The Measure-and-Reprogram Technique 2.0: Multi-Round Fiat-Shamir and More

We revisit recent works by Don, Fehr, Majenz and Schaffner and by Liu and Zhandry on the security of the Fiat-Shamir transformation of $\Sigma$-protocols in the quantum random oracle model (QROM). Two natural questions that arise in this context are: (1) whether the results extend to the Fiat-Shamir transformation of multi-round interactive proofs, and (2) whether Don et al.'s $O(q^2)$ loss in security is optimal. Firstly, we answer question (1) in the affirmative. As a byproduct of solving a technical difficulty in proving this result, we slightly improve the result of Don et al., equipping it with a cleaner bound and an even simpler proof. We apply our result to digital signature schemes showing that it can be used to prove strong security for schemes like MQDSS in the QROM. As another application we prove QROM-security of a non-interactive OR proof by Liu, Wei and Wong. As for question (2), we show via a Grover-search based attack that Don et al.'s quadratic security loss for the Fiat-Shamir transformation of $\Sigma$-protocols is optimal up to a small constant factor. This extends to our new multi-round result, proving it tight up to a factor that depends on the number of rounds only, i.e. is constant for any constant-round interactive proof.

[1]  Dan Boneh,et al.  Bulletproofs: Short Proofs for Confidential Transactions and More , 2018, 2018 IEEE Symposium on Security and Privacy (SP).

[2]  Marc Fischlin,et al.  Signatures from Sequential-OR Proofs , 2020, IACR Cryptol. ePrint Arch..

[3]  Joseph K. Liu,et al.  Linkable Spontaneous Anonymous Group Signature for Ad Hoc Groups (Extended Abstract) , 2004, ACISP.

[4]  Serge Fehr,et al.  Security of the Fiat-Shamir Transformation in the Quantum Random-Oracle Model , 2019, IACR Cryptol. ePrint Arch..

[5]  Gilles Brassard,et al.  Tight bounds on quantum searching , 1996, quant-ph/9605034.

[6]  Mark Zhandry,et al.  Revisiting Post-Quantum Fiat-Shamir , 2019, IACR Cryptol. ePrint Arch..

[7]  Peter Schwabe,et al.  SOFIA: MQ-based signatures in the QROM , 2017, IACR Cryptol. ePrint Arch..

[8]  Dominique Unruh,et al.  Quantum Proofs of Knowledge , 2012, IACR Cryptol. ePrint Arch..

[9]  Tommaso Gagliardoni,et al.  The Fiat-Shamir Transformation in a Quantum World , 2013, IACR Cryptol. ePrint Arch..

[10]  Dominique Unruh,et al.  Non-Interactive Zero-Knowledge Proofs in the Quantum Random Oracle Model , 2015, EUROCRYPT.

[11]  Dominique Unruh,et al.  Computationally Binding Quantum Commitments , 2016, EUROCRYPT.

[12]  Taizo Shirai,et al.  Public-Key Identification Schemes Based on Multivariate Quadratic Polynomials , 2011, CRYPTO.

[13]  Ivan Damgård,et al.  Proofs of Partial Knowledge and Simplified Design of Witness Hiding Protocols , 1994, CRYPTO.

[14]  Peter Schwabe,et al.  From 5-Pass MQ -Based Identification to MQ -Based Signatures , 2016, ASIACRYPT.

[15]  Mark Zhandry,et al.  How to Construct Quantum Random Functions , 2012, 2012 IEEE 53rd Annual Symposium on Foundations of Computer Science.

[16]  Eike Kiltz,et al.  A Concrete Treatment of Fiat-Shamir Signatures in the Quantum Random-Oracle Model , 2018, IACR Cryptol. ePrint Arch..

[17]  Dominique Unruh,et al.  Post-quantum Security of Fiat-Shamir , 2017, ASIACRYPT.