Embed Size (px)
Citation preview
QuantumRandomOracleModel,Part3
MarkZhandry (Princeton&NTTResearch)
Recall:TypicalClassicalROMProof:On-the-flySimulation
H
Input Output
x1 y1
x2 y2
x3 y3
x4 y4
Query(x, D):If(x,y)∈D:
Return(y,D)Else:
y ß$ YD’ = D+(x,y) Return(y,D’)
Recall:TypicalClassicalROMProof:On-the-flySimulationAllowsusto:• Knowtheinputsadversarycaresabout ✓
• Knowthecorrespondingoutputs ✓
• (Adaptively)programtheoutputs ✓
CPReds?
Allowsusto:• Knowtheinputsadversarycaresabout ✘
• Knowthecorrespondingoutputs ✘
• (Adaptively)programtheoutputs ✓/✘
BeyondCommittedProgramming
Howdowechangeoraclewithoutdetection?
Problem:repeatedqueries?
Problem:distinguishingattack∑|x,0⟩∑|x,V1⟩
∑|x,0⟩∑|x,O(x)⟩VS
Randompoints
AH
H’ H’(x)=H(x)∀x≠aaß$
Negligiblequerymassona,sochangeundetectableUsed,e.g.forNIZKs[Unruh’16]
NewerTechniques
Veryrecently(last2years),newtechniqueshaveemergedthatallowforbetterprogramming
Willhighlightsometechniques
FiatShamir
Recall:ClassicalFiat-ShamirProof
V
comi*
ch*
res
comi
Selectrandomqueryi*
Ifi=i*: chi*=ch*Else: chißrandomchi
comchres
Check:com=comi*⋀ch=ch*
A
FailedQuantumFiat-ShamirProof
∑│com⟩
Selectrandomqueryi*LetH berandomfunc
Ifqueryi*:Measureà com*Respondw/ch*Re-ProgramH(com*)=ch*
Ifquery≠i*: ch=H(com)
comchres
A∑│ch⟩
Unfortunately,doesn’twork
V
com*ch*
res
FixedQuantumFiat-ShamirProof
V
com*ch*
res
∑│com⟩
Selectrandomqueryi*LetH berandomfunc
Ifqueryi*:Measureà com*Resp.w/chß{ch*,H(com*)}Re-ProgramH(com*)=ch*
Ifquery≠i*: ch=H(com)
comchres
A∑│ch⟩
[Don-Fehr-Majenz-Schaffner’19]:Amazinglyworks
OtherApplications
[Don-Fehr-Majenz’20]:Multi-roundFiat-Shamir
“LiftingTheorem”[Yamakawa-Z’20]:Ifsearch-type game,andchallengermakesconstant numberofqueriestoRO,classicalROMproofà QROMproof(w/polynomialsecurityloss)
CompressedOracles
Step1:Quantum-ify (akaPurify)
H
H
Quantum-ifying (akapurifying)randomoracle:A +nowsinglequantumsystem
Reminiscentofoldimpossibilitiesforunconditionalquantumprotocols[Lo’97,Lo-Chau’97,Mayers’97,Nayak’99]
Step1:SuperpositionofOracles
HInitialoraclestate:H
Query(x, y, H): y = y⊕H(x)
Adversary’squeryOracle’sstate
Step2:LookatFourierDomain
HĤ
Step2:LookatFourierDomain
Initialoraclestate:Z(x) = 0
Query(x, y, Ĥ): Ĥ = Ĥ⊕Px,y
Px,y(x’) = y ifx=x’0 else
Ĥ
Proof: A FourierTransform A-T
D
Step3:Compress
Ĥ
Observation:Afterq queries,Ĥ isnon-zeroonatmostq points
^
Step3:Compress
Initialoraclestate:{}
Query(x, y, D): (1)If∄(x,y’)∈D: D = D+(x,0)
(2)Replace(x,y’)∈Dwith(x,y’⊕y)
(3)If(x,0)∈D: removeit
^^ ^ ^
^
^
D̂
Step4:RevertbacktoPrimalDomain
D̂D
Input Output
x1 y1
x2 y2
x3 y3
x4 y4
Step4:RevertbacktoPrimalDomain
Pointsadversarycaresabout ≈Correspondingoutputs
DRoughlyanalogoustoclassicalon-the-flysimulation
CompressedOracles
Allowsusto:• Knowtheinputsadversarycaresabout? ✓
• Knowthecorrespondingoutputs? ✓
• (Adaptively)programtheoutputs? ✓ (withsomework)
So,whathappened?
ObserverEffect:Learninganythingaboutquantumsystemdisturbsit
getsdisturbedH
HA learnsaboutthroughqueries
Compressedoraclesdecodesuchdisturbance
Reductionmustanswerobliviously,too?
answersobliviously,sonodisturbance
H
MotivationforCPReds: BeyondCPReds:
Caveats
But,stillgoodenoughformanyapplications…
Outputsindatabase≠0 inFourierdomainy valuesaren’texactlyqueryoutputs
Examiningx,y valuesperturbsstateStillmustbecarefulabouthowweusethem
SomeApplications[Alagic-Majenz-Russell-Song’18]:
Quantum-securesignatureseparation
[Liu-Z’19a]:Tightboundsformulti-collisionproblem [Liu-Z’19b]:Fiat-Shamir
([Don-Fehr-Majenz-Schaffner’19]:directproof)[Hosoyamada-Iwata’19]:4-roundLuby-Rackoff
[Bindel-Hamburg-Hülsing-Persichetti’19]:TighterCCAsecurityproofs
[Chiesa-Manohar-Spooner’19]:zk-SNARKs[Unruh’21]:CollisionresistanceofSponge
[Z’19]:Indifferentiability ofMD
Summary
• NowhavenumeroustechniquesforprovingQROMsecurity
•ManyschemesofinterestnowhaveQROMproof
•Majorlingeringissues:• Tightnessofreductions• Indifferentiability (Sponge,idealciphersfromRO)• Constant-queryliftingtheoremforindistinguishability?• Stillvariousmissingpieces
