Embed Size (px)
Citation preview
QuantumRandomOracleModel,Part1
MarkZhandry (Princeton&NTTResearch)
(Classical)RandomOracleModel(ROM)[Bellare-Rogaway’93]
Cryptosystem
hashfunction
Examples:OAEP,Fujisaki-Okamoto,Full-DomainHash,…
(Classical)RandomOracleModel(ROM)[Bellare-Rogaway’93]
Cryptosystem
H
(Classical)RandomOracleModel(ROM)[Bellare-Rogaway’93]
Idea:If∃ROMsecurityproof,anyattackmustexploitstructureofhashfunction
Hopefullynotpossibleforwell-designedhash
TheQuantumRandomOracleModel(QROM)[Boneh-Dagdelen-Fischlin-Lehmann-Schaffner-Z’11]
H
Nowstandardinpost-quantumcrypto
Example:FullDomainHash
BuildingBlock:TrapdoorPermutations
P^pk
x P-1
^sk
y x
Security:∀PPT A, Pr[A(pk,y)=x] < negl
SigsfromTDPs
Example:FullDomainHash
P-1
^sk
σHm
Example:FullDomainHash
Proof:Assumetowardcontradiction
A
mi
σi
m*∉{mi}i
P-1
^
H
sk
σ*H
P^pk
=H
xi
yi
Example:FullDomainHash
Proof:
A
mi
σi
m*∉{mi}i
P-1
^
H
sk
σ*H
P^pk
=H
xi
yi
Step0:Assumem* queriestoRO
Example:FullDomainHash
Proof:
A
mi
σi
m*∉{mi}i
P-1
^
H
sk
σ*H
P^pk
=H
xi
yi
Step1:H à P∘H’
Example:FullDomainHash
Proof:
A
mi
σi
m*∉{mi}i
P-1
^
H
sk
σ*H
P^pk
=H’
xi
yi
Step1:H à P∘H’
P^pk
Example:FullDomainHash
Proof:
A
mi
σi
m*∉{mi}i
H’
σ*H
P^pk
=H’
xi
yi
Step1:H à P∘H’
P^pk
Example:FullDomainHash
Proof:
A
mi
σi
m*∉{mi}i
H’
σ*H’
=H’
xi
yi
Step1:H à P∘H’
P^pk
Example:FullDomainHash
Proof:
A
mi
σi
m*∉{mi}i
H’
σ*H’
=H’
xi
yiP^pk
Notice:AcomputesH’(m*), givenonlyP(pk,H’(m*))
Example:FullDomainHash
Proof:
A
mi
σi
m*∉{mi}i
H’
σ*H’
=H’
xi
yiP^pk
B(y): setH’(xi)=y forrandomqueryà advantageε/q
Example:FullDomainHash
QROMProof?
A
mi
σi
m*∉{mi}i
H’
σ*H’
=H’
∑x|x,y⟩
P^pk
HowdoesB insertchallenge?
Challenges
Take1:PerQUERY
A
∑αx,y|x,y⟩∑αx,y|x,y⊕V1⟩
B∑αx,y|x,y⟩
∑αx,y|x,y⊕V2⟩
Problem:repeatedqueries?
Problem:distinguishingattack∑|x,0⟩∑|x,V1⟩
∑|x,0⟩∑|x,O(x)⟩VS
SecurityProofChallenges
TypicalQROMreductionscommittoentirefunctionH atbeginning,remainconsistentthroughout
[Zhang-Yu-Feng-Fan-Zhang’19]:“Committedprogrammingreductions"
SecurityProofChallenges
Take2:PerVALUE
A∑αx,y|x,y⟩
∑αx,y|x,y⊕Vx⟩ BProblem:exp-manyvaluesà Pr[correctlyguessm*] =negl
SmallRangeDistributions
Domain Range
Sizer
Random Random
SmallRangeDistributions
Thm [Z’12b]:Noq quantumqueryalg candistinguishSRr fromrandom,exceptwithprobabilityO(q3/r).
Quantumcollisionfindingboundtight
FinishingTheProof
Pr[A wins | H’ random] ≥ ε
Pr[A wins | H’ = SRr] ≥ ε – O(q3/r)
B(y) insertsy intorandomoutputPr[B inverts y] ≥ ε/r–O(q3/r2) = O(ε2/q3)
r=O(q3/ε)
Example:FullDomainHash,Take2
BuildingBlock:Pre-imageSampleable Funcs
sk
y
pk
x y
Security:(1)Collisionresistant(2)randomy à ≈randomx
P-1 P
[Gentry-Peikert-Vaikuntanathan’08]:constructionfromLWE
SigsfromPSFs
Example:FullDomainHash,Take2
sk
σHm P-1
Example:FullDomainHash,Take2
Proof:Assumetowardcontradiction
A
mi
σi
m*∉{mi}i
H
sk
σ*H
pk
=H
xi
yi
P-1
P
Example:FullDomainHash,Take2
Proof:
A
mi
σi
m*∉{mi}i
H’
σ*H
pk
=
Step1:P-1∘H à H’
P
H’
xi
yi
pk
P P
Example:FullDomainHash,Take2
Proof:
A
mi
σi
m*∉{mi}i
H’
σ*H
=
Notice:H(m*), σ* formcollisionà advantageε
P
H’
xi
yi
pk
P P
Example:FullDomainHash,Take2
QROMProof?
A
mi
σi
m*∉{mi}i
H
sk
σ*H
pk
=H
xi
yi
P-1
P
Example:FullDomainHash,Take2
Main*QROMissue:simulatingH’ efficiently
Asbefore,candousing2q-wiseindependence
*someissueshavingtodowithP-1(y) beingonlyapproximatelyuniform
RuleofThumb
RuleofThumb:Iflossofclassicalreductionisindependentofq,goodchancewecan
upgradetoquantumsecurity
Iflossinreductiondependsonq,newreductionlikelyneeded,maybeimpossible
Noperqueryhybrid
CanAllROMProofsbeUpgraded?
Thm [Yamakawa-Z’20]:No,assumingLWEorrelativetoanoracle
Recall:ImpossibilityofQuantumRewinding
Coinflipping/commitmentgame
A
y
xbß{0,1} Winif
•Hash(x)=y•x1 = b
Devisedquantum A andcol.res.Hash wherePr[A wins] ≈ 1
[Ambainis-Rosmanis-Unruh’14]
NewGame
Coinflipping/commitmentgame
A
y
xbß{0,1} Winif
•Hash(x)=y•H(x) = b
EssentiallysameA,Hash workhere
(1-bitRO)
QuantumAlg
Idea:
Vf Diff Vf Diff ∑x∈D,H(x)=b│x⟩∑x:Hash(x)=y│x⟩
f(x)=H(x)
^
y
^ ^x:Hash(x)=y x:Hash(x)=y
y
Giveoutasoracle
NoClassical-QueryAlg
Suppose∃classicalqueryquantumA s.t. Pr[A wins]≥½+ε• ConsiderH queriesonx s.t. Hash(x)=y• Firstsuchqueryx0 hasprob ½ of H(x0)=b• IfA onlyeveroutputsx0,Pr[A wins]≤½• Therefore,Amustsometimesoutputx1≠x0• Butthenx0,x1 formcollisionforHash
QROMImpossibility
[Yamakawa-Z’20]:Moregenerally,upgradeproofsofquantumness toproofsofquantumaccesstoRO
UpNext
Tomorrow,willlookatfurtherexamples
Inparticular,wewillseebarriers/impossibilitiesforcommittedprogrammingreductions,andhowtoovercomethem
