Efficient NIZKs and Signatures from Commit-and-Open Protocols in the QROM

Abstract

Commit-and-open \(\Sigma \)-protocols are a popular class of protocols for constructing non-interactive zero-knowledge arguments and digital-signature schemes via the Fiat-Shamir transformation . Instantiated with hash-based commitments, the resulting non-interactive schemes enjoy tight online-extractability in the random oracle model. Online extractability improves the tightness of security proofs for the resulting digital-signature schemes by avoiding lossy rewinding or forking-lemma based extraction.

In this work, we prove tight online extractability in the quantum random oracle model (QROM), showing that the construction supports post-quantum security. First, we consider the default case where committing is done by element-wise hashing. In a second part, we extend our result to Merkle-tree based commitments. Our results yield a significant improvement of the provable post-quantum security of the digital-signature scheme Picnic.

Our analysis makes use of a recent framework by Chung et al. [CFHL21] for analysing quantum algorithms in the QROM using purely classical reasoning. Therefore, our results can to a large extent be understood and verified without prior knowledge of quantum information science.

Full version available at https://eprint.iacr.org/2022/270.

1 Introduction

Some interactive proofs come with amazing properties like zero-knowledge which intuitively allows a prover to convince a verifier that she knows the witness to an NP-statement without giving away information about this witness. Such zero-knowledge proofs of knowledge are some of the most fascinating objects in cryptography, and possibly in all of theoretical computer science. One might suspect that their “magic” is due to the prover and verifier running an interactive protocol with each other, and that this interaction causes the verifier to be convinced. Surprisingly, if the interactive proof is of suitable form, e.g. a \(\Sigma \)-protocol (i.e. a 3-round public-coin protocol), the Fiat-Shamir transformation  [FS87] provides a natural way to remove the interaction from such protocols while preserving (most of) the security properties, resulting in non-interactive zero-knowledge proofs (NIZKs). The idea is to compute the challenge c as a hash \(c = H(a)\) of the first message, rather than letting the verifier choose c. If the original \(\Sigma \)-protocol has additional soundness properties, the resulting NIZK after the Fiat-Shamir transformation is ideally suited to construct a digital-signature scheme, simply by hashing the message m to be signed together with the first message a in order to obtain the challenge c. The candidates Picnic [CDG+17] and Dilithium [DKL+18] in the ongoing NIST post-quantum cryptography competition follow this design paradigm.

This intuitive preservation of security properties under the Fiat-Shamir transformation can be formalized in the random-oracle model (ROM), where the hash function H is treated as a uniformly random function, and the security reduction gets enhanced access to anybody who queries the random oracle, by seeing which values are queried, and by possibly returning (random-looking) outputs. While this situation is conveniently easy to handle in a non-quantum world, complications arise in the context of post-quantum security. When studying the security of these non-quantum protocols against attackers equipped with large-enough quantum computers, it is natural to assume that such attackers have access to the public description of the employed hash function, and can therefore compute it in superposition on their quantum computers. Therefore, the proper notion of post-quantum security for random oracles is the quantum-accessible random-oracle model (QROM) as introduced in [BDF+11]. Due to the difficulty of recording adversarial random-oracle queries in superposition (also referred to as the recording barrier), establishing post-quantum security in the QROM has turned out to be quite a bit more difficult compared to the regular ROM.

Previous results in [DFMS19] (and concurrently in [LZ19b]) establish that for any interactive \(\Sigma \)-protocol \(\varPi \) that is a proof of knowledge, the non-interactive \(\textsf{FS}[\varPi ]\) is a proof of knowledge in the QROM. [DFM20] simplified the technical proof and extended these results to multi-round interactive proofs. However, the most desirable property from such a proof of knowledge is online extractability Indeed, online extractability avoids rewinding, which typically causes a significant loss in the security reduction and has other disadvantages (see later for a comparison). Thus, online extractability allows for the tightest security reductions.

Chailloux was the first to aim for showing online extractability of the Fiat-Shamir transformation in the QROM when considering the relevant class of commit-and-open (C &O) \(\Sigma \)-protocols and modelling the hash function used for the commitments (and for computing the challenge) as a random oracle. Indeed, the Fiat-Shamir transformation of such C &O \(\Sigma \)-protocols are known to be online extractable in the classical ROM (see e.g. discussion in [Fis05]). In a first attempt [Cha19], Chailloux tried to lift the argument to the quantum setting by means of Zhandry’s compressed-oracle technique [Zha19], which offers a powerful approach for re-establishing ROM results in the QROM, that has been successful in many instances. Unfortunately, this first attempt contained a subtle flaw, which turned out to be unfixable, and despite changing the technical approach, the latest version of this work still contains an open gap in the proof, which is put as an assumption in [Cha21].¹

In a recent article [DFMS21], online extractability of interactive C &O \(\Sigma \)-protocols \(\varPi \) in the QROM is established ; the result applies as soon as \(\varPi \) stisfies some liberal notion of special soundness, which is typically satisfied . As pointed out in Appendix E of [DFMS21], one can use previous results from [DFMS19, LZ19b, DFM20] to reduce the extractability of the resulting non-interactive protocol \(\textsf{FS}[\varPi ]\) to the extractability of the interactive protocol \(\varPi \). However, the resulting extraction error scales as \(O(\varepsilon /q^2)\) which results in a prohibitive loss for digital-signature schemes (see Table 1), leaving open the main question originally posed by Chailloux:

How to establish tight security reductions of the Fiat-Shamir transformation for commit-and-open \(\varSigma \)-protocols in the QROM?

As the technical quantum details of Zhandry’s compressed-oracle technique are rather complicated and only accessible for experts, a recent article by Chung, Fehr, Huang and Liao [CFHL21] establish a framework that allows researchers without extensive quantum knowledge to still deploy the compressed-oracle technique (in certain cases), basically by reasoning about classical quantities only. In short, the punchline of [CFHL21] is that, if applicable, one can prove quantum query complexity lower bounds (think of collision finding, for instance) by means of the following recipe, which is an abstraction of the technique developed in a line of works started by Zhandry [Zha19, LZ19a, CGLQ20, HM21]. First, one considers the corresponding classical query complexity problem, analyzing it by simulating the random oracle using lazy sampling and showing that the database, which keeps track of the oracle queries and the responses, is unlikely to satisfy a certain property (e.g. to contain a collision) after a bounded number of queries. Then, one lifts the analysis to the quantum setting by plugging key observations from the classical analysis into generic theorems provided by the [CFHL21] framework. A similar framework, using slightly different language (and limited to sequential queries) was given in [CMS19].

1.1 Our Contributions

In this work, we slightly extend the framework from [CFHL21], and use it to establish strong and tight security statements for a large, popular class of non-interactive zero-knowledge proofs and digital signature schemes. In broad strokes, our contributions are threefold.

Online Extractability for a Class of NIZKs in the QROM. We prove online extractability of the Fiat-Shamir transformation in the QROM for (a large class of) C &O \(\Sigma \)-protocols. This solves the problem considered and attacked by Chailloux. In more detail, we prove that if the considered C &O \(\Sigma \)-protocol satisfies some very liberal notion of special soundness , then the resulting NIZK is a proof of knowledge with online extractability in the QROM, i.e., when the hash function used for the commitments and the FS transformation is modeled as a quantum-accessible random oracle. Our security reduction is tight: Whenever a prover outputs a valid proof, the online-extractor succeeds, except with a small probability accounting for collision and preimage attacks on the involved hash functions. For previous reductions, the guaranteed extraction success probability was at least by a factor of \(q^2\) smaller than the succes probability of the prover subjected to extraction (see Table 1). This is our main technical contribution, see Theorem 4.2. Our result also applies to a variant of the Fiat-Shamir transformation where a digital signature scheme (DSS) is constructed. It thereby, for the first time, enables a multiplicatively tight security reduction for, e.g., DSS based on the MPC-in-the-head paradigm [IKOS07], like Picnic [CDG+17], Banquet [BdSGK+21] and Rainier [DKR+21], in the QROM.

A More Efficient Unruh Transformation. When a \(\Sigma \)-protocol does not have the mentioned C &O structure, a non-interactive proof of knowledge with online extractability in the QROM can be obtained using the Unruh transformation [Unr15]. For technical reasons, the original Unruh transformation requires the hash function to be length preserving, which may result in large commitments, and thus large NIZKs and digital signature schemes. In the full version, we revisit this transformation and show, by a rather direct application of our main result above, that the online extractability of the Unruh transform still holds when using a compressing hash function. The crucial observation is that the Unruh transformation can be viewed as the composition of a “pre-Unruh” transformation, which makes use of hash-based commitments and results in a C &O protocol, and the Fiat-Shamir transformation. By applying our security reduction, we then obtain the tight online extractability without requiring the hash function to be length preserving.

More Efficient NIZKs via Merkle Tree Based Commitments. In real-world constructions based on C &O protocols, like e.g., the Picnic digital signature scheme, commitments and their openings are responsible for a significant fraction of the signature/proof size. For certain parameters, this cost can be reduced by using a collective commitment mechanism based on Merkle trees. This was observed in passing, e.g. in [Fis05], and is exploited in the most recent versions of Picnic. We formalize Merkle-tree-based C &O protocols and extend our main result to NIZKs constructed from them (see Theorem 5.2). Applications include a security reduction of Picnic 3, the newest version of the Picnic digital signature scheme, that is significantly tighter than existing ones: An adversary against the Picnic 3 signature scheme in the QROM with success probability \(\varepsilon \) can now be used to break the underlying hard problem with probability \(\varepsilon \), up to some additive error terms, while previous reductions yielded at most \(\varepsilon ^5/q^{10}\), where q is the number of random oracle queries. We outline this reduction in Sect. 5.3.

We compare our reductions in detail to existing techniques in Table 1.

Table 1. Comparison of the losses of different reductions for the construction of a NIZK proof of knowledge (NIZK-PoK) from a special-sound (Merkle tree based) C &O protocol with constant challenge space size C using r-fold parallel repetition and the Fiat-Shamir transformation. “OE” stands for online extraction, 2-s for special soundness, UF-NMA for plain unforgeability and DSS for digital signature scheme. If the content of a cell in row “security property A \(\Rightarrow \) security property B” is \(f(\varepsilon )\), this means that an adversary breaking property B with probability \(\varepsilon \) yields an adversary breaking property A with probabilty \(f(\varepsilon )\). indicates results that do not apply to Merkle-tree-based C &O protocols like the one used to construct the digital signature schemes Picnic 2 [KZ20] and Picnic 3 [CDG+19b]. The additive error terms are \(g(q,r,n)=C^{-r}+O(rq2^{-n/2})+O(q^32^{-n})\) and \(h(q,r,n)=O(q^32^{-n})+O(q^2C^{-r})\), where n is the output length of the random oracles, and q is the number of adversarial (quantum) queries to the random oracle. Finally, we note that the constants hidden by the big-O in h(q, r, n) are reasonable, see Theorems 4.2 and 5.2.

1.2 Technical Overview

Our starting point is the fact that the compressed-oracle technique can be seen as a variant of the classical lazy-sampling technique that is applicable in the QROM. Namely, to some extent and informally described here, the compressed-oracle technique gives access to a database that contains the hash values that the adversary \(\mathcal A\), who has interacted with the random oracle (RO), may know. In particular, up to a small error, for any claimed-to-be hash value y output by \(\mathcal A\), one can find its preimage x by inspecting the database (and one can safely conclude that \(\mathcal A\) does not know a preimage of y if there is none in the database). Recalling that a C &O \(\Sigma \)-protocol \(\varPi \) is an interactive proof where the first message consists of hash-based commitments, and exploiting that typically some sort of special soundness property ensures that knowing sufficiently many preimages of these commitments/hashes allows one to efficiently compute a witness, constructing an online extractor for the Fiat-Shamir transformation \(\textsf{FS}[\varPi ]\) then appears straightforward: The extractor \(\mathcal E\) simply runs the (possibly dishonest) prover \(P^*\), answering RO queries using the compressed oracle. Once \(P^*\) has finished and outputs a proof, \(\mathcal E\) measures the compressed-oracle database and classically reads off any preimages of the commitments in the proof. Finally, \(\mathcal E\) run the special soundness extractor that computes a witness from the obtained preimages . It is, however, not obvious that the database contains the preimages of the commitments that are not opened in the proof, or that these preimages are correctly formed. Intuitively this should be the case: the RO used for the Fiat-Shamir transformation replaces interaction in that it forces the prover to chose a full set of commitments before knowing which ones need to be opened. The crux lies in replacing this intuition by a rigorous proof .

The main insight leading to our proof is that the event that needs to be controlled, namely that the prover succeeds yet the extractor fails, can be translated into a property \(\textsf{SUC} \) (as in “adversarial SUCcess”) of the compressed-oracle database, which needs to be satisfied for the event to hold. It is somewhat of a peculiar property though. The database properties that have led to query complexity lower bounds in prior work, e.g. for (multi-)collision finding [LZ19a, HM21, CFHL21] and similar problems [Zha19, CGLQ20, BLZ21], require the database to contain some particular input-output pairs (e.g. pairs that collide), while the database property \(\textsf{SUC} \) additionally forbids certain input-output pairs to be contained.

