These keywords were added by machine and not by the authors. This process is experimental and the keywords may be updated as the learning algorithm improves.

1 Introduction

Fiat-Shamir Signatures from Identification Protocols. A canonical identification scheme [2] is a three-move authentication protocol \(\mathsf {ID}\) of a specific form. The prover (holding the secret-key) sends a commitment \(W\) to the verifier. The verifier (holding the public-key) returns a random challenge \(c\). The prover sends a response \(Z\). Finally, using the verification algorithm, the verifier accepts if the transcript \((W,c,Z)\) is correct. The Fiat-Shamir transformation [2, 20] combines a canonical identification scheme \(\mathsf {ID}\) and a hash function \(\mathsf {H}\) to obtain a digital signature scheme \({\mathsf {FS}}={\mathsf {FS}}[\mathsf {ID},\mathsf {H}]\). The signing algorithm first iteratively generates a transcript \((W,c,Z)\), where the challenge \(c\) is derived via \(c:=\mathsf {H}(W\parallel {M})\). Signature \(\sigma =(W, Z\)) is valid if the transcript \((W, c:=\mathsf {H}(W\parallel {M}), Z)\) makes the verification algorithm accept. Lyubashevsky [26] further generalized this to the “Fiat-Shamir with aborts” transformation to account for aborting provers.

Security of Fiat-Shamir Signatures in the ROM. Security of \({\mathsf {FS}}[\mathsf {ID},\mathsf {H}]\) in the ROM can be proved in two steps. Firstly, if the underlying identification scheme has statistical Honest-Verifier Zero-Knowledge (\(\mathsf {HVZK}\)), then UnForgeability against Chosen Message Attack (\({\mathsf {UF\text {-}CMA}}\)) and UnForgeability against No Message Attack (\({\mathsf {UF\text {-}NMA}}\)) are tightly equivalent (\({\mathsf {UF\text {-}NMA}}\) security means that the adversary is not allowed to make any signing queries). Secondly, the Forking Lemma [9, 34] (based on a technique called “rewinding”) is used to prove \({\mathsf {UF\text {-}NMA}}\) security in the random-oracle model (ROM) [11] from computational Special Soundness (\(\mathsf {SS}\)). The latter part of the security reduction is non-tight and the loss in tightness is known to be inherent (e.g., [24, 32]).

Fig. 1.
figure 1

Known security results of Fiat-Shamir signatures \({\mathsf {FS}}={\mathsf {FS}}[\mathsf {ID},\mathsf {H}]\) in the ROM. Solid arrows denote tight reductions, dashed arrows non-tight reductions.

Lossy Identification schemes. With the goal of constructing signature schemes with a tight security reduction and generalizing a signature scheme by Katz and Wang [22], AFLT [3] introduced the new concept of lossy identification schemes and proved that Fiat-Shamir transformed signatures have a tight security reduction in the ROM. A lossy identification scheme comes with an additional lossy key generator that produces a lossy public key, computationally indistinguishable from a honestly generated public key. Further, relative to a lossy public key the identification scheme has statistical soundness, i.e., not even an unbounded adversary can successfully impersonate a prover. Figure 1 summarizes the known security results of Fiat-Shamir signatures in the ROM.

Quantum Random-Oracle Model. Recently, NIST announced a competition with the goal to standardize new asymmetric encryption and signature schemes [1] with security against quantum adversaries, i.e., adversaries equipped with a quantum computer. There exists a number of (sometimes only implicitly defined) canonical identification schemes (e.g., [3, 5, 7, 16, 23, 26]) whose security relies on the hardness of certain problems over lattices and codes, which are generally believed to resist quantum adversaries. Quantum computers may execute all “offline primitives” such as the hash function on arbitrary superpositions, which motivated the introduction of the quantum (accessible) random-oracle model (QROM) [13]. That is, in the \({\mathsf {UF\text {-}CMA}}\) security experiment for signatures in the QROM, an adversary has quantum access to a perfect hash function \(\mathsf {H}\) and classical access to the signing oracle. Aiding in the construction of \({\mathsf {UF\text {-}CMA}}\) secure signatures with provable (post-quantum) security in the QROM is the main motivation of this paper.

Security of Fiat-Shamir signatures in the QROM. A number of recent works considered the security of Fiat-Shamir transformed signatures in the QROM. [13] proved a general result showing that if a reduction in the classical ROM is history-free, then it can also be carried out in the QROM. History-free reductions basically determine random oracle answers independently of the history of previous queries. For reductions that are not history-free, adaptive re-programming of the quantum random oracle is required which is problematic in the QROM: with one single quantum query to all inputs in superposition, an adversary might learn a superposition of all possible random oracle values which essentially means the reduction has to provide plausible values for the whole random oracle at this point. Hence, adaptive reprogramming in the QROM is difficult (but not impossible e.g., [12, 18, 36]).

Unfortunately, the known random-oracle proofs of Fiat-Shamir signatures [3, 24, 34] are not history-free. Beyond the general problem of adaptive re-programming, the classical proof [34] uses rewinding and the Forking Lemma, a technique that we currently do not know how to extend to the quantum setting. Even worse, Ambanis et al. [6] proved that Fiat-Shamir signatures cannot be proven secure in a black-box way by just assuming computational special soundness and \(\mathsf {HVZK}\) (these two conditions are, on the other hand, sufficient for a proof in the classical ROM).

To circumvent the above negative result, Unruh [36] proposed an alternative Fiat-Shamir transformation with provable QROM security but the resulting signatures are considerably less efficient as they require multiple executions of the underlying identification scheme.

Alkim et al. [5] gave a concrete tight security reduction for a signature scheme, TESLA, in the QROM. TESLA is a concrete lattice-based digital signature scheme implicitly derived via the Fiat-Shamir transformation. Their QROM proof from the learning with errors (\(\mathsf{LWE}\)) assumption adaptively re-programs the quantum random oracle using a technique from [12] and seems tailored to their particular identification protocol. As described in [5], the intuition behind the QROM security proof for TESLA comes from the fact that the underlying identification scheme is lossy. They leave it as an open problem to prove Fiat-Shamir signatures generically secure from lossy identification schemes.

Unruh [37] could prove (among other things) that identification schemes with \(\mathsf {HVZK}\) and statistical soundness yield \({\mathsf {UF\text {-}CMA}}\) secure Fiat-Shamir signatures in the QROM when additionally assuming a “dual-mode hard instance generator” for generating key pairs of the identification scheme. The latter dual mode hard instance generator is very similar to lossy identification schemes. Whereas the original publication [37] only contains asymptotic proofs, a recently updated version of the full version [38] also provides concrete security bounds. Below, in Sect. 1.2, we will compare them with our bounds.

1.1 Our Results

This work contains a simple and modular security analysis in the QROM of signatures \({\mathsf {FS}}[\mathsf {ID},\mathsf {H}]\) obtained via the Fiat-Shamir transform with aborts [26] from any lossy identification scheme \(\mathsf {ID}\). We also consider the security of a deterministic variant \({\mathsf {DFS}}[\mathsf {ID},\mathsf {H},{\mathsf {PRF}}]\) with better tightness. \({\mathsf {DFS}}\) derives the randomness for signing deterministically using a pseudo-random function \({\mathsf {PRF}}\). Our main security statements are summarized in Fig. 2. Most importantly, if \(\mathsf {ID}\) is a lossy identification scheme and has \(\mathsf {HVZK}\), then \({\mathsf {DFS}}[\mathsf {ID},\mathsf {H},{\mathsf {PRF}}]\) is tightly \({\mathsf {UF\text {-}CMA}}\) secure and \({\mathsf {FS}}[\mathsf {ID},\mathsf {H}]\) is (non-tightly) \({\mathsf {UF\text {-}CMA}}\) secure in the QROM. Our results suggest to prefer \({\mathsf {DFS}}[\mathsf {ID},\mathsf {H},{\mathsf {PRF}}]\) over \({\mathsf {FS}}[\mathsf {ID},\mathsf {H}]\).

The main component of our proof is a tweak to the AFLT Fiat-Shamir proof [3] that makes it history-free. Together with the general result of [13], one can immediately obtain asymptotic (i.e., non-concrete) versions of our QROM proof as a simple corollary. In this work, we instead give direct proofs with concrete, tight security bounds.

To demonstrate the efficacy of our generic framework, we construct a lattice-based signature scheme. The most compact lattice-based schemes, in terms of public key and signature sizes, crucially require sampling from a discrete Gaussian distribution [15, 17]. Such schemes, however, have been shown to be particularly vulnerable to side-channel attacks (c.f. [14, 19]), and it therefore seems prudent to consider schemes that only require simple uniform sampling over the integers. Of those, the most currently efficient one is the \(\mathsf {Dilithium}\) signature scheme [16]. This signature scheme is proved secure based on the \(\mathsf {MSIS}\) (Module-SIS) and the \(\mathsf {MLWE}\) (Module-LWE) assumptions in the ROM implicitly using the framework from Fig. 1.

In this paper, we provide a practical instantiation of a lossy identification scheme to obtain a new digital signature scheme, \(\mathsf {Dilithium\text {-}QROM}\), with a tight security reduction in the QROM from the \(\mathsf {MLWE}\) problem, derived using our new framework from Fig. 2. \(\mathsf {Dilithium\text {-}QROM}\) is essentially a less compact variant (\({\approx } 3\)X larger) of \(\mathsf {Dilithium}\) with modified parameters to allow the underlying identification scheme to admit a lossy mode. We additionally prove the security of the original \(\mathsf {Dilithium}\) scheme in the QROM based on \(\mathsf {MLWE}\) and another non-interactive assumption.

Security of Fiat-Shamir Signatures. Security of deterministic Fiat-Shamir signatures \({\mathsf {DFS}}[\mathsf {ID},\mathsf {H},{\mathsf {PRF}}]\) in the QROM is proved in two independent steps, see Fig. 2.

Fig. 2.
figure 2

Security of standard Fiat-Shamir signatures \({\mathsf {FS}}={\mathsf {FS}}[\mathsf {ID},\mathsf {H}]\) and deterministic Fiat-Shamir signatures \({\mathsf {DFS}}={\mathsf {DFS}}[\mathsf {ID},\mathsf {H},{\mathsf {PRF}}]\) in the QROM. Solid arrows denote tight reductions, dashed arrows non-tight reductions. The considered security notions are: \({\mathsf {UF\text {-}CMA}}\) (unforgeability against chosen-message attack), \({{\mathsf {UF\text {-}CMA}}_1}\) (unforgeability against one-query-per-message chosen-message attack), and \({\mathsf {UF\text {-}NMA}}\) (unforgeability against no-message attack).

Step 1: \(\mathsf {LOSSY} \Longrightarrow {\mathsf {UF\text {-}NMA}}\). We sketch an adaptation of the standard history-free proof implicitly contained in [3]. By the security properties of the lossy identification scheme, the public key can be set in lossy mode which remains unnoticed by a computationally bounded quantum adversary. Further, breaking the signature scheme in lossy mode with at most \(Q_\mathsf {H}\) queries to the quantum random oracle essentially requires to solve the generic quantum search problem, whose complexity is \(\varTheta (Q_\mathsf {H}^2 \cdot \varepsilon _{\mathsf {ls}})\) [21, 39], where \(\varepsilon _{\mathsf {ls}}\) is the statistical soundness parameter of \(\mathsf {ID}\) in lossy mode. A similar argument is implicitly contained in [5, 37].

Step 2: \({\mathsf {UF\text {-}NMA}}\Longrightarrow {\mathsf {UF\text {-}CMA}}\). We will now sketch a history-free proof of \({\mathsf {UF\text {-}NMA}}\Rightarrow {{\mathsf {UF\text {-}CMA}}_1}\), where (compared to \({\mathsf {UF\text {-}CMA}}\) security) \({{\mathsf {UF\text {-}CMA}}_1}\) security limits the number of queried signatures per message \({M}\) to one. We then apply a standard (history-free, tight) reduction to show that \({{\mathsf {UF\text {-}CMA}}_1}\) secure signatures de-randomized with a \({\mathsf {PRF}}\) yield \({\mathsf {UF\text {-}CMA}}\) secure signatures with deterministic signing [10].

The standard ROM proof of \({\mathsf {UF\text {-}NMA}}\Rightarrow {\mathsf {UF\text {-}CMA}}\) (implicitly contained in [3]) works as follows: one uses the \(\mathsf {HVZK}\) property of \(\mathsf {ID}\) to show that the signing oracle can be efficiently simulated only knowing the public-key. Concretely, the \(\mathsf {HVZK}\) simulator generates a transcript \((W,c,Z)\) and later “patches” the random oracle by defining \(\mathsf {H}(W\parallel {M}):=c\) to make \((W,Z)\) a valid signature. The problem is that the random oracle patching (i.e., defining \(\mathsf {H}(W\parallel {M}):=c\)) can only be done after the signing query on \({M}\) because only then \(W\) and \(c\) are known. This renders the AFLT standard reduction non history-free. In our history-free \({\mathsf {UF\text {-}NMA}}\Rightarrow {{\mathsf {UF\text {-}CMA}}_1}\) proof, we resolve this problem as follows. We use the \(\mathsf {HVZK}\) property to generate the transcript \((W_{M},c_{M},Z_{M})\) deterministically using message-dependent randomness. Hence, for each message \({M}\), the transcript \((W_{M},c_{M},Z_{M})\) is unique and can be computed at any time. This uniqueness allows us to patch the random oracle \(\mathsf {H}(W\parallel {M})\) to \(c_{M}\) at any time of the proof (i.e., iff \(W= W_{M}\)), even before the adversary has established a signing query on message \({M}\). This trick makes the proof history-free, see Theorem 3.2. Clearly, this only works if the adversary receives at most one signature for each messages \({M}\), which is guaranteed by the \({{\mathsf {UF\text {-}CMA}}_1}\) experiment.

In order to deal with (full) \({\mathsf {UF\text {-}CMA}}\) security of probabilistic Fiat-Shamir signatures \({\mathsf {FS}}[\mathsf {ID},\mathsf {H}]\), the above trick can be adapted to also obtain a history-free reduction, see Theorem 3.3. However, the proof is less tight as the reduction suffers from a quadratic blow-up in its running time.

