Abstract. The interest in post-quantum cryptography — classical systems that remain secure in the presence of a quantum adversary — has generated elegant proposals for new cryptosystems. Some of these systems are set in the random oracle model and are proven secure relative to adversaries that have classical access to the random oracle. We argue that to prove post-quantum security one needs to prove security in the quantum-accessible random oracle model, where the adversary can query the random oracle with quantum states.

We begin by separating the classical and quantum-accessible random oracle models by presenting a scheme that is secure when the adversary is given classical access to the random oracle, but is insecure when the adversary can make quantum oracle queries. We then set out to develop generic conditions under which a classical random oracle proof implies security in the quantum-accessible random oracle model. We introduce the concept of a history-free reduction, a category of classical random oracle reductions that essentially determine oracle answers independently of the history of previous queries, and we prove that such reductions imply security in the quantum model. We then show that certain post-quantum proposals, including ones based on lattices, can be proven secure using history-free reductions and are therefore post-quantum secure. We conclude with a rich set of open problems in this area.
6 Conclusion
We have shown that great care must be taken when using the random oracle model to argue security against quantum attackers. Proofs in the classical case should be reconsidered, especially when the quantum adversary can access the random oracle with quantum states. We also developed conditions for translating security proofs in the classical random oracle model to the quantum random oracle model, and applied these tools to certain signature and encryption schemes.
The foremost question raised by our results is to what extent techniques for "classical random oracles" can be applied in the quantum case. The difficulty is that manipulating or even observing the interaction with the quantum-accessible random oracle would require measuring the quantum states, and such a measurement prevents any further processing of the query in a quantum manner. We gave several examples of schemes that remain secure in the quantum setting, provided quantum-accessible pseudorandom functions exist. The latter primitive seems to be fundamental for simulating random oracles in the quantum world. Showing or disproving the existence of such pseudorandom functions is thus an important step.
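To make the measurement obstacle concrete, here is a small state-vector simulation, added as an illustration and not taken from the paper. It models a one-output-bit oracle H: {0,1}^n -> {0,1} as the unitary |x>|y> -> |x>|y XOR H(x)> and runs one superposition query (a Bernstein–Vazirani-style circuit) against two constructed oracles: an inner-product function <s,x>, where a single quantum query recovers s outright, and a uniformly random truth table, where the outcome distribution is shown to depend on every entry of the table. The function `observed_query_distribution` then repeats the same circuit but "observes" the query by measuring the input register first, as a classical-style simulator would; the query collapses to one point x, the simulator learns only H(x), and the remaining computation yields a uniform, information-free result. The oracle sizes, the seed and the names of the helpers are all assumptions of this example.

```python
"""Toy simulation of classical vs. quantum-accessible oracle queries.
Constructed illustration; not code from the paper.  Qubit 0 is the
one-bit output register y, qubits 1..n hold the query input x, and a
basis state |x>|y> lives at index (x << 1) | y of the amplitude list."""
import math
import random


def apply_oracle(state, table, n):
    """Apply U_H: |x>|y> -> |x>|y ^ H(x)>, with H given as a truth table."""
    out = [0j] * len(state)
    for idx, amp in enumerate(state):
        if amp == 0:
            continue
        x, y = idx >> 1, idx & 1
        out[(x << 1) | (y ^ table[x])] += amp  # permutation of basis states
    return out


def hadamard_on(state, qubit):
    """Apply a Hadamard gate to one qubit of the register."""
    out = list(state)
    mask = 1 << qubit
    r = 1 / math.sqrt(2)
    for idx in range(len(state)):
        if idx & mask:
            continue
        a, b = state[idx], state[idx | mask]
        out[idx] = r * (a + b)
        out[idx | mask] = r * (a - b)
    return out


def _one_query_circuit(table, n, observe_x=None):
    """Prepare |0^n>|1>, Hadamard everything, (optionally measure the input
    register, collapsing it to observe_x), query H, Hadamard the input
    register, and return the measurement distribution over the input."""
    dim = 1 << (n + 1)
    state = [0j] * dim
    state[1] = 1 + 0j  # |0...0>|1>
    for q in range(n + 1):
        state = hadamard_on(state, q)
    if observe_x is not None:
        # A simulator that wants to "see" x must measure; project and renormalise.
        state = [amp if (idx >> 1) == observe_x else 0j
                 for idx, amp in enumerate(state)]
        norm = math.sqrt(sum(abs(a) ** 2 for a in state))
        state = [a / norm for a in state]
    state = apply_oracle(state, table, n)
    for q in range(1, n + 1):
        state = hadamard_on(state, q)
    probs = [0.0] * (1 << n)
    for idx, amp in enumerate(state):
        probs[idx >> 1] += abs(amp) ** 2
    return probs


def quantum_query_distribution(table, n):
    """Full superposition query: the adversary keeps the state coherent."""
    return _one_query_circuit(table, n)


def observed_query_distribution(table, n, x_seen):
    """Same circuit, but the query was measured (seen as x_seen) first."""
    return _one_query_circuit(table, n, observe_x=x_seen)


def walsh_prediction(table, n, z):
    """Closed form for Pr[measure z] after one coherent query:
    |2^-n * sum_x (-1)^(H(x) xor <x,z>)|^2, a function of the whole table."""
    total = sum((-1) ** (table[x] ^ (bin(x & z).count("1") & 1))
                for x in range(1 << n))
    return (total / (1 << n)) ** 2


def inner_product_table(s, n):
    """Constructed oracle H(x) = <s,x> mod 2 (Bernstein-Vazirani instance)."""
    return [bin(x & s).count("1") & 1 for x in range(1 << n)]


def random_oracle_table(n, rng):
    """Constructed random oracle: a uniformly random truth table."""
    return [rng.randrange(2) for _ in range(1 << n)]


if __name__ == "__main__":
    n, s = 3, 0b101
    print("coherent query, <s,x> oracle:", quantum_query_distribution(inner_product_table(s, n), n))
    print("observed query, <s,x> oracle:", observed_query_distribution(inner_product_table(s, n), n, 0b011))
    tbl = random_oracle_table(4, random.Random(7))
    print("random oracle, simulated vs closed form:",
          [round(p, 4) for p in quantum_query_distribution(tbl, 4)],
          [round(walsh_prediction(tbl, 4, z), 4) for z in range(16)])
```

The contrast is the point of the paragraph: the coherent query against the inner-product oracle lands on s with probability 1 (one query, n bits learned), while the observed query returns a flat distribution, because projecting the input register onto a single x discards the superposition the rest of the circuit needed. Against a random truth table, the simulated distribution matches the Walsh-type closed form, which sums over all 2^n oracle values; a classical reduction that lazily samples one oracle value per query therefore cannot reproduce what the quantum adversary sees.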
Many classical random oracle results remain open in the quantum random oracle setting. It is not known how to prove security of generic FDH signatures, or of signatures derived from the Fiat-Shamir heuristic, in the quantum random oracle model. Similarly, a secure generic transformation from CPA to CCA security in the quantum RO model is still open.