Indeed, the framework from [CFHL21] is almost expressive enough to treat our problem. So, after a mild extension, we can apply it to prove that it is hard for any query algorithm to cause the compressed-oracle database to have property \(\textsf{SUC} \). Analyzing the relevant classical statistical properties of \(\textsf{SUC} \) is somewhat tedious but can be done (see the proof of Lemma 5.1). The resulting bound on the probability for the database to satisfy \(\textsf{SUC} \) then gives us a bound on the probability of the event that the prover succeeds in producing a valid proof while at the same time fooling the extractor.

Whenever it is advantageous for communication complexity, a Merkle tree can be used to collectively commit to all required messages in a C &O protocol. This collective commitment is one of the optimizations that improve the performance of, e.g. Picnic 2 [KZ20] over Picnic [CDG+17]. As the above-described argument for the extractability of C &O protocols already analyses iterated hashing (the hash-based commitments are hashed to compute the challenge), it generalizes to Merkle-tree-based C &O protocols without too much effort. We present this generalization in Sect. 5, and obtain similar bounds (see Theorem 5.2).

1.3 Additional Related Work

Besides the already mentioned work above, we note that Chiesa, Manohar and Spooner [CMS19] consider and prove security of various SNARG constructions, while we consider the Fiat-Shamir transformation of C &O protocols with a form of special soundness. Similar in to [CFHL21], they also provide some tools for deducing security of certain oracle games against quantum attacks by bounding a natural classical variant of the game.

2 Preliminaries

Our main technical proofs reliy on the recently introduced framework by Chung, Fehr, Huang, and Liao [CFHL21] for proving query complexity bounds in the QROM. This framework exploits Zhandry’s compressed-oracle technique but abstracts away all the quantum aspects, so that the reasoning becomes purely classical. We give here an introduction to a simplified, and slightly adjusted version that does not consider parallel queries. We start with recalling (a particular view on) the compressed oracle. Along the way, we also give an improved version of Zhandry’s central lemma for the compressed oracle.

Before getting into this, we fix the following standard notation. For any positive integer \(\ell >0\), we set \([\ell ]:=\{1,2,\ldots , \ell \}\), and we let \(2^{[\ell ]}\) denote the power set of \([\ell ]\), i.e., the set of all subsets of \([\ell ]\).

Finally, for any finite non-empty set \(\mathcal Z\), \(\mathbb C[\mathcal{Z}]\) denotes the Hilbert space \(\mathbb C^{|\mathcal{Z}|}\) together with a basis \(\{|z\rangle \}\) labeled by the elements \(z \in \mathcal Z\).

2.1 The Compressed Oracle — Seen as Quantum Lazy Sampling

With the goal to analyze oracle algorithms that interact with a RO \(H: \mathcal{X} \rightarrow \mathcal{Y}\), consider the set \(\mathfrak {D}\) of all functions \(D: \mathcal{X} \rightarrow \mathcal{Y} \cup \{\bot \}\), where \(\bot \) is a special symbol. Such a function is referred to as a database. Later, we will fix \(\mathcal{X} = \{0,1\}^{\le B}\) and \(\mathcal{Y} = \{0,1\}^n\). For \(D \in \mathfrak {D}\), \(x \in \mathcal{X}\) and \(y \in \mathcal{Y} \cup \{\bot \}\), \(D[x \!\mapsto \! y]\) denotes the database that maps x to y and otherwise coincides with D, i.e., \(D[x \!\mapsto \! y](x) = y\) and \(D[x \!\mapsto \! y](\bar{x}) = D(\bar{x})\) for all \(\bar{x} \in \mathcal{X} \setminus \{x\}\).

Following the exposition of [CFHL21], the compressed-oracle technique is a quantum analogue of the classical lazy-sampling technique, commonly used to analyze algorithms in the classical ROM. In the classical lazy-sampling technique, the (simulated) RO starts off with the empty database, i.e., with \(D_0 = {\boldsymbol{\bot }}\), which maps any \(x \in \mathcal X\) to \(\bot \). Then, recursively, upon a query x, the current database \(D_i\) is updated to \(D_{i+1} := D_i\) if \(D_i(x) \ne \bot \), and to \(D_{i+1} := D_i[x \!\mapsto \! y]\) for a randomly chosen \(y \in \mathcal Y\) otherwise. This construction ensures that \(|\{ x \,|\, D_i(x) \!\ne \! \bot \}| \le i\); after i queries thus, using standard sparse-encoding techniques, the database \(D_i\) can be efficiently represented and updated.

In the compressed-oracle quantum analogue of this lazy-sampling technique, the (simulated) RO also starts off with the empty database, but now considered as a quantum state \(|{\boldsymbol{\bot }}\rangle \) in the \(|\mathfrak {D}|\)-dimensional state space \(\mathbb C[\mathfrak {D}]\), and after i queries the state of the compressed oracle is then supported by databases \(|D_i\rangle \) for which \(|\{ x \,|\, D_i(x) \!=\! \bot \}| \le i\).² Here, the update is given by a unitary operator \(\textsf{cO}\) acting on \(\mathbb C[\mathcal{X}] \otimes \mathbb C[\mathcal{Y}]\otimes \mathbb C[\mathfrak {D}]\), i.e., on the query register, the response register, and the state of the compressed oracle. With respect to the computational basis \(\{|x\rangle \}\) of \(\mathbb C[\mathcal{X}]\) and the Fourier basis \(\{|\hat{y}\rangle \}\) of \(\mathbb C[\mathcal{Y}]\), \(\textsf{cO}\) is a control unitary, i.e., of the form \(\textsf{cO}= \sum _{x,\hat{y}} |x\rangle \!\langle x| \otimes |\hat{y}\rangle \!\langle \hat{y}| \otimes \textsf{cO}_{x,\hat{y}}\), where \(\textsf{cO}_{x,\hat{y}}\) is a unitary on \(\mathbb C[\mathcal{Y} \cup \{\bot \}]\), which in the above expression is understood to act on the register that carries the value of the database at the point x. More formally, \(\textsf{cO}_{x,\hat{y}}\) acts on register \(R_x\) when identifying \(\mathbb C[\mathfrak {D}]\) with \(\bigotimes _{x \in \mathcal X} \mathbb C[\mathcal{Y} \cup \{\bot \}]\) by means of the isomorphism \(|D\rangle \mapsto \bigotimes _{x \in \mathcal X}|D(x)\rangle _{R_x}\). We refer to Lemma 4.3 in the full version of [CFHL21] for the full specification of \(\textsf{cO}_{x,\hat{y}}\).

The compressed oracle is tightly related to the purified oracle, which initiates its internal state with a uniform superposition \(\sum _h |H\rangle \in \mathbb C[\mathfrak {D}]\) of all functions \(H: \mathcal{X} \rightarrow \mathcal{Y}\), and then answers queries “in superposition”. Indeed, at any point in time during the interaction with an oracle quantum algorithm \(\mathcal A\), the joint state of \(\mathcal A\) and the compressed oracle coincides with the joint state of \(\mathcal A\) and the purified oracle after “compressing” the latter.³ Formally, identifying \(\mathbb C[\mathfrak {D}]\) with \(\bigotimes _{x \in \mathcal X} \mathbb C[\mathcal{Y} \cup \{\bot \}]\) again, the compression of the state of the purified oracle works by applying the unitary \(\textsf{Comp}\) to each register \(R_x\), where

$$ \textsf{Comp}: |y\rangle \mapsto (|y\rangle +{(|\bot \rangle - |\hat{0}\rangle )/\sqrt{|\mathcal Y|}} $$

for any \(y \in \mathcal Y\), and \(\textsf{Comp}: |\bot \rangle \mapsto |\hat{0}\rangle \). Here, \(|\hat{0}\rangle \) is the \(\hat{0}\)-vector from the Fourier basis \(\{|\hat{y}\rangle \}\) of \(\mathbb C[\mathcal{Y}]\).

Similarly to the classical case, by exploiting a quantum version of the sparse-encoding technique, both the internal state of the compressed oracle and the evolution \(\textsf{cO}\) can be efficiently computed. Furthermore, for any classical function \(f: \mathfrak {D}\rightarrow \mathcal{T}\) that can be efficiently computed when given the sparse representation of \(D \in \mathfrak {D}\), the corresponding quantum measurement given by the projections \(P_t = \sum _{D: f(D)=t} |D\rangle \!\langle D|\) can be efficiently performed when given the sparse representation of the internal state of the compressed oracle. In particular, in Lemma 2.1 below, the condition \(\textbf{y} = D(\textbf{x})\) for given \(\textbf{x}\) and \(\textbf{y}\) can be efficiently checked by a measurement. See Appendix A in (the full version of) [CFHL21], or Appendix B in [DFMS21] for more details on this technique.

In the classical lazy-sampling technique, if at the end of the execution of an oracle algorithm \(\mathcal A\), having made q queries to the (lazy-sampled) RO, the database \(D_q\) is such that, say, \(D_q(x) \ne 0\) for any \(x \in \mathcal X\), then \(\mathcal A\)’s output is unlikely to be a 0-preimage, i.e., an x that is hashed to 0 upon one more query. \(\mathcal A\)’s best chance is to output an x that he has not queried yet, and thus \(D_q(x) = \bot \), and then he has a \(1/|\mathcal{Y}|\)-chance that \(D_{q+1}(x) := D_{q}[x \!\mapsto \! y](x) = 0\), given that y is randomly chosen. Something similar holds in the quantum setting, with some adjustments. The general statement is given by the following result by Zhandry.

Lemma 2.1

(Lemma 5 in [Zha19]). Let \(R \subseteq \mathcal{X}^\ell \times \mathcal{Y}^\ell \times \mathcal{Z}\) be a relation, and let \(\mathcal A\) be an oracle quantum algorithm that outputs \(\textbf{x} \in \mathcal{X}^\ell \), \(\textbf{y} \in \mathcal{Y}^\ell \) and \(z \in \mathcal Z\).

Furthermore, let

$$ p = p(\mathcal{A}) := \Pr [ \textbf{y} \!=\! H(\textbf{x}) \wedge (\textbf{x},\textbf{y},z) \!\in \! R ] $$

be the considered probability when \(\mathcal A\) has interacted with the standard RO, initialized with a uniformly random function H, and let

$$\begin{aligned} p' = p'(\mathcal{A})&:= \Pr [ \textbf{y} \!=\! D(\textbf{x}) \wedge (\textbf{x},\textbf{y},z) \!\in \! R ] \end{aligned}$$

be the considered probability when \(\mathcal A\) has interacted with the compressed oracle instead and D is obtained by measuring its internal state (in the basis \(\{|D\rangle \}_{D \in \mathfrak {D}}\)). Then

$$ \sqrt{p} \le \sqrt{p'} + {\sqrt{\ell /|\mathcal{Y}|}}\, . $$

In Sect. 2.3 we give an alternative (and in typical cases tighter) such relation between the success probability of an algorithm interacting with the actual RO, and probabilities obtained by inspecting the compressed oracle instead.

2.2 The Quantum Transition Capacity and Its Relevance

The above discussion shows that, in order to bound the success probability p of an oracle algorithm \(\mathcal A\), it is sufficient to bound \(p''\), the probability of the database D, obtained by measuring the internal state of the compressed oracle after the interaction with \(\mathcal A\), satisfying a certain property (e.g., the property of there existing an x such that \(D(x) = 0\)).

To facilitate that latter, Chung et al. [CFHL21] introduced a framework that, in certain cases, allows to bound this alternative figure of merit by means of purely classical reasoning. We briefly recall here some of the core elements of this framework, which are relevant to us. Note that [CFHL21] considers the parallel-query model, where in each of the q (sequential) interactions with the RO, a q-query oracle algorithm \(\mathcal A\) can make k queries simultaneously in parallel. Here, we consider the (more) standard model of one query per interaction, i.e., setting \(k = 1\). On the other hand, we state and prove a slight generalization of Theorem 5.16 in [CFHL21] (when restricted to \(k = 1\)).

A subset \(\textsf{P}\subseteq \mathfrak {D}\) is called a database property. We say that \(D \in \mathfrak {D}\) satisfies \(\textsf{P}\) if \(D \in \textsf{P}\), and the complement of \(\textsf{P}\) is denoted \(\lnot \textsf{P}= \mathfrak {D}\setminus \textsf{P}\). For such a database property \(\textsf{P}\), [CFHL21] defines as the square-root of the maximal probability of D satisfying \(\textsf{P}\) when D is obtained by measuring the internal state of the compressed oracle after the interaction with \(\mathcal A\), maximized over all oracle quantum algorithms \(\mathcal A\) with query complexity q, i.e., in short

$$\begin{aligned} \llbracket {\boldsymbol{\bot }}{\mathop {\Longrightarrow }\limits ^{q}}\textsf{P}\rrbracket := \max _\mathcal{A} \sqrt{\Pr [D \in \textsf{P}] } \, . \end{aligned}$$

(1)

In the context of Lemma 2.1 for the case \(\mathcal{Z} = \emptyset \), we can define the database property \(\textsf{P}^R := \{ D \!\in \! \mathfrak {D}\,|\, \exists \, \textbf{x} \!\in \! \mathcal{X}^\ell \!: (\textbf{x},D(\textbf{x})) \!\in \! R \}\) induced by R, and thus bound

$$\begin{aligned} p'(\mathcal{A}) \le \Pr [ (\textbf{x},D(\textbf{x})) \!\in \! R ] \le \Pr [D \in \textsf{P}^R] \le \llbracket {\boldsymbol{\bot }}{\mathop {\Longrightarrow }\limits ^{q}}\textsf{P}^R\rrbracket ^2 \end{aligned}$$

(2)

for any oracle quantum algorithm \(\mathcal A\) with query complexity q.