Our results furthermore prove strong unforgeability if the identification scheme satisfies an additional property called computational unique response \(({\mathsf {CUR}})\). \({\mathsf {CUR}}\) essentially says that it is hard to come up with two accepting transcripts with the same commitment and challenge but different responses.

\(\mathsf {Dilithium\text {-}QROM}\): A signature scheme with provable security in the QROM. The digital signature scheme \(\mathsf {Dilithium}\) [16] is constructed from a canonical identification scheme using the Fiat-Shamir with aborts approach [26]. In the ROM, its security is based (via non-tight reductions) on the hardness of the \(\mathsf {MSIS}\) and \(\mathsf {MLWE}\) problems. We show that by increasing the size of the modulus and the dimension of the public key matrix, the resulting identification scheme admits a lossy mode such that distinguishing real from lossy keys is based on the hardness of \(\mathsf {MLWE}\). We can then apply our main reduction to conclude that the resulting digital signature scheme is based on the hardness of the \(\mathsf {MLWE}\) problem.

In order to construct an identification scheme with a lossy mode, in addition to increasing the size of the modulus and the overall dimension, we also choose our prime modulus q so that the underlying ring \(\mathbb {Z}_q[X]/(X^n+1)\) has the property that all elements with coefficients less than \(\sqrt{q/2}\) have an inverse [29] – having all small elements be invertible is crucial to having lossiness.Footnote 1 For the same security levels as \(\mathsf {Dilithium}\), the total size of the public key and signature is increased by a factor of a little over 3.

Revisiting the Security of Dilithium. Due to the way the parameters are set, the underlying identification scheme of the original \(\mathsf {Dilithium}\) scheme does not have a lossy mode, and so we cannot apply Theorem 3.4 in the reduction sequence in Fig. 2. Nevertheless, the reduction from Theorem 3.2 is still applicable. In the classical ROM, one then obtains a reduction from \(\mathsf {MSIS}\) to the \({\mathsf {UF\text {-}NMA}}\) scheme via the forking lemma (see Fig. 1).

The main downside of this last step is that the reduction is inherently non-tight. In practice, however, parameters are set based on the hardness of the underlying \(\mathsf {MSIS}\) problem and the non-tightness of the reduction is ignored. This is not just the case in lattice-based schemes, but is the prevalent practice for every signature scheme built via the Fiat-Shamir transform. The implicit assumption is, therefore, that the \({\mathsf {UF\text {-}NMA}}\) scheme is exactly as secure as \(\mathsf {MSIS}\) (assuming that \(\mathsf {H}\) is secure). We point out that the assumption that the \({\mathsf {UF\text {-}NMA}}\) scheme is secure is a non-interactive assumption that is reasonably simple to state, and so the fact that several decades of cryptanalysis haven’t produced any improved attacks against schemes whose parameters ignore the non-tightness of the reduction, gives us confidence that equating the hardness of the \({\mathsf {UF\text {-}NMA}}\) scheme with the hardness of the underlying problem is very reasonable.

In Sect. 4.5, we formulate the security of the \({\mathsf {UF\text {-}NMA}}\) scheme as a “convolution” of a lattice/hash function problem, which we call \(\mathsf {SelfTargetMSIS}\), and then show that based on the hardness of \(\mathsf {MLWE}\) and \(\mathsf {SelfTargetMSIS}\), the deterministic version of the \(\mathsf {Dilithium}\) scheme is (tightly) \({\mathsf {UF\text {-}CMA}}\) secure in the QROM. In other words, we show that the security of the tight version of the signature scheme is based on exactly the same assumptions in the ROM and the QROM.

Other Instantiations. Our framework can be applied to obtain a security proof in the QROM for a number of existing Fiat-Shamir signature schemes that are similar to \(\mathsf {Dilithium}\) (e.g., [3, 5, 7, 26]) and those that have a somewhat different structure and possibly based on different assumptions (e.g., [23]). Our rationale for setting the parameters in \(\mathsf {Dilithium\text {-}QROM}\) was to minimize the total sum of the public key and the signature. If one, on the other hand, wished to only minimize the signature size, one could create a public key whose “height” is larger than its “width” (e.g., as in [5]). For optimal efficiency, this may possibly require working over polynomial rings \(\mathbb {Z}_q[X]/(f(x))\) which are finite fields.

1.2 Concrete Bounds and Comparison with Unruh [37, 38]

Ignoring all constants and the computational term accounting for the pseudo-random function, our concrete bound for the \({\mathsf {UF\text {-}CMA}}\) security of deterministic Fiat-Shamir signatures \({\mathsf {DFS}}\) in the QROM is

$$\begin{aligned} \mathrm {Adv}^{{\mathsf {UF\text {-}CMA}}}_{{\mathsf {DFS}}}(\mathsf {A}) \le \mathrm {Adv}^{\mathsf {LOSS}}_{{\mathsf {ID}}}(\mathsf {B}) + Q_\mathsf {H}^2 \cdot \varepsilon _{\mathsf {ls}}+ Q_S \cdot \varepsilon _{\mathsf {zk}}+ 2^{-\alpha }, \quad \mathrm {Time}(\mathsf {B}) \approx \mathrm {Time}(\mathsf {A}) \end{aligned}$$

where \(\mathrm {Adv}^{\mathsf {LOSS}}_{{\mathsf {ID}}}(\mathsf {B})\) is the lossyness advantage of \(\mathsf {ID}\), \(\varepsilon _{\mathsf {ls}}\) is the statistical soundness parameter of \(\mathsf {ID}\) in lossy mode, \(\alpha \) is the min-entropy of \(\mathsf {ID}\)’s commitments, and \(\varepsilon _{\mathsf {zk}}\) is the \(\mathsf {HVZK}\) parameter of \(\mathsf {ID}\).

From Unruh [38] one can derive the following concrete bound which even holds for (standard) probabilistic Fiat-Shamir signatures \({\mathsf {FS}}\).

$$\begin{aligned} \begin{aligned} \mathrm {Adv}^{{\mathsf {UF\text {-}CMA}}}_{{\mathsf {FS}}}(\mathsf {A})&\le \mathrm {Adv}^{\mathsf {LOSS}}_{{\mathsf {ID}}}(\mathsf {B})+Q_\mathsf {H}^2 \cdot \varepsilon _{\mathsf {ls}}+Q_S \cdot \varepsilon _{\mathsf {zk}}+Q_S Q_H^{1/2} \cdot 2^{-\alpha /4}, \\ \mathrm {Time}(\mathsf {B})&\approx \mathrm {Time}(\mathsf {A})+Q_\mathsf {H}Q_S . \end{aligned} \end{aligned}$$

Compared to (1), bound (2) has two sources of non-tightness.

The first source of non-tightness in (2) is the term \(Q_S Q_H^{1/2} \cdot 2^{-\alpha /4}\) which stems from a generic re-programming technique from [36]. In most practical lattice-based schemes the commitment’s min-entropy \(\alpha \) is large enough not to make a big impact on the worse bounds. However, this term puts a lower bound on the min-entropy of commitments which translates to an unnatural lower bound on the size of quantum-resistant Fiat-Shamir signatures. Furthermore, it is sometimes not that easy to exactly compute the min-entropy \(\alpha \). Further, simple techniques to get a “good-enough” bound (as we did for regular Dilithium when we obtained \(\alpha =255\)) would no longer result in something meaningful when used with (2).

The second and more important sources of non-tightness in (2) is the quadratic (in the number of queries) blow-up in the running time \(\mathrm {Time}(\mathsf {B}) \approx \mathrm {Time}(\mathsf {A})+Q_\mathsf {H}Q_S\) which renders the reduction non-tight in all practical aspects. Interestingly, our proof for the security of probabilistic Fiat-Shamir signatures (Theorem 3.3) introduces the same source of non-tightness. However, under the assumption that superposition queries to classical data can be performed in a single time step (denoted by QRAM in [38]), the running time in (2) drops to \(\mathrm {Time}(\mathsf {B}) \approx \mathrm {Time}(\mathsf {A})\) and hence the reduction is tight again. We leave it as an open problem to come up with a tight reduction for probabilistic Fiat-Shamir signatures in the QROM without using QRAM.

2 Preliminaries

For \(n \in \mathbb {N}\), let \([n] := \lbrace 1, \dots , n \rbrace .\) For a set S, |S| denotes the cardinality of S. For a finite set S, we denote the sampling of a uniform random element x by \(x \leftarrow S\), while we denote the sampling according to some distribution \(\mathfrak {D}\) by \(x \leftarrow \mathfrak {D}\). By \(\llbracket B\rrbracket \) we denote the bit that is 1 if the Boolean Statement B is true, and 0 otherwise.

Algorithms. Let \(\mathsf {A}\) be an algorithm. Unless stated otherwise, we assume all our algorithms to be probabilistic. We denote by \(y\leftarrow \mathsf {A}(x)\) the probabilistic computation of algorithm \(\mathsf {A}\) on input x. If \(\mathsf {A}\) is deterministic, we write \(y := \mathsf {A}(x).\) The notation \(y \in \mathsf {A}(x)\) is used to indicate all possible outcomes y of the probabilistic algorithm \(\mathsf {A}\) on input x. We can make any probabilistic \(\mathsf {A}\) deterministic by running it with fixed randomness. We write \(y := \mathsf {A}(x; r)\) to indicate that \(\mathsf {A}\) is run on input x with randomness r. Finally, the notation \(\mathsf {A}(x) \Rightarrow y\) denotes the event that \(\mathsf {A}\) on input x returns y.

Games. We use code-based games. We implicitly assume boolean flags to be initialized to false, numerical types to 0, sets to \(\varnothing \), and strings to the empty string \(\epsilon \). We make the convention that a procedure terminates once it has returned an output.

2.1 Quantum Computation

Quantum States. The state of a qubit \(|{\phi } \rangle \) is described by a two-dimensional complex vector \(|{\phi } \rangle =\alpha |{0} \rangle + \beta |{1} \rangle \) where \(\{|{0} \rangle , |{1} \rangle \}\) form an orthonormal basis of \(\mathbb {C}^2\) and \(\alpha , \beta \in \mathbb {C}\) with \(|\alpha |^2 + |\beta |^2 = 1\) are called the complex amplitudes of \(|{\phi } \rangle \). The qbit \(|{\phi } \rangle \) is said to be in superposition if \(0<|\alpha |<1\). A classical bit \(b \in \{0,1\}\) is naturally encoded as state \(|{b} \rangle \) of a qubit.

The state \(|{\psi } \rangle \) of n qubits can be expressed as \(|{\psi } \rangle = \sum _{x \in \{0,1\}^n} \alpha _x |{x} \rangle \in \mathbb {C}^{2^n}\) where \(\{ \alpha _x \}_{x \in \{0,1\}^n}\) is a set of \(2^n\) complex amplitudes such that \(\sum _{x \in \{0,1\}^n} |\alpha _x|^2 = 1\). As for one qubit, the standard orthonormal or computational basis is given by \(\{ |{x} \rangle \}_{x \in \{0,1\}^n}\). When the quantum state \(|{\psi } \rangle \) is measured in the computational basis, the outcome is the classical string \(x \in \{0,1\}^n\) with probability \(|\alpha _x|^2\) and the quantum state collapses to what is observed, namely \(|{x} \rangle \).

The evolution of a quantum system in state \(|{\psi } \rangle \) can be described by a linear length-preserving transformation \(U: \mathbb {C}^{2^n} \rightarrow \mathbb {C}^{2^n}\). Such transformations correspond to unitary matrices U of size \(2^n\) by \(2^n\), i.e. U has the property that \(U U^\dag = \mathbbm {1}\), where \(U^\dag \) is the complex-conjugate transpose of U.

For further details about basic concepts and notation of quantum computing, we refer to the standard text book by Nielsen and Chuang [31].

Quantum oracles and quantum adversaries. For a classical oracle function \(\textsc {O}: \{0,1\}^n \rightarrow \{0,1\}^{m}\), we follow the standard approach as in [8, 13] to make the execution of the classical function \(\textsc {O}\) a reversible unitary transformation. We model quantum access to \(\textsc {O}\) by

$$ U_{\textsc {O}}: |x\rangle |y\rangle \mapsto |x\rangle |y \oplus \textsc {O}(x)\rangle , $$

where \(x \in \{0,1\}^n\) and \(y \in \{0,1\}^{m}\). Note that due to the XOR function in the second register, \(U_{\textsc {O}}\) is its own inverse, i.e. executing \(U_{\textsc {O}}\) twice results in the identity for any function \(\textsc {O}\).Footnote 2 Quantum oracle adversaries \(\mathsf {A}^{|{\textsc {O}} \rangle }\) can access \(\textsc {O}\) in superposition by applying \(U_{\textsc {O}}\). The quantum time it takes to apply \(U_{\textsc {O}}\) is linear in the time it takes to evaluate \(\textsc {O}\) classically. We write \(\mathsf {A}^{|{\textsc {O}} \rangle }\) to indicate that an oracle is quantum-accessible, contrary to oracles which can only be accessed classically which are denoted by \(\mathsf {A}^{\textsc {O}}\). We also abuse notation and use \(|{O} \rangle \) to denote the oracle that is quantumly accessible.

Quantum random-oracle model. We consider security games in the quantum random-oracle model (QROM) [13] like their counterparts in the classical random-oracle model [11], with the difference that we consider quantum adversaries that are given quantum access to the random oracles involved, and classical access to all other oracles (e.g., the signing oracle). Zhandry [40] proved that no quantum algorithm \(\mathsf {A}^{|{\mathsf {H}} \rangle }\), issuing at most Q quantum queries to \(|{\mathsf {H}} \rangle \), can distinguish between a random function \(\mathsf {H}:\{0,1\}^m \rightarrow \{0,1\}^n\) and a 2Q-wise independent function \(f_{2Q}\). For concreteness, we view \(f_{2Q} :\{0,1\}^m \rightarrow \{0,1\}^n\) as a random polynomial of degree 2Q over the finite field \(\mathbb {F}_{2^n}\). The running time to evaluate \(f_{2Q}\) is linear in Q.

