Abstract
We show the following generic result: When a quantum query algorithm in the quantum random-oracle model outputs a classical value t that is promised to be in some tight relation with H(x) for some x, then x can be efficiently extracted with almost certainty. The extraction is by means of a suitable simulation of the random oracle and works online, meaning that it is straightline, i.e., without rewinding, and on-the-fly, i.e., during the protocol execution and (almost) without disturbing it.
The technical core of our result is a new commutator bound that bounds the operator norm of the commutator of the unitary operator that describes the evolution of the compressed oracle (which is used to simulate the random oracle above) and of the measurement that extracts x.
We show two applications of our generic online extractability result. We show tight online extractability of commit-and-open \(\Sigma \)-protocols in the quantum setting, and we offer the first complete post-quantum security proof of the textbook Fujisaki-Okamoto transformation, i.e., without adjustments to facilitate the proof, including concrete security bounds.
Full version available at https://eprint.iacr.org/2021/280.
Notes
1. It is immediate for normalized \(|\varphi \rangle \) and \(|\psi \rangle \) when expanding both vectors in an orthonormal basis containing \(|\varphi \rangle \) and \(\frac{|\psi \rangle -\langle \varphi |\psi \rangle |\varphi \rangle }{\sqrt{1-|\langle \varphi |\psi \rangle |^2}}\), and the general case then follows by homogeneity of the norms.
2. In this equality and at other occasions, we use the same letter, here x, for the considered random variable as well as for a particular value.
3. Both in \(\mathsf{X}^x\) and in \(w + x\) we understand \(x \in \mathcal{X} \cup \{\emptyset \}\) to be encoded as an element in \(\mathbb Z/(|\mathcal{X}|\!+\!1)\mathbb Z\), \(\dim (\mathcal{H}_P) = d:= |\mathcal{X}|+1\), and \(\mathsf{X}\in \mathcal{L}(\mathcal{H}_P)\) is the generalized Pauli of order d that maps \(|w\rangle \) to \(|w + 1\rangle \).
4. The challenging aspect of Lemma 3 is that \(M_{DP}\) is made up of an exponential number of projectors \(\varPi ^x\), and thus the obvious approach of using the triangle inequality leads to an exponential blow-up of the error term.
5. Lemma 5 in [27] applies to an algorithm \(\mathcal A\) that outputs both x and what is supposed to be its hash value; this is why we need to do this additional query.
6. We can also think of this measurement as being done by the interface that receives t.
7. I.e., applying it twice has the same effect on the state of \(\mathcal S\) as applying it once.
8. The first inequality is an artefact of the \(|\bot \rangle \!\langle \bot |\)-term in \(\bar{\varPi }^{\hat{x}}\) contributing to the probability of \(\hat{h} = 0\), as discussed in Sect. 2.2.
9. Naturally, we can assume \([\ell ]=\bigcup _{c\in C}c\).
10. Using the language from secret sharing, we consider an arbitrary access structure \(\mathfrak {S}\), while the k-soundness case corresponds to a threshold access structure.
11. The restriction for S to be in \(\mathfrak {S}_{\min }\), rather than in \(\mathfrak {S}\), is only to avoid an exponentially sized input. When C is constant in size, we may admit any \(S \in \mathfrak {S}\).
12. This seems relevant e.g. for lattice-based schemes, where the ciphertext has little (or even no) entropy for certain very unlikely choices of the key (like being all 0).
13. We can assume without loss of generality that pk is included in sk.
14. These assignments seem to suggest that \(\mathcal{R} = \mathcal{K}\), which may not be the case. Indeed, we understand here that \(F: \mathcal{M} \rightarrow \{0,1\}^n\) with n large enough, and F(0||x) and F(1||x) are then cut down to the right size.
15. If this choice instructs to measure Decaps’s query to \(H^\diamond \) or to \(G^\diamond \) for the decryption query \(c^\diamond \), but there is no decryption query \(c_i = c^\diamond \), \(m' := \bot \) is output instead.