Furthermore, Lemma 5.6 in [CFHL21] shows that for any target database property \(\textsf{P}\) and for any sequence \(\textsf{P}_0,\textsf{P}_1,\ldots ,\textsf{P}_q\) with \(\lnot \textsf{P}_0 = \{{\boldsymbol{\bot }}\}\) and \(\textsf{P}_q = \textsf{P}\),

$$\begin{aligned} \llbracket {\boldsymbol{\bot }}{\mathop {\Longrightarrow }\limits ^{q}}\textsf{P}\rrbracket \le \sum _{s=1}^q \llbracket \lnot \textsf{P}_{s-1}{\mathop {\rightarrow }\limits ^{}}\textsf{P}_s\rrbracket \, , \end{aligned}$$

(3)

where, for any database properties \(\textsf{P}\) and \(\textsf{P}'\), the definition of the quantum transition capacity \(\llbracket \textsf{P}{\mathop {\rightarrow }\limits ^{}}\textsf{P}'\rrbracket \) is recalled in the full version.

The nice aspect of the framework of [CFHL21] is that it provides means to manipulate and bound quantum transition capacities using purely classical reasoning, i.e., without the need to understand and work with the definition. Indeed, for instance Theorem 2.2 below, which is a variant of Theorem 5.17 in (the full version of) [CFHL21], shows how to bound \(\llbracket \textsf{P}{\mathop {\rightarrow }\limits ^{}}\textsf{P}'\rrbracket \) by means of a certain classical probability; furthermore, to facilitate the application of such theorems, [CFHL21] showed that the quantum transition capacity satisfies several natural manipulation rules, like \(\llbracket \textsf{P}{\mathop {\rightarrow }\limits ^{}}\textsf{P}'\rrbracket = \llbracket \textsf{P}'{\mathop {\rightarrow }\limits ^{}}\textsf{P}\rrbracket \) (i.e., it is symmetric), and

$$\begin{aligned} \begin{aligned} \llbracket \textsf{P}\cap \textsf{Q}{\mathop {\rightarrow }\limits ^{}}\textsf{P}'\rrbracket&\le \min \bigl \{ \llbracket \textsf{P}{\mathop {\rightarrow }\limits ^{}}\textsf{P}'\rrbracket , \llbracket \textsf{Q}{\mathop {\rightarrow }\limits ^{}}\textsf{P}'\rrbracket \bigr \} \qquad \text {and} \\ \min \bigl \{ \llbracket \textsf{P}{\mathop {\rightarrow }\limits ^{}}\textsf{P}'\rrbracket , \llbracket \textsf{P}{\mathop {\rightarrow }\limits ^{}} \textsf{Q}'\rrbracket \bigr \}&\le \llbracket \textsf{P}{\mathop {\rightarrow }\limits ^{}}\textsf{P}' \cup \textsf{Q}'\rrbracket \le \llbracket \textsf{P}{\mathop {\rightarrow }\limits ^{}}\textsf{P}'\rrbracket + \llbracket \textsf{P}{\mathop {\rightarrow }\limits ^{}}\textsf{Q}'\rrbracket \, , \end{aligned} \end{aligned}$$

(4)

which allow to decompose complicated capacities into simpler ones. Therefore, by means of the above series of inequalities with p from Lemma 2.1 on the left hand side, it is possible (in certain cases) to bound the success probability of any oracle quantum algorithm \(\mathcal A\) in the QROM by means of the following recipe: (1) Choose suitable transitions \(\textsf{P}_{s-1} \rightarrow \textsf{P}_s\), (2) decompose the capacities \(\llbracket \lnot \textsf{P}_{s-1}{\mathop {\rightarrow }\limits ^{}}\textsf{P}_s\rrbracket \) into simpler ones using manipulation rules as above, and (3) bound the simplified capacities by certain classical probabilities, exploiting results like Theorem 2.2.

In order to state and later use Theorem 2.2, we need to introduce the following additional concepts. As explained above, there is no need to actually spell out the definition of the quantum transition capacity in order to use Theorem 2.2; for completeness, and since it is needed for the proof of Theorem 2.2, we provide it in the full version (where we also give the proof of Theorem 2.2).

For any database \(D \in \mathfrak {D}\) and any \(x \in \mathcal X\), \( D|^x := \{ D[x \!\mapsto \! y] \mid y \in \mathcal{Y} \cup \{\bot \} \} \) denotes the set of all databases that coincide with D outside of x. Furthermore, for a database property \(\textsf{P}\),

$$ \textsf{P}|_{D|^x} := \{ y \in \mathcal{Y} \cup \{\bot \} \mid D[x \!\mapsto \! y] \in \textsf{P}\} \subseteq \mathcal{Y} \cup \{\bot \} $$

denotes the set of values y for which \(D[x \!\mapsto \! y]\) satisfies \(\textsf{P}\).

The following is a variation of Theorem 5.17 in (the full version of) [CFHL21], obtained by restricting k to 1. On the other hand, we exploit and include some symmetry that is not explicit in the original statement. The proof, given in the full version, is a small adjustment to the original proof.

Theorem 2.2

Let \(\textsf{P}\) and \(\textsf{P}'\) be database properties with trivial intersection, i.e., \(\textsf{P}\cap \textsf{P}' = \emptyset \), and for every \(D \in \mathfrak {D}\) and \(x \in \mathcal{X}\) let

$$ \textsf{L}^{x,D} := \left\{ \begin{array}{ll} \textsf{P}|_{D|^x} &{} \text {if }\bot \in \textsf{P}'|_{D|^x} \\ \textsf{P}'|_{D|^x} &{} \text {if }\bot \in \textsf{P}|_{D|^x} \; , \end{array}\right. $$

with \(\textsf{L}^{x,D}\) being either of the two if \(\bot \not \in \textsf{P}|_{D|^x} \cup \textsf{P}'|_{D|^x}\).⁴ Then

$$ \llbracket \textsf{P}{\mathop {\rightarrow }\limits ^{}}\textsf{P}'\rrbracket \le \max _{x,D}\sqrt{10 P\bigl [U \!\in \! \textsf{L}^{x,D} \bigr ]} \, , $$

where U is uniform over \(\mathcal Y\), and the maximization can be restricted to \(D \in \mathfrak {D}\) and \(x \in \mathcal X\) for which both \(\textsf{P}|_{D|^x}\) and \(\textsf{P}'|_{D|^x}\) are non-empty.

Remark 2.3

Both, \(\textsf{P}|_{D|^x}\) and \(\textsf{P}'|_{D|^x}\), and thus also \(\textsf{L}^{x,D}\), do not depend on the value of D(x), only on the values of D outside of x.

2.3 An Improved Variant of Zhandry’s Lemma

We show here an alternative to Zhandry’s lemma (Lemma 2.1), which offers a better bound in typical applications. To start with, note that Lemma 2.1 considers an algorithm \(\mathcal A\) that not only outputs \(\textbf{x} = (x_1,\ldots ,x_\ell )\) but also \(\textbf{y} = (y_1,\ldots ,y_\ell )\), where the latter is supposed to be the point-wise hash of \(\textbf{x}\); indeed, this is what is being checked in the definition of the probability p, along with \((\textbf{x},\textbf{y},z) \in R\). This requirement is somewhat unnatural, in that an algorithm \(\mathcal A\) for, say, finding a collision, i.e., \(x_1 \ne x_2\) with \(H(x_1) = H(x_2)\), does not necessarily output the (supposed to be equal) hashes \(y_1 = H(x_1)\) and \(y_2 = H(x_2)\). Of course, this is no problem since one can easily transform such an algorithm \(\mathcal A\) that does not output the hashes into one that does, simply by making a few more (classical) queries to the RO at the end of the execution, and then one can apply Lemma 2.1 to this tweaked algorithm \(\tilde{\mathcal{A}}\).

We show below that if we anyway consider this tweaked algorithm \(\tilde{\mathcal{A}}\), which is promised to query the RO to obtain and then output the hashes of \(\textbf{x} = (x_1,\ldots ,x_\ell )\), then we can actually improve the bound and avoid the square-roots in Lemma 2.1. On top, the proof is much simpler than Zhandry’s proof for his lemma. At the core is the following lemma; Coroallary 2.5 then puts it in a form that is comparable to Lemma 2.1 and shows the improvement.

Lemma 2.4

Let \(\mathcal A\) be an oracle quantum algorithm that outputs \(\textbf{x} = (x_1,...,x_\ell ) \in {\mathcal X}^\ell \) and \(z \in \mathcal Z\). Let \(\tilde{\mathcal A}\) be the oracle quantum algorithm that runs \(\mathcal A\), makes \(\ell \) classical queries on the outputs \(x_i\) to obtain \(\textbf{y} = H(\textbf{ x})\), and then outputs \((\textbf{x}, \textbf{y},z)\). When \(\tilde{\mathcal A}\) interacts with the compressed oracle instead, and at the end D is obtained by measuring the internal state of the compressed oracle, then, conditioned on \(\tilde{\mathcal A}\)’s output \((\textbf{x}, \textbf{y},z)\),

$$\begin{aligned} \Pr [ \textbf{y} \!=\! D(\textbf{x}) | (\textbf{x}, \textbf{y},z)]\ge 1 - \frac{2\ell }{|\mathcal Y|} \, . \end{aligned}$$

Proof

Consider first \(\tilde{\mathcal A}\) interacting with the purified (yet uncompressed) oracle. Conditioned on \(\tilde{\mathcal A}\)’s output \((\textbf{x}, \textbf{y},z)\), the state of the oracle is then supported by \(|H\rangle \) with \(H(x_i) = y_i\) for all \(i \in \{1,\ldots ,\ell \}\), i.e., the registers labeled by \(x_1,...,x_\ell \) are in state \(|y_1\rangle \cdots |y_\ell \rangle \). Given that the compressed oracle is obtained by applying \(\textsf{Comp}\) to all the registers, we thus have that

$$\begin{aligned} \Pr [y_i\!=\!y_i' | (\textbf{x}, \textbf{y},z)]&= \big |\langle y_i| \textsf{Comp} |y_i\rangle \big |^2 = \Big |\langle y_i| \Bigl (|y_i\rangle + \textstyle \frac{1}{\sqrt{|\mathcal Y|}}(|\bot \rangle - |\hat{0}\rangle )\Big )\Big |^2 \\&= \Big | 1 - {\textstyle \frac{1}{\sqrt{|\mathcal Y|}}}\langle y_i|\hat{0}\rangle \Big |^2 = \Big | 1 - {\textstyle \frac{1}{|\mathcal Y|}} \Big |^2 \ge 1 - \frac{2}{|\mathcal Y|} \, . \end{aligned}$$

Applying union bound concludes the claim.    \(\square \)

The following corollary of Lemma 2.4 is put in a form that can be nicely compared with Lemma 2.1, understanding that typically Lemma 2.1 is applied to \(\tilde{\mathcal A}\).

Corollary 2.5

Let \(R \subseteq \mathcal{X}^\ell \times \mathcal{Y}^\ell \times \mathcal{Z}\) be a relation. Let \(\mathcal A\) be an oracle quantum algorithm that outputs \(\textbf{x} \in \mathcal{X}^\ell \) and \(z \in \mathcal Z\), and let \(\tilde{\mathcal A}\) be as in Lemma 2.4. Let

$$ p_\circ (\mathcal{A}) := \Pr [ (\textbf{x},H(\textbf{x}),z) \in R ] $$

be the considered probability when \(\mathcal A\) has interacted with the RO. Furthermore, let \(p(\tilde{\mathcal{A}})\) and \(p'(\tilde{\mathcal{A}})\) be defined as in Lemma 2.1 (but now for \(\tilde{\mathcal{A}}\)). Then

$$ p_\circ (\mathcal{A}) = p(\tilde{\mathcal{A}}) \le p'(\tilde{\mathcal{A}}) + \frac{2\ell }{|\mathcal Y|} \, . $$

In the full version, we show yet another corollary of Lemma 2.4, where \(\tilde{\mathcal A}\) may make a more involved computation on \(\textbf{x}\), possibly calling H adaptively.

3 Some Background on (Non-)Interactive Proofs

Throughout this and later sections, we consider a hash function \(H: \mathcal{X} \rightarrow \mathcal{Y}\), to be modeled as a RO then. For concreteness and simplicity, we assume that all relevant variables are encoded as bit strings, and that we can therefore choose \(H: \{0,1\}^{\le B} \rightarrow \{0,1\}^n\) for sufficiently large B and n.⁵

Let \(\{\mathcal{I}_\lambda \}_{\lambda \in \mathbb N}\) and \(\{\mathcal{W}_\lambda \}_{\lambda \in \mathbb N}\) be two families of sets, with the members being labeled by the security parameter \(\lambda \in \mathbb N\). Let \(R_\lambda \subseteq \mathcal{I}_\lambda \times \mathcal{W}_\lambda \) be a relation that is polynomial-time computable in \(\lambda \). \(w \in \mathcal{W}_\lambda \) is called a witness for \({{\textbf {{\textsf {inst}}}}}\in \mathcal{I}_\lambda \) if \(R_\lambda ({{\textbf {{\textsf {inst}}}}},w)\), and \(L_\lambda \) is the language \(L_\lambda = \{{{\textbf {{\textsf {inst}}}}}\in \mathcal{I}_\lambda \mid \exists \, w \in \mathcal{W}_\lambda : R_\lambda ({{\textbf {{\textsf {inst}}}}},w) \}\).