In this article, we will use this observation in the context of security reductions, where quantum adversary \(\mathsf {B}\) simulates quantum adversary \(\mathsf {A}^{|{\mathsf {H}} \rangle }\) which makes at most Q queries to \(|{\mathsf {H}} \rangle \). Hence, the running time of \(\mathsf {B}\) is \(\mathrm {Time}(\mathsf {B}) = \mathrm {Time}(\mathsf {A}) + q \cdot \mathrm {Time}(\mathsf {H})\), where \(\mathrm {Time}(\mathsf {H})\) is the time it takes to simulate \(|{\mathsf {H}} \rangle \). Using the observation above, \(\mathsf {B}\) can use a 2Q-wise independent function in order to (information-theoretically) simulate \(|{\mathsf {H}} \rangle \) and we obtain that the running time of \(\mathsf {B}\) is \(\mathrm {Time}(\mathsf {B}) = \mathrm {Time}(\mathsf {A}) + Q \cdot \mathrm {Time}(f_{2Q})\), and the time \(\mathrm {Time}(f_{2Q})\) to evaluate \(f_{2Q}\) is linear in Q. The second term of this running time (quadratic in Q) can be further reduced to linear in Q in the quantum random-oracle model where \(\mathsf {B}\) can simply use another random oracle to simulate \(|{\mathsf {H}} \rangle \). Assuming evaluating the random oracle takes one time unit, we write \(\mathrm {Time}(\mathsf {B}) = \mathrm {Time}(\mathsf {A}) + Q\) which is approximately \(\mathrm {Time}(\mathsf {A})\).

Generic Quantum Search. For \(\lambda \in [0,1]\) let \(\mathcal {B}_\lambda \) be the Bernoulli distribution, i.e., \(\Pr [b=1] = \lambda \) for the bit \(b \leftarrow \mathcal {B}_\lambda \). Let X be some finite set. The generic quantum search problem \(\mathsf {GSP}\) [21, 39] is to find an \(x \in X\) satisfying \(g(x)=1\) given quantum access to an oracle \(g: X \rightarrow \{0,1\}\), such that for each \(x \in X\), g(x) is distributed according to \(\mathcal {B}_{\lambda }\). We will need the following slight variation of \(\mathsf {GSP}\). The Generic quantum Search Problem with Bounded probabilities \(\mathsf {GSPB}\) is like the quantum search problem with the difference that the Bernoulli parameter \(\lambda (x)\) may (adversarially) depend on x but it is upper bounded by a global \(\lambda \).

Lemma 2.1

(Generic Search Problem with Bounded Probabilities). Let \(\lambda \in [0,1]\). For any (unbounded, quantum) algorithm \(\mathsf {A}\) issuing at most Q quantum queries to \(|{g} \rangle \), \(\Pr [\mathsf {GSPB}_\lambda ^\mathsf {A}\Rightarrow 1 ] \le 8 \cdot \lambda \cdot (Q+1)^2\), where Game \(\mathsf {GSPB}_\lambda \) is defined in Fig. 3.

Fig. 3.
figure 3

The generic search game \(\mathsf {GSPB}_\lambda \) with bounded maximal Bernoulli parameter \(\lambda \in [0,1]\).

The bound on \(\mathsf {GSPB}\) can be reduced to the known bound on \(\mathsf {GSP}\) [21, 39] by artificially increasing the Bernoulli parameter to obtain the dependence on each \(x \in X\).

2.2 Pseudorandom Functions

A pseudorandom function \({\mathsf {PRF}}\) is a mapping \({\mathsf {PRF}}: \mathcal {K}\times \{0,1\}^n \rightarrow \{0,1\}^k\), where \(\mathcal {K}\) is a finite key space and nk are integers. To a quantum adversary \(\mathsf {A}\) and \({\mathsf {PRF}}\) we associate the advantage function

$$ \mathrm {Adv}^{\mathsf {PR}}_{\mathsf {PRF}}(\mathsf {A}) := \big |\Pr [ \mathsf {A}^{{\mathsf {PRF}}(K, \cdot )} \Rightarrow 1 \mid K \leftarrow \mathcal {K}]-\Pr [ \mathsf {A}^{\mathsf {RF}(\cdot )} \Rightarrow 1 ] \big |, $$

where \(\mathsf {RF}:\{0,1\}^n \rightarrow \{0,1\}^k\) is a perfect random function. We note that while adversary \(\mathsf {A}\) is quantum, it only gets classical access to the oracles \({\mathsf {PRF}}(K, \cdot )\) and \(\mathsf {RF}(\cdot )\).

2.3 Canonical Identification Schemes

A canonical identification scheme \({\mathsf {ID}}\) is a three-move protocol of the form depicted in Fig. 4. The prover’s first message \(W\) is called commitment, the verifier selects a uniform challenge \(c\) from set \(\mathsf {ChSet}\), and, upon receiving a response \(Z\) from the prover, makes a deterministic decision.

Fig. 4.
figure 4

A canonical identification scheme and its transcript \((W,c,Z)\).

Definition 2.2

(Canonical Identification Scheme). A canonical identification scheme \({\mathsf {ID}}\) is defined as a tuple of algorithms \({\mathsf {ID}}:=({\mathsf {IGen}},{\mathsf {P}},\mathsf {ChSet},{\mathsf {V}})\).

  • The key generation algorithm \({\mathsf {IGen}}\) takes system parameters \(\mathsf {par}\) as input and returns public and secret key \(( pk , sk )\). We assume that \( pk \) defines \(\mathsf {ChSet}\) (the set of challenges), \(\mathsf {WSet}\) (the set of commitments), and \(\mathsf {ZSet}\) (the set of responses).

  • The prover algorithm \({\mathsf {P}}=({\mathsf {P}}_1,{\mathsf {P}}_2)\) is split into two algorithms. \({\mathsf {P}}_1\) takes as input the secret key \( sk \) and returns a commitment \(W\in \mathsf {WSet}\) and a state \( St \); \({\mathsf {P}}_2\) takes as input the secret key \( sk \), a commitment \(W\), a challenge \(c\), and a state \( St \) and returns a response \(Z\in \mathsf {ZSet}\cup \{\bot \}\), where \(\bot \not \in \mathsf {ZSet}\) is a special symbol indicating failure.

  • The verifier algorithm \({\mathsf {V}}\) takes the public key \( pk \) and the conversation transcript as input and outputs a deterministic decision, 1 (acceptance) or 0 (rejection).

We make a couple of useful definitions. A transcript is a three-tuple \((W,c,Z) \in \mathsf {WSet}\times \mathsf {ChSet}\times \mathsf {ZSet}\cup \{\bot ,\bot ,\bot \}\). It is called valid (with respect to public-key \( pk \)) if \({\mathsf {V}}( pk , W, c,Z)=1\). In Fig. 5 we also define a transcript oracle \(\mathsf {Trans}\) that returns a real interaction \((W,c,Z)\) between prover and verifier as depicted in Fig. 4, with the important convention that the transcript is defined as \((\bot ,\bot ,\bot )\) if \(Z= \bot \).

Fig. 5.
figure 5

An honestly generated transcript \((W, c,Z)\) output by the transcript oracle \(\mathsf {Trans}( sk )\).

Definition 2.3

(Correctness Error). Identification scheme \(\mathsf {ID}\) has correctness error \(\delta \) if for all \(( pk , sk ) \in {\mathsf {IGen}}(\mathsf {par})\) the following holds:

  • All possible transcripts \((W, c, Z)\) satisfying \(Z\ne \bot \) are valid, i.e., for all \((W, St ) \in {\mathsf {P}}_1( sk )\), all \(c\in \mathsf {ChSet}\) and all \(Z\in {\mathsf {P}}_2( sk ,W,c, St )\) with \(Z\ne \bot \), we have \({\mathsf {V}}( pk , W, c,Z)=1\).

  • The probability that an honestly generated transcript \((W, c, Z)\) contains \(Z= \bot \) is bounded by \(\delta \), i.e., \(\Pr [Z= \bot \mid (W,c, Z) \leftarrow \mathsf {Trans}( sk )] \le \delta \).

Definition 2.4

We call \(\mathsf {ID}\) commitment-recoverable, if for any \(( pk , sk )\in {\mathsf {IGen}}(\mathsf {par})\), \(c\in \mathsf {ChSet}\), and \(Z\in \mathsf {ZSet}\), there exists a unique \(W\in \mathsf {WSet}\) such that \({\mathsf {V}}( pk ,W,c,Z)=1\). This unique \(W\) can be publicly computed using a commitment recovery algorithm as \(W:={\mathsf {Rec}}( pk ,c,Z)\).

We define no-abort honest-verifier zero-knowledge, a weak variant of honest-verifier zero-knowledge that requires the transcript (as generated by \(\mathsf {Trans}( sk )\)) to be publicly simulatable, conditioned on \(Z\ne \bot \).

Definition 2.5

(No-Abort Honest-verifier Zero-knowledge). A canonical identification scheme \({\mathsf {ID}}\) is said to be \(\varepsilon _{\mathsf {zk}}\)-perfect \(\mathsf {naHVZK}\) (no-abort honest-verifier zero-knowledge) if there exists an algorithm \(\mathsf {Sim}\) that, given only the public key \( pk \), outputs \((W,c,Z)\) such that the following conditions hold:

  • The distribution of \((W, c, Z) \leftarrow \mathsf {Sim}( pk )\) has statistical distance at most \(\varepsilon _{\mathsf {zk}}\) from \((W', c', Z') \leftarrow \mathsf {Trans}( sk )\), where \(\mathsf {Trans}\) is defined in Fig. 5.

  • The distribution of \(c\) from \((W, c, Z) \leftarrow \mathsf {Sim}( pk )\) conditioned on \(c\ne \bot \) is uniform random in \(\mathsf {ChSet}\).

Note that if \(\mathsf {ID}\) is commitment-recoverable, then we can abandon the \(W\) in the output of \(\mathsf {Trans}\) and \(\mathsf {Sim}\) since \(W\) can be publicly computed from \((c,Z)\).

Definition 2.6

(Min-Entropy). If the most likely value of a random variable W that is chosen from a discrete distribution D occurs with probability \(2^{-\alpha }\), then we say that min-entropy\((W \mid W\leftarrow D)=\alpha \). We will say that a canonical identification scheme \({\mathsf {ID}}\) has \(\alpha \) bits of min-entropy, if

$$ \mathop {\mathrm {Pr}}_{( pk , sk )\leftarrow {\mathsf {IGen}}(\mathsf {par})}[\text {min-entropy}(W\mid (W, St )\leftarrow {\mathsf {P}}_1( sk ))\ge \alpha ]\ge 1-2^{-\alpha }.$$

In other words, except with probability \(2^{-\alpha }\) over the choice of \(( pk , sk )\), the min-entropy of W will be at least \(\alpha \).

An identification scheme has unique responses if for all \(W\) and \(c\) there exists at most one \(Z\) to make the verifier accept, i.e., \({\mathsf {V}}( pk ,W,c,Z)=1\). We relax this property to computational unique response (\({\mathsf {CUR}}\)) for which we require it to be computationally difficult to come up with \((W, c,Z,Z')\) with \({\mathsf {V}}( pk ,W,c,Z)={\mathsf {V}}( pk ,W,c,Z')=1\) and \(Z' \ne Z\).

Definition 2.7

(Computational Unique Response). To an adversary \(\mathsf {A}\) we associate the advantage function

$$\begin{aligned} \mathrm {Adv}^{\mathsf {CUR}}_\mathsf {ID}(\mathsf {A}) := \Pr \left[ \left. \begin{array}{l} {\mathsf {V}}( pk , W, c,Z)=1 \\ {\mathsf {V}}( pk , W, c,Z')=1 \wedge Z\ne Z' \end{array} \quad \right| \begin{array}{l} ( pk , sk ) \leftarrow {\mathsf {IGen}}(\mathsf {par}); \\ (W, c,Z,Z') \leftarrow \mathsf {A}( pk ) \end{array} \right] . \end{aligned}$$

Lossy Identification schemes. We now recall lossy identification schemes [3].

Definition 2.8

An identification scheme \(\mathsf {ID}=({\mathsf {IGen}},{\mathsf {P}},\mathsf {ChSet},{\mathsf {V}})\) is lossy if there exists a lossy key generation algorithm \({\mathsf {LossyIGen}}\) that takes system parameters \(\mathsf {par}\) as input and returns public key \( pk _\mathsf {ls}\) (and no secret key \( sk \)).

We refer to \({\mathsf {LID}}= ({\mathsf {IGen}},{\mathsf {LossyIGen}},{\mathsf {P}},\mathsf {ChSet},{\mathsf {V}})\) as a lossy identification scheme.

We now define two security properties of a lossy identification scheme \({\mathsf {LID}}\). The first property says that public keys generated with the real key generator \({\mathsf {IGen}}\) are indistinguishable from ones generated by the lossy key generator \({\mathsf {LossyIGen}}\). Concretely, we define the \(\mathsf {LOSS}\) advantage function of a quantum adversary \(\mathsf {A}\) against \({\mathsf {ID}}\) as

$$\begin{aligned} \mathrm {Adv}^{\mathsf {LOSS}}_{{\mathsf {LID}}}(\mathsf {A})&:= \big |\Pr [ \mathsf {A}( pk _\mathsf {ls}) \Rightarrow 1 \mid pk _\mathsf {ls}\leftarrow {\mathsf {LossyIGen}}(\mathsf {par})]\\&\quad -\Pr [ \mathsf {A}( pk ) \Rightarrow 1 \mid ( pk , sk ) \leftarrow {\mathsf {IGen}}(\mathsf {par})] \big |. \end{aligned}$$

The second security property is statistical and says that relative to a lossy key \( pk _\mathsf {ls}\), not even an unbounded quantum adversary can impersonate the prover. We say that \({\mathsf {ID}}\) has \(\varepsilon _{\mathsf {ls}}\)-lossy soundness if for every (possibly unbounded, quantum) adversary \(\mathsf {C}\), \(\Pr [\mathsf {LOSSY\text {-}IMP}^\mathsf {C}\Rightarrow 1] \le \varepsilon _{\mathsf {ls}}\), where game \(\mathsf {LOSSY\text {-}IMP}\) is defined in Fig. 6.

Fig. 6.
figure 6

The lossy impersonation game \(\mathsf {LOSSY\text {-}IMP}\).

