On the Quantum Security of HAWK

Abstract

In this paper, we prove the quantum security of the signature scheme HAWK, proposed by Ducas, Postlethwaite, Pulles and van Woerden (ASIACRYPT 2022). More precisely, we reduce its strong unforgeability in the quantum random oracle model (QROM) to the hardness of the one-more SVP problem, which is the computational problem on which also the classical security analysis of HAWK relies. Our security proof deals with the quantum aspects in a rather black-box way, making it accessible also to non-quantum-experts.

More Proofs

Proof of Lemma 2. Without loss of generality, assume \(\mathcal{A}\) makes exactly \(q_R\) queries to the reprogramming oracle \(\textsf{Repro}_b\) by doing additional dummy queries if otherwise. Define a sequence of hybrid games \(\mathcal{G}_i\) that replaces the first i reprogramming queries of \(\mathcal{A}^{\textsf{Repro}_1,H}\) to querying \(\textsf{Repro}_0\), where by definition \(\mathcal{G}_0\) and \(\mathcal{G}_{q_R}\) run as \(\mathcal{A}^{\textsf{Repro}_1,H}\) and \(\mathcal{A}^{\textsf{Repro}_0,H}\) respectively.

It suffices to show the closeness \(\mathcal{G}_i\approx \mathcal{G}_{i+1}\) for every \(0\le i<q_R\), where we refer to the only query that differs as the crucial query. For the sake of analysis, we consider the random oracle H to be (perfectly) simulated via compressed oracle in a designated database register \( \textsf{D} \), which, within the crucial query before \(y:=H(x)\) or \(H(x):=y\leftarrow \mathcal{Y} \), is decompressed and measured in the computational basis to obtain the oracle H to be used later.

Define \(\mathcal{G}',\mathcal{G}''\) to respectively run as \(\mathcal{G}_i,\mathcal{G}_{i+1}\) except additionally doing a binary measurement \(\{M_0,M_1\}\) where \(M_1:=\sum _{D(x)=\bot }\left| {D}\right\rangle \left\langle {D}\right| _ \textsf{D} \) right after \(x\leftarrow \mathcal{D}\) being sampled but before \(y:=H(x)\) or \(H(x):=y\leftarrow \mathcal{Y} \), and abort if the outcome does not match \(M_1\). \(\mathcal{G}'\) and \(\mathcal{G}''\) behaves identically because on non-abort, the database register \( \textsf{D} \) collapses into \(\left| {\bot }\right\rangle _{ \textsf{D} (x)}\), for which the reprogramming \(H(x):=y\leftarrow \mathcal{Y} \) do not affect the decompressed-and-measured distribution of \( \textsf{D} (x)\). The closeness of \(\mathcal{G}'\approx \mathcal{G}_i\) and \(\mathcal{G}''\approx \mathcal{G}_{i+1}\) follows from the gentle-measurement lemma, together with the fact that there has been at most \(q_H+q_R\) queries of interaction with H prior to the crucial query, so \(\Pr \left[ \mathcal{G}'\text { aborts}\right] =\Pr \left[ \mathcal{G}''\text { aborts}\right] \le (q_H+q_R)\epsilon \). This concludes the proof, which can be summarized by the following chain of closeness

$$ \mathcal{G}_i{\mathop {\approx }\limits ^{\sqrt{(q_H+q_R)\epsilon }}}\mathcal{G}'{\mathop {\approx }\limits ^{0}}\mathcal{G}''{\mathop {\approx }\limits ^{\sqrt{(q_H+q_R)\epsilon }}}\mathcal{G}_{i+1}\;. $$

   \(\square \)