Below, we recall some concepts in the context of interactive and non-interactive proofs for such families \(\{R_\lambda \}_{\lambda \in \mathbb N}\) of relations. We start by discussing the aspired security definition for non-interactive proofs.

3.1 Non-interactive Proofs and Online Extractability

An non-interactive proof in the random-oracle model for a family \(\{R_\lambda \}_{\lambda \in \mathbb N}\) of relations consists of a pair \((\mathcal{P},\mathcal{V})\) of oracle algorithms, referred to as prover and verifier, both making queries to the RO \(H: \mathcal{X} \rightarrow \mathcal{Y}\). The prover \(\mathcal P\) takes as input \(\lambda \in \mathbb N\) and an instance \({{\textbf {{\textsf {inst}}}}}\in L_\lambda \) and outputs a proof \(\pi \in \varPi _\lambda \), and \(\mathcal{V}\) takes as input \(\lambda \in \mathbb N\) and a pair \(({{\textbf {{\textsf {inst}}}}},\pi ) \in \mathcal{I}_\lambda \times \varPi _\lambda \) and outputs a Boolean value, 0 or 1, or \(\texttt {accept}\) or \(\texttt {reject}\). The verifier \(\mathcal{V}\) is required to run in time polynomial in \(\lambda \), while, per-se, \(\mathcal P\) may have unbounded running time.⁶

By default, we require correctness and soundness, i.e., that for any \(\lambda \in \mathbb N\) and any \({{\textbf {{\textsf {inst}}}}}\in L_\lambda \) the probability \( \Pr \bigl [\mathcal{V}^H(\lambda ,{{\textbf {{\textsf {inst}}}}},\pi ) : \pi \leftarrow \mathcal{P}^H(\lambda ,{{\textbf {{\textsf {inst}}}}})\bigr ] \) is close to 1, while for any \(\lambda \in \mathbb N\) and any oracle quantum algorithm \(\mathcal{P}^*\) with bounded query complexity the probability \( \Pr \bigl [ {{\textbf {{\textsf {inst}}}}}\not \in L_\lambda \, \wedge \, \mathcal{V}^H(\lambda ,{{\textbf {{\textsf {inst}}}}},\pi ) : ({{\textbf {{\textsf {inst}}}}}, \pi ) \leftarrow {\mathcal{P}^*}{}^H(\lambda ) \bigr ] \) is close to vanishing. The fact that the instance \({{\textbf {{\textsf {inst}}}}}\), for which \(\mathcal{P}^*\) tries to forge a proof, is not given as input to \(\mathcal{P}^*\) but is instead chosen by \(\mathcal{P}^*\) is referred to as \(\mathcal{P}^*\) being adaptive.

We now move towards defining online extractability (for adaptive \(\mathcal{P}^*\)). For that purpose, let \(\mathcal{P}^*\) be a dishonest prover as above, except that it potentially outputs some additional auxiliary (possibly quantum) output Z next to \(({{\textbf {{\textsf {inst}}}}}, \pi )\). We then consider an interactive algorithm \(\mathcal E\), called online extractor, which takes \(\lambda \in \mathbb N\) as input and simulates the answers to the oracle queries in the execution of \(\mathcal{V}^H \circ \mathcal{P}^*{}^H(\lambda )\), which we define to run \(({{\textbf {{\textsf {inst}}}}}, \pi ,Z) \leftarrow {\mathcal{P}^*}{}^H(\lambda )\) followed by \(v \leftarrow \mathcal{V}^H(\lambda ,{{\textbf {{\textsf {inst}}}}},\pi )\); furthermore, at the end, \(\mathcal E\) outputs \(w \in \mathcal{W}_\lambda \). We denote the execution of \(\mathcal{V}^H \circ \mathcal{P}^*{}^H(\lambda )\) with the calls to H simulated by \(\mathcal E\), and considering \(\mathcal E\)’s final output w as well, as \(({{\textbf {{\textsf {inst}}}}},\pi ,Z;v;w) \leftarrow \mathcal{V}^\mathcal{E} \circ \mathcal{P}^*{}^\mathcal{E}(\lambda )\).

Definition 3.1

A non-interactive proof in the (quantum-accessible) RO model (QROM) for \(\{R_\lambda \}_{\lambda \in \mathbb N}\) is a proof of knowledge with online extractability (PoK-OE) against adaptive adversaries if there exists an online extractor \(\mathcal E\), and functions \(\varepsilon _\textrm{sim}\) (the simulation error) and \(\varepsilon _\textrm{ex}\) (the extraction error), with the following properties. For any \(\lambda \in \mathbb N\) and for any dishonest prover \(\mathcal{P}^*\) with query complexity q,

$$\begin{aligned}&\delta \bigl ( [({{\textbf {{\textsf {inst}}}}},\pi ,Z,v)]_{\mathcal{V}^H \circ \mathcal{P}^*{}^H(\lambda )} , [({{\textbf {{\textsf {inst}}}}},\pi ,Z,v)]_{\mathcal{V}^\mathcal{E} \circ \mathcal{P}^*{}^\mathcal{E}(\lambda )} \bigr ) \le \varepsilon _\textrm{sim}(\lambda ,q,n) \qquad \text {and} \\ \Pr \bigl [&v = \texttt {accept} \,\wedge \, ({{\textbf {{\textsf {inst}}}}},w) \not \in R: ({{\textbf {{\textsf {inst}}}}},\pi ,Z;v;w) \leftarrow \mathcal{V}^\mathcal{E} \circ \mathcal{P}^*{}^\mathcal{E}(\lambda ) \bigr ] \le \varepsilon _\textrm{ex}(\lambda ,q,n) . \end{aligned}$$

Furthermore, the runtime of \(\mathcal E\) is polynomial in \(\lambda +q+n\), and \(\varepsilon _\textrm{sim}(\lambda ,q,n)\) and \(\varepsilon _\textrm{ex}(\lambda ,q,n)\) are negligible in \(\lambda \) whenever q and n are polynomial in \(\lambda \).

Remark 3.2

In the classical definition of a proof of knowledge, the extractor \(\mathcal E\) interacts with \(\mathcal{P}^*\) only, and the verifier \(\mathcal V\) is not explicitly involved, but would typically be run by \(\mathcal E\). Here, in the context of online extractability, it is necessary to explicitly go through the verification procedure, which also makes oracle queries, to determine whether a proof is valid, i.e., for the event \(v = \texttt {accept}\) to be well defined.

3.2 (Commit-and-Open) \(\varSigma \)-Protocols

A \(\varSigma \) -protocol is a 3-round public-coin interactive proof \((\mathcal{P},\mathcal{V})\) for a relation \(R_\lambda \subseteq \mathcal{I}_\lambda \times \mathcal{W}_\lambda \), indexed by the security parameter. From now on, we leave any dependencies on the security parameter implicit. We therefore simply write R etc. By definition, a \(\Sigma \)-protocol has the following communication pattern. In the first round, \(\mathcal P\) sends a first message a; in the second round, \(\mathcal V\) sends a random challenge \(c \in \mathcal C\); and in the third round, \(\mathcal P\) sends a response z. By a slight abuse of notation, we sometimes write \(\mathcal{V}({{\textbf {{\textsf {inst}}}}},a,c,z)\) for the predicate that determines whether \(\mathcal V\) accepts the transcript (a, c, z) on input \({{\textbf {{\textsf {inst}}}}}\).

For the purpose of this work, a commit-and-open \(\Sigma \)-protocol, or C &O \(\varSigma \) -protocol or C &O protocol for short, is a \(\Sigma \)-protocol \(\varPi =(\mathcal{P},\mathcal{V})\) of a special form, involving a hash function H that is modeled as a RO.⁷ Concretely, in a C &O protocol, the transcript (a, c, z) is of the following form. The first message a consists of commitments \(y_1,\ldots ,y_\ell \), computed as \(y_i = H(m_i)\) for messages \(m_1,\ldots ,m_\ell \in \mathcal M\), and possibly an additional string \(a_\circ \)⁸. The challenge c is picked uniformly at random from the challenge space \(\mathcal{C} \subseteq 2^{[\ell ]}\), which is set to be a subset of \(2^{[\ell ]}\). Finally, the response z is given by \(\textbf{m}_c = (m_i)_{i \in c}\). Eventually, \(\mathcal V\) accepts if and only if \(H(m_i)=y_i\) for all \(i \in c\) and some given predicate \(V({{\textbf {{\textsf {inst}}}}},c,\textbf{m}_c,a_\circ )\) is satisfied.

For the above to be meaningful, we obviously need that \(\mathcal{M} \subseteq \mathcal{X}\), i.e., the bit size of the possible \(m_i\)’s are upper bounded by B. Furthermore, the parameter n determines the hardness of finding a collision in H (in the random oracle model), and thus the level of binding the commitments provide.

Remark 3.3

Looking ahead, we may also consider a generalization of the above notion of a C &O protocol, where the first message is parsed as a single commitment y of the \(\ell \) messages \(m_1,\ldots ,m_\ell \) and where this commitment is computed by means of an arbitrary “multi-message” commitment scheme involving H, which has the property that any subset of \(m_1,\ldots ,m_\ell \) can be opened without revealing the remaining \(m_i\)’s. The above component-wise hashing is then one particular instantiation, but alternatively one can for instance also compute y by means of a Merkle tree (see Sect. 5.1), and then open individual \(m_i\)’s by revealing the corresponding authentication paths. We stress that the concepts discussed below: the notions of \(\mathfrak {S}\)-soundness and \(\mathfrak {S}\)-soundness\(^*\) and the probability \(p^{\mathfrak S}_{triv}\), do not depend on the choice of commitment scheme, and thus remain unaffected when considering such a Merkle-tree-based C &O protocol. To emphasize the default choice of the commitment scheme, which is element-wise hashing, we sometimes also speak of an ordinary C &O protocol.

3.3 \(\mathfrak {S}\)-soundness of C &O \(\varSigma \)-Protocols

We briefly recall the notion of \(\mathfrak {S}\)-soundness and \(\mathfrak {S}\)-soundness\(^*\) for C &O protocols, as considered in [DFMS21], which offers a convenient general notion of special soundness, or more generally k-soundness for C &O protocols. A similar notion of \(\mathfrak {S}\)-soundness naturally exists for plain \(\Sigma \)-protocols, i.e., \(\Sigma \)-protocols in the plain model. For completeness, we formalize the latter in the full version.

Here and below, given a C &O protocol \(\varPi \) with challenge space \(\mathcal{C} \subseteq 2^{[\ell ]}\), we let \(\mathfrak {S} \subseteq 2^\mathcal{C}\) be an arbitrary non-empty, monotone increasing set of subsets \(S \subseteq \mathcal C\), where the monotonicity means that \(S \in \mathfrak {S}\, \wedge \,S \subseteq S' \, \Rightarrow \, S' \in \mathfrak {S}\). We then also set \(\mathfrak {S}_{\min } := \{S \in \mathfrak {S} \mid S_\circ \subsetneq S \Rightarrow S_\circ \not \in \mathfrak {S} \}\) to be the minimal sets in \(\mathfrak {S}\).

For simplicity, the reader can consider \(\mathfrak {S} = \mathfrak {T}_k := \{ S \subseteq \mathcal{C} \mid |S| \ge k \}\) for some threshold k, and thus \(\mathfrak {S}_{\min } = \{ S \subseteq \mathcal{C} \mid |S| = k \}\). This then corresponds to the notion of k-soundness for C &O protocols, which in turn means that the witness can be computed from valid responses to k (or more) distinct challenges for a given first message \(y_1,\ldots ,y_\ell \), assuming the messages \(m_1,\ldots ,m_\ell \) to be uniquely determined by their commitments.

Definition 3.4

([DFMS21] Def. 5.1). A C &O protocol \(\varPi \) is \(\mathfrak {S}\)-sound if there exists an efficient deterministic algorithm \(\mathcal E_\mathfrak {S}({{\textbf {{\textsf {inst}}}}},m_1,\ldots ,m_\ell , a_\circ ,S)\) that takes as input an instance \({{\textbf {{\textsf {inst}}}}}\in \mathcal{I}\), messages \(m_1,\ldots ,m_\ell \in \mathcal{M} \cup \{\bot \}\), a string \(a_\circ \), and a set \(S \in \mathfrak {S}_{\min }\), and outputs a witness for \({{\textbf {{\textsf {inst}}}}}\) if \(V({{\textbf {{\textsf {inst}}}}}, c,\textbf{m}_c,a_\circ )\) for all \(c \in S\).⁹

A slightly stronger condition than \(\mathfrak {S}\)-soundness is the following variant, which differs in that the extractor needs to work as soon as there exists a set S as specified, without the extractor being given S as input. We refer to [DFMS21] for a more detailed discussion of this aspect. As explained there, whether S is given or not often makes no (big) difference.