Since \(\mathsf {C}\) is unbounded, we can upper bound \(\Pr [\mathsf {LOSSY\text {-}IMP}^\mathsf {C}\Rightarrow 1] \) as

$$\begin{aligned} \begin{aligned}&\Pr [\mathsf {LOSSY\text {-}IMP}^\mathsf {C}\Rightarrow 1] \\&\quad \le \mathbf {E}\left[ \text {max}_{W\in \mathsf {WSet}}\left( \text {Pr}_{c\leftarrow \mathsf {ChSet}}[\exists Z\in \mathsf {ZSet}: {\mathsf {V}}( pk _\mathsf {ls},W,c,Z)=1 ] \right) \right] , \end{aligned} \end{aligned}$$

where the expectation is taken over \( pk _\mathsf {ls}\leftarrow {\mathsf {LossyIGen}}(\mathsf {par})\). Note that equality in Eq. (3) is achieved for the “optimal” adversary \(\mathsf {C}\) which on the “easiest” commitment \(W\in \mathsf {WSet}\) and a random challenge \(c\leftarrow \mathsf {ChSet}\) finds a response \(Z\in \mathsf {ZSet}\) that the verifier accepts.

2.4 Digital Signatures

We now define syntax and security of a digital signature scheme. Let \(\mathsf {par}\) be common system parameters shared among all participants.

Definition 2.9

(Digital Signature). A digital signature scheme \({\mathsf {SIG}}\) is defined as a triple of algorithms \({\mathsf {SIG}}= ({\mathsf {Gen}}, {\mathsf {Sign}}, {\mathsf {Ver}})\).

  • The key generation algorithm \({\mathsf {Gen}}(\mathsf {par})\) returns the public and secret keys \(( pk , sk )\). We assume that \( pk \) defines the message space \(\mathsf {MSet}\).

  • The signing algorithm \({\mathsf {Sign}}( sk ,{M})\) returns a signature \(\sigma \).

  • The deterministic verification algorithm \({\mathsf {Ver}}( pk , {M},\sigma )\) returns 1 (accept) or 0 (reject).

Signature scheme \({\mathsf {SIG}}\) has correctness error \(\gamma \) if for all \(( pk , sk )\in {\mathsf {Gen}}(\mathsf {par})\), all messages \({M}\in \mathsf {MSet}\), we have \(\Pr [{\mathsf {Ver}}( pk ,{M},{\mathsf {Sign}}( sk ,{M}))=0] \le \gamma \).

Security. We define the \({\mathsf {UF\text {-}CMA}}\) (unforgeability against chosen-message attack), \({{\mathsf {UF\text {-}CMA}}_1}\) (unforgeability against one-per-message chosen-message attack), and \({\mathsf {UF\text {-}NMA}}\) (unforgeability against no-message attack) advantage functions of a quantum adversary \(\mathsf {A}\) against \({\mathsf {SIG}}\) as \(\mathrm {Adv}^{\mathsf {UF\text {-}CMA}}_{{\mathsf {SIG}}}(\mathsf {A}):=\Pr [{\mathsf {UF\text {-}CMA}}^\mathsf {A}\Rightarrow 1]\), \(\mathrm {Adv}^{{\mathsf {UF\text {-}CMA}}_1}_{{\mathsf {SIG}}}(\mathsf {A}):= \Pr [{{\mathsf {UF\text {-}CMA}}_1}^\mathsf {A}\Rightarrow 1]\), and \(\mathrm {Adv}^{\mathsf {UF\text {-}NMA}}_{{\mathsf {SIG}}}(\mathsf {A}):= \Pr [{\mathsf {UF\text {-}NMA}}^\mathsf {A}\Rightarrow 1]\), where the games \({\mathsf {UF\text {-}CMA}}\), \({{\mathsf {UF\text {-}CMA}}_1}\), and \({\mathsf {UF\text {-}NMA}}\) are given in Fig. 7. We also consider strong unforgeability where the adversary may return a forgery on a message previously queried to the signing oracle, but with a different signature. In the corresponding experiments \({\mathsf {sUF\text {-}CMA}}\) and \({{\mathsf {sUF\text {-}CMA}}_1}\), the set \(\mathcal {M}\) contains tuples \(({M}, \sigma )\) and for the winning condition it is checked that \(({M}^*,\sigma ^*) \not \in \mathcal {M}\).

Fig. 7.
figure 7

Games \({\mathsf {UF\text {-}CMA}}\), \({{\mathsf {UF\text {-}CMA}}_1}\), and \({\mathsf {UF\text {-}NMA}}\).

Any \({{\mathsf {UF\text {-}CMA}}_1}\) (\({{\mathsf {sUF\text {-}CMA}}_1}\)) secure signature scheme can be combined with a pseudo-random function \({\mathsf {PRF}}\) to obtain an \({\mathsf {UF\text {-}CMA}}\) (\({\mathsf {sUF\text {-}CMA}}\)) secure signature scheme by defining \({\mathsf {Sign}}'(( sk ,K),{M}):={\mathsf {Sign}}( sk ,{M}; {\mathsf {PRF}}_K({M}))\), where K is a secret \({\mathsf {PRF}}\) key which is part of the secret key. This construction is well known in the classical setting [10], and the same proof works in the quantum setting. Here \({\mathsf {PRF}}\) only has to provide security against quantum adversaries where the access to \({\mathsf {PRF}}\) is classical.

3 Fiat-Shamir in the Quantum Random-Oracle Model

3.1 Signatures from Identification Schemes

Let \({\mathsf {ID}}:=({\mathsf {IGen}},{\mathsf {P}},\mathsf {ChSet},{\mathsf {V}})\) be a canonical identification scheme, let \(\kappa _ m \) be a positive integer, and let \(\mathsf {H}:\{0,1\}^* \rightarrow \mathsf {ChSet}\) be a hash function. The following signature scheme \({\mathsf {SIG}}:=({\mathsf {Gen}}={\mathsf {IGen}},{\mathsf {Sign}}, {\mathsf {Ver}})\) is obtained by the Fiat-Shamir transformation with aborts \({\mathsf {FS}}[\mathsf {ID},\mathsf {H},\kappa _ m ]\) [26].

figure a

We make the convention that if \(\sigma = (W,Z) \) is not in \(\mathsf {WSet}\times \mathsf {ZSet}\), then \({\mathsf {Ver}}( pk ,{M},\sigma )\) returns 0 (reject). Clearly, if \(\mathsf {ID}\) has correctness error \(\delta \), then \({\mathsf {SIG}}\) has correctness error \(\gamma =\delta ^{\kappa _m}\).

Fiat-Shamir for Commitment-Recoverable Identification. For commitment-recoverable \(\mathsf {ID}\) (see Definition 2.4), we can define an alternative Fiat-Shamir transformation \({\mathsf {SIG}}'={\mathsf {FS}}'[{\mathsf {ID}},\mathsf {H},\kappa _ m ]:=({\mathsf {Gen}}={\mathsf {IGen}},{\mathsf {Sign}}',{\mathsf {Ver}}')\). Algorithm \({\mathsf {Sign}}'( sk ,{M})\) is defined as \({\mathsf {Sign}}( sk ,{M})\) with the modified output \(\sigma ' = (c,Z)\). Algorithm \({\mathsf {Ver}}'( pk ,{M},\sigma ')\) first parses \(\sigma '=(c,Z)\), then recomputes the commitment as \(W' := {\mathsf {Rec}}( pk ,c,Z)\), and finally returns 1 iff \(\mathsf {H}(W' \parallel {M})=c\).

figure b

Since \(\sigma =(W,Z)\) can be publicly transformed into \(\sigma '=(c,Z)\) and vice versa, \({\mathsf {SIG}}\) and \({\mathsf {SIG}}'\) are equivalent in terms of security. The alternative Fiat-Shamir transform yields shorter signatures if \(c\in \mathsf {ChSet}\) has a smaller representation size than the commitment \(W \in \mathsf {WSet}\).

Main Security Statement. The following is our main security statement for \({\mathsf {SIG}}:={\mathsf {FS}}[{\mathsf {ID}},\mathsf {H},\kappa _ m ]\) in the QROM.

Theorem 3.1

Assume the identification scheme \({\mathsf {ID}}\) is lossy, \(\varepsilon _{\mathsf {zk}}\)-perfect \(\mathsf {naHVZK}\), has \(\alpha \) bits of min entropy, and is \(\varepsilon _{\mathsf {ls}}\)-lossy sound. For any quantum adversary \(\mathsf {A}\) against \({{\mathsf {UF\text {-}CMA}}_1}\) (\({{\mathsf {sUF\text {-}CMA}}_1}\)) security that issues at most \(Q_{\mathsf {H}}\) queries to the quantum random oracle \(|{\mathsf {H}} \rangle \) and \(Q_S\) classical queries to the signing oracle \(\textsc {Sign}_1\), there exists a quantum adversary \(\mathsf {B}\) (and a quantum adversary \(\mathsf {C}\) against \({\mathsf {CUR}}\))such that

$$\begin{aligned} \mathrm {Adv}^{{{\mathsf {UF\text {-}CMA}}_1}}_{{\mathsf {SIG}}}(\mathsf {A})\le & {} \mathrm {Adv}^{\mathsf {LOSS}}_{{\mathsf {ID}}}(\mathsf {B})+8(Q_\mathsf {H}+1)^2 \cdot \varepsilon _{\mathsf {ls}}+\kappa _ m Q_S \cdot \varepsilon _{\mathsf {zk}}+2^{-\alpha +1} , \\ \mathrm {Adv}^{{{\mathsf {sUF\text {-}CMA}}_1}}_{{\mathsf {SIG}}}(\mathsf {A})\le & {} \mathrm {Adv}^{\mathsf {LOSS}}_{{\mathsf {ID}}}(\mathsf {B})+8(Q_\mathsf {H}+1)^2 \cdot \varepsilon _{\mathsf {ls}}+\kappa _ m Q_S \cdot \varepsilon _{\mathsf {zk}}+2^{-\alpha +1}\nonumber \\&+\mathrm {Adv}^{\mathsf {CUR}}_\mathsf {ID}(\mathsf {C}) , \end{aligned}$$

and \(\mathrm {Time}(\mathsf {B}) = \mathrm {Time}(\mathsf {C}) = \mathrm {Time}(\mathsf {A}) + \kappa _ m Q_\mathsf {H}\approx \mathrm {Time}(\mathsf {A})\).

Note that with this observation the bound of Theorem 3.1 is tight, i.e., the computational advantages appear with a constant factor (one). In the classical ROM setting, the only difference is that the bound depends linearly on \(Q_\mathsf {H}\), instead of quadratic.

Deterministic Fiat-Shamir. Let \({\mathsf {PRF}}\) be a pseudo-random function. Consider a deterministic variant \({\mathsf {DSIG}}:={\mathsf {DFS}}[{\mathsf {ID}},\mathsf {H},{\mathsf {PRF}},\kappa _ m ]=({\mathsf {Gen}}, {\mathsf {DSign}}, {\mathsf {Ver}})\) of \({\mathsf {FS}}\) where lines 04 and 06 of \({\mathsf {Sign}}\) is derandomized using the \({\mathsf {PRF}}\), where the random key K is part of the secret key.

figure c

As discussed at the end of Sect. 2.4, the \({\mathsf {UF\text {-}CMA}}\) (\({\mathsf {sUF\text {-}CMA}}\)) security of \({\mathsf {DSIG}}\) is implied by the \({{\mathsf {UF\text {-}CMA}}_1}\) (\({{\mathsf {sUF\text {-}CMA}}_1}\)) security of \({\mathsf {FS}}\). Concretely the advantages are upper bounded by the same terms as in Theorem 3.1 plus an additional term \(\mathrm {Adv}^{{\mathsf {PR}}}_{{\mathsf {PRF}}}(\mathsf {D})\) accounting for the quantum security of the \({\mathsf {PRF}}\).

3.2 Security Proof

The proof of Theorem 3.1 is modular. First, in Theorem 3.2 we prove that \({\mathsf {UF\text {-}NMA}}\) security plus \(\mathsf {naHVZK}\) implies \({{\mathsf {UF\text {-}CMA}}_1}\) security. Second, in Theorem 3.4 we prove that a lossy identification scheme is always \({\mathsf {UF\text {-}NMA}}\) secure.

Theorem 3.2

Assume the identification scheme \({\mathsf {ID}}\) is \(\varepsilon _{\mathsf {zk}}\)-perfect \(\mathsf {naHVZK}\) and has \(\alpha \) bits of min entropy. For any \({{\mathsf {UF\text {-}CMA}}_1}\) (\({{\mathsf {sUF\text {-}CMA}}_1}\)) quantum adversary \(\mathsf {A}\) that issues at most \(Q_{\mathsf {H}}\) queries to the quantum random oracle \(|{\mathsf {H}} \rangle \) and \(Q_S\) (classical) queries to the signing oracle \(\textsc {Sign}_1\), there exists a quantum adversary \(\mathsf {B}\) against \({\mathsf {UF\text {-}NMA}}\) security making \(Q_{\mathsf {H}}\) queries to its own quantum random oracle (and a quantum adversary \(\mathsf {C}\) against \({\mathsf {CUR}}\)) such that

$$\begin{aligned} \mathrm {Adv}^{{{\mathsf {UF\text {-}CMA}}_1}}_{{\mathsf {SIG}}}(\mathsf {A})\le & {} \mathrm {Adv}^{{\mathsf {UF\text {-}NMA}}}_{{\mathsf {SIG}}}(\mathsf {B})+2^{-\alpha +1}+\kappa _ m Q_S \cdot \varepsilon _{\mathsf {zk}}\\ \mathrm {Adv}^{{{\mathsf {sUF\text {-}CMA}}_1}}_{{\mathsf {SIG}}}(\mathsf {A})\le & {} \mathrm {Adv}^{{\mathsf {UF\text {-}NMA}}}_{{\mathsf {SIG}}}(\mathsf {B})+2^{-\alpha +1}+\mathrm {Adv}^{\mathsf {CUR}}_\mathsf {ID}(\mathsf {C})+\kappa _ m Q_S \cdot \varepsilon _{\mathsf {zk}}, \end{aligned}$$

and \(\mathrm {Time}(\mathsf {B}) = \mathrm {Time}(\mathsf {C})=\mathrm {Time}(\mathsf {A}) + \kappa _ m (Q_\mathsf {H}+Q_S) \approx \mathrm {Time}(\mathsf {A})\).


