Quantum zero-knowledge proofs and quantum proofs of knowledge are
inherently difficult to analyze because their security analysis uses
rewinding. Certain cases of quantum rewinding are handled by the
results by Watrous (SIAM J Comput, 2009) and Unruh (Eurocrypt 2012),
yet in general the problem remains elusive. We show that this is not
only due to a lack of proof techniques: relative to an oracle, we show
that classically secure proofs and proofs of knowledge are insecure in
the quantum setting.
More specifically, sigma-protocols, the Fiat-Shamir construction, and
Fischlin\'s proof system are quantum insecure under assumptions that
are sufficient for classical security. Additionally, we show that for
similar reasons, computationally binding commitments provide almost no
security guarantees in a quantum setting.
To show these results, we develop the \"pick-one trick\", a general
technique that allows an adversary to find one value satisfying a
given predicate, but not two.