. In: Roy, B. (ed.) ASIACRYPT 2005. LNCS, vol. 3788, pp. 1–20. Springer, Heidelberg (2005). https://doi.org/10.1007/11593447_1. 553
Peikert, C., Rosen, A.: Efficient collisionresistant hashing from worstcase assumptions on cyclic lattices. In: Halevi, S., Rabin, T. (eds.) TCC 2006. LNCS, vol. 3876, pp. 145–166. Springer, Heidelberg (2006). https://doi.org/10.1007/11681878_8. 582
Pointcheval, D., Stern, J.: Security arguments for digital signatures and blind signatures. J. Cryptol. 13(3), 361–396 (2000). 553, 554, 583
Regev, O.: On lattices, learning with errors, random linear codes, and cryptography. In: Gabow, H.N., Fagin, R. (eds.) 37th ACM STOC, pp. 84–93. ACM Press, May 2005. 574
Unruh, D.: Noninteractive zeroknowledge proofs in the quantum random oracle model. In: Oswald, E., Fischlin, M. (eds.) EUROCRYPT 2015, Part II. LNCS, vol. 9057, pp. 755–784. Springer, Heidelberg (2015). https://doi.org/10.1007/9783662468036_25. 554, 558
Unruh, D.: Postquantum security of FiatShamir. In: Takagi, T., Peyrin, T. (eds.) ASIACRYPT 2017, Part I. LNCS, vol. 10624, pp. 65–95. Springer, Cham (2017). https://doi.org/10.1007/9783319706948_3. 555, 556, 558
Unruh, D.: Postquantum security of fiatshamir. Cryptology ePrint Archive, Report 2017/398 (2017). http://eprint.iacr.org/2017/398. 555, 558, 559
Zhandry, M.: How to construct quantum random functions. In: 53rd FOCS, pp. 679–687. IEEE Computer Society Press, October 2012. 561, 556
Zhandry, M.: Secure identitybased encryption in the quantum random oracle model. In: SafaviNaini, R., Canetti, R. (eds.) CRYPTO 2012. LNCS, vol. 7417, pp. 758–775. Springer, Heidelberg (2012). https://doi.org/10.1007/9783642320095_44. 560
Acknowledgments
Eike Kiltz was supported in part by ERC Project ERCC (FP7/615074) and by DFG SPP 1736 Big Data. Vadim Lyubashevsky was supported by the SNSF ERC Transfer Starting Grant CRETP2166734FELICITY and the H2020 Project SAFEcrypto. Christian Schaffner was supported by a NWO VIDI grant (639.022.519). The authors are grateful to Dominique Unruh and the anonymous reviewers for comments and discussions.
Author information
Authors and Affiliations
Corresponding author
Editor information
Editors and Affiliations
Rights and permissions
Copyright information
© 2018 International Association for Cryptologic Research
About this paper
Cite this paper
Kiltz, E., Lyubashevsky, V., Schaffner, C. (2018). A Concrete Treatment of FiatShamir Signatures in the Quantum RandomOracle Model. In: Nielsen, J., Rijmen, V. (eds) Advances in Cryptology – EUROCRYPT 2018 . EUROCRYPT 2018. Lecture Notes in Computer Science(), vol 10822. Springer, Cham. https://doi.org/10.1007/9783319783727_18
Download citation
DOI: https://doi.org/10.1007/9783319783727_18
Published:
Publisher Name: Springer, Cham
Print ISBN: 9783319783710
Online ISBN: 9783319783727
eBook Packages: Computer ScienceComputer Science (R0)