References
Alagic, G., Majenz, C., Russell, A., Song, F.: Quantum-access-secure message authentication via blind-unforgeability. In: Canteaut, A., Ishai, Y. (eds.) EUROCRYPT 2020. LNCS, vol. 12107, pp. 788–817. Springer, Cham (2020). https://doi.org/10.1007/978-3-030-45727-3_27
Ambainis, A., Hamburg, M., Unruh, D.: Quantum security proofs using semi-classical oracles. In: Boldyreva, A., Micciancio, D. (eds.) CRYPTO 2019. LNCS, vol. 11693, pp. 269–295. Springer, Cham (2019). https://doi.org/10.1007/978-3-030-26951-7_10
Bindel, N., Hamburg, M., Hövelmanns, K., Hülsing, A., Persichetti, E.: Tighter proofs of CCA security in the quantum random oracle model. In: Hofheinz, D., Rosen, A. (eds.) TCC 2019. LNCS, vol. 11892, pp. 61–90. Springer, Cham (2019). https://doi.org/10.1007/978-3-030-36033-7_3
Boneh, D., Dagdelen, Ö., Fischlin, M., Lehmann, A., Schaffner, C., Zhandry, M.: Random oracles in a quantum world. In: Lee, D.H., Wang, X. (eds.) ASIACRYPT 2011. LNCS, vol. 7073, pp. 41–69. Springer, Heidelberg (2011). https://doi.org/10.1007/978-3-642-25385-0_3
Brassard, G., Chaum, D., Crépeau, C.: Minimum disclosure proofs of knowledge. J. Comput. Syst. Sci. 37(2), 156–189 (1988)
Chase, M., et al.: The picnic signature scheme, design document v2.1 (2019)
Chase, M., et al.: Post-quantum zero-knowledge and signatures from symmetric-key primitives. In: Proceedings of the 2017 ACM SIGSAC Conference on Computer and Communications Security, CCS 2017, pp. 1825–1842, ACM, New York (2017)
Chen, M.-S., Hülsing, A., Rijneveld, J., Samardjiska, S., Schwabe, P.: From 5-pass \(\cal{MQ}\)-based identification to \(\cal{MQ}\)-based signatures. In: Cheon, J.H., Takagi, T. (eds.) ASIACRYPT 2016. LNCS, vol. 10032, pp. 135–165. Springer, Heidelberg (2016). https://doi.org/10.1007/978-3-662-53890-6_5
Chiesa, A., Manohar, P., Spooner, N.: Succinct arguments in the quantum random oracle model. In: Hofheinz, D., Rosen, A. (eds.) Theory of Cryptography, pp. 1–29. Springer, Cham (2019). https://doi.org/10.1007/978-3-642-54242-8
Chung, K.-M., Fehr, S., Huang, Y.-H., Liao, T.-N.: On the compressed-oracle technique, and post-quantum security of proofs of sequential work. Cryptology ePrint Archive, Report 2020/1305 (2020). https://eprint.iacr.org/2020/1305
Czajkowski, J., Majenz, C., Schaffner, C., Zur, S.: Quantum lazy sampling and game-playing proofs for quantum indifferentiability. Cryptology ePrint Archive, Report 2019/428 (2019). https://eprint.iacr.org/2019/428
Don, J., Fehr, S., Majenz, C., Schaffner, C.: Security of the Fiat-Shamir transformation in the quantum random-oracle model. In: Boldyreva, A., Micciancio, D. (eds.) CRYPTO 2019. LNCS, vol. 11693, pp. 356–383. Springer, Cham (2019). https://doi.org/10.1007/978-3-030-26951-7_13
Fujisaki, E., Okamoto, T.: How to enhance the security of public-key encryption at minimum cost. In: Imai, H., Zheng, Y. (eds.) PKC 1999. LNCS, vol. 1560, pp. 53–68. Springer, Heidelberg (1999). https://doi.org/10.1007/3-540-49162-7_5
Goldreich, O., Micali, S., Wigderson, A.: Proofs that yield nothing but their validity or all languages in NP have zero-knowledge proof systems. J. ACM 38(3), 690–728 (1991)
Hamoudi, Y., Magniez, F.: Quantum time-space tradeoff for finding multiple collision pairs (2020)
