
On the Impossibility of Key Agreements from Quantum Random Oracles

Conference paper in Advances in Cryptology – CRYPTO 2022 (CRYPTO 2022), part of the book series Lecture Notes in Computer Science (LNCS, volume 13508).

Abstract

We study the following question, first publicly posed by Hosoyamada and Yamakawa in 2018. Can parties \(\textsf{A},\textsf{B}\) with quantum computing power and classical communication rely only on a random oracle (that can be queried in quantum superposition) to agree on a key that is private from eavesdroppers?

We make the first progress on the question above and prove the following.

  • When only one of the parties, \(\textsf{A}\), is classical and the other party, \(\textsf{B}\), is quantum powered, if they make a total of d oracle queries and agree on a key with probability 1, then there is always a way to break the key agreement with \(O(d^2)\) classical oracle queries.

  • When both parties can make quantum queries to the random oracle, we introduce a natural conjecture, which if true would imply attacks with \({\text {poly}}(d)\) classical queries to the random oracle. Our conjecture, roughly speaking, states that the multiplication of any two degree-d real-valued polynomials over the Boolean hypercube of influence at most \(\delta =1/{\text {poly}}(d)\) is nonzero. We then prove our conjecture for exponentially small influences, which leads to an (unconditional) classical \(2^{O(md)}\)-query attack on any such key agreement protocol, where m is the oracle’s output length.

  • Since our attacks are classical, we then ask whether it is always possible to find classical attacks on key agreements with imperfect completeness in the quantum random oracle model. We prove a barrier for this approach, by showing that if the folklore “Simulation Conjecture” (first formally stated by Aaronson and Ambainis in 2009) about the possibility of simulating efficient-query quantum algorithms using efficient-query classical algorithms is false, then there is in fact such a secure key agreement in the quantum random oracle model that cannot be broken classically.

H. Chung—Supported by Packard Fellowship and NSF award 2044679. Part of the work was done when working at Academia Sinica.

K.-M. Chung—Partially supported by the 2021 Academia Sinica Investigator Award (AS-IA-110-M02) and Executive Yuan Data Safety and Talent Cultivation Project (AS-KPQ-110-DSTCP).

M. Mahmoody—Supported by NSF grants CCF-1910681 and CNS1936799.


Notes

  1. Note that a sufficiently large polynomial gap could still provide meaningful fine-grained security, particularly because this gap can only mean more security as CPU clocks get shorter. In particular, with faster computers, Alice and Bob can pick a larger d while running in the same time as before, whereas Eve now needs d times more running time than Alice and Bob.

  2. In comparison, Theorem 1.1 shows that such protocols (with a classical party and a quantum party) cannot offer more than quadratic security when the protocol has perfect completeness.

  3. To the best of our knowledge, the question was first asked in 2018 [HY18].

  4. In [IR89, BM17], this condition is referred to as having no “intersection queries” outside L.

  5. One cannot say the same thing for the quantum algorithm Bob, as it might choose to “forget” things about the oracle as it proceeds.

  6. As expected, the formulation of our Polynomial Compatibility Conjecture is such that, to use the conjecture for obtaining attacks, it does not matter in which basis the work registers of Alice and Bob are measured.

  7. See Remark 3.2 in https://www.boazbarak.org/Papers/merkle.pdf.

  8. We do not rely on \(\hat{{\mathcal Y}}\) and \({\mathcal Y}\) being isomorphic and think of them simply as disjoint sets.

  9. By delaying the measurement of the transcript, one can view it as applying a CNOT gate whose control bit is the register that is supposed to be sent and whose target bit is an ancilla. One then sends the ancilla bit, and in the rest of the computation the ancilla bits serve only as control bits for Alice’s and Bob’s computation. The ancilla bits (the transcript) remain unchanged throughout the computation. Thus it is equivalent to sending classical information, and it is consistent with the QCCC model.

  10. Recall that \(|\varPhi _0\rangle \) is a uniform superposition over all \(h \in {\mathcal H}\), defined as Eq. (1).
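Note 9's delayed-measurement argument, illustrated by a pure-Python statevector check added here (not code from the paper): it compares measuring Alice's register and sending the classical bit with coherently copying that bit into an ancilla that is afterwards used only as a control, and confirms that the outcome statistics agree while the ancilla's reduced state has no off-diagonal term. The amplitudes 0.6/0.8 and Bob's Hadamard step are constructed sample choices.

```python
import math

X = [[0, 1], [1, 0]]
H = [[1 / math.sqrt(2), 1 / math.sqrt(2)], [1 / math.sqrt(2), -1 / math.sqrt(2)]]

def apply_1q(state, gate, target, n, control=None):
    """Apply a 2x2 gate to qubit `target` of an n-qubit statevector (qubit 0 is the
    most significant index bit), optionally controlled on qubit `control`."""
    tmask = 1 << (n - 1 - target)
    cmask = 0 if control is None else 1 << (n - 1 - control)
    out = list(state)
    for i0 in range(2 ** n):
        if i0 & tmask or (cmask and not i0 & cmask):
            continue  # visit each (target=0, target=1) pair once, only where control is 1
        i1 = i0 | tmask
        out[i0] = gate[0][0] * state[i0] + gate[0][1] * state[i1]
        out[i1] = gate[1][0] * state[i0] + gate[1][1] * state[i1]
    return out

def outcome_distribution(state):
    """Probability of each computational-basis outcome (index -> probability)."""
    return {i: abs(a) ** 2 for i, a in enumerate(state) if abs(a) > 1e-12}

def measure_then_send(alpha, beta, bob_gate):
    """QCCC-style: Alice measures q0 = alpha|0> + beta|1>, sends the bit c (recorded in
    ancilla q1), and Bob applies bob_gate to his qubit q2 iff c == 1."""
    dist = {}
    for c, amp in ((0, alpha), (1, beta)):
        p = abs(amp) ** 2
        if p == 0:
            continue
        state = [0j] * 8
        state[(c << 2) | (c << 1)] = 1.0  # collapsed state |c>|c>|0>
        if c == 1:
            state = apply_1q(state, bob_gate, 2, 3)  # classically controlled step
        for idx, pr in outcome_distribution(state).items():
            dist[idx] = dist.get(idx, 0.0) + p * pr
    return dist

def deferred_measurement(alpha, beta, bob_gate):
    """Coherent version: CNOT q0->q1 copies the bit to be sent into the ancilla, then
    Bob's gate is quantum-controlled on the ancilla, which is never written again."""
    state = [0j] * 8
    state[0b000], state[0b100] = alpha, beta
    state = apply_1q(state, X, 1, 3, control=0)         # CNOT: register -> ancilla
    state = apply_1q(state, bob_gate, 2, 3, control=1)  # ancilla used only as control
    amask = 0b010  # off-diagonal of the ancilla's reduced density matrix
    coherence = sum(state[i] * state[i | amask].conjugate() for i in range(8) if not i & amask)
    return outcome_distribution(state), abs(coherence)
```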

References

  • Aaronson, S., Ambainis, A.: The need for structure in quantum speedups. arXiv preprint arXiv:0911.0996 (2009)

  • Aaronson, S.: Quantum computing, postselection, and probabilistic polynomial-time. Proc. R. Soc. A Math. Phys. Eng. Sci. 461(2063), 3473–3482 (2005)

  • Agarwal, A., Bartusek, J., Goyal, V., Khurana, D., Malavolta, G.: Post-quantum multi-party computation. In: Canteaut, A., Standaert, F.-X. (eds.) EUROCRYPT 2021. LNCS, vol. 12696, pp. 435–464. Springer, Cham (2021). https://doi.org/10.1007/978-3-030-77870-5_16

  • Austrin, P., Chung, H., Chung, K.-M., Fu, S., Lin, Y.-T., Mahmoody, M.: On the impossibility of key agreements from quantum random oracles. Cryptology ePrint Archive, Paper 2022/218 (2022). https://eprint.iacr.org/2022/218

  • Alagic, G., Childs, A.M., Grilo, A.B., Hung, S.-H.: Non-interactive classical verification of quantum computation. In: Pass, R., Pietrzak, K. (eds.) TCC 2020. LNCS, vol. 12552, pp. 153–180. Springer, Cham (2020). https://doi.org/10.1007/978-3-030-64381-2_6

  • Ananth, P., Chung, K.-M., Placa, R.L.L.: On the concurrent composition of quantum zero-knowledge. In: Malkin, T., Peikert, C. (eds.) CRYPTO 2021. LNCS, vol. 12825, pp. 346–374. Springer, Cham (2021). https://doi.org/10.1007/978-3-030-84242-0_13

  • Barak, B.: The complexity of public-key cryptography. In: Tutorials on the Foundations of Cryptography. ISC, pp. 45–77. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-57048-8_2

  • Bartusek, J.: Secure quantum computation with classical communication. Cryptology ePrint Archive, Report 2021/964 (2021). https://ia.cr/2021/964

  • Bennett, C.H., Brassard, G.: Quantum cryptography: public key distribution and coin tossing. In: Proceedings of IEEE International Conference on Computers, Systems, and Signal Processing, pp. 175–179 (1984)

  • Biham, E., Goren, Y.J., Ishai, Y.: Basing weak public-key cryptography on strong one-way functions. In: Canetti, R. (ed.) TCC 2008. LNCS, vol. 4948, pp. 55–72. Springer, Heidelberg (2008). https://doi.org/10.1007/978-3-540-78524-8_4

  • Bellare, M., Goldreich, O., Petrank, E.: Uniform generation of NP-witnesses using an NP-oracle. Inf. Comput. 163(2), 510–526 (2000)

  • Brassard, G., Hoyer, P., Kalach, K., Kaplan, M., Laplante, S., Salvail, L.: Key establishment à la Merkle in a quantum world (2015)

  • Bitansky, N., Kellner, M., Shmueli, O.: Post-quantum resettably-sound zero knowledge. In: Nissim, K., Waters, B. (eds.) TCC 2021. LNCS, vol. 13042, pp. 62–89. Springer, Cham (2021). https://doi.org/10.1007/978-3-030-90459-3_3

  • Brakerski, Z., Katz, J., Segev, G., Yerukhimovich, A.: Limits on the power of zero-knowledge proofs in cryptographic constructions. In: Ishai, Y. (ed.) TCC 2011. LNCS, vol. 6597, pp. 559–578. Springer, Heidelberg (2011). https://doi.org/10.1007/978-3-642-19571-6_34

  • Brakerski, Z., Koppula, V., Vazirani, U., Vidick, T.: Simpler proofs of quantumness. arXiv preprint arXiv:2005.04826 (2020)

  • Barak, B., Mahmoody, M.: Merkle’s key agreement protocol is optimal: an \({O}(n^2)\) attack on any key agreement from random oracles. J. Cryptol. 30(3), 699–734 (2017)

  • Barak, B., Mahmoody-Ghidary, M.: Merkle puzzles are optimal — an \(O(n^2)\)-query attack on any key exchange from a random oracle. In: Halevi, S. (ed.) CRYPTO 2009. LNCS, vol. 5677, pp. 374–390. Springer, Heidelberg (2009). https://doi.org/10.1007/978-3-642-03356-8_22

  • Brassard, G., Salvail, L.: Quantum Merkle puzzles. In: International Conference on Quantum, Nano and Micro Technologies (ICQNM), pp. 76–79. IEEE Computer Society (2008)

  • Bitansky, N., Shmueli, O.: Post-quantum zero knowledge in constant rounds. In: Proceedings of the 52nd Annual ACM SIGACT Symposium on Theory of Computing, pp. 269–279 (2020)

  • Chia, N.-H., Chung, K.-M., Yamakawa, T.: Classical verification of quantum computations with efficient verifier. In: Pass, R., Pietrzak, K. (eds.) TCC 2020. LNCS, vol. 12552, pp. 181–206. Springer, Cham (2020). https://doi.org/10.1007/978-3-030-64381-2_7

  • Chung, K.-M., Fehr, S., Huang, Y.-H., Liao, T.-N.: On the compressed-oracle technique, and post-quantum security of proofs of sequential work. In: Canteaut, A., Standaert, F.-X. (eds.) EUROCRYPT 2021. LNCS, vol. 12697, pp. 598–629. Springer, Cham (2021). https://doi.org/10.1007/978-3-030-77886-6_21

  • Cao, S., Xue, R.: Being a permutation is also orthogonal to one-wayness in quantum world: impossibilities of quantum one-way permutations from one-wayness primitives. Theor. Comput. Sci. 855, 16–42 (2021)

  • Dinur, I., Friedgut, E., Kindler, G., O’Donnell, R.: On the Fourier tails of bounded functions over the discrete cube. In: Proceedings of the Thirty-Eighth Annual ACM Symposium on Theory of Computing, pp. 437–446 (2006)

  • Diffie, W., Hellman, M.E.: New directions in cryptography. IEEE Trans. Inf. Theory 22(6), 644–654 (1976)

  • Gertner, Y., Kannan, S., Malkin, T., Reingold, O., Viswanathan, M.: The relationship between public key encryption and oblivious transfer. In: Proceedings 41st Annual Symposium on Foundations of Computer Science, pp. 325–335. IEEE (2000)

  • Grover, L.K.: A fast quantum mechanical algorithm for database search. In: Proceedings of the Twenty-Eighth Annual ACM Symposium on Theory of Computing, pp. 212–219 (1996)

  • Haitner, I., Hoch, J.J., Reingold, O., Segev, G.: Finding collisions in interactive protocols - a tight lower bound on the round complexity of statistically-hiding commitments. In: Proceedings of the 48th Annual IEEE Symposium on Foundations of Computer Science (FOCS 2007), Providence, RI, USA, 20–23 October 2007, pp. 669–679 (2007)

  • Haitner, I., Mazor, N., Oshman, R., Reingold, O., Yehudayoff, A.: On the communication complexity of key-agreement protocols. arXiv preprint arXiv:2105.01958 (2021)

  • Haitner, I., Mazor, N., Silbak, J., Tsfadia, E.: On the complexity of two-party differential privacy (2021)

  • Holenstein, T.: Key agreement from weak bit agreement. In: Proceedings of the Thirty-Seventh Annual ACM Symposium on Theory of Computing, pp. 664–673 (2005)

  • Haitner, I., Omri, E., Zarosim, H.: Limits on the usefulness of random oracles. J. Cryptol. 29(2), 283–335 (2016)

  • Hosoyamada, A., Yamakawa, T.: Finding collisions in a quantum world: quantum black-box separation of collision-resistance and one-wayness. Cryptology ePrint Archive, Report 2018/1066 (2018). http://ia.cr/2018/1066

  • Hosoyamada, A., Yamakawa, T.: Finding collisions in a quantum world: quantum black-box separation of collision-resistance and one-wayness. In: Moriai, S., Wang, H. (eds.) ASIACRYPT 2020. LNCS, vol. 12491, pp. 3–32. Springer, Cham (2020). https://doi.org/10.1007/978-3-030-64837-4_1

  • Impagliazzo, R., Rudich, S.: Limits on the provable consequences of one-way permutations. In: Proceedings of the 21st Annual ACM Symposium on Theory of Computing (STOC), pp. 44–61. ACM Press (1989)

  • Kahn, J., Saks, M., Smyth, C.: A dual version of Reimer’s inequality and a proof of Rudich’s conjecture. In: Proceedings 15th Annual IEEE Conference on Computational Complexity, pp. 98–103. IEEE (2000)

  • Mahadev, U.: Classical verification of quantum computations. In: 2018 IEEE 59th Annual Symposium on Foundations of Computer Science (FOCS), pp. 259–267. IEEE (2018)

  • Merkle, R.: C.S. 244 project proposal (1974). Facsimile http://www.merkle.com/1974

  • Mahmoody, M., Maji, H.K., Prabhakaran, M.: Limits of random oracles in secure computation. In: Proceedings of the 5th Conference on Innovations in Theoretical Computer Science, pp. 23–34 (2014)

  • O’Donnell, R., Saks, M., Schramm, O., Servedio, R.A.: Every decision tree has an influential variable. In: 46th Annual IEEE Symposium on Foundations of Computer Science (FOCS 2005), pp. 31–39. IEEE (2005)

  • Rivest, R.L., Shamir, A., Adleman, L.M.: A method for obtaining digital signatures and public-key cryptosystems. Commun. ACM 21(2), 120–126 (1978)

  • Reingold, O., Trevisan, L., Vadhan, S.: Notions of reducibility between cryptographic primitives. In: Naor, M. (ed.) TCC 2004. LNCS, vol. 2951, pp. 1–20. Springer, Heidelberg (2004). https://doi.org/10.1007/978-3-540-24638-1_1

  • Rudich, S.: Limits on the provable consequences of one-way functions. Ph.D. thesis, University of California (1988)

  • Zhandry, M.: How to record quantum queries, and applications to quantum indifferentiability. In: Boldyreva, A., Micciancio, D. (eds.) CRYPTO 2019. LNCS, vol. 11693, pp. 239–268. Springer, Cham (2019). https://doi.org/10.1007/978-3-030-26951-7_9

  • Zhang, J.: Succinct blind quantum computation using a random oracle. In: STOC 2021: 53rd Annual ACM SIGACT Symposium on Theory of Computing, Virtual Event, Italy, 21–25 June 2021, pp. 1370–1383 (2021)


Corresponding author: Yao-Ting Lin.


Copyright information

© 2022 International Association for Cryptologic Research

About this paper


Cite this paper

Austrin, P., Chung, H., Chung, KM., Fu, S., Lin, YT., Mahmoody, M. (2022). On the Impossibility of Key Agreements from Quantum Random Oracles. In: Dodis, Y., Shrimpton, T. (eds) Advances in Cryptology – CRYPTO 2022. CRYPTO 2022. Lecture Notes in Computer Science, vol 13508. Springer, Cham. https://doi.org/10.1007/978-3-031-15979-4_6


  • DOI: https://doi.org/10.1007/978-3-031-15979-4_6


  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-031-15978-7

  • Online ISBN: 978-3-031-15979-4
