Quantum Random Oracle Model, Part 3 - BIU

Quantum Random Oracle Model, Part 3
Mark Zhandry (Princeton & NTT Research)

Recall: Typical Classical ROM Proof: On-the-fly Simulation
H
Input Output
x1 y1
x2 y2
x3 y3
x4 y4
Query(x, D):
    If (x, y) ∈ D:
        Return (y, D)
    Else:
        y ←$ Y
        D' = D + (x, y)
        Return (y, D')

Recall: Typical Classical ROM Proof: On-the-fly Simulation
Allows us to:
• Know the inputs adversary cares about ✓
• Know the corresponding outputs ✓
• (Adaptively) program the outputs ✓

CPReds?
Allows us to:
• Know the inputs adversary cares about ✘
• Know the corresponding outputs ✘
• (Adaptively) program the outputs ✓/✘

Beyond Committed Programming
How do we change oracle without detection?
Problem: repeated queries?
Problem: distinguishing attack
∑|x,0⟩  ∑|x,V1⟩
VS
∑|x,0⟩  ∑|x,O(x)⟩

Random points
A  H
H'   H'(x) = H(x) ∀ x ≠ a,  a ←$
Negligible query mass on a, so change undetectable
Used, e.g. for NIZKs [Unruh'16]

Newer Techniques
Very recently (last 2 years), new techniques have emerged that allow for better programming
Will highlight some techniques

Fiat Shamir

Recall: Classical Fiat-Shamir Proof
V
com_i*
ch*
res
com_i
Select random query i*
If i = i*: ch_i* = ch*
Else: ch_i ← random
ch_i
com, ch, res
Check: com = com_i* ⋀ ch = ch*
A

Failed Quantum Fiat-Shamir Proof
V
com*, ch*
res
A
∑|com⟩
∑|ch⟩
Select random query i*
Let H be random func
If query i*:
    Measure → com*
    Respond w/ ch*
    Re-program H(com*) = ch*
If query ≠ i*: ch = H(com)
com, ch, res
Unfortunately, doesn't work

Fixed Quantum Fiat-Shamir Proof
V
com*, ch*
res
A
∑|com⟩
∑|ch⟩
Select random query i*
Let H be random func
If query i*:
    Measure → com*
    Resp. w/ ch ← {ch*, H(com*)}
    Re-program H(com*) = ch*
If query ≠ i*: ch = H(com)
com, ch, res
[Don-Fehr-Majenz-Schaffner'19]: Amazingly works

Other Applications
[Don-Fehr-Majenz'20]: Multi-round Fiat-Shamir
"Lifting Theorem" [Yamakawa-Z'20]: If search-type game, and challenger makes constant number of queries to RO, classical ROM proof → QROM proof (w/ polynomial security loss)

Compressed Oracles

Step 1: Quantum-ify (aka Purify)
H
Quantum-ifying (aka purifying) random oracle: A + H now single quantum system
Reminiscent of old impossibilities for unconditional quantum protocols [Lo'97, Lo-Chau'97, Mayers'97, Nayak'99]

Step 1: Superposition of Oracles
H
Initial oracle state: H
Query(x, y, H): y = y ⊕ H(x)
Adversary's query
Oracle's state

Step 2: Look at Fourier Domain
H   Ĥ

Step 2: Look at Fourier Domain
Ĥ
Initial oracle state: Z(x) = 0
Query(x, y, Ĥ): Ĥ = Ĥ ⊕ P_{x,y}
P_{x,y}(x') = y if x = x', 0 else
Proof: A   Fourier Transform   A^{-T}
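
The Step 2 claim can be checked exhaustively on a toy oracle. This is an added example, not code from the slides; it assumes one-bit inputs and outputs (so the Fourier transform is the Hadamard transform) and applies that transform to the adversary's y register as well as to the oracle register.

```python
from itertools import product
from math import sqrt, isclose

# Constructed toy sizes: X = {0,1}, Y = {0,1}. A basis state is the tuple
# (x, y, h0, h1): the adversary's query registers, then the oracle's truth table.
BASIS = list(product((0, 1), repeat=4))

def apply(state, f):
    """Apply a basis-state permutation f to a state stored as {basis: amplitude}."""
    out = {}
    for basis, amp in state.items():
        out[f(basis)] = out.get(f(basis), 0.0) + amp
    return out

def primal_query(b):
    x, y, h0, h1 = b
    return (x, y ^ (h0, h1)[x], h0, h1)   # y = y XOR H(x)

def fourier_query(b):
    x, y, h0, h1 = b
    h = [h0, h1]
    h[x] ^= y                             # H^ = H^ XOR P_{x,y}
    return (x, y, h[0], h[1])

def hadamard(state, positions):
    """Hadamard (the Fourier transform over Z_2) on the listed tuple positions."""
    for p in positions:
        out = {}
        for basis, amp in state.items():
            for bit in (0, 1):
                new = basis[:p] + (bit,) + basis[p + 1:]
                sign = -1.0 if basis[p] & bit else 1.0
                out[new] = out.get(new, 0.0) + sign * amp / sqrt(2)
        state = out
    return state

def same(a, b):
    return all(isclose(a.get(k, 0.0), b.get(k, 0.0), abs_tol=1e-9) for k in BASIS)

def fourier_view_matches():
    """Conjugating the primal query by the transform gives the Fourier-domain query."""
    for b in BASIS:
        conj = hadamard(apply(hadamard({b: 1.0}, (1, 2, 3)), primal_query), (1, 2, 3))
        if not same(conj, apply({b: 1.0}, fourier_query)):
            return False
    return True

def uniform_oracle_is_zero_table():
    """The uniform superposition over all H is the all-zero table in the Fourier domain."""
    uniform = {(0, 0, h0, h1): 0.5 for h0 in (0, 1) for h1 in (0, 1)}
    return same(hadamard(uniform, (2, 3)), {(0, 0, 0, 0): 1.0})
```
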

Step 3: Compress
Ĥ
D̂
Observation: After q queries, Ĥ is non-zero on at most q points

Step 3: Compress
D̂
Initial oracle state: {}
Query(x, y, D̂):
    (1) If ∄ (x, y') ∈ D̂: D̂ = D̂ + (x, 0)
    (2) Replace (x, y') ∈ D̂ with (x, y' ⊕ y)
    (3) If (x, 0) ∈ D̂: remove it
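
The three-step update can be run next to the uncompressed Fourier-domain table to see that they stay in agreement. This is an added example, not code from the slides; the domain size and query list are constructed, and it tracks a single Fourier-basis state (the real oracle register is a superposition of such states, on which the same update acts linearly).

```python
DOMAIN = 2 ** 16  # constructed toy input space; outputs are 8-bit values

def query_full(table, x, y):
    """Uncompressed Fourier-domain query: H^ = H^ XOR P_{x,y}."""
    table = list(table)
    table[x] ^= y
    return table

def query_compressed(db, x, y):
    """Steps (1)-(3) of the compressed query; db maps x -> nonzero y'."""
    db = dict(db)
    if x not in db:      # (1) no (x, y') in the database: add (x, 0)
        db[x] = 0
    db[x] ^= y           # (2) replace (x, y') with (x, y' XOR y)
    if db[x] == 0:       # (3) remove (x, 0)
        del db[x]
    return db

def decompress(db, size=DOMAIN):
    """Expand the database back into the full table it stands for."""
    table = [0] * size
    for x, value in db.items():
        table[x] = value
    return table

# Constructed query sequence (x, y): a repeated query that cancels,
# two queries on one point that partly overlap, and a y = 0 query.
QUERIES = [(7, 0x5A), (40000, 0x01), (7, 0x5A), (12, 0xFF), (12, 0x0F), (9, 0x00)]

def run(queries, size=DOMAIN):
    """Apply every query to both representations, checking they agree throughout."""
    table, db = [0] * size, {}
    for count, (x, y) in enumerate(queries, start=1):
        table, db = query_full(table, x, y), query_compressed(db, x, y)
        if decompress(db, size) != table or len(db) > count:
            raise AssertionError("compressed database diverged from full table")
    return table, db

if __name__ == "__main__":
    _, final_db = run(QUERIES)
    print(final_db)
```

Six queries leave only two database entries: the repeated query on x = 7 cancels itself and the y = 0 query on x = 9 is inserted and removed in the same call.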

Step 4: Revert back to Primal Domain
D̂   D

Step 4: Revert back to Primal Domain
D
Input Output
x1 y1
x2 y2
x3 y3
x4 y4
Points adversary cares about   ≈ Corresponding outputs
Roughly analogous to classical on-the-fly simulation

Compressed Oracles
Allows us to:
• Know the inputs adversary cares about? ✓
• Know the corresponding outputs? ✓
• (Adaptively) program the outputs? ✓ (with some work)

So, what happened?
Observer Effect: Learning anything about quantum system disturbs it
A learns about H through queries
H gets disturbed
Motivation for CPReds: H answers obliviously, so no disturbance. Reduction must answer obliviously, too?
Beyond CPReds: Compressed oracles decode such disturbance

Caveats
Outputs in database ≠ 0 in Fourier domain
    y values aren't exactly query outputs
Examining x, y values perturbs state
    Still must be careful about how we use them
But, still good enough for many applications…

Some Applications
[Alagic-Majenz-Russell-Song'18]: Quantum-secure signature separation
[Liu-Z'19a]: Tight bounds for multi-collision problem
[Liu-Z'19b]: Fiat-Shamir ([Don-Fehr-Majenz-Schaffner'19]: direct proof)
[Hosoyamada-Iwata'19]: 4-round Luby-Rackoff
[Bindel-Hamburg-Hülsing-Persichetti'19]: Tighter CCA security proofs
[Chiesa-Manohar-Spooner'19]: zk-SNARKs
[Unruh'21]: Collision resistance of Sponge
[Z'19]: Indifferentiability of MD

Summary
• Now have numerous techniques for proving QROM security
• Many schemes of interest now have QROM proof
• Major lingering issues:
  • Tightness of reductions
  • Indifferentiability (Sponge, ideal ciphers from RO)
  • Constant-query lifting theorem for indistinguishability?
  • Still various missing pieces