For instance, when \(\mathfrak {S}_{\min }\) consists of a polynomial number of sets S then the extractor can do a brute-force search to find S, and so \(\mathfrak {S}\)-soundness\(^*\) is then implied by \(\mathfrak {S}\)-soundness. Also, the r-fold parallel repetition of a \(\mathfrak {S}\)-sound protocol, which by default is a \(\mathfrak {S}^{\vee r}\)-sound protocol (see [DFMS21]), is automatically \(\mathfrak {S}^\vee \)-sound\(^*\) if \(\mathfrak {S}_{\min }\) is polynomial in size: the extractor can then do a brute-force search in every repeated instance.

Definition 3.5

([DFMS21] Def. 5.2). A C &O protocol \(\varPi \) is \(\mathfrak {S}\)-sound\(^*\) if there exists an efficient deterministic algorithm \(\mathcal E^*_{\mathfrak {S}}({{\textbf {{\textsf {inst}}}}},m_1,\ldots ,m_\ell , a_\circ )\) that takes as input an instance \({{\textbf {{\textsf {inst}}}}}\in \mathcal{I}\) and strings \(m_1,\ldots ,m_\ell \in \mathcal{M} \cup \{\bot \}\) and \(a_\circ \), and it outputs a witness for \({{\textbf {{\textsf {inst}}}}}\) if there exists \(S \in \mathfrak {S}\) such that \(V({{\textbf {{\textsf {inst}}}}}, c,\textbf{m}_c,a_\circ )\) for all \(c \in S\).

As in [DFMS21], we define

$$\begin{aligned} p^{\mathfrak S}_{triv} := \frac{1}{|\mathcal {C}|} \max _{\hat{S} \not \in \mathfrak {S}} |\hat{S}| \, , \end{aligned}$$

(5)

capturing the “trivial” attack of picking a set \(\hat{S} = \{\hat{c}_1,\ldots ,\hat{c}_{m}\} \not \in \mathfrak {S}\) of challenges \(\hat{c}_i \in \mathcal {C}\) and then prepare \(\hat{\textbf{m}} = (\hat{m}_1,\ldots ,\hat{m}_\ell )\) and \(a_\circ \) in such a way that \(V({{\textbf {{\textsf {inst}}}}}, c, \hat{\textbf{m}}_c,a_\circ )\) holds if \(c \in \hat{S}\). After committing to \(\hat{m}_1,\ldots ,\hat{m}_\ell \), the prover can successfully answer to challenges \(c \in \hat{S}\).

3.4 The Fiat-Shamir Transformation of (C &O) \(\varSigma \)-Protocols

The Fiat-Shamir (FS) transformation [FS87] turns arbitrary \(\varSigma \)-protocols into non-interactive proofs in the random oracle model by setting the challenge \(c \in \mathcal C\) to be the hash of the instance and the first message a. For this transformation to work smoothly, it is typically assumed that \(|\mathcal{C}|\) is a power of 2 and its elements are represented as bit strings of size \(\log |\mathcal{C}|\), so that one can indeed set c to be (the first \(\log |\mathcal{C}|\) bits of) the hash \(H({{\textbf {{\textsf {inst}}}}},a)\). The assumption on \(|\mathcal{C}|\) is essentially without loss of generality (WLOG), since one can always reduce the size of \(|\mathcal{C}|\) to the next lower power of 2, at the cost of losing at most 1 bit of security. However, for a C &O \(\varSigma \)-protocol, where a challenge space \(\mathcal C\) is a (typically strict) subset of \(2^{[\ell ]}\), there is not necessarily a natural way to represent \(c \in \mathcal C\) as a bitstring of size \(\log |\mathcal{C}|\). Therefore, we will make it explicit that the challenge-set \(c \in \mathcal{C} \subset 2^{[\ell ]}\) is computed from the “raw randomness” \(H({{\textbf {{\textsf {inst}}}}}, y_1,\ldots ,y_\ell , a_\circ )\) in a deterministic way as \(c = \gamma \circ H({{\textbf {{\textsf {inst}}}}}, y_1,\ldots ,y_\ell , a_\circ )\) for an appropriate function \(\gamma : \mathcal{Y} \rightarrow \mathcal{C}\), mapping a uniformly random hash in \(\mathcal Y\) to a random challenge-set in \(\mathcal C\). Obviously, for \(H({{\textbf {{\textsf {inst}}}}}, y_1,\ldots ,y_\ell , a_\circ )\) to be defined, in addition to \(\mathcal{M} \subseteq \mathcal{X}\) we also need that \(\mathcal{I}\times \mathcal{Y}^\ell \subseteq \mathcal X\), which again just means that B needs to be large enough. We write \(\textsf{FS}[\varPi ]\) for the FS transformation of a (C &O) \(\varSigma \)-protocol \(\varPi \).

Remark 3.6

Additionally, we need that n is sufficiently large, so that there is a sufficient amount of randomness in the hash value \(H({{\textbf {{\textsf {inst}}}}}, y_1,\ldots ,y_\ell )\) in order to be mapped to a random \(c \in \mathcal C\). The canonical choice for \(\gamma \) is then the function that the interactive verifier applies to his local randomness to compute the random challenge \(c \in \mathcal{C}\). To simplify the exposition, we assume that n is indeed sufficiently large. Otherwise, one can simply set \(\mathcal{Y} := \{0,1\}^{n'}\) instead, for sufficiently large \(n'\), and then let \(y_i\) be \(H(m_i)\) truncated to the original number n of bits again. This truncation has no effect on our results.

Remark 3.7

We assume WLOG that the two kinds of inputs to H, i.e., \(m_i\) and \(({{\textbf {{\textsf {inst}}}}}, y_1,\ldots ,y_\ell , a_\circ )\), are differently formatted, e.g., bit strings of different respective sizes or prefixes (this is referred to as domain separation). In other words, we assume that \(\mathcal{M}\) and \(\mathcal{I}\times \mathcal{Y}^\ell \) are disjoint.

Remark 3.8

When considering the adaptive security of a FS transformation \(\textsf{FS}[\varPi ]\) of a C &O protocol \(\varPi \) for a relation R, the additional string \(a_\circ \), which may be part of the first message a of the original protocol \(\varPi \), may WLOG be considered to be part of the instance \({{\textbf {{\textsf {inst}}}}}\) instead.

Indeed, any dishonest prover \(\mathcal{P}^*\) against \(\textsf{FS}[\varPi ]\), which (by Definition 3.1) outputs an instance \({{\textbf {{\textsf {inst}}}}}\) and a proof \(\pi = (a_\circ , y_1,\ldots y_\ell )\), can alternatively be parsed as a dishonest prover that outputs an instance \({{\textbf {{\textsf {inst}}}}}' = ({{\textbf {{\textsf {inst}}}}}, a_\circ )\) and a proof \(\pi ' = (y_1,\ldots y_\ell )\). Thus, \(\mathcal{P}^*\) can be parsed as a dishonest prover against \(\textsf{FS}[\varPi ']\), where the C &O protocol \(\varPi '\) works as \(\varPi \), except that \(a_\circ \) is considered as part of the instance, rather than as part of the first message, and thus \(\varPi '\) is a C &O protocol for the relation \((({{\textbf {{\textsf {inst}}}}},a_\circ ),w)\in R' :\Leftrightarrow ({{\textbf {{\textsf {inst}}}}},w)\in R\).¹⁰ Therefore, security (in the sense of Definition 3.1) for \(\textsf{FS}[\varPi ']\) implies that of \(\textsf{FS}[\varPi ]\).

4 Online Extractability of the FS-Transformation: The Case of Ordinary C &O Protocols

We now consider the FS transformation \(\textsf{FS}[\varPi ]\) of an ordinary C &O protocol \(\varPi \). Our goal is to show that \(\textsf{FS}[\varPi ]\) admits online extraction. We note that by exploiting Remark 3.8, we may assume WLOG that the first message of \(\varPi \) consists of the commitments \(y_1,\ldots ,y_\ell \) only, and no additional string \(a_\circ \). In Sect. 5, we then consider the case of Merkle-tree-based C &O protocols.

Our analysis of \(\textsf{FS}[\varPi ]\) uses the framework of Chung et al. [CFHL21], discussed and outlined in Sect. 2. Thus, at the core of our analysis is a bound on a certain quantum transition capacity. This is treated in the upcoming subsection.

4.1 Technical Preface

We first introduce a couple of elementary database properties (related to CoLlisions and the SiZe of the database) that will be useful for us:

$$ \textsf{CL}:= \{D \,|\, \exists \, x \!\ne \! x':D(x) \!=\! D(x') \!\ne \! \bot \} \;\text { and }\; \textsf{SZ}_{\le s}:= \{D \,|\, \#\{z|D(z) \!\ne \! \bot \}\le s \} . $$

Next, for an instance \({{\textbf {{\textsf {inst}}}}}\in \mathcal{I}\), we want to specify the database property that captures a cheating prover that succeeds in producing an accepting proof while fooling the extractor. For the purpose of specifying this database property, we introduce the following notation. For a given database \(D \in \mathfrak {D}\) and for a commitment \(y \in \mathcal Y\), we define \(D^{-1}(y)\) to be the smallest \(x \in \mathcal X\) with \(D(x) = y\), with the convention that \(D^{-1}(y) := \bot \) if there is no such x, as well as \(D^{-1}(\bot ):=\bot \). By removing collisions, we ensure that there is at most one such x; thus, taking the smallest one in case of multiple choices is not important but only for well-definedness. The database property of interest can now be defined as

$$\begin{aligned} \textsf{SUC}:= \!\left\{ D \,\bigg |\, \begin{array}{c}\exists \, \textbf{y} \in \mathcal{Y}^\ell \text { and }{{\textbf {{\textsf {inst}}}}}\in \mathcal{I}\text { so that } \textbf{m}:= D^{-1}(\textbf{y}) \text { satisfies} \\ V({{\textbf {{\textsf {inst}}}}},c,\textbf{m}_c) \text { for } c := \gamma \circ D({{\textbf {{\textsf {inst}}}}}, \textbf{y}) \,\;\text {and}\;\, \big (inst,\mathcal{E}^*({{\textbf {{\textsf {inst}}}}}, \textbf{m})\big ) \not \in R \end{array} \right\} \! . \end{aligned}$$

(6)

Informally, assuming no collisions (i.e., restricting to \(D \not \in \textsf{CL}\)), the database property \(\textsf{SUC} \) captures whether a database D admits a valid proof \(\pi = (\textbf{y},\textbf{m}_c)\) for an instance \({{\textbf {{\textsf {inst}}}}}\) for which the (canonical) extractor, which first computes \(\textbf{m}\) by inverting D and then runs \(\mathcal{E}^*\), fails to produce a witness.

Our (first) goal is to show that \(\llbracket \bot {\mathop {\Longrightarrow }\limits ^{q}}\textsf{SUC} \cup \textsf{CL}\rrbracket \) is small, capturing that it is unlikely that after q queries the compressed database contains collisions or admits a valid proof upon which the extractor fails. Indeed, we show the following, where \(p^{\mathfrak S}_{triv}\) is the trivial cheating probability of \(\varPi \) as defined in (5).

Lemma 4.1

\( \llbracket \bot {\mathop {\Longrightarrow }\limits ^{q}}\textsf{SUC} \cup \textsf{CL}\rrbracket \le 2eq^{3/2} 2^{-n/2} + q \sqrt{10 \max \left( q \ell \cdot 2^{-n}, p_{triv}^{\mathfrak S}\right) } \).

We begin with an outline of the proof. In a first step, by using (3) and union-bound-like properties of the transition capacity, and additionally exploiting a bound from [CFHL21] to control the transition capacity of \(\textsf{CL}\), we reduce the problem to bounding the quantum transition capacity \( \llbracket \textsf{SZ}_{\le s}\backslash \textsf{SUC} {\mathop {\rightarrow }\limits ^{}}\textsf{SUC} \rrbracket \) for \(s<q\). Informally, this capacity is a measure of the “likelihood” — but then in a quantum-sense — that a database \(D \in \mathfrak {D}\) that is bounded in size and not in \(\textsf{SUC} \) turns into a database \(D'\) that is in \(\textsf{SUC} \), when D is updated to \(D' = D[x\!\mapsto \!U]\) with U uniformly random in \(\mathcal Y\), for any fixed x.

We emphasize that the state of the compressed oracle at any point is a superposition of databases, and a query is made up of a superposition of inputs; nevertheless, due to Theorem 2.2, the above classical intuition is actually very close to what needs to be shown to rigorously bound the considered quantum transition capacity. Formally, as will become clear in the proof below, we need to show that for any database \(D \in \textsf{SZ}_{\le s}\backslash \textsf{SUC} \) and for any \(x \in \mathcal X\) with \(D(x) = \bot \), the probability that \(D[x\!\mapsto \!U] \in \textsf{SUC} \) is small. Below, this probability is bounded in the Case 2 and Case 3 parts of the proof, where the two cases distinguish between x being a “commit query” or a “challenge query”.