(of Theorem 3.2). We first prove standard unforgeability (\({{\mathsf {UF\text {-}CMA}}_1}\) security) and then show how the proof can be modified to obtain strong unforgeability (\({{\mathsf {sUF\text {-}CMA}}_1}\) security). Let \(\mathsf {A}\) be a quantum adversary against the \({{\mathsf {UF\text {-}CMA}}_1}\) security of \({\mathsf {SIG}}\), issuing at most \(Q_{\mathsf {H}}\) queries to \(|{\mathsf {H}} \rangle \) and at most \(Q_{S}\) queries to \(\textsc {Sign}_1\). Consider the games given in Fig. 8. Recall that \(\mathsf {A}\) has classical access to the signing oracle \(\textsc {Sign}_1\) and quantum access to the random oracle \(\mathsf {H}\). The quantum random oracle \(\mathsf {H}\) is called with \(|{W\parallel {M}} \rangle \) and returns \(|{\mathsf {H}(|{W\parallel {M}} \rangle )} \rangle \). The games in Fig. 8 describe the computation that is performed for any \(W\parallel {M}\) that has a non-zero amplitude in \(|{W\parallel {M}} \rangle \).

Fig. 8.
figure 8

Games \(G_0, G_1, G_2\) for the proof of Theorem 3.2. Here \(\mathsf {RF}\) and \(\mathsf {H}'\) are perfect random function that cannot be accessed by \(\mathsf {A}\). Deterministic algorithm \(\mathsf {GetTrans}({M})\) is only used internally and cannot be accessed by \(\mathsf {A}\).

Game \(G_0\). Note that game \(G_0\) is the original \({{\mathsf {UF\text {-}CMA}}_1}\) game. The signing oracle \(\textsc {Sign}_1\) produces a signature using internal deterministic algorithm \(\mathsf {GetTrans}\) which, in lines 10 and 12, derives the randomness of \({\mathsf {P}}_1\) and \({\mathsf {P}}_2\) using a perfect random function \(\mathsf {RF}\) that cannot be accessed by \(\mathsf {A}\). Since in the \({{\mathsf {UF\text {-}CMA}}_1}\) game only one single signing query is allowed per message,

$$ \Pr [G_0^{\mathsf {A}} \Rightarrow 1] = \mathrm {Adv}^{{{\mathsf {UF\text {-}CMA}}_1}}_{{\mathsf {SIG}}}(\mathsf {A}) . $$

Game \(G_1\). This game computes the signatures on \({M}\) using the \(\mathsf {naHVZK}\) simulation algorithm \(\mathsf {Sim}\) and patches the quantum random oracle \(\mathsf {H}\) accordingly.

Concretely, consider a classical query \(\textsc {Sign}_1({M})\) and let \(\kappa _{M}\) be the smallest integer \(1 \le \kappa \le \kappa _ m \) satisfying \((W,c,Z) := \mathsf {Sim}( pk ; \mathsf {RF}({M}\parallel \kappa ))\) and \(Z\ne \bot \). If no such integer exists, then we define \(\kappa _{M}:= \bot \). It deterministically computes

$$\begin{aligned} (W_{M},c_{M},Z_{M}) := \mathsf {GetTrans}({M})={\left\{ \begin{array}{ll} \mathsf {Sim}( pk ; \mathsf {RF}({M}\parallel \kappa _{M})) &{} 1 \le \kappa _{M}\le \kappa _ m \\ (\bot ,\bot ,\bot ) &{} \kappa _{M}= \bot \end{array}\right. } \end{aligned}$$

The signature on \({M}\) is returned as

$$ \sigma _{M}:=(W_{M}, Z_{M}). $$

By the \(\mathsf {naHVZK}\) property and the union bound, the distribution of each \(\sigma _{M}\) has statistical distance at most \(\kappa _ m \varepsilon _{\mathsf {zk}}\) from one computed in game \(G_0\). To ensure that \(\sigma _{M}\) is a valid signature on \({M}\), in line 20 the random oracle is patched such that \(\mathsf {H}(W_{M}\parallel {M})=c_{M}\) holds. Concretely, a query \(W\parallel {M}\) to quantum random oracle \(\mathsf {H}\) with non-zero amplitude is patched with \(\mathsf {H}(W\parallel {M}):=c_{M}\) iff \(W=W_{M}\), where \(c_{M}\) and \(W_{M}\) are computed by \(\mathsf {GetTrans}({M})\), see Eq. (4). Note that the output distribution of the random oracle \(\mathsf {H}\) in this game remains unchanged since \(c_{M}\) generated by the \(\mathsf {naHVZK}\) simulator \(\mathsf {Sim}\) is required to be uniformly distributed.

Overall, by a union bound we obtain

$$ |\Pr [G_1^{\mathsf {A}} \Rightarrow 1] -\Pr [G_0^{\mathsf {A}} \Rightarrow 1] | \le \kappa _ m Q_S \cdot \varepsilon _{\mathsf {zk}}. $$

Game \(G_2\). This game returns 0 in line 05 if \(c^* \ne \mathsf {H}'(W^* \parallel {M}^*)\). Games \(G_1\) and \(G_2\) can only differ if \(W_{{M}^*}= W^*\) and \({M}^* \not \in \mathcal {M}\). (In that case \(G_2\) returns 0 and \(G_1\) returns 1.) Since \({M}^* \not \in \mathcal {M}\), the random variable \(W_{{M}^*}\) was not yet revealed as part of an established signature and is completely hidden from the view of the adversary. It has \(\alpha \) bits of min-entropy, meaning we have \(\Pr [W_{{M}^*} = W^*] \le 2^{-\alpha }\). We obtain

$$ |\Pr [G_2^{\mathsf {A}} \Rightarrow 1] -\Pr [G_1^{\mathsf {A}} \Rightarrow 1] | \le 2^{-\alpha +1} . $$

Consider adversary \(\mathsf {B}\) against the \({\mathsf {UF\text {-}NMA}}\) game from Fig. 9 having quantum access to random oracle \(\mathsf {H}'\). It perfectly simulates \(\mathsf {A}\)’s view in game \(G_2\), using its own random oracle \(\mathsf {H}'\) to simulate \(\mathsf {H}'\) and perfectly simulating the random function \(\mathsf {RF}\) with a \(2\kappa _ m Q_\mathsf {H}\)-wise independent hash function. Assume \(\mathsf {A}\)’s forgery \(({M}^*,\sigma ^*)\) is valid in game \(G_2\), i.e., \({M}^* \not \in \mathcal {M}\) and \({\mathsf {V}}( pk , W^*,c^*,Z^*)=1 \), where \(c^* = \mathsf {H}(W^* \parallel {M}^*)\). If \(\mathsf {H}(W^* \parallel {M}^*) = \mathsf {H}'(W^* \parallel {M}^*)\), then \(({M}^*,\sigma ^*)\) is also a valid forgery in the \({\mathsf {UF\text {-}NMA}}\) game, i.e., \({\mathsf {V}}( pk , W^*,c^*,Z^*)=1\), where \(c^* = \mathsf {H}'(W^* \parallel {M}^*)\). Hence,

$$ \Pr [G_2^{\mathsf {A}} \Rightarrow 1] =\mathrm {Adv}^{{\mathsf {UF\text {-}NMA}}}_{{\mathsf {SIG}}}(\mathsf {B}) . $$
Fig. 9.
figure 9

Adversary \(\mathsf {B}\) against \({\mathsf {UF\text {-}NMA}}\) security of \({\mathsf {SIG}}\) with quantum access to random oracle \(\mathsf {H}'\). The oracles \(\textsc {Sign}_1\) and \(\mathsf {H}\) simulated by \(\mathsf {B}\) are defined as in game \(G_2\) of Fig. 8.

The proof of \({{\mathsf {UF\text {-}CMA}}_1}\) security follows by collecting the probabilities. The running time \(\mathrm {Time}(\mathsf {B})\) of adversary \(\mathsf {B}\) is given by the time \(\mathrm {Time}(\mathsf {A})\) to run \(\mathsf {A}\) as a blackbox in game \(G_2\) where in every of the \(Q_\mathsf {H}\) oracle- and \(Q_S\) signature-queries, at most \(O(\kappa _ m )\) computations need to be performed.

Strong unforgeability. For \({{\mathsf {sUF\text {-}CMA}}_1}\) security we consider exactly the same games with the difference that in all games the winning condition in line 06 is changed to \(\llbracket ({M}^*,\sigma ^*) \not \in \mathcal {M}\rrbracket \wedge {\mathsf {V}}( pk , W^*,c^*,Z^*) \) to account for strong unforgerability, where \(\mathcal {M}\) now records all tuples \(({M}, \sigma _{M})\) of previously established messages/signature pairs.

The difference between games \(G_1\) and \(G_2\) is that game \(G_2\) returns 0 in line 05 if \(c^* \ne \mathsf {H}'(W^* \parallel {M}^*)\), i.e., if \(\mathsf {H}(W^* \parallel {M}^*)\) was previously patched in line 20 with \(\mathsf {H}(W^* \parallel {M}^*):=c_{{M}^*}\). Games \(G_1\) and \(G_2\) can only differ if \(W_{{M}^*}= W^*\), \(({M}^*,\sigma ^*) \not \in \mathcal {M}\), and \( {\mathsf {V}}( pk , W^*,c^*,Z^*)=1\). (In that case \(G_2\) returns 0 and \(G_1\) returns 1.)

We distinguish two cases. If \(({M}^*,\cdot ) \not \in \mathcal {M}\) then we are in the situation that the adversary did not query a signature on \({M}^*\) and we can use the same argument as in standard unforgeability to argue \(|\Pr [G_2^{\mathsf {A}} \Rightarrow 1] -\Pr [G_1^{\mathsf {A}} \Rightarrow 1] | \le 2^{-\alpha +1}\). It leaves to handle the case \(({M}^*,\cdot ) \in \mathcal {M}\), i.e., the adversary obtained a signatures \(\sigma _{{M}^*} = (W_{{M}^*},Z_{{M}^*})\) on message \({M}^*\) and submits a correct forgery \(\sigma ^* = (W^*, Z^*)\) satisfying \(W^*=W_{{M}^*}\) and \(Z^* \ne Z_{{M}^*}\). The problem of finding values \((W^*, c^*, Z_{{M}^*},Z^*)\) with two accepting transcripts \((W^*, c^*, Z^*)\) and \((W^*, c^*, Z_{{M}^*})\) is exactly bounded by the advantage of an adversary \(\mathsf {C}\) against the \({\mathsf {CUR}}\) experiment, i.e., \(|\Pr [G_2^{\mathsf {A}} \Rightarrow 1] -\Pr [G_1^{\mathsf {A}} \Rightarrow 1] | \le \mathrm {Adv}^{\mathsf {CUR}}_\mathsf {ID}(\mathsf {C})\).

In combination this proves

$$ |\Pr [G_2^{\mathsf {A}} \Rightarrow 1] -\Pr [G_1^{\mathsf {A}} \Rightarrow 1] | \le 2^{-\alpha +1}+\mathrm {Adv}^{\mathsf {CUR}}_\mathsf {ID}(\mathsf {C}). $$

Finally, a straightforward modification of adversary \(\mathsf {B}\) against \({\mathsf {UF\text {-}NMA}}\) security to account for the strong unforgerability check proves

$$ \Pr [G_2^{\mathsf {A}} \Rightarrow 1] =\mathrm {Adv}^{{\mathsf {UF\text {-}NMA}}}_{{\mathsf {SIG}}}(\mathsf {B}) $$

and completes proof of \({{\mathsf {sUF\text {-}CMA}}_1}\) security.

The running times \(\mathrm {Time}(\mathsf {B})\) and \(\mathrm {Time}(\mathsf {C})\) can be derived as above.    \(\square \)

The following theorem shows that we can also prove directly \({\mathsf {UF\text {-}CMA}}\) security of \({\mathsf {SIG}}\), but (in terms of the running time) the reduction is less tight than the one of Theorem 3.2.

Theorem 3.3

Assume the identification scheme \({\mathsf {ID}}\) is \(\varepsilon _{\mathsf {zk}}\)-perfect \(\mathsf {naHVZK}\) and has \(\alpha \) bits of min entropy. For any \({\mathsf {UF\text {-}CMA}}\) (\({\mathsf {sUF\text {-}CMA}}\)) quantum adversary \(\mathsf {A}\) that issues at most \(Q_{\mathsf {H}}\) queries to the quantum random oracle \(|{\mathsf {H}} \rangle \) and \(Q_S\) classical queries to the signing oracle \(\textsc {Sign}\), there exists a quantum adversary \(\mathsf {B}\) against \({\mathsf {UF\text {-}NMA}}\) security making \(Q_{\mathsf {H}}\) queries to its own quantum random oracle (and a quantum adversary \(\mathsf {C}\) against \({\mathsf {CUR}}\)) such that

$$\begin{aligned} \mathrm {Adv}^{{\mathsf {UF\text {-}CMA}}}_{{\mathsf {SIG}}}(\mathsf {A})\le & {} \mathrm {Adv}^{{\mathsf {UF\text {-}NMA}}}_{{\mathsf {SIG}}}(\mathsf {B})+Q_S \cdot 2^{-\alpha +1}+\kappa _ m Q_S \cdot \varepsilon _{\mathsf {zk}},\\ \mathrm {Adv}^{{\mathsf {sUF\text {-}CMA}}}_{{\mathsf {SIG}}}(\mathsf {A})\le & {} \mathrm {Adv}^{{\mathsf {UF\text {-}NMA}}}_{{\mathsf {SIG}}}(\mathsf {B})+Q_S \cdot 2^{-\alpha +1}+\kappa _ m Q_S \cdot \varepsilon _{\mathsf {zk}}+\mathrm {Adv}^{\mathsf {CUR}}_\mathsf {ID}(\mathsf {C}) , \end{aligned}$$

and \(\mathrm {Time}(\mathsf {B}) = \mathrm {Time}(\mathsf {C})=\mathrm {Time}(\mathsf {A}) + \kappa _ m Q_\mathsf {H}Q_S\).

The proof of Theorem 3.3 is similar to the one of Theorem 3.2 and appears in the full version.

