I'm looking for a quantitative yet simple proof of the EUF-CMA security of a signature scheme obtained by Fiat-Shamir transform.
Recall the Fiat-Shamir transform starts from a 3-pass identification protocol with messages $(I,r,s)$, where $I$ is the prover's commitment, challenge $r$ is chosen uniformly at random in set $\Omega$ by the verifier, $s$ is the proof. It uses a hash $H$ into $\Omega$.
Generation of key pair $(\mathrm{pk},\mathrm{sk})$ in the signature scheme is as in the identification protocol. To sign message $M$, prover generates $I$ as in the identification protocol, computes $r:=H(I,M)$, then $s$ as in the identification protocol, then signature¹ $\sigma:=(I,s)$. The verification algorithm computes $r:=H(I,M)$ then applies the same verification procedure as the identification protocol, that is, checks $\mathcal V(\mathrm{pk},r,s)=I$.
By quantitative, I mean we assume an adversary can break the signature scheme with probability at least $\epsilon$ with time/effort $t$, $Q_S$ queries to the signature oracle, $Q_H$ queries to the hash oracle, and obtain some upper bound on the probability that an adversary can break the identification scheme with some time/effort.
I'm fine with a bound that's within a constant factor from optimal; requiring whatever plausible property on the 3-pass identification scheme, such as $I$ being uniformly random in some large enough set; $H$ being modeled as a random oracle; whatever algorithm being random polynomial time or even made deterministic (including using a PRG seeded with $\mathrm{sk}$ and $M$ for the random tape of the algorithm generating $I$, thus making the signature deterministic).
I know a standard reference is David Pointcheval and Jacques Stern's Security Arguments for Digital Signatures and Blind Signatures, in Journal of Cryptology, 2000, but I'd like something simpler and more focused.
¹ The signature can also be $\sigma:=(r,s)$ or $\sigma:=(I,r,s)$, and there's a comparatively simple, tight security reduction between the three.
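
The construction described in the question, instantiated with Schnorr identification as an added example that is not part of the original post. It shows the $(I,s)$ signature, the check $\mathcal V(\mathrm{pk},r,s)=I$, and the public conversions between the $(I,s)$ and $(r,s)$ forms from the footnote. Assumptions: the toy group parameters, SHA-256 standing in for $H$, the HMAC-derived nonce, and all function names are constructed for illustration.

```python
import hashlib, hmac

# Toy Schnorr group (constructed, far too small for real use): p = 2q + 1, g of order q.
P, Q, G = 2039, 1019, 4

def H(I, M):
    """Hash into Omega = Z_q, standing in for the random oracle."""
    return int.from_bytes(hashlib.sha256(I.to_bytes(2, "big") + M).digest(), "big") % Q

def keygen(seed):
    sk = int.from_bytes(hashlib.sha256(seed).digest(), "big") % (Q - 1) + 1
    return pow(G, sk, P), sk

def V(pk, r, s):
    """Identification verifier: recompute the commitment g^s * pk^(-r)."""
    return pow(G, s, P) * pow(pk, Q - r, P) % P

def sign(sk, M):
    # Deterministic nonce derived from sk and M (assumed PRG: HMAC-SHA256).
    k = int.from_bytes(hmac.new(sk.to_bytes(2, "big"), M, hashlib.sha256).digest(), "big") % Q
    I = pow(G, k, P)          # commitment
    r = H(I, M)               # challenge comes from the hash, not the verifier
    s = (k + r * sk) % Q      # response
    return I, s

def verify(pk, M, sig):
    I, s = sig
    return V(pk, H(I, M), s) == I

def to_rs(M, sig):
    """(I, s) -> (r, s): needs only the public hash."""
    I, s = sig
    return H(I, M), s

def verify_rs(pk, M, sig):
    r, s = sig
    return H(V(pk, r, s), M) == r

def to_Is(pk, sig):
    """(r, s) -> (I, s): recompute the commitment from public data."""
    r, s = sig
    return V(pk, r, s), s
```
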