Provable secure post-quantum signature scheme based on isomorphism of polynomials in quantum random oracle model

Abstract

Since a quantum adversary is supposed to be able to perform hash computation with superposition of the quantum bits, it is natural that in random oracle model, the reduction algorithm for security proof should allow the quantum adversary to query random oracle in superposition of quantum bits. However, due to physical nature of quantum states, any observation on a superposition of quantum bits will be noticed by quantum adversaries. Hence, to simulate the true random oracle, the reduction algorithm has to answer the queries without observing their content. This makes the classical reduction algorithms fail to properly perform rewinding and random oracle programming against quantum adversaries and it has been shown recently that several signature schemes generated by Fiat-Shamir transformation might be insecure against quantum adversaries although they have been proven secure in classical setting against classical adversaries. In this paper, we propose a method to construct reduction algorithm without rewinding of quantum adversary and such that the random oracle programming is unnoticeable by the quantum adversary except with negligible probability. We show the feasibility of our method by applying it on signature scheme generated via Fiat-Shamir transformation of an identification scheme whose security is based on the decisional problem of isomorphism of polynomials with two secrets.