Theorem 3.4

Assume the identification scheme is lossy and \(\varepsilon _{\mathsf {ls}}\)-lossy sound. For any \({\mathsf {UF\text {-}NMA}}\) quantum adversary \(\mathsf {A}\) that issues at most \(Q_{\mathsf {H}}\) queries to the quantum random oracle \(|{\mathsf {H}} \rangle \), there exists a quantum adversary \(\mathsf {B}\) against \(\mathsf {LOSS}\) such that

$$ \mathrm {Adv}^{{\mathsf {UF\text {-}NMA}}}_{{\mathsf {SIG}}}(\mathsf {A}) \le \mathrm {Adv}^{\mathsf {LOSS}}_{{\mathsf {ID}}}(\mathsf {B})+8(Q_\mathsf {H}+1)^2 \cdot \varepsilon _{\mathsf {ls}}, $$

and \(\mathrm {Time}(\mathsf {B}) = \mathrm {Time}(\mathsf {A}) + Q_\mathsf {H}\approx \mathrm {Time}(\mathsf {A})\).


Let \(\mathsf {A}\) be an adversary against the \({\mathsf {UF\text {-}NMA}}\) security of \({\mathsf {SIG}}\), issuing at most \(Q_{\mathsf {H}}\) quantum queries to \(|{\mathsf {H}} \rangle \). Consider the games given in Fig. 10.

Fig. 10.
figure 10

Games \(G_0\)-\(G_1\) for the proof of Theorem 3.4.

Game \(G_0\). Since game \(G_0\) is the original \({\mathsf {UF\text {-}NMA}}\) game,

$$ \Pr [G_0^{\mathsf {A}} \Rightarrow 1] = \mathrm {Adv}^{{\mathsf {UF\text {-}NMA}}}_{{\mathsf {SIG}}}(\mathsf {A}) . $$

Game \(G_1\). In this game, the public key \( pk \) is changed to lossy mode. Clearly, there exists an adversary \(\mathsf {B}\) simulating \(\mathsf {H}\) by a \(2Q_\mathsf {H}\)-wise independent hash function such that

$$ |\Pr [G_1^{\mathsf {A}} \Rightarrow 1] -\Pr [G_0^{\mathsf {A}} \Rightarrow 1] | \le \mathrm {Adv}^{\mathsf {LOSS}}_{{\mathsf {ID}}}(\mathsf {B}) . $$
Fig. 11.
figure 11

Adversary \(\mathsf {C}=(\mathsf {C}_1, \mathsf {C}_2)\) in game \(\mathsf {GSPB}\) for the proof of Theorem 3.4. The set of good challenges \(\mathsf {ChGOOD}_{ pk }(W)\) is defined in Eq. (6).

Finally, we will reduce a successful \(\mathsf {A}\) in game \(G_1\) to the generic search problem \(\mathsf {GSPB}\) to show

$$\begin{aligned} \Pr [G_1^{\mathsf {A}} \Rightarrow 1] \le 8(Q_\mathsf {H}+1)^2 \varepsilon _{\mathsf {ls}}. \end{aligned}$$

For a finite set S, let \(\mathsf {Uni}(S)\) be a probabilistic algorithm that returns uniform \(x \leftarrow S\) and recall that \(x := \mathsf {Uni}(S; r)\) denotes the deterministic execution of \(\mathsf {Uni}(S)\) using explicitly given random tape r. To prove Eq. (5), consider the unbounded adversary \(\mathsf {C}=(\mathsf {C}_1, \mathsf {C}_2)\) defined in Fig. 11 that is executed in the generic search game \(\mathsf {GSPB}\), making at most \(Q_\mathsf {H}\) quantum queries to the oracle \(|{g(\cdot )} \rangle \). First note that computing the probabilities \(\lambda _{ pk }(W\parallel {M})=\lambda _{ pk }(W)\) in line 05 for all \(W\in \mathsf {WSet}\) and \({M}\in \mathsf {MSet}\) may take exponential time but since \(\mathsf {C}\) is computationally unbounded it does not matter.

To analyze \(\mathsf {C}\)’s success probability in game \(\mathsf {GSPB}\), we first fix a public-key \( pk \). Now consider some \(W\parallel {M}\) with non-zero amplitude as part of a query to quantum random oracle \(\mathsf {H}\). Set \(\mathsf {ChGOOD}_{ pk }(W)\) of “good challenges” is defined as

$$\begin{aligned} \mathsf {ChGOOD}_{ pk }(W):=\{c\in \mathsf {ChSet}\mid \exists Z\in \mathsf {ZSet}: {\mathsf {V}}( pk ,W,c,Z)=1 \}. \end{aligned}$$

That is, the set \(\mathsf {ChGOOD}_{ pk }(W)\) contains all challenges \(c\) for which there exists a possible response \(Z\) to make \((W, c, Z)\) a valid transcript (with respect to \( pk \)). By definition of \(\mathsf {GSPB}\), each query to oracle \(g(W\parallel {M})\) returns \(y=1\) with probability \(\lambda _{ pk }(W\parallel {M}) = |\mathsf {ChGOOD}_{ pk }(W)| / |\mathsf {ChSet}|\). Hence, the output distribution of \(\mathsf {H}(W\parallel {M})\) sampled in lines 14 and 15 is uniform over \(\mathsf {ChSet}\), as in game \(G_1\). Consistency of \(\mathsf {H}\) is assured by deriving the randomness to sample c in case \(y=0\) (lines 14 and 15) using fixed random coins \(f_{2Q_\mathsf {H}}(W\parallel {M})\), derived by a \(2Q_\mathsf {H}\)-wise independent hash function \(f_{2Q_\mathsf {H}}\) (which looks like a perfectly random function to \(\mathsf {A}\)).

Now consider \(\mathsf {A}\)’s forgery \(\sigma ^* = (W^*, Z^*)\) on message \({M}^*\) and define \(c^* := \mathsf {H}(W^* \parallel {M}^*)\). If the signature is valid (i.e., \({\mathsf {V}}( pk , W^*,c^*,Z^*)=1\)), then clearly \(c^*\) is a good challenge from set \(\mathsf {ChGOOD}_{ pk }( W^*)\) which implies \(g(W^* \parallel {M}^*)=1\). This proves

$$\begin{aligned} \Pr [G_1 \Rightarrow 1 \mid pk ] = \Pr [\mathsf {GSPB}_{\lambda _ pk }^\mathsf {C}\Rightarrow 1 \mid pk ] \le 8 (Q_\mathsf {H}+1)^2 \lambda _{ pk } , \end{aligned}$$


$$ \lambda _{ pk } = \max _{W\in \mathsf {WSet}, {M}\in \mathsf {MSet}} \lambda _{ pk }(W\parallel {M}) $$

Averaging Eq. (7) over \( pk \leftarrow {\mathsf {LossyIGen}}\) we finally obtain

$$ \Pr [G_1 \Rightarrow 1 ] \le 8(Q_\mathsf {H}+1)^2 \cdot \mathbf {E}_{ pk }[\lambda _{ pk }] \le 8(Q_\mathsf {H}+1)^2 \varepsilon _{\mathsf {ls}}, $$

where the last inequality uses Eq. (3) for the optimal adversary.    \(\square \)

4 Dilithium-QROM

In this section, we present a modification of the \(\mathsf {Dilithium}\) digital signature scheme [16] whose security is based on MLWE in the QROM. We also present a new security proof of the original \(\mathsf {Dilithium}\) that shows it to be tightly-secure in the QROM based on a different non-interactive assumption. Since \(\mathsf {Dilithium}\) is a highly-optimized version of a scheme constructed via the “Fiat-Shamir with Aborts” framework [26], its details may be somewhat overwhelming to readers who are not already comfortable with such constructions. For this reason, we present a much simpler version of the signature scheme without any optimizations in the full version of this paper.

4.1 Preliminaries

Rings and Distributions. We let R and \(R_q\) respectively denote the rings \(\mathbb {Z}[X]/(X^{n}+1)\) and \(\mathbb {Z}_q[X]/(X^{n}+1)\), for an integer q. We will assume that \(q\equiv 5(\bmod \,8)\), as such a choice of q ensures that all polynomials in \(R_q\) with coefficients less than \(\sqrt{q/2}\) have an inverse in the ring [29, Lemma 2.2]. This property is crucial to our security proof. Regular font letters denote elements in R or \(R_q\) (which includes elements in \(\mathbb {Z}\) and \(\mathbb {Z}_q\)) and bold lower-case letters represent column vectors with coefficients in R or \(R_q\). By default, all vectors will be column vectors. Bold upper-case letters are matrices.

Modular reductions. For an even (resp. odd) positive integer \(\alpha \), we define \(r'=r\text { mod}^\pm \, \alpha \) to be the unique element \(r'\) in the range \(-\frac{\alpha }{2}<r'\le \frac{\alpha }{2}\) (resp. \(-\frac{\alpha -1}{2}\le r'\le \frac{\alpha -1}{2}\)) such that \(r'=r\bmod \alpha \). We will sometimes refer to this as a centered reduction modulo q. For any positive integer \(\alpha \), we define \(r'=r\text { mod}^+ \alpha \) to be the unique element \(r'\) in the range \(0\le r'<\alpha \) such that \(r'=r\bmod \alpha \). When the exact representation is not important, we simply write \(r\bmod \alpha \).

Sizes of elements. For an element \(w\in \mathbb {Z}_q\), we write \(\Vert w\Vert _\infty \) to mean \(|w\text { mod}^\pm \, q|\). We now define the \(\ell _\infty \) and \(\ell _2\) norms for \(w=w_0+w_1X+\ldots +w_{n-1}X^{n-1}\in R\):

$$ \Vert w\Vert _\infty =\max _{i}{\Vert w_i\Vert _\infty },\,\,\,\, \Vert w\Vert =\sqrt{\Vert w_0\Vert _\infty ^2+\ldots +\Vert w_{n-1}\Vert _\infty ^2}. $$

Similarly, for \(\mathbf{w}=(w_1,\ldots ,w_k)\in R^k\), we define

$$ \Vert \mathbf{w}\Vert _\infty =\max _{i}{\Vert w_i\Vert _\infty },\,\,\,\, \Vert \mathbf{w}\Vert =\sqrt{\Vert w_1\Vert ^2+\ldots +\Vert w_k\Vert ^2}. $$

We will write \(S_\eta \) to denote all elements \(w \in R\) such that \(\Vert w\Vert _\infty \le \eta \).

Extendable output function. Suppose that \(\mathsf {Sam}\) is an extendable output function, that is a function on bit strings in which the output can be extended to any desired length. If we would like \(\mathsf {Sam}\) to take as input x and then produce a value y that is distributed according to distribution S (or uniformly over a set S), we write \(y \sim S:=\mathsf {Sam}(x)\). It is important to note that this procedure is completely deterministic: a given x will always produce the same y. For simplicity we assume that the output distribution of \(\mathsf {Sam}\) is perfect, whereas in practice \(\mathsf {Sam}\) will be implemented using random oracles and produce an output that is statistically close to the perfect distribution. If K is a secret key, then \(\mathsf {Sam}(K \Vert x)\) is a pseudo-random function from \(\{0,1\}^* \rightarrow \{0,1\}^*\).

The Challenge Space. The challenge space in our identification and signature schemes needs to be a subset of the ring R, have size a little larger than \(2^{256}\), and consist of polynomials with small norms. In this paper, the dimension n of the ring R will be taken to be 512,Footnote 3 and so we will define the challenge space accordingly as

$$\begin{aligned} \mathsf {ChSet}:=\{c \in R \,|\, \Vert c\Vert _\infty =1\text { and } \Vert c\Vert =\sqrt{46}\}. \end{aligned}$$

In other words, \(\mathsf {ChSet}\) consists of elements in R with \(-1/0/1\) coefficients that have exactly 46 non-zero coefficients. The size of this set is \({n \atopwithdelims ()46}\cdot 2^{46}\), which for \(n=512\) is greater than \(2^{265}\).

The \(\mathsf {MLWE}\) Assumption. For integers mk, and a probability distribution \(D: R_q\rightarrow [0,1]\), we say that the advantage of algorithm \(\mathsf {A}\) in solving the decisional \(\mathsf {MLWE}_{m,k,D}\) problem over the ring \(R_q\) is

$$\begin{aligned} \mathrm {Adv}^{\mathsf {MLWE}}_{m,k,D}&:=\left| \Pr [\mathsf {A}(\mathbf{A},\mathbf{t})\Rightarrow 1 \, |\, \mathbf{A}\leftarrow R_q^{m\times k}; \mathbf{t}\leftarrow R_q^m]\right. \\&\quad \,- \, \left. \Pr [\mathsf {A}(\mathbf{A},\mathbf{A}\mathbf{s}_1+\mathbf{s}_2)\Rightarrow 1\, |\, \mathbf{A}\leftarrow R_q^{m\times k}; \mathbf{s}_1\leftarrow D^k; \mathbf{s}_2\leftarrow D^m]\right| . \end{aligned}$$

The MLWE assumption states that the above advantage is negligible for all polynomial-time algorithms \(\mathsf {A}\). This assumption was introduced in [25], and is generalization of the \(\mathsf{LWE}\) assumption from [35]. The \(\mathsf {Ring\text {-}LWE}\) assumption [30] is a special case of \(\mathsf {MLWE}\) where \(k=1\). Analogously to \(\mathsf{LWE}\) and \(\mathsf {Ring\text {-}LWE}\), it was shown in [25] that solving the \(\mathsf {MLWE}\) problem for certain parameters is as hard as solving certain worst-case problems in certain algebraic lattices.

Summary of Supporting Algorithms. To reduce the size of the public key, we will need some simple algorithms that extract “higher-order” and “lower-order” bits of elements in \(\mathbb {Z}_q\). The goal is that when given an arbitrary element \(r\in \mathbb {Z}_q\) and another small element \(z\in \mathbb {Z}_q\), we would like to be able to recover the higher order bits of \(r+z\) without needing to store z. We therefore define algorithms that take rz and produce a 1-bit hint h that allows one to compute the higher order bits of \(r+z\) just using r and h. This hint is essentially the “carry” caused by z in the addition. The algorithms are exactly as in [16], and we repeat them for convenience in Fig. 12. The algorithms are described as working on integers modulo q, but are extended to polynomials in \(R_q\) by simply being applied individually to each coefficient.

