
Random Oracles in a Quantum World

西特张 2023-05-20, 92 views

Abstract. The interest in post-quantum cryptography — classical systems that remain secure in the presence of a quantum adversary — has generated elegant proposals for new cryptosystems. Some of these systems are set in the random oracle model and are proven secure relative to adversaries that have classical access to the random oracle. We argue that to prove post-quantum security one needs to prove security in the quantum-accessible random oracle model where the adversary can query the random oracle with quantum states.

We begin by separating the classical and quantum-accessible random oracle models by presenting a scheme that is secure when the adversary is given classical access to the random oracle, but is insecure when the adversary can make quantum oracle queries. We then set out to develop generic conditions under which a classical random oracle proof implies security in the quantum-accessible random oracle model. We introduce the concept of a history-free reduction which is a category of classical random oracle reductions that basically determine oracle answers independently of the history of previous queries, and we prove that such reductions imply security in the quantum model. We then show that certain post-quantum proposals, including ones based on lattices, can be proven secure using history-free reductions and are therefore post-quantum secure. We conclude with a rich set of open problems in this area.



6 Conclusion

We have shown that great care must be taken if using the random oracle model when arguing security against quantum attackers. Proofs in the classical case should be reconsidered, especially in case the quantum adversary can access the random oracle with quantum states. We also developed conditions for translating security proofs in the classical random oracle model to the quantum random oracle model. We applied these tools to certain signature and encryption schemes.

The foremost question raised by our results is in how far techniques for “classical random oracles” can be applied in the quantum case. This stems from the fact that manipulating or even observing the interaction with the quantum-accessible random oracle would require measurements of the quantum states. That, however, prevents further processing of the query in a quantum manner. We gave several examples of schemes that remain secure in the quantum setting, provided quantum-accessible pseudorandom functions exist. The latter primitive seems to be fundamental to simulate random oracles in the quantum world. Showing or disproving the existence of such pseudorandom functions is thus an important step.
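The point that observing a quantum oracle query requires a measurement which then blocks further quantum processing can be made concrete with a tiny simulation. The following Python block is an added example, not code from the paper or from this post; it models the quantum-accessible oracle on a constructed two-bit domain with a one-bit range, written out as a plain state vector. An adversary prepares a superposition of all four inputs, queries the oracle once, and then applies a Hadamard transform to the input register; this is the standard phase-kickback pattern, and the probability of reading x = 0 afterwards reveals how balanced the oracle's outputs are. A "recording simulator" that measures the input register to learn which x was queried collapses the superposition, and the same interference step then yields a flat 1/4 regardless of the oracle. The oracle tables `CONSTANT_H` and `BALANCED_H` are constructed for illustration; a real random oracle would be sampled, not fixed.

```python
import math
import random

N_BITS = 2               # toy input domain {0,1}^2: four possible queries
DOMAIN = 1 << N_BITS
DIM = DOMAIN * 2         # input register (N_BITS qubits) plus a 1-qubit output register

# Constructed oracle tables (H: {0,1}^2 -> {0,1}); a real random oracle is sampled, not fixed.
CONSTANT_H = {0: 0, 1: 0, 2: 0, 3: 0}
BALANCED_H = {0: 0, 1: 1, 2: 1, 3: 0}


def idx(x: int, y: int) -> int:
    """Basis-state index of |x>|y> in the joint state vector."""
    return (x << 1) | y


def query_state() -> list:
    """Prepare |+>^n (x) |->: all inputs in superposition, output qubit in |->.
    With the output qubit in |->, the oracle's XOR becomes a phase (-1)^H(x) on |x>."""
    amp = 1.0 / math.sqrt(DOMAIN * 2)
    state = [0.0] * DIM
    for x in range(DOMAIN):
        state[idx(x, 0)] = amp
        state[idx(x, 1)] = -amp
    return state


def oracle_unitary(state: list, H: dict) -> list:
    """Quantum-accessible oracle: |x>|y> -> |x>|y XOR H(x)>, applied to every branch at once."""
    out = [0.0] * DIM
    for x in range(DOMAIN):
        for y in range(2):
            out[idx(x, y ^ H[x])] = state[idx(x, y)]
    return out


def hadamard_inputs(state: list) -> list:
    """Apply H^(x)n to the input register only (Walsh-Hadamard transform over x)."""
    out = [0.0] * DIM
    norm = 1.0 / math.sqrt(DOMAIN)
    for x in range(DOMAIN):
        for y in range(2):
            total = 0.0
            for xp in range(DOMAIN):
                sign = -1.0 if bin(x & xp).count("1") % 2 else 1.0
                total += sign * state[idx(xp, y)]
            out[idx(x, y)] = norm * total
    return out


def measure_inputs(state: list, rng: random.Random):
    """Collapse the input register, as a classical simulator must to record 'which x was queried'.
    Returns the observed x and the renormalised post-measurement state."""
    probs = [state[idx(x, 0)] ** 2 + state[idx(x, 1)] ** 2 for x in range(DOMAIN)]
    x_obs = rng.choices(range(DOMAIN), weights=probs)[0]
    out = [0.0] * DIM
    scale = 1.0 / math.sqrt(probs[x_obs])
    for y in range(2):
        out[idx(x_obs, y)] = state[idx(x_obs, y)] * scale
    return x_obs, out


def prob_input_zero(state: list) -> float:
    """Probability that measuring the input register yields x = 0."""
    return state[idx(0, 0)] ** 2 + state[idx(0, 1)] ** 2


def quantum_query_then_interfere(H: dict) -> float:
    """Adversary with quantum access: one superposition query, then interference.
    Pr[x=0] = ((#{x: H(x)=0} - #{x: H(x)=1}) / DOMAIN)^2, i.e. the balance of H leaks."""
    return prob_input_zero(hadamard_inputs(oracle_unitary(query_state(), H)))


def recorded_query_then_interfere(H: dict, seed: int = 0) -> float:
    """Same query, but a simulator measures the input register to record the query first.
    The collapse destroys the interference: Pr[x=0] is 1/DOMAIN whatever H is."""
    _, collapsed = measure_inputs(oracle_unitary(query_state(), H), random.Random(seed))
    return prob_input_zero(hadamard_inputs(collapsed))


if __name__ == "__main__":
    for name, H in (("constant", CONSTANT_H), ("balanced", BALANCED_H)):
        print(f"{name:9s} quantum access: Pr[x=0] = {quantum_query_then_interfere(H):.2f}")
        print(f"{name:9s} recorded query: Pr[x=0] = {recorded_query_then_interfere(H):.2f}")
```

With quantum access a single query distinguishes the constant oracle (Pr[x=0] = 1) from the balanced one (Pr[x=0] = 0); a classical adversary limited to one query at one point cannot tell them apart. Once a simulator measures to record the query, both cases give 1/4, which is the obstacle the paragraph describes: lazy-sampling style simulators that need to know the queried point are not available against an adversary that processes the oracle answer in superposition.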

Many classical random oracle results remain open in the quantum random oracle settings. It is not known how to prove security of generic FDH signatures as well as signatures derived from the Fiat-Shamir heuristic in the quantum random oracle model. Similarly, a secure generic transformation from CPA to CCA security in the quantum RO model is still open.
