Making Existential-Unforgeable Signatures Strongly Unforgeable in the Quantum Random-Oracle Model

Notice: This research summary and analysis were automatically generated using AI technology. For accuracy, please refer to the original arXiv paper.

Strongly unforgeable signature schemes provide a more stringent security guarantee than standard existential unforgeability: not only must it be hard to forge a signature on a new message, it must also be infeasible to produce a new signature on a message for which the adversary has already seen valid signatures. Strongly unforgeable signatures are useful both in practice and as a building block in many cryptographic constructions. This work investigates a generic transformation, proposed by Teranishi et al. and proven secure in the classical random-oracle model, that compiles any existential-unforgeable scheme into a strongly unforgeable one. Our main contribution is showing that the transformation also works against quantum adversaries in the quantum random-oracle model. We develop proof techniques, such as adaptively programming a quantum random oracle in a new setting, which could be of independent interest. Applying the transformation to an existential-unforgeable signature scheme due to Cash et al., which can be shown to be quantum-secure assuming certain lattice problems are hard for quantum computers, we obtain an efficient quantum-secure strongly unforgeable signature scheme in the quantum random-oracle model.


💡 Research Summary

The paper addresses the problem of upgrading any digital signature scheme that is existentially unforgeable under adaptive chosen‑message attack (EU‑ACMA) to one that is strongly unforgeable (SU‑ACMA), in the presence of quantum adversaries. Strong unforgeability is the stricter notion: an attacker must be unable to produce a new valid signature on a previously signed message, in addition to being unable to forge signatures on fresh messages. This property is needed by many higher‑level constructions, such as CCA‑secure encryption, blind signatures, and group signatures, where a re‑randomised signature on an old message would already break the surrounding protocol.

Historically, a generic transformation due to Teranishi, Oyama, and Ogata (the TOO transformation) converts any EU‑ACMA scheme into an SU‑ACMA scheme. The original proof works only in the classical random‑oracle model (RO) and relies on a specific chameleon hash function whose security rests on the discrete‑logarithm problem. Since discrete logarithms are efficiently computable with Shor’s algorithm, that instantiation offers no security against quantum adversaries. Moreover, the classical proof techniques (recording every oracle query, re‑programming the oracle at points of the reduction’s choosing) do not carry over to the quantum random‑oracle model (QRO), in which the adversary may query the oracle on a superposition of inputs.

The authors make two key observations. First, the TOO transformation does not fundamentally depend on the discrete‑log based hash; any collision‑resistant chameleon hash suffices. Second, if both the underlying EU‑ACMA signature scheme and the chameleon hash are quantum‑secure, then the transformed scheme remains quantum‑secure in the QRO model. To substantiate this claim they develop a novel proof technique for adaptively programming a quantum random oracle.
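To make the conversion concrete, here is an added toy model in Python. It is my illustration, not code from the paper or from Teranishi et al., and it assumes the shape of the conversion as I read it from this summary: the underlying scheme signs a chameleon hash value c of a random dummy pre‑image, the trapdoor then re‑opens c to the pre‑image H(m, σ), the final signature is (σ, r), and the verifier recomputes c = CH(H(m, σ), r) before running the underlying verifier. The chameleon hash is the discrete‑log one (Krawczyk‑Rabin style, g^m · y^r, the kind the original TOO proof used), the underlying scheme is a Schnorr signature whose verifier deliberately does not range‑check s, so (R, s) and (R, s + q) both verify (a stand‑in for a scheme that is EU‑ACMA but not SU‑ACMA), and the group is a 128‑bit safe prime found at start‑up, far too small for real use. All function names (too_sign, ch_collide, h_int and so on) and the sample message are mine.

```python
# Toy model of the chameleon-hash (TOO-style) conversion; added illustration, not
# code from the paper. Parameters are far too small for real use.
import hashlib
import secrets

def is_probable_prime(n: int) -> bool:
    """Miller-Rabin with fixed bases; adequate for an offline toy."""
    bases = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)
    if n < 2 or any(n % b == 0 for b in bases):
        return n in bases
    d, t = n - 1, 0
    while d % 2 == 0:
        d, t = d // 2, t + 1
    for a in bases:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(t - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True

def safe_prime_group(start: int = 1 << 127):
    """Deterministic search for a safe prime p = 2q + 1; g = 4 has order q."""
    q = start | 1
    while not (is_probable_prime(q) and is_probable_prime(2 * q + 1)):
        q += 2
    return 2 * q + 1, q, 4

P, Q, G = safe_prime_group()

def h_int(*parts) -> int:
    """Stand-in for the random oracle H: SHA-256 of length-prefixed parts, mod Q."""
    h = hashlib.sha256()
    for x in parts:
        b = x if isinstance(x, bytes) else str(x).encode()
        h.update(len(b).to_bytes(4, "big") + b)
    return int.from_bytes(h.digest(), "big") % Q

# Discrete-log chameleon hash CH(m, r) = g^m * y^r; trapdoor x = log_g(y).
def ch_keygen():
    x = secrets.randbelow(Q - 1) + 1
    return pow(G, x, P), x            # (evaluation key ek, trapdoor tk)

def ch_hash(ek: int, m: int, r: int) -> int:
    return pow(G, m, P) * pow(ek, r, P) % P

def ch_collide(tk: int, m: int, r: int, m_new: int) -> int:
    """Trapdoor: r' such that CH(m_new, r') == CH(m, r)."""
    return (r + (m - m_new) * pow(tk, -1, Q)) % Q

# Underlying scheme: Schnorr. The verifier deliberately does not range-check s, so
# (R, s) and (R, s + Q) both verify: existentially but not strongly unforgeable.
def base_keygen():
    sk = secrets.randbelow(Q - 1) + 1
    return pow(G, sk, P), sk

def base_sign(sk: int, msg):
    k = secrets.randbelow(Q - 1) + 1
    R = pow(G, k, P)
    return R, (k + h_int(R, msg) * sk) % Q

def base_verify(pk: int, msg, sig) -> bool:
    R, s = sig
    return pow(G, s, P) == R * pow(pk, h_int(R, msg), P) % P

# The conversion: sign the chameleon hash c of a random dummy pre-image, then use
# the trapdoor to re-open c to H(m, sigma), so the signature bits are bound too.
def too_keygen():
    pk, sk = base_keygen()
    ek, tk = ch_keygen()
    return (pk, ek), (sk, ek, tk)

def too_sign(skp, msg: bytes):
    sk, ek, tk = skp
    m0, r0 = secrets.randbelow(Q), secrets.randbelow(Q)
    c = ch_hash(ek, m0, r0)
    sigma = base_sign(sk, c)
    return sigma, ch_collide(tk, m0, r0, h_int(msg, *sigma))

def too_verify(pkp, msg: bytes, sig) -> bool:
    pk, ek = pkp
    sigma, r = sig
    return base_verify(pk, ch_hash(ek, h_int(msg, *sigma), r), sigma)

def demo(msg: bytes = b"transfer 100 to bob"):   # constructed sample message
    """(base verifies, base accepts mauled, converted verifies, converted accepts mauled)."""
    pk, sk = base_keygen()
    R, s = base_sign(sk, msg)
    pkp, skp = too_keygen()
    (R2, s2), r2 = too_sign(skp, msg)
    return (base_verify(pk, msg, (R, s)),
            base_verify(pk, msg, (R, s + Q)),          # malleable: still accepted
            too_verify(pkp, msg, ((R2, s2), r2)),
            too_verify(pkp, msg, ((R2, s2 + Q), r2)))  # same maul now rejected

if __name__ == "__main__":
    print(demo())   # (True, True, True, False)
```

The last two checks are the point: the mauled (R, s + q) still verifies under the base scheme, but under the converted scheme H(m, σ) now covers the signature bits, so the mauled σ hashes to a different chameleon‑hash pre‑image and re‑opening c to it would require a chameleon‑hash collision (or a collision in H). What the code cannot show is the paper’s actual contribution, namely that this argument survives an adversary who queries H in superposition.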

In the QRO setting two obstacles arise. (1) The reduction cannot simply record every query: a superposition query touches many inputs at once, and measuring it to extract them would disturb the adversary’s state. (2) Re‑programming the oracle at a point the adversary may already have queried, possibly in superposition, can be noticed, because the adversary’s state may already depend on the old value there. The authors handle the first issue by measuring one randomly chosen query of the adversary; at the cost of a polynomial loss in the reduction, the probability that this measurement yields the target point remains non‑negligible. For the second issue they exploit the hardness of finding collisions in the chameleon hash. They consider two quantum‑accessible functions: the all‑zero function and a function that marks exactly those inputs whose pre‑images would break the collision‑resistance of the chameleon hash. Under the collision‑resistance assumption these two functions are quantum‑indistinguishable, since any adversary that tells them apart could be used to find a marked input; the argument parallels the Grover lower bound for searching an unknown marked set. Consequently the oracle can be switched between the two functions without the adversary noticing, which is what makes adaptive re‑programming possible.

With this machinery, the authors prove the main theorem: given any quantum‑safe EU‑ACMA signature scheme Σ and any quantum‑safe collision‑resistant chameleon hash family H, the TOO transformation yields a quantum‑safe SU‑ACMA scheme Σ′ in the QRO model.

To demonstrate practicality, they instantiate Σ with the lattice‑based (Bonsai‑tree) signature of Cash, Hofheinz, Kiltz, and Peikert, which is EU‑ACMA under the hardness of the Short Integer Solution (SIS) problem. They also use the lattice‑based chameleon hash from the same work, which rests on the same assumption. Plugging these into the transformation produces an efficient, strongly unforgeable signature scheme that remains secure against quantum adversaries in the QRO model.

The paper situates its contribution among related work. Boneh and Zhandry studied adversaries that may query the signing oracle itself in superposition; their transformations address that stronger threat model rather than the upgrade from existential to strong unforgeability considered here. Unruh’s transformation of Σ‑protocols into signatures yields SU‑ACMA signatures in the QRO model but incurs a large overhead in signature size and running time. Merkle‑tree constructions can also achieve SU‑ACMA from one‑time signatures, yet they are stateful and less efficient. The present work therefore offers a more efficient and conceptually simple path to quantum‑secure strong unforgeability.

In summary, the authors extend a classical generic transformation to the quantum setting by introducing a new adaptive programming technique for quantum random oracles, and they provide concrete lattice‑based instantiations. This advances both the theory of quantum‑secure reductions and the practical deployment of strongly unforgeable signatures in a post‑quantum world.

