
Fiat–Shamir Transformation

Updated 23 March 2026
  • Fiat–Shamir transformation is a cryptographic method that converts public-coin three-round Σ-protocols into non-interactive protocols by replacing challenges with a random oracle's hash.
  • Its classical security uses rewinding and special soundness techniques, while quantum settings introduce challenges due to superposition queries and the inability to rewind.
  • Recent research offers alternate techniques like oblivious commitments and the measure-and-reprogram approach to maintain security in quantum adversarial models.

The Fiat–Shamir transformation is a fundamental cryptographic primitive for converting interactive proofs, specifically public-coin three-round “Σ-protocols,” into non-interactive protocols or signature schemes in the (random) oracle model. The transformation is widely used due to its simplicity, efficiency, and broad applicability, but its security guarantees in quantum settings, especially in the presence of quantum adversaries and quantum-accessible oracles, exhibit critical subtleties and limitations. This article surveys the underpinnings, methodology, classical and quantum security, impossibility results, and current research frontiers.

1. Classical Fiat–Shamir Transformation and Security

Let $R \subseteq \{0,1\}^* \times \{0,1\}^*$ be an NP relation and let $(\mathsf{P},\mathsf{V})$ be a 3-move public-coin interactive proof (Σ-protocol) for $R$.

  • Classical interaction:
  1. Prover on input $(x,w)$ picks a random “commitment” $a$ and sends $a$ to the verifier.
  2. Verifier responds with a random challenge $c$.
  3. Prover computes $z$ and sends it; the verifier accepts or rejects based on $(x,a,c,z)$.

Key properties:

  • Perfect completeness: an honest prover always convinces the verifier.
  • Special soundness: given two accepting transcripts with the same $a$ but distinct challenges $c \neq c'$, one can efficiently extract $w$ such that $(x,w) \in R$.
  • Honest-verifier zero-knowledge (HVZK): for any $x$, there exists a simulator producing transcripts indistinguishable from real interactions (Dagdelen et al., 2013, Don et al., 2019).
  • Fiat–Shamir transformation: replaces the interactive challenge $c$ with $c = H(a)$, where $H$ is a cryptographic hash modeled as a random oracle. The signature on message $m$ is $(a,c,z)$ with $c = H(a \parallel m)$. The verifier checks that $c = H(a \parallel m)$ and that $(x,a,c,z)$ verifies (Dagdelen et al., 2013).
  • Classical security in the random oracle model (ROM): there exists a “rewinding extractor.” If an adversary produces an accepting $(a,c,z)$, the extractor rewinds the adversary to the point before $H(a)$ is learned, reprograms $H(a)$ to $c' \ne c$ to obtain a second accepting $(a,c',z')$, and applies special soundness to extract $w$ (Dagdelen et al., 2013, Don et al., 2019).
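As an added worked example (not code from any of the surveyed papers), the transformation above instantiated on Schnorr's Σ-protocol for the discrete-log relation, together with the special-soundness extractor of the last bullet. The group parameters are a constructed toy subgroup, and the encoding used to hash $(a, m)$ into $\mathbb{Z}_q$ is an assumption of the demo.

```python
# Added example: Fiat-Shamir applied to Schnorr's Sigma-protocol, with the
# special-soundness extractor. Toy parameters, far too small for real use.
import hashlib
import secrets

# Constructed toy parameters: p = 2q + 1 with p, q prime; g = 4 = 2^2 is a
# quadratic residue mod p and therefore has order exactly q.
P = 1019
Q = 509
G = 4

def hash_challenge(a: int, msg: bytes) -> int:
    """Non-interactive challenge c = H(a || m), reduced into Z_q (encoding is an assumption)."""
    data = a.to_bytes(2, "big") + msg
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % Q

def keygen():
    """Witness w (secret key) and statement x = g^w (public key)."""
    w = secrets.randbelow(Q - 1) + 1
    return pow(G, w, P), w

def sign(w: int, msg: bytes, r: int = None):
    """Prover's three moves, with the verifier's coin replaced by the hash."""
    if r is None:
        r = secrets.randbelow(Q - 1) + 1   # fresh commitment randomness
    a = pow(G, r, P)                       # move 1: commitment a = g^r
    c = hash_challenge(a, msg)             # move 2, simulated: c = H(a || m)
    z = (r + c * w) % Q                    # move 3: response
    return a, c, z

def verify(x: int, msg: bytes, sig) -> bool:
    """Recompute the challenge, then apply the Sigma-protocol check g^z == a * x^c."""
    a, c, z = sig
    if c != hash_challenge(a, msg):
        return False
    return pow(G, z, P) == (a * pow(x, c, P)) % P

def extract(t1, t2) -> int:
    """Special soundness: two accepting transcripts with equal a and c != c'
    yield w = (z - z') / (c - c') mod q.  This is exactly what the rewinding
    extractor obtains by reprogramming H(a), and it is also why reusing the
    commitment randomness r across two signed messages leaks the secret key."""
    a, c, z = t1
    a2, c2, z2 = t2
    if a != a2 or c == c2:
        raise ValueError("need the same commitment and distinct challenges")
    return ((z - z2) * pow(c - c2, -1, Q)) % Q
```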

2. The Quantum Random Oracle Model (QROM) and Extractor Limitations

Quantum adversaries are allowed to query the random oracle in superposition. The QROM models $H$ as the unitary $O_H: |x\rangle|y\rangle \mapsto |x\rangle|y \oplus H(x)\rangle$.

  • In this setting, the rewinding extraction technique fails: the no-cloning theorem prevents rewinding and replaying a quantum adversary from an internal state. Further, responses to superposition queries cannot “program” the oracle on a single classical input without disturbing the adversary’s computation (Dagdelen et al., 2013, Ambainis et al., 2014).
  • Black-box security reductions relying on extraction are generally impossible for protocols with witness-independent commitments and standard active security notions—even for “quantum-immune” identification schemes (Dagdelen et al., 2013, Ambainis et al., 2014).

A critical impossibility insight is established by constructing meta-reductions showing that any black-box extractor would break some underlying active security or knowledge assumption (typically by simulating the random oracle via interaction with honest provers), yielding contradictions (Dagdelen et al., 2013, Ambainis et al., 2014).

3. Impossibility Results and Model Generalizations

Recent advances introduce the Common Reference Quantum State (CRQS) model as a generalization of the Common Reference String (CRS) model. In the CRQS model, parties begin with (possibly entangled) polynomial-size quantum states. This model captures arbitrary shared quantum setups (Dupuis et al., 2022).

  • Weak One-Time Random Oracle (WOTRO): formalizes the essential randomness property: for every adversary seeking to enforce $c = f(a)$, the probability of success is bounded by $1-\delta$ over all functions $f$ (Dupuis et al., 2022).
  • Main black-box impossibility theorem: No statistically secure CRQS-based protocol can implement WOTRO for $n - m \in \omega(\log n)$. There is no fully black-box quantum reduction that can prove security for generic Fiat–Shamir or WOTRO protocols in this setting (Dupuis et al., 2022).
  • The construction utilizes a simulatable “Chernoff adversary”, classically inefficient but indistinguishable from efficient adversaries in the eyes of the security reduction. Any such reduction must also succeed in the simulatable setting, which contradicts game-based assumptions (Dupuis et al., 2022).

Summary Implication: There is no security proof for the Fiat–Shamir transform in the quantum random oracle or CRQS models that is both black-box and based on game-type assumptions—unless non-standard, non-black-box, or non-game assumptions are introduced (Dupuis et al., 2022, Ambainis et al., 2014).

4. Positive Results: Special Techniques and Restricted Protocol Classes

While generic black-box reductions are impossible, there exist restricted protocols and alternative constructions for which soundness can be established—even in the QROM:

  • Oblivious commitment Σ-protocols: If the commitment can be generated obliviously (with a trapdoor allowing the prover to answer arbitrary commitments), full Fiat–Shamir security in the QROM is attainable under standard post-quantum assumptions (e.g., lattice-based, SIS) (Dagdelen et al., 2013). These coincide, up to fine details, with the GPV “hash-and-sign” paradigm. The forking lemma is replaced by the ability to simulate responses to randomly programmed commitments (Dagdelen et al., 2013).
  • Tight quantum reductions for commit-and-open Σ-protocols: For protocols where the prover opens subsets of multiple commitments in response to the challenge (as in Stern’s, KTX, SSH, MQDSS, and Picnic schemes), recent work provides parameter-tight reductions without exponent blow-up or quantum rewinding (Chailloux, 2019). The reduction leverages invertible quantum-secure PRPs and extractors based on permutation inversion, avoiding the rewinding barrier entirely.
  • Concrete schemes and bounds: Parameter choices for schemes such as Stern, KTX/SSH, MQDSS, and PICNIC in the NIST PQC process are given, with soundness tightly bounded provided the number of repetitions ($r$) is chosen according to the quantum Grover bound: $r \ge 3\lambda/\log_2(3/2)$ for $\lambda$-bit security (Chailloux, 2019).

5. Measure-and-Reprogram Approach and Security Loss Analysis

New analysis methodologies, such as the measure-and-reprogram technique, sidestep rewinding entirely by measuring adversary queries and adaptively reprogramming the random oracle:

  • Main result: Any $q$-query quantum adversary against FS can at most increase its success probability by an $O(q^2)$ factor; this is optimal due to Grover-based attack lower bounds (Don et al., 2019, Don et al., 2020).
  • Multi-round and parallel repetition: The technique generalizes to $n$-wise interactive and parallel-repeated protocols, yielding $O(q^{2n})$ tightness in reductions (Don et al., 2020). The security of the non-interactive FS proof is determined by the underlying special soundness advantage and the penalty from quantum-accessible oracles.
  • Implication for signature schemes: Post-quantum signature schemes built from suitable Σ-protocols (e.g., MPC-in-the-head, Lyubashevsky’s protocol, code-based Stern, MQDSS/Picnic) directly inherit QROM security with parameter choices already used in deployed systems (Don et al., 2019, Chailloux, 2019).

6. Extensions, Open Questions, and Ongoing Research Directions

The foundational results outlined above lead to several significant open problems and extensions:

  • Role of non-black-box and non-game assumptions: Current impossibility results leave open whether non-black-box techniques (e.g., obfuscation-based or structure-exposing reductions) can yield provable FS security in fully quantum models (Dupuis et al., 2022).
  • Alternative transforms and extractor paradigms: Exploring transforms that do not require special or oblivious commitments (e.g., Fischlin’s online extractors, Pass’s deniability-based schemes), or new minimal structure for black-box extractability (Dagdelen et al., 2013).
  • Quantum security against more general attacks: Including side-channel (fault injection, nonce reuse) settings, adaptive adversaries, and hedged signature paradigms. Tight adaptive reprogramming bounds have been established for such models, avoiding prior losses associated with classical one-way-to-hiding techniques (Grilo et al., 2020).
  • Application to post-quantum signature schemes: The compact-knapsack-based FS transform exemplifies how Σ-protocols with special soundness and HVZK yield EUF-CMA security in the ROM; their quantum security depends on the status of the underlying problem in the QROM (Rizos et al., 2023).

7. Table: Impossibility and Positive Results for Quantum Fiat–Shamir Security

| Setting / Protocol Class | Black-Box Security Possible? | Reference |
|---|---|---|
| Generic Σ-protocol in QROM | No (impossibility) | Dagdelen et al., 2013; Dupuis et al., 2022; Ambainis et al., 2014 |
| Σ with oblivious commitments (HVZK, special soundness) | Yes (under LWE/SIS, etc.) | Dagdelen et al., 2013 |
| Commit-and-open Σ with tight PRP reduction | Yes (parameter-tight) | Chailloux, 2019 |
| Multi-round Fiat–Shamir (measure-and-reprogram) | Yes, with optimal $O(q^{2n})$ loss | Don et al., 2019; Don et al., 2020 |

In summary, the Fiat–Shamir transformation remains a central primitive for constructing non-interactive proofs and signature schemes, but its black-box security, particularly in the presence of quantum adversaries, is fundamentally more delicate than in the classical setting. While general impossibility barriers exist for black-box proofs in both the QROM and the more general CRQS model, research has identified protocol structures and reduction techniques (oblivious commitment, commit-and-open decomposition, measure-and-reprogram) that restore security guarantees for important subclasses. These insights guide both the design and analysis of future post-quantum cryptographic schemes.
