The famous Fiat-Shamir transformation turns any public-coin three-round interactive proof, i.e., any so-called Σ-protocol, into a non-interactive proof in the random-oracle model. We study this transformation in the setting of a quantum adversary that in particular may query the random oracle in quantum superposition. Our main result is a generic reduction that transforms any quantum dishonest prover attacking the Fiat-Shamir transformation in the quantum random-oracle model into a similarly successful quantum dishonest prover attacking the underlying Σ-protocol (in the standard model). Applied to the standard soundness and proof-of-knowledge definitions, our reduction implies that both these security properties, in both the computational and the statistical variant, are preserved under the Fiat-Shamir transformation even when allowing quantum attacks. Our result improves and completes the partial results that have been known so far, but it also proves wrong certain claims made in the literature. In the context of post-quantum secure signature schemes, our results imply that for any Σ-protocol that is a proof-of-knowledge against quantum dishonest provers (and that satisfies some additional natural properties), the corresponding Fiat-Shamir signature scheme is secure in the quantum randomoracle model. For example, we can conclude that the non-optimized version of Fish, which is the bare Fiat-Shamir variant of the NIST candidate Picnic, is secure in the quantum random-oracle model. learn x α x |x |H(x) by making a single query to the RO. This is referred to as the quantum random-oracle model (QROM) [BDF + 11].Unfortunately, these superposition queries obstruct the above mentioned advantages of the ROM. By basic properties of quantum mechanics one cannot observe or locally copy such superposition queries made by the adversary without disturbing them. Also, reprogramming is usually done for an x that is queried by the adversary at a certain point, so also here we are stuck with the problem that we cannot look at the queries without disturbing them.As a consequence, security proofs in the ROM almost always do not carry over to the QROM. This lack of proof does not mean that the schemes become insecure; on the contrary, unless there is some failure because of some other reason 5 , we actually expect typical schemes to remain secure. However, it is often not obvious how to find a security proof in the QROM. Some examples where security in the QROM has been established are [Unr14, Zha15, ES15, Unr15, KLS18, ABB + 17, Zha18, SXY18, BDK + 18].Main technical result. Our main technical result (Theorem 2) can be understood as a particular way to overcome -to some extent -the above described limitation in the QROM of not being able to "read out" any query to the RO and to then reprogram the corresponding hash value. Concretely, we achieve the following.We consider an arbitrary quantum algorithm A that makes queries to the RO and in the end outputs a pair (x, z), where z is supposed to satisfy some relation with respect to H(x...