Hofheinz, D., Hövelmanns, K., Kiltz, E.: A modular analysis of the Fujisaki-Okamoto transformation. In: Kalai, Y., Reyzin, L. (eds.) Theory of Cryptography, pp. 341–371. Springer, Cham (2017). https://doi.org/10.1007/978-3-642-54242-8
Kales, D., Zaverucha, G.: Improving the performance of the picnic signature scheme. In: IACR Transactions on Cryptographic Hardware and Embedded Systems, pp. 154–188 (2020)
Katsumata, S., Kwiatkowski, K., Pintore, F., Prest, T.: Scalable ciphertext compression techniques for post-quantum KEMs and their applications. In: Moriai, S., Wang, H. (eds.) ASIACRYPT 2020. LNCS, vol. 12491, pp. 289–320. Springer, Cham (2020). https://doi.org/10.1007/978-3-030-64837-4_10
Liu, Q., Zhandry, M.: On finding quantum multi-collisions. In: Ishai, Y., Rijmen, V. (eds.) EUROCRYPT 2019. LNCS, vol. 11478, pp. 189–218. Springer, Cham (2019). https://doi.org/10.1007/978-3-030-17659-4_7
Liu, Q., Zhandry, M.: Revisiting post-quantum Fiat-Shamir. In: Boldyreva, A., Micciancio, D. (eds.) CRYPTO 2019. LNCS, vol. 11693, pp. 326–355. Springer, Cham (2019). https://doi.org/10.1007/978-3-030-26951-7_12
Nielsen, M.A., Chuang, I.L.: Quantum Computation and Quantum Information: 10th Anniversary Edition, 10th edn. Cambridge University Press, New York (2011)
Pass, R.: On deniability in the common reference string and random oracle model. In: Boneh, D. (ed.) CRYPTO 2003. LNCS, vol. 2729, pp. 316–337. Springer, Heidelberg (2003). https://doi.org/10.1007/978-3-540-45146-4_19
Pass, R.: Alternative variants of zero-knowledge proofs. PhD thesis, KTH Stockholm (2004)
Targhi, E.E., Unruh, D.: Post-quantum security of the Fujisaki-Okamoto and OAEP Transforms. In: Hirt, M., Smith, A. (eds.) TCC 2016. LNCS, vol. 9986, pp. 192–216. Springer, Heidelberg (2016). https://doi.org/10.1007/978-3-662-53644-5_8
Unruh, D.: Revocable quantum timed-release encryption. In: Nguyen, P.Q., Oswald, E. (eds.) EUROCRYPT 2014. LNCS, vol. 8441, pp. 129–146. Springer, Heidelberg (2014). https://doi.org/10.1007/978-3-642-55220-5_8
Wikström, D.: Special soundness revisited. Cryptology ePrint Archive, Report 2018/1157 (2018). https://ia.cr/2018/1157
Zhandry, M.: How to record quantum queries, and applications to quantum indifferentiability. In: Boldyreva, A., Micciancio, D. (eds.) CRYPTO 2019. LNCS, vol. 11693, pp. 239–268. Springer, Cham (2019). https://doi.org/10.1007/978-3-030-26951-7_9
Acknowledgements
The authors thank Andreas Hülsing and Kathrin Hövelmanns for helpful discussions, and Eike Kiltz and anonymous referees for helpful comments on an earlier version of this article. JD was funded by ERC-ADG project 740972 (ALGSTRONGCRYPTO). SF was partly supported by the EU Horizon 2020 Research and Innovation Program Grant 780701 (PROMETHEUS). CM was funded by a NWO VENI grant (Project No. VI.Veni.192.159). CS was supported by a NWO VIDI grant (Project No. 639.022.519).
© 2022 International Association for Cryptologic Research
Cite this paper
Don, J., Fehr, S., Majenz, C., Schaffner, C. (2022). Online-Extractability in the Quantum Random-Oracle Model. In: Dunkelman, O., Dziembowski, S. (eds) Advances in Cryptology – EUROCRYPT 2022. EUROCRYPT 2022. Lecture Notes in Computer Science, vol 13277. Springer, Cham. https://doi.org/10.1007/978-3-031-07082-2_24
DOI: https://doi.org/10.1007/978-3-031-07082-2_24
Publisher Name: Springer, Cham
Print ISBN: 978-3-031-07081-5
Online ISBN: 978-3-031-07082-2