Informally, for D with \(D(x) = \bot \), if x is a “commit query” then assigning a value to D(x) can only turn \(D \not \in \textsf{SUC} \) into \(D[x\!\mapsto \!u] \in \textsf{SUC} \), if u is a coordinate of some \(\textbf{y} \in \mathcal{Y}^\ell \) for which \(D({{\textbf {{\textsf {inst}}}}}, \textbf{y}) \ne \bot \) for some \({{\textbf {{\textsf {inst}}}}}\). Indeed, otherwise, \(D[x\!\mapsto \!u]\) does not contribute to a valid proof \(\pi \) that did not exist before. Thus, given the bound \(s < q\) on the size of D, this happens with probability at most \(q\ell /2^n\) for a random u. Similarly, if x is a “challenge query”, i.e. of the form \(x = ({{\textbf {{\textsf {inst}}}}},\textbf{y})\), then assigning a value u to D(x) can only make a difference if \(V({{\textbf {{\textsf {inst}}}}},c, \textbf{m}_c)\) is satisfied for \(c = \gamma (u)\) and \(\textbf{m} = D^{-1}(\textbf{y})\), while \(\mathcal{E}^*({{\textbf {{\textsf {inst}}}}}, \textbf{m})\) is not a witness for \({{\textbf {{\textsf {inst}}}}}\). However, for a random u, this is bounded by \(p_{triv}^{\mathfrak S}\).

But then, on top of the above, due to the quantum nature of the quantum transition capacity,¹¹ Theorem 2.2 requires to also show the “reverse”, i.e., that for any \(D \in \textsf{SUC} \) and for any \(x \in \mathcal X\) with \(D(x) \ne \bot \), the probability that \(D[x\!\mapsto \!U] \in \textsf{SZ}_{\le s}\backslash \textsf{SUC} \) is small; this is analyzed in Case 1 below.

Thus, by exploiting the framework of [CFHL21], the core of the reasoning is purely classical, very closely mimicking how one would have to reason the classical setting with a classical RO. Due to the rather complex definition of \(\textsf{SUC} \), the formal argument in each case is still somewhat cumbersome.

Proof

We first observe that, by (3) (which is Lemma 5.6 in [CFHL21]) and basic properties of the quantum transition capacity as in (4),

$$\begin{aligned}&\llbracket \bot {\mathop {\Longrightarrow }\limits ^{q}}\textsf{SUC} \cup \textsf{CL}\rrbracket \le \sum _{s=0}^{q-1} \llbracket \textsf{SZ}_{\le s}\backslash \textsf{SUC} \backslash \textsf{CL}{\mathop {\rightarrow }\limits ^{}}\textsf{SUC} \cup \textsf{CL}\cup \lnot \textsf{SZ}_{\le s+1}\rrbracket \nonumber \\&\le \sum _{s=0}^{q-1} \big (\llbracket \textsf{SZ}_{\le s}{\mathop {\rightarrow }\limits ^{}}\lnot \textsf{SZ}_{\le s+1}\rrbracket + \llbracket \textsf{SZ}_{\le s}\backslash \textsf{CL}{\mathop {\rightarrow }\limits ^{}}\textsf{CL}\rrbracket + \llbracket \textsf{SZ}_{\le s}\backslash \textsf{SUC} {\mathop {\rightarrow }\limits ^{}}\textsf{SUC} \rrbracket \big ) \, . \end{aligned}$$

(7)

The first term, \(\llbracket \textsf{SZ}_{\le s}{\mathop {\rightarrow }\limits ^{}}\lnot \textsf{SZ}_{\le s+1}\rrbracket \), vanishes, while the second term was shown to be bounded as

$$\begin{aligned} \llbracket \textsf{SZ}_{\le s}\backslash \textsf{CL}{\mathop {\rightarrow }\limits ^{}}\textsf{CL}\rrbracket \le 2e\sqrt{(s+1)/|\mathcal{Y}|} \le 2e\sqrt{q/2^n} \end{aligned}$$

(8)

in Example 5.28 in [CFHL21]. Thus, it remains to control the third term, which we will do by means of Theorem 2.2 with \(\textsf{P}:= \textsf{SZ}_{\le s}\setminus \textsf{SUC} \) and \(\textsf{P}' := \textsf{SUC} \).

To this end, we consider arbitrary but fixed \(D \in \mathfrak {D}\) and input \(x \in \mathcal X\). By Remark 2.3, we may assume that \(D(x) = \bot \). Furthermore, for \(\textsf{P}|_{D|^x}\) to be non-empty, it must be that \(D \in \textsf{SZ}_{\le s}\), i.e., D is bounded in size. We now distinguish between the following cases for the considered D and x.

Case 1: \(D \in \textsf{SUC} \). In particular, \(\bot \in \textsf{SUC} |_{D|^x} = \textsf{P}'_{D|^x}\). So, Theorem 2.2 instructs us to set \(\textsf{L}:= \textsf{P}_{D|^x}\), where we leave the dependency of \(\textsf{L}\) on D and x implicit to simplify notation. Given that \(D \in \textsf{SUC} \), we can consider \({{\textbf {{\textsf {inst}}}}}\) and \(\textbf{y}\) as promised by the definition of \(\textsf{SUC} \) in (6), i.e., such that \(V({{\textbf {{\textsf {inst}}}}},c, \textbf{m}_{c})\) and \(\big ({{\textbf {{\textsf {inst}}}}},\mathcal{E}^*({{\textbf {{\textsf {inst}}}}}, \textbf{m})\big ) \not \in R\) for

$$ c := \gamma \circ D({{\textbf {{\textsf {inst}}}}}, \textbf{y}) \quad \text {and}\quad m_i: = D^{-1}(y_i) \, , $$

where it is understood that \(\textbf{m} = (m_1,\ldots ,m_\ell )\). Recall that \(D(x) = \bot \); thus, by definition of the \(m_i\)’s, it must be that \(x \ne m_i\) for all i, and the fact that \(V({{\textbf {{\textsf {inst}}}}},c, \textbf{m}_{c})\) is satisfied for c as defined implies that \(x \ne ({{\textbf {{\textsf {inst}}}}}, \textbf{y})\). Furthermore,

$$ u \in \textsf{L}\,\Longleftrightarrow \, D[x \!\mapsto \! u] \in \textsf{P}\,\Longrightarrow \, D[x \!\mapsto \! u] \not \in \textsf{SUC} \,\Longrightarrow \, u \in \{y_1,\ldots ,y_\ell \} \, , $$

where the last implication is easiest seen by contraposition: Assume that \(u \not \in \{y_1,\ldots ,y_\ell \}\). Then, also recalling that \(x \ne m_i\), we have that \(m_i = D^{-1}(y_i) = D[x \!\mapsto \! u]^{-1}(y_i)\). But also \(c = \gamma \circ D({{\textbf {{\textsf {inst}}}}}, \textbf{y}) = \gamma \circ D[x \!\mapsto \! u]({{\textbf {{\textsf {inst}}}}}, \textbf{y})\). Together, this implies that the defining property of \(\textsf{SUC} \) is also satisfied for \(D[x \!\mapsto \! u]\), i.e., \(D[x \!\mapsto \! u] \in \textsf{SUC} \), as was to be shown. Thus, we can bound

$$\begin{aligned} P[U \!\in \! \textsf{L}] \le P[ U \!\in \! \{y_1,\ldots ,y_\ell \}] \le \frac{\ell }{|\mathcal{Y}|} \, . \end{aligned}$$

(9)

Case 2: \(D \not \in \textsf{SUC} \), and x is a “commit query”, i.e., \(x=m \in \mathcal {M}\). In particular, \(\bot \not \in \textsf{P}'|_{D|^x}\) (by the assumption that \(D(x)=\bot \)) and so in light of Theorem 2.2 we may choose \(\textsf{L}:= \textsf{P}'|_{D|^x}\). We then have

$$\begin{aligned} u \in \textsf{L}\,\Longleftrightarrow \, D[x \!\mapsto \! u] \in \textsf{P}' = \textsf{SUC} \,\Longrightarrow \, \exists \, {{\textbf {{\textsf {inst}}}}},\textbf{y}, i: D({{\textbf {{\textsf {inst}}}}}, \textbf{y}) \ne \bot \,\wedge \, u = y_i \, . \end{aligned}$$

(10)

The last implication can be seen as follows. By definition of \(\textsf{SUC} \), the assumption \(D[x \!\mapsto \! u] \in \textsf{SUC} \) implies the existence of \({{\textbf {{\textsf {inst}}}}}\) and \(\textbf{y} = (y_1,\ldots ,y_\ell )\) with \(V({{\textbf {{\textsf {inst}}}}},c, \textbf{m}_{c})\) and \(\big ({{\textbf {{\textsf {inst}}}}},\mathcal{E}^*({{\textbf {{\textsf {inst}}}}}, \textbf{m})\big ) \not \in R\) for

$$ c := \gamma \circ D[x \!\mapsto \! u]({{\textbf {{\textsf {inst}}}}}, \textbf{y}) = \gamma \circ D({{\textbf {{\textsf {inst}}}}}, \textbf{y}) \quad \text {and}\quad m_i: = D[x \!\mapsto \! u]^{-1}(y_i) \, , $$

where the equality in the definition of c exploits that x is not a “challenge” query. With the goal to reach a contradiction, assume that \(u \ne y_i\) for all i. This assumption implies that \(D[x \!\mapsto \! u](x) = u \ne y_i\). But also \(D(x) = \bot \ne y_i\), and hence for all \(\xi \in \mathcal X\) and \(i \in \{1,\ldots ,\ell \}\): \(D(\xi ) = y_i \,\Leftrightarrow \, D[x \!\mapsto \! u](\xi ) = y_i\). Therefore, \(m_i = D[x \!\mapsto \! u]^{-1}(y_i) = D^{-1}(y_i)\) for all i, and the above then implies that \(D \in \textsf{SUC} \), a contradiction. Thus, there exists i for which \(u = y_i\); furthermore, \(D({{\textbf {{\textsf {inst}}}}}, \textbf{y}) \ne \bot \) given that \(V({{\textbf {{\textsf {inst}}}}},u, \textbf{m}_{c})\) is satisfied for \(c = \gamma \circ D({{\textbf {{\textsf {inst}}}}}, \textbf{y}) \). This shows the claimed implication. Thus, we can bound

$$\begin{aligned} P[U \!\in \! \textsf{L}] \le P[\, \exists \, {{\textbf {{\textsf {inst}}}}},\textbf{y}, i : D({{\textbf {{\textsf {inst}}}}}, \textbf{y}) \ne \bot \,\wedge \, u = y_i ] \le s \ell /|\mathcal{Y}| \le q \ell /|\mathcal{Y}| \, . \end{aligned}$$

(11)

Case 3: \(D \not \in \textsf{SUC} \), and x is a “challenge query”, i.e., \(x = ({{\textbf {{\textsf {inst}}}}}, \textbf{y}) \in \mathcal{I}\times \mathcal{Y}^\ell \). Set \(\textbf{m} = (m_1,\ldots ,m_\ell )\) for \(m_i := D^{-1}(y_i)\). Again, we have that \(\bot \not \in \textsf{SUC} |_{D|^x} = \textsf{P}'_{D|^x}\), and so by Theorem 2.2 we may set \(\textsf{L}:= \textsf{P}'_{D|^x}\). Here, we can argue that

$$\begin{aligned} u \in \textsf{L}\Longleftrightarrow D[x \!\mapsto \! u] \in \textsf{P}' =\textsf{SUC} \Longrightarrow V({{\textbf {{\textsf {inst}}}}},u, \textbf{m} _{\gamma (u)}){\wedge } \big ({{\textbf {{\textsf {inst}}}}},\mathcal{E}^*({{\textbf {{\textsf {inst}}}}}, \textbf{m})\big ) \not \in R \, , \end{aligned}$$

where the final implication can be seen as follows. By definition of \(\textsf{SUC} \), the assumption \(D[x \!\mapsto \! u] \in \textsf{SUC} \) implies the existence of \({{\textbf {{\textsf {inst}}}}}'\) and \(\textbf{y}' = (y'_1,\ldots ,y'_\ell )\) with \(V({{\textbf {{\textsf {inst}}}}}',u, \textbf{m}'_{c})\) and \(\mathcal{E}^*({{\textbf {{\textsf {inst}}}}}', \textbf{m}') \ne w\) for

$$ c := \gamma \circ D[x \!\mapsto \! u]({{\textbf {{\textsf {inst}}}}}', \mathbf{y'}) \quad \text {and}\quad m'_i: = D[x \!\mapsto \! u]^{-1}(y'_i) = D^{-1}(y'_i) \, , $$

where the very last equality exploits that x is not a “commit” query. With the goal to come to a contradiction, assume that \(({{\textbf {{\textsf {inst}}}}}',\mathbf{y'}) \ne ({{\textbf {{\textsf {inst}}}}}, \textbf{y}) = x\). Then, \(c = \gamma \circ D[x \!\mapsto \! u]({{\textbf {{\textsf {inst}}}}}', \mathbf{y'}) = \gamma \circ D({{\textbf {{\textsf {inst}}}}}', \mathbf{y'})\), and the above then implies that \(D \in \textsf{SUC} \), a contradiction. Thus, \(({{\textbf {{\textsf {inst}}}}}',\mathbf{y'}) = ({{\textbf {{\textsf {inst}}}}}, \textbf{y}) = x\). In particular, \(\textbf{m}' = \textbf{m}\) and \(c = \gamma \circ D[x \!\mapsto \! u]({{\textbf {{\textsf {inst}}}}}', \mathbf{y'}) = \gamma \circ D[x \!\mapsto \! u](x) = \gamma (u)\). Hence, the claimed implication holds.