Fig. 12.
figure 12

Supporting algorithms for \(\mathsf {Dilithium}\) and \(\mathsf {Dilithium\text {-}QROM}\).

The below Lemmas recall the crucial properties of these supporting algorithms that are necessary for the correctness and security of our scheme.

Lemma 4.1

Suppose that q and \(\alpha \) are positive integers satisfying \(q>2\alpha \), \(q\equiv 1 \pmod {\alpha }\) and \(\alpha \) even. Let \(\mathbf{r}\) and \(\mathbf{z}\) be vectors of elements in \(R_q\) where \(\Vert \mathbf{z}\Vert _\infty \le \alpha /2\), and let \(\mathbf{h}, \mathbf{h}'\) be vectors of bits. Then the \(\mathsf {HighBits}_q\), \(\mathsf {MakeHint}_q\), and \(\mathsf {UseHint}_q\) algorithms satisfy the following properties:

  1. 1.

    \(\mathsf {UseHint}_q(\mathsf {MakeHint}_q(\mathbf{z},\mathbf{r},\alpha ),\mathbf{r},\alpha )=\mathsf {HighBits}_q(\mathbf{r}+\mathbf{z},\alpha )\).

  2. 2.

    Let \(\mathbf{v}_1=\mathsf {UseHint}_q(\mathbf{h},\mathbf{r},\alpha )\). Then \(\Vert \mathbf{r}-\mathbf{v}_1\cdot \alpha \Vert _\infty \le \alpha +1\).

  3. 3.

    For any \(\mathbf{h},\mathbf{h}'\), if \(\mathsf {UseHint}_q(\mathbf{h},\mathbf{r},\alpha )=\mathsf {UseHint}_q(\mathbf{h}',\mathbf{r},\alpha )\), then \(\mathbf{h}=\mathbf{h}'\).

Lemma 4.2

If \(\Vert \mathbf{s}\Vert _\infty \le \beta \) and \(\Vert \mathsf {LowBits}_q(\mathbf{r},\alpha )\Vert _\infty <\alpha /2-\beta \), then

$$ \mathsf {HighBits}_q(\mathbf{r},\alpha )=\mathsf {HighBits}_q(\mathbf{r}+\mathbf{s},\alpha ). $$
Fig. 13.
figure 13

Our \(\mathsf {ID}\) scheme – a concrete instantiation based on the hardness of the \(\mathsf {MLWE}\) problem of the commitment-recoverable (Definition 2.4) canonical identification scheme in Fig. 4. The \(\mathbf{t}_0\) part of the public key is assumed to be known by the adversary in the security proofs, but is not needed by the verifier for verification. Thus in the real scheme, \(\mathbf{t}_0\) would not be included as part of the public key.

4.2 The Identification Protocol

The constituting algorithms of our identification protocol \(\mathsf {ID}=({\mathsf {IGen}},{\mathsf {P}}_1,{\mathsf {P}}_2, {\mathsf {V}})\) are described in Fig. 13 with the concrete parameters \(\mathsf {par}= (q,n,k,\ell ,d,\gamma ,\)\(\gamma ',\eta ,\beta )\) given later in Table 1.

Key Generation. The key generation proceeds by choosing a random 256-bit seed \(\rho \) and expanding into a matrix \(\mathbf{A}\in R_q^{k\times \ell }\) by an extendable output function \(\mathsf {Sam}\) modeled as a random oracle. The secret keys \((\mathbf{s}_1,\mathbf{s}_2)\in S_\eta ^\ell \times S_\eta ^k\) have uniformly random coefficients between \(-\eta \) and \(\eta \) (inclusively). The value \(\mathbf{t}=\mathbf{A}\mathbf{s}_1+\mathbf{s}_2\) is then computed. The public key that is needed for verification is \((\rho ,\mathbf{t}_1)\) with \(\mathbf{t}_1\) output by the \(\mathsf {Power2Round}_q(\mathbf{t},d)\) algorithm in Fig. 12 (we have \(\mathbf{t}=\mathbf{t}_1\cdot 2^d +\mathbf{t}_0\) for some small \(\mathbf{t}_0\)), while the secret key is \((\rho , \mathbf{s}_1,\mathbf{s}_2,\mathbf{t}_0)\).

While the verifier never needs the value \(\mathbf{t}_0\) (and thus it does not need to be included in the public key of the actual scheme), we do need this value in order to simulate transcripts (see Sect. 4.3). Thus the security of our scheme is based on the fact that the adversary gets \(\mathbf{t}_1\) and \(\mathbf{t}_0\), whereas in reality he only gets \(\mathbf{t}_1\).

The set \(\mathsf {ChSet}\) is defined as in Eq. (8), and \(\mathsf {ZSet}= S^\ell _{\gamma '-\beta -1}\times \{0,1\}^k\). The set of commitments \(\mathsf {WSet}\) is defined as \(\mathsf {WSet}=\{\mathbf{w}_1~:~\exists \mathbf{y}\in S_{\gamma '-1}^\ell \text { s.t. }\mathbf{w}_1=\mathsf {HighBits}_q(\mathbf{A}\mathbf{y},2\gamma )\}.\)

Protocol Execution. The prover starts the identification protocol by reconstructing \(\mathbf{A}\) from the random seed \(\rho \). The next step has the prover sample \(\mathbf{y}\leftarrow S_{\gamma '-1}^\ell \) and then compute \(\mathbf{w}=\mathbf{A}\mathbf{y}\). He then writes \(\mathbf{w}=2\gamma \cdot \mathbf{w}_1+\mathbf{w}_0\), with \(\mathbf{w}_0\) between \(-\gamma \) and \(\gamma \) (inclusively), and then sends \(\mathbf{w}_1\) to the verifier. The verifier generates a random challenge \(c\leftarrow \mathsf {ChSet}\) and sends it to the prover. The prover computes \(\mathbf{z}=\mathbf{y}+c\mathbf{s}\). If \(\mathbf{z}\notin S_{\gamma '-\beta -1}^\ell \), then the prover sets his response to \(\bot \). He also replies with \(\bot \) if \(\mathsf {LowBits}_q(\mathbf{w}-c\mathbf{s}_2,2\gamma )\notin S_{\gamma -\beta -1}^k\). This part of the protocol is necessary for security – it makes sure that \(\mathbf{z}\) does not leak anything about the secret key \(\mathbf{s}_1,\mathbf{s}_2\).

If the checks pass and a \(\bot \) is not sent, then it can be shown (see Sect. 4.3) that \(\mathsf {HighBits}_q(\mathbf{A}\mathbf{z}-c\mathbf{t},2\gamma )=\mathbf{w}_1\). At this point, if the verifier knew the entire element \(\mathbf{t}\) and \((\mathbf{z}, c)\), he could have recovered \(\mathbf{w}_1\) and checked that \(\Vert \mathbf{z}\Vert _\infty <\gamma '-\beta \) and that the high-order bits of \(\mathbf{A}\mathbf{z}-c\mathbf{t}\) are indeed \(\mathbf{w}_1\). However, since we want to compress the size of the public key, the verifier only knows \(\mathbf{t}_1\). Hence, the signer needs to provide a “hint” \(\mathbf{h}\) which will allow the verifier to compute \(\mathsf {HighBits}_q(\mathbf{A}\mathbf{z}-c\mathbf{t},2\gamma )\).

The verifier checks whether \(\Vert \mathbf{z}\Vert _\infty < \gamma '-\beta \) and that \(\mathbf{A}\mathbf{z}-c\mathbf{t}_1\cdot 2^d\) together with the hint \(\mathbf{h}\) allow him to reconstruct \(\mathbf{w}_1\). We should point out that in the identification scheme it is actually not necessary for the verifier to be able to recover exactly \(\mathbf{w}_1\). He could have simply checked that \(\mathbf{A}\mathbf{z}-c\mathbf{t}_1\cdot 2^d \approx \mathbf{w}_1\) and this would be good enough for security. The reason that we want the verifier to be able to exactly recover \(\mathbf{w}_1\) is to make the ID scheme commitment-recoverable and be able to reduce the communication size in the Fiat-Shamir transform (see Sect. 3.1).

4.3 Security Properties

In this section we analyze the security of \(\mathsf {ID}\). Most of the proofs are postponed to the full version.

Non Abort Honest Verifier Zero-Knowledge. In this section, we will show that \(\mathsf {ID}\) is perfectly \(\mathsf {naHVZK}\), i.e., the distribution of the output of the \(\mathsf {Trans}\) algorithm (Fig. 14, left) that uses the secret key as input is exactly that of the \(\mathsf {Sim}\) algorithm (Fig. 14, right) that uses only the public key as input.

Fig. 14.
figure 14

Left: a real transcript output by the transcript algorithm \(\mathsf {Trans}( sk )\); Right: a simulated transcript output by the \(\mathsf {Sim}( pk )\) algorithm.

Lemma 4.3

If \(\beta \ge \max _{s\in S_{\eta },c\in \mathsf {ChSet}}\Vert cs\Vert _\infty \), then \(\mathsf {ID}\) is perfectly \(\mathsf {naHVZK}\).

Correctness. In this section, we compute the probability that the Prover does not send \(\bot \) and then show that the verification procedure will always accept a transcript when the Prover does not send \(\bot \).

Lemma 4.4

If \(\beta \ge \max _{s\in S_{\eta },c\in \mathsf {ChSet}}\Vert cs\Vert _\infty \) then \(\mathsf {ID}\) has correctness error \(\delta \approx 1-\exp {(-\beta n\cdot (k/\gamma +\ell /\gamma '))}\).

Lossyness. In this section, we analyze the scheme in which the public key is generated uniformly at random, as in algorithm \({\mathsf {LossyIGen}}\) of Fig. 15, rather than as in \({\mathsf {IGen}}\) of Fig. 13. Our goal is to show that even if the prover is computationally unbounded, he only has approximately a \(1/|\mathsf {ChSet}|\) probability of making the verifier accept during each run of the identification scheme. This will show that the probability in Eq. (3) is upper-bounded by approximately \(1/|\mathsf {ChSet}|\).

Fig. 15.
figure 15

The lossy instance generator \({\mathsf {LossyIGen}}\).

By observing that the output of \({\mathsf {LossyIGen}}\) is uniformly random over \(R_q^{k\times \ell }\times R_q^k\) and the output of \({\mathsf {IGen}}\) in Fig. 13 is \((\mathbf{A},\mathbf{A}\mathbf{s}_1+\mathbf{s}_2)\) where \(\mathbf{A}\leftarrow R_q^{k\times \ell }\) and \((\mathbf{s}_1,\mathbf{s}_2)\leftarrow S_\eta ^\ell \times S_\eta ^k\), we have that

$$ \mathrm {Adv}^{\mathsf {LOSS}}_{\mathsf {ID}}(\mathsf {A}) = \mathrm {Adv}^{\mathsf {MLWE}}_{{k,\ell ,D}}(\mathsf {A}), $$

where D is the uniform distribution over \(S_\eta \).

Lemma 4.5

If \(4\gamma +2,\, 2\gamma '<\sqrt{q/2}\) and \(\gamma '<\gamma \beta \), and \(\ell \le k\), then \(\mathsf {ID}\) has \(\varepsilon _{\mathsf {ls}}\)-lossy soundness for

$$ \varepsilon _{\mathsf {ls}}\le \frac{1}{|\mathsf {ChSet}|}+2\cdot |\mathsf {ChSet}|^2\cdot \left( \frac{32\gamma \gamma '}{q}\right) ^{nk}. $$

Our proof follows the framework from [3, 22]. Then to prove Lemma 4.5, we show that if \(\mathsf {C}\), who outputs the first message \((\mathbf{w}_1, St )\) in the \(\mathsf {LOSSY\text {-}IMP}\) game (see Fig. 16) is able to correctly respond to more than one random challenge c, then the previously mentioned linear equation will have a solution, which with high probability is not possible. Therefore we conclude that for virtually all \(\mathbf{A},\mathbf{t}\) output by \({\mathsf {LossyIGen}}\), there exists (at most) only one challenge for which the prover can respond to, and therefore his success probability is at most \(1/|\mathsf {ChSet}|\).

Min Entropy. In Lemma 4.6 we will prove that the \(\mathbf{w}_1\) sent by the honest prover in the first step is extremely likely to be distinct for every run of the protocol.

Fig. 16.
figure 16

The lossy impersonation game \(\mathsf {LOSSY\text {-}IMP}\) in case of Dilithium.

Lemma 4.6

If \(2\gamma ,\,2\gamma '<\sqrt{q/2}\) and \(\ell \le k\), then the identification scheme \(\mathsf {ID}\) in Fig. 13 has

$$ \alpha >n\ell \cdot \log \left( \min \left\{ \frac{q}{(4\gamma +1)(4\gamma '+1)},2\gamma '-1\right\} \right) $$

bits of min-entropy (as in Definition 2.6).

Computational Unique Response. In this section we state that our scheme satisfies the Computational Unique Response (\({\mathsf {CUR}}\)) property required for strong-unforgeability of the signature scheme.

Lemma 4.7

If \(4\gamma +2,\, 2\gamma '<\sqrt{q/2}\) and \(\gamma '<\gamma \beta \), and \(\ell \le k\) (i.e. the same conditions as in Lemma 4.5), then \(\mathrm {Adv}^{\mathsf {CUR}}_\mathsf {ID}(\mathsf {A}) < \left( \frac{32\gamma \gamma '}{q}\right) ^{nk}\) for every (even unbounded) adversary \(\mathsf {A}\).

4.4 The \(\mathsf {Dilithium\text {-}QROM}\) Signature Scheme and Concrete Parameters

In this section, we describe the signature scheme \(\mathsf {Dilithium\text {-}QROM}\) (Fig. 17) which is obtained via the Fiat-Shamir transform from the scheme \(\mathsf {ID}\) of Fig. 13 and using \(\mathsf {Sam}(K \parallel \cdot )\) as a pseudorandom function. We then instantiate it with concrete parameters (Table 1) and compare them for the same security level with those in [16].

