Cryptology ePrint Archive: Report 2019/699

Quantum security of the Fiat-Shamir transform of commit and open protocols

André Chailloux

Abstract: Applying the Fiat-Shamir transform on identification schemes is one of the main ways of constructing signature schemes. While the classical security of this transformation is well understood, it is only very recently that generic results for the quantum case has been proposed [DFMS19,LZ19]. In this paper, we show that if we start from a commit-and-open identification scheme, where the prover first commits to several strings and then as a second message opens a subset of them depending on the verifier's message, then the Fiat-Shamir transform is quantum secure, for a suitable choice of commitment scheme. Unlike previous generic results, our transformation doesn't require to reprogram the random function H used in the Fiat-Shamir transform and we actually only require a quantum one-wayness property. Our techniques can in some cases lead to a much tighter security reduction. To illustrate this, we apply our techniques to identifications schemes at the core of the MQDSS signature scheme, the Picnic scheme (both present in the round 2 of the post quantum NIST competition) and the Stern signature scheme. For all these schemes, we show that our technique can be applied with essentially tight results.

Category / Keywords: cryptographic protocols / quantum Fiat-Shamir transform, signature schemes, commit and open identifications schemes

Date: received 12 Jun 2019, last revised 1 Jul 2019

Contact author: andre chailloux at inria fr

Available format(s): PDF | BibTeX Citation

Version: 20190701:091436 (All versions of this report)

Short URL: ia.cr/2019/699


[ Cryptology ePrint archive ]