Thus, we can bound

$$\begin{aligned}&P[U \!\in \! \textsf{L}] \le P[V({{\textbf {{\textsf {inst}}}}},\gamma (U), \textbf{m}_{\gamma (U)}) \, \wedge \, \mathcal{E}^*({{\textbf {{\textsf {inst}}}}}, \textbf{m} ) \ne w] \nonumber \\&\le P[V({{\textbf {{\textsf {inst}}}}},\gamma (U), \textbf{m}_{\gamma (U)}) \, \wedge \, S := \{ c \,|\, V({{\textbf {{\textsf {inst}}}}}, c, \textbf{m}_{c}) \} \not \in \mathfrak {S} ] \nonumber \\&\le P[\gamma (U) \in S := \{ c \,|\, V({{\textbf {{\textsf {inst}}}}}, c, \textbf{m}_{c}) \} \not \in \mathfrak {S} ] \le \max _{S \not \in \mathfrak {S}}P[\gamma (U) \in S ] \le p_{triv}^{\mathfrak S} \, . \end{aligned}$$

(12)

By Theorem 2.2, we now get

$$\begin{aligned}&\llbracket \textsf{SZ}_{\le s}\backslash \textsf{SUC} \backslash \textsf{CL}{\mathop {\rightarrow }\limits ^{}}\textsf{SUC} \rrbracket \le \max _{x,D}\sqrt{10 P\bigl [U \!\in \! \textsf{L}^{x,D} \bigr ]} \\&\le \sqrt{10}\sqrt{ \max \left( \ell /|\mathcal{Y}|,q \ell /|\mathcal{Y}|, p_{triv}^{\mathfrak S}\right) }\le \sqrt{10}\sqrt{ \max \left( q \ell \cdot 2^{-n}, p_{triv}^{\mathfrak S}\right) }, \end{aligned}$$

where we have used Eqs. (9), (11) and (12) in the second inequality. Combining with Eqs. (8) and (7) yields the desired bound.    \(\square \)

4.2 Online Extractability of the Fiat-Shamir Transformation

We are now ready to state and proof the claimed online-extractability result for the FS transformation of (ordinary) C &O protocols.

Theorem 4.2

Let \(\varPi \) be a \(\mathfrak {S}\)-sound\(^*\) ordinary C &O protocol with challenge space \(\mathcal{C}_\lambda \) and \(\ell = \ell (\lambda )\) commitments, and set \(\kappa = \kappa (\lambda ) := \max _{c\in \mathcal{C}_\lambda }|c|\). Then, \(\textsf{FS}[\varPi ]\) is a PoK-OE in the QROM (as in Definition 3.1), with \( \varepsilon _\textrm{sim}(\lambda ,q,n) = 0\) and

$$\begin{aligned} \varepsilon _\textrm{ex}(\lambda ,q,n)&\le 2(\kappa +1) \cdot 2^{-n} + \bigg (2eq^{3/2}2^{-n/2} + q \sqrt{10 \max \left( q \ell \cdot 2^{-n}, p_{triv}^{\mathfrak S}\right) }\bigg )^2 \\&\le (22\ell +60 )q^{3}2^{-n} + 20 q^2 p_{triv}^{\mathfrak S} \, . \end{aligned}$$

The runtime of the extractor is dominated by running the compressed oracle, which has complexity \(O(q^2) \cdot poly(n,B)\), and running \(\mathcal{E}^*\).

We note that the above bound on \(\varepsilon _\textrm{ex}\) is asymptotically tight, except for the factor \(\ell \). Indeed, the binding property of the hash-based commitment can be invalidated by means of a collision finding attack, which succeeds with probability \(\varOmega (q^{3}/2^{n})\). Furthermore the trivial soundness attack, which potentially applies to a \(\mathfrak {S}\)-sound\(^*\) C &O protocol \(\varPi \), can be complemented with a Grover search, yielding an attack against \(\textsf{FS}[\varPi ]\) that succeeds with probability \(\varOmega (q^2 p_{triv}^{\mathfrak S})\). The non-tightness by a factor of \(\ell \) is very mild in most cases. In particular, the number of commitments \(\ell \) is polynomial in \(\lambda \) and thus in n. For the most common case of a parallel repetition of a protocol with a constant number of commitments, using a hash function with output length linear in \(\lambda \) (e.g. \(n=3\lambda \)) results in \(\ell =O(n)=O(\lambda )\).

Proof

We consider an arbitrary but fixed \(\lambda \in \mathbb N\). For simplicity, we assume that |c| is the same for all \(c \in \mathcal{C}_{\lambda }\), and thus equal to \(\kappa = \kappa (\lambda )\). If it is not, we could always make the prover output a couple of dummy outputs \(m_i\) to match the upper bound on |c|. Let \(\mathcal P^*\) be a dishonest prover that, after making q queries to a RO H, outputs \(({{\textbf {{\textsf {inst}}}}},\pi )=({{\textbf {{\textsf {inst}}}}},\textbf{y},\textbf{m}_\circ )\) plus some (possibly quantum) auxiliary output Z. In the experiment \(\mathcal{V}^\mathcal{E} \circ \mathcal{P}^*{}^\mathcal{E}(\lambda )\), our extractor \(\mathcal E\) works as follows while simulating all queries to H (by \(\mathcal P^*\) and \(\mathcal V\)) with the compressed oracle:

1. 1.

   Run \(\mathcal P^*(\lambda )\) to obtain \(({{\textbf {{\textsf {inst}}}}},\pi ,Z)\) where \(\pi =(\textbf{y},\textbf{m}_\circ )\) with \(\textbf{m}_\circ = (m_1,\ldots ,m_\kappa )\).

2. 2.

   Run \(\mathcal{V}(\lambda ,{{\textbf {{\textsf {inst}}}}},\pi )\) to obtain v. In detail: obtain \(h_0 := H({{\textbf {{\textsf {inst}}}}},\textbf{y})\) and \(h_j := H(m_j)\) for \(j \in \{1,\ldots ,\kappa \}\), and set \(v := \texttt {accept}\) if and only if the pair consisting of \(\textbf{x} = \big ( ({{\textbf {{\textsf {inst}}}}}, \textbf{y}),m_1,\ldots ,m_\kappa \big )\) and \(\textbf{h} = (h_0,h_1,\ldots ,h_\kappa )\) satisfies the relation \(\tilde{R}\), defined to hold if and only if

   $$ (h_1,\ldots ,h_\kappa ) = \textbf{y}_c \quad \wedge \quad V({{\textbf {{\textsf {inst}}}}},c,\textbf{m}_\circ ) \quad \text {where} \quad c := \gamma (h_0) \, . $$
3. 3.

   Measure the internal state of the compressed oracle to obtain D.

4. 4.

   Run \(\mathcal{E}^*({{\textbf {{\textsf {inst}}}}},\textbf{m})\) on input \({{\textbf {{\textsf {inst}}}}}\) and \(\textbf{m} := D^{-1}(\textbf{y})\) to obtain w.

Note that in the views of both \(\mathcal P^*\) and \(\mathcal V\), the interaction with H and the interaction with \(\mathcal E\) differ only in that their oracle queries are answered by a compressed oracle instead of a real random-oracle in the latter case. This simulation is perfect and therefore \(\varepsilon _\textrm{sim}(\lambda ,q,n) = 0\).

Considering \(\mathcal{P}^*\) as the algorithm \(\mathcal A\) in Lemma 2.4, the additional classical oracle queries that \(\mathcal V\) performs in \(\mathcal{V} \circ \mathcal{P}^*\) then match up with the algorithm \(\tilde{\mathcal{A}}\), with \(h_0,\ldots ,h_\kappa \) here playing the role of \(y_1,\ldots ,y_\ell \) in Lemma 2.4. Thus,

$$\begin{aligned} \Pr \bigl [ \textbf{h} \ne D(\textbf{x}) \bigr ] \le 2(\kappa (\lambda )+1)\cdot 2^{-n} \, . \end{aligned}$$

Therefore, we can bound the figure of merit \(\varepsilon _\textrm{ex}\) as

$$\begin{aligned} \varepsilon _\textrm{ex}(\lambda ,q,n)&= \Pr \bigl [v = \texttt {accept} \,\wedge \, ({{\textbf {{\textsf {inst}}}}},w)\notin R\bigr ] \\&= \Pr \bigl [ (\textbf{x}, \textbf{h}) \in \tilde{R} \,\wedge \, ({{\textbf {{\textsf {inst}}}}},w)\notin R\bigr ] \\&\le \Pr \bigl [ \big (\textbf{x}, D(\textbf{x})\big ) \in \tilde{R} \,\wedge \, ({{\textbf {{\textsf {inst}}}}},w)\notin R\bigr ] + 2(\kappa (\lambda )+1)\cdot 2^{-n} \\&\le \Pr [\big (\textbf{x}, D(\textbf{x})\big ) \in \tilde{R} \,\wedge \, ({{\textbf {{\textsf {inst}}}}},w)\notin R \,|\, D \not \in \textsf{SUC} \cup \textsf{CL}] \\&\qquad + \Pr [D \in \textsf{SUC} \cup \textsf{CL}] + 2(\kappa (\lambda )+1)\cdot 2^{-n} \, . \end{aligned}$$

Using the definition of \(\tilde{R}\), understanding that \(c := \gamma \circ D({{\textbf {{\textsf {inst}}}}},\textbf{y})\), we can write the first term as

$$\begin{aligned} \Pr \bigl [&D(\textbf{m}_{\circ }) = \textbf{y}_c \, \wedge \, V(\lambda , {{\textbf {{\textsf {inst}}}}}, c, \textbf{m}_{\circ }) \,\wedge \, ({{\textbf {{\textsf {inst}}}}},w)\notin R \,|\, D \not \in \textsf{SUC} \cup \textsf{CL}\bigr ]\\&\le \Pr \bigl [ V(\lambda , {{\textbf {{\textsf {inst}}}}}, c, \textbf{m}_c) \text { for } \textbf{m}:= D^{-1}(\textbf{y}) \,\wedge \, ({{\textbf {{\textsf {inst}}}}},w)\notin R \,|\, D \not \in \textsf{SUC} \cup \textsf{CL}\bigr ]\\&\le \Pr \bigl [D\in \textsf{SUC} \,|\, D \not \in \textsf{SUC} \cup \textsf{CL}\bigr ] = 0 \, , \end{aligned}$$

where the first equality exploits that \(D(m) = y\) iff \(m = D^{-1}(y)\) for \(D \not \in \textsf{CL}\).

We may thus conclude that

$$\begin{aligned} \varepsilon _\textrm{ex}(\lambda ,q,n)&\le (2\kappa (\lambda )+1)\cdot 2^{-n} + \Pr \bigl [D\in \textsf{SUC} \cup \textsf{CL}\bigr ] \\&\le (2\kappa (\lambda )+1)\cdot 2^{-n} + \llbracket \bot {\mathop {\Longrightarrow }\limits ^{q}}\textsf{SUC} \cup \textsf{CL}\rrbracket ^2 \, , \end{aligned}$$

using Eq. (1) in the last inequality. The bound now follows from Lemma 4.1.    \(\square \)

5 Online Extractability of the FS-Transformation: The Case of Merkle-tree-based C &O Protocols

For an ordinary C &O protocol with reasonable concrete security (e.g., 128 bits), the number of commitments \(\ell \) might be considerable. In this case, the communication complexity of the protocol (and thus the size of the non-interactive proof system, or digital-signature scheme, obtained via the FS transformation) can be reduced by using a Merkle tree to collectively commit to the \(\ell \) strings \(m_i\). Such a construction is mentioned in [Fis05], and it is used in the construction of the digital-signature schemes Picnic2 and Picnic3 [KKW18, KZ20, CDG+19a]. The Merkle-tree-based C &O mechanism shrinks the commitment information from \(\ell \cdot n\) to n, at the expense of increasing the cost of opening |c| values \(m_i\) by an additive term of about \(\lessapprox |c|\cdot n\cdot \log \ell \).

The cost of opening can, in fact, be slightly reduced again, by streamlining the opening information. When opening several leaves of a Merkle tree, the authentication paths overlap, so opening requires a number of hash values less than h per leaf, where h is the height of the tree. This overlap was observed and exploited in the octopus authentication algorithm which constitutes one of the optimizations of the stateless hash-based signature scheme gravity-SPHINCS [AE18], as well as in Picnic2 and Picnic3 [KZ20]. In the following section, we formalize tree-based collective commitment schemes with “octopus” opening.

5.1 Merkle-Tree-Based C &O Protocols

In line with Remark 3.3, we can consider C &O protocols with a different choice of commitment scheme, compared to the default choice of committing by element-wise hashing. Here, we discuss a particular choice of an alternative commitment scheme, which gives rise to more efficient C &O protocols in certain cases when \(\ell \) is large. Informally, we consider C &O protocols where \(m_1,\ldots ,m_\ell \) is committed to by using a Merkle tree, and individual \(m_i\)’s are opened by announcing the corresponding authentication paths.

To make this more formal, we introduce the following notation (see the full version for a formal discussion, and see Fig. 1 for an example). For simplicity, we assume that \(\ell \) is a power of 2. We write \(\textsf{MTree}_H(\textbf{m})\) for the Merkle tree of messages \(\textbf{m} = (m_1,\ldots ,m_\ell )\) computed using hash function H; more formally, the (labels of the) vertices in the Merkle tree are recursively computed as \(l_v(\textbf{m}) := H\big (l_{v\Vert 0}(\textbf{m}) \Vert l_{v\Vert 1}(\textbf{m})\big )\), with the leaves being the hashes of the \(m_i\)’s. \(\textsf{MRoot}_H(\textbf{m})\) then denotes the root of the Merkle tree. Furthermore, for \(c \subseteq [\ell ]\), we write \(\textsf{MAuth}_H(c, \textbf{m})\) for the union of the authentication paths for all messages \(m_i\) with \(i \in c\), and the octopus \(\textsf{MOcto}_H(c, \textbf{m})\) denotes all the vertices needed to compute all the authentication paths in \(\textsf{MAuth}_H(c, \textbf{m})\), but excluding the hashes of the actual messages \(m_i\) with \(i \in c\) (see Fig. 1).

Fig. 1.

The Merkle tree \(\textsf{MTree}_H(\textbf{m})\) for \(\textbf{m} = (m_1,\ldots ,m_8)\) with \(\textsf{MRoot}_H(\textbf{m}) = y\). The yellow vertices mark the octopus \(\textsf{MOcto}_H(\{1\},\textbf{m})\), which is revealed (along with \(m_1\)) when opening the commitment y to \(m_1\). (Color figure online)

A Merkle-tree-based C &O protocol is now defined to be a variation of a C &O protocol, as hinted at in Remark 3.3, where the first message of the protocol, i.e., the commitment of \(\textbf{m} = (m_1,\ldots ,m_\ell )\), is computed as \(y = \textsf{MRoot}_H(\textbf{m})\), and the response z for challenge-set c then consists of the messages \(\textbf{m}_c = (m_i)_{i \in c}\) together with \(O = \textsf{MOcto}_H(c,\textbf{m})\). The verifier \(\mathcal V\) then accepts if and only if \(\textbf{m}_c\) and O “hash down to” y and the predicate \(V(\lambda ,{{\textbf {{\textsf {inst}}}}},c,\textbf{m}_c,a)\) is satisfied. More formally, the former means that \(\mathcal V\) computes \(\textsf{MAuth}_H(c, \textbf{m})\) from \(O \cup \{(\textrm{lf}(i),H(m_i)) \,|\, i \in c \}\) in the obvious way, and then checks whether \(l_{\emptyset }(\textbf{m}) = y\). This verification is denoted by \(\textit{OctoVerify}^{H}(c,y,{\textbf{m}}_{c},O)\).

Looking ahead, we may also consider a variation where the verifier resamples the challenge c if the resulting octopus is bigger than a given bound. Formally, this means that the challenge space of the Merkle-tree-based C &O protocol is restricted to those challenges \(c \in [\ell ]\) for which \(\textsf{Octo}(c)\) is not too large.

5.2 Online Extractability of the Fiat-Shamir Transformation

The analysis in Sect. 4 can be generalized to the case of FS-transformed Merkle-tree-based C &O protocols. To that end, we generalize the notation from that section as follows. Let \(\varPi \) be a Merkle-tree-based C &O protocol with number of messages to be committed equal to \(\ell =2^h\) where h is the height of the commitment Merkle tree.¹²

For a given database \(D \in \mathfrak {D}\), recall from Sect. 4 the definition of \(D^{-1}\); applied to a tuple \(\textbf{y} = (y_1,\ldots ,y_\ell ) \in \mathcal{Y}^\ell \) of commitments, \(D^{-1}\) attempts to recover the corresponding committed messages \(m_1,\ldots ,m_\ell \). Here, in a similar spirit but now considering the Merkle-tree commitment, \(\textsf{MRoot}_D^{-1}\) attempts to recover the committed messages from the root label of the Merkle tree.

In more detail, for a commitment \(y \in \mathcal{Y} = \{0,1\}^{n}\) we reverse engineer the Merkle tree in the obvious way; namely, accepting a small clash in notation with the labeling function \(l_v(\textbf{m})\) defined for a tuple \(\textbf{m} \in \mathcal{M}^\ell \), we set the root label \(l_\emptyset (y) := y\), and recursively define

$$ \big (l_{v\Vert 0}(y) , l_{v\Vert 1}(y)\big ) := \textsf{split} \circ D^{-1}\big (l_v(y)\big ) \in \mathcal{Y} \times \mathcal{Y} $$

for \(\emptyset \ne v \in \{0,1\}^{\le h}\), where \(\textsf{split}\) maps any 2n-bit string, parsed as \(y_1\Vert y_2\) with \(y_1,y_2 \in \{0,1\}^{n}\), to the pair \((y_1,y_2)\) of n-bit strings, while it maps anything else to \((\bot ,\bot )\). Then, accepting a small clash in notation again, we set

$$ \textsf{MTree}_D(y) := \{ l_v(y) \,|\, v \in \{0,1\}^{\le h} \} \, , $$

and finally, with \(\textrm{lf}(i)\) denoting the i-th leaf in the tree,

$$ \textsf{MRoot}_D^{-1}(y) := \big (D^{-1}\bigl (l_{\textrm{lf}(1)}(y)\bigr ),\ldots ,D^{-1}\bigl (l_{\textrm{lf}(\ell )}(y)\bigr )\big ) \, . $$

Following the strategy we used in Sect. 4, we define the database property

$$\begin{aligned} \textsf{SUC}:= \left\{ D \,\bigg |\, \begin{array}{c}\exists \, y \in \mathcal{Y}\text { and }{{\textbf {{\textsf {inst}}}}}\in \mathcal{I}\text { so that } \textbf{m}:= \textsf{MRoot}_D^{-1}(y)\text { satisfies} \\ V({{\textbf {{\textsf {inst}}}}},c,\textbf{m}_c) \text { for } c := \gamma \circ D({{\textbf {{\textsf {inst}}}}}, y) \;\text {and}\; \big (inst,\mathcal{E}^*({{\textbf {{\textsf {inst}}}}}, \textbf{m})\big ) \not \in R \end{array} \right\} , \end{aligned}$$

and our first goal is to show that \(\llbracket \bot {\mathop {\Longrightarrow }\limits ^{q}}\textsf{SUC} \cup \textsf{CL}\rrbracket \) is small.

Lemma 5.1

\( \llbracket \bot {\mathop {\Longrightarrow }\limits ^{q}}\textsf{SUC} \cup \textsf{CL}\rrbracket \le 2eq^{3/2}2^{-n/2} + q\sqrt{10 \max \left( q \ell \cdot 2^{-n+1}, p_{triv}^{\mathfrak S}\right) } \, . \)

The proof works exactly as the proof of Lemma 4.1, accounting for some syntactic differences due to the Merkle tree commitment. In particular, where in Case 1 and 2 of the proof of Lemma 4.1 we have to exclude U from falling on one of the hash values \(y_1,\ldots , y_\ell \) in order to keep the \(\textbf{m}\) that was constructed from the database intact, we now have a similar restriction for U, but with respect to the whole tree \(\textsf{MTree}_D(y)\). The full proof can be found in the full version.

Similarly to Theorem 4.2, we now obtain the following.

Theorem 5.2

Let \(\varPi \) be an \(\mathfrak {S}\)-sound\(^*\) Merkle-tree-based C &O protocol with challenge space \(\mathcal{C}_\lambda \). Then \(\mathsf FS[\varPi ]\) is a PoK-OE in the QROM (as in Definition 3.1), with \(\varepsilon _\textrm{sim}(\lambda ,q,n) = 0\) and

$$\begin{aligned} \varepsilon _\textrm{ex}(\lambda ,q,n)&\le 2(\kappa \log \ell +1) \cdot 2^{-n} \!\!+ \Big (2eq^{3/2}2^{-n/2} \!\!+ q\sqrt{ 10 \max \left( q \ell \cdot 2^{-n+1}, p_{triv}^{\mathfrak S}\right) } \Big )^2 \\&\le \left( 22\ell \log \ell +60\right) q^32^{-n}+20 q^2 p_{triv}^{\mathfrak S} \end{aligned}$$

where \(\kappa = \kappa (\lambda ) := \max _{c\in \mathcal{C}_\lambda }|c|\) and \(\ell \) is the number of leaves of the Merkle-tree-based commitment. The running time of the extractor is dominated by running the compressed oracle, which has complexity \(O(q^2) \cdot poly(n,B)\), and by computing \(\textsf{MRoot}_D^{-1}(y)\) and running \(\mathcal{E}^*\).

Here again the proof follows exactly the outline of its counterpart from Sect. 4.2, with some minor alterations to cope with the formalism of a Merkle-tree based C &O \(\Sigma \)-protocol. The difference in the bound is simply due to the difference between Lemmas 4.1 and 5.1. We refer to the full version for the full proof.

5.3 Discussion: Application to Picnic, and Limiting the Proof Size

Application to Picnic. A prominent use case of C &O protocols is the construction of digital signature schemes via the FS transformation. An important example is Picnic [CDG+17] currently under consideration as an alternate candidate in the NIST standardization process for post-quantum cryptographic schemes [NIS]. On a high level, the design of Picnic can be described as follows. A C &O \(\Sigma \)-protocol is constructed using the MPC-in-the-head paradigm [IKOS07]. Then, the FS transformation is applied in the usual way to obtain a digital signature scheme. There are three evolutions of Picnic: Picnic-FS, Picnic 2 and Picnic 3.¹³ Picnic-FS uses plain hash-based commitments, while Picnic 2 and Picnic 3 use a Merkle-tree-based collective commitment.

All three evolutions enjoy provable post-quantum security when the hash function used for the FS transformation is modeled as a (quantum-accessible) RO. The best reduction applying to all of them proceeds as follows. First, Unruh’s rewinding lemma [Unr12] is used to construct a knowledge extractor for the underlying \(\Sigma \)-protocol based on an appropriate \(\mathfrak S\)-soundness notion. Then, the generic QROM reduction for the FS transformation from [DFMS19] is used to construct a knowledge extractor for the signature scheme in the QROM from the extractor for the \(\Sigma \)-protocol. Finally, the technique from [GHHM21] is used for simulating the chosen-message oracle to reduce breaking NMA (no-message attack) security to breaking CMA (chosen-message attack) security. This final step connects to the previous one because for the signature scheme the witness extracted from an NMA attacker is the secret key.

The first two steps, i.e. Unruh’s rewinding and [DFMS19], are not tight: The former loses at least a fifth power in the Picnic case, and the latter a factor of \(q^2\), where q is the number of RO queries. This means that an NMA attacker with success probability \(\epsilon \) can be used to break the underlying hard problem with probability \(\varOmega (\epsilon ^5/q^{10})\) (or worse, depending on the Picnic variant).

For Picnic-FS (only), when in addition modeling the hash function used for the commitments as a RO, Unruh’s rewinding can be replaced with tight online extraction from [DFMS21]. The remaining loss due to the FS reduction is of order \(\epsilon /q^2\), up to some additive terms accounting for search and collision finding in the RO, a sizable improvement over the above but still not tight.

By analyzing the FS transformation of a C &O protocol (with or without Merkle tree commitments) directly, our results provide a tight alternative to the above lossy reductions. Using Theorems 4.2 (for Picnic-FS) and 5.2 (for Picnic 2 and Picnic 3) we can avoid all multiplicative/power losses in the reduction for NMA security. An NMA attacker with success probability \(\epsilon \) can thus be used to break the underlying hard problem with probability \(\varOmega (\epsilon )\), up to unavoidable additive terms due to search and collision finding in the RO.

An Observation About Octopus Opening Sizes. Depending on the parameters of the C &O protocol, the octopus opening information, \(\textsf{MOcto}(c,\textbf{m})\) can be much smaller than the concatenation of the individual authentication paths. On the other hand, it is also variable in size (namely dependent on the choice of the challenge c), and the variance can be significant (see e.g. the computations for gravity SPHINCS in [AE18]). In the context of a digital signature scheme constructed via the FS transformation of a Merkle-tree-based C &O protocol, like, e.g., Picnic 2 and Picnic 3, this leads to the undesirable property of a variable signature size, where signatures can be quite a bit larger in the worst case than on average. This might, e.g., lead to problems when looking for a drop-in replacement for quantum-broken digital signature schemes for use in a larger protocol, where signatures need to be stored in a data field of fixed size.

One option to mitigate this situation is to cut off the tail of the octopus size distribution, i.e. to restrict the challenge space of the Merkle-tree-based C &O protocol to challenges whose octopus is not larger than some bound. This can be done before applying the FS transformation, e.g. using rejection sampling. In that way, one obtains a digital signature scheme with significantly reduced worst case signature size, at the expense of a tiny security loss.