Fig. 17.
figure 17

Our signature scheme \(\mathsf {Dilithium\text {-}QROM}:={\mathsf {DFS}}[\mathsf {ID}]\). The key generation algorithm is \({\mathsf {IGen}}\) from Fig. 13, where the secret key also contains a random key K for the pseudorandom function \(\mathsf {Sam}(K \parallel \cdot )\). The bound \(200/(1-\delta )\) on \(\kappa \) can be ignored as there is only a \(\delta ^{200/(1-\delta )} < \exp (-200)\) chance that it will be reached in any call to the signing procedure. Its presence is for consistency with the generic signing algorithm in Sect. 3.1.

The parameters for our scheme are dictated by the requirements for the scheme to be strongly-unforgeable in Theorem 3.1 which gives an upper bound on \(\mathrm {Adv}^{{\mathsf {sUF\text {-}CMA}}}_{\mathsf {Dilithium\text {-}QROM}}(\mathsf {A})\). Following [24], for “\(\kappa \) bits of quantum security” for \(\mathsf {Dilithium\text {-}QROM}\) we require that for all quantum adversaries \(\mathsf {A}\) running in time at most \(2^\kappa \),

$$\begin{aligned} \mathrm {Adv}^{{\mathsf {UF\text {-}CMA}}}_{\mathsf {Dilithium\text {-}QROM}}(\mathsf {A}) / \mathrm {Time}(\mathsf {A}) \le 2^{-\kappa }. \end{aligned}$$

To this end, we need to put bounds on the parameters \(\varepsilon _{\mathsf {ls}},\varepsilon _{\mathsf {zk}},\) and \(\alpha \). Lemma 4.3 tells us that

$$ \varepsilon _{\mathsf {zk}}=0. $$

To lower-bound \(\alpha \), note that in the parameters, we always have \(2\gamma =2\gamma '<\sqrt{q/2}\), and using a lemma in the full version of the paper, we can conclude that \(\alpha \) is greater than 2900. Thus the \(2^{-\alpha }\) term has absolutely no practical effect in Theorem 3.1 for the parameters in Sect. 4.4.

Lemma 4.7 states that as long as \(4\gamma + 2\) and \(2\gamma ' < \sqrt{q/2}\), we will have \(\mathrm {Adv}^{\mathsf {CUR}}_\mathsf {ID}(\mathsf {C})<\left( \frac{32\gamma \gamma '}{q}\right) ^{nk}\). The parameters in Table 1 indeed satisfy the preconditions, and so \(\mathrm {Adv}^{\mathsf {CUR}}_\mathsf {ID}(\mathsf {C})<\left( \frac{32\gamma \gamma '}{q}\right) ^{nk}< 2^{-865}.\)

We finally turn to bounding \(\varepsilon _{\mathsf {ls}}\). Notice that Lemma 4.5 directly implies that

$$ \varepsilon _{\mathsf {ls}}\le \frac{1}{|\mathsf {ChSet}|}+2\cdot |\mathsf {ChSet}|^2\cdot \left( \frac{32\gamma \gamma '}{q}\right) ^{nk}. $$

The size of the challenge set \(\mathsf {ChSet}\) defined in Eq. (8) is larger than \(2^{265}\), and so the above is at most

$$ \varepsilon _{\mathsf {ls}}\le 2^{-265}+2^{-334} \le 2^{-264}. $$

Plugging everything into the equation at the end of Sect. 3.1, we obtain

$$\begin{aligned} \mathrm {Adv}^{{\mathsf {UF\text {-}CMA}}}_{\mathsf {Dilithium\text {-}QROM}}(\mathsf {A}) \le \mathrm {Adv}^{\mathsf {LOSS}}_{\mathsf {ID}}(\mathsf {B})&+ \,\mathrm {Adv}^{\mathsf {CUR}}_\mathsf {ID}(\mathsf {C})+8\cdot (Q_\mathsf {H}+1)^2 \cdot \varepsilon _{\mathsf {ls}}\\&+ \, \mathrm {Adv}^{{\mathsf {PR}}}_{\mathsf {Sam}}(\mathsf {D})+\frac{200}{(1-\delta )}\cdot Q_S \cdot \varepsilon _{\mathsf {zk}}+2^{-\alpha } \\ < \mathrm {Adv}^{\mathsf {MLWE}}_{{\mathsf {ID}}}(\mathsf {B})&+ \, Q_\mathsf {H}^2\cdot 2^{-261} + \mathrm {Adv}^{{\mathsf {PR}}}_{\mathsf {Sam}}(\mathsf {D}). \end{aligned}$$
Table 1. Parameters for \(\mathsf {Dilithium\text {-}QROM}\) and \(\mathsf {Dilithium}\). The security analysis for the \(\mathsf {MLWE}\) and \(\mathsf {MSIS}\) problems is as described in [16].

Table 1 also shows that the parameters of the \(\mathsf {MLWE}\) problem are chosen such that it provides 128 bits of quantum security (using the same metric as was used in the original Dilithium scheme [16].) Assuming \(\mathsf {Sam}\) provides 128 bits security when used as a pseudorandom function, we conclude that for all quantum adversaries running in time at most \(2^{128}\) and making \(1\le Q_\mathsf {H}\le 2^{128}\) (quantum) queries to \(\mathsf {H}\), and we have

$$\begin{aligned} \frac{\mathrm {Adv}^{{\mathsf {UF\text {-}CMA}}}_{\mathsf {Dilithium\text {-}QROM}}(\mathsf {A})}{\mathrm {Time}(\mathsf {A})} \le \frac{\mathrm {Adv}^{\mathsf {MLWE}}_{{\mathsf {ID}}}(\mathsf {B})}{\mathrm {Time}(\mathsf {B})}+ \frac{\mathrm {Adv}^{{\mathsf {PR}}}_{\mathsf {Sam}}(\mathsf {D})}{\mathrm {Time}(\mathsf {D})} + Q_\mathsf {H}\cdot 2^{-261} \le 2^{-128} \end{aligned}$$

The signature size in \(\mathsf {Dilithium\text {-}QROM}\) is \((n\cdot \ell \cdot ( \lceil \log (2\gamma )\rceil ) + nk + 46\cdot (\log (n)+1))/8\) bytes, while the public key is \((n\cdot k\cdot (\lceil \log (q)\rceil - d)+256)/8\) bytes.

In Table 1, we compare the parameters from the current scheme, which can be proved secure based on the hardness of \(\mathsf {MLWE}\) in the QROM, to those of the original \(\mathsf {Dilithium}\) scheme from [16], which only has a classical security reduction from the combination of \(\mathsf {MLWE}\) and \(\mathsf {MSIS}\) (we introduce this latter problem in the next section). One can see that the sum of the public key and signature sizes are approximately 3.2 times larger in \(\mathsf {Dilithium\text {-}QROM}\) than in \(\mathsf {Dilithium}\).

4.5 Security Assumptions for Non-lossy Schemes

The reduction from the \(\mathsf {MLWE}\) problem to the hardness of the \(\mathsf {Dilithium\text {-}QROM}\) scheme was a direct consequence of Theorem 3.1, which is itself a combination of Theorems 3.2 and 3.4. In this section, we consider the security of schemes for which Theorem 3.4 is inapplicable. In particular, in these schemes it is no longer true that a computationally-unbounded adversary cannot win the \(\mathsf {LOSSY\text {-}IMP}\) game. The reason that one would like to use schemes constructed in such a manner is because they turn out to be more efficient. In particular, the original \(\mathsf {Dilithium}\) schemeFootnote 4 [16], which is virtually identical to the \(\mathsf {Dilithium\text {-}QROM}\) presented in this paper except for the parameter sizes, has outputs (of the public key plus signature) that are smaller by a factor of a little over 3 (see Table 1).

But while the \(\mathsf {Dilithium}\) scheme has a security reduction from standard lattice problems in the classical random-oracle model, there is no such reduction in the quantum random-oracle model. Nevertheless, it is unclear whether this lack of reduction implies any weakness against quantum attacks. It would therefore be useful to understand exactly what assumptions the more efficient scheme is relying on in the quantum random-oracle model.

Let us suppose that the parameters for the \(\mathsf {Dilithium}\) scheme are set such that Theorem 3.2 is still applicable. That is, suppose that \(\varepsilon _{\mathsf {zk}}=0\), \(\alpha \) is very large, and the scheme is commitment-recoverable. In this case, ignoring the \(2^{-\alpha +1}\) term, Theorem 3.2 states that the security of the full signature scheme is exactly the security of the \({\mathsf {UF\text {-}NMA}}\) signature scheme in the quantum random-oracle model. Since the adversary does not obtain any valid signatures in the \({\mathsf {UF\text {-}NMA}}\) security game, the security assumption of such signatures is non-interactive.

Below, we recall the standard \(\mathsf {MSIS}\) assumption and then define a new assumption, \(\mathsf {SelfTargetMSIS}\), upon which the security of \(\mathsf {Dilithium}\) is based. We also point out that in the classical random-oracle model, there is a (non-tight) reduction from the \(\mathsf {MSIS}\) to the \(\mathsf {SelfTargetMSIS}\) problem. Then we show that the \(\mathsf {Dilithium}\) scheme for which Theorem 3.4 is not necessarily applicable, still has a security reduction from the combination of \(\mathsf {MLWE}\) and \(\mathsf {SelfTargetMSIS}\) problems.

The \(\mathsf {MSIS}\) and \(\mathsf {SelfTargetMSIS}\) Problems. The \(\mathsf {MSIS}\) problem [25] is a generalization of the \(\mathsf{SIS}\) [4] and \(\mathsf {Ring\text {-}SIS}\) [28, 33] problems in the same way that \(\mathsf {MLWE}\) is a generalization of \(\mathsf{LWE}\) and \(\mathsf {Ring\text {-}LWE}\). To an algorithm \(\mathsf {A}\) we associate the advantage function \(\mathrm {Adv}^\mathsf {MSIS}_{m,k,\gamma }(\mathsf {A})\) to solve the (Hermite Normal Form) \(\mathsf {MSIS}_{m,k,\gamma }\) problem over the ring \(R_q\) as

$$ \mathrm {Adv}^\mathsf {MSIS}_{m,k,\gamma }(\mathsf {A}):=\Pr \left[ 0<\Vert \mathbf{y}\Vert _\infty \le \gamma \wedge [\mathbf{I}\,|\,\mathbf{A}]\cdot \mathbf{y}= \mathbf{0}\mid \mathbf{A}\leftarrow R_q^{m\times k}; \mathbf{y}\leftarrow \mathsf {A}(\mathbf{A})\right] . $$

As for \(\mathsf{SIS}\) and \(\mathsf {Ring\text {-}SIS}\), it was shown that solving \(\mathsf {MSIS}\) for certain parameters is as hard as worst-case instances of lattice problems over algebraic lattices of a certain form [25].

Suppose that \(\mathsf {H}: \{0,1\}^* \rightarrow \mathsf {ChSet}\) is a cryptographic hash function. To an algorithm \(\mathsf {A}\) we associate the advantage function \(\mathrm {Adv}^\mathsf {SelfTargetMSIS}_{\mathsf {H},m,k,\gamma }(\mathsf {A})\) to solve the \(\mathsf {SelfTargetMSIS}_{\mathsf {H},m,k,\gamma }\) problem over the ring \(R_q\) as

$$\begin{aligned}&\mathrm {Adv}^\mathsf {SelfTargetMSIS}_{\mathsf {H},m,k,\gamma }(\mathsf {A})\\&\quad :=\, \Pr \left[ \left. \begin{array}{l} \Vert \mathbf{y}\Vert _\infty \le \gamma \\ \wedge \mathsf {H}([\mathbf{I}\,|\,\mathbf{A}]\cdot \mathbf{y}\parallel {M})=c \end{array} \right| \mathbf{A}\leftarrow R_q^{m\times k}; \left( \mathbf{y}:=\begin{bmatrix}\mathbf{r}\\ c\end{bmatrix}, {M}\right) \leftarrow \mathsf {A}^{|{\mathsf {H}} \rangle }(\mathbf{A}) \right] . \end{aligned}$$

If \(\mathsf {A}\) only has classical access to \(\mathsf {H}\), then there is a reduction, using the forking lemma [9, 34], to prove that \( \mathrm {Adv}^\mathsf {SelfTargetMSIS}_{\mathsf {H},m,k,\gamma }(\mathsf {B}) \approx \sqrt{\mathrm {Adv}^\mathsf {MSIS}_{m,k,2\gamma }(\mathsf {A})/Q_\mathsf {H}}\), where \(Q_\mathsf {H}\) is the number of classical queries to \(\mathsf {H}\).Footnote 5 This reduction is standard and is implicit in the (classical) security proofs of digital signatures based on the hardness of the \(\mathsf{SIS}\) problem (cf. [16, 27]).

Security based on \(\mathsf {MLWE}\), \(\mathsf {MSIS}\), and \(\mathsf {SelfTargetMSIS}\) in the QROM. The QROM security of (deterministic) \(\mathsf {Dilithium}\) can be expressed as

$$\begin{aligned} \mathrm {Adv}^{{\mathsf {sUF\text {-}CMA}}}_{\mathsf {Dilithium}}(\mathsf {A})&\le \mathrm {Adv}^{\mathsf {MLWE}}_{k,\ell ,D}(\mathsf {B})+\mathrm {Adv}^\mathsf {SelfTargetMSIS}_{\mathsf {H},k,\ell +1,\zeta }(\mathsf {C})\end{aligned}$$
$$\begin{aligned}&\quad + \, \mathrm {Adv}^{{\mathsf {PR}}}_{\mathsf {Sam}}(\mathsf {D})+\mathrm {Adv}^\mathsf {MSIS}_{k,\ell ,\zeta '}(\mathsf {E})+2^{-\alpha +1} , \end{aligned}$$

for D a uniform distribution over \(S_\eta \),

$$\begin{aligned} \zeta =\max \{\gamma '-\beta ,2\gamma +1+2^{d-1}\cdot \rho \}, \end{aligned}$$

where \(\rho \) is the number of \(\pm 1\)’s in the challenge set \(\mathsf {ChSet}\), and

$$\begin{aligned} \zeta '=\max \{2(\gamma '-\beta ),4\gamma +2\}. \end{aligned}$$

The proof that the min-entropy \(\alpha \) is greater than 255, and the proof for strong unforgeability appears in the full version of the paper. The bound in Eq. (10) is then obtained by combining Theorem 3.2 with results from Sect. 4.3.