A Concrete Treatment of Fiat-Shamir Signatures in the Quantum Random-Oracle Model
Abstract
The Fiat-Shamir transform is a technique for combining a hash function and an identification scheme to produce a digital signature scheme. The resulting scheme is known to be secure in the random oracle model (ROM), which does not, however, imply security in the scenario where the adversary also has quantum access to the oracle. The goal of this current paper is to create a generic framework for constructing tight reductions in the QROM from underlying hard problems to Fiat-Shamir signatures.
Our generic reduction is composed of two results whose proofs, we believe, are simple and natural. We first consider a security notion (UF-NMA) in which the adversary obtains the public key and attempts to create a valid signature without accessing a signing oracle. We give a tight reduction showing that deterministic signatures (i.e., ones in which the randomness is derived from the message and the secret key) that are UF-NMA secure are also secure under the standard chosen message attack (UF-CMA) security definition. Our second result shows that if the identification scheme is “lossy”, as defined in (Abdalla et al. Eurocrypt 2012), then the security of the UF-NMA scheme is tightly based on the hardness of distinguishing regular and lossy public keys of the identification scheme. This latter distinguishing problem is normally exactly the definition of some presumably-hard mathematical problem. The combination of these components gives our main result.
As a concrete instantiation of our framework, we modify the recent lattice-based Dilithium digital signature scheme (Ducas et al., TCHES 2018) so that its underlying identification scheme admits lossy public keys. The original Dilithium scheme, which is proven secure in the classical ROM based on standard lattice assumptions, has 1.5 KB public keys and 2.7 KB signatures. The new scheme, which is tightly based on the hardness of the Module-LWE problem in the QROM using our generic reductions, has 7.7 KB public keys and 5.7 KB signatures for the same security level. Furthermore, due to our proof of equivalence between the UF-NMA and UF-CMA security notions of deterministic signature schemes, we can formulate a new non-interactive assumption under which the original Dilithium signature scheme is also tightly secure in the QROM.
Keywords
Fiat-Shamir Signature; Quantum Random-Oracle Model; Canonical Identification Scheme; Public Key; Lossy Mode
1 Introduction
Fiat-Shamir Signatures from Identification Protocols. A canonical identification scheme [2] is a three-move authentication protocol \(\mathsf {ID}\) of a specific form. The prover (holding the secret key) sends a commitment \(W\) to the verifier. The verifier (holding the public key) returns a random challenge \(c\). The prover sends a response \(Z\). Finally, using the verification algorithm, the verifier accepts if the transcript \((W,c,Z)\) is correct. The Fiat-Shamir transformation [2, 20] combines a canonical identification scheme \(\mathsf {ID}\) and a hash function \(\mathsf {H}\) to obtain a digital signature scheme \({\mathsf {FS}}={\mathsf {FS}}[\mathsf {ID},\mathsf {H}]\). The signing algorithm first iteratively generates a transcript \((W,c,Z)\), where the challenge \(c\) is derived via \(c:=\mathsf {H}(W\parallel {M})\). The signature \(\sigma =(W, Z)\) is valid if the transcript \((W, c:=\mathsf {H}(W\parallel {M}), Z)\) makes the verification algorithm accept. Lyubashevsky [26] further generalized this to the “Fiat-Shamir with aborts” transformation to account for aborting provers.
Lossy Identification Schemes. With the goal of constructing signature schemes with a tight security reduction and generalizing a signature scheme by Katz and Wang [22], AFLT [3] introduced the new concept of lossy identification schemes and proved that Fiat-Shamir transformed signatures have a tight security reduction in the ROM. A lossy identification scheme comes with an additional lossy key generator that produces a lossy public key, computationally indistinguishable from an honestly generated public key. Further, relative to a lossy public key the identification scheme has statistical soundness, i.e., not even an unbounded adversary can successfully impersonate a prover. Figure 1 summarizes the known security results of Fiat-Shamir signatures in the ROM.
Quantum Random-Oracle Model. Recently, NIST announced a competition with the goal of standardizing new asymmetric encryption and signature schemes [1] with security against quantum adversaries, i.e., adversaries equipped with a quantum computer. There exist a number of (sometimes only implicitly defined) canonical identification schemes (e.g., [3, 5, 7, 16, 23, 26]) whose security relies on the hardness of certain problems over lattices and codes, which are generally believed to resist quantum adversaries. Quantum computers may execute all “offline primitives” such as the hash function on arbitrary superpositions, which motivated the introduction of the quantum (accessible) random-oracle model (QROM) [13]. That is, in the \({\mathsf {UF\text {-}CMA}}\) security experiment for signatures in the QROM, an adversary has quantum access to a perfect hash function \(\mathsf {H}\) and classical access to the signing oracle. Aiding in the construction of \({\mathsf {UF\text {-}CMA}}\) secure signatures with provable (post-quantum) security in the QROM is the main motivation of this paper.
Security of Fiat-Shamir signatures in the QROM. A number of recent works considered the security of Fiat-Shamir transformed signatures in the QROM. [13] proved a general result showing that if a reduction in the classical ROM is history-free, then it can also be carried out in the QROM. History-free reductions basically determine random oracle answers independently of the history of previous queries. For reductions that are not history-free, adaptive reprogramming of the quantum random oracle is required, which is problematic in the QROM: with one single quantum query to all inputs in superposition, an adversary might learn a superposition of all possible random oracle values, which essentially means the reduction has to provide plausible values for the whole random oracle at this point. Hence, adaptive reprogramming in the QROM is difficult (but not impossible, e.g., [12, 18, 36]).
Unfortunately, the known random-oracle proofs of Fiat-Shamir signatures [3, 24, 34] are not history-free. Beyond the general problem of adaptive reprogramming, the classical proof [34] uses rewinding and the Forking Lemma, a technique that we currently do not know how to extend to the quantum setting. Even worse, Ambainis et al. [6] proved that Fiat-Shamir signatures cannot be proven secure in a black-box way by just assuming computational special soundness and \(\mathsf {HVZK}\) (these two conditions are, on the other hand, sufficient for a proof in the classical ROM).
To circumvent the above negative result, Unruh [36] proposed an alternative Fiat-Shamir transformation with provable QROM security, but the resulting signatures are considerably less efficient as they require multiple executions of the underlying identification scheme.
Alkim et al. [5] gave a concrete tight security reduction for a signature scheme, TESLA, in the QROM. TESLA is a concrete lattice-based digital signature scheme implicitly derived via the Fiat-Shamir transformation. Their QROM proof from the learning with errors (\(\mathsf{LWE}\)) assumption adaptively reprograms the quantum random oracle using a technique from [12] and seems tailored to their particular identification protocol. As described in [5], the intuition behind the QROM security proof for TESLA comes from the fact that the underlying identification scheme is lossy. They leave it as an open problem to prove Fiat-Shamir signatures generically secure from lossy identification schemes.
Unruh [37] could prove (among other things) that identification schemes with \(\mathsf {HVZK}\) and statistical soundness yield \({\mathsf {UF\text {-}CMA}}\) secure Fiat-Shamir signatures in the QROM when additionally assuming a “dual-mode hard instance generator” for generating key pairs of the identification scheme. The latter dual-mode hard instance generator is very similar to lossy identification schemes. Whereas the original publication [37] only contains asymptotic proofs, a recently updated full version [38] also provides concrete security bounds. Below, in Sect. 1.2, we will compare them with our bounds.
1.1 Our Results
This work contains a simple and modular security analysis in the QROM of signatures \({\mathsf {FS}}[\mathsf {ID},\mathsf {H}]\) obtained via the Fiat-Shamir transform with aborts [26] from any lossy identification scheme \(\mathsf {ID}\). We also consider the security of a deterministic variant \({\mathsf {DFS}}[\mathsf {ID},\mathsf {H},{\mathsf {PRF}}]\) with better tightness. \({\mathsf {DFS}}\) derives the randomness for signing deterministically using a pseudorandom function \({\mathsf {PRF}}\). Our main security statements are summarized in Fig. 2. Most importantly, if \(\mathsf {ID}\) is a lossy identification scheme and has \(\mathsf {HVZK}\), then \({\mathsf {DFS}}[\mathsf {ID},\mathsf {H},{\mathsf {PRF}}]\) is tightly \({\mathsf {UF\text {-}CMA}}\) secure and \({\mathsf {FS}}[\mathsf {ID},\mathsf {H}]\) is (non-tightly) \({\mathsf {UF\text {-}CMA}}\) secure in the QROM. Our results suggest preferring \({\mathsf {DFS}}[\mathsf {ID},\mathsf {H},{\mathsf {PRF}}]\) over \({\mathsf {FS}}[\mathsf {ID},\mathsf {H}]\).
The main component of our proof is a tweak to the AFLT Fiat-Shamir proof [3] that makes it history-free. Together with the general result of [13], one can immediately obtain asymptotic (i.e., non-concrete) versions of our QROM proof as a simple corollary. In this work, we instead give direct proofs with concrete, tight security bounds.
To demonstrate the efficacy of our generic framework, we construct a lattice-based signature scheme. The most compact lattice-based schemes, in terms of public key and signature sizes, crucially require sampling from a discrete Gaussian distribution [15, 17]. Such schemes, however, have been shown to be particularly vulnerable to side-channel attacks (cf. [14, 19]), and it therefore seems prudent to consider schemes that only require simple uniform sampling over the integers. Of those, the currently most efficient one is the \(\mathsf {Dilithium}\) signature scheme [16]. This signature scheme is proved secure based on the \(\mathsf {MSIS}\) (Module-SIS) and the \(\mathsf {MLWE}\) (Module-LWE) assumptions in the ROM, implicitly using the framework from Fig. 1.
In this paper, we provide a practical instantiation of a lossy identification scheme to obtain a new digital signature scheme, \(\mathsf {Dilithium\text {-}QROM}\), with a tight security reduction in the QROM from the \(\mathsf {MLWE}\) problem, derived using our new framework from Fig. 2. \(\mathsf {Dilithium\text {-}QROM}\) is essentially a less compact variant (\({\approx } 3\times \) larger) of \(\mathsf {Dilithium}\) with modified parameters that allow the underlying identification scheme to admit a lossy mode. We additionally prove the security of the original \(\mathsf {Dilithium}\) scheme in the QROM based on \(\mathsf {MLWE}\) and another non-interactive assumption.
Step 1: \(\mathsf {LOSSY} \Longrightarrow {\mathsf {UF\text {-}NMA}}\). We sketch an adaptation of the standard history-free proof implicitly contained in [3]. By the security properties of the lossy identification scheme, the public key can be set in lossy mode, which remains unnoticed by a computationally bounded quantum adversary. Further, breaking the signature scheme in lossy mode with at most \(Q_\mathsf {H}\) queries to the quantum random oracle essentially requires solving the generic quantum search problem, whose complexity is \(\varTheta (Q_\mathsf {H}^2 \cdot \varepsilon _{\mathsf {ls}})\) [21, 39], where \(\varepsilon _{\mathsf {ls}}\) is the statistical soundness parameter of \(\mathsf {ID}\) in lossy mode. A similar argument is implicitly contained in [5, 37].
Step 2: \({\mathsf {UF\text {-}NMA}}\Longrightarrow {\mathsf {UF\text {-}CMA}}\). We will now sketch a history-free proof of \({\mathsf {UF\text {-}NMA}}\Rightarrow {{\mathsf {UF\text {-}CMA}}_1}\), where (compared to \({\mathsf {UF\text {-}CMA}}\) security) \({{\mathsf {UF\text {-}CMA}}_1}\) security limits the number of queried signatures per message \({M}\) to one. We then apply a standard (history-free, tight) reduction to show that \({{\mathsf {UF\text {-}CMA}}_1}\) secure signatures derandomized with a \({\mathsf {PRF}}\) yield \({\mathsf {UF\text {-}CMA}}\) secure signatures with deterministic signing [10].
The standard ROM proof of \({\mathsf {UF\text {-}NMA}}\Rightarrow {\mathsf {UF\text {-}CMA}}\) (implicitly contained in [3]) works as follows: one uses the \(\mathsf {HVZK}\) property of \(\mathsf {ID}\) to show that the signing oracle can be efficiently simulated knowing only the public key. Concretely, the \(\mathsf {HVZK}\) simulator generates a transcript \((W,c,Z)\) and later “patches” the random oracle by defining \(\mathsf {H}(W\parallel {M}):=c\) to make \((W,Z)\) a valid signature. The problem is that the random oracle patching (i.e., defining \(\mathsf {H}(W\parallel {M}):=c\)) can only be done after the signing query on \({M}\), because only then are \(W\) and \(c\) known. This renders the standard AFLT reduction not history-free. In our history-free \({\mathsf {UF\text {-}NMA}}\Rightarrow {{\mathsf {UF\text {-}CMA}}_1}\) proof, we resolve this problem as follows. We use the \(\mathsf {HVZK}\) property to generate the transcript \((W_{M},c_{M},Z_{M})\) deterministically using message-dependent randomness. Hence, for each message \({M}\), the transcript \((W_{M},c_{M},Z_{M})\) is unique and can be computed at any time. This uniqueness allows us to patch the random oracle \(\mathsf {H}(W\parallel {M})\) to \(c_{M}\) at any time during the proof (i.e., iff \(W= W_{M}\)), even before the adversary has issued a signing query on message \({M}\). This trick makes the proof history-free, see Theorem 3.2. Clearly, this only works if the adversary receives at most one signature for each message \({M}\), which is guaranteed by the \({{\mathsf {UF\text {-}CMA}}_1}\) experiment.
In order to deal with (full) \({\mathsf {UF\text {-}CMA}}\) security of probabilistic Fiat-Shamir signatures \({\mathsf {FS}}[\mathsf {ID},\mathsf {H}]\), the above trick can be adapted to also obtain a history-free reduction, see Theorem 3.3. However, the proof is less tight as the reduction suffers from a quadratic blow-up in its running time.
Our results furthermore prove strong unforgeability if the identification scheme satisfies an additional property called computational unique response \(({\mathsf {CUR}})\). \({\mathsf {CUR}}\) essentially says that it is hard to come up with two accepting transcripts with the same commitment and challenge but different responses.
\(\mathsf {Dilithium\text {-}QROM}\): A signature scheme with provable security in the QROM. The digital signature scheme \(\mathsf {Dilithium}\) [16] is constructed from a canonical identification scheme using the Fiat-Shamir with aborts approach [26]. In the ROM, its security is based (via non-tight reductions) on the hardness of the \(\mathsf {MSIS}\) and \(\mathsf {MLWE}\) problems. We show that by increasing the size of the modulus and the dimension of the public key matrix, the resulting identification scheme admits a lossy mode such that distinguishing real from lossy keys is based on the hardness of \(\mathsf {MLWE}\). We can then apply our main reduction to conclude that the resulting digital signature scheme is based on the hardness of the \(\mathsf {MLWE}\) problem.
In order to construct an identification scheme with a lossy mode, in addition to increasing the size of the modulus and the overall dimension, we also choose our prime modulus q so that the underlying ring \(\mathbb {Z}_q[X]/(X^n+1)\) has the property that all elements with coefficients less than \(\sqrt{q/2}\) have an inverse [29] – having all small elements be invertible is crucial to having lossiness.^{1} For the same security levels as \(\mathsf {Dilithium}\), the total size of the public key and signature is increased by a factor of a little over 3.
Revisiting the Security of Dilithium. Due to the way the parameters are set, the underlying identification scheme of the original \(\mathsf {Dilithium}\) scheme does not have a lossy mode, and so we cannot apply Theorem 3.4 in the reduction sequence in Fig. 2. Nevertheless, the reduction from Theorem 3.2 is still applicable. In the classical ROM, one then obtains a reduction from \(\mathsf {MSIS}\) to the \({\mathsf {UF\text {-}NMA}}\) scheme via the forking lemma (see Fig. 1).
The main downside of this last step is that the reduction is inherently non-tight. In practice, however, parameters are set based on the hardness of the underlying \(\mathsf {MSIS}\) problem and the non-tightness of the reduction is ignored. This is not just the case in lattice-based schemes, but is the prevalent practice for every signature scheme built via the Fiat-Shamir transform. The implicit assumption is, therefore, that the \({\mathsf {UF\text {-}NMA}}\) scheme is exactly as secure as \(\mathsf {MSIS}\) (assuming that \(\mathsf {H}\) is secure). We point out that the assumption that the \({\mathsf {UF\text {-}NMA}}\) scheme is secure is a non-interactive assumption that is reasonably simple to state. The fact that several decades of cryptanalysis have not produced any improved attacks against schemes whose parameters ignore the non-tightness of the reduction therefore gives us confidence that equating the hardness of the \({\mathsf {UF\text {-}NMA}}\) scheme with the hardness of the underlying problem is very reasonable.
In Sect. 4.5, we formulate the security of the \({\mathsf {UF\text {-}NMA}}\) scheme as a “convolution” of a lattice/hash function problem, which we call \(\mathsf {SelfTargetMSIS}\), and then show that based on the hardness of \(\mathsf {MLWE}\) and \(\mathsf {SelfTargetMSIS}\), the deterministic version of the \(\mathsf {Dilithium}\) scheme is (tightly) \({\mathsf {UF\text {-}CMA}}\) secure in the QROM. In other words, we show that the security of the tight version of the signature scheme is based on exactly the same assumptions in the ROM and the QROM.
Other Instantiations. Our framework can be applied to obtain a security proof in the QROM for a number of existing Fiat-Shamir signature schemes that are similar to \(\mathsf {Dilithium}\) (e.g., [3, 5, 7, 26]) and for those that have a somewhat different structure and are possibly based on different assumptions (e.g., [23]). Our rationale for setting the parameters in \(\mathsf {Dilithium\text {-}QROM}\) was to minimize the total sum of the public key and the signature. If one, on the other hand, wished to minimize only the signature size, one could create a public key whose “height” is larger than its “width” (e.g., as in [5]). For optimal efficiency, this may possibly require working over polynomial rings \(\mathbb {Z}_q[X]/(f(X))\) which are finite fields.
1.2 Concrete Bounds and Comparison with Unruh [37, 38]
The first source of non-tightness in (2) is the term \(Q_S Q_H^{1/2} \cdot 2^{\alpha /4}\), which stems from a generic reprogramming technique from [36]. In most practical lattice-based schemes the commitment’s min-entropy \(\alpha \) is large enough for this term not to have a big impact on the bound. However, this term puts a lower bound on the min-entropy of commitments, which translates to an unnatural lower bound on the size of quantum-resistant Fiat-Shamir signatures. Furthermore, it is sometimes not that easy to compute the min-entropy \(\alpha \) exactly, and simple techniques to get a “good-enough” bound (as we did for regular Dilithium when we obtained \(\alpha =255\)) would no longer result in something meaningful when used with (2).
The second and more important source of non-tightness in (2) is the quadratic (in the number of queries) blow-up in the running time \(\mathrm {Time}(\mathsf {B}) \approx \mathrm {Time}(\mathsf {A})+Q_\mathsf {H}Q_S\), which renders the reduction non-tight in all practical aspects. Interestingly, our proof for the security of probabilistic Fiat-Shamir signatures (Theorem 3.3) introduces the same source of non-tightness. However, under the assumption that superposition queries to classical data can be performed in a single time step (denoted by QRAM in [38]), the running time in (2) drops to \(\mathrm {Time}(\mathsf {B}) \approx \mathrm {Time}(\mathsf {A})\) and hence the reduction is tight again. We leave it as an open problem to come up with a tight reduction for probabilistic Fiat-Shamir signatures in the QROM without using QRAM.
2 Preliminaries
For \(n \in \mathbb {N}\), let \([n] := \lbrace 1, \dots , n \rbrace .\) For a set S, \(|S|\) denotes the cardinality of S. For a finite set S, we denote the sampling of a uniform random element x by \(x \leftarrow S\), while we denote sampling according to some distribution \(\mathfrak {D}\) by \(x \leftarrow \mathfrak {D}\). By \(\llbracket B\rrbracket \) we denote the bit that is 1 if the Boolean statement B is true, and 0 otherwise.
Algorithms. Let \(\mathsf {A}\) be an algorithm. Unless stated otherwise, we assume all our algorithms to be probabilistic. We denote by \(y\leftarrow \mathsf {A}(x)\) the probabilistic computation of algorithm \(\mathsf {A}\) on input x. If \(\mathsf {A}\) is deterministic, we write \(y := \mathsf {A}(x).\) The notation \(y \in \mathsf {A}(x)\) is used to indicate all possible outcomes y of the probabilistic algorithm \(\mathsf {A}\) on input x. We can make any probabilistic \(\mathsf {A}\) deterministic by running it with fixed randomness. We write \(y := \mathsf {A}(x; r)\) to indicate that \(\mathsf {A}\) is run on input x with randomness r. Finally, the notation \(\mathsf {A}(x) \Rightarrow y\) denotes the event that \(\mathsf {A}\) on input x returns y.
Games. We use codebased games. We implicitly assume boolean flags to be initialized to false, numerical types to 0, sets to \(\varnothing \), and strings to the empty string \(\epsilon \). We make the convention that a procedure terminates once it has returned an output.
2.1 Quantum Computation
Quantum States. The state of a qubit \(|{\phi } \rangle \) is described by a two-dimensional complex vector \(|{\phi } \rangle =\alpha |{0} \rangle + \beta |{1} \rangle \), where \(\{|{0} \rangle , |{1} \rangle \}\) form an orthonormal basis of \(\mathbb {C}^2\) and \(\alpha , \beta \in \mathbb {C}\) with \(|\alpha |^2 + |\beta |^2 = 1\) are called the complex amplitudes of \(|{\phi } \rangle \). The qubit \(|{\phi } \rangle \) is said to be in superposition if \(0<|\alpha |<1\). A classical bit \(b \in \{0,1\}\) is naturally encoded as the state \(|{b} \rangle \) of a qubit.
The state \(|{\psi } \rangle \) of n qubits can be expressed as \(|{\psi } \rangle = \sum _{x \in \{0,1\}^n} \alpha _x |{x} \rangle \in \mathbb {C}^{2^n}\), where \(\{ \alpha _x \}_{x \in \{0,1\}^n}\) is a set of \(2^n\) complex amplitudes such that \(\sum _{x \in \{0,1\}^n} |\alpha _x|^2 = 1\). As for one qubit, the standard orthonormal or computational basis is given by \(\{ |{x} \rangle \}_{x \in \{0,1\}^n}\). When the quantum state \(|{\psi } \rangle \) is measured in the computational basis, the outcome is the classical string \(x \in \{0,1\}^n\) with probability \(|\alpha _x|^2\), and the quantum state collapses to what is observed, namely \(|{x} \rangle \).
The evolution of a quantum system in state \(|{\psi } \rangle \) can be described by a linear length-preserving transformation \(U: \mathbb {C}^{2^n} \rightarrow \mathbb {C}^{2^n}\). Such transformations correspond to unitary matrices U of size \(2^n\) by \(2^n\), i.e., U has the property that \(U U^\dag = \mathbbm {1}\), where \(U^\dag \) is the complex-conjugate transpose of U.
For further details about basic concepts and notation of quantum computing, we refer to the standard text book by Nielsen and Chuang [31].
Quantum random-oracle model. We consider security games in the quantum random-oracle model (QROM) [13] like their counterparts in the classical random-oracle model [11], with the difference that we consider quantum adversaries that are given quantum access to the random oracles involved, and classical access to all other oracles (e.g., the signing oracle). Zhandry [40] proved that no quantum algorithm \(\mathsf {A}^{|\mathsf {H}\rangle }\), issuing at most Q quantum queries to \(|\mathsf {H}\rangle \), can distinguish between a random function \(\mathsf {H}:\{0,1\}^m \rightarrow \{0,1\}^n\) and a 2Q-wise independent function \(f_{2Q}\). For concreteness, we view \(f_{2Q} :\{0,1\}^m \rightarrow \{0,1\}^n\) as a random polynomial of degree 2Q over the finite field \(\mathbb {F}_{2^n}\). The running time to evaluate \(f_{2Q}\) is linear in Q.
In this article, we will use this observation in the context of security reductions, where quantum adversary \(\mathsf {B}\) simulates quantum adversary \(\mathsf {A}^{|\mathsf {H}\rangle }\), which makes at most Q queries to \(|\mathsf {H}\rangle \). Hence, the running time of \(\mathsf {B}\) is \(\mathrm {Time}(\mathsf {B}) = \mathrm {Time}(\mathsf {A}) + Q \cdot \mathrm {Time}(\mathsf {H})\), where \(\mathrm {Time}(\mathsf {H})\) is the time it takes to simulate \(|\mathsf {H}\rangle \). Using the observation above, \(\mathsf {B}\) can use a 2Q-wise independent function in order to (information-theoretically) simulate \(|\mathsf {H}\rangle \), and we obtain that the running time of \(\mathsf {B}\) is \(\mathrm {Time}(\mathsf {B}) = \mathrm {Time}(\mathsf {A}) + Q \cdot \mathrm {Time}(f_{2Q})\), where the time \(\mathrm {Time}(f_{2Q})\) to evaluate \(f_{2Q}\) is linear in Q. The second term of this running time (quadratic in Q) can be further reduced to linear in Q in the quantum random-oracle model, where \(\mathsf {B}\) can simply use another random oracle to simulate \(|\mathsf {H}\rangle \). Assuming that evaluating the random oracle takes one time unit, we write \(\mathrm {Time}(\mathsf {B}) = \mathrm {Time}(\mathsf {A}) + Q\), which is approximately \(\mathrm {Time}(\mathsf {A})\).
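As an added, runnable illustration of the simulation technique just described (this code is not from the paper): a uniformly random polynomial of degree d over \(\mathbb {F}_{2^n}\) is (d+1)-wise independent, because for any d+1 distinct inputs the Vandermonde map from coefficient vectors to output vectors is a bijection; a degree-2Q polynomial therefore gives the 2Q-wise independence the reduction needs, and Horner evaluation costs 2Q field multiplications per query, i.e. linear in Q. The block implements \(\mathbb {F}_{2^n}\) arithmetic, the simulated oracle \(f_{2Q}\), and an exhaustive check over a constructed toy field \(\mathbb {F}_{2^4}\) (modulus \(x^4+x+1\)) that a random degree-2 polynomial is uniform over all \(16^3\) output triples on three distinct points, while a fourth point is already determined. The field size, the modulus, the assumption m = n (inputs are field elements), and all function names are the example's own choices.

```python
import secrets
from collections import Counter
from itertools import product

# GF(2^n) with elements as n-bit integers; MODULUS carries the x^n term.
# Constructed toy choice: GF(2^4) with the irreducible polynomial x^4 + x + 1.
N_BITS = 4
MODULUS = 0b10011


def gf_mul(a, b, n=N_BITS, modulus=MODULUS):
    """Carry-less multiplication of a and b, reduced modulo the field polynomial."""
    r = 0
    for _ in range(n):
        if b & 1:
            r ^= a
        b >>= 1
        a <<= 1
        if a >> n:          # degree reached n: reduce by the modulus
            a ^= modulus
    return r


def poly_eval(coeffs, x, n=N_BITS, modulus=MODULUS):
    """Horner evaluation of sum_i coeffs[i] * x^i: len(coeffs) - 1 multiplications."""
    acc = 0
    for c in reversed(coeffs):
        acc = gf_mul(acc, x, n, modulus) ^ c
    return acc


def simulated_oracle(Q, n=N_BITS, modulus=MODULUS):
    """f_{2Q}: a uniformly random polynomial of degree 2Q over GF(2^n), used by a
    reduction in place of the random oracle for an adversary making at most Q
    quantum queries. Each evaluation costs 2Q field multiplications."""
    coeffs = [secrets.randbelow(1 << n) for _ in range(2 * Q + 1)]
    return lambda x: poly_eval(coeffs, x, n, modulus)


def output_tuple_counts(points, degree, n=N_BITS, modulus=MODULUS):
    """Enumerate every polynomial of degree <= `degree` and count the output
    tuples it produces on the given distinct input points."""
    counts = Counter()
    for coeffs in product(range(1 << n), repeat=degree + 1):
        counts[tuple(poly_eval(coeffs, x, n, modulus) for x in points)] += 1
    return counts


def is_uniform_on(points, degree, n=N_BITS, modulus=MODULUS):
    """True iff every output tuple on `points` is equally likely, i.e. a random
    degree-`degree` polynomial is len(points)-wise independent on them."""
    counts = output_tuple_counts(points, degree, n, modulus)
    q = 1 << n
    return len(counts) == q ** len(points) and len(set(counts.values())) == 1


if __name__ == "__main__":
    f = simulated_oracle(Q=1)               # degree 2, hence 3-wise independent
    print([f(x) for x in range(1 << N_BITS)])
    print(is_uniform_on([1, 2, 3], 2))      # True
    print(is_uniform_on([1, 2, 3, 4], 2))   # False: the fourth value is determined
```

The exhaustive check is only feasible for the toy field; for the real parameters of a reduction one relies on the Vandermonde argument, and the cost that matters is the 2Q multiplications per query that make \(\mathrm {Time}(f_{2Q})\) linear in Q.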
Generic Quantum Search. For \(\lambda \in [0,1]\) let \(\mathcal {B}_\lambda \) be the Bernoulli distribution, i.e., \(\Pr [b=1] = \lambda \) for the bit \(b \leftarrow \mathcal {B}_\lambda \). Let X be some finite set. The generic quantum search problem \(\mathsf {GSP}\) [21, 39] is to find an \(x \in X\) satisfying \(g(x)=1\) given quantum access to an oracle \(g: X \rightarrow \{0,1\}\), such that for each \(x \in X\), g(x) is distributed according to \(\mathcal {B}_{\lambda }\). We will need the following slight variation of \(\mathsf {GSP}\). The Generic quantum Search Problem with Bounded probabilities \(\mathsf {GSPB}\) is like the quantum search problem with the difference that the Bernoulli parameter \(\lambda (x)\) may (adversarially) depend on x but it is upper bounded by a global \(\lambda \).
Lemma 2.1
(Generic Search Problem with Bounded Probabilities). Let \(\lambda \in [0,1]\). For any (unbounded, quantum) algorithm \(\mathsf {A}\) issuing at most Q quantum queries to \(|g\rangle \), \(\Pr [\mathsf {GSPB}_\lambda ^\mathsf {A}\Rightarrow 1 ] \le 8 \cdot \lambda \cdot (Q+1)^2\), where Game \(\mathsf {GSPB}_\lambda \) is defined in Fig. 3.
The bound on \(\mathsf {GSPB}\) can be reduced to the known bound on \(\mathsf {GSP}\) [21, 39] by artificially increasing each Bernoulli parameter \(\lambda (x)\) to the global bound \(\lambda \), which removes the dependence on \(x \in X\).
2.2 Pseudorandom Functions
2.3 Canonical Identification Schemes
Definition 2.2
(Canonical Identification Scheme). A canonical identification scheme \({\mathsf {ID}}\) is defined as a tuple of algorithms \({\mathsf {ID}}:=({\mathsf {IGen}},{\mathsf {P}},\mathsf {ChSet},{\mathsf {V}})\).
The key generation algorithm \({\mathsf {IGen}}\) takes system parameters \(\mathsf {par}\) as input and returns public and secret key \(( pk , sk )\). We assume that \( pk \) defines \(\mathsf {ChSet}\) (the set of challenges), \(\mathsf {WSet}\) (the set of commitments), and \(\mathsf {ZSet}\) (the set of responses).
The prover algorithm \({\mathsf {P}}=({\mathsf {P}}_1,{\mathsf {P}}_2)\) is split into two algorithms. \({\mathsf {P}}_1\) takes as input the secret key \( sk \) and returns a commitment \(W\in \mathsf {WSet}\) and a state \( St \); \({\mathsf {P}}_2\) takes as input the secret key \( sk \), a commitment \(W\), a challenge \(c\), and a state \( St \) and returns a response \(Z\in \mathsf {ZSet}\cup \{\bot \}\), where \(\bot \not \in \mathsf {ZSet}\) is a special symbol indicating failure.
The verifier algorithm \({\mathsf {V}}\) takes the public key \( pk \) and the conversation transcript as input and outputs a deterministic decision, 1 (acceptance) or 0 (rejection).
Definition 2.3
All possible transcripts \((W, c, Z)\) satisfying \(Z\ne \bot \) are valid, i.e., for all \((W, St ) \in {\mathsf {P}}_1( sk )\), all \(c\in \mathsf {ChSet}\) and all \(Z\in {\mathsf {P}}_2( sk ,W,c, St )\) with \(Z\ne \bot \), we have \({\mathsf {V}}( pk , W, c,Z)=1\).
The probability that an honestly generated transcript \((W, c, Z)\) contains \(Z= \bot \) is bounded by \(\delta \), i.e., \(\Pr [Z= \bot \mid (W,c, Z) \leftarrow \mathsf {Trans}( sk )] \le \delta \).
Definition 2.4
We call \(\mathsf {ID}\) commitment-recoverable if for any \(( pk , sk )\in {\mathsf {IGen}}(\mathsf {par})\), \(c\in \mathsf {ChSet}\), and \(Z\in \mathsf {ZSet}\), there exists a unique \(W\in \mathsf {WSet}\) such that \({\mathsf {V}}( pk ,W,c,Z)=1\). This unique \(W\) can be publicly computed using a commitment recovery algorithm as \(W:={\mathsf {Rec}}( pk ,c,Z)\).
We define no-abort honest-verifier zero-knowledge, a weak variant of honest-verifier zero-knowledge that requires the transcript (as generated by \(\mathsf {Trans}( sk )\)) to be publicly simulatable, conditioned on \(Z\ne \bot \).
Definition 2.5
The distribution of \((W, c, Z) \leftarrow \mathsf {Sim}( pk )\) has statistical distance at most \(\varepsilon _{\mathsf {zk}}\) from \((W', c', Z') \leftarrow \mathsf {Trans}( sk )\), where \(\mathsf {Trans}\) is defined in Fig. 5.
The distribution of \(c\) from \((W, c, Z) \leftarrow \mathsf {Sim}( pk )\) conditioned on \(c\ne \bot \) is uniform random in \(\mathsf {ChSet}\).
Note that if \(\mathsf {ID}\) is commitment-recoverable, then we can omit \(W\) from the output of \(\mathsf {Trans}\) and \(\mathsf {Sim}\), since \(W\) can be publicly computed from \((c,Z)\).
Definition 2.6
An identification scheme has unique responses if for all \(W\) and \(c\) there exists at most one \(Z\) to make the verifier accept, i.e., \({\mathsf {V}}( pk ,W,c,Z)=1\). We relax this property to computational unique response (\({\mathsf {CUR}}\)) for which we require it to be computationally difficult to come up with \((W, c,Z,Z')\) with \({\mathsf {V}}( pk ,W,c,Z)={\mathsf {V}}( pk ,W,c,Z')=1\) and \(Z' \ne Z\).
Definition 2.7
Lossy Identification schemes. We now recall lossy identification schemes [3].
Definition 2.8
An identification scheme \(\mathsf {ID}=({\mathsf {IGen}},{\mathsf {P}},\mathsf {ChSet},{\mathsf {V}})\) is lossy if there exists a lossy key generation algorithm \({\mathsf {LossyIGen}}\) that takes system parameters \(\mathsf {par}\) as input and returns public key \( pk _\mathsf {ls}\) (and no secret key \( sk \)).
We refer to \({\mathsf {LID}}= ({\mathsf {IGen}},{\mathsf {LossyIGen}},{\mathsf {P}},\mathsf {ChSet},{\mathsf {V}})\) as a lossy identification scheme.
2.4 Digital Signatures
We now define syntax and security of a digital signature scheme. Let \(\mathsf {par}\) be common system parameters shared among all participants.
Definition 2.9
(Digital Signature). A digital signature scheme \({\mathsf {SIG}}\) is defined as a triple of algorithms \({\mathsf {SIG}}= ({\mathsf {Gen}}, {\mathsf {Sign}}, {\mathsf {Ver}})\).
The key generation algorithm \({\mathsf {Gen}}(\mathsf {par})\) returns the public and secret keys \(( pk , sk )\). We assume that \( pk \) defines the message space \(\mathsf {MSet}\).
The signing algorithm \({\mathsf {Sign}}( sk ,{M})\) returns a signature \(\sigma \).
The deterministic verification algorithm \({\mathsf {Ver}}( pk , {M},\sigma )\) returns 1 (accept) or 0 (reject).
Signature scheme \({\mathsf {SIG}}\) has correctness error \(\gamma \) if for all \(( pk , sk )\in {\mathsf {Gen}}(\mathsf {par})\), all messages \({M}\in \mathsf {MSet}\), we have \(\Pr [{\mathsf {Ver}}( pk ,{M},{\mathsf {Sign}}( sk ,{M}))=0] \le \gamma \).
Any \({{\mathsf {UF\text {-}CMA}}_1}\) (\({{\mathsf {sUF\text {-}CMA}}_1}\)) secure signature scheme can be combined with a pseudorandom function \({\mathsf {PRF}}\) to obtain a \({\mathsf {UF\text {-}CMA}}\) (\({\mathsf {sUF\text {-}CMA}}\)) secure signature scheme by defining \({\mathsf {Sign}}'(( sk ,K),{M}):={\mathsf {Sign}}( sk ,{M}; {\mathsf {PRF}}_K({M}))\), where K is a secret \({\mathsf {PRF}}\) key which is part of the secret key. This construction is well known in the classical setting [10], and the same proof works in the quantum setting. Here \({\mathsf {PRF}}\) only has to provide security against quantum adversaries whose access to \({\mathsf {PRF}}\) is classical.
3 Fiat-Shamir in the Quantum Random-Oracle Model
3.1 Signatures from Identification Schemes
Main Security Statement. The following is our main security statement for \({\mathsf {SIG}}:={\mathsf {FS}}[{\mathsf {ID}},\mathsf {H},\kappa _ m ]\) in the QROM.
Theorem 3.1
Note that with this observation the bound of Theorem 3.1 is tight, i.e., the computational advantages appear with a constant factor (one). In the classical ROM setting, the only difference is that the bound depends linearly on \(Q_\mathsf {H}\) instead of quadratically.
As discussed at the end of Sect. 2.4, the \({\mathsf {UF\text {-}CMA}}\) (\({\mathsf {sUF\text {-}CMA}}\)) security of \({\mathsf {DSIG}}\) is implied by the \({{\mathsf {UF\text {-}CMA}}_1}\) (\({{\mathsf {sUF\text {-}CMA}}_1}\)) security of \({\mathsf {FS}}\). Concretely, the advantages are upper bounded by the same terms as in Theorem 3.1 plus an additional term \(\mathrm {Adv}^{{\mathsf {PR}}}_{{\mathsf {PRF}}}(\mathsf {D})\) accounting for the quantum security of the \({\mathsf {PRF}}\).
3.2 Security Proof
The proof of Theorem 3.1 is modular. First, in Theorem 3.2 we prove that \({\mathsf {UF\text {-}NMA}}\) security plus \(\mathsf {naHVZK}\) implies \({{\mathsf {UF\text {-}CMA}}_1}\) security. Second, in Theorem 3.4 we prove that a lossy identification scheme is always \({\mathsf {UF\text {-}NMA}}\) secure.
Theorem 3.2
Proof
The proof of \({{\mathsf {UF\text {-}CMA}}_1}\) security follows by collecting the probabilities. The running time \(\mathrm {Time}(\mathsf {B})\) of adversary \(\mathsf {B}\) is given by the time \(\mathrm {Time}(\mathsf {A})\) to run \(\mathsf {A}\) as a black box in game \(G_2\), where in each of the \(Q_\mathsf {H}\) oracle queries and \(Q_S\) signature queries at most \(O(\kappa _ m )\) computations need to be performed.
Strong unforgeability. For \({{\mathsf {sUF\text {-}CMA}}_1}\) security we consider exactly the same games, with the difference that in all games the winning condition in line 06 is changed to \(\llbracket ({M}^*,\sigma ^*) \not \in \mathcal {M}\rrbracket \wedge {\mathsf {V}}( pk , W^*,c^*,Z^*) \) to account for strong unforgeability, where \(\mathcal {M}\) now records all tuples \(({M}, \sigma _{M})\) of previously established message/signature pairs.
The difference between games \(G_1\) and \(G_2\) is that game \(G_2\) returns 0 in line 05 if \(c^* \ne \mathsf {H}'(W^* \parallel {M}^*)\), i.e., if \(\mathsf {H}(W^* \parallel {M}^*)\) was previously patched in line 20 with \(\mathsf {H}(W^* \parallel {M}^*):=c_{{M}^*}\). Games \(G_1\) and \(G_2\) can only differ if \(W_{{M}^*}= W^*\), \(({M}^*,\sigma ^*) \not \in \mathcal {M}\), and \( {\mathsf {V}}( pk , W^*,c^*,Z^*)=1\). (In that case \(G_2\) returns 0 and \(G_1\) returns 1.)
We distinguish two cases. If \(({M}^*,\cdot ) \not \in \mathcal {M}\), then the adversary did not query a signature on \({M}^*\) and we can use the same argument as in standard unforgeability to argue \(|\Pr [G_2^{\mathsf {A}} \Rightarrow 1] - \Pr [G_1^{\mathsf {A}} \Rightarrow 1]| \le 2^{-\alpha +1}\). It remains to handle the case \(({M}^*,\cdot ) \in \mathcal {M}\), i.e., the adversary obtained a signature \(\sigma _{{M}^*} = (W_{{M}^*},Z_{{M}^*})\) on message \({M}^*\) and submits a correct forgery \(\sigma ^* = (W^*, Z^*)\) satisfying \(W^*=W_{{M}^*}\) and \(Z^* \ne Z_{{M}^*}\). The problem of finding values \((W^*, c^*, Z_{{M}^*},Z^*)\) with two accepting transcripts \((W^*, c^*, Z^*)\) and \((W^*, c^*, Z_{{M}^*})\) is exactly bounded by the advantage of an adversary \(\mathsf {C}\) against the \({\mathsf {CUR}}\) experiment, i.e., \(|\Pr [G_2^{\mathsf {A}} \Rightarrow 1] - \Pr [G_1^{\mathsf {A}} \Rightarrow 1]| \le \mathrm {Adv}^{\mathsf {CUR}}_\mathsf {ID}(\mathsf {C})\).
The running times \(\mathrm {Time}(\mathsf {B})\) and \(\mathrm {Time}(\mathsf {C})\) can be derived as above. \(\square \)
The following theorem shows that we can also directly prove \({\mathsf {UF\text {-}CMA}}\) security of \({\mathsf {SIG}}\), but (in terms of the running time) the reduction is less tight than the one of Theorem 3.2.
Theorem 3.3
The proof of Theorem 3.3 is similar to the one of Theorem 3.2 and appears in the full version.
Theorem 3.4
Proof
4 Dilithium-QROM
In this section, we present a modification of the \(\mathsf {Dilithium}\) digital signature scheme [16] whose security is based on MLWE in the QROM. We also present a new security proof of the original \(\mathsf {Dilithium}\) that shows it to be tightly secure in the QROM based on a different non-interactive assumption. Since \(\mathsf {Dilithium}\) is a highly optimized version of a scheme constructed via the “Fiat-Shamir with Aborts” framework [26], its details may be somewhat overwhelming to readers who are not already comfortable with such constructions. For this reason, we present a much simpler version of the signature scheme without any optimizations in the full version of this paper.
4.1 Preliminaries
Rings and Distributions. We let R and \(R_q\) respectively denote the rings \(\mathbb {Z}[X]/(X^{n}+1)\) and \(\mathbb {Z}_q[X]/(X^{n}+1)\), for an integer q. We will assume that \(q\equiv 5(\bmod \,8)\), as such a choice of q ensures that all polynomials in \(R_q\) with coefficients less than \(\sqrt{q/2}\) have an inverse in the ring [29, Lemma 2.2]. This property is crucial to our security proof. Regular font letters denote elements in R or \(R_q\) (which includes elements in \(\mathbb {Z}\) and \(\mathbb {Z}_q\)) and bold lowercase letters represent column vectors with coefficients in R or \(R_q\). By default, all vectors will be column vectors. Bold uppercase letters are matrices.
Modular reductions. For an even (resp. odd) positive integer \(\alpha \), we define \(r'=r\text { mod}^\pm \, \alpha \) to be the unique element \(r'\) in the range \(-\frac{\alpha }{2}<r'\le \frac{\alpha }{2}\) (resp. \(-\frac{\alpha -1}{2}\le r'\le \frac{\alpha -1}{2}\)) such that \(r'=r\bmod \alpha \). We will sometimes refer to this as a centered reduction modulo q. For any positive integer \(\alpha \), we define \(r'=r\text { mod}^+ \alpha \) to be the unique element \(r'\) in the range \(0\le r'<\alpha \) such that \(r'=r\bmod \alpha \). When the exact representation is not important, we simply write \(r\bmod \alpha \).
Extendable output function. Suppose that \(\mathsf {Sam}\) is an extendable output function, that is a function on bit strings in which the output can be extended to any desired length. If we would like \(\mathsf {Sam}\) to take as input x and then produce a value y that is distributed according to distribution S (or uniformly over a set S), we write \(y \sim S:=\mathsf {Sam}(x)\). It is important to note that this procedure is completely deterministic: a given x will always produce the same y. For simplicity we assume that the output distribution of \(\mathsf {Sam}\) is perfect, whereas in practice \(\mathsf {Sam}\) will be implemented using random oracles and produce an output that is statistically close to the perfect distribution. If K is a secret key, then \(\mathsf {Sam}(K \Vert x)\) is a pseudorandom function from \(\{0,1\}^* \rightarrow \{0,1\}^*\).
The lemmas below recall the properties of these supporting algorithms that are crucial for the correctness and security of our scheme.
Lemma 4.1
 1. \(\mathsf {UseHint}_q(\mathsf {MakeHint}_q(\mathbf{z},\mathbf{r},\alpha ),\mathbf{r},\alpha )=\mathsf {HighBits}_q(\mathbf{r}+\mathbf{z},\alpha )\).
 2. Let \(\mathbf{v}_1=\mathsf {UseHint}_q(\mathbf{h},\mathbf{r},\alpha )\). Then \(\Vert \mathbf{r}-\mathbf{v}_1\cdot \alpha \Vert _\infty \le \alpha +1\).
 3. For any \(\mathbf{h},\mathbf{h}'\), if \(\mathsf {UseHint}_q(\mathbf{h},\mathbf{r},\alpha )=\mathsf {UseHint}_q(\mathbf{h}',\mathbf{r},\alpha )\), then \(\mathbf{h}=\mathbf{h}'\).
Lemma 4.2
4.2 The Identification Protocol
The constituting algorithms of our identification protocol \(\mathsf {ID}=({\mathsf {IGen}},{\mathsf {P}}_1,{\mathsf {P}}_2, {\mathsf {V}})\) are described in Fig. 13 with the concrete parameters \(\mathsf {par}= (q,n,k,\ell ,d,\gamma ,\gamma ',\eta ,\beta )\) given later in Table 1.
Key Generation. The key generation proceeds by choosing a random 256-bit seed \(\rho \) and expanding it into a matrix \(\mathbf{A}\in R_q^{k\times \ell }\) by an extendable output function \(\mathsf {Sam}\) modeled as a random oracle. The secret keys \((\mathbf{s}_1,\mathbf{s}_2)\in S_\eta ^\ell \times S_\eta ^k\) have uniformly random coefficients between \(-\eta \) and \(\eta \) (inclusively). The value \(\mathbf{t}=\mathbf{A}\mathbf{s}_1+\mathbf{s}_2\) is then computed. The public key that is needed for verification is \((\rho ,\mathbf{t}_1)\) with \(\mathbf{t}_1\) output by the \(\mathsf {Power2Round}_q(\mathbf{t},d)\) algorithm in Fig. 12 (we have \(\mathbf{t}=\mathbf{t}_1\cdot 2^d +\mathbf{t}_0\) for some small \(\mathbf{t}_0\)), while the secret key is \((\rho , \mathbf{s}_1,\mathbf{s}_2,\mathbf{t}_0)\).
While the verifier never needs the value \(\mathbf{t}_0\) (and thus it does not need to be included in the public key of the actual scheme), we do need this value in order to simulate transcripts (see Sect. 4.3). Thus the security of our scheme is based on the fact that the adversary gets \(\mathbf{t}_1\) and \(\mathbf{t}_0\), whereas in reality he only gets \(\mathbf{t}_1\).
The set \(\mathsf {ChSet}\) is defined as in Eq. (8), and \(\mathsf {ZSet}= S^\ell _{\gamma '-\beta -1}\times \{0,1\}^k\). The set of commitments \(\mathsf {WSet}\) is defined as \(\mathsf {WSet}=\{\mathbf{w}_1~:~\exists \mathbf{y}\in S_{\gamma '-1}^\ell \text { s.t. }\mathbf{w}_1=\mathsf {HighBits}_q(\mathbf{A}\mathbf{y},2\gamma )\}.\)
Protocol Execution. The prover starts the identification protocol by reconstructing \(\mathbf{A}\) from the random seed \(\rho \). The next step has the prover sample \(\mathbf{y}\leftarrow S_{\gamma '-1}^\ell \) and then compute \(\mathbf{w}=\mathbf{A}\mathbf{y}\). He then writes \(\mathbf{w}=2\gamma \cdot \mathbf{w}_1+\mathbf{w}_0\), with \(\mathbf{w}_0\) between \(-\gamma \) and \(\gamma \) (inclusively), and then sends \(\mathbf{w}_1\) to the verifier. The verifier generates a random challenge \(c\leftarrow \mathsf {ChSet}\) and sends it to the prover. The prover computes \(\mathbf{z}=\mathbf{y}+c\mathbf{s}_1\). If \(\mathbf{z}\notin S_{\gamma '-\beta -1}^\ell \), then the prover sets his response to \(\bot \). He also replies with \(\bot \) if \(\mathsf {LowBits}_q(\mathbf{w}-c\mathbf{s}_2,2\gamma )\notin S_{\gamma -\beta -1}^k\). This part of the protocol is necessary for security – it makes sure that \(\mathbf{z}\) does not leak anything about the secret key \(\mathbf{s}_1,\mathbf{s}_2\).
If the checks pass and a \(\bot \) is not sent, then it can be shown (see Sect. 4.3) that \(\mathsf {HighBits}_q(\mathbf{A}\mathbf{z}-c\mathbf{t},2\gamma )=\mathbf{w}_1\). At this point, if the verifier knew the entire element \(\mathbf{t}\) and \((\mathbf{z}, c)\), he could have recovered \(\mathbf{w}_1\) and checked that \(\Vert \mathbf{z}\Vert _\infty <\gamma '-\beta \) and that the high-order bits of \(\mathbf{A}\mathbf{z}-c\mathbf{t}\) are indeed \(\mathbf{w}_1\). However, since we want to compress the size of the public key, the verifier only knows \(\mathbf{t}_1\). Hence, the signer needs to provide a “hint” \(\mathbf{h}\) which will allow the verifier to compute \(\mathsf {HighBits}_q(\mathbf{A}\mathbf{z}-c\mathbf{t},2\gamma )\).
The verifier checks whether \(\Vert \mathbf{z}\Vert _\infty < \gamma '-\beta \) and that \(\mathbf{A}\mathbf{z}-c\mathbf{t}_1\cdot 2^d\) together with the hint \(\mathbf{h}\) allow him to reconstruct \(\mathbf{w}_1\). We should point out that in the identification scheme it is actually not necessary for the verifier to be able to recover exactly \(\mathbf{w}_1\). He could have simply checked that \(\mathbf{A}\mathbf{z}-c\mathbf{t}_1\cdot 2^d \approx \mathbf{w}_1\) and this would be good enough for security. The reason that we want the verifier to be able to exactly recover \(\mathbf{w}_1\) is to make the ID scheme commitment-recoverable and be able to reduce the communication size in the Fiat-Shamir transform (see Sect. 3.1).
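The rounding helpers behind Sect. 4.2 and Lemma 4.1 (centered reduction, \(\mathsf {Power2Round}\), \(\mathsf {HighBits}\)/\(\mathsf {LowBits}\), \(\mathsf {MakeHint}\)/\(\mathsf {UseHint}\)), worked coefficient by coefficient in Python as an added example; this is not code from the paper, and since Fig. 12 is not reproduced on this page the algorithm bodies follow the published Dilithium specification as the editor recalls it. It checks the three claims of Lemma 4.1 on random inputs and then replays the verifier's step \(\mathbf{A}\mathbf{z}-c\mathbf{t}_1\cdot 2^d=\mathbf{w}-c\mathbf{s}_2+c\mathbf{t}_0\) with the hint, using the Dilithium-QROM “Recomm.” parameters of Table 1.

```python
"""Coefficient-level rounding helpers behind Sect. 4.2 and Lemma 4.1.
Added example, not code from the paper: Power2Round, Decompose, MakeHint
and UseHint follow the published Dilithium specification as recalled by
the editor (Fig. 12 is not reproduced on this page).  Parameters: the
Dilithium-QROM 'Recomm.' column of Table 1; all inputs are integers."""
import random

Q = 2**45 - 21283             # ring modulus q
GAMMA = 905679                # gamma, with 2*gamma | q - 1
ALPHA = 2 * GAMMA             # the alpha of Lemma 4.1, HighBits_q(., 2*gamma)
D = 15                        # bits dropped from t by Power2Round
BETA = 322                    # beta = eta * (# of +-1's in c) = 7 * 46
CT0_BOUND = 46 * 2**(D - 1)   # ||c*t_0||_inf <= 46 * 2^(d-1) < gamma = alpha/2

def mod_plus(r, a):
    """r mod^+ a: the representative in [0, a)."""
    return r % a

def mod_pm(r, a):
    """r mod^± a: centred representative, (-a/2, a/2] for even a and
    [-(a-1)/2, (a-1)/2] for odd a."""
    r = r % a
    return r - a if r > a // 2 else r

def power2round(r, d=D, q=Q):
    """Split r = r1 * 2^d + r0 with |r0| <= 2^(d-1); returns (r1, r0)."""
    r = mod_plus(r, q)
    r0 = mod_pm(r, 2**d)
    return (r - r0) >> d, r0

def decompose(r, alpha=ALPHA, q=Q):
    """r = r1 * alpha + r0 with r0 = r mod^± alpha.  The top interval of
    Z_q is folded onto r1 = 0 so that r1 ranges over [0, (q-1)/alpha)."""
    r = mod_plus(r, q)
    r0 = mod_pm(r, alpha)
    if r - r0 == q - 1:
        return 0, r0 - 1
    return (r - r0) // alpha, r0

def high_bits(r, alpha=ALPHA, q=Q):
    return decompose(r, alpha, q)[0]

def low_bits(r, alpha=ALPHA, q=Q):
    return decompose(r, alpha, q)[1]

def make_hint(z, r, alpha=ALPHA, q=Q):
    """1 iff adding z to r changes its high bits."""
    return int(high_bits(r, alpha, q) != high_bits(r + z, alpha, q))

def use_hint(h, r, alpha=ALPHA, q=Q):
    """Recover HighBits(r + z) from r and the one-bit hint for z."""
    m = (q - 1) // alpha
    r1, r0 = decompose(r, alpha, q)
    if h == 1:
        return (r1 + 1) % m if r0 > 0 else (r1 - 1) % m
    return r1

def check_lemma_4_1(trials=2000, seed=1):
    """Claims 1-3 of Lemma 4.1 on random coefficients with |z| <= alpha/2."""
    rng = random.Random(seed)
    for _ in range(trials):
        r = rng.randrange(Q)
        z = rng.randint(-ALPHA // 2, ALPHA // 2)
        if use_hint(make_hint(z, r), r) != high_bits(r + z):   # claim 1
            return False
        if any(abs(mod_pm(r - use_hint(h, r) * ALPHA, Q)) > ALPHA + 1
               for h in (0, 1)):                               # claim 2
            return False
        if use_hint(0, r) == use_hint(1, r):                   # claim 3
            return False
    return True

def hint_roundtrip(w, cs2, ct0):
    """One coefficient of the protocol of Sect. 4.2.  The prover knows
    w = A*y, c*s_2 and c*t_0; the verifier only sees A*z - c*t_1*2^d =
    w - c*s_2 + c*t_0 plus the hint.  Returns (aborted, recovered)."""
    w1 = high_bits(w)
    # second abort condition: LowBits(w - c*s_2, 2*gamma) in S_{gamma-beta-1}
    if abs(low_bits(w - cs2)) > GAMMA - BETA - 1:
        return True, None
    h = make_hint(-ct0, w - cs2 + ct0)        # hint for removing c*t_0
    return False, use_hint(h, w - cs2 + ct0) == w1

def check_protocol(trials=2000, seed=2):
    """Every non-aborted coefficient must verify; returns (#aborts, ok)."""
    rng = random.Random(seed)
    aborts = 0
    for _ in range(trials):
        w = rng.randrange(Q)
        cs2 = rng.randint(-BETA, BETA)          # ||c*s_2||_inf <= beta
        ct0 = rng.randint(-CT0_BOUND, CT0_BOUND)
        aborted, recovered = hint_roundtrip(w, cs2, ct0)
        if aborted:
            aborts += 1
        elif not recovered:
            return aborts, False
    return aborts, True
```

The per-coefficient abort rate of `hint_roundtrip` is roughly \(\beta /\gamma \), which over the \(nk\) coefficients of \(\mathbf{w}\) is the origin of the \(k/\gamma \) term in the correctness error of Lemma 4.4.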
4.3 Security Properties
In this section we analyze the security of \(\mathsf {ID}\). Most of the proofs are postponed to the full version.
Lemma 4.3
If \(\beta \ge \max _{s\in S_{\eta },c\in \mathsf {ChSet}}\Vert cs\Vert _\infty \), then \(\mathsf {ID}\) is perfectly \(\mathsf {naHVZK}\).
Correctness. In this section, we compute the probability that the Prover does not send \(\bot \) and then show that the verification procedure will always accept a transcript when the Prover does not send \(\bot \).
Lemma 4.4
If \(\beta \ge \max _{s\in S_{\eta },c\in \mathsf {ChSet}}\Vert cs\Vert _\infty \), then \(\mathsf {ID}\) has correctness error \(\delta \approx 1-\exp {(-\beta n\cdot (k/\gamma +\ell /\gamma '))}\).
Lemma 4.5
Our proof follows the framework from [3, 22]. To prove Lemma 4.5, we show that if \(\mathsf {C}\), who outputs the first message \((\mathbf{w}_1, St )\) in the \(\mathsf {LOSSY\text {-}IMP}\) game (see Fig. 16), is able to correctly respond to more than one random challenge c, then the previously mentioned linear equation will have a solution, which with high probability is not possible. Therefore we conclude that for virtually all \(\mathbf{A},\mathbf{t}\) output by \({\mathsf {LossyIGen}}\), there exists at most one challenge to which the prover can respond, and therefore his success probability is at most \(1/|\mathsf {ChSet}|\).
Lemma 4.6
Computational Unique Response. In this section we state that our scheme satisfies the Computational Unique Response (\({\mathsf {CUR}}\)) property required for strong unforgeability of the signature scheme.
Lemma 4.7
If \(4\gamma +2,\, 2\gamma '<\sqrt{q/2}\) and \(\gamma '<\gamma \beta \), and \(\ell \le k\) (i.e. the same conditions as in Lemma 4.5), then \(\mathrm {Adv}^{\mathsf {CUR}}_\mathsf {ID}(\mathsf {A}) < \left( \frac{32\gamma \gamma '}{q}\right) ^{nk}\) for every (even unbounded) adversary \(\mathsf {A}\).
4.4 The \(\mathsf {Dilithium\text {-}QROM}\) Signature Scheme and Concrete Parameters
Lemma 4.7 states that as long as \(4\gamma + 2\) and \(2\gamma ' < \sqrt{q/2}\), we will have \(\mathrm {Adv}^{\mathsf {CUR}}_\mathsf {ID}(\mathsf {C})<\left( \frac{32\gamma \gamma '}{q}\right) ^{nk}\). The parameters in Table 1 indeed satisfy the preconditions, and so \(\mathrm {Adv}^{\mathsf {CUR}}_\mathsf {ID}(\mathsf {C})<\left( \frac{32\gamma \gamma '}{q}\right) ^{nk}< 2^{-865}.\)
Table 1. Parameters for \(\mathsf {Dilithium\text {-}QROM}\) and \(\mathsf {Dilithium}\). The security analysis for the \(\mathsf {MLWE}\) and \(\mathsf {MSIS}\) problems is as described in [16].

| | \(\mathsf {Dilithium\text {-}QROM}\) Recomm. | \(\mathsf {Dilithium\text {-}QROM}\) Very high | \(\mathsf {Dilithium}\) [16] Recomm. | \(\mathsf {Dilithium}\) [16] Very high |
|---|---|---|---|---|
| q (ring modulus) | \(2^{45}-21283\) | \(2^{45}-21283\) | \(2^{23}-8191\) | \(2^{23}-8191\) |
| n (ring dimension) | 512 | 512 | 256 | 256 |
| \((k,\ell )\) (dimension of matrix \(\mathbf{A}\)) | (4, 4) | (5, 5) | (5, 4) | (6, 5) |
| d (dropped bits from \(\mathbf{t}\)) | 15 | 15 | \(14^{{\text {a}}}\) | 14 |
| # of \(\pm 1\)'s in \(c\in \mathsf {ChSet}\) | 46 | 46 | 60 | 60 |
| \(\gamma \) s.t. \(2\gamma \mid q-1\) | 905679 | 905679 | 261888 | 261888 |
| \(\gamma '\) (\(\approx \) max. sig. coefficient) | 905679 | 905679 | 523776 | 523776 |
| \(\eta \) (maximum coefficient of \(\mathbf{s}_1,\mathbf{s}_2\)) | 7 | 3 | 5 | 3 |
| \(\beta \) (\(=\eta \cdot \)(# of \(\pm 1\)'s in c)) | 322 | 138 | \(275^{{\text {b}}}\) | 175 |
| \( pk \) size (bytes) | 7712 | 9632 | 1472 | 1760 |
| Sig size (bytes) | 5690 | 7098 | 2701 | 3366 |
| Exp. repeats (\(1/(1-\delta )\) from Lemma 4.4) | 4.3 | 2.2 | 6.6 | 4.3 |
| BKZ blocksize to break LWE | 480 | 600 | 485 | 595 |
| Best known classical bit-cost | 140 | 175 | 141 | 174 |
| Best known quantum bit-cost | 127 | 159 | 128 | 158 |
| BKZ blocksize to break SIS | NA | NA | 475 | 605 |
| Best known classical bit-cost | NA | NA | 138 | 176 |
| Best known quantum bit-cost | NA | NA | 125 | 160 |
In Table 1, we compare the parameters of the current scheme, which can be proved secure based on the hardness of \(\mathsf {MLWE}\) in the QROM, to those of the original \(\mathsf {Dilithium}\) scheme from [16], which only has a classical security reduction from the combination of \(\mathsf {MLWE}\) and \(\mathsf {MSIS}\) (we introduce this latter problem in the next section). One can see that the sum of the public key and signature sizes is approximately 3.2 times larger in \(\mathsf {Dilithium\text {-}QROM}\) than in \(\mathsf {Dilithium}\).
4.5 Security Assumptions for Non-lossy Schemes
The reduction from the \(\mathsf {MLWE}\) problem to the hardness of the \(\mathsf {Dilithium\text {-}QROM}\) scheme was a direct consequence of Theorem 3.1, which is itself a combination of Theorems 3.2 and 3.4. In this section, we consider the security of schemes for which Theorem 3.4 is inapplicable. In particular, in these schemes it is no longer true that a computationally unbounded adversary cannot win the \(\mathsf {LOSSY\text {-}IMP}\) game. The reason that one would like to use schemes constructed in such a manner is because they turn out to be more efficient. In particular, the original \(\mathsf {Dilithium}\) scheme^{4} [16], which is virtually identical to the \(\mathsf {Dilithium\text {-}QROM}\) presented in this paper except for the parameter sizes, has outputs (of the public key plus signature) that are smaller by a factor of a little over 3 (see Table 1).
But while the \(\mathsf {Dilithium}\) scheme has a security reduction from standard lattice problems in the classical random-oracle model, there is no such reduction in the quantum random-oracle model. Nevertheless, it is unclear whether this lack of reduction implies any weakness against quantum attacks. It would therefore be useful to understand exactly what assumptions the more efficient scheme is relying on in the quantum random-oracle model.
Let us suppose that the parameters for the \(\mathsf {Dilithium}\) scheme are set such that Theorem 3.2 is still applicable. That is, suppose that \(\varepsilon _{\mathsf {zk}}=0\), \(\alpha \) is very large, and the scheme is commitment-recoverable. In this case, ignoring the \(2^{-\alpha +1}\) term, Theorem 3.2 states that the security of the full signature scheme is exactly the security of the \({\mathsf {UF\text {-}NMA}}\) signature scheme in the quantum random-oracle model. Since the adversary does not obtain any valid signatures in the \({\mathsf {UF\text {-}NMA}}\) security game, the security assumption of such signatures is non-interactive.
Below, we recall the standard \(\mathsf {MSIS}\) assumption and then define a new assumption, \(\mathsf {SelfTargetMSIS}\), upon which the security of \(\mathsf {Dilithium}\) is based. We also point out that in the classical random-oracle model there is a (non-tight) reduction from the \(\mathsf {MSIS}\) problem to the \(\mathsf {SelfTargetMSIS}\) problem. Then we show that the \(\mathsf {Dilithium}\) scheme, for which Theorem 3.4 is not necessarily applicable, still has a security reduction from the combination of the \(\mathsf {MLWE}\) and \(\mathsf {SelfTargetMSIS}\) problems.
Footnotes
 1.
There do not exist q for which \(\mathbb {Z}_q[X]/(X^n+1)\) is a field.
 2.
Together with the observation that taking the complex conjugate and transposing \(U_{\textsc {O}}\) do not change \(U_{\textsc {O}}\), we obtain \(U_{\textsc {O}}^\dag = U_{\textsc {O}}\), and hence, \(U_{\textsc {O}} U_{\textsc {O}}^\dag = U_{\textsc {O}}^2 = \mathbbm {1}\), showing that \(U_{\textsc {O}}\) is indeed a unitary transformation.
 3.
In Sect. 4.5, we will also discuss a scheme where \(n=256\). For that scheme the challenge space consists of 60 \(\pm 1\)’s.
 4.
We refer to the deterministic version of the scheme.
 5.
This can be improved to \(Q_\mathsf {H}\mathrm {Adv}^\mathsf {SelfTargetMSIS}_{\mathsf {H},m,k,\gamma }(\mathsf {B})/\mathrm {Time}(\mathsf {B}) \approx \mathrm {Adv}^\mathsf {MSIS}_{m,k,2\gamma }(\mathsf {A})/\mathrm {Time}(\mathsf {A})\).
Acknowledgments
Eike Kiltz was supported in part by ERC Project ERCC (FP7/615074) and by DFG SPP 1736 Big Data. Vadim Lyubashevsky was supported by the SNSF ERC Transfer Starting Grant CRETP2166734FELICITY and the H2020 Project SAFEcrypto. Christian Schaffner was supported by a NWO VIDI grant (639.022.519). The authors are grateful to Dominique Unruh and the anonymous reviewers for comments and discussions.
References
 1. NIST Special Publication 800-165, Computer Security Division 2012 Annual Report, p. 39, June 2013. https://csrc.nist.gov/Projects/Post-Quantum-Cryptography. Accessed 30 Jan 2014
 2. Abdalla, M., An, J.H., Bellare, M., Namprempre, C.: From identification to signatures via the Fiat-Shamir transform: minimizing assumptions for security and forward-security. In: Knudsen, L.R. (ed.) EUROCRYPT 2002. LNCS, vol. 2332, pp. 418–433. Springer, Heidelberg (2002). https://doi.org/10.1007/3-540-46035-7_28
 3. Abdalla, M., Fouque, P.-A., Lyubashevsky, V., Tibouchi, M.: Tightly-secure signatures from lossy identification schemes. In: Pointcheval, D., Johansson, T. (eds.) EUROCRYPT 2012. LNCS, vol. 7237, pp. 572–590. Springer, Heidelberg (2012). https://doi.org/10.1007/978-3-642-29011-4_34
 4. Ajtai, M.: Generating hard instances of lattice problems (extended abstract). In: 28th ACM STOC, pp. 99–108. ACM Press, May 1996
 5. Alkim, E., Bindel, N., Buchmann, J., Dagdelen, Ö., Eaton, E., Gutoski, G., Krämer, J., Pawlega, F.: Revisiting TESLA in the quantum random oracle model. In: Lange, T., Takagi, T. (eds.) PQCrypto 2017. LNCS, vol. 10346, pp. 143–162. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-59879-6_9
 6. Ambainis, A., Rosmanis, A., Unruh, D.: Quantum attacks on classical proof systems: the hardness of quantum rewinding. In: 55th FOCS, pp. 474–483. IEEE Computer Society Press, October 2014
 7. Bai, S., Galbraith, S.D.: An improved compression technique for signatures based on learning with errors. In: Benaloh, J. (ed.) CT-RSA 2014. LNCS, vol. 8366, pp. 28–47. Springer, Cham (2014). https://doi.org/10.1007/978-3-319-04852-9_2
 8. Beals, R., Buhrman, H., Cleve, R., Mosca, M., Wolf, R.: Quantum lower bounds by polynomials. In: 39th FOCS, pp. 352–361. IEEE Computer Society Press, November 1998
 9. Bellare, M., Neven, G.: Multi-signatures in the plain public-key model and a general forking lemma. In: Juels, A., Wright, R.N., Vimercati, S. (eds.) ACM CCS 2006, pp. 390–399. ACM Press, October/November 2006
 10. Bellare, M., Poettering, B., Stebila, D.: From identification to signatures, tightly: a framework and generic transforms. In: Cheon, J.H., Takagi, T. (eds.) ASIACRYPT 2016, Part II. LNCS, vol. 10032, pp. 435–464. Springer, Heidelberg (2016). https://doi.org/10.1007/978-3-662-53890-6_15
 11. Bellare, M., Rogaway, P.: Random oracles are practical: a paradigm for designing efficient protocols. In: Ashby, V. (ed.) ACM CCS 1993, pp. 62–73. ACM Press, November 1993
 12. Bennett, C.H., Bernstein, E., Brassard, G., Vazirani, U.V.: Strengths and weaknesses of quantum computing. SIAM J. Comput. 26(5), 1510–1523 (1997)
 13. Boneh, D., Dagdelen, Ö., Fischlin, M., Lehmann, A., Schaffner, C., Zhandry, M.: Random oracles in a quantum world. In: Lee, D.H., Wang, X. (eds.) ASIACRYPT 2011. LNCS, vol. 7073, pp. 41–69. Springer, Heidelberg (2011). https://doi.org/10.1007/978-3-642-25385-0_3
 14. Groot Bruinderink, L., Hülsing, A., Lange, T., Yarom, Y.: Flush, Gauss, and reload – a cache attack on the BLISS lattice-based signature scheme. In: Gierlichs, B., Poschmann, A.Y. (eds.) CHES 2016. LNCS, vol. 9813, pp. 323–345. Springer, Heidelberg (2016). https://doi.org/10.1007/978-3-662-53140-2_16
 15. Ducas, L., Durmus, A., Lepoint, T., Lyubashevsky, V.: Lattice signatures and bimodal Gaussians. In: Canetti, R., Garay, J.A. (eds.) CRYPTO 2013, Part I. LNCS, vol. 8042, pp. 40–56. Springer, Heidelberg (2013). https://doi.org/10.1007/978-3-642-40041-4_3
 16. Ducas, L., Kiltz, E., Lepoint, T., Lyubashevsky, V., Schwabe, P., Seiler, G., Stehlé, D.: CRYSTALS-Dilithium: a lattice-based digital signature scheme. IACR Trans. Cryptogr. Hardw. Embed. Syst. 2018(1), 238–268 (2018)
 17. Ducas, L., Lyubashevsky, V., Prest, T.: Efficient identity-based encryption over NTRU lattices. In: Sarkar, P., Iwata, T. (eds.) ASIACRYPT 2014, Part II. LNCS, vol. 8874, pp. 22–41. Springer, Heidelberg (2014). https://doi.org/10.1007/978-3-662-45608-8_2
 18. Eaton, E., Song, F.: Making existential-unforgeable signatures strongly unforgeable in the quantum random-oracle model. In: 10th Conference on the Theory of Quantum Computation, Communication and Cryptography, TQC 2015, Brussels, Belgium, 20–22 May 2015, pp. 147–162
 19. Espitau, T., Fouque, P., Gérard, B., Tibouchi, M.: Side-channel attacks on BLISS lattice-based signatures – exploiting branch tracing against strongSwan and electromagnetic emanations in microcontrollers. IACR Cryptology ePrint Archive 2017, 505 (2017). http://eprint.iacr.org/2017/505
 20. Fiat, A., Shamir, A.: How to prove yourself: practical solutions to identification and signature problems. In: Odlyzko, A.M. (ed.) CRYPTO 1986. LNCS, vol. 263, pp. 186–194. Springer, Heidelberg (1987). https://doi.org/10.1007/3-540-47721-7_12
 21. Hülsing, A., Rijneveld, J., Song, F.: Mitigating multi-target attacks in hash-based signatures. In: Cheng, C.-M., Chung, K.-M., Persiano, G., Yang, B.-Y. (eds.) PKC 2016, Part I. LNCS, vol. 9614, pp. 387–416. Springer, Heidelberg (2016). https://doi.org/10.1007/978-3-662-49384-7_15
 22. Katz, J., Wang, N.: Efficiency improvements for signature schemes with tight security reductions. In: Jajodia, S., Atluri, V., Jaeger, T. (eds.) ACM CCS 2003, pp. 155–164. ACM Press, October 2003
 23. Kawachi, A., Tanaka, K., Xagawa, K.: Concurrently secure identification schemes based on the worst-case hardness of lattice problems. In: Pieprzyk, J. (ed.) ASIACRYPT 2008. LNCS, vol. 5350, pp. 372–389. Springer, Heidelberg (2008). https://doi.org/10.1007/978-3-540-89255-7_23
 24. Kiltz, E., Masny, D., Pan, J.: Optimal security proofs for signatures from identification schemes. In: Robshaw, M., Katz, J. (eds.) CRYPTO 2016, Part II. LNCS, vol. 9815, pp. 33–61. Springer, Heidelberg (2016). https://doi.org/10.1007/978-3-662-53008-5_2
 25. Langlois, A., Stehlé, D.: Worst-case to average-case reductions for module lattices. Des. Codes Cryptogr. 75(3), 565–599 (2015)
 26. Lyubashevsky, V.: Fiat-Shamir with aborts: applications to lattice and factoring-based signatures. In: Matsui, M. (ed.) ASIACRYPT 2009. LNCS, vol. 5912, pp. 598–616. Springer, Heidelberg (2009). https://doi.org/10.1007/978-3-642-10366-7_35
 27. Lyubashevsky, V.: Lattice signatures without trapdoors. In: Pointcheval, D., Johansson, T. (eds.) EUROCRYPT 2012. LNCS, vol. 7237, pp. 738–755. Springer, Heidelberg (2012). https://doi.org/10.1007/978-3-642-29011-4_43
 28. Lyubashevsky, V., Micciancio, D.: Generalized compact knapsacks are collision resistant. In: Bugliesi, M., Preneel, B., Sassone, V., Wegener, I. (eds.) ICALP 2006, Part II. LNCS, vol. 4052, pp. 144–155. Springer, Heidelberg (2006). https://doi.org/10.1007/11787006_13
 29. Lyubashevsky, V., Neven, G.: One-shot verifiable encryption from lattices. In: Coron, J.-S., Nielsen, J.B. (eds.) EUROCRYPT 2017, Part I. LNCS, vol. 10210, pp. 293–323. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-56620-7_11
 30. Lyubashevsky, V., Peikert, C., Regev, O.: On ideal lattices and learning with errors over rings. In: Gilbert, H. (ed.) EUROCRYPT 2010. LNCS, vol. 6110, pp. 1–23. Springer, Heidelberg (2010). https://doi.org/10.1007/978-3-642-13190-5_1
 31. Nielsen, M.A., Chuang, I.L.: Quantum Computation and Quantum Information. Cambridge University Press, Cambridge (2000)
 32. Paillier, P., Vergnaud, D.: Discrete-log-based signatures may not be equivalent to discrete log. In: Roy, B. (ed.) ASIACRYPT 2005. LNCS, vol. 3788, pp. 1–20. Springer, Heidelberg (2005). https://doi.org/10.1007/11593447_1
 33. Peikert, C., Rosen, A.: Efficient collision-resistant hashing from worst-case assumptions on cyclic lattices. In: Halevi, S., Rabin, T. (eds.) TCC 2006. LNCS, vol. 3876, pp. 145–166. Springer, Heidelberg (2006). https://doi.org/10.1007/11681878_8
 34. Pointcheval, D., Stern, J.: Security arguments for digital signatures and blind signatures. J. Cryptol. 13(3), 361–396 (2000)
 35. Regev, O.: On lattices, learning with errors, random linear codes, and cryptography. In: Gabow, H.N., Fagin, R. (eds.) 37th ACM STOC, pp. 84–93. ACM Press, May 2005
 36. Unruh, D.: Non-interactive zero-knowledge proofs in the quantum random oracle model. In: Oswald, E., Fischlin, M. (eds.) EUROCRYPT 2015, Part II. LNCS, vol. 9057, pp. 755–784. Springer, Heidelberg (2015). https://doi.org/10.1007/978-3-662-46803-6_25
 37. Unruh, D.: Post-quantum security of Fiat-Shamir. In: Takagi, T., Peyrin, T. (eds.) ASIACRYPT 2017, Part I. LNCS, vol. 10624, pp. 65–95. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-70694-8_3
 38. Unruh, D.: Post-quantum security of Fiat-Shamir. Cryptology ePrint Archive, Report 2017/398 (2017). http://eprint.iacr.org/2017/398
 39. Zhandry, M.: How to construct quantum random functions. In: 53rd FOCS, pp. 679–687. IEEE Computer Society Press, October 2012
 40. Zhandry, M.: Secure identity-based encryption in the quantum random oracle model. In: Safavi-Naini, R., Canetti, R. (eds.) CRYPTO 2012. LNCS, vol. 7417, pp. 758–775. Springer, Heidelberg (2012). https://doi.org/10.1007/978-3